Re: [Aide] Need help with AIDE configuration

2016-04-25 Thread LIJE Creative
Hi guys,

It's working better with the last tweaks I did on the cron conf file.
Thanks Keith and Hannes for that.

Also, I wanted to ask how to exclude folders with a wildcard.
Currently, I have a lot of ispconfig websites and a lot of session files
generated in the /tmp/ folder of every website.
I wanted to exclude these folders like this:

!/home/www/clients/client0/*/tmp/.*

But the wildcard doesn't seem to work.

/home/www/clients/client0/web11/tmp/sess_8demipef935hpkklaop8ad0fr0
/home/www/clients/client0/web12/tmp/sess_878h8gq2gqnl9b4b424cqd35c3
/home/www/clients/client0/web12/tmp/sess_8aq7l3qbb22ff4n7nhjpvhg9v5
/home/www/clients/client0/web12/tmp/sess_8demipef935hpkklaop8ad0fr0
/home/www/clients/client0/web12/tmp/sess_8gnjb088jl6dskt1n9asakf9s3
/home/www/clients/client0/web12/tmp/sess_8l446hr5vhbmnk6lpj2nlke216
/home/www/clients/client0/web12/tmp/sess_8p51s15v8or8llh1cpb33760s6

are still being added to the database.
I want it to be dynamic if I add more websites.
I have 40+ websites on this server. I don't want to add the 40 folders to
exclude.

Can you help?

Regards,


Jérôme LILLE | Agency Manager
i...@lije-creative.com | +33 7 70 87 02 03
Website: www.lije-creative.com

2016-04-23 10:11 GMT+02:00 LIJE Creative:

> Hi,
>
> I tweaked /etc/default/aide as requested. The db seems to be copied now.
>
>
> AIDE returned with exit code 5. Added and changed entries detected!
> AIDE post run information
> output database /var/lib/aide/aide.db.new was copied to
> /var/lib/aide/aide.db as requested by cron job configuration
> End of AIDE post run information
> AIDE produced no errors.
>
> Output is 329870 lines, truncated to 1000.
> AIDE 0.16a2-19-g16ed855 found differences between database and filesystem!!
> New AIDE database written to /var/lib/aide/aide.db.new
> Start timestamp: 2016-04-23 06:25:06 +0200
> Verbose level: 6
>
> Summary:
>   Total number of entries:  331957
>   Added entries:329796
>   Removed entries:  0
>   Changed entries:  6
>
>
> Also, AIDE does an update, not a check by default in the configuration
> file. I had to put yes in the COPYNEWDB option.
> I'll let you know in the following days how it's going on.
>
> @Keith : I just used *apt-get install aide* to get AIDE on my debian
> jessie 8, nothing more. As Hannes said, the cron is part of this package
> but I didn't know upstream AIDE doesn't contain a cron script.
>
> Regards,
>
>
> Jérôme LILLE | Agency Manager
> i...@lije-creative.com | +33 7 70 87 02 03
> Website: www.lije-creative.com
>
> 2016-04-22 20:11 GMT+02:00 Hannes von Haugwitz:
>
>> On Fri, Apr 22, 2016 at 07:47:27AM -0400, Keith Constable wrote:
>> > I mentioned protecting the AIDE database and binaries because any
>> > results generated by AIDE are meaningless unless you can verify that an
>> > intruder hasn't modified the binaries and database. That said, I
>> > understand certain applications of AIDE may not warrant such paranoia.
>> > It's up to you how far you want to take it.
>>
>> Just out of curiosity, what are your methods to ensure the integrity of
>> the AIDE binary and the database?
>>
>> Best regards
>>
>> Hannes
>> ___
>> Aide mailing list
>> Aide@cs.tut.fi
>> https://mailman.cs.tut.fi/mailman/listinfo/aide
>>
>
>

___
Aide mailing list
Aide@cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide
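The rule in the message above fails because AIDE reads the path part of a selection line as a regular expression anchored at the start of the path, not as a shell glob: in "client0/*/tmp" the "*" applies to the slash before it, so the pattern means "client0, then zero or more slashes, then /tmp" and can never match a "web11" or "web12" component. The following is an added example, not from the thread and not from AIDE; it uses grep -E as a stand-in for AIDE's matcher (the two agree for these patterns) to show the posted rule next to one that matches exactly one path component. The sample paths are constructed after the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread or from AIDE): emulate how AIDE matches
# the path part of a selection line. AIDE treats it as a regular expression
# anchored at the start of the path, not as a shell glob, so "*" means "zero
# or more of the preceding character". grep -E stands in for AIDE's matcher;
# for the patterns below both engines agree.

# rule_matches RULE PATH: exit 0 if the anchored regex RULE matches PATH.
rule_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1"
}

# classify RULE PATH: print "excluded" if a negative rule RULE would match
# PATH, "kept" otherwise.
classify() {
    if rule_matches "$1" "$2"; then echo excluded; else echo kept; fi
}

# Constructed sample paths, modelled on the ones quoted in the thread.
SESSION_FILE=/home/www/clients/client0/web12/tmp/sess_8demipef935hpkklaop8ad0fr0
WEB_FILE=/home/www/clients/client0/web12/web/index.php
ODD_FILE=/home/www/clients/client0/tmp/sess_x

# The rule from the message. "client0/*/tmp" reads as: "client0", then any
# number of "/", then "/tmp". It matches a tmp directory directly under
# client0 but never one under a "webNN" component.
BROKEN='/home/www/clients/client0/*/tmp/.*'

# A rule that requires exactly one path component between client0 and tmp.
# No trailing "/.*" is needed: a negative rule that matches the directory
# itself keeps AIDE from descending into it.
FIXED='/home/www/clients/client0/[^/]+/tmp'

# Print, for each rule, which of the sample paths it would exclude.
show_rules() {
    for rule in "$BROKEN" "$FIXED"; do
        echo "!$rule"
        for p in "$SESSION_FILE" "$WEB_FILE" "$ODD_FILE"; do
            printf '  %-8s %s\n' "$(classify "$rule" "$p")" "$p"
        done
    done
}
show_rules
```

In the aide.conf this becomes a single negative line, !/home/www/clients/client0/[^/]+/tmp, placed before or after the positive rule for /home/www; it keeps working as new webNN directories are created. If the client directory should be dynamic as well, replace client0 with client[0-9]+. Check the result with a fresh aide --init and confirm that no sess_ entries appear in the new database before copying it into place.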


Re: [Aide] Need help with AIDE configuration

2016-04-23 Thread LIJE Creative
Hi,

I tweaked /etc/default/aide as requested. The db seems to be copied now.


AIDE returned with exit code 5. Added and changed entries detected!
AIDE post run information
output database /var/lib/aide/aide.db.new was copied to
/var/lib/aide/aide.db as requested by cron job configuration
End of AIDE post run information
AIDE produced no errors.

Output is 329870 lines, truncated to 1000.
AIDE 0.16a2-19-g16ed855 found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new
Start timestamp: 2016-04-23 06:25:06 +0200
Verbose level: 6

Summary:
  Total number of entries:  331957
  Added entries:329796
  Removed entries:  0
  Changed entries:  6


Also, AIDE does an update, not a check by default in the configuration
file. I had to put yes in the COPYNEWDB option.
I'll let you know in the following days how it's going on.

@Keith : I just used *apt-get install aide* to get AIDE on my debian jessie
8, nothing more. As Hannes said, the cron is part of this package but I
didn't know upstream AIDE doesn't contain a cron script.

Regards,


Jérôme LILLE | Agency Manager
i...@lije-creative.com | +33 7 70 87 02 03
Website: www.lije-creative.com

2016-04-22 20:11 GMT+02:00 Hannes von Haugwitz:

> On Fri, Apr 22, 2016 at 07:47:27AM -0400, Keith Constable wrote:
> > I mentioned protecting the AIDE database and binaries because any results
> > generated by AIDE are meaningless unless you can verify that an intruder
> > hasn't modified the binaries and database. That said, I understand
> > certain applications of AIDE may not warrant such paranoia. It's up to
> > you how far you want to take it.
>
> Just out of curiosity, what are your methods to ensure the integrity of
> the AIDE binary and the database?
>
> Best regards
>
> Hannes
> ___
> Aide mailing list
> Aide@cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide
>



Re: [Aide] Need help with AIDE configuration

2016-04-22 Thread Richard van den Berg
On 22 Apr 2016, at 12:44, Hannes von Haugwitz wrote:
> 
> If I remember correctly this statement was made by Richard (one of the past 
> AIDE developers).

You're probably right. 

Cheers,

Richard (ex-AIDE developer)


Re: [Aide] Need help with AIDE configuration

2016-04-22 Thread Hannes von Haugwitz
On Fri, Apr 22, 2016 at 07:47:27AM -0400, Keith Constable wrote:
> I mentioned protecting the AIDE database and binaries because any results
> generated by AIDE are meaningless unless you can verify that an intruder
> hasn't modified the binaries and database. That said, I understand certain
> applications of AIDE may not warrant such paranoia. It's up to you how far
> you want to take it.

Just out of curiosity, what are your methods to ensure the integrity of
the AIDE binary and the database?

Best regards

Hannes


Re: [Aide] Need help with AIDE configuration

2016-04-22 Thread Hannes von Haugwitz
Hi,

On Fri, Apr 22, 2016 at 07:47:27AM -0400, Keith Constable wrote:
> If you browse the source for AIDE, I doubt you will find references to this
> cron script. OS packages often include these sorts of scripts for ease of
> use. If I'm wrong, I'm certain Hannes will step in and correct me.

Yes, upstream AIDE doesn't contain a cron script. The cron script
belongs to the Debian package[0], which I also maintain.

> In the past, he's stated that he's unable to support the cron scripts
> because he didn't write them.

If I remember correctly this statement was made by Richard (one of the
past AIDE developers).

Best regards

Hannes

[0] https://anonscm.debian.org/cgit/pkg-aide/aide.git


Re: [Aide] Need help with AIDE configuration

2016-04-22 Thread Hannes von Haugwitz
Hi,

On Thu, Apr 21, 2016 at 11:14:25PM +0200, LIJE Creative wrote:
> Do you know if there is a way to get only the list of newly added entries
> (difference between the new and old database) and the changed entries?
> Everyday, I'm getting these 330k new added entries so I can't check if
> anything is messed up.

Looks like you are using the aide package from Debian/Ubuntu.

Please have a look at /etc/default/aide. In this file you can configure
the /etc/cron.daily/aide behaviour. Especially the MAIL and the
COPYNEWDB option may be of interest to you.

Best regards

Hannes


Re: [Aide] Need help with AIDE configuration

2016-04-22 Thread Keith Constable
The answer to your original question is to run "aide --check". Given a
properly initialized database, the output will be exactly what you're
looking for. I promise.

Based on the screen shot you originally included, it looks to me that your
current database is empty. You'll need to move/rename the aide.db.new file
generated by that cron script into the path and file name noted by the
DATABASE variable line. Future runs of AIDE will then only report actual
filesystem changes.


If you browse the source for AIDE, I doubt you will find references to this
cron script. OS packages often include these sorts of scripts for ease of
use. If I'm wrong, I'm certain Hannes will step in and correct me. In the
past, he's stated that he's unable to support the cron scripts because he
didn't write them. I also have no experience with this cron script.

I mentioned protecting the AIDE database and binaries because any results
generated by AIDE are meaningless unless you can verify that an intruder
hasn't modified the binaries and database. That said, I understand certain
applications of AIDE may not warrant such paranoia. It's up to you how far
you want to take it.

Regards,
Keith


On Friday, April 22, 2016, LIJE Creative wrote:

> No, AIDE out of the box offers a daily report.
> Once installed, it added the file /etc/cron.daily/aide, which sends
> me a daily report.
> There is a MAILTO parameter which must be filled in to work.
>
> CRON_DAILY_RUN="${CRON_DAILY_RUN:-yes}"
> MAILTO="x...@xxx.fr"
> eval MAILTO="$MAILTO"
> DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
> LINES="${LINES:-1000}"
> COMMAND="${COMMAND:-check}"
> COPYNEWDB="${COPYNEWDB:-no}"
> QUIETREPORTS="${QUIETREPORTS:-no}"
> SILENTREPORTS="${SILENTREPORTS:-no}"
> TRUNCATEDETAILS="${TRUNCATEDETAILS:-no}"
> FILTERUPDATES="${FILTERUPDATES:-no}"
> FILTERINSTALLATIONS="${FILTERINSTALLATIONS:-no}"
> CRONEXITHOOK="${CRONEXITHOOK:-}"
> ONEXIT=""
>
> You can also see that the command is check, indeed.
> It is not the AIDE binaries and database that matter to me but the files of
> my web server.
> If a hacker gets a chance to inject some file into a website, I want to see
> it. But he probably won't modify the AIDE database himself.
>
> Regards,
>
> Jérôme LILLE | Agency Manager
> i...@lije-creative.com | +33 7 70 87 02 03
> Website: www.lije-creative.com
>
> 2016-04-22 5:05 GMT+02:00 Keith Constable:
>
>> "aide --check " compares the file system to the aide database and gives
>> you a report of changed and added and deleted files.
>>
>> Are you using an OS packaged version of AIDE? AIDE itself produces no
>> daily report.
>>
>> You should only --init a new database once you've validated all changes
>> reported by the --check run.
>>
>> What protections do you have in place to ensure that the AIDE binaries
>> and database aren't compromised by an intruder?
>>
>> Regards,
>> Keith
>>
>>
>> On Thursday, April 21, 2016, LIJE Creative wrote:
>>
>>> Hi guys,
>>>
>>> Like you, I'm a user of AIDE but I need a hand about the configuration.
>>>
>>> I'm getting the daily aide report. It contains the 1000 first lines of
>>> the log file.
>>>
>>> Do you know if there is a way to get only the list of newly added
>>> entries (difference between the new and old database) and the changed
>>> entries?
>>> Everyday, I'm getting these 330k new added entries so I can't check if
>>> anything is messed up.
>>>
>>> I'm running AIDE on my /var/www folder to check newly added files from
>>> my clients or hackers.
>>>
>>> Thanks
>>>
>
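Keith's point above, and Hannes's question of how it is done in practice, can be answered concretely. The script below is an added example, not part of the thread, of AIDE or of the Debian cron job: it keeps SHA-256 hashes of the AIDE database and binary in a reference file recorded out of band and makes the scheduled check refuse to run when either no longer matches. The reference-file location, the stand-in files and the guarded_check wrapper are this example's assumptions. The scheme only helps if the reference file lives where the web server, or an intruder with its privileges, cannot write (a read-only mount or another host), and it does not stop an attacker who already has root and patches the wrapper as well.

```shell
#!/bin/sh
# Added example, not part of the Debian cron script or of AIDE: refuse to run
# the scheduled check unless the AIDE database and binary still match SHA-256
# hashes recorded out of band. Where the reference file lives is this
# example's assumption: it only helps if it is somewhere the web server (or an
# intruder with its privileges) cannot write, such as a read-only mount or a
# separate host, and it does not protect against an attacker who already has
# root and patches this script too.

# record_refs REF_FILE FILE...: write "hash  path" lines for each FILE.
record_refs() {
    ref=$1; shift
    sha256sum "$@" > "$ref"
}

# verify_refs REF_FILE: exit 0 if every recorded file still matches its
# hash, non-zero if any differs or is missing.
verify_refs() {
    sha256sum -c "$1" >/dev/null 2>&1
}

# guarded_check REF_FILE CMD...: run CMD only after the references verify.
guarded_check() {
    ref=$1; shift
    if ! verify_refs "$ref"; then
        echo "refusing to run: AIDE database or binary differs from recorded hashes" >&2
        return 2
    fi
    "$@"
}

# Demonstration on constructed stand-ins in a temp directory. A real
# deployment would record /var/lib/aide/aide.db and the aide binary
# (/usr/bin/aide on Debian) and call: guarded_check "$ref" aide --check
demo() {
    dir=$(mktemp -d)
    printf 'stand-in for aide.db\n' > "$dir/aide.db"
    printf 'stand-in for the aide binary\n' > "$dir/aide"
    record_refs "$dir/refs.sha256" "$dir/aide.db" "$dir/aide"
    guarded_check "$dir/refs.sha256" echo "references verify, check runs"
    printf 'tampered\n' >> "$dir/aide.db"
    guarded_check "$dir/refs.sha256" echo "never printed" || echo "refused, exit $?"
    rm -rf "$dir"
}
demo
```

Re-run record_refs only after a check whose differences you have reviewed and after the new database has been copied into place; otherwise the reference would bless a database an intruder could have rewritten.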


Re: [Aide] Need help with AIDE configuration

2016-04-21 Thread LIJE Creative
No, AIDE out of the box offers a daily report.
Once installed, it added the file /etc/cron.daily/aide, which sends me
a daily report.
There is a MAILTO parameter which must be filled in to work.

CRON_DAILY_RUN="${CRON_DAILY_RUN:-yes}"
MAILTO="x...@xxx.fr"
eval MAILTO="$MAILTO"
DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
LINES="${LINES:-1000}"
COMMAND="${COMMAND:-check}"
COPYNEWDB="${COPYNEWDB:-no}"
QUIETREPORTS="${QUIETREPORTS:-no}"
SILENTREPORTS="${SILENTREPORTS:-no}"
TRUNCATEDETAILS="${TRUNCATEDETAILS:-no}"
FILTERUPDATES="${FILTERUPDATES:-no}"
FILTERINSTALLATIONS="${FILTERINSTALLATIONS:-no}"
CRONEXITHOOK="${CRONEXITHOOK:-}"
ONEXIT=""

You can also see that the command is check, indeed.
It is not the AIDE binaries and database that matter to me but the files of
my web server.
If a hacker gets a chance to inject some file into a website, I want to see
it. But he probably won't modify the AIDE database himself.

Regards,


Jérôme LILLE | Agency Manager
i...@lije-creative.com | +33 7 70 87 02 03
Website: www.lije-creative.com

2016-04-22 5:05 GMT+02:00 Keith Constable:

> "aide --check " compares the file system to the aide database and gives
> you a report of changed and added and deleted files.
>
> Are you using an OS packaged version of AIDE? AIDE itself produces no
> daily report.
>
> You should only --init a new database once you've validated all changes
> reported by the --check run.
>
> What protections do you have in place to ensure that the AIDE binaries and
> database aren't compromised by an intruder?
>
> Regards,
> Keith
>
>
> On Thursday, April 21, 2016, LIJE Creative wrote:
>
>> Hi guys,
>>
>> Like you, I'm a user of AIDE but I need a hand about the configuration.
>>
>> I'm getting the daily aide report. It contains the 1000 first lines of
>> the log file.
>>
>> [image: Embedded image 1]
>>
>> Do you know if there is a way to get only the list of newly added entries
>> (difference between the new and old database) and the changed entries?
>> Everyday, I'm getting these 330k new added entries so I can't check if
>> anything is messed up.
>>
>> I'm running AIDE on my /var/www folder to check newly added files from my
>> clients or hackers.
>>
>> Thanks
>>
>>
>> Jérôme LILLE | Agency Manager
>> i...@lije-creative.com | +33 7 70 87 02 03
>> Website: www.lije-creative.com
>>
>
> ___
> Aide mailing list
> Aide@cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide
>
>


Re: [Aide] Need help with AIDE configuration

2016-04-21 Thread Keith Constable
"aide --check " compares the file system to the aide database and gives you
a report of changed and added and deleted files.

Are you using an OS packaged version of AIDE? AIDE itself produces no daily
report.

You should only --init a new database once you've validated all changes
reported by the --check run.

What protections do you have in place to ensure that the AIDE binaries and
database aren't compromised by an intruder?

Regards,
Keith


On Thursday, April 21, 2016, LIJE Creative wrote:

> Hi guys,
>
> Like you, I'm a user of AIDE but I need a hand about the configuration.
>
> I'm getting the daily aide report. It contains the 1000 first lines of the
> log file.
>
> [image: Embedded image 1]
>
> Do you know if there is a way to get only the list of newly added entries
> (difference between the new and old database) and the changed entries?
> Everyday, I'm getting these 330k new added entries so I can't check if
> anything is messed up.
>
> I'm running AIDE on my /var/www folder to check newly added files from my
> clients or hackers.
>
> Thanks
>
>
> Jérôme LILLE | Agency Manager
> i...@lije-creative.com | +33 7 70 87 02 03
> Website: www.lije-creative.com
>