[Aide] [newbie] "Old db contains a entry that shouldn't be there": problem with log check rules?

Tom Roche Tom_Roche at pobox.com
Thu Sep 18 07:29:02 EEST 2014


summary: new user notes

$ date ; sudo aide -c /etc/aide/aide.conf --check
> Wed Sep 17 23:18:16 EDT 2014
> WARNING: Old db contains a entry that shouldn't be there, run --init or --update

This appears to be due to my application of log-handling rules that are recommended in the default /etc/aide/aide.conf freshly installed by Debian 7/wheezy. How to fix?

details:

I recently installed AIDE onto a fresh Debian 7.5 install with the following procedure:

### Install packages
$ sudo aptitude -y install aide
# produces following output:
# > The following NEW packages will be installed:
# >   aide aide-common{a} 
# > 0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
# ...
# > Processing triggers for man-db ...
# > Setting up aide (0.15.1-8) ...
# > Setting up aide-common (0.15.1-8) ...
# > 
# > Creating config file /etc/default/aide with new version
# ...
# > Creating config file /etc/cron.daily/aide with new version

### Check for major files
$ ls -al /etc/default/aide /etc/aide/aide.conf /var/lib/aide/aide.db /var/lib/aide/aide.db.new
# produces following output:
# > ls: cannot access /var/lib/aide/aide.db: No such file or directory
# > ls: cannot access /var/lib/aide/aide.db.new: No such file or directory
# > -rw-r--r-- 1 root root 6639 Jun 29  2012 /etc/aide/aide.conf
# > -rw-r--r-- 1 root root 3286 Jun 29  2012 /etc/default/aide

### Backup originals of major files
for FP in '/etc/aide/aide.conf' '/etc/default/aide' ; do sudo cp "${FP}" "${FP}.0" ; sudo chmod 400 "${FP}.0" ; done

### Modify default /etc/default/aide
sudo sed -i -e 's/^MAILTO=.*/MAILTO=Tom_Roche at pobox.com/' /etc/default/aide
grep -nH -e '^MAILTO' /etc/default/aide

sudo sed -i -e 's/^COMMAND=.*/COMMAND=check/' /etc/default/aide
grep -nH -e '^COMMAND' /etc/default/aide

sudo sed -i -e 's/^TRUNCATEDETAILS=.*/TRUNCATEDETAILS=yes/' /etc/default/aide
grep -nH -e '^TRUNCATEDETAILS' /etc/default/aide

sudo sed -i -e 's/^FILTERUPDATES=.*/FILTERUPDATES=yes/' /etc/default/aide
grep -nH -e '^FILTERUPDATES' /etc/default/aide

sudo sed -i -e 's/^FILTERINSTALLATIONS=.*/FILTERINSTALLATIONS=yes/' /etc/default/aide
grep -nH -e '^FILTERINSTALLATIONS' /etc/default/aide

# produces expected output:
# > /etc/default/aide:20:MAILTO=Tom_Roche at pobox.com
# ...
# > /etc/default/aide:57:FILTERINSTALLATIONS=yes

### Modify default /etc/aide/aide.conf

## recommended by http://www.snekul.com/wordpress/blog/2012/09/27/using-aide-on-ubuntu-12-04-lts-precise-pangolin-and-debian-7-wheezy/
sudo sed -i -e 's/^Checksums = .*/Checksums = sha512+tiger/' /etc/aide/aide.conf
grep -nH -e '^Checksums' /etc/aide/aide.conf

## following rules derived from my fiddling with AIDE on this fresh box, trying to reduce log output
sudo cat << 'END_HERE_DOC' | sudo tee -a /etc/aide/aide.conf
### following initial rules from http://aide.sourceforge.net/stable/manual.html#config
MyRule = p+i+n+u+g+s+b+m+c+md5+sha1 

## what directories/files you want to scan, and how. Note regarding rule order:
## https://mailman.cs.tut.fi/pipermail/aide/2014-April/001445.html
## > [Aide] wildcard in aide.conf?
## > Keith Constable kccricket at gmail.com
## > Thu Apr 24 13:25:20 EEST 2014

## > Be certain that your most specific rules are on top and most generic on bottom.
## > For example "!/home/.*/Downloads" needs to be higher in the list than "/home"

/bin MyRule      # apply rule=MyRule to all files=/bin/*
/etc p+i+u+g     # check only permissions, inode, user and group for /etc
/home MyRule
!/run            # don't scan /run/* .
# Note: above rule still resulted in much output like
# > open_dir():No such file or directory: /run/udev/watch/10
# until I reordered the rules for /var (moved `/var MyRule` from top to bottom).
/sbin MyRule
/usr MyRule
# will ignore some members of /var :
!/var/adm/utmp$  # ignore the specific file=/var/adm/utmp
!/var/backups    # ignore dir=/var/backups (and all subdirs)
!/var/cache
!/var/lib
# attempt to handle /var/log/dmesg* (before rest of /var/log)
/var/log/dmesg$ Log
#   takes care of the growing live log (step 6).
#   The "Log" rule is appropriate for logs that are not rotated daily as rotation might be reported (if the file size has decreased since the last aide run).
#   For daily rotated logs, the "FreqRotLog" may be more appropriate: i.e., `/var/log/dmesg$ FreqRotLog`
/var/log/dmesg\.1$ LowLog
/var/log/dmesg\.2\.gz$ LoSerMemberLog
# substituting 8->y-1 , 9->y
/var/log/dmesg\.[345678]\.gz$ SerMemberLog
/var/log/dmesg\.9\.gz$ HiSerMemberLog
/var/log Log     # apply rule=Log to all files=/var/log/*
!/var/mail
!/var/spool/.*   # ignore subdirs of /var/spool (but not /var/spool itself)
!/var/tmp
/var MyRule

## reporting

# always report changer's user and group ... only!
#report_attributes = u+g

# never report a file's block count.
ignore_list = b
# note ignore_list overrules report_attributes where they conflict
END_HERE_DOC

sudo diff -uwB /etc/aide/aide.conf.0 /etc/aide/aide.conf # verifies changes were written as expected

### Verify syntactic validity of config files: no output == success.
sudo aide --config-check
# produces no output

### Initialize AIDE database
sudo aideinit
# produces following output:
# > Running aide --init...
# >
# > AIDE, version 0.15.1
# >
# > ### AIDE database at /var/lib/aide/aide.db.new initialized.
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

### Sanity check 1: manually run `aide`

date ; sudo aide -c /etc/aide/aide.conf --check ; date
# produces following output:
# > Wed Sep 17 23:18:16 EDT 2014
# > WARNING: Old db contains a entry that shouldn't be there, run --init or --update
# > Entry /etc/adjtime in databases has different attributes: 1a0020081d 21d
# ... several more entries resembling previous and next ...
# > Entry /var/log/news/news.crit in databases has different attributes: 1a0020081d 1a0420081d
# >
# > AIDE, version 0.15.1
# >
# > ### All files match AIDE database. Looks okay!
# >
# > Wed Sep 17 23:18:26 EDT 2014

### Investigate failure of sanity check 1: manually run `aide`
date ; sudo aide -c /etc/aide/aide.conf --check -V ; date
# produces following output:
# > Wed Sep 17 23:39:28 EDT 2014
# > Rule at line 215 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
# > Rule at line 217 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
# > Rule at line 218 has c and I flags enabled at the same time. If same inode is found, flag c is ignored
# > WARNING: Old db contains a entry that shouldn't be there, run --init or --update
# ...

### lines 215-218 of /etc/aide/aide.conf
> /var/log/dmesg\.2\.gz$ LoSerMemberLog
> # substituting 8->y-1 , 9->y
> /var/log/dmesg\.[345678]\.gz$ SerMemberLog
> /var/log/dmesg\.9\.gz$ HiSerMemberLog

Those rules appear to me to implement the log-handling recommended in the {default, fresh, initially} installed /etc/aide/aide.conf (which follows my .sig to end of post). How to {fix handling of, appropriately use} 'c and I flags'?

TIA, Tom Roche <Tom_Roche at pobox.com>

---debian-installed /etc/aide/aide.conf follows to EOF---

# AIDE conf

# The daily cron job depends on these paths
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new
gzip_dbout=yes

# Set to no to disable summarize_changes option.
summarize_changes=yes

# Set to no to disable grouping of files in report.
grouped=yes

# if you want to sacrifice security for speed, remove some of these
# checksums. Whirlpool is broken on sparc and sparc64 (see #429180,
# #420547, #152203).
Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger

# X contains the groups 'acl', 'xattrs' and 'e2fsattrs' and additionally
# under linux archs the group 'selinux'. The group is used in some other
# group definitions below. To disable one of the groups (e.g. acl) append
# '-acl' to the group definition.
X=L-p-ftype-i-l-n-u-g

# check permissions, owner, group and file type
OwnerMode = p+u+g+ftype

# Check size and block count
Size = s+b

# Files that stay static
InodeData = OwnerMode+n+i+Size+l+X
StaticFile = m+c+Checksums

# Files that stay static but are copied to a ram disk on startup
# (causing different inode)
RamdiskData = InodeData-i

# Check everything
Full = InodeData+StaticFile

# Files that change their mtimes or ctimes but not their contents
VarTime = InodeData+Checksums

# Files that are recreated regularly but do not change their contents
VarInode = VarTime-i

# Files that change their contents during system operation
VarFile = OwnerMode+n+l+X

# Directories that change their contents during system operation
VarDir = OwnerMode+n+i+X

# Directories that are recreated regularly and change their contents
VarDirInode = OwnerMode+n+X

# Directories that change their mtimes or ctimes but not their contents
VarDirTime = InodeData

# Logs are special: they are continuously written to, may be compressed,
# have their file names changed in different, mutually incompatible ways
# and appear and vanish at will. Handling this is a complex and error-
# prone issue.
#
# This is best broken down in a number of small tasks:
#
#
# (A)
# While a live log is being written to, it doesn't change its mode and
# inode and its size only increases.
#
# (B)
# When a live log is rotated for the first time, it should not change
# its mode, may change its inode, and its size decreases. The size
# decrease may not be noticed by aide if the file had size x at the last
# aide run, was rotated in the mean time and was written to so that it
# had a size > x at the next aide run.
#
# (C)
# When a log is compressed, this looks to aide like the uncompressed
# file vanished (or was replaced by another file) and the compressed
# file appeared out of the blue. There is (currently) no way to
# associate the (gone) uncompressed file's contents with the (new)
# compressed file's contents
#
# (D)
# The actual log rotation may rename foo.{x}.bar to foo.{x+1}.bar without
# changing the other properties of the file
#
# (E)
# If only a given number of log generations is to be kept, foo.{y}.bar may
# vanish, but usually only when no foo.{z}.bar exists for z>y.
#
# (F)
# The set of files foo.{x}.bar to foo.{y}.bar is called a "log series"
# in aide terms, with the lowest x being called the "LoSerMember" element
# and the highest y being called the "HiSerMember" element, and the z
# with x<z<y simply called "SerMember". The Lo and Hi members need to
# be special cased in aide configuration.
#
#
# This is an example of the normal life of a log named foo in a logrotate
# configuration as it is commonly used in Debian (from old to new):
#     1 logrotate deletes HiSerMember foo.{y}.gz
#     2 logrotate rotates SerMember foo.{z-1}.gz to foo.{z}.gz for all
#       z with 2<z<=y. This includes rotation of foo.{y-1}.gz to
#       foo.{y}.gz and foo.2.gz to foo.3.gz
#     3 logrotate compresses foo.1 to foo.2.gz, creating LoSerMember foo.2.gz
#     4 logrotate rotates foo to foo.1 (a simple rename)
#     5 logrotate creates new, empty foo
#     6 foo daemon logs to foo - foo grows in size
#
# we need the following rules:
# /var/log/foo$ Log
# /var/log/foo$ FreqRotLog
#    this takes care of the growing live log (step 6). The "Log" rule
#    is appropriate for logs that are not rotated daily as rotation
#    might be reported (if the file size has decreased since the last
#    aide run). For daily rotated logs, the "FreqRotLog" may be more
#    appropriate.
# /var/log/foo\.1$ LowLog
#    this takes care of step 4.
# /var/log/foo\.2\.gz$ LoSerMemberLog
#    this allows yet unknown new files to appear with a \.2\.gz extension,
#    covering step 3.
# /var/log/foo\.[3..y-1]\.gz$ SerMemberLog
#    this watches the log files as they wander through the Series,
#    changing only their file name but not their contents or metadata,
#    covering step 2.
#    Please note that [3..y-1] needs to be a manually crafted regexp covering
#    all numbers between 3 and y-1.
# /var/log/foo\.y\.gz$ HiSerMemberLog
#    finally, the last element of the Series is allowed to vanish without
#    being reported, covering step 1.
#
# Please note that these example rules need to be adapted to the logrotate
# configuration for the log. Compression may be disabled or lead to a different
# extension, the dateext option may be used, old logs might be held in a
# different place, a log series does not necessarily need to be compressed etc.
#
# Please note that savelog rotates the live log to .0 and not to .1 as
# is logrotate's (changeable) default.


# Logs grow in size. Log rotation of these logs will be reported, so
# this should only be used for logs that are not rotated daily.
Log = OwnerMode+n+S+X

# Logs that are frequently rotated
FreqRotLog = Log-S

# The first instance of a rotated log: After the log has stopped being
# written to, but before rotation
LowLog = Log-S

# Rotated logs change their file name but retain all their other properties
SerMemberLog  = Full+I

# The first instance of a compressed, rotated log: After a LowLog was
# compressed.
LoSerMemberLog = SerMemberLog+ANF

# The last instance of a compressed, rotated log: After this name, a log
# will be removed
HiSerMemberLog = SerMemberLog+ARF

# Not-yet-compressed log created by logrotate's dateext option:
# These files appear one rotation (renamed from the live log) and are gone
# the next rotation (being compressed)
LowDELog = SerMemberLog+ANF+ARF

# Compressed log created by logrotate's dateext option: These files appear
# once and are not touched any more.
SerMemberDELog = Full+ANF

# For daemons that log to a variable file name and have the live log
# hardlinked to a static file name
LinkedLog = Log-n

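The rotation life cycle (steps 1-6) and the log-series rules that the Debian comments above derive from it, as an added shell example that is not part of the original post nor of the AIDE or Debian configuration. The names `rotate_once`, `log_write` and `series_rules` are this example's own. It assumes a logrotate-style layout (first rotation to `.1`, gzip compression from `.2.gz` on) and that AIDE's regular-expression engine accepts a `(3|4|...)` alternation for the manually crafted `[3..y-1]` range, which lets the generator cover y > 10 where a single bracket expression no longer fits.

```shell
#!/bin/sh
# Added example: simulate the logrotate life cycle described in the
# Debian aide.conf comments and emit the matching AIDE series rules.
# Not from the original post or from AIDE/Debian; function names are
# this example's own.
set -eu

# Step 6 of the life cycle: the daemon appends to the live log $1.
log_write() {
    printf '%s\n' "$2" >> "$1"
}

# One logrotate run for log $1 in directory $2, keeping $3 generations (y).
rotate_once() {
    name=$1; dir=$2; y=$3
    # step 1: delete HiSerMember foo.{y}.gz
    rm -f "$dir/$name.$y.gz"
    # step 2: shift SerMembers foo.{z-1}.gz -> foo.{z}.gz for z = y .. 3
    z=$y
    while [ "$z" -gt 2 ]; do
        prev=$((z - 1))
        [ -f "$dir/$name.$prev.gz" ] && mv "$dir/$name.$prev.gz" "$dir/$name.$z.gz"
        z=$prev
    done
    # step 3: compress foo.1 -> foo.2.gz (the LoSerMember)
    if [ -f "$dir/$name.1" ]; then
        if command -v gzip >/dev/null 2>&1; then
            gzip -c "$dir/$name.1" > "$dir/$name.2.gz" && rm "$dir/$name.1"
        else
            mv "$dir/$name.1" "$dir/$name.2.gz"   # stand-in when gzip is absent
        fi
    fi
    # step 4: rename the live log foo -> foo.1 (the LowLog)
    [ -f "$dir/$name" ] && mv "$dir/$name" "$dir/$name.1"
    # step 5: create a new, empty live log
    : > "$dir/$name"
}

# Emit the AIDE rules from the config comments for log $1 kept for $2
# generations.  [3..y-1] is written as an alternation (assumption: the
# regex engine accepts it, as PCRE does) so it also works for y > 10.
series_rules() {
    name=$1; y=$2
    printf '/var/log/%s$ Log\n' "$name"
    printf '/var/log/%s\\.1$ LowLog\n' "$name"
    printf '/var/log/%s\\.2\\.gz$ LoSerMemberLog\n' "$name"
    if [ "$y" -gt 3 ]; then
        alt=3; z=4
        while [ "$z" -lt "$y" ]; do alt="$alt|$z"; z=$((z + 1)); done
        printf '/var/log/%s\\.(%s)\\.gz$ SerMemberLog\n' "$name" "$alt"
    fi
    printf '/var/log/%s\\.%s\\.gz$ HiSerMemberLog\n' "$name" "$y"
}

# Usage (uncomment to try):
#   series_rules dmesg 9
#   d=$(mktemp -d); log_write "$d/foo" x; rotate_once foo "$d" 4; ls "$d"
```

Running `rotate_once` five times with y=4 leaves exactly `foo`, `foo.1`, `foo.2.gz`, `foo.3.gz` and `foo.4.gz` behind, which is the steady state the LoSerMemberLog/SerMemberLog/HiSerMemberLog rules are written for; comparing `series_rules dmesg 9` with the hand-written dmesg block above is a quick way to spot a mistyped range.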
