[Aide] Basic understanding/procedural question

Bastard Operator from Hell aka Django django at nausch.org
Thu Feb 13 19:38:34 EET 2025 

HI!

Here I'm once again! ;)

I've been playing with AIDE for a few days now and I have to say that so 
far I like it a lot better than other attempts to model HIDS. But before 
I go any deeper, I wanted to quickly verify the basic procedure again to 
make sure I really understand it.

So, I noted the following steps in my PAP:

1) Edit the AIDE configuration file

2) Check the configuration file for syntactical errors using aide -D

3) Create the initial AIDE DATABASE file using the following command:
    aide -i

4) We then copy the created database file (on the host pml010074)
    /var/lib/aide/pml010074.aide.db.new.gz locally to
    /var/lib/aide/pml010074.aide.db.gz:
    cp -p /var/lib/aide/pml010074.aide.db.new.gz \
          /var/lib/aide/pml010074.aide.db.gz
    Optionally, we can copy this file /var/lib/aide/pml010074.aide.db.gz
    to the associated directory in the SAN for security reasons.

5) To check for file system changes, the file system is checked against
    the database manually using the following command, for example:
    aide -C.
    A systemd timer can be set to automate the daily check, for example:
    systemctl enable --now aidecheck.timer

6) The (sys)log files in which AIDE is logged are now monitored for
    abnormalities using a suitable tool, such as graylog.

7) If, for example, a system update is carried out via pacman -Suyy, it
    is now necessary to rebuild the AIDE database: aide -u

8) We then copy the newly created database file (on the host pml010074)
    /var/lib/aide/pml010074.aide.db.new.gz locally to
    /var/lib/aide/pml010074.aide.db.gz:
    cp -p /var/lib/aide/pml010074. aide.db.new.gz \
    /var/lib/aide/pml010074.aide.db.gz
    Optionally, we copy this file /var/lib/aide/pml010074.aide.db.gz back
    to the associated directory in the SAN for security reasons.

Have I forgotten something or even misunderstood something and not noted 
it correctly in my mental program flowchart?

I would be very grateful for any advice, whether positive or negative!


ttyl
-- 
Django (Bastard Operator from Hell [BOfH])
Mail: <mailto:django at nausch.org>

https://wetterstation-pliening.info
https://ebersberger-liedersammlung.de
https://dokuwiki.nausch.org

More information about the Aide mailing list