Solved

using aide for file integrity

Posted on 2003-10-26
Last Modified: 2006-11-17
Hello,
If there is a better place to ask this question, please let me know.
After reading all the docs I can find on AIDE:


#aide --check
Does it write a new aide.db.new or append to the existing one?


#aide --update
If this writes the changes from aide.db.new to aide.db in order to set a new standard, if you please, then why does aide --check, when executed after aide --update, still show a report of differences in the databases, and why does the date of aide.db.new in the ls output not reflect the time of the --update run?


Is there a more effective file arrangement to inspect than what I have here in this aide.conf? Please consider the advice from
Aide Manual version 0_1.htm:
********************************
But keep in mind that you should not ignore too much as that leaves you open for an attack. An intruder might place his/her/its/their root kit in a directory that you have ignored completely. One good example is /var/spool/lp or something similar. This is the place that the lp daemon stores its temporary files. You should not ignore it completely however. You should only ignore the format of files that your lp daemon keeps creating. And remember to use the $-sign at the end of your regexps. This stops someone from creating a directory that is ignored along with its contents.
********************************
I am not sure how to put the above comment into a line of code in the config file.
Here is part of my aide.conf:

# Custom rules
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1

# Kernel, system map, etc.
=/boot$ Binlib

# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib


# Libraries
/lib Binlib
/usr/lib Binlib
/usr/local/lib Binlib

#system configuration files
/etc Binlib





Thanks
Question by:samj
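The manual's advice about the lp spool directory, written out as aide.conf selection lines. This is an added example, not part of samj's post or of the AIDE manual. The database paths are the ones the accepted answer below uses; the spool file name pattern is an assumption (what your lp daemon actually writes will differ), so adjust the regex before using it.

```conf
# Added example, not from the original post. The database paths follow the
# accepted answer; the request-file name pattern is an ASSUMPTION.

# The baseline that --check reads, and the file that --init/--update write.
# They are deliberately two different files: after --init or --update you
# move aide.db.new over aide.db yourself, once you have read the report.
database=file:/var/aide/db/aide.db
database_out=file:/var/aide/db/aide.db.new

# Keep watching the spool directory itself. Anything in it that is NOT
# matched by the negative rule below (a dropped binary, a new subdirectory)
# is still reported as an added entry.
/var/spool/lp Logs

# Ignore only the files the lp daemon keeps creating.
# ASSUMPTION: request files look like /var/spool/lp/requests/<printer>/c<n>;
# check what your daemon actually writes and change the pattern to match.
#
# The trailing $ is the point of the manual's advice. AIDE matches a regex
# from the start of the path, so without the $ the rule would also cover
# /var/spool/lp/requests/lp/c17evil/ and everything placed under it; with
# the $ only the exact file names match, and a directory named that way
# would be reported.
!/var/spool/lp/requests/[^/]+/c[0-9]+$
```

The same anchoring applies to the `!` rules you add for any other directory that legitimately churns (print spools, mail queues, log rotation): anchor on the file name pattern, never on the directory prefix.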
Accepted Solution by: lazykoder (earned 95 total points)
ID: 10160946
hi samj,

In your aide.conf there should be settings for the database file. It is always advised that you initialize and maintain a database file which contains the information on all the files that you want to be checked, and create a new database file when you do an update after making changes to the aide.conf file.

The configuration options in aide.conf are:

database=file:/var/aide/db/aide.db
database_out=file:/var/aide/db/aide.db.new

So by this you are indicating that your output database is always going to be aide.db.new, so if you do:

#./aide --config=./aide.conf --init

then you need to do the following without fail:

# mv aide.db.new aide.db

because your new db is aide.db.new but in your conf file you have mentioned the db file to be aide.db. So the next time you invoke

#aide --check

it will look for aide.db

So when you do an #aide --update it will write to the new file aide.db.new, which you need to move to aide.db. The reason #aide --check is giving you those errors is that the freshly generated db was not moved to the actual db file which aide is looking at for the check.

Hope the above answers your question.
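The init, check, update cycle from the answer above, as a small POSIX sh wrapper. This is an added example, not code from the original thread or from the AIDE project. The paths are assumptions taken from the answer's database lines (override them with the AIDE_CONF, AIDE_DB and AIDE_DB_NEW environment variables), and promote_db, hash_file and the subcommand names are hypothetical helpers of this script, not AIDE options.

```shell
#!/bin/sh
# Added example (not from the original thread or the AIDE project).
# Wraps the init -> promote -> check -> update -> promote cycle from the
# accepted answer. ASSUMPTION: the paths below; set them to whatever your
# aide.conf declares under database= and database_out=.
AIDE_CONF="${AIDE_CONF:-/etc/aide.conf}"
AIDE_DB="${AIDE_DB:-/var/aide/db/aide.db}"             # database=     (what --check reads)
AIDE_DB_NEW="${AIDE_DB_NEW:-/var/aide/db/aide.db.new}" # database_out= (what --init/--update write)

# SHA-256 of a file, using whichever tool the host has (hypothetical helper).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# The "mv aide.db.new aide.db" step from the answer, with two guards
# (hypothetical helper): refuse when nothing new was written, and keep the
# previous baseline as <db>.bak so a bad promotion can be rolled back.
# Prints the new baseline's SHA-256. Copy that value off the host: a
# baseline that root on the monitored machine can rewrite proves nothing.
promote_db() {
    db="$1"; new="$2"
    if [ ! -s "$new" ]; then
        echo "promote_db: $new missing or empty; nothing promoted" >&2
        return 1
    fi
    if [ -f "$db" ]; then
        cp -p "$db" "$db.bak" || return 1
    fi
    mv "$new" "$db" || return 1
    echo "promoted $new -> $db sha256=$(hash_file "$db")"
}

# --check and --update both compare the live system against AIDE_DB. Recent
# AIDE versions exit non-zero when differences were reported; older ones may
# not, so read the report rather than trusting the exit code.
# --update additionally writes AIDE_DB_NEW; until that file is promoted, the
# next --check keeps reporting the same differences, which is exactly the
# behaviour the question describes.
aide_init()   { aide --config="$AIDE_CONF" --init && promote_db "$AIDE_DB" "$AIDE_DB_NEW"; }
aide_check()  { aide --config="$AIDE_CONF" --check; }
aide_update() { aide --config="$AIDE_CONF" --update; }

case "${1:-}" in
    init)    aide_init ;;
    check)   aide_check ;;
    update)  aide_update ;;              # read the report, then run "promote"
    promote) promote_db "$AIDE_DB" "$AIDE_DB_NEW" ;;
    "")      : ;;                        # no subcommand: only define the functions
    *)       echo "usage: $0 init|check|update|promote" >&2; exit 2 ;;
esac
```

Run `init` once, `check` from cron, and after an intended change `update`, read the report, then `promote`. Promotion is deliberately a separate step after `update`: the report is your only chance to notice that the "change" about to become part of the baseline is not yours. The answer's bare `mv aide.db.new aide.db` is the same operation without the review pause, the backup, and the hash to keep off the box.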