[Aide] AIDE + Apache 2.2 reload Problem

Daniel Gerne daniel.gerne at googlemail.com
Thu Aug 30 11:23:04 EEST 2012


Dear Keith,

Thank you for your support. We are running SLES 11 SP1. AIDE is installed
from its package manager. Httpd is also installed from its package
manager. So far we know that AIDE recognizes a change in both
modification and change times. Therefore one solution could be to
remove those checks from the AIDE configuration and rely on the hash
checks by changing
ConfFiles       = p+i+n+u+g+s+b+m+c+md5+sha1
to
ConfFiles       = p+i+n+u+g+s+b+md5+sha1

But we want to make sure that there is no better solution, first.

regards
Daniel

2012/8/29 Keith Constable <kccricket at gmail.com>:
> On Tue, Aug 28, 2012 at 4:27 AM, Daniel Gerne
> <daniel.gerne at googlemail.com> wrote:
>> Hello,
>>
>>
>> We want to use AIDE on our webservers running apache 2.2.
>> To manage the logs we use logrotate on the apache logs. As far as I
>> know it is best practice to do a "reload" on rotate for apache logs so
>> apache will continue writing to log.
>> The problem is that AIDE recognizes changes on the httpd binary and
>> many logfiles when reloading. This makes it impossible for us to
>> recognize intrusion on all apache files.
>>
>>
>> I think somebody else must have had the same problem. Do you have any
>> suggestions?
>>
>>
>> Regards Daniel
>
> You should specify a different rule for the log files. Aide has the
> "L" rule built in that is suitable for most log files. The L rule is
> equivalent to "p+i+l+n+u+g+acl+selinux+xattrs". It will not check if
> the content of the file has changed. If aide still warns about the
> logs, you should create your own rule that doesn't contain the i
> (inode) rule and apply that to the log files.
> "p+l+n+u+g+acl+selinux+xattrs" should be suitable.
>
> I can't help you with the warning on httpd until we get more
> information from you. What OS/distro are you running? Is httpd
> installed from the OS's package manager, or did you build it yourself?
> What, specifically, is aide saying changed about the httpd binary?
>
> Regards,
>
> Keith
> _______________________________________________
> Aide mailing list
> Aide at cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide
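
The trade-off between the two ConfFiles rules in this thread, as an added example (not part of the original messages and not AIDE's own code): the Python below compares snapshots of a constructed temporary file under both rule strings. It assumes os.stat fields and hashlib digests as stand-ins for AIDE's checks and models only the attribute letters that appear in that rule; all function and file names are hypothetical.

```python
import hashlib
import os
import tempfile

# Assumption: only the attribute letters used in the thread's ConfFiles rule are
# modelled, mapped to os.stat fields as stand-ins for AIDE's own checks.
STAT_ATTRS = {"p": "st_mode", "i": "st_ino", "n": "st_nlink", "u": "st_uid",
              "g": "st_gid", "s": "st_size", "b": "st_blocks",
              "m": "st_mtime_ns", "c": "st_ctime_ns"}
FULL = "p+i+n+u+g+s+b+m+c+md5+sha1"      # rule before the change
REDUCED = "p+i+n+u+g+s+b+md5+sha1"       # rule with m and c removed

def write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)
        fh.flush()
        os.fsync(fh.fileno())            # settle block allocation before stat

def snapshot(path):
    st = os.stat(path)
    snap = {attr: getattr(st, field) for attr, field in STAT_ATTRS.items()}
    with open(path, "rb") as fh:
        data = fh.read()
    for name in ("md5", "sha1"):
        snap[name] = hashlib.new(name, data).hexdigest()
    return snap

def changed(rule, old, new):
    """Attributes named in an AIDE-style rule string that differ between snapshots."""
    return [attr for attr in rule.split("+") if old[attr] != new[attr]]

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.conf")      # constructed sample file
        write(path, b"Listen 80\n")
        base = snapshot(path)
        # Timestamp-only change: same bytes, mtime moved forward one second.
        os.utime(path, ns=(base["m"], base["m"] + 10**9))
        touched = snapshot(path)
        write(path, b"Listen 81\n")                  # same length, new content
        edited = snapshot(path)
    return {"touch_full": changed(FULL, base, touched),
            "touch_reduced": changed(REDUCED, base, touched),
            "edit_reduced": changed(REDUCED, touched, edited)}

if __name__ == "__main__":
    for case, attrs in demo().items():
        print(case, attrs)
```

Whether c also appears in touch_full depends on the filesystem's timestamp granularity, because the file is created and touched within the same instant.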