[Aide] AIDE under CentOS - Advice to remove noise

Marc Haber mh+aide at zugschlus.de
Wed May 25 09:58:36 EEST 2016


On Sun, May 22, 2016 at 09:17:38AM +0100, Moss, Adam David wrote:
> I have AIDE running under CentOS and am getting some noise in the output.
> Can you please advise what would be the best modification to take in
> /etc/aide/aide.conf to resolve this?
> 
> I know I could just !/var/log/xxx but that doesn't seem like the "best"
> answer.

It clearly is the easiest answer to get rid of all those messages once
and for ever. It does, however, open the possibility that somebody
will hide his rootkit / exploit in
/var/log/nginx/access.log-20160520.gz if you exclude it.

Not having rotated logs trigger aide is one of the hardest tasks when
building a scalable aide setup. You have already chosen wisely by
adopting a dateext rotation scheme where a log is written to,
eventually renamed to logname-$DATE, eventually compressed and then
never touched again. Managing this scheme is wildly easier than the
old scheme with log => log.1 => log.2.gz => log.3.gz etc. It can be
even easier if you don't rotate seldom-written log files daily but use
logrotate's size option to rotate the log only when it has exceeded a
certain size. I incidentally find this vastly easier to handle anyway.

The ANF, ARF and > default groups do try to cater for your needs. You
need, however, to balance your configuration between "take the
risk of people using your logs to hide in them, but no aide alerts"
and "be informed when an archived log file changes but need to
manually ACK each rotated log file".

If you want to play with ANF and ARF, I would suggest setting up a test
directory with a local logrotate that rotates more often, and running
aide in this test directory more often than daily as well, so that you
shorten your trial-and-error turnaround time.

I am afraid that this is no silver bullet and still places significant
workload on you, but it's all that I have to offer at the moment. Feel
free to ask additional questions if you want to.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
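An added example of how the trade-off described in the mail above can be written down in aide.conf. It is not part of the original mail and not the AIDE project's shipped configuration. The nginx paths and the eight-digit dateext suffix are assumptions; the attribute letters (p, u, g, i, n, s, m, c, S, sha256) are AIDE's built-in ones, while ANF (ignore added files) and ARF (ignore removed files) are the attributes from Debian's AIDE configuration, so check aide.conf(5) on your CentOS AIDE build before relying on them.

```conf
# Added example, not from the original mail or the AIDE project.
# Assumed: nginx logs under /var/log/nginx, logrotate "dateext" with the
# default YYYYMMDD suffix, and the ANF/ARF attributes from Debian's AIDE
# configuration (not present in every AIDE release).

# Rule groups, built from AIDE's built-in attributes.
# Live: the file currently being written. No size check, because the
#       daily rotation renames it away and creates an empty one; no inode
#       check for the same reason. Owner, mode and link count stay fixed.
Live   = p+u+g+n
# Frozen: a finished log. Everything is pinned, including a checksum.
Frozen = p+u+g+i+n+s+m+c+sha256

# The easy answer: one line, and aide never looks at the directory again,
# so a planted /var/log/nginx/access.log-20160520.gz goes unnoticed.
# Shown here, commented out, only to contrast with the rules below.
#!/var/log/nginx

# Live logs. With a size-based rotation instead of a daily one you can
# afford Live+S (report if the file ever shrinks) and ACK the rare rotation.
/var/log/nginx/access\.log$ Live
/var/log/nginx/error\.log$  Live

# Rotated but not yet compressed (the "delaycompress" window). Such a
# file appears at one rotation and disappears at the next, so ANF (ignore
# added) and ARF (ignore removed) hide exactly that pair of events while
# still alerting if its content changes in between.
/var/log/nginx/(access|error)\.log-[0-9]{8}$ Frozen+ANF+ARF

# Compressed archives. Deliberately no ANF: every new .gz is reported once
# and has to be accepted into the database (aide --update), which is the
# manual ACK that buys you detection of a file dropped in here. Add +ANF
# to this line and you are back to "quiet, but a hiding place".
/var/log/nginx/(access|error)\.log-[0-9]{8}\.gz$ Frozen
```

The last two rules are the knob the mail talks about: +ANF on the .gz line gives silence at the cost of a hiding place, leaving it off gives one report per rotation that has to be acknowledged. Trying this in a scratch directory with its own logrotate state file and a frequent rotation interval, as suggested above, is the quickest way to see which events each variant produces.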