[Aide] large installations of AIDE?

Vijay vavarachen at gmail.com
Tue Apr 5 20:00:54 EEST 2011


Ben,
    Unfortunately I do not have a very good way of consuming the many
reports which come in :-(  I mostly rely on the fact that most are
reporting no change, so I don't really have to bother looking at them.
I only look at the ones which show change (mail size is a good
indicator).  I would then investigate the change and either update the
aide.db or tweak the conf file if I don't want to see such changes in
the future.  Usually it is a case of someone forgetting to follow the
procedure and run aide after a package installation  :-P

I do agree that a better way to consume, report and perform trend
analysis on such data needs to be developed.  Maybe there is already
something in the works but I am not aware of it.  Perhaps others on
this list can chime in.

Thanks,
V

On Tue, Apr 5, 2011 at 11:55 AM, Ben Hartshorne <ben at hartshorne.net> wrote:
> Hi Vijay,
>
> Thanks for the reply!  I'll keep the issues with prelink in mind as we begin
> our implementation.
>
> Do you have any method for consuming the reports from the different hosts?
> You mention that at first they were too verbose, but through good tuning,
> the volume dropped.  Do you just read any emails that come up each day?  Do
> you do log analysis or use email for getting reports off the host?  This is
> the part I'm most interested in - with the sheer volume of hosts we intend
> to have under AIDE's watchful eye, a human scanning the emails will be
> insufficient.
>
> Thanks,
>
> -ben
>
> On Tue, Apr 5, 2011 at 7:24 AM, Vijay <vavarachen at gmail.com> wrote:
>>
>> Ben,
>>     I had the good fortune of starting from scratch when setting up
>> the cloud infrastructure, so I was able to integrate AIDE into the vm
>> templates and build script.  Also, in my case there were basically
>> three classifications of servers (web, db and app) and much of the
>> dynamic data sits in /var which is mounted noexec,nodev,nosuid.  So I
>> am mostly concerned with monitoring /etc, /usr, /lib etc.
>>
>> Initially I had run into some issues with prelink, which ran on a
>> daily basis and resulted in false positives.  Since our systems are
>> tightly controlled and don't change very often, I disabled prelink and
>> made it part of the system update procedure (aide -C pre update, and
>> prelink followed by aide -u post update).
>>
>> Currently I do not have a central configuration management to maintain
>> the aide configuration.  Also, due to time constraints the aide.db
>> sits on each host, which I realize defeats the purpose of aide.  I am
>> planning to leverage the sshaide.sh found in the contrib folder to
>> manage aide from a central server.
>>
>> Another challenge I ran into early on was having to look at a lot of
>> uninteresting information in aide reports.  It took me a while to
>> tweak my aide config to only parts of filesystem of interest.  I would
>> recommend setting up an instance of each type of server in a lab and
>> playing around (add software, reboot, touch files, etc.) and establish
>> a good baseline aide config.
>>
>> I think a larger lesson here is that simply deploying AIDE is not
>> going to improve your security.  To be effective, tools like AIDE need
>> to be coupled with processes and procedures and a large degree of
>> standardization in the environment.
>>
>> Hope this helps.
>>
>> V
>>
>> 2011/4/4 Ben Hartshorne <ben at hartshorne.net>:
>> > Hi,
>> >
>> > I'm thinking through what it would take to manage a large installation of
>> > AIDE (thousands of machines), and am wondering if there are some
>> > whitepapers, blog posts, transcripts, recollections, or other musings from
>> > some who have done this before.  Managing the AIDE configuration files
>> > themselves will be relatively easy using our existing configuration
>> > management system; I'm much more interested in how to collect, analyze,
>> > process, and act upon the information AIDE generates about each system.
>> > It's obviously trivial to overwhelm myself with data about each system,
>> > especially if I don't do a good job of describing the expected changes in
>> > the system ahead of time, but there are likely many more caveats I'd love
>> > to hear about from one who's been there.
>> >
>> > Ideally, I'm looking for a method of aggregating the reports from each
>> > host, so that I may
>> > * get reports of which hosts are not conforming to spec
>> > * create rules about specific subsets of hosts that are allowed to be out
>> >   of spec in certain ways
>> > * act upon those reports in an automated way (for example, email a product
>> >   owner or (in the extreme) automatically trigger a remote power off for
>> >   hosts that violate some very specific rules)
>> >
>> >
>> > Does anybody out there have some good links I should read?
>> >
>> > Thanks,
>> >
>> > -ben
>> >
>> > _______________________________________________
>> > Aide mailing list
>> > Aide at cs.tut.fi
>> > https://mailman.cs.tut.fi/mailman/listinfo/aide
>> >
>> >
>
>

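Ben's question about consuming per-host reports, and the per-class exceptions he lists, as an added example that is not part of this thread: a small triage script that parses the AIDE mail body from each host (assumed to carry `added:`/`removed:`/`changed: PATH` detail lines, with "All files match AIDE database" on a clean run, as AIDE 0.1x reports do), discards changes a host class is allowed to show, and lists only what still needs a human. Host names, report bodies and the policy are constructed.

```python
import re
from fnmatch import fnmatch

# Constructed sample mail bodies shaped like AIDE 0.1x reports (not real output).
REPORTS = {
    "web01": "AIDE, version 0.14\n\n### All files match AIDE database. Looks okay!\n",
    "web02": """AIDE found differences between database and filesystem!!
Added files:
added: /usr/local/bin/backup.sh
Changed files:
changed: /etc/httpd/conf.d/ssl.conf
changed: /etc/ssh/sshd_config
""",
    "db01": "AIDE found differences between database and filesystem!!\n"
            "Changed files:\nchanged: /usr/lib64/libpq.so.5\n",
}

# Constructed policy: host glob -> (kind, path glob) changes that class may show.
ALLOWED = {
    "web*": [("changed", "/etc/httpd/conf.d/*")],
    "db*": [],
}

CHANGE_RE = re.compile(r"^(added|removed|changed): (\S+)$", re.MULTILINE)

def parse_report(text):
    """Return the (kind, path) pairs in one report, or [] for a clean 'Looks okay' run."""
    if "All files match AIDE database" in text:
        return []
    return CHANGE_RE.findall(text)

def is_allowed(host, kind, path):
    """True if the first host class matching `host` permits this change."""
    for host_glob, rules in ALLOWED.items():
        if fnmatch(host, host_glob):
            return any(kind == k and fnmatch(path, p) for k, p in rules)
    return False  # host in no known class: nothing is allowed

def triage(reports):
    """Map host -> unexplained changes; hosts with nothing to investigate are omitted."""
    out = {}
    for host, text in sorted(reports.items()):
        bad = [(k, p) for k, p in parse_report(text) if not is_allowed(host, k, p)]
        if bad:
            out[host] = bad
    return out

for host, changes in triage(REPORTS).items():
    print(host, *("  %s %s" % c for c in changes), sep="\n")
```

The same per-class rule table is where a prelink-style expected change (a known set of binaries under /usr) would be recorded once, instead of re-reading every mail that mentions it.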
