The answer to your original question is to run "aide --check". Given a properly initialized database, the output will be exactly what you're looking for. I promise.

Based on the screen shot you originally included, it looks to me that your current database is empty. You'll need to move/rename the aide.db.new file generated by that cron script into the path and file name noted by the DATABASE variable line. Future runs of AIDE will then only report actual filesystem changes.

If you browse the source for AIDE, I doubt you will find references to this cron script. OS packages often include these sorts of scripts for ease of use. If I'm wrong, I'm certain Hannes will step in and correct me. In the past, he's stated that he's unable to support the cron scripts because he didn't write them. I also have no experience with this cron script.

I mentioned protecting the AIDE database and binaries because any results generated by AIDE are meaningless unless you can verify that an intruder hasn't modified the binaries and database. That said, I understand certain applications of AIDE may not warrant such paranoia. It's up to you how far you want to take it.

Regards,
Keith

On Friday, April 22, 2016, LIJE Creative <i...@lije-creative.com> wrote:

> No, AIDE out of the box offers daily report.
> Once installed, it added me the file: */etc/cron.daily/aide* which sends
> me a daily report.
> There is a MAILTO parameter which must be filled to work.
>
> CRON_DAILY_RUN="${CRON_DAILY_RUN:-yes}"
> MAILTO="x...@xxx.fr"
> eval MAILTO="$MAILTO"
> DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
> LINES="${LINES:-1000}"
> COMMAND="${COMMAND:-check}"
> COPYNEWDB="${COPYNEWDB:-no}"
> QUIETREPORTS="${QUIETREPORTS:-no}"
> SILENTREPORTS="${SILENTREPORTS:-no}"
> TRUNCATEDETAILS="${TRUNCATEDETAILS:-no}"
> FILTERUPDATES="${FILTERUPDATES:-no}"
> FILTERINSTALLATIONS="${FILTERINSTALLATIONS:-no}"
> CRONEXITHOOK="${CRONEXITHOOK:-}"
> ONEXIT=""
>
> You can also see that the command is check, indeed.
> This is not AIDE binaries and database that matters to me but the files of
> my web server.
> If a hacker gets a chance to inject some file in a website, I want to see
> it. But he won't probably modify the AIDE database from himself.
>
> Regards,
>
> Jérôme LILLE | Agency Manager
> i...@lije-creative.com | +33 7 70 87 02 03
> Website: www.lije-creative.com
>
> 2016-04-22 5:05 GMT+02:00 Keith Constable <kccric...@gmail.com>:
>
>> "aide --check " compares the file system to the aide database and gives
>> you a report of changed and added and deleted files.
>>
>> Are you using an OS packaged version of AIDE? AIDE itself produces no
>> daily report.
>>
>> You should only --init a new database once you've validated all changes
>> reported by the --check run.
>>
>> What protections do you have in place to ensure that the AIDE binaries
>> and database aren't compromised by an intruder?
>>
>> Regards,
>> Keith
>>
>>
>> On Thursday, April 21, 2016, LIJE Creative <i...@lije-creative.com> wrote:
>>
>>> Hi guys,
>>>
>>> Like you, I'm a user of AIDE but I need a hand about the configuration.
>>>
>>> I'm getting the daily aide report. It contains the 1000 first lines of
>>> the log file.
>>>
>>> Do you know if there is a way to get only the list of newly added
>>> entries (difference between the new and old database) and the changed
>>> entries?
>>> Everyday, I'm getting these 330k new added entries so I can't check if
>>> anything is messed up.
>>>
>>> I'm running AIDE on my /var/www folder to check newly added files from
>>> my clients or hackers.
>>>
>>> Thanks
_______________________________________________
Aide mailing list
Aide@cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide
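
The steps described in the reply above (move the reviewed aide.db.new into the DATABASE path, then run "aide --check" against a database you can still trust), as an added example that is not part of the thread or of the AIDE project. The NEWDB and PINFILE paths and all function names are assumptions, and the pinned hash only helps if PINFILE lives somewhere the monitored host cannot rewrite.

```shell
#!/bin/sh
# Added example: promote a reviewed aide.db.new and pin its hash before checks.
# DATABASE uses the default shown in the quoted cron script; the rest is assumed.
DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
NEWDB="${NEWDB:-${DATABASE}.new}"           # assumed location of the new database
PINFILE="${PINFILE:-/root/aide.db.sha256}"  # assumed; ideally read-only or off-host

# True when the reference database exists and is not empty.
db_ready() {
    [ -s "$DATABASE" ]
}

# SHA-256 of a file, digest only.
db_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Move the reviewed new database into place and record its hash.
promote_db() {
    [ -s "$NEWDB" ] || { echo "no new database at $NEWDB" >&2; return 1; }
    mv -- "$NEWDB" "$DATABASE" || return 1
    db_hash "$DATABASE" > "$PINFILE"
}

# True when the database still matches the hash recorded at promotion time.
db_untampered() {
    [ -r "$PINFILE" ] && [ "$(db_hash "$DATABASE")" = "$(cat "$PINFILE")" ]
}

# Refuse to report against an empty or altered baseline, then run the check.
run_check() {
    db_ready      || { echo "database missing or empty: $DATABASE" >&2; return 2; }
    db_untampered || { echo "database does not match pinned hash" >&2; return 3; }
    aide --check
}

# Usage: script promote   (after reviewing the changes that were reported)
#        script check     (what a scheduled job would call)
case "${1:-}" in
    promote) promote_db ;;
    check)   run_check ;;
esac
```

An empty baseline makes every file look newly added, which is why run_check stops before calling aide when the database is missing, empty, or no longer matches the recorded hash.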