[Aide] Need help with AIDE configuration

Keith Constable kccricket at gmail.com
Fri Apr 22 14:47:27 EEST 2016


The answer to your original question is to run "aide --check". Given a
properly initialized database, the output will be exactly what you're
looking for. I promise.

Based on the screen shot you originally included, it looks to me that your
current database is empty. You'll need to move/rename the aide.db.new file
generated by that cron script into the path and file name noted by the
DATABASE variable line. Future runs of AIDE will then only report actual
filesystem changes.


If you browse the source for AIDE, I doubt you will find references to this
cron script. OS packages often include these sorts of scripts for ease of
use. If I'm wrong, I'm certain Hannes will step in and correct me. In the
past, he's stated that he's unable to support the cron scripts because he
didn't write them. I also have no experience with this cron script.

I mentioned protecting the AIDE database and binaries because any results
generated by AIDE are meaningless unless you can verify that an intruder
hasn't modified the binaries and database. That said, I understand certain
applications of AIDE may not warrant such paranoia. It's up to you how far
you want to take it.

Regards,
Keith


On Friday, April 22, 2016, LIJE Creative <info at lije-creative.com> wrote:

> No, AIDE out of the box offers a daily report.
> Once installed, it added the file */etc/cron.daily/aide* for me, which sends
> me a daily report.
> There is a MAILTO parameter which must be filled to work.
>
> CRON_DAILY_RUN="${CRON_DAILY_RUN:-yes}"
> *MAILTO="xxx at xxx.fr"*
> eval MAILTO="$MAILTO"
> DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
> LINES="${LINES:-1000}"
> COMMAND="${COMMAND:-check}"
> COPYNEWDB="${COPYNEWDB:-no}"
> QUIETREPORTS="${QUIETREPORTS:-no}"
> SILENTREPORTS="${SILENTREPORTS:-no}"
> TRUNCATEDETAILS="${TRUNCATEDETAILS:-no}"
> FILTERUPDATES="${FILTERUPDATES:-no}"
> FILTERINSTALLATIONS="${FILTERINSTALLATIONS:-no}"
> CRONEXITHOOK="${CRONEXITHOOK:-}"
> ONEXIT=""
>
> You can also see that the command is check, indeed.
> It is not the AIDE binaries and database that matter to me but the files of
> my web server.
> If a hacker gets a chance to inject some file into a website, I want to see
> it. But he probably won't modify the AIDE database himself.
>
> Regards,
>
> Jérôme LILLE | Agency Manager
> info at lije-creative.com | +33 7 70 87 02 03
> Website: www.lije-creative.com
>
> 2016-04-22 5:05 GMT+02:00 Keith Constable <kccricket at gmail.com>:
>
>> "aide --check" compares the file system to the aide database and gives
>> you a report of changed and added and deleted files.
>>
>> Are you using an OS packaged version of AIDE? AIDE itself produces no
>> daily report.
>>
>> You should only --init a new database once you've validated all changes
>> reported by the --check run.
>>
>> What protections do you have in place to ensure that the AIDE binaries
>> and database aren't compromised by an intruder?
>>
>> Regards,
>> Keith
>>
>>
>> On Thursday, April 21, 2016, LIJE Creative <info at lije-creative.com> wrote:
>>
>>> Hi guys,
>>>
>>> Like you, I'm a user of AIDE but I need a hand about the configuration.
>>>
>>> I'm getting the daily aide report. It contains the first 1000 lines of
>>> the log file.
>>>
>>> Do you know if there is a way to get only the list of newly added
>>> entries (difference between the new and old database) and the changed
>>> entries?
>>> Every day, I'm getting these 330k new added entries so I can't check if
>>> anything is messed up.
>>>
>>> I'm running AIDE on my /var/www folder to check newly added files from
>>> my clients or hackers.
>>>
>>> Thanks
>>>
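The two points Keith makes above, that a --check against an empty database reports every file as added until aide.db.new is moved into the path named by DATABASE, and that a report is only meaningful if the database itself has not been tampered with, can be wrapped in a small helper script. The following is an added example and is not code from this thread or from the AIDE project or its packaged cron script. It assumes the Debian-style default DATABASE=/var/lib/aide/aide.db quoted in the thread, assumes the new database is written beside it as aide.db.new, and uses a checksum store path that is a placeholder; the exit-status meanings come from AIDE's own documentation, not from this thread.

```sh
#!/bin/sh
# Added example (not from the thread or the AIDE project). Promotes a freshly
# initialised AIDE database into the DATABASE path, keeps an out-of-band
# SHA-256 of it so later runs can confirm the database was not altered, and
# decodes the exit status of `aide --check`.
set -eu

DATABASE="${DATABASE:-/var/lib/aide/aide.db}"             # default quoted in the thread
DATABASE_NEW="${DATABASE_NEW:-${DATABASE}.new}"           # assumption: aide.db.new sits beside aide.db
CHECKSUM_STORE="${CHECKSUM_STORE:-/root/aide.db.sha256}"  # placeholder; keep it on read-only or offline media

# Move a non-empty new database over the active one. Refuses an empty or
# missing file, because checking against an empty database reports every
# file as "added" (the symptom described at the start of the thread).
aide_promote_db() {
    new="$1"; db="$2"
    if [ ! -s "$new" ]; then
        echo "refusing to promote: $new is missing or empty" >&2
        return 1
    fi
    mv -f "$new" "$db"
    chmod 0600 "$db"
}

# Record the SHA-256 of the active database somewhere the host's root
# account cannot silently rewrite along with the database.
aide_record_checksum() {
    db="$1"; store="$2"
    sha256sum "$db" > "$store"
}

# Compare the active database against the recorded checksum before trusting
# a --check report. Returns 0 if unchanged, 1 if the database or store differs.
aide_verify_checksum() {
    db="$1"; store="$2"
    [ -r "$store" ] || return 1
    recorded=$(cut -d' ' -f1 "$store")
    current=$(sha256sum "$db" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# Decode `aide --check` exit status. Per AIDE's documentation: 0 means no
# changes; bits 1, 2 and 4 mean added, removed and changed entries and may be
# combined; 14 and above are errors (config, I/O, version mismatch, ...).
aide_decode_status() {
    status="$1"
    if [ "$status" -ge 14 ]; then
        echo "error"
        return 0
    fi
    out=""
    [ $((status & 1)) -ne 0 ] && out="${out}added "
    [ $((status & 2)) -ne 0 ] && out="${out}removed "
    [ $((status & 4)) -ne 0 ] && out="${out}changed "
    [ -z "$out" ] && out="unchanged "
    echo "${out% }"
}

# Typical operator flow (requires aide installed; not executed when sourced):
#   aide --init
#   aide_promote_db "$DATABASE_NEW" "$DATABASE"
#   aide_record_checksum "$DATABASE" "$CHECKSUM_STORE"
#   ...later, from cron:
#   aide_verify_checksum "$DATABASE" "$CHECKSUM_STORE" || { echo "database tampered" >&2; exit 2; }
#   aide --check; echo "aide --check: $(aide_decode_status $?)"
```

Running --init only after the previous --check report has been reviewed, then promoting and re-recording the checksum, keeps the "added" list down to what actually changed since the last accepted baseline, which is the output the original poster was after.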