I have just set up AIDE in Debian, and have made the following guide for my own use as I will probably forget these details later. I offer these to anyone interested. Please let me know of any errors here. Feel free to use as you desire - no guarantees.
Russell's guide to AIDE
=======================

This just applies to Debian's version of AIDE.

Extracts from README.Debian:
============================

Debian's aide packages add some value and functionality to AIDE. Most of this functionality is delivered by scripts and is configured via the Debian configuration file in /etc/default/aide.

The AIDE configuration used by the Debian scripts is maintained in /etc/aide/aide.conf and /etc/aide/aide.conf.d. The script update-aide.conf is used to concatenate /etc/aide/aide.conf and /etc/aide/aide.conf.d to /var/lib/aide/config.autogenerated, which is the input configuration file for the actual aide binary. The databases are kept in /var/lib/aide by default. update-aide.conf has a man page.

The Debian scripts invoke aide via the wrapper /usr/bin/aide.wrapper which gives Debian-specific parameters to the aide binary. If you intend to use AIDE for your own use, please note that aide is compiled to use /dev/null as the default configuration file, so you _always_ need to give the path to a configuration file. This is to prevent a local invocation of aide from messing with the Debian database.

On installation, debconf is used to query the user whether to initialize the AIDE database and whether to automatically place the new database at a place where aide can pick it up as a reference. aideinit, the script used to initialize the database, has a man page.

[NOTE - I HAVEN'T USED DEBCONF - DOESN'T SEEM A PROBLEM]

Main work of the aide package happens in a daily cron job, which is installed to /etc/cron.daily/aide and thus runs as part of cron.daily processing. Standard output ends up in /var/log/aide/aide.log, and standard error in /var/log/aide/error.log. The cron job then mails aide's output to the address configured as MAILTO if either
 - reportable changes have been found or
 - no reportable changes have been found and QUIETREPORTS is not set to "yes".
These mails go to root by default.
That means that if QUIETREPORTS="yes", no message with contents "no changes detected, everything is fine" will be sent.

If NOISE is set to a regular expression, lines matching are filtered out in the e-mail report. This is commonly used in environments where some changes are not important enough to be part of the e-mail report that is read by humans, but should be in the log nevertheless for future reference. A second, not de-noised copy of the output is included as well.

Usage
=====

After installing, first look at /etc/default/aide and edit it for any tweaks you want to make - the comments in it are sufficient explanation. I have only modified MAILSUBJ to include the date, as otherwise my email system (gmail) attaches all the reports together.

Then run aideinit to initialise the database. At this point, if the cron job is run you would get no differences reported.

As above, AIDE runs automatically as a cron job. I actually use anacron since my PC is not on 24/7 - this means AIDE is run a few minutes after I log in in the morning. It takes around 25 minutes on my system (PIII 600 MHz). This depends on how many files you have to check and also on how many hashes you use. Using all the hashes seems like overkill, but as this runs in the background I keep all of them.

If you want to run AIDE manually just type /etc/cron.daily/aide (logged in as root). If AIDE is already running (due to cron or anacron) this will abort at some stage.

At this point you need do no more; you should get daily AIDE reports.

Altering the file checking configuration
========================================

When you get long output you may want to adjust the configuration. The manual for the aide binary is useful, but when it talks about modifying the config you have to bear in mind that the Debian config is generated automatically from a series of config files in /etc/aide/aide.conf.d. The actual basic config file /etc/aide/aide.conf is only a short header.
The real work of adjusting the config is done by modifying or adding to the files in /etc/aide/aide.conf.d. Some of these files are just path patterns (as in the aide manual) and some are bash scripts. I have only included path patterns in my file, so it is not executable (making it executable fails). I have created my own file 50_aide_russells which contains all my modifications. The number at the front of the filename appears to be used by the aide wrapper to decide the order in which these files are processed. Most of the standard applications appear as number 31, so my adjustments come later than this. Read the notes in the AIDE manual http://www.cs.tut.fi/%7Erammer/aide/manual.html about the importance of the order of the rules (especially the sentence: "It is generally a good idea to write the most general rules last.").

Some gotchas about setting up your aide.conf.d files:

Make sure you escape any dots in filenames:

    !/home/(anotheruser|russell)/\.cache/xfce4/desktop

The round brackets in the above line are useful for specifying alternatives to make the spec shorter.

Add a $ to the end of the line if you are specifying only one file:

    !/var/log/exim4/mainlog$

If you add directories or files to be checked, don't forget to add the checking rule at the end (in this case Logs):

    /var/log/cups Logs

You can include comment lines with hashes.

Sort your lines to make it easier to find and modify them later.

You can use variables (I haven't); extract from http://linux.die.net/man/5/aide.conf:

    @@define VAR val
        Define variable VAR to value val.

    Later in the file you can use @@{VAR} anywhere: @@{VAR} is replaced with the value of the variable VAR. If variable VAR is not defined an empty string is used. One special VAR is @@{HOSTNAME} which is substituted for the hostname of the current system.

After modifying any config files you need to reinitialise the database.
I suggest:

    update-aide.conf && aideinit -y -f

update-aide.conf does the conversion of the multiple config files into /var/lib/aide/config.autogenerated. It looks like it is run in the aideinit script, but my bash isn't good enough to be sure of this, so I execute it first anyway; it only takes a second or two. aideinit recreates the database, and the options -y -f ensure it is written over the old version. The next cron run will use the updated config and database.

Personal notes on my system
===========================

My aide.db is 22MB - no chance of getting it on a floppy!

I have 2 Debian systems on my PC multibooted. One is used solely to run AIDE and when it is run, it mounts the other system's partition under a directory called mymain. (When booted by the boot manager, the main system can't see the AIDE checking system's partition, so this is secure from compromise by the main system.) When running the AIDE check, I can therefore check both systems at the same time. I use the same rules for both systems. So to do this I have made a special fix (see the sed line below) in the script /usr/sbin/update-aide.conf (near the end of this script) which adds a prefix "(|mymain) " to all the paths AFTER update-aide.conf has processed all the aide.conf.d files.
(I got this idea from "how to audit vservers and chroots from the host system" in README.Debian):

    #********* the sed line below was inserted by Russell
    #********** (note I've used semicolons as a sed delimiter to avoid confusion with /)
    #********* this appends "(|mymain)" to the front of all paths specified
    #********* in order to process the subdirectory tree of mymain system as well as this system
    #********* also need to add to /etc/aide/aide.conf
    #********* @@define PREFIX (|mymain)
    (cat ${UPAC_confdir}/aide.conf 2>/dev/null; cat_parts ${UPAC_confd}) | \
        removecomments \
        | sed '\;^[=!/]; s;/;/@@{PREFIX};' \
        >> ${UPAC_outputfile}.tmp

Resulting lines in /var/lib/aide/config.autogenerated look like:

    !/@@{PREFIX}tmp/amanda/runtar.200[0-9]{11,14}.debug$
    /@@{PREFIX}tmp/amanda$ VarDir
_______________________________________________
Aide mailing list
Aide@cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide