[Aide] question about dealing with expected files
Smith, Cathy
cathy.smith at pnnl.gov
Sat Mar 23 00:59:36 EET 2013
Hi
Thanks for the clarification. This is working now.
The mail from the cron job running aide --check is not reporting the files added/dropped from /var/log/sa any more. It is correctly reporting that the directory /var/log/sa did change.
Here is the email from the cron job:
Subject: Cron <root at foo> /usr/sbin/aide --check 2>&1
AIDE found differences between database and filesystem!!
Start timestamp: 2013-03-22 05:30:01
Summary:
Total number of files: 65498
Added files: 2
Removed files: 1
Changed files: 11
---------------------------------------------------
Added files:
---------------------------------------------------
added: /var/log/aide/aide.log-20130321.gz
added: /var/log/aide/aide.log-20130322
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /var/log/aide/aide.log-20130321
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /var/log
changed: /var/log/sa
changed: /var/log/aide
changed: /var/log/aide/aide.log
changed: /var/log/cis
changed: /var/log/audit/audit.log
changed: /var/log/secure
changed: /var/log/cron
changed: /var/log/maillog
changed: /var/log/99updateyum.log
changed: /root/.bash_history
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /var/log
Mtime : 2013-03-21 03:31:04 , 2013-03-22 03:10:04
Ctime : 2013-03-21 03:31:04 , 2013-03-22 03:10:04
Directory: /var/log/sa
Mtime : 2013-03-21 00:00:01 , 2013-03-22 00:00:01
Ctime : 2013-03-21 00:00:01 , 2013-03-22 00:00:01
I made 2 changes to my aide.conf; in both cases I moved the most general statement to the end. I've included the relevant parts from the aide.conf below, but to summarize, I moved these two directives specifically
/var/log/sa
/var/log
The default aide.conf provided by Red Hat assumes that / is not included in the check, so it starts by specifying what I do want to have checked. I've modified some of the default rules to remove the check for selinux as it is not running in my environment.
# Sane, with multiple hashes
NORMAL = R+rmd160+sha256-selinux
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+xattrs
# Access control only
PERMS = p+i+u+g+acl
# Logfiles are special, in that they often change
LOG = >
# Next decide what directories/files you want in the database.
# note: These are the RH default entries. RH doesn't by default check starting at / - cls
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# My customizations
# subdirectories in /var/log
/var/log/(aide|cis|mail|ntpstats|ppp|prelink|rhsm) NORMAL
# 03.21.13 cls - ignore CommVault log directory
!/var/log/simpana
# normal type log files that are expected to grow
/var/run/utmp$ LOG
/var/log/wtmp$ LOG
/var/log/messages$ LOG
# do check /var/log/sa but ignore expected files
!/var/log/sa/sa[0-9][0-9]$
!/var/log/sa/sar[0-9][0-9]$
/var/log/sa NORMAL
# most general goes last
/var/log NORMAL
Thank you again.
Kind regards,
Cathy
---
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy
Phone: 509.375.2687
Fax: 509.375.2330
Email: cathy.smith at pnnl.gov
-----Original Message-----
From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi] On Behalf Of Richard van den Berg
Sent: Monday, March 18, 2013 11:46 PM
To: Aide user mailinglist
Subject: Re: [Aide] question about dealing with expected files
On 19 mrt. 2013, at 01:21, "Smith, Cathy" <cathy.smith at pnnl.gov> wrote:
> I’ve tried just to have aide ignore them, but the files are still listed under the daily added and dropped sections of the log:
How did you try to exclude this directory? Please show us your aide.conf
Kind regards,
Richard
_______________________________________________
Aide mailing list
Aide at cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide
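The config above keeps expected files out of the database entirely. A complementary approach on the receiving side is to parse the aide --check mail and separate routine changes (the aide log rotation and directory timestamp bumps seen in the report) from entries that merit a look. The script below is an added example, not code from the thread or from AIDE; the sample report is constructed from the mail quoted above, and the EXPECTED allowlist is a site-specific assumption.

```python
import re

# Constructed sample, trimmed from the aide --check cron mail quoted in the thread.
SAMPLE_REPORT = """\
Added files: 2
Removed files: 1
Changed files: 3
added: /var/log/aide/aide.log-20130321.gz
added: /var/log/aide/aide.log-20130322
removed: /var/log/aide/aide.log-20130321
changed: /var/log
changed: /var/log/aide/aide.log
changed: /root/.bash_history
"""

# Paths whose change is routine on this host (assumption: a site-specific allowlist).
EXPECTED = [
    re.compile(r"^/var/log/aide/aide\.log(-\d{8}(\.gz)?)?$"),  # aide's own log rotation
    re.compile(r"^/var/log(/sa|/aide)?$"),                      # directory mtime/ctime bumps
]

def parse_report(text):
    """Return (summary counts, per-kind path lists) from an aide --check report."""
    counts, entries = {}, {"added": [], "removed": [], "changed": []}
    for line in text.splitlines():
        m = re.match(r"^(Added|Removed|Changed) files:\s*(\d+)$", line)
        if m:
            counts[m.group(1).lower()] = int(m.group(2))
            continue
        m = re.match(r"^(added|removed|changed):\s+(\S+)$", line)
        if m:
            entries[m.group(1)].append(m.group(2))
    return counts, entries

def triage(counts, entries):
    """Split findings into routine noise and items a human should look at.
    A summary count that disagrees with the listed paths usually means the
    mail was truncated, so that is flagged for review as well."""
    review, noise = [], []
    for kind, paths in entries.items():
        if counts.get(kind, len(paths)) != len(paths):
            review.append(("truncated", kind))
        for path in paths:
            bucket = noise if any(rx.match(path) for rx in EXPECTED) else review
            bucket.append((kind, path))
    return review, noise
```

Run on the sample, only the /root/.bash_history change lands in the review list; the five log-rotation and directory entries are classified as noise.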