Thread: AIDE will not work!

  1. #11

    Re: AIDE will not work!

    I had the same error message. In my case it was caused by having a configuration file that did not specify the locations of the database files. Adding the following three lines (with FILENAME specified) resolved this problem.

    Code:
    database=file:FILENAME.db
    database_out=file:FILENAME.db.new
    database_new=file:FILENAME.db.new

  2. #12

    Re: AIDE will not work!

    Below is a sample of /etc/aide/aide.conf (0600 permissions, or rw- --- --- if you will):
    Code:
    # AIDE conf
    
    # The daily cron job depends on these paths
    database=file:/var/lib/aide/aide.db
    database_out=file:/var/lib/aide/aide.db.old
    database_new=file:/var/lib/aide/aide.db.new
    gzip_dbout=yes
    
    #AIDE conf
    
       # Here are all the things we can check - these are the default rules 
       #
       #p:      permissions
       #ftype:  file type
       #i:      inode
       #n:      number of links
       #l:      link name
       #u:      user
       #g:      group
       #s:      size
       #b:      block count
       #m:      mtime
       #a:      atime
       #c:      ctime
       #S:      check for growing size
       #I:      ignore changed filename
       #md5:    md5 checksum
       #sha1:   sha1 checksum
       #sha256: sha256 checksum
       #sha512: sha512 checksum
       #rmd160: rmd160 checksum
       #tiger:  tiger checksum
       #haval:  haval checksum
       #crc32:  crc32 checksum
       #R:      p+ftype+i+l+n+u+g+s+m+c+md5
       #L:      p+ftype+i+l+n+u+g
       #E:      Empty group
       #>:      Growing logfile p+ftype+l+u+g+i+n+S
       #The following are available if you have mhash support enabled:
       #gost:   gost checksum
       #whirlpool: whirlpool checksum
       #The following are available and added to the default groups R, L and >
       #only when explicitly enabled using configure:
       #acl:    access control list
       #selinux SELinux security context
       #xattrs:  extended file attributes
       #e2fsattrs: file attributes on a second extended file system
    
       # You can also create custom rules - my homemade rule definition goes like this
       #
       MyRule = p+i+n+u+g+s+b+m+c+md5+sha1 
    
       # Next decide what directories/files you want in the database
    
       /etc p+i+u+g     #check only permissions, inode, user and group for etc
       /opt p+i+u+g     #check only permissions, inode, user and group for opt
       /bin MyRule      # apply the custom rule to the files in /bin
       /usr/bin MyRule      # apply the custom rule to the files in /usr/bin
       /usr/local/bin MyRule      # apply the custom rule to the files in /usr/local/bin
       /sbin MyRule     # apply the same custom rule to the files in /sbin
       /usr/sbin MyRule     # apply the same custom rule to the files in /usr/sbin
       /usr/local/sbin MyRule     # apply the same custom rule to the files in /usr/local/sbin
       /var MyRule
       !/var/log/.*     # ignore the log dir it changes too often
       !/var/spool/.*   # ignore spool dirs as they change too often
       !/var/log/wtmp$  # ignore the file /var/log/wtmp
       !/var/log/btmp$  # ignore the file /var/log/btmp
       !/var/lib/urandom
       !/var/mail/.*
       !/var/run/.*
       !/var/tmp/.*
       !/var/lib/urandom/random-seed

    Customize the above for what you want to check. Keep in mind this is really basic.

    Then run the following:

    Code:
    sudo /usr/bin/aide.wrapper -c /etc/aide/aide.conf --init

    Then run:

    Code:
    sudo /usr/bin/aide.wrapper -c /etc/aide/aide.conf --check

    Then:

    Code:
    sudo /usr/bin/aide.wrapper -c /etc/aide/aide.conf --compare

    followed by:

    Code:
    sudo /etc/cron.daily/aide

    Per your aide.conf, the following files should now exist:

    Code:
    your-machine-name:/var/lib/aide# ls -rot
    total 3124
    -rw------- 1 root 1062640 2012-03-01 20:10 aide.db
    -rw------- 1 root 1062640 2012-03-01 20:11 aide.new
    -rw------- 1 root    1544 2012-03-01 20:29 aide.conf.autogenerated
    -rw------- 1 root 1062722 2012-03-01 20:29 aide.db.old

    You should get an email notification for root (if you have it configured).

    Tweak as necessary. Celebrate that AIDE is working for you.
    A torn jacket is soon mended; but hard words bruise the heart of a child.
    ~ H. W. Longfellow (1807-1882)
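
A preflight check for the situation described in posts #11 and #12, as an added example that is not part of either post or of AIDE itself: it reports which of the three database lines are missing from a config file and whether the file mode is exactly 0600. The function names are hypothetical; the directive names and the 0600 mode are the ones given in the thread.

```shell
#!/bin/sh
# Added example: preflight check for an AIDE configuration file.
# Function names are hypothetical; directive names come from the thread.

# Print the database directives that are absent, commented out, or lack a
# "file:PATH" value. Returns 0 when all three are usable, 1 when any is
# missing, 2 when the file cannot be read.
aide_conf_missing_db() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    missing=""
    for key in database database_out database_new; do
        # Last uncommented "key=value" line; spaces around "=" are ignored.
        value=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" | tail -n 1)
        case $value in
            file:?*) ;;                                  # a path follows "file:"
            *) missing="${missing:+$missing }$key" ;;    # absent or empty
        esac
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Succeed only when the file mode is exactly 0600 (rw- --- ---).
aide_conf_mode_ok() {
    [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# Constructed sample: a config with rules but no database lines,
# the condition post #11 describes.
demo=$(mktemp)
printf '%s\n' '# AIDE conf' 'gzip_dbout=yes' '/etc p+i+u+g' > "$demo"
if gaps=$(aide_conf_missing_db "$demo"); then
    echo "all database directives present"
else
    echo "missing from $demo: $gaps"
fi
if aide_conf_mode_ok "$demo"; then
    echo "mode is 0600"
else
    echo "mode is not 0600"
fi
rm -f "$demo"
```

To check the real file, call `aide_conf_missing_db /etc/aide/aide.conf` as root before running `--init`.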
