[Aide] large installations of AIDE?

Vijay vavarachen at gmail.com
Tue Apr 5 17:24:39 EEST 2011


Ben,
     I had the good fortune of starting from scratch when setting up
the cloud infrastructure, so I was able to integrate AIDE into the vm
templates and build script.  Also, in my case there were basically
three classifications of servers (web, db and app) and much of the
dynamic data sits in /var which is mounted noexec,nodev,nosuid.  So I
am mostly concerned with monitoring /etc, /usr, /lib etc.

Initially I had run into some issues with prelink, which ran on a
daily basis and resulted in false positives.  Since our systems are
tightly controlled and don't change very often, I disabled prelink and
made it part of the system update procedure (aide -C pre update, and
prelink followed by aide -u post update).

Currently I do not have a central configuration management to maintain
the aide configuration.  Also, due to time constraints the aide.db
sits on each host, which I realize defeats the purpose of aide.  I am
planning to leverage the sshaide.sh found in the contrib folder to
manage aide from a central server.

Another challenge I ran into early on was having to look at a lot of
uninteresting information in aide reports.  It took me a while to
tweak my aide config to cover only the parts of the filesystem of
interest.  I would recommend setting up an instance of each type of
server in a lab, playing around (add software, reboot, touch files,
etc.) and establishing a good baseline aide config.

I think a larger lesson here is that simply deploying AIDE is not
going to improve your security.  To be effective, tools like AIDE need
to be coupled with processes and procedures and a large degree of
standardization in the environment.

Hope this helps.

V

2011/4/4 Ben Hartshorne <ben at hartshorne.net>:
> Hi,
>
> I'm thinking through what it would take to manage a large installation of
> AIDE (thousands of machines), and am wondering if there are some
> whitepapers, blog posts, transcripts, recollections, or other musings from
> some who have done this before.  Managing the AIDE configuration files
> themselves will be relatively easy using our existing configuration
> management system; I'm much more interested in how to collect, analyze,
> process, and act upon the information AIDE generates about each system.
> It's obviously trivial to overwhelm myself with data about each system,
> especially if I don't do a good job of describing the expected changes in
> the system ahead of time, but there are likely many more caveats I'd love to
> hear about from one who's been there.
>
> Ideally, I'm looking for a method of aggregating the reports from each host,
> so that I may
> * get reports of which hosts are not conforming to spec
> * create rules about specific subsets of hosts that are allowed to be out of
> spec in certain ways
> * act upon those reports in an automated way (for example, email a product
> owner or (in the extreme) automatically trigger a remote power off for hosts
> that violate some very specific rules)
>
>
> Does anybody out there have some good links I should read?
>
> Thanks,
>
> -ben
>
> _______________________________________________
> Aide mailing list
> Aide at cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide
>
>
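The update procedure V describes (aide -C before the update, prelink followed by aide -u after it), written out as a shell script; this is an added example, not code from the thread or from the AIDE project. The database paths, the AIDE_BIN/PRELINK_BIN variables and the exit-code mapping (bits 1/2/4 for new/removed/changed, 14 and above for errors, per the aide man page) are assumptions to check against your own aide.conf.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): V's update procedure as one
# script: AIDE check before the update, apply the update, re-run prelink,
# then rebuild the AIDE database. Paths and *_BIN variables are assumptions.
set -u

AIDE_BIN="${AIDE_BIN:-aide}"
PRELINK_BIN="${PRELINK_BIN:-prelink}"
DB_CUR="${AIDE_DB:-/var/lib/aide/aide.db.gz}"          # 'database' in aide.conf (assumed)
DB_NEW="${AIDE_DB_NEW:-/var/lib/aide/aide.db.new.gz}"  # 'database_out' in aide.conf (assumed)

# Map AIDE's exit status to a word: 0 is clean, 1..7 means the report has
# findings (new/removed/changed bits), anything else is a hard error.
aide_status() {
    case "$1" in
        0) echo clean ;;
        [1-7]) echo changed ;;
        *) echo error ;;
    esac
}

# Pre-update check: anything that differs from the last known-good database
# must be explained *before* the update; otherwise rebuilding the database
# afterwards would quietly fold that change into the new baseline.
pre_update_check() {
    rc=0
    "$AIDE_BIN" -C || rc=$?
    st=$(aide_status "$rc")
    [ "$st" = clean ] || { echo "pre-update check: $st (aide exit $rc)" >&2; return 1; }
}

# Post-update: run prelink now (instead of letting its daily cron run alter
# binaries later and trip the next check), then regenerate the database.
post_update_rebuild() {
    "$PRELINK_BIN" -a || return 1
    rc=0
    "$AIDE_BIN" -u || rc=$?
    # -u reports differences too; only a hard error aborts the rebuild.
    [ "$(aide_status "$rc")" != error ] || return 1
    mv -f "$DB_NEW" "$DB_CUR"
}

# Usage: controlled_update <command that applies the update, e.g. yum -y update>
controlled_update() {
    pre_update_check || return 1
    "$@" || return 1
    post_update_rebuild
}
```

The new database should then be copied off-host (for example with the sshaide.sh approach mentioned above) so the host cannot rewrite its own baseline.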