[Aide] question about dealing with expected files

Smith, Cathy cathy.smith at pnnl.gov
Sun Mar 31 01:08:46 EET 2013


Hi, again

I followed the instructions, and everything worked for what I wanted to check or not check in /var/log/sa.  Great.  So I went to the next directory, /var/log/aide, did the same thing, but it's not working.  I’m still getting notified of files that are expected and that I want to exclude.  I'm not sure what is not working.  So I'd appreciate your assistance again.  

Just a note. I'm running the version provided by Red Hat REHL6.  Everything is in one big file.  So, to make the most general rule clearer in the file, I reorganized a bit.  The default file provided by RH didn't really make it clear about the most general rule and had some things interspersed.  Also, this version from RH has nothing set up to handle the normal file creation/deletion that happens with logrotate.  I am trying to address this.

Oh, before it's asked, I am very careful when making a change to the aide.conf file to do
	aide --check-config
	aide --update
	cd /var/lib/aide
	cp aide.db.new.gz aide.db.gz
I also did a check on the timestamp on aide.db.gz and aide.conf just to be sure.

Here is the part of the report that I don't want to see:

---------------------------------------------------
Added files:
---------------------------------------------------

added: /var/log/aide/aide.log-20130327.gz
added: /var/log/aide/aide.log-20130328

---------------------------------------------------
Removed files:
---------------------------------------------------

removed: /var/log/aide/aide.log-20130327

Here are the files that exist in /var/log/aide
	/var/log/aide.log
	/var/log/aide.log-20130330
	/var/log/aide.log-20130329.gz

I hate to include the entire aide.conf file either inside the body of the email or as an attachment due to size, but I will if requested.  Here is the relevant section that I've created for handling /var/log.

# /var/log  - Begin section
# normal type log files that are expected to grow 
/var/log/wtmp$ LOG
/var/log/messages$ LOG 
/var/log/yum.log$ LOG 
/var/log/up2date$ LOG 
/var/log/sudo.log$ LOG 
/var/log/maillog$ LOG 
/var/log/dmesg$ LOG

# ignore files created by logrotate
!/var/log/[a-zA-Z].*-\d{8}.*

# ignore files ending in .old
!/var/log/.*\.old$

# do check /var/log/sa but ignore expected files 
!/var/log/sa/sa[0-9][0-9]$ 
!/var/log/sa/sar[0-9][0-9]$ 
/var/log/sa NORMAL

# take care of /var/log/aide 
!/var/log/aide/aide\.log-\d{8}\.gz
!/var/log/aide/aide\.log-\d{8}$
!/var/log/aide/aide\.log$
/var/log/aide   NORMAL

/var/log   NORMAL

Thanks in advance for your help.

Best regards,


Cathy
---
Cathy L. Smith
IT Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone:      509.375.2687
Fax:        509.375.2330
Email:      cathy.smith at pnnl.gov

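An added example, not part of the original post or of AIDE itself, that checks in Python which of the selection lines from the two aide.conf excerpts in this thread actually match the path names listed in the reports. It assumes, as AIDE's documentation describes, that each selection regex is anchored at the start of the path, and it assumes that AIDE's regex engine accepts `\d` the way Python's `re` module does; it deliberately does not model which of several matching lines AIDE finally applies. The path `/var/log/messages.old` is a constructed extra case.

```python
import re

# Selection lines copied from the /var/log section of the poster's aide.conf.
# A leading "!" marks a negative (exclude) line; the others name a rule.
SELECTION_LINES = [
    r"!/var/log/[a-zA-Z].*-\d{8}.*",
    r"!/var/log/.*\.old$",
    r"!/var/log/sa/sa[0-9][0-9]$",
    r"!/var/log/sa/sar[0-9][0-9]$",
    r"/var/log/sa NORMAL",
    r"!/var/log/aide/aide\.log-\d{8}\.gz",
    r"!/var/log/aide/aide\.log-\d{8}$",
    r"!/var/log/aide/aide\.log$",
    r"/var/log/aide   NORMAL",
    r"/var/log   NORMAL",
]

# Paths taken from the reports in this thread, plus one constructed case.
REPORTED_PATHS = [
    "/var/log/aide/aide.log-20130327.gz",
    "/var/log/aide/aide.log-20130328",
    "/var/log/aide/aide.log",
    "/var/log/sa/sa27",
    "/var/log/messages.old",  # constructed, not from the reports
]


def parse_selection_line(line):
    """Split a selection line into (is_negative, regex, rule_name_or_None)."""
    negative = line.startswith("!")
    body = line[1:] if negative else line
    parts = body.split()
    regex = parts[0]
    rule = parts[1] if len(parts) > 1 else None
    return negative, regex, rule


def matching_lines(path, lines=SELECTION_LINES):
    """Indexes of the selection lines whose regex matches `path`.

    re.match anchors at the start of the string, which is the assumed
    AIDE behaviour; a trailing $ in the pattern is the only end anchor.
    """
    hits = []
    for idx, line in enumerate(lines):
        _negative, regex, _rule = parse_selection_line(line)
        if re.match(regex, path):
            hits.append(idx)
    return hits


def classify(path, lines=SELECTION_LINES):
    """'excluded-only', 'included-only', 'both' or 'unmatched' for `path`."""
    kinds = {parse_selection_line(lines[i])[0] for i in matching_lines(path, lines)}
    if not kinds:
        return "unmatched"
    if kinds == {True}:
        return "excluded-only"
    if kinds == {False}:
        return "included-only"
    return "both"


if __name__ == "__main__":
    for p in REPORTED_PATHS:
        hits = matching_lines(p)
        print(f"{p}: {classify(p)}")
        for i in hits:
            print(f"    line {i}: {SELECTION_LINES[i]}")
```

Run as a script it prints, for each path, the lines that fire. Every path from the reports matches at least one negative line and also the `/var/log/aide` and `/var/log` positive lines, so the regexes themselves are not the problem; what decides whether the file is reported is how AIDE orders negative and positive selection lines, which is the part to check in the aide.conf(5) manual for the installed version.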

-----Original Message-----
From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi] On Behalf Of Smith, Cathy
Sent: Friday, March 22, 2013 4:00 PM
To: Aide user mailinglist
Cc: Smith, Gary R
Subject: Re: [Aide] question about dealing with expected files

Hi

Thanks for the clarification.  This is working  now.

The mail from the cron job running aide --check is not reporting the files added/dropped from /var/log/sa any more.  It is correctly reporting that the directory /var/log/sa did change.

Here is the email from the cron job:

Subject: Cron <root at foo> /usr/sbin/aide --check 2>&1 

AIDE found differences between database and filesystem!!
Start timestamp: 2013-03-22 05:30:01

Summary:
  Total number of files:	65498
  Added files:			2
  Removed files:		1
  Changed files:		11


---------------------------------------------------
Added files:
---------------------------------------------------

added: /var/log/aide/aide.log-20130321.gz
added: /var/log/aide/aide.log-20130322

---------------------------------------------------
Removed files:
---------------------------------------------------

removed: /var/log/aide/aide.log-20130321

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /var/log
changed: /var/log/sa
changed: /var/log/aide
changed: /var/log/aide/aide.log
changed: /var/log/cis
changed: /var/log/audit/audit.log
changed: /var/log/secure
changed: /var/log/cron
changed: /var/log/maillog
changed: /var/log/99updateyum.log
changed: /root/.bash_history

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------


Directory: /var/log
  Mtime    : 2013-03-21 03:31:04              , 2013-03-22 03:10:04
  Ctime    : 2013-03-21 03:31:04              , 2013-03-22 03:10:04

Directory: /var/log/sa
  Mtime    : 2013-03-21 00:00:01              , 2013-03-22 00:00:01
  Ctime    : 2013-03-21 00:00:01              , 2013-03-22 00:00:01



I made 2 changes to my aide.conf, both where I moved the most general statement to the last.  I've included the relevant parts from the aide.conf below, but to summarize, I moved these two directives specifically
	/var/log/sa
	/var/log

The default aide.conf provided by Red Hat assumes that / is not included in the check, so it starts by specifying what I do want to have checked.  I've modified some of the default rules to remove the check for selinux as it is not running in my environment.

# Sane, with multiple hashes
NORMAL = R+rmd160+sha256-selinux

# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+xattrs

# Access control only
PERMS = p+i+u+g+acl

# Logfiles are special, in that they often change
LOG = >

# Next decide what directories/files you want in the database.
# note: These are the RH default entries.  RH doesn't by default check starting at / - cls
/boot   NORMAL
/bin    NORMAL
/sbin   NORMAL
/lib    NORMAL
/lib64  NORMAL
/opt    NORMAL
/usr    NORMAL
/root   NORMAL
# These are too volatile
!/usr/src
!/usr/tmp

# My customizations
# subdirectories in /var/log 
/var/log/(aide|cis|mail|ntpstats|ppp|prelink|rhsm)   NORMAL
# 03.21.13 cls - ignore CommVault log directory
!/var/log/simpana

# normal type log files that are expected to grow
/var/run/utmp$ LOG
/var/log/wtmp$ LOG
/var/log/messages$ LOG

# do check /var/log/sa but ignore expected files
!/var/log/sa/sa[0-9][0-9]$
!/var/log/sa/sar[0-9][0-9]$
/var/log/sa NORMAL

# most general goes last
/var/log   NORMAL


Thank you again.

Kind regards,


Cathy
---
Cathy L. Smith
IT Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone:      509.375.2687
Fax:        509.375.2330
Email:      cathy.smith at pnnl.gov


-----Original Message-----
From: aide-bounces at cs.tut.fi [mailto:aide-bounces at cs.tut.fi] On Behalf Of Richard van den Berg
Sent: Monday, March 18, 2013 11:46 PM
To: Aide user mailinglist
Subject: Re: [Aide] question about dealing with expected files

On 19 mrt. 2013, at 01:21, "Smith, Cathy" <cathy.smith at pnnl.gov> wrote:

> I’ve tried just to have aide ignore them, but the files are still listed under the daily added and dropped sections of the log:

How did you try to exclude this directory? Please show us your aide.conf

Kind regards,

Richard
_______________________________________________
Aide mailing list
Aide at cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide