[Aide] AIDE + Apache 2.2 reload Problem

Keith Constable kccricket at gmail.com
Wed Aug 29 21:21:37 EEST 2012


On Tue, Aug 28, 2012 at 4:27 AM, Daniel Gerne
<daniel.gerne at googlemail.com> wrote:
> Hello,
>
>
> we want to use AIDE on our webservers running apache 2.2.
> To manage the logs we use logrotate on the apache logs. As far as I
> know it is best practice to do a "reload" on rotate for apache logs so
> apache will continue writing to log.
> The problem is that AIDE recognizes changes on the httpd binary and
> many logfiles when reloading. This makes it impossible for us to
> recognize intrusion on all apache files.
>
>
> I think somebody else must have had the same problem. Do you have any
> suggestions?
>
>
> Regards Daniel

You should specify a different rule for the log files. Aide has the
"L" rule built in that is suitable for most log files. The L rule is
equivalent to "p+i+l+n+u+g+acl+selinux+xattrs". It will not check if
the content of the file has changed. If aide still warns about the
logs, you should create your own rule that doesn't contain the i
(inode) rule and apply that to the log files.
"p+l+n+u+g+acl+selinux+xattrs" should be suitable.

I can't help you with the warning on httpd until we get more
information from you. What OS/distro are you running? Is httpd
installed from the OS's package manager, or did you build it yourself?
What, specifically, is aide saying changed about the httpd binary?

Regards,

Keith
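
Added example, not part of the original message: a small Python simulation of why a rule that contains "i" flags a log after a rename-and-recreate rotation, while the custom rule suggested above does not. The file name and the rotation helper are constructed for illustration; only the attributes that map onto stat fields (p, i, n, u, g) are compared, and l, acl, selinux and xattrs are ignored.

```python
import os
import tempfile

# Subset of AIDE attributes that map directly onto os.stat() fields.
STAT_ATTRS = {
    "p": lambda st: st.st_mode,   # permissions (and file type)
    "i": lambda st: st.st_ino,    # inode number
    "n": lambda st: st.st_nlink,  # number of hard links
    "u": lambda st: st.st_uid,    # owner
    "g": lambda st: st.st_gid,    # group
}

def snapshot(path, rule):
    """Record the stat-backed attributes named in an AIDE-style rule string."""
    st = os.lstat(path)
    return {a: STAT_ATTRS[a](st) for a in rule.split("+") if a in STAT_ATTRS}

def changed_attrs(before, after):
    """Return the attributes whose recorded value differs between snapshots."""
    return sorted(a for a in before if before[a] != after[a])

def rotate_create(path):
    """Hypothetical helper: rename the log and recreate it with the same mode."""
    mode = os.stat(path).st_mode & 0o7777
    os.rename(path, path + ".1")          # old inode lives on as access.log.1
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.close(fd)
    os.chmod(path, mode)                  # make the mode independent of umask

def demo():
    rule_l = "p+i+l+n+u+g+acl+selinux+xattrs"      # the "L" rule as quoted above
    rule_custom = "p+l+n+u+g+acl+selinux+xattrs"   # same rule without "i"
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "access.log")        # constructed sample log
        with open(log, "w") as f:
            f.write("constructed log line\n")
        before_l = snapshot(log, rule_l)
        before_c = snapshot(log, rule_custom)
        rotate_create(log)
        return (changed_attrs(before_l, snapshot(log, rule_l)),
                changed_attrs(before_c, snapshot(log, rule_custom)))

if __name__ == "__main__":
    with_inode, without_inode = demo()
    print("L rule reports:", with_inode)
    print("custom rule reports:", without_inode)
```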

