[Aide] My personal guide to AIDE

Marc Haber mh+aide at zugschlus.de
Sun Mar 23 14:33:57 EET 2008


Hi Russell,

On Sun, Mar 16, 2008 at 12:31:13PM +0000, Russell Gadd wrote:
> Marc Haber wrote:
> > On Sat, Mar 15, 2008 at 06:09:44PM +0000, Russell Gadd wrote:
> >> Marc Haber wrote:
> >>>> On installation, debconf is used to query the user whether to initialize the
> >>>> AIDE database and whether to automatically place the new database at a place
> >>>> where aide can pick it up as a reference. aideinit, the script used to
> >>>> initialize the database, has a man page. [NOTE - I HAVEN'T USED DEBCONF -
> >>>> DOESN'T SEEM A PROBLEM]
> >>>>
> >>> It isn't a problem at all, the scripts invoked by debconf are just
> >>> sophisticated versions of aide --init and cp /var/lib/aide/aide.db.new
> >>> /var/lib/aide/aide.db.
> >>>
> >>> Do you want me to document that in the package?
> >>>
> >> Would be worth a mention.
> >>     
> >
> > but where? In the README?
> >
> 
> First I'd just say that I don't remember answering questions on 
> installation - maybe it did ask them, I really can't remember.

They are asked at "medium" priority so they might have been hidden
away from you depending on which debconf level you have chosen for
your installation.

>  But my point is when I read "debconf is used to ..." I wasn't sure
>  whether this meant that I should somehow invoke debconf or whether it
>  should have been done automatically on installation. (Probably my
>  ignorance of package management).

This is probably lack of Debian knowledge, but I'll try improving the
docs:

On installation, debconf questions are asked at medium priority
to query the user whether to initialize the AIDE database and whether
to automatically place the new database at a place where aide can
pick it up as a reference. aideinit, the script used to initialize
the database, has a man page, and can be invoked at the user's
discretion at a later time.

> As regards documentation, I've now had another look at it. In the hope 
> it helps, I will offer up some suggestions from a user perspective. I 
> think the man pages are fine and don't need any improvement. But I think 
> the README could be organised slightly differently. I would move the 
> section on /usr/bin/aide.wrapper to below the section on the daily cron 
> job. Then you start with the top 3 paragraphs of overview, which are fine.

Done.

> I would follow this by a sort of HOWTO section which covers set up and 
> management.

I am not a big fan of HOWTO type documentation as they lead people to
do things that they don't understand.

I appreciate your input, but aide is a tool for experienced users, and
not for beginners who would need docs _that_ detailed. Beginners are
likely not able to interpret aide reports anyway.

>  is extensively commented.  Then consider and alter or add to
>  /etc/aide/aide.conf and /etc/aide/aide.conf.d (may want to mention
>  checking the man page of update-aide.conf which uses these files).
>  Mention the executable point here.

I am not a big fan of duplicating information, and the executable
point is in update-aide.conf's man page in the very first paragraph.
Almost impossible to miss if one takes a single look at the man page.

>  Before doing any modifications you might want to back up ...
>  (configs and databases).

Best practice of systems administration, I don't think it makes sense
to clutter up the docs with that.

>  After doing any modifications you need to rerun aideinit and update
>  the reference database otherwise on the next run you will get a
>  spurious comparison between a newly generated database and the old
>  reference database. You can test your new config by explicitly
>  running /etc/aide/aide.conf.d (which will abort if a run is already
>  in progress). However this will of course not show any changes unless
>  some other processing has taken place in the system meanwhile, so you
>  may want to wait a while before doing another run - suggest wait for
>  the next daily job, and compare this to the last one
>  pre-modification. Once you are happy that the reports are what you
>  need, you will only need to revisit the setup when the output grows
>  to be unmanageable. For example, whenever the system is updated you
>  should see a lot of output showing the changes. Once you are
>  satisfied that nothing is amiss with the updates, you can make these
>  a permanent part of the reference database by rerunning aideinit
>  again. Of course you may need to tweak the configs again if you
>  install new packages

I generally use aideinit only for new installations and proceed, once
aide is in place, with aide --update. This will generate a new database
_and_ report any changes found, ensuring continuous monitoring of the
files.

You can see the new README.Debian file in svn via
http://svn.debian.org/wsvn/pkg-aide/trunk/debian/aide-common.README.Debian?op=file&rev=0&sc=0
- I'd appreciate your comments

> No, the man page is fine. I needed to re-read it. Please remember that 
> my document is just a personal attempt to put in one place the things I 
> need to be reminded of.

No problem, your document is valuable input, even if I do not take
all of your suggestions.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
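
Added example, not part of the mail above or of the Debian package: a small shell sketch of the `aide --update` cycle discussed in the thread, which decodes the exit status documented in aide(1) and promotes `/var/lib/aide/aide.db.new` to `/var/lib/aide/aide.db` only as a separate, deliberate step. The function names and the `AIDE_CMD`, `DB_REF` and `DB_NEW` variables are assumptions made for this illustration.

```shell
#!/bin/sh
# Illustrative helpers; names are hypothetical, paths are those from the thread.
# AIDE_CMD can be pointed at a wrapper instead of the plain binary.
AIDE_CMD="${AIDE_CMD:-aide}"
DB_REF="${DB_REF:-/var/lib/aide/aide.db}"
DB_NEW="${DB_NEW:-/var/lib/aide/aide.db.new}"

# Exit status of --check/--update per aide(1):
# 1 = new files, 2 = removed files, 4 = changed files (summed).
# Anything above 7 is treated here as an AIDE error (14 and up in aide(1)).
describe_status() {
    rc=$1
    if [ "$rc" -eq 0 ]; then echo "clean"; return 0; fi
    if [ "$rc" -gt 7 ]; then echo "error"; return 0; fi
    out=""
    if [ $((rc & 1)) -ne 0 ]; then out="$out new"; fi
    if [ $((rc & 2)) -ne 0 ]; then out="$out removed"; fi
    if [ $((rc & 4)) -ne 0 ]; then out="$out changed"; fi
    echo "${out# }"
}

# Run the update, keep the report for review, print the exit status.
# A non-zero status is expected whenever differences are found.
run_update() {
    report=$1
    rc=0
    $AIDE_CMD --update >"$report" 2>&1 || rc=$?
    echo "$rc"
}

# Promote the new database once the report has been reviewed.
# Refuses an empty or missing new database and keeps the old reference.
promote_db() {
    [ -s "$DB_NEW" ] || return 1
    if [ -f "$DB_REF" ]; then
        cp -p "$DB_REF" "$DB_REF.prev" || return 1
    fi
    cp -p "$DB_NEW" "$DB_REF"
}
```

Typical use is to capture the status with `run_update`, read the saved report, and call `promote_db` only when every reported difference is accounted for.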

