[Aide] Best Practices on storing aide databases

Erik Damsgaard edamsgaa at csc.com
Tue Jan 25 08:23:51 EET 2011


I am doing something similar to 'sshaide.sh' through monitoring jobs run 
from Xymon. The jobs are scheduled to run every 15, 30, 45, 60 minutes or 
whatever you think is feasible through Xymon. I keep all dbs, binaries 
and conf files on the Xymon server and 1) copy them out, 2) run the job, 
3) copy the result back and alarm through Xymon.
In this way I get alarms out through Xymon and to the right place for 
action. Please see http://www.xymon.com/

I have additional scripts for updates (which will clear the alarm and 
generate a new db) and inits, which are run manually.

Regards
---------------------------
ERIK DAMSGAARD
Security Analyst
CSC
GSS Nordic | Tel (+45 36146217) | Cell (+45 29236217) | edamsgaa at csc.com | www.csc.com/dk


From: Vijay <vavarachen at gmail.com>
To: Aide user mailinglist <aide at cs.tut.fi>
Date: 24-01-2011 22:57
Subject: Re: [Aide] Best Practices on storing aide databases



Bobby,
  Take a look at 'sshaide.sh' script in the contrib folder of the aide 
release.

# DESCRIPTION
#       sshaide.sh uses AIDE and SSH to remotely run integrity checks
#       on ALL configured client systems or those specifically listed on
#       the command line from a centralized manager station.  sshaide.sh
#       stores all binaries, databases and reports on a secure, centralized
#       manager station.  Database initialization or periodic checks are
#       run on demand or via cron jobs from the manager stations based on
#       local policy requirements.

Thanks,
Vijay

2011/1/24 J. Bobby Lopez <jbl at jbldata.com>
Would there be any online docs which discuss this?


On Fri, Jan 14, 2011 at 10:47 AM, J. Bobby Lopez <jbl at jbldata.com> wrote:
Hi, 

Just started using AIDE, and so far I'm liking it.

I'm curious though what some of the best practices are on storing the AIDE 
databases.

When aide.db.new is created, it's in the same directory as aide.db.  When 
I copy aide.db.new to aide.db, should I be deleting aide.db.new?

What is to prevent someone who happens to gain root from running AIDE 
again, generating a new aide.db.new, and copying over aide.db before the 
next cron job, therefore making their trespass undetectable?

Thanks,
Bobby


_______________________________________________
Aide mailing list
Aide at cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide




-- 
"Knowledge is the only wealth that grows as you spend it, and diminishes 
as you save it."
-- ancient Sanskrit saying
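
One way for a manager station to notice the baseline replacement asked about in the original question, when the reference data is kept centrally as the replies describe. This is an added example, not part of the thread and not code from sshaide.sh or Xymon; the store layout, the host name used with it and the function names are assumptions.

```shell
#!/bin/sh
# Added example: manager-side check that a client's AIDE baseline still
# matches the digest recorded when that baseline was approved.
# Assumed (hypothetical) layout: <store-dir>/<host>.sha256 holds one hex digest.

# Print the SHA-256 hex digest of a file.
db_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# Record the digest of an approved baseline in the manager's store.
# Run this only as part of a deliberate init or update of the database.
# usage: record_baseline <store-dir> <host> <db-file>
record_baseline() {
    db_digest "$3" > "$1/$2.sha256"
}

# Compare a database copied back from a client with the recorded digest.
# Prints one of: ok | replaced | missing-db | no-record
# Returns 0 only for "ok", so the caller can raise an alarm otherwise.
# usage: baseline_status <store-dir> <host> <db-file>
baseline_status() {
    store=$1
    host=$2
    db=$3
    # No approved digest on record: nothing to compare against.
    [ -f "$store/$host.sha256" ] || { echo no-record; return 2; }
    # Database absent or empty on the client side.
    [ -s "$db" ] || { echo missing-db; return 1; }
    want=$(cat "$store/$host.sha256")
    have=$(db_digest "$db")
    if [ "$want" = "$have" ]; then
        echo ok
        return 0
    fi
    # Digest differs: the database was regenerated or altered outside
    # the approved update procedure.
    echo replaced
    return 1
}
```

The digest store has to live on the manager station, not on the monitored host, or whoever can rewrite aide.db can rewrite the recorded digest as well.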