[Aide] My personal guide to AIDE
Marc Haber
mh+aide at zugschlus.de
Sun Mar 23 14:33:57 EET 2008
Hi Russell,
On Sun, Mar 16, 2008 at 12:31:13PM +0000, Russell Gadd wrote:
> Marc Haber wrote:
> > On Sat, Mar 15, 2008 at 06:09:44PM +0000, Russell Gadd wrote:
> >> Marc Haber wrote:
> >>>> On installation, debconf is used to query the user whether to initialize the
> >>>> AIDE database and whether to automatically place the new database at a place
> >>>> where aide can pick it up as a reference. aideinit, the script used to
> >>>> initialize the database, has a man page. [NOTE - I HAVEN'T USED DEBCONF -
> >>>> DOESN'T SEEM A PROBLEM]
> >>>>
> >>> It isn't a problem at all, the scripts invoked by debconf are just
> >>> sophisticated versions of aide --init and cp /var/lib/aide/aide.db.new
> >>> /var/lib/aide/aide.db.
> >>>
> >>> Do you want me to document that in the package?
> >>>
> >> Would be worth a mention.
> >>
> >
> > but where? In the README?
> >
>
> First I'd just say that I don't remember answering questions on
> installation - maybe it did ask them, I really can't remember.
They are asked at "medium" priority so they might have been hidden
away from you depending on which debconf level you have chosen for
your installation.
> But my point is when I read "debconf is used to ..." I wasn't sure
> whether this meant that I should somehow invoke debconf or whether it
> should have been done automatically on installation. (Probably my
> ignorance of package management).
This is probably lack of Debian knowledge, but I'll try improving the
docs:
On installation, debconf questions are asked at medium priority
to query the user whether to initialize the AIDE database and whether
to automatically place the new database at a place where aide can
pick it up as a reference. aideinit, the script used to initialize
the database, has a man page, and can be invoked at the user's
discretion at a later time.
> As regards documentation, I've now had another look at it. In the hope
> it helps, I will offer up some suggestions from a user perspective. I
> think the man pages are fine and don't need any improvement. But I think
> the README could be organised slightly differently. I would move the
> section on /usr/bin/aide.wrapper to below the section on the daily cron
> job. Then you start with the top 3 paragraphs of overview, which are fine.
Done.
> I would follow this by a sort of HOWTO section which covers set up and
> management.
I am not a big fan of HOWTO type documentation as they lead people to
do things that they don't understand.
I appreciate your input, but aide is a tool for experienced users, and
not for beginners who would need docs _that_ detailed. Beginners are
likely not able to interpret aide reports anyway.
> is extensively commented. Then consider and alter or add to
> /etc/aide/aide.conf and /etc/aide/aide.conf.d (may want to mention
> checking the man page of update-aide.conf which uses these files).
> Mention the executable point here.
I am not a big fan of duplicating information, and the executable
point is in update-aide.conf's man page in the very first paragraph.
Almost impossible to miss if one takes a single look at the man page.
> Before doing any modifications you might want to back up ...
> (configs and databases).
best practice of systems administration, I don't think it makes sense
to clutter up the docs with that.
> After doing any modifications you need to rerun aideinit and update
> the reference database otherwise on the next run you will get a
> spurious comparison between a newly generated database and the old
> reference database. You can test your new config by explicitly
> running /etc/aide/aide.conf.d (which will abort if a run is already
> in progress). However this will of course not show any changes unless
> some other processing has taken place in the system meanwhile, so you
> may want to wait a while before doing another run - suggest wait for
> the next daily job, and compare this to the last one
> pre-modification. Once you are happy with the reports are what you
> need, you will only need to revisit the setup when the output grows
> to be unmanageable. For example, whenever the system is updated you
> should see a lot of output showing the changes. Once you are
> satisfied that nothing is amiss with the updates, you can make these
> a permanent part of the reference database by rerunning aideinit
> again. Of course you may need to tweak the configs again if you
> install new packages
I generally use aideinit only for new installations and proceed, once
aide is in place with aide --update. This will generate a new database
_and_ report any changes found, ensuring continuous monitoring of the
files.
You can see the new README.Debian file in svn via
http://svn.debian.org/wsvn/pkg-aide/trunk/debian/aide-common.README.Debian?op=file&rev=0&sc=0
- I'd appreciate your comments
> No, the man page is fine. I needed to re-read it. Please remember that
> my document is just a personal attempt to put in one place the things I
> need to be reminded of.
No problem, your document is valuable input, even if I do not take
all of your suggestions.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
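The init and update cycle discussed in the thread above, as an added shell example (not part of the mail or of the Debian aide package): it assumes the Debian database paths /var/lib/aide/aide.db and aide.db.new and the exit status bits documented in aide(1).

```shell
#!/bin/sh
# Added example, not from the original mail or the aide package.
# Assumes the Debian paths /var/lib/aide/aide.db{,.new} and the exit status
# documented in aide(1): bit 1 = new files, 2 = removed files, 4 = changed
# files; a status of 14 or higher means aide itself failed.
AIDE=${AIDE:-aide}
DB_DIR=${DB_DIR:-/var/lib/aide}

# Translate an aide exit status into the words new/removed/changed.
# Prints nothing for 0 and "error" for the error range.
decode_aide_status() {
    rc=$1
    if [ "$rc" -ge 14 ]; then echo error; return; fi
    out=""
    [ $((rc & 1)) -ne 0 ] && out="$out new"
    [ $((rc & 2)) -ne 0 ] && out="$out removed"
    [ $((rc & 4)) -ne 0 ] && out="$out changed"
    echo "${out# }"
}

# What aideinit boils down to: build the database, install it as reference.
aide_first_init() {
    "$AIDE" --init && cp "$DB_DIR/aide.db.new" "$DB_DIR/aide.db"
}

# Marc's continuous mode: --update writes aide.db.new *and* reports changes
# against aide.db. The new database is promoted to reference only when the
# run found nothing; otherwise the report has to be read first, so an
# unreviewed change never silently becomes the baseline.
aide_update_cycle() {
    report=$(mktemp)
    rc=0
    "$AIDE" --update >"$report" 2>&1 || rc=$?
    summary=$(decode_aide_status "$rc")
    case "$summary" in
        "")    mv "$DB_DIR/aide.db.new" "$DB_DIR/aide.db"; rm -f "$report" ;;
        error) echo "aide failed (exit $rc), see $report" >&2; return 1 ;;
        *)     echo "aide reported: $summary (exit $rc); review $report," \
                    "then: mv $DB_DIR/aide.db.new $DB_DIR/aide.db" ;;
    esac
}

# Run the cycle only when invoked explicitly, e.g. from cron or by hand.
if [ "${1:-}" = "--cycle" ]; then aide_update_cycle; fi
```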