[Aide] My personal guide to AIDE
Russell Gadd
russ.mail.lists at googlemail.com
Sun Mar 16 14:31:13 EET 2008
Hi Marc,
Marc Haber wrote:
> On Sat, Mar 15, 2008 at 06:09:44PM +0000, Russell Gadd wrote:
>
>> Marc Haber wrote:
>>
>>>> On installation, debconf is used to query the user whether to initialize the
>>>> AIDE database and whether to automatically place the new database at a place
>>>> where aide can pick it up as a reference. aideinit, the script used to
>>>> initialize the database, has a man page. [NOTE - I HAVEN'T USED DEBCONF -
>>>> DOESN'T SEEM A PROBLEM]
>>>>
>>>>
>>> It isn't a problem at all, the scripts invoked by debconf are just
>>> sophisticated versions of aide --init and cp /var/lib/aide/aide.db.new
>>> /var/lib/aide/aide.db.
>>>
>>> Do you want me to document that in the package?
>>>
>>>
>>>
>> Would be worth a mention.
>>
>
> but where? In the README?
>
>
First I'd just say that I don't remember answering questions on
installation - maybe it did ask them, I really can't remember. But my
point is when I read "debconf is used to ..." I wasn't sure whether this
meant that I should somehow invoke debconf or whether it should have
been done automatically on installation. (Probably my ignorance of
package management). So my comment was more along the lines of a
personal note "if this is telling me to run debconf, I didn't and it
didn't seem to matter". Later in my document I explicitly suggest running
aideinit after tweaking /etc/default/aide.
As regards documentation, I've now had another look at it. In the hope
it helps, I will offer up some suggestions from a user perspective. I
think the man pages are fine and don't need any improvement. But I think
the README could be organised slightly differently. I would move the
section on /usr/bin/aide.wrapper to below the section on the daily cron
job. Then you start with the top 3 paragraphs of overview, which are fine.
I would follow this by a sort of HOWTO section which covers set up and
management. (my ideas which follow are only in outline) It would start
by saying that in normal use aide runs unattended as a daily cron job
/etc/cron.daily/aide which is explained below. In its default setup, if
you do nothing more, you will start to see daily reports, which are very
likely to contain much more output than you need to focus your attention
on, so you will want to modify the setup. First consider the main Debian
configuration file /etc/default/aide which is extensively commented.
Then consider and alter or add to /etc/aide/aide.conf and
/etc/aide/aide.conf.d (may want to mention checking the man page of
update-aide.conf which uses these files). Mention the executable point
here. Before doing any modifications you might want to back up ...
(configs and databases). After doing any modifications you need to rerun
aideinit and update the reference database otherwise on the next run you
will get a spurious comparison between a newly generated database and
the old reference database. You can test your new config by explicitly
running /etc/aide/aide.conf.d (which will abort if a run is already in
progress). However this will of course not show any changes unless some
other processing has taken place in the system meanwhile, so you may
want to wait a while before doing another run - suggest wait for the
next daily job, and compare this to the last one pre-modification. Once
you are happy that the reports are what you need, you will only need to
revisit the setup when the output grows to be unmanageable. For example,
whenever the system is updated you should see a lot of output showing
the changes. Once you are satisfied that nothing is amiss with the
updates, you can make these a permanent part of the reference database
by rerunning aideinit again. Of course you may need to tweak the configs
again if you install new packages.
The next section of your README then explains the daily cron job and
further sections add special information.
If you don't think this stuff should be in a README let me know.
Alternatively if you want me to have a stab at writing this section I'd
be happy to make up a draft.
>> <snip>
>>
>> ...., but is it to do with how your routines distinguish
>> between scripts and lists?
>>
>
> Yes. If update-aide.conf finds a file with its x bit set, it executes
> the file. Otherwise, it cats the file's contents verbatim to the
> configuration. Making a file that doesn't hold shell code executable
> will fail.
>
> I could add more checks so that only files that really could be
> executed will be executed, but that would break the systematics, IMO.
>
I agree, keep it clean.
> This is documented in update-aide.conf's man page, DESCRIPTION, first
> paragraph. Is room for improvement there?
>
No, the man page is fine. I needed to re-read it. Please remember that
my document is just a personal attempt to put in one place the things I
need to be reminded of.
> I would re-word the last sentence of your docs like "The file only
> contains path patterns that can be copied to the configuration
> verbatim, so its x bit is not set. If I make the file executable,
> this results in an invalid aide configuration."
>
>
My doc now reads:
Most of these files are just path patterns (as in the aide manual) which
are copied to the configuration verbatim - for example look at the file
31_aide_syslog. However some are scripts, which output the patterns to
stdout. You could use any executable file which outputs to stdout:
update-aide.conf determines whether to execute the file or just copy the
text in the file according to whether the file is executable. Personally
in my own adjustments I have just used lists.
> That won't only work for bash scripts, but for everything that can be
> executed and prints rules to its standard output. It is important to
> note that the x bit is taken as the criterion whether to cat a file or
> to execute it:
>
> if [ -x "$file" ]; then
>     $file
> else
>     cat $file
> fi
>
> (taken - sans debug output - from update-aide.conf)
>
>
Point taken
> Greetings
> Marc
>
>
Best wishes
Russell
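As an added illustration of the cat-or-execute rule discussed above (this is example code written for this page, not code from the aide package, from update-aide.conf, or from either correspondent), the script below re-implements that rule over a constructed temporary conf.d directory: a plain pattern list without the x bit is copied verbatim, an executable fragment is run and its stdout taken as rule text, and a separate check counts executable fragments that fail to run, which is exactly what happens when a pattern list is given the x bit by mistake. The directory name, file names and paths are made up; the rule groups R and L are AIDE's built-in ones.

```shell
#!/bin/sh
# Added example, not code from the aide package or from this thread: a minimal
# re-implementation of the x-bit rule that update-aide.conf applies to the
# fragments in /etc/aide/aide.conf.d, run against a constructed directory.

# assemble_config DIR: print the configuration assembled from every fragment
# in DIR, in glob (lexical) order, following the x-bit rule.
assemble_config() {
    confdir="$1"
    for fragment in "$confdir"/*; do
        [ -f "$fragment" ] || continue
        if [ -x "$fragment" ]; then
            "$fragment"        # x bit set: run it, stdout becomes rule text
        else
            cat "$fragment"    # no x bit: copy the path patterns verbatim
        fi
    done
}

# count_broken_executables DIR: number of executable fragments that exit
# non-zero, i.e. files that would yield an invalid aide configuration.
count_broken_executables() {
    confdir="$1"
    broken=0
    for fragment in "$confdir"/*; do
        [ -f "$fragment" ] && [ -x "$fragment" ] || continue
        "$fragment" >/dev/null 2>&1 || broken=$((broken + 1))
    done
    echo "$broken"
}

# make_demo_dir: build a constructed conf.d with one plain list and one
# script; prints the directory name. Paths and names are illustrative only.
make_demo_dir() {
    demodir=$(mktemp -d ./aide_demo.XXXXXX)
    # plain list of path patterns, deliberately NOT executable
    printf '/var/log/syslog$ L\n' > "$demodir/31_demo_syslog"
    chmod 0644 "$demodir/31_demo_syslog"
    # script that generates one rule per name in a constructed list
    cat > "$demodir/70_demo_homes" <<'EOF'
#!/bin/sh
for user in alice bob; do
    printf '/home/%s$ R\n' "$user"
done
EOF
    chmod 0755 "$demodir/70_demo_homes"
    echo "$demodir"
}

# add_misflagged_list DIR: the mistake described in the thread, a pattern
# list that has been given the x bit and therefore cannot be executed.
add_misflagged_list() {
    printf '/var/log/auth.log$ L\n' > "$1/90_demo_misflagged"
    chmod 0755 "$1/90_demo_misflagged"
}

# stand-alone run: show the assembled config, then the broken-fragment count
demo=$(make_demo_dir)
assemble_config "$demo"
add_misflagged_list "$demo"
echo "broken executable fragments: $(count_broken_executables "$demo")"
rm -rf "$demo"
```

Running it prints the three assembled rules (one from the list, two from the script) followed by a broken-fragment count of 1 once the mis-flagged list is added. Checking that count before running aideinit is a cheap way to catch a stray chmod before it produces an invalid configuration and a spurious comparison on the next daily run.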