Solved

using aide for file integrity

Posted on 2003-10-26
Last Modified: 2006-11-17
Hello,
If there is a better place to ask this question, please let me know.
After reading all the docs I can find on aide:


#aide --check
Does it write a new aide.db.new or append to the existing one?


#aide --update
If this writes the changes from the aide.db.new to the aide.db in order to set a new standard, if you please, then why does aide --check, when it is executed after aide --update, still show a report of differences in the databases, and why does the date of the aide.db.new in the ls command not reflect the time of the writing of the --update?


Is there a more effective file arrangement to inspect than what I have here in this aide.conf?
Please consider the advice from
Aide Manual version 0_1.htm
********************************
But keep in mind that you should not ignore too much as that leaves you open for an attack. An intruder might place his/her/its/their root kit in a directory that you have ignored completely. One good example is /var/spool/lp or something similar. This is the place that lp daemon stores its temporary files. You should not ignore it completely however. You should only ignore the format of files that your lp daemon keeps creating. And remember to use the $-sign at the end of your regexps. This stops someone from creating a directory that is ignored along with its contents.
********************************
I am not sure how to put the above comment into a line of code in the config file.
Here is part of my AIDE conf:

# Custom rules
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1

# Kernel, system map, etc.
=/boot$ Binlib

# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib


# Libraries
/lib Binlib
/usr/lib Binlib
/usr/local/lib Binlib

#system configuration files
/etc Binlib





Thanks
Question by:samj

Accepted Solution

by:
lazykoder earned 95 total points
ID: 10160946
hi samj,

in your aide.conf there should be settings for the database file. Always it is advised that you initialize and maintain a database file which contains the information of all the files that you want to be checked and create a new database file when you do an update after making changes to the aide.conf file.

the configuration options in aide.conf are:

database=file:/var/aide/db/aide.db
database_out=file:/var/aide/db/aide.db.new

so by this u r indicating that your output database is always gonna be aide.db.new, so if u do :

#./aide --config=./aide.conf --init

then you need to do the following without fail:

# mv aide.db.new aide.db

coz u'r new db is aide.db.new but in u'r conf file u have mentioned the db file to be aide.db. So the next time u invoke

#aide --check

it will look for aide.db

So when you do an #aide --update it will write to the new file aide.db.new which you need to move to aide.db. The reason #aide --check is giving you those errors is because of not moving the freshly generated db to the actual db file which aide is looking at for the check.

Hope the above answers u'r question.
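
The update-then-move routine described in the answer above, as an added example that is not part of the original thread. The function names are hypothetical, the default paths are the database= and database_out= values quoted in the answer, and the exit-status handling assumes the behaviour documented in the current aide(1) man page.

```shell
#!/bin/sh
# Added example (not from the thread): the --update / mv cycle from the answer.
# Defaults are the database= and database_out= paths quoted in the answer.
AIDE_DB="${AIDE_DB:-/var/aide/db/aide.db}"
AIDE_DB_NEW="${AIDE_DB_NEW:-/var/aide/db/aide.db.new}"

# run_update (hypothetical name): compare against $AIDE_DB and write $AIDE_DB_NEW.
# Assumption: exit status follows the current aide(1) man page, where 0 means
# no differences and 1-7 is a bitmask of added/removed/changed files.
run_update() {
    aide --update
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "no differences reported"
    elif [ "$rc" -le 7 ]; then
        echo "differences reported: review them before promoting" >&2
    else
        echo "aide failed with status $rc; do not promote" >&2
    fi
    return "$rc"
}

# promote_aide_db NEW CURRENT (hypothetical name): the answer's
# "mv aide.db.new aide.db", keeping the previous baseline as CURRENT.prev.
# Refuses, leaving CURRENT untouched, when NEW is missing or empty.
promote_aide_db() {
    new=$1
    cur=$2
    if [ ! -s "$new" ]; then
        echo "no new database at $new; nothing promoted" >&2
        return 1
    fi
    if [ -f "$cur" ]; then
        cp -p "$cur" "$cur.prev" || return 1
    fi
    mv "$new" "$cur"
}

# Usage: script update   (then read the report)
#        script promote  (only once every reported change is accounted for)
case "${1:-}" in
    update)  run_update ;;
    promote) promote_aide_db "$AIDE_DB_NEW" "$AIDE_DB" ;;
esac
```

Promoting makes every change in the last report part of the baseline, so the report should be read and each change accounted for before the promote step is run.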