summary: new user notes

$ date ; sudo aide -c /etc/aide/aide.conf --check
> Wed Sep 17 23:18:16 EDT 2014
> WARNING: Old db contains a entry that shouldn't be there, run --init or
> --update

This appears to be due to my application of log-handling rules that are recommended in the default /etc/aide/aide.conf freshly installed by Debian 7/wheezy. How to fix?

details:

I recently installed AIDE onto a fresh Debian 7.5 install with the following procedure:

### Install packages

$ sudo aptitude -y install aide
# produces following output:
# > The following NEW packages will be installed:
# >   aide aide-common{a}
# > 0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
# ...
# > Processing triggers for man-db ...
# > Setting up aide (0.15.1-8) ...
# > Setting up aide-common (0.15.1-8) ...
# >
# > Creating config file /etc/default/aide with new version
# ...
# > Creating config file /etc/cron.daily/aide with new version

### Check for major files

$ ls -al /etc/default/aide /etc/aide/aide.conf /var/lib/aide/aide.db /var/lib/aide/aide.db.new
# produces following output:
# > ls: cannot access /var/lib/aide/aide.db: No such file or directory
# > ls: cannot access /var/lib/aide/aide.db.new: No such file or directory
# > -rw-r--r-- 1 root root 6639 Jun 29  2012 /etc/aide/aide.conf
# > -rw-r--r-- 1 root root 3286 Jun 29  2012 /etc/default/aide

### Backup originals of major files

for FP in '/etc/aide/aide.conf' '/etc/default/aide' ; do
  sudo cp ${FP} ${FP}.0
  sudo chmod 400 ${FP}.0
done

### Modify default /etc/default/aide

sudo sed -i -e 's/^MAILTO=.*/MAILTO=tom_ro...@pobox.com/' /etc/default/aide
grep -nH -e '^MAILTO' /etc/default/aide
sudo sed -i -e 's/^COMMAND=.*/COMMAND=check/' /etc/default/aide
grep -nH -e '^COMMAND' /etc/default/aide
sudo sed -i -e 's/^TRUNCATEDETAILS=.*/TRUNCATEDETAILS=yes/' /etc/default/aide
grep -nH -e '^TRUNCATEDETAILS' /etc/default/aide
sudo sed -i -e 's/^FILTERUPDATES=.*/FILTERUPDATES=yes/' /etc/default/aide
grep -nH -e '^FILTERUPDATES' /etc/default/aide
sudo sed -i -e 's/^FILTERINSTALLATIONS=.*/FILTERINSTALLATIONS=yes/' /etc/default/aide
grep -nH -e '^FILTERINSTALLATIONS' /etc/default/aide
# produces expected output:
# >
/etc/default/aide:20:MAILTO=tom_ro...@pobox.com
# ...
# > /etc/default/aide:57:FILTERINSTALLATIONS=yes

### Modify default /etc/aide/aide.conf

## recommended by http://www.snekul.com/wordpress/blog/2012/09/27/using-aide-on-ubuntu-12-04-lts-precise-pangolin-and-debian-7-wheezy/
sudo sed -i -e 's/^Checksums = .*/Checksums = sha512+tiger/' /etc/aide/aide.conf
grep -nH -e '^Checksums' /etc/aide/aide.conf

## following rules derived from my fiddling with AIDE on this fresh box, trying to reduce log output
sudo cat << 'END_HERE_DOC' | sudo tee -a /etc/aide/aide.conf
### following initial rules from http://aide.sourceforge.net/stable/manual.html#config
MyRule = p+i+n+u+g+s+b+m+c+md5+sha1

## what directories/files you want to scan, and how. Note regarding rule order:
## https://mailman.cs.tut.fi/pipermail/aide/2014-April/001445.html
## > [Aide] wildcard in aide.conf?
## > Keith Constable kccricket at gmail.com
## > Thu Apr 24 13:25:20 EEST 2014
## > Be certain that your most specific rules are on top and most generic on bottom.
## > For example "!/home/.*/Downloads" needs to be higher in the list than "/home"

/bin MyRule      # apply rule=MyRule to all files=/bin/*
/etc p+i+u+g     # check only permissions, inode, user and group for /etc
/home MyRule
!/run            # don't scan /run/* .
# Note: above rule still resulted in much output like
# > open_dir():No such file or directory: /run/udev/watch/10
# until I reordered the rules for /var (moved `/var MyRule` from top to bottom).
/sbin MyRule
/usr MyRule

# will ignore some members of /var :
!/var/adm/utmp$  # ignore the specific file=/var/adm/utmp
!/var/backups    # ignore dir=/var/backups (and all subdirs)
!/var/cache
!/var/lib

# attempt to handle /var/log/dmesg* (before rest of /var/log)
/var/log/dmesg$ Log
# takes care of the growing live log (step 7).
# The "Log" rule is appropriate for logs that are not rotated daily as rotation
# might be reported (if the file size has decreased since the last aide run).
# For daily rotated logs, the "FreqRotLog" may be more appropriate:
# i.e., `/var/log/dmesg$ FreqRotLog`
/var/log/dmesg\.1$ LowLog
/var/log/dmesg\.2\.gz$ LoSerMemberLog
# substituting 8->y-1 , 9->y
/var/log/dmesg\.[345678]\.gz$ SerMemberLog
/var/log/dmesg\.9\.gz$ HiSerMemberLog
/var/log Log     # apply rule=Log to all files=/var/log/*

!/var/mail
!/var/spool/.*   # ignore subdirs of /var/spool (but not /var/spool itself)
!/var/tmp
/var MyRule

## reporting
# always report changer's user and group ... only!
#report_attributes = u+g
# never report a file's block count.
ignore_list = b
# note ignore_list overrules report_attributes where they conflict
END_HERE_DOC

sudo diff -uwB /etc/aide/aide.conf.0 /etc/aide/aide.conf
# verifies changes were written as expected

### Verify syntactic validity of config files: no output == success.

sudo aide --config-check
# produces no output

### Initialize AIDE database

sudo aideinit
# produces following output:
# > Running aide --init...
# >
# > AIDE, version 0.15.1
# >
# > ### AIDE database at /var/lib/aide/aide.db.new initialized.
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

### Sanity check 1: manually run `aide`

date ; sudo aide -c /etc/aide/aide.conf --check ; date
# produces following output:
# > Wed Sep 17 23:18:16 EDT 2014
# > WARNING: Old db contains a entry that shouldn't be there, run --init or --update
# > Entry /etc/adjtime in databases has different attributes: 1a0020081d 21d
# ... several more entries resembling previous and next ...
# > Entry /var/log/news/news.crit in databases has different attributes: 1a0020081d 1a0420081d
# >
# > AIDE, version 0.15.1
# >
# > ### All files match AIDE database. Looks okay!
# >
# > Wed Sep 17 23:18:26 EDT 2014

### Investigate failure of sanity check 1: manually run `aide`

date ; sudo aide -c /etc/aide/aide.conf --check -V ; date
# produces following output:
# > Wed Sep 17 23:39:28 EDT 2014
# > Rule at line 215 has c and I flags enabled at the same time.
# >   If same inode is found, flag c is ignored
# > Rule at line 217 has c and I flags enabled at the same time.
# >   If same inode is found, flag c is ignored
# > Rule at line 218 has c and I flags enabled at the same time.
# >   If same inode is found, flag c is ignored
# > WARNING: Old db contains a entry that shouldn't be there, run --init or --update
# ...

### lines 215-218 of /etc/aide/aide.conf

> /var/log/dmesg\.2\.gz$ LoSerMemberLog
> # substituting 8->y-1 , 9->y
> /var/log/dmesg\.[345678]\.gz$ SerMemberLog
> /var/log/dmesg\.9\.gz$ HiSerMemberLog

Those rules appear to me to implement the log-handling recommended in the {default, fresh, initially} installed /etc/aide/aide.conf (which follows my .sig to end of post). How to {fix handling of, appropriately use} 'c and I flags'?

TIA, Tom Roche <tom_ro...@pobox.com>

---debian-installed /etc/aide/aide.conf follows to EOF---

# AIDE conf

# The daily cron job depends on these paths
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new
gzip_dbout=yes

# Set to no to disable summarize_changes option.
summarize_changes=yes

# Set to no to disable grouping of files in report.
grouped=yes

# if you want to sacrifice security for speed, remove some of these
# checksums. Whirlpool is broken on sparc and sparc64 (see #429180,
# #420547, #152203).
Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger

# X contains the groups 'acl', 'xattrs' and 'e2fsattrs' and additionally
# under linux archs the group 'selinux'. The group is used in some other
# group definitions below. To disable one of the groups (e.g. acl) append
# '-acl' to the group definition.
X=L-p-ftype-i-l-n-u-g

# check permissions, owner, group and file type
OwnerMode = p+u+g+ftype

# Check size and block count
Size = s+b

# Files that stay static
InodeData = OwnerMode+n+i+Size+l+X
StaticFile = m+c+Checksums

# Files that stay static but are copied to a ram disk on startup
# (causing different inode)
RamdiskData = InodeData-i

# Check everything
Full = InodeData+StaticFile

# Files that change their mtimes or ctimes but not their contents
VarTime = InodeData+Checksums

# Files that are recreated regularly but do not change their contents
VarInode = VarTime-i

# Files that change their contents during system operation
VarFile = OwnerMode+n+l+X

# Directories that change their contents during system operation
VarDir = OwnerMode+n+i+X

# Directories that are recreated regularly and change their contents
VarDirInode = OwnerMode+n+X

# Directories that change their mtimes or ctimes but not their contents
VarDirTime = InodeData

# Logs are special: they are continuously written to, may be compressed,
# have their file names changed in different, mutually incompatible ways
# and appear and vanish at will. Handling this is a complex and error-prone
# issue.
#
# This is best broken down in a number of small tasks:
#
# (A)
# While a live log is being written to, it doesn't change its mode and
# inode and its size only increases.
#
# (B)
# When a live log is rotated for the first time, it should not change
# its mode, may change its inode, and its size decreases. The size
# decrease may not be noticed by aide if the file had size x at the last
# aide run, was rotated in the meantime and was written to so that it
# had a size > x at the next aide run.
#
# (C)
# When a log is compressed, this looks to aide like the uncompressed
# file vanished (or was replaced by another file) and the compressed
# file appeared out of the blue. There is (currently) no way to
# associate the (gone) uncompressed file's contents with the (new)
# compressed file's contents
#
# (D)
# The actual log rotation may rename foo.{x}.bar to foo.{x+1}.bar without
# changing the other properties of the file
#
# (E)
# If only a given number of log generations is to be kept, foo.{y}.bar may
# vanish, but usually only when no foo.{z}.bar exists for z>y.
#
# (F)
# The set of files foo.{x}.bar to foo.{y}.bar is called a "log series"
# in aide terms, with the lowest x being called the "LoSerMember" element
# and the highest y being called the "HiSerMember" element, and the z
# with x<z<y simply called "SerMember". The Lo and Hi members need to
# be special cased in aide configuration.
#
#
# This is an example of the normal life of a log named foo in a logrotate
# configuration using a configuration as it is commonly used in Debian
# (from old to new):
# 1 logrotate deletes HiSerMember foo.{y}.gz
# 2 logrotate rotates SerMember foo.{z-1}.gz to foo.{z}.gz for all
#   z with 3<z<=y. This includes rotation of foo.{y-1}.gz to
#   foo.{y}.gz and foo.2.gz to foo.3.gz
# 3 logrotate compresses foo.1 to foo.2.gz, creating LoSerMember foo.2.gz
# 4 logrotate rotates foo to foo.1 (a simple rename)
# 5 logrotate creates new, empty foo
# 6 foo daemon logs to foo - foo grows in size
#
# we need the following rules:
# /var/log/foo$ Log
# /var/log/foo$ FreqRotLog
# this takes care of the growing live log (step 7). The "Log" rule
# is appropriate for logs that are not rotated daily as rotation
# might be reported (if the file size has decreased since the last
# aide run). For daily rotated logs, the "FreqRotLog" may be more
# appropriate.
# /var/log/foo\.1$ LowLog
# this takes care of step 5.
# /var/log/foo\.2\.gz$ LoSerMemberLog
# this allows yet unknown new files to appear with a \.2\.gz extension,
# covering step 3.
# /var/log/foo\.[3..y-1]\.gz$ SerMemberLog
# this watches the log files as they wander through the Series,
# changing only their file name but not their contents or metadata,
# covering step 2.
# Please note that [3..y-1] needs to be a manually crafted regexp covering
# all numbers between 3 and y-1.
# /var/log/foo\.y\.gz$ HiSerMemberLog
# finally, the last element of the Series is allowed to vanish without
# being reported, covering step 1.
#
# Please note that these example rules need to be adapted to the logrotate
# configuration for the log. Compression may be disabled or lead to a different
# extension, the dateext option may be used, old logs might be held in a
# different place, a log series does not necessarily need to be compressed etc.
#
# Please note that savelog rotates the live log to .0 and not to .1 as it
# is logrotate's (changeable) default.

# Logs grow in size. Log rotation of these logs will be reported, so
# this should only be used for logs that are not rotated daily.
Log = OwnerMode+n+S+X

# Logs that are frequently rotated
FreqRotLog = Log-S

# The first instance of a rotated log: After the log has stopped being
# written to, but before rotation
LowLog = Log-S

# Rotated logs change their file name but retain all their other properties
SerMemberLog = Full+I

# The first instance of a compressed, rotated log: After a LowLog was
# compressed.
LoSerMemberLog = SerMemberLog+ANF

# The last instance of a compressed, rotated log: After this name, a log
# will be removed
HiSerMemberLog = SerMemberLog+ARF

# Not-yet-compressed log created by logrotate's dateext option:
# These files appear one rotation (renamed from the live log) and are gone
# the next rotation (being compressed)
LowDELog = SerMemberLog+ANF+ARF

# Compressed log created by logrotate's dateext option: These files appear
# once and are not touched any more.
SerMemberDELog = Full+ANF

# For daemons that log to a variable file name and have the live log
# hardlinked to a static file name
LinkedLog = Log-n

_______________________________________________
Aide mailing list
Aide@cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide
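The series regexp that the Debian comments say must be "manually crafted" (and that the post above writes by hand as `[345678]`) can be derived from the logrotate `rotate` count instead, which removes one place to get the rules wrong. The Python below is an added example written for this page; it is not code from the post, from AIDE or from Debian. It assumes the rule-group names of the Debian aide.conf quoted above (Log, FreqRotLog, LowLog, LoSerMemberLog, SerMemberLog, HiSerMemberLog), a logrotate setup with `compress` and `delaycompress` (foo, foo.1, foo.2.gz ... foo.N.gz), and the function names `escape_path`, `int_alternation`, `log_series_rules`, `render` and `first_match` are hypothetical helpers. It goes beyond the post's single case: it handles rotate counts above 9, where a single-character class silently stops matching and the higher members fall through to the generic `/var/log Log` rule, and the `rotate 2` case where the only compressed member both appears and vanishes between runs.

```python
"""Generate AIDE log-series selection lines for a logrotate-managed log.

Added example, not code from the original post, from AIDE or from Debian.
Assumes the rule-group names of the Debian aide.conf quoted in the post and a
logrotate setup using `compress` + `delaycompress`, i.e. the series
foo, foo.1, foo.2.gz ... foo.<rotate>.gz.  All helpers are hypothetical.
"""
import re

# Characters special in the POSIX extended regexes AIDE uses for selection
# lines; everything else in a path is matched literally.
_ERE_META = set(r".^$*+?()[]{}|\\")


def escape_path(path):
    """Backslash-escape ERE metacharacters so `path` is matched literally."""
    return "".join("\\" + ch if ch in _ERE_META else ch for ch in path)


def int_alternation(lo, hi):
    """ERE matching exactly the integers lo..hi, e.g. (3|4|...|11).

    A character class such as [345678] only covers single digits; an
    alternation stays correct once the rotate count goes past 9.
    """
    if lo > hi:
        raise ValueError("empty range %d..%d" % (lo, hi))
    if lo == hi:
        return str(lo)
    return "(" + "|".join(str(n) for n in range(lo, hi + 1)) + ")"


def log_series_rules(path, rotate, daily=False, delaycompress=True):
    """Return (regex, rule) pairs for `path` kept for `rotate` generations.

    The pairs are mutually exclusive (all end-anchored), so their order only
    matters relative to the generic `/var/log Log` line, which must still
    come after them in aide.conf (most specific first).
    """
    if rotate < 2:
        raise ValueError("rotate must be >= 2 to form a log series")
    p = escape_path(path)
    rules = [("%s$" % p, "FreqRotLog" if daily else "Log")]
    if delaycompress:
        # foo.1 is a plain rename of the live log, compressed one cycle later
        rules.append(("%s\\.1$" % p, "LowLog"))
        first = 2
    else:
        first = 1
    last = rotate
    if first == last:
        # A single compressed member both appears (ANF) and vanishes (ARF)
        # between runs; compose the existing groups inline on the selection
        # line rather than invent a new group name.
        rules.append(("%s\\.%d\\.gz$" % (p, first), "SerMemberLog+ANF+ARF"))
        return rules
    rules.append(("%s\\.%d\\.gz$" % (p, first), "LoSerMemberLog"))
    if first + 1 <= last - 1:
        middle = int_alternation(first + 1, last - 1)
        rules.append(("%s\\.%s\\.gz$" % (p, middle), "SerMemberLog"))
    rules.append(("%s\\.%d\\.gz$" % (p, last), "HiSerMemberLog"))
    return rules


def render(rules):
    """Format the pairs as aide.conf selection lines."""
    return "\n".join("%s %s" % (regex, rule) for regex, rule in rules)


def first_match(rules, filename):
    """Rule AIDE would apply to `filename`, or None if it falls through.

    AIDE anchors selection regexes at the start of the path, as re.match
    does; None means the name is caught by whatever generic rule follows,
    e.g. `/var/log Log`, and would be reported on every rotation.
    """
    for regex, rule in rules:
        if re.match(regex, filename):
            return rule
    return None


if __name__ == "__main__":
    # The post's dmesg case: rotate 9, delaycompress, not rotated daily.
    print(render(log_series_rules("/var/log/dmesg", rotate=9)))
```

Paste the printed lines into aide.conf ahead of the generic `/var/log Log` line; before running `aide --init`, feed the names that logrotate will actually produce (including the highest generation) to `first_match` and make sure none of them comes back as None.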