Debian's aide packages add some value and functionality to AIDE. Most
of this functionality is delivered by scripts and is configured via
the Debian configuration file in /etc/default/aide. That file is

The AIDE configuration used by the Debian scripts is maintained in
/etc/aide/aide.conf and /etc/aide/aide.conf.d. The script
update-aide.conf is used to concatenate /etc/aide/aide.conf and
/etc/aide/aide.conf.d to /var/lib/aide/config.autogenerated, which is
the input configuration file for the actual aide binary. The databases
are kept in /var/lib/aide by default. update-aide.conf has a man page.

The Debian scripts invoke aide via the wrapper /usr/bin/aide.wrapper,
which passes Debian-specific parameters to the aide binary. If you
intend to invoke aide yourself, please note that aide is compiled to
use /dev/null as the default configuration file, so you _always_ need
to give the path to a configuration file. This is to prevent a local
invocation of aide from messing with the Debian database.

On installation, debconf is used to query the user whether to
initialize the AIDE database and whether to automatically place the
new database at a place where aide can pick it up as a reference.
aideinit, the script used to initialize the database, has a man page.

/usr/bin/aide.wrapper is a wrapper which uses dotlockfile to prevent
multiple aide processes from running concurrently, as this might
seriously corrupt your database and will surely wreck your logs.
aide.wrapper needs to run

the daily AIDE cron job
^^^^^^^^^^^^^^^^^^^^^^^

The main work of the aide package happens in a daily cron job, which
is installed to /etc/cron.daily/aide and thus runs as part of cron.daily

The daily cron job invokes aide.wrapper and captures standard output
and standard error to files. The actual command which is invoked is
controlled by the COMMAND variable in /etc/default/aide, and
additional parameters can be passed in via AIDEARGS in
/etc/default/aide. Standard output ends up in /var/log/aide/aide.log,
and standard error in /var/log/aide/error.log. Both files are rotated,
so that older reports stay available.

After running aide, the newly generated database which was created
with COMMAND="update" is optionally copied over the old reference
database. Doing this unconditionally (COPYNEWDB="yes") might be
dangerous, since detected changes are only reported once. This is the
reason for COPYNEWDB="no" being the default. A third option,
COPYNEWDB="ifnochange", only copies the new database over the old one
if aide has not detected any changes. This might be necessary for the
ANF/ARF feature to properly handle logs that have been rotated

The cron job then mails aide's output to the address configured as

- reportable changes have been found or
- no reportable changes have been found and QUIETREPORTS is not

These mails go to root by default.

That means that if QUIETREPORTS="yes", no message saying "no changes
detected, everything is fine" will be sent.

Standard error and standard output are each truncated to the first
LINES lines in the e-mail message. If the output was truncated, this
is prominently visible in the e-mail. Also, if aide returned a
non-zero exit value, this is mentioned in the e-mail, as this is
usually a sign of things having gone very wrong.

MAILTO is run through one stage of shell evaluation, so it is possible
to have the message mailed to recipients depending on variable values,
such as the host name.

If NOISE is set to a regular expression, lines matching it are
filtered out of the e-mail report. This is commonly used in
environments where some changes are not important enough to be part
of the e-mail report that is read by humans, but should be in the log
nevertheless for future reference. A second, not de-noised copy of the
output is
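The following is an added example, not the Debian cron job itself: it models on a constructed aide log what the text above says /etc/cron.daily/aide does with the output (NOISE filtering, LINES truncation with a visible marker, and the QUIETREPORTS decision on whether to mail at all). NOISE, LINES and QUIETREPORTS are the /etc/default/aide settings named in the text; the function names and the sample log are this example's own.

```shell
#!/bin/sh
# Added example, not the Debian aide cron job itself: model what the text
# says /etc/cron.daily/aide does with aide's output (NOISE filtering,
# LINES truncation, the QUIETREPORTS mail decision) on a constructed log.
# NOISE, LINES and QUIETREPORTS are the /etc/default/aide settings named
# in the text; the function names are this example's own.

# Constructed sample of aide's standard output after a check run.
SAMPLE_LOG='AIDE found differences between database and filesystem!!
changed: /etc/adjtime
changed: /var/log/syslog
changed: /var/log/auth.log
added: /tmp/newfile
End timestamp: 2024-01-01 00:00:00'

# Filter stdin through NOISE (an extended regexp); an empty NOISE keeps
# every line. The unfiltered copy is what would stay in the log file.
denoise() {
    if [ -z "$1" ]; then
        cat
    else
        grep -Ev -- "$1" || true   # grep exits 1 when nothing survives
    fi
}

# Build the mail body: de-noised output cut to the first LINES lines,
# with a prominent marker when something was cut.
mail_body() {
    report=$1; noise=$2; lines=$3
    filtered=$(printf '%s\n' "$report" | denoise "$noise")
    total=$(printf '%s\n' "$filtered" | wc -l | tr -d ' ')
    printf '%s\n' "$filtered" | head -n "$lines"
    if [ "$total" -gt "$lines" ]; then
        printf '*** OUTPUT TRUNCATED: showing %s of %s lines ***\n' "$lines" "$total"
    fi
}

# Mail policy from the text: always mail when reportable changes were
# found; for a clean run, mail only when QUIETREPORTS is not "yes".
should_mail() {
    changes_found=$1; quietreports=$2
    [ "$changes_found" = "yes" ] && return 0
    [ "$quietreports" != "yes" ]
}

# Stand-alone run: hide /var/log churn from the mail, keep three lines.
mail_body "$SAMPLE_LOG" '^changed: /var/log/' 3
```

The de-noised, truncated text is only what reaches the mailbox; the full output is what the text says is kept in /var/log/aide/aide.log, which is why the filter is applied to a copy and never to the log itself.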
error mmap'ing some/file
^^^^^^^^^^^^^^^^^^^^^^^^

aide performs an mmap() on the files that it scans in order to compute
its various checksums more quickly. Some special files, however, may
not be mmap()ed. The new default config excludes these files in

Also note that aide is statically linked by default. This is because of
the possibility of an attacker modifying libc or the like, wrapping
system calls and compromising the integrity of aide's reports even if
the binary and database are sitting on physically write-protected
media. Of course this could be done at the kernel level as well, but
changing the currently running kernel results in a lot more disruption
(i.e. reboot) than sneaking a new libc in. It's a security tool, of
course we're paranoid ;).

how to audit vservers and chroots from the host system
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can easily audit vservers and chroots from the host system. If you
are sure that all your systems need the same audit rules, you can
prefix all paths in the aide configuration with a variable, for example

  @@{ROOTS}/etc/adjtime$ VarFile

and then set ROOTS to a regexp that matches the empty string _and_ the
path to your vserver file systems:

  @@define ROOTS (|vservers/foo/|vservers/bar/)

Make sure that it matches the empty string or your exceptions will not
work for the host system. ROOTS can also be set by code like

  # start empty so the first "|" yields the empty alternative for the host
  ROOTLIST=""
  for i in $(ls /vservers); do
      ROOTLIST="$ROOTLIST|/vservers/$i"
  done
  echo "@@define VSERVERS $ROOTLIST"

in an executable rule "early" in your AIDE setup. Thanks to Christian
Theater for that idea.

If you want your vservers to be audited differently, you'll need to
replicate the rules. Even a mixture of the automatic method outlined
above and this more manual approach is possible.
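As an added example (not part of the Debian aide package), the script below builds the ROOTS macro described above from a list of vserver names and checks that a rule prefixed with @@{ROOTS} covers both the host path and the vserver paths while still rejecting an unlisted root. It follows the shell snippet's convention of a leading "/" and no trailing "/" per root, and it assumes that a plain textual substitution of @@{ROOTS} is a fair stand-in for the aide config macro; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Debian aide package: build the ROOTS
# macro described above from a list of vserver names and check that a
# rule prefixed with @@{ROOTS} matches both the host path and the
# vserver paths. It follows the shell snippet's convention of a leading
# "/" and no trailing "/" per root (assumption: the aide rule then
# expands to /vservers/foo/etc/adjtime with no doubled slash).

# Build "(|/vservers/foo|/vservers/bar)". The leading empty alternative
# is what makes the same rule apply to the host system.
build_roots() {
    alts=""
    for name in "$@"; do
        alts="$alts|/vservers/$name"
    done
    printf '(%s)\n' "$alts"
}

# The @@define line to put in an early executable rule or in aide.conf.d.
roots_define() {
    printf '@@define ROOTS %s\n' "$(build_roots "$@")"
}

# Textually expand @@{ROOTS} in one rule, the way the aide config macro
# would (assumption: plain substitution is enough for this check).
expand_rule() {
    rule=$1; shift
    printf '%s\n' "$rule" | sed "s#@@{ROOTS}#$(build_roots "$@")#"
}

# Exit 0 if the expanded rule regexp matches the whole path, 1 otherwise.
rule_matches() {
    path=$1; rule=$2; shift 2
    printf '%s\n' "$path" | grep -Eq -- "^$(expand_rule "$rule" "$@")"
}

# Stand-alone run: show the define and try a few paths against one rule.
roots_define foo bar
for p in /etc/adjtime /vservers/foo/etc/adjtime /vservers/baz/etc/adjtime; do
    if rule_matches "$p" '@@{ROOTS}/etc/adjtime$' foo bar; then
        echo "covered:     $p"
    else
        echo "not covered: $p"
    fi
done
```

Dropping the empty alternative from build_roots is the mistake the text warns about: the host's own /etc/adjtime would then stop matching, and any "!" exceptions written with the same prefix would silently stop applying to the host system.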
Why wasn't this included in the default configuration?

- It is a rather complex change that is only useful for a quite
- The rules look a lot uglier this way
- One will probably apply different rules to the host system and to

The Debian maintainer will reconsider this if enough people demand
this to be included in the default configuration. Please add your vote
to #387463 before it gets archived.

AIDE keeps its database and some additional information in memory at
run-time. Please make sure that an adequate amount of physical memory
and swap is available when aide runs. If adding more memory and/or
swap is not possible, it might be helpful to exclude larger parts of
the file system using a "!" directive. Please note that this
sacrifices some security, as those parts of the file system remain
unchecked.

This file is maintained by Marc Haber, starting from the README.Debian
by Mike Markley <mike@markley.org>, last changed on Fri, 19 Dec 2003

See /usr/share/doc/aide/changelog.Debian.gz for an actual changelog
and current timestamps for package and docs.