aide source code
License: GNU General Public License v2.0
AIDE - Advanced Intrusion Detection Environment
-------------------------------------------------

Version 0.18

This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without modifications, as long as this notice is preserved.

This file is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, to the extent permitted by law; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Introduction
------------

AIDE is a tool for monitoring file system changes. It can be used to detect unauthorized changes to monitored files and directories. AIDE was written to be a simple and free alternative to Tripwire.

Features currently included in AIDE are as follows:

o File attributes monitored: permissions, inode, user, group, file size, mtime, atime, ctime, links and growing size.
o Checksums and hashes supported: SHA1, MD5, RMD160, and TIGER. CRC32, HAVAL and GOST if Mhash support is compiled in.
o Plain text configuration files and database for simplicity.
o Rules, variables and macros that can be customized to local site or system policies.
o Powerful regular expression support to selectively include or exclude files and directories to be monitored.
o gzip database compression if zlib support is compiled in.
o Free software licensed under the GNU General Public License v2.

The homepage of AIDE is https://aide.github.io

Current Version
---------------

AIDE is currently maintained on GitHub. Please visit https://github.com/aide/aide/ to get the newest version of the source code.

Documentation
-------------

The documentation for AIDE can be found in the doc/ directory.

Installation
------------

If you are using a git version of the source you need to generate the configuration files first:

  $ sh ./autogen.sh

For generic installation instructions please see the INSTALL file (generated by autogen.sh). In short, just type:

  $ ./configure
  $ make
  $ make install

See './configure --help' for the available configuration options.

For AIX 5.3 it has been reported there is a problem with using mhash which causes an "Undefined symbol: .rpl_malloc" error. This is a problem in mhash_config.h which can be fixed by removing the line that reads

  #define malloc rpl_malloc

Dynamic versus Static Linking
-----------------------------

Formerly AIDE was linked statically by default to reduce the attack surface of compromised shared libraries and to ease client/server monitoring configurations. However, an attacker could still simply replace the statically linked binary, tamper with the database file or use dynamically loaded kernel modules to change the behaviour of AIDE. These days many Linux distributions (e.g. CentOS/Oracle Linux), operating systems (e.g. Mac OS/OpenSolaris) and libraries have dropped support for static linking. Hence, starting with release v0.18, AIDE is linked dynamically by default. To re-enable static linking use '--enable-static' when configuring AIDE.

Source Code Verification
------------------------

We highly recommend checking that the version of AIDE downloaded and installed is an original and unmodified one. You can either verify the source tarball or the git tag.

To check the supplied signature with GnuPG:

  $ gpg --verify aide-<VERSION_NUMBER>.tar.gz.asc

This checks that the detached signature file is indeed a signature of aide-<VERSION_NUMBER>.tar.gz.

To validate the gpg signature of the git tag:

  $ git verify-tag v<VERSION_NUMBER>

The current public key needed for signature verification is:

  pub   4096R/68E7B931 2011-06-28 [expires: 2025-06-27]
  uid   Hannes von Haugwitz <[email protected]>

If you do not have this key, you can get it from one of the well known PGP key servers. You have to make sure that the key you install is not a faked one. You can do this with reasonable assurance by comparing the output of:

  $ gpg --fingerprint 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931

with the fingerprint published elsewhere.

Requirements
------------

AIDE requires the following development tools:

o C99 compatible compiler.
o GNU Autoconf
o GNU Autoconf Macro Archive
o GNU Automake
o GNU flex.
o GNU yacc (bison).
o GNU make.
o pkg-config
o PCRE2 library (libpcre2-8, library with 8-bit code unit support)
o Mhash (optional, but highly recommended). Mhash is currently available from http://mhash.sourceforge.net/. A static version of libmhash needs to be built using the --enable-static=yes configure option. AIDE requires at least mhash version 0.9.2
o libcheck (optional, needed for 'make check', license: LGPL-2.1)

Note: flex version 2.5.31 is broken, you might see the following error

  conf_lex.c: In function `conflex':
  conf_lex.c:4728: error: `yy_prev_more_offset' undeclared (first use in this function)
  conf_lex.c:4728: error: (Each undeclared identifier is reported only once
  conf_lex.c:4728: error: for each function it appears in.)

Either downgrade to flex 2.5.4 or get an updated version that fixes this bug.

Large File Support
------------------

To be able to store the size of files larger than 2GB, AIDE needs large file support (LFS) to be available in the OS. The configure script automatically checks for LFS. To turn off LFS call the configure script with the '--disable-largefile' option.

Feedback and Support
--------------------

End user support is available on the AIDE mailing list: https://www.ipi.fi/mailman/listinfo/aide

An archive of the mailing list is available online: http://www.ipi.fi/pipermail/aide/

Please report bugs and feature requests to the aide issue tracker: https://github.com/aide/aide/issues

Credits
-------

Please see the AUTHORS file.
To better support processing of the report by machines, AIDE should support JSON as a report format.
In file included from src/db_disk.c:38:
./include/gen_list.h:75:66: warning: declaration of 'struct stat64' will not be visible outside of this function [-Wvisibility]
db_line* get_file_attrs(char* filename,DB_ATTR_TYPE attr, struct AIDE_STAT_TYPE *fs);
^
./config.h:47:24: note: expanded from macro 'AIDE_STAT_TYPE'
#define AIDE_STAT_TYPE stat64
^
src/db_disk.c:173:51: warning: declaration of 'struct stat64' will not be visible outside of this function [-Wvisibility]
static int get_file_status(char *filename, struct AIDE_STAT_TYPE *fs) {
^
./config.h:47:24: note: expanded from macro 'AIDE_STAT_TYPE'
#define AIDE_STAT_TYPE stat64
^
src/db_disk.c:175:12: warning: implicit declaration of function 'lstat64' is invalid in C99 [-Wimplicit-function-declaration]
sres = AIDE_LSTAT_FUNC(filename,fs);
^
./config.h:32:25: note: expanded from macro 'AIDE_LSTAT_FUNC'
#define AIDE_LSTAT_FUNC lstat64
^
src/db_disk.c:198:24: error: variable has incomplete type 'struct stat64'
struct AIDE_STAT_TYPE fs;
^
src/db_disk.c:198:9: note: forward declaration of 'struct stat64'
struct AIDE_STAT_TYPE fs;
^
./config.h:47:24: note: expanded from macro 'AIDE_STAT_TYPE'
#define AIDE_STAT_TYPE stat64
^
This is https://sourceforge.net/p/aide/feature-requests/15/
Hi,
-V255 prints information about each config line read,
such as
72:Selrule
87:Variable substitution
It would be great to print the actual line as well,
and for variable substitutions which variables are
being substituted with which value.
Additionally, the line numbering seems to be off by
one.
Hi, I am testing with Aide 0.15.1 on Oracle Linux 7 (fully app compliant with RHEL); I've been wanting to add a feature in FIM (aide) where whenever a file is created in specific directories, aide should capture md5 or sha256. I can see hashes in the aide.db file, but those hashes do not appear to be either md5 or sha256.
Also, when "aide --check" is executed after the initial snapshot is created, aide.log has similar hashes in it which do not appear to be md5.
Steps to Recreate:
yum install aide
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new
GETIOC=p+i+n+u+g+s+m+md5
/home/nutan GETIOC
aide -c fim.conf --init --verbose
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
aide -c fim.conf --check --verbose
Directory: /home/nutan
Mtime : 2019-10-21 15:15:59 , 2019-10-21 15:39:44
Directory: /home/nutan/aide
Size : 22 , 65
Mtime : 2019-10-21 15:17:42 , 2019-10-21 15:22:42
It appears the MD5 is encoded in some form; given the "==" I tried decoding those using base64, but that too did not reveal the actual MD5.
What config change can be done to retrieve the actual MD5 of the file in aide.log?
Also, while we talk of MD5 in this example, SHA256 has the same issues.
Please add support to check for the Linux capabilities attribute (see capabilities(7)).
Please add support for signed database and config files. The public key used for signature verification should either be configurable exclusively at compile-time or at run-time via a config option.
Hi,
see the following aide.conf:
database=file:/home/mh/aide/aide.db
database_out=file:/home/mh/aide/aide.db.new
database_new=file:/home/mh/aide/aide.db.new
gzip_dbout=no
summarize_changes=yes
grouped=no
!/(etc|var|usr|home|dev|proc|sys)
!/run/udev/(data|links|tags|watch)$ d
/ sha256+sha512+rmd160+haval+gost+crc32+tiger+p+u+g+ftype+s+b+n+i+acl+xattrs+e2fsattrs+selinux
When running aide --init with this configuration, no contents of /run/udev/data/ are included in the database. Removing the !/run/udev/... line, /run/udev/data's contents are there.
The use case is getting an aide notice if an unexpected file shows up in /run/udev/data by excluding the directory entries themselves, and the usual contents of /run/udev/data/. That way, if a file shows up that isn't "the usual contents", aide would report that.
Greetings
Marc
Hi,
when I want to check the SHA512 checksum of the generated database in a script, I need some ugliness like:
< output.aide awk '/^\/var\/lib\/aide\/aide\.db\.new$/,/^$/' | sed -n '/^[[:space:]]\+SHA512[[:space:]]\+: \(.*\)/{s//\1/;N;N;s/[[:space:]]\+//g;p;}'
or
< output.aide awk '/^\/var\/lib\/aide\/aide\.db\.new/{lastrec=1}lastrec==1 && $1=="SHA512"{sha512=1}sha512==1{a=a+1; if(a==1){printf $3}else if(a<=3){printf $1}}'
since the output of the summary database is like:
/var/lib/aide/aide.db.new
MD5 : ujh8SuEtmmNqHoYVamNRgQ==
SHA1 : Uo1hMTdnvy7vj5wxbIXmbBzPqEc=
RMD160 : HvPp9Lz+CTTqIgJvxTWGjQ3bqz0=
TIGER : FhCXXdhFR0i6D/mhWJ6vlreCm1vkXY9w
SHA256 : IK7yUtHmx+UZbVZo9ofrxBdthp7iUh6K
zpPf9aC1X50=
SHA512 : rrgb/cJ5YsQebiO6QlV4eLj+2nFFIVMw
lFlSAbYFQYaET4xKfs6R7vKr/wk0FCLL
MNIaMRe+8fSANsUJJb8Dpw==
CRC32 : aNaXDw==
HAVAL : f5Ug7AzAvydwIcu2ZGwBdw7GDWKTYEkl
dbkS2AzTC+g=
GOST : hXHrVy8eoZzjl/XQKeXw+5o2yPKCcJnG
8A+NbCuAdtM=
WHIRLPOOL: h3WmJ+lW/A31Z2b/BozVzV4Eu1DTLKTY
C0lXY33qA1piAz/Nvxovu3nt8k1M9D+I
EBHY878xKRM9bm+xbfGA2Q==
How about a config option like
meta_database_out=/path/to/dbfile
which actually writes out a one-line aide database containing the checksums of the newly generated file? That's much more easily parseable.
Greetings
Marc
This is https://sourceforge.net/p/aide/feature-requests/23/
For growing log files (option "S"), aide should be able to build checksums for the file's contents. On the next aide run, aide knows from the database the size the file had when the checksums found in the database were built, so it can verify whether the file contents have changed in the part that was already present when the reference database was built.
This is https://sourceforge.net/p/aide/feature-requests/22/
Hi,
aide should - optionally - unpack compressed files before building the checksums. This would allow to successfully track log rotation where the raw log gets compressed eventually.
This is https://sourceforge.net/p/aide/feature-requests/2/ and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257134
It would be a good idea to be able to exclude proc, sys and network
mounts via file system type.
For example, if I want to have a single aide.conf for linux 2.4 and
linux 2.6 kernels, I would probably want to exclude /sys. However,
this would exclude /sys from being checksummed on 2.4 systems where
/sys might be a normal file system.
I would like to be able to exclude all files on file systems with type
proc and sysfs. Please consider adding this feature to aide.
Hi,
I'm having problems compiling this from source (CentOS 7 x64); it feels like configure is broken:
checking for mhash_get_block_size in -lmhash... no
configure: WARNING: No mhash means no hmac.
checking for gpg_strerror in -lgpg-error... no
configure: error: You need to have libgpg-error.a installed to use libgcrypt.
However, I have both libgcrypt and libgcrypt-devel installed. I also downloaded and installed libgpg-error from source; I still can't build it with default settings, so I had to use --without-gcrypt.
Then at the end of compilation I think linking has failed:
aide-0.16.1]# gcc -std=gnu99 -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -W -Wall -g -g -O2 -static -o aide src/aide.o src/base64.o src/be.o src/commandconf.o src/compare_db.o src/conf_lex.o src/conf_yacc.o src/db.o src/db_disk.o src/db_file.o src/db_lex.o src/db_list.o src/db_sql.o src/do_md.o src/error.o src/gen_list.o src/getopt1.o src/getopt.o src/list.o src/md.o src/snprintf.o src/symboltable.o src/util.o -lm -lpcre -pthread
/bin/ld: cannot find -lm
/bin/ld: cannot find -lpcre
/bin/ld: cannot find -lpthread
/bin/ld: cannot find -lc
collect2: error: ld returned 1 exit status
So how do you build this? Maybe this builds on a specific OS like Debian etc.?
Thanks,
A strange thing is going on on my phone. I have run out of free space. I have written some shell scripts doing the comparison, and quickly detected some benign apps responsible for eating it. But it doesn't explain something. According to the history of size snapshots almost every small file (there are a lot of them) has gained some hundreds of KiB. Even the ones that were not expected to change, the ones created by me that I have not touched between the snapshots. That's very strange. So I can imagine a malware that may use other apps' files as its redundant distributed filesystem, whose data cannot be destroyed without either writing a special utility or wiping all the valuable data infected.
But we can try to detect the changes. It is likely that the malware just adds the data into the gaps of files of suitable formats; if there are not enough gaps, it can create one. Often apps like databases have their data pages aligned, so the following approach may work: hash not the whole file, but its parts of a certain size. Then detect the changed parts and show the user a hexdump of them. Or analyse their content for entropy level and how it matches the entropy level of the unchanged part of the file. Or even better, implement plugins parsing various formats' headers and finding out if any gaps have been created.
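The block-wise hashing idea sketched above, as an added example in Python (not AIDE's code and not from the post's author): each fixed-size block is hashed separately, blocks whose hash differs between two snapshots are listed with their byte offset, and the entropy of the old and new block is compared so that high-entropy data dropped into a formerly textual region stands out. The 4 KiB block size and the two sample snapshots are constructed for the demonstration.

```python
import hashlib
import math

BLOCK = 4096  # assumption: page-sized blocks, matching aligned database pages


def block_hashes(data, size=BLOCK):
    """SHA-256 of each fixed-size block; the last block may be shorter."""
    return [hashlib.sha256(data[i:i + size]).hexdigest()
            for i in range(0, len(data), size)]


def entropy(block):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def changed_blocks(old, new, size=BLOCK):
    """Compare two snapshots block by block.

    Returns (index, offset, old_entropy, new_entropy) for every block whose
    hash differs, including blocks present only in the newer snapshot, so
    data appended past the old end is reported too.
    """
    old_h, new_h = block_hashes(old, size), block_hashes(new, size)
    found = []
    for i in range(max(len(old_h), len(new_h))):
        oh = old_h[i] if i < len(old_h) else None
        nh = new_h[i] if i < len(new_h) else None
        if oh != nh:
            off = i * size
            found.append((i, off,
                          entropy(old[off:off + size]),
                          entropy(new[off:off + size])))
    return found


def suspicious(changes, threshold=7.0):
    """Changed blocks that turned from low-entropy into high-entropy content."""
    return [c for c in changes if c[2] < threshold <= c[3]]


# Constructed snapshots: four pages of repetitive text, then page 1 overwritten
# with bytes of maximal entropy (every byte value occurs equally often).
OLD = (b"INSERT INTO t VALUES ('record 001');\n" * 500)[:4 * BLOCK]
NEW = OLD[:BLOCK] + bytes(range(256)) * (BLOCK // 256) + OLD[2 * BLOCK:]

if __name__ == "__main__":
    for idx, off, e_old, e_new in changed_blocks(OLD, NEW):
        print(f"block {idx} @ {off:#x}: entropy {e_old:.2f} -> {e_new:.2f}")
        print(NEW[off:off + 32].hex())  # first bytes of the changed block, hexdump-style
```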
Currently the verbose level option is used to configure the report as well as the debug/log level and accepts values from 0 to 255. Both make it very difficult to predict which verbose level generates which output.
To ease the configuration please replace the verbose option with the report_level and log_level options.
Possible values for log_level:
critical
error
warning
config
notice
config-debug
info
debug
Possible values for report_level:
summary
database_attributes
changed_entries
changed_attributes
added_removed_attributes
added_removed_entries
This issue is related to #20.
This is https://sourceforge.net/p/aide/feature-requests/28/
The issue is that your report format is next to impossible to normalize within a SIEM architecture.
Please add to the aide.conf (example) variations for logging:
i.e.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.gz
gzip_dbout=yes
verbose=5
report_url=stdout
report_url=file:@@{LOGDIR}/aide.log
report_url=syslog:LOG_AUTH
Also; please add a comment on how to append to the log instead of creating a new one.
I would recommend a better format for logging (vice reporting).
I would recommend the following:
log_url = (Take the same parameters)
log_format = syslog_IETF, JSON, csv
I would recommend on syslog_IETF format that you have individual lines for:
something like this:
AIDE: Start timestamp: 2016-05-17 22:02:37 : Total number of files: 40872 : Added files:0 : Removed files: 0 : Changed files: 2
AIDE: Change timestamp: 2016-05-17 22:02:37 : File: /etc/aide.conf : Inode : 133 , 907946
AIDE: Change timestamp: 2016-05-17 22:02:37 : File: /etc/fstab : Inode : 907941 , 907945 : RMD160 : 6ESZcmz1AkxzWEiCHTeInV07QeI= , Iv6sOdBI1J3a6BbDBhHelIe3NAI= SHA256 : PPxCVeCdH3tHYPT+rfY2PTwIvOepG2kF , zPMueGeaJVa/JOtwI8mrxPjOHk16J9/V
AIDE: Added timestamp: 2016-05-17 22:02:37 : File: /etc/cron.daily/test.file
AIDE: End timestamp: 2016-05-17 22:02:37 : Total number of files: 40872 : Added files:0 : Removed files: 0 : Changed files: 2
For the JSON format it would be one line for all.
Some syslogs take JSON per line, so that would be good.
If logging JSON format to a directory; one json file per aide run (preferably compressed)
Also in your default aide.conf:
[Perhaps one for Debian and one for RHEL variations]
You may want to add as a default:
Directories:
/etc/sysctl.d
/etc/modprobe.d
/etc/audit/rules.d
Files
/etc/default/grub
AIDE supports multiple instances of the report_url option, but does not support different report options (e.g. report_base64) for each report_url.
This is https://sourceforge.net/p/aide/feature-requests/24/
It would be cool if you could specify the url of a remote database either on the command line or in the config file that would be used as the base for comparison. Rather than storing the database on protected media, you could generate it, then move to another server.
This is https://sourceforge.net/p/aide/feature-requests/13/
Hi,
it would be great for the Debian packaging if it were
possible to @include entire directories like
/etc/aide/aide.conf.d/.
aide would have to take precautions to avoid including
backup files and other disabled files. In Debian, for
example, it is common to exclude files ending in
.dpkg-*. There are multiple approaches:
This would allow packages to bring their own aide
configuration snippet and to have it enabled
automatically. The Debian aide packages currently
implement this behavior by having aide wrapped and the
real configuration file built just before aide is
invoked, but that's a fragile hack. Would be better to
have that functionality in aide proper.
Thanks for considering.
Hi,
I would like to be able to write something like
!/usr/share/locale/[^/]/LC_MESSAGES/.*.mo$ mime=application/x-gettext-translation
to exclude everything that matches the given MIME type. That would probably help in reducing the amount of aide reports in directories with many known harmless files which could be used by an attacker to hide away executables or scripts or tools.
I know that this will link in libmagic which has a rather complicated security history, but the use case would be helpful anyway.
Greetings
Marc
This is https://sourceforge.net/p/aide/feature-requests/27/
Periodically I update machines' software with rpm or yum (which is a wrapper for yum).
All of the files that get touched via an update, and the directories that they live in, get changed.
It would be nice to have the packaging information associated with an RPM be used to selectively update entries in the database.
I could do:
% aide --update
% mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
but that's a sledgehammer approach, and unrelated changes would also be unwittingly captured.
The RPM package describes the user, group, mode, SHA, xattrs, and ACL associated with a file. Most of the information that's needed to prime a new (or replacement) entry into aide.db.gz ... The rest can be derived by inspection. For each entry, you'd also need to note that the dirname for that entry (its parent) had also changed, and update the modification time silently.
For new package installs that have associated directories, new entries for those directories would need to be created.
A separate libaide.so would likely be needed, along with Python bindings for it so that it might be callable from inside a yum plugin.
Hi, this is https://sourceforge.net/p/aide/feature-requests/4/
gzip support for compressing aide.db is cool, but bzip2 would
be even better because it will allow storing the .db on a floppy
disk more often due to its better compression rate.
(adapt this to more modern compressors, the original issue is from 2005)
This is https://sourceforge.net/p/aide/feature-requests/25/
It will be great if AIDE would support Prelude-IDS via libprelude library. As Samhain does.
I'm getting SELinux denials indicating that /usr/sbin/aide is trying to access a socket used by SSSD: the socket path is /var/lib/sss/pipes/nss. I posted this on Serverfault last week and was advised to bring it up here. Here is the link to that post which contains more information:
https://serverfault.com/questions/971435/selinux-aide-trying-to-access-sssd-socket/971580#971580
AIDE fails with Configuration error when parsing rules containing UTF-8 characters in the regular expression:
$ aide -c aide.conf -i
185:syntax error:
185:Error while reading configuration:
Configuration error
The corresponding line in aide.conf:
186 /test/test-utf8-®-file$ R
I have some weird issues, and I'm not entirely sure why or how this has happened.
Here's the information I have so far.
I've installed aide using:
apt install aide
When I run aide -v, it shows that CONFIG_FILE is in /usr/local/etc/aide.conf, but the actual configuration file lies in /etc/aide/aide.conf.
When I run aide -C it comes with this error:
Couldn't open file /usr/local/etc/aide.db for reading
Looking into that directory, the file doesn't exist.
I also tried to check the DB with the actual config file with aide --config=/etc/aide/aide.conf -C and got this error:
38:Error in expression:acl
Configuration error
And line 38 in the configuration file:
InodeData = OwnerMode+n+i+Size+l+acl+xattrs+e2fsattrs+selinux
I see it mentions acl in the string.
Is my installation completely messed up?
If you must know, it's Debian 6.0.10.
This is https://sourceforge.net/p/aide/feature-requests/21/
Different output options, such as a MySQL database or even CSV/TSV data, would be easier to parse to send to a database with an external command.
This would definitely need the output to have a structure that is similar throughout the different types of alerts that are written by aide.
I just installed AIDE 0.16 on a Ubuntu 18.04 LTS server via apt.
Whenever I run sudo aide -c /etc/aide/aide.conf --check I get a long list of items like the following:
do_md(): open() for /var/lib/lxcfs/cgroup/blkio/blkio.reset_stats failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/blkio/system.slice/blkio.reset_stats failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/blkio/system.slice/accounts-daemon.service/blkio.reset_stats failed: Permission denied
...
The same list is mailed to me daily after the cron job is run.
Does anyone know what this is all about?
Hi,
I am getting reports like this:
d ... . .. E: /var/cache/apt-cacher-ng/debian/dists/bullseye/main/binary-i386/Packages.diff
Directory: /var/cache/apt-cacher-ng/debian/dists/bullseye/main/binary-i386/Packages.diff
E2FSAttrs: -----------------e--- | --------------I--e---
According to man chattr, I means that a directory is indexed using hashed trees. This looks to me like some filesystem internal which cannot be set manually. If my assessment is true, I think that this should not be reported by aide (or at least be excludable).
Greetings
Marc
If --disable-lfs is not given, then configure.ac makes the mistake
of defining the following also for Darwin (Apple MacOS):
#define AIDE_STAT_TYPE stat64
#define AIDE_OFF_TYPE off64_t
#define AIDE_BLKCNT_TYPE blkcnt64_t
The correct values are
#define AIDE_STAT_TYPE stat
#define AIDE_OFF_TYPE off_t
#define AIDE_BLKCNT_TYPE blkcnt_t
Example of error from the compiler:
src/db_disk.c:198:24: error: variable has incomplete type 'struct stat64'
struct AIDE_STAT_TYPE fs;
^
src/db_disk.c:198:9: note: forward declaration of 'struct stat64'
struct AIDE_STAT_TYPE fs;
^
./config.h:47:24: note: expanded from macro 'AIDE_STAT_TYPE'
#define AIDE_STAT_TYPE stat64
^
A temporary solution is to --disable-lfs when configuring for this platform.
Hashes are not generated on newly created files. This would significantly expand the usability of the AIDE platform if it were a feature.
Hi,
File names containing literal %'s, such as /var/log/prosody/jabber%2ezugschlus%2ede/, get escaped in the database, yielding /var/log/prosody/jabber%252ezugschlus%252ede/ in the database. This is a strictly internal representation that gets mapped back in the generated reports.
However, this mapping does not happen in rule processing. To write a rule matching this file name, one needs to write %252e in the rule. I think this is at least confusing and should either be fixed (preferred!) or documented.
Greetings
Marc
Hi, I am testing with Aide 0.15.1 on Oracle Linux 7 (fully app compliant with RHEL); I've been wanting to add a feature in FIM (aide) where whenever a file is created in specific directories, aide should capture SHA512 or sha256. I can see hashes in the aide.db file. I ran
echo <encoded_checksum> | base64 -d | hexdump -v -e '32/1 "%02x" "\n"'
to get the original data; however it doesn't seem to be valid and the length of the SHA512 is much shorter than expected.
value from AIDE: +SN7oBJJ7EyLh0uxddVyc8RSI5ojh46X
value post running the base64 decode command:
f9237ba01249ec4c8b874bb175d57273c452239a23878e97
Bit length: 192
Character length: 48
Steps to Recreate:
Install aide from the local yum repo:
yum install aide
Create fim.conf with contents:
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new
GETIOC=p+i+n+u+g+s+m+sha256+sha512
/home/nutan GETIOC
Initialise:
aide -c fim.conf --init --verbose
Rename the new db to make it the initial snapshot:
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Create and make changes to a test file in the /home/nutan directory: "testfile"
Run aide to check on changes:
aide -c fim.conf --check --verbose
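As an added example (not AIDE's own code, and not from the posters above), a small Python parser for the database summary block quoted earlier on this page: it re-joins the wrapped base64 lines, decodes them to the raw digest bytes and returns the hex form that md5sum/sha256sum print, and flags a digest whose decoded length does not match its algorithm, which is what happens when only the first wrapped line is copied (the 192-bit result in the post above). The 32-character wrap width and the sample block built from a constructed file are assumptions taken from the report excerpt on this page.

```python
import base64
import hashlib
import re

# Raw digest sizes (bytes) for the algorithm names AIDE prints in the summary.
DIGEST_SIZES = {
    "MD5": 16, "SHA1": 20, "RMD160": 20, "TIGER": 24, "SHA256": 32,
    "SHA512": 64, "CRC32": 4, "HAVAL": 32, "GOST": 32, "WHIRLPOOL": 64,
}
WRAP = 32  # assumption: AIDE wraps base64 at 32 characters, as in the excerpt

# "  SHA256   : <base64>" starts a value; an indented bare base64 line continues it.
HASH_LINE = re.compile(r"^\s*([A-Z0-9]+)\s*:\s*([A-Za-z0-9+/=]+)\s*$")
CONT_LINE = re.compile(r"^\s*([A-Za-z0-9+/=]+)\s*$")


def decode_digest(algo, b64):
    """Turn AIDE's base64 text into the hex form that md5sum/sha256sum print.

    AIDE stores the raw digest bytes base64-encoded, so base64 -d | hexdump
    gives the familiar hex string. 'truncated' is set when the decoded length
    does not match the algorithm (e.g. only the first wrapped line was copied).
    """
    raw = base64.b64decode(b64, validate=True)
    expected = DIGEST_SIZES.get(algo)
    return {
        "hex": raw.hex(),
        "bits": len(raw) * 8,
        "truncated": expected is not None and len(raw) != expected,
    }


def parse_summary(report, path):
    """Return {ALGO: decode_digest(...)} for the block headed by the bare path."""
    lines = report.splitlines()
    if path not in lines:
        raise KeyError(f"no summary block for {path}")
    values, current = {}, None
    for line in lines[lines.index(path) + 1:]:
        if not line.strip():
            break  # a blank line ends the block
        m = HASH_LINE.match(line)
        if m:
            current = m.group(1)
            values[current] = m.group(2)
            continue
        m = CONT_LINE.match(line)
        if m and current:
            values[current] += m.group(1)  # re-join a wrapped value
    return {algo: decode_digest(algo, b64) for algo, b64 in values.items()}


def build_sample_report(path, data):
    """Constructed summary block shaped like AIDE's, for a file holding `data`."""
    out = [path]
    for name, algo in (("MD5", "md5"), ("SHA256", "sha256"), ("SHA512", "sha512")):
        text = base64.b64encode(hashlib.new(algo, data).digest()).decode()
        chunks = [text[i:i + WRAP] for i in range(0, len(text), WRAP)]
        out.append(f"  {name:<8} : {chunks[0]}")
        out.extend(" " * 12 + c for c in chunks[1:])
    out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    db = "/var/lib/aide/aide.db.new"
    sample = build_sample_report(db, b"constructed database contents\n")
    for algo, d in parse_summary(sample, db).items():
        flag = "TRUNCATED " if d["truncated"] else ""
        print(f"{algo:<7} {d['bits']:>4} bits {flag}{d['hex']}")
```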
This is https://sourceforge.net/p/aide/feature-requests/19/
Hi,
for debugging, it might be useful to use /dev/null as
input and as output database. This is currently not
allowed, but makes sense in this special case.
Please consider allowing this special case.
Greetings
Marc
Hi,
@@define BIND_CHROOT_DIR
is a syntax error. Please allow empty values for variables.
Greetings
Marc
This is a summary of https://sourceforge.net/p/aide/feature-requests/1/ and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289174
Hi,
even if I have some background in regular expressions
it's in some cases not clear to me what happens and why
some directories are added and others not.
What I miss is a kind of simulation mode where I can
see which directories or files will be added. It's very
hard if you have to wait for the result after a small
change in the config file. Also it's very hard to check
the database file whether a directory was added or not.
With this simulation mode you may check immediately
whether your applied rules deliver the result you
expected.
Regards,
Wilhelm
Hi,
even after using aide for five years now, I need multiple attempts to
get the regexps right. aide's way of demanding and not demanding
escape backslashes does not seem to be consistent with either standard,
extended or perl regexps.
Debugging this is quite tedious since the turnaround times are bad
because one needs to do cryptographic operations.
How about having an option which parses the config file and the
filesystem, and outputs for each file found the aide expression that
would be used for this file if a real aide run would be invoked with
this config file.
Greetings
Marc
Whenever we run aide --update to create a new aide db, the aide.log file in /var/log/aide is overwritten. This presents a challenge as I'd like to maintain a record of aide activities. Is there a setting to cause this log to be appended to vs replaced?
Hi,
restricted selection lines are a vast improvement of aide rule flexibility. I would love to encourage people to use the feature. For myself, I am checking my rules with
awk '{ if ($2 !~ /[fdlsbcp]/) print }' FS=" "
but wouldn't it be nice to have aide check for that and have it issue a warning at higher verbosity levels.
Greetings
Marc
I'm trying to exclude the following autogenerated files whose names begin with session_:
!/home/root/tmp/^session_.+$
example: session_jdskaj293829jdks, session_92ujds29030jsd
and the system still notifies me of new files added or changed beginning with session_ in that directory.
Am I missing something?
Please add a command-line option (e.g. --list, -L) to list parts of the database in human readable format (analogous to the detailed report output of new files).
Often, /dev/null is locked by some other process, so AIDE will exit with an error when /dev/null is used as output database.
Actually it's safe to not use any lock on /dev/null.
Hi,
when I make a syntax error, aide complains:
450:syntax error:!
in vi, I need to type 451G to go to the faulty line.
I guess it's aide that starts counting at zero instead of at one.
Greetings
Marc
Please add a log_url option to specify the url (e.g. syslog) to be used for log messages (in contrast to the AIDE report_url) with stderr as default value.
Hi, how do I make a multi-directory exclusion in aide?
I tried !/var/www/*/data/www/assets/* in the config, but when creating the database I see errors:
get_file_status: lstat() failed for /var/www/site1/data/www/assets/captcha5d8085ae7dd54.png: No such file or directory
get_file_status: lstat() failed for /var/www/site2/data/www/assets/captcha5d8098ee56a1a.png: No such file or directory
As nowadays AIDE is CPU bound with fast storage (e.g. SSDs), it should benefit from multithreading (e.g. via pthreads).
Currently AIDE reports a moved file or directory as removed from the old location and added to the new location while the checked attributes remain the same (modulo inode, ctime etc).
Please add a new Moved entries section to the report which only shows the changed path of the file or directory when there are no other changes to report.
Please add a compile-time option to support dynamic config files, so that AIDE adds the stdout of executable files in the config directory to the configuration at run-time. The config scripts must not be world-writable.
This issue depends on #4.
I mean creating databases often and then storing only diffs between adjacent databases. Then it should be possible to see the picture of what happens in the system over time.
Please add an include directive for aide.conf to include entire directories (e.g. /etc/aide/aide.conf.d/), so the configuration can be modularized into separate snippets. To avoid including backup or other disabled files it would be helpful to support a regexp of allowed file names (e.g. \.conf$).