using aide for file integrity

Posted on 2003-10-26
Last Modified: 2006-11-17
Hello,
If there is a better place to ask this question, please let me know.
After reading all the docs I can find on aide:


#aide --check
does it write a new aide.db.new or append to the existing one?


#aide --update
If this writes the changes from aide.db.new to aide.db in order to set a new standard, if you please, then why does aide --check, when executed after aide --update, still show a report of differences in the databases, and why does the date of aide.db.new in the ls command not reflect the time of the --update write?


Is there a more effective file arrangement to inspect than what I have here in this aide.conf?
Please consider the advice from
Aide Manual version 0_1.htm:
********************************
But keep in mind that you should not ignore too much as that leaves you open for an attack. An intruder might place his/her/its/their root kit in a directory that you have ignored completely. One good example is /var/spool/lp or something similar. This is the place that lp daemon stores its temporary files. You should not ignore it completely however. You should only ignore the format of files that your lp daemon keeps creating. And remember to use the $-sign at the end of your regexps. This stops someone from creating a directory that is ignored along with its contents.
********************************
I am not sure how to put the above comment into a line of code in the config file.
Here is part of my AIDE conf:

# Custom rules
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1

# Kernel, system map, etc.
=/boot$ Binlib

# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib


# Libraries
/lib Binlib
/usr/lib Binlib
/usr/local/lib Binlib

#system configuration files
/etc Binlib
thanks
Question by: samj
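To turn the manual's "use the $-sign" advice into something you can check, here is an added example (not from the question, the answer or the AIDE project) that emulates how AIDE selects paths with a "!" ignore rule: AIDE anchors each rule regex only at the beginning of the path, so a rule without a trailing $ also covers everything below the name it matches. The sample paths and the tmp[0-9]+ pattern are constructed assumptions, not the real lp spooler's file names, and real AIDE additionally decides whether to descend into matched directories.

```python
import re


def rule_matches(regex: str, path: str) -> bool:
    """Emulate AIDE's rule matching for one path.

    AIDE implicitly anchors the rule regex at the start of the path
    (re.match does the same) but adds no trailing anchor, so a rule
    without '$' also matches every path that begins with the same text.
    """
    return re.match(regex, path) is not None


def ignored_paths(ignore_regex: str, paths):
    """Paths an aide.conf '!' rule with this regex would leave unchecked."""
    return [p for p in paths if rule_matches(ignore_regex, p)]


# Constructed sample paths (assumption: the lp spooler writes tmp<digits>).
SAMPLE_PATHS = [
    "/var/spool/lp/tmp0012",          # spooler temp file: safe to ignore
    "/var/spool/lp/tmp0013",          # spooler temp file: safe to ignore
    "/var/spool/lp/tmp9999/planted",  # file hidden in a look-alike directory
    "/var/spool/lp/model/standard",   # real spooler file that must be checked
    "/var/spool/lpd/lpd.lock",        # '/var/spool/lp' is a prefix of this path
]

# Regex part of three candidate rules; in aide.conf each is written
# with a leading '!', for example:  !/var/spool/lp/tmp[0-9]+$
TOO_BROAD = r"/var/spool/lp"             # ignores the whole spool tree and more
UNANCHORED = r"/var/spool/lp/tmp[0-9]+"  # ignores tmp dirs with their contents
ANCHORED = r"/var/spool/lp/tmp[0-9]+$"   # ignores only the temp files themselves

if __name__ == "__main__":
    for name, regex in [("TOO_BROAD", TOO_BROAD),
                        ("UNANCHORED", UNANCHORED),
                        ("ANCHORED", ANCHORED)]:
        print(f"{name:10s} !{regex}")
        for p in ignored_paths(regex, SAMPLE_PATHS):
            print("   ignored:", p)
```

Only the anchored form leaves the file under the look-alike tmp9999 directory in the database, which is the gap the manual warns about.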

Accepted Solution by: lazykoder
hi samj,

in your aide.conf there should be settings for the database file. Always it is advised that you initialize and maintain a database file which contains the information of all the files that you want to be checked and create a new database file when you do an update after making changes to the aide.conf file.

the configuration options in aide.conf are:

database=file:/var/aide/db/aide.db
database_out=file:/var/aide/db/aide.db.new

so by this u r indicating that your output database is always gonna be aide.db.new, so if u do :

#./aide --config=./aide.conf --init

then you need to do the following without fail:

# mv aide.db.new aide.db

coz u'r new db is aide.db.new but in u'r conf file u have mentioned the db file to be aide.db. So the next time u invoke

#aide --check

it will look for aide.db

So when you do an #aide --update it will write to the new file aide.db.new which you need to move to aide.db. The reason #aide --check is giving you those errors is because of not moving the freshly generated db to the actual db file which aide is looking at for the check.

Hope the above answers u'r question.