[Aide] aide.db ignore/include in initial run?

Matt Zagrabelny mzagrabe at d.umn.edu
Wed Apr 12 15:37:05 EEST 2023


Greetings Marc!

On Wed, Apr 12, 2023 at 2:19 AM Marc Haber <mh+aide at zugschlus.de> wrote:

> Hi,
>
> I maintain the packages and the rules in Debian.
>
> On Mon, Apr 10, 2023 at 05:17:41PM -0500, Matt Zagrabelny wrote:
> > Running Debian:
> >
> > aide-common    0.17.3-4+deb11u1
> >
> > After install I run:
> >
> > aideinit
> >
> > then I run (by hand):
> >
> > /etc/cron.daily/aide
> >
> > In the resulting email from cron I see:
> >
> > ----------%<-----------BEGIN
> > Summary:
> >   Total number of entries:      163267
> >   Added entries:                1
> >   Removed entries:              0
> >   Changed entries:              0
> >
> > ---------------------------------------------------
> > Added entries:
> > ---------------------------------------------------
> >
> > f+++++++++++++++++: /var/lib/aide/aide.db
> > ----------%<-----------END
>
> Yes, that's the currently intended behavior.
>

OK. Good to know.


>
> > Is there a way to have the aideinit determine the checksum value for
> > /var/lib/aide/aide.db and include it in the initial run, thus causing the
> > initial email to have 0 added entries?
>
> In 0.17.3 there is no clean way to do that. In later versions, you can
> do a partly update of the database in a second step.
>

I looked through the ChangeLog (between 0.17.3 and 0.18.1), but wasn't able
to identify the option to "do a partly update".

Could you point me in the right direction for the correct config directive?


>
> This is one of the things that you cannot do right.
>
> You could try changing /etc/aide/aide.conf.d/31_aide_aide:
>
> diff --git a/debian/aide.conf.d/31_aide_aide
> b/debian/aide.conf.d/31_aide_aide
> index 48fbcf6..22d995b 100644
> --- a/debian/aide.conf.d/31_aide_aide
> +++ b/debian/aide.conf.d/31_aide_aide
> @@ -1,5 +1,6 @@
>  /var/lib/aide$ d VarDir-n
> -/var/lib/aide/aide\\.db(\\.new)?$ f VarFile
> +/var/lib/aide/aide\\.db\\.new$ f VarFile
> +/var/lib/aide/aide\\.db$ f VarFile+ANF
>  !/var/lib/aide/dailyaidecheck$ d
>  !/var/lib/aide/dailyaidecheck/((error|a(run|err))log|mailfile)$ f
>  /var/log/aide$ d VarDir
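Review bot: the new `/var/lib/aide/aide\\.db$ f VarFile+ANF` line depends on `ANF` (ignore added files) to swallow the one-time "added" report for the database after aideinit, and that intent is not visible from the rule itself; a comment above it saying why aide.db and aide.db.new now get separate rules would keep the next maintainer from merging them back into one regex. ANF only silences the file while it is new, so later changes to aide.db are still reported, which is presumably what is wanted here. One thing to confirm before applying: the rules as quoted use `\\.` where a config regex needs `\.` to match a literal dot; if the doubled backslash is a mail-quoting artifact the file is fine, but pasted as-is the patterns would require a literal backslash and stop matching either file.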
>
> If you decide to do that, please let me know how it goes. This might be
> a valid change for the post-bookworm package as well.
>

I'll take a look at making that change and report back.


>
> Why are you wondering about this? Are you planning to roll out a big
> number of Debian systems using aide?
>

Exactly. We're not talking about 1000s of servers, but 100s. I'm looking
to minimize (default) interaction with AIDE and also looking to minimize
emails - the email stating that /var/lib/aide/aide.db was added does not
give any real additional insight to the admins. So, it would be nice to
avoid that email altogether.

Thanks for your time in answering my email and also for all of your
contributions to Debian and free software.

Cheers,

-m
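Until a packaged fix lands, one defensive workaround for the mail-volume concern raised in this thread is to post-process the cron report and only forward it when it contains something other than the expected one-time addition of the database file. The following is an added example, not code from the thread or from the aide package; it parses the report format quoted above, treats the single path `/var/lib/aide/aide.db` as expected noise (an assumption, adjustable via `EXPECTED_ADDED`), and refuses to suppress anything when the summary counts and the listed entries disagree, so a malformed or truncated report is always escalated.

```python
import re

# Constructed sample: the cron report quoted in the thread, trimmed to the parts parsed here.
SAMPLE_REPORT_INITIAL = """\
Summary:
  Total number of entries:      163267
  Added entries:                1
  Removed entries:              0
  Changed entries:              0

---------------------------------------------------
Added entries:
---------------------------------------------------

f+++++++++++++++++: /var/lib/aide/aide.db
"""

# Constructed sample: same expected addition plus a real change that must be escalated.
SAMPLE_REPORT_CHANGED = """\
Summary:
  Total number of entries:      163268
  Added entries:                1
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Added entries:
---------------------------------------------------

f+++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...    .C...  : /etc/passwd
"""

# Assumption: only the database itself is expected to show up as "added" after aideinit.
EXPECTED_ADDED = {"/var/lib/aide/aide.db"}

# "  Added entries:                1" in the Summary block (header lines carry no number).
SUMMARY_RE = re.compile(r"^[ \t]*(Added|Removed|Changed) entries:[ \t]+(\d+)[ \t]*$", re.M)
# Section header exactly at column 0 with nothing after the colon.
SECTION_RE = re.compile(r"^(Added|Removed|Changed) entries:$")
# Entry line: type/attribute summary, then ": " and an absolute path.
ENTRY_RE = re.compile(r"^\S.*?: (/.*)$")


def parse_report(text: str) -> dict:
    """Return summary counts and the paths listed under each section of an AIDE report."""
    counts = {kind.lower(): int(num) for kind, num in SUMMARY_RE.findall(text)}
    entries = {"added": [], "removed": [], "changed": []}
    section = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        entry = ENTRY_RE.match(line)
        if entry and section:
            entries[section].append(entry.group(1))
    return {"counts": counts, "entries": entries}


def needs_attention(report: dict, expected_added=EXPECTED_ADDED) -> bool:
    """True unless the report consists solely of expected one-time additions."""
    counts, entries = report["counts"], report["entries"]
    # Any removal or change is always worth the mail.
    if counts.get("removed", 0) or counts.get("changed", 0):
        return True
    # If the summary and the listed entries disagree, the report is suspect: escalate.
    if counts.get("added", 0) != len(entries["added"]):
        return True
    return any(path not in expected_added for path in entries["added"])


def classify(text: str) -> str:
    """Decision for the mail wrapper: 'alert' to send, 'suppress' to drop."""
    return "alert" if needs_attention(parse_report(text)) else "suppress"


if __name__ == "__main__":
    print(classify(SAMPLE_REPORT_INITIAL))  # suppress
    print(classify(SAMPLE_REPORT_CHANGED))  # alert
```

In the cron wrapper this would sit between AIDE's output and the mail command; the parser is deliberately strict about which path it treats as noise, and an empty or garbled report (zero parsed entries against a non-zero count) is still delivered rather than silently dropped.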