[Aide] Aide init

Keith Constable kccricket at gmail.com
Tue Oct 23 04:45:44 EEST 2012


On 22 Oct 2012, at 9:36 PM, Keith Constable <kccricket at gmail.com> wrote:

> On 22 Oct 2012, at 8:26 PM, ncalsmitty1369 <ncalsmitty1369 at gmail.com> wrote:
>> Hi Keith,
>> 
>> On Debian boxes there is a directory called /etc/aide/aide.conf.d. That directory contains files that have match rules based on many different services. On Squeeze boxes, I have created the aide.db via "aide -c aide.con -i". Copied the aide.db.new file to aide.db and then run the Debian /etc/cron.daily/aide script. The script reads in the /etc/aide.conf file and incorporates the rule files found in aide.conf.d. It then creates a file named aide.conf.autogenerated and places it in the directory /var/lib/aide. Which is where the aide.db file is kept. This is the same process that I used on another Debian Squeeze box, non xen domU, which worked without issues.
>> 
>> 
>> 
>> Did I understand your suggestion correctly? I am definitely open to more if it helps resolve the problem!
> 
> Smitty,
> 
> There are a few things to note in this process. In the logs that you pasted, you see that it looks through your filesystem and gives you information like:
> 
> /bin match=0, tree=0x1aaa5c0, attr=0
> 
> Note that "match=0". This means that aide took a look at the /bin directory, decided it didn't match any of the config rules, and did not add it to the database. You would normally expect a lot of noise from the -V255 argument, including some lines that contain "match=1".
> 
> In your procedure, you say that you start the process by generating the DB by running:
> 
> aide -c aide.con -i
> 
> I'll assume that's a typo, and that you meant "aide.conf". Since you haven't run the cron script yet, I'll also assume you are referring to /etc/aide/aide.conf. Unless you've modified /etc/aide/aide.conf, the database you just initialized is now empty, since the default config doesn't contain any rules to match on. You may be getting those errors because the database is empty.
> 
> Now, I am not familiar with Debian's system for aide, so all of this is educated speculation. However, it seems to me that you should be generating aide.conf.autogenerated first, then initializing the database with that new autogenerated config file.
> 
> Also, it's worth noting that squeeze provides an aide-xen package. However, I have never used Xen, so I don't know how that package fits into the process, if at all.
> 
> I apologize if I'm completely off the mark.
> 
> Regards,
> 
> Keith Constable

It may also be worth noting that Debian provides a helpful "aideinit" command that moves the databases and uses the correct config file automatically.

-Keith
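
Added example, not part of the original message or of AIDE itself: a small shell check that reads verbose output in the "match=" line format quoted above and reports whether any path was selected by a rule. The function names and sample log lines are constructed for illustration, and the line format is assumed to be exactly the one shown in the message.

```shell
#!/bin/sh
# Added example: summarise the per-path "match=" lines of verbose AIDE output.
# Assumed format (from the message): /bin match=0, tree=0x1aaa5c0, attr=0

# Reads a log on stdin, prints "matched=N unmatched=M".
summarize_matches() {
    awk '
        / match=[0-9]+, tree=0x[0-9a-fA-F]+, attr=[0-9]+$/ {
            n = $0
            sub(/, tree=0x[0-9a-fA-F]+, attr=[0-9]+$/, "", n)  # drop the tail
            sub(/^.* match=/, "", n)   # greedy: keeps paths with spaces intact
            if (n + 0 > 0) matched++; else unmatched++
        }
        END { printf "matched=%d unmatched=%d\n", matched + 0, unmatched + 0 }
    '
}

# Exit 0 when paths were examined but no rule selected any of them (the case
# the message describes as nothing being added to the database); else exit 1.
init_matched_nothing() {
    case "$(summarize_matches)" in
        "matched=0 unmatched=0") return 1 ;;   # no match= lines: not a -V255 log
        "matched=0 "*)           return 0 ;;
        *)                       return 1 ;;
    esac
}

# Constructed sample: a run against a config with no selection rules.
sample_no_rules() {
    cat <<'EOF'
/bin match=0, tree=0x1aaa5c0, attr=0
/etc match=0, tree=0x1aaa5c0, attr=0
/srv/my data match=0, tree=0x1aaa5c0, attr=0
EOF
}

# Constructed sample: a run where rules select /bin and /etc.
sample_with_rules() {
    cat <<'EOF'
/bin match=1, tree=0x1aaa5c0, attr=0
/etc match=1, tree=0x1aaa5c0, attr=0
/tmp match=0, tree=0x1aaa5c0, attr=0
some unrelated debug line
EOF
}

if sample_no_rules | init_matched_nothing; then
    echo "no rule matched any path: check which config file -c points at"
fi
```

To use it on a real run, pipe the saved verbose output into `init_matched_nothing` in place of the constructed samples.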


