[Aide] Implementation and configuration question.

Dave Shevett shevett at pobox.com
Wed May 22 17:05:11 EEST 2013


On 5/22/13 5:46 AM, Richard van den Berg wrote:
> Aide does not ship with a cron.daily script. Most likely this is 
> provided by your Linux distribution. You should request support for 
> this script there. Did you read their documentation for example in 
> /usr/share/doc ?

That really has very little information in it....
dshevett at inf-3:/usr/share/doc/aide$ ls -l
total 12
-rw-r--r-- 1 root root 3366 Jan  9  2012 changelog.Debian.gz
-rw-r--r-- 1 root root 3364 Jan  9  2012 copyright
-rw-r--r-- 1 root root 3669 Jan  9  2012 NEWS.Debian.gz

I'm still having a hard time finding out information about this cron 
script though. :(

For the record, I'm using Ubuntu Precise, the package details are here;
http://packages.ubuntu.com/precise/aide-common
(this appears to be where the cron.daily script came from.  I'm going to 
contact the maintainers there as well, but I don't have a lot of hope).

>
>> 2) I want aide to rebuild and place the database after each check. One
>> warning sent to root@ that such and such files are changed, and then the
>> database is reset.  I can't use the same filename in /etc/aide/aide.conf
>> for database, database_out, and database_new (it throws a warning).  So
>> how do I say "Run against the current db, when done, put the new db in
>> place of the old one"?  --update doesn't seem to do anything.
>> Consecutive runs of --update show the same information.
>
> See http://www.cs.tut.fi/~rammer/aide/manual.html#usage
The documentation there (which I've read, btw), I believe is pushing 
aide into a usage model that is different from what I want to do. For 
example:

"There is usually some drift in the databases. What I mean by drift is 
that new files are created, config files of applications are edited, 
tons of small changes pile up until the report becomes unreadable. This 
can be avoided by updating the database once in a while. I myself run 
the update every night. But, I don't replace the input database nearly 
as often. The replacement of the input database should always be a manual 
operation. This should not be automated."

If there is drift, how can this be an effective tripwire?  I want to 
know immediately if a file has changed on a target system.  Once that 
report is sent to me, I want the database reset.  If implemented this 
way, if the change that has happened is innocuous (someone goes into a 
host and makes a config change), then there's no further work to be 
done.  Delete the email and move on.  As I understand the docs, there is 
no way to do this without manually moving the files around each time.  
Am I understanding this correctly?

>> If I can get these basic operations going, I'll probably
>> implement it.  Am I missing some basic concept?
>
> Which parts of http://www.cs.tut.fi/~rammer/aide/manual.html specifically do you 
> have questions about?
See my answer to #2 :)

     -d
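The model Dave asks for in #2 (check against the current database, mail the report, then put the new database in place) can be scripted around a single `aide --update` run, because `--update` compares against `database` and writes `database_out` in one pass. The script below is an added example for this thread, not code from the AIDE project or the Debian/Ubuntu package; it assumes the Debian/Ubuntu layout (`/etc/aide/aide.conf`, `/var/lib/aide/aide.db` as `database`, `/var/lib/aide/aide.db.new` as `database_out`), a `mail` command, and the exit-status convention from the AIDE man page (0 no changes, 1/2/4 bitmask for added/removed/changed, 14 and above an error). It keeps a dated copy of each database it replaces, which matters under this model: once the new database is promoted, a change is reported only once, so the dated copies are what lets you reconstruct the sequence of states later.

```shell
#!/bin/sh
# Added example: nightly AIDE run that mails the change report, then
# promotes the freshly written database so the next run compares against
# the state just reported. Paths are the Debian/Ubuntu defaults and are
# assumptions; check your /etc/aide/aide.conf.

AIDE_BIN="${AIDE_BIN:-aide}"
AIDE_CONF="${AIDE_CONF:-/etc/aide/aide.conf}"
AIDE_DB_DIR="${AIDE_DB_DIR:-/var/lib/aide}"
MAILTO="${MAILTO:-root}"

# Map aide's exit status to a verdict (convention from the AIDE man page):
# 0 = no differences; 1..7 = bitmask of added(1)/removed(2)/changed(4);
# anything higher is an error, and database_out must not be trusted.
classify_status() {
    case "$1" in
        0)     echo "unchanged" ;;
        [1-7]) echo "changed" ;;
        *)     echo "error" ;;
    esac
}

# Promote aide.db.new (database_out) over aide.db (database), keeping a
# dated copy of the previous database. Returns 0 when the rotation was
# done, 1 when it was skipped (error run or no new database written).
rotate_db() {
    dir="$1"
    status="$2"
    [ "$(classify_status "$status")" != "error" ] || return 1
    [ -s "$dir/aide.db.new" ] || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    if [ -f "$dir/aide.db" ]; then
        cp -p "$dir/aide.db" "$dir/aide.db.$stamp"
    fi
    mv "$dir/aide.db.new" "$dir/aide.db"
    return 0
}

# The nightly job: one --update pass does the check and writes the new db.
main() {
    report=$(mktemp) || exit 1
    "$AIDE_BIN" --config "$AIDE_CONF" --update > "$report" 2>&1
    status=$?
    kind=$(classify_status "$status")
    if [ "$kind" != "unchanged" ]; then
        # Report every difference (and every error) before anything is replaced.
        mail -s "AIDE $kind on $(hostname) (exit $status)" "$MAILTO" < "$report"
    fi
    if rotate_db "$AIDE_DB_DIR" "$status"; then
        echo "aide: database rotated after status $status"
    else
        echo "aide: database NOT rotated (status $status)" >&2
    fi
    rm -f "$report"
}

# Only run the job when invoked as "aide-nightly.sh run"; sourcing the
# file or running it without the argument just defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Drop this in as `/etc/cron.daily/aide-nightly` (invoked with the `run` argument) in place of the distribution's cron script, and prune the dated `aide.db.*` copies on whatever schedule your retention needs. Because an error exit never rotates, a misconfigured run cannot silently replace a good database with an empty one.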