Differences

This shows the differences between two versions of the page.

linux:aide [14.03.2025 09:57] – [Installation] django
linux:aide [15.03.2025 09:05] (current) – [tasks] django
Line 1: Line 1:
-====== Host based Intrusion Detection System mit AIDE unter Arch ======+====== Host based Intrusion Detection System mit AIDE unter Arch Linux ======
 ===== HIDS - was ist das und wozu nutzt man es? ===== ===== HIDS - was ist das und wozu nutzt man es? =====
 Die Absicherung von Systemen ist eine der Grund- und Pflichtaufgaben eines jeden verantwortungsbewussten Systemadministrators und Administratorin. Dass dies ist kein einmaliger sondern stetig sich wiederholende Vorgang ist, versteht sich in aller Regel von selbst, so ist es unter anderem wichtig, dass regelmässig Systemüberprüfungen und Überwachung von Logmeldungen auf verdächtige und ungewöhnliche Ereignisse durchgeführt werden müssen. Zur Absicherung von Computersystem existieren unterschiedliche Ansätze. TLS-Transportverschlüsselung, SecureShell, oder Firewalls wird hier jedem interessierten Admin sofort in den Sinn kommen. Dabei gibt es zwei unterschiedliche Betrachungsweisen/-richtungen bei den einzelnen Lösungen. Betrachtet und analysiert man in erster Linie Netzwerkverkehr in Netzwerken und/oder Zonengrenzen einzelner Netzwerke und bewertet hierzu entsprechende Protokolle von Netzwerkgeräten wie Switche, Router und Firewalls spricht man von einem **NIDS**, einem **N**etzwerk based **I**ntrusion **D**etection **S**ystem. Im Gegensatz dazu spricht man von einem **HIDS** **H**ost based **I**ntrusion **D**etection **S**ystem, wenn der Blick primär auf einem Host selbst erfolgt und man mit Hilfe lokaler Informationen Bewertungen über zulässige Änderungen am betreffenden System selbst Entscheidungen über (un)zulässige Änderungen treffen muss und möchte. Ein HIDS konzentriert sich dabei auf detailliertere und interne Angriffe, indem es die Überwachung auf Host-Aktivitäten konzentriert. Dabei versucht ein HIDS wie AIDE lediglich, Systemanomalien und somit Eindringlinge zu erkennen und hat nicht zur Aufgabe aktiv mögliche Angreifer und Bedrohungen zu blockieren! Ein Intrusion Detection System (wie AIDE) versucht lediglich, Eindringlinge zu erkennen, arbeitet aber nicht aktiv daran, ihren Zugang von vornherein zu blockieren. 
Im Gegensatz dazu arbeitet ein **IPS** ein **I**ntrusion **P**revention **S**ystem aktiv daran, Bedrohungen zu blockieren und den Benutzerzugriff zu überprüfen. Die Absicherung von Systemen ist eine der Grund- und Pflichtaufgaben eines jeden verantwortungsbewussten Systemadministrators und Administratorin. Dass dies ist kein einmaliger sondern stetig sich wiederholende Vorgang ist, versteht sich in aller Regel von selbst, so ist es unter anderem wichtig, dass regelmässig Systemüberprüfungen und Überwachung von Logmeldungen auf verdächtige und ungewöhnliche Ereignisse durchgeführt werden müssen. Zur Absicherung von Computersystem existieren unterschiedliche Ansätze. TLS-Transportverschlüsselung, SecureShell, oder Firewalls wird hier jedem interessierten Admin sofort in den Sinn kommen. Dabei gibt es zwei unterschiedliche Betrachungsweisen/-richtungen bei den einzelnen Lösungen. Betrachtet und analysiert man in erster Linie Netzwerkverkehr in Netzwerken und/oder Zonengrenzen einzelner Netzwerke und bewertet hierzu entsprechende Protokolle von Netzwerkgeräten wie Switche, Router und Firewalls spricht man von einem **NIDS**, einem **N**etzwerk based **I**ntrusion **D**etection **S**ystem. Im Gegensatz dazu spricht man von einem **HIDS** **H**ost based **I**ntrusion **D**etection **S**ystem, wenn der Blick primär auf einem Host selbst erfolgt und man mit Hilfe lokaler Informationen Bewertungen über zulässige Änderungen am betreffenden System selbst Entscheidungen über (un)zulässige Änderungen treffen muss und möchte. Ein HIDS konzentriert sich dabei auf detailliertere und interne Angriffe, indem es die Überwachung auf Host-Aktivitäten konzentriert. Dabei versucht ein HIDS wie AIDE lediglich, Systemanomalien und somit Eindringlinge zu erkennen und hat nicht zur Aufgabe aktiv mögliche Angreifer und Bedrohungen zu blockieren! 
Ein Intrusion Detection System (wie AIDE) versucht lediglich, Eindringlinge zu erkennen, arbeitet aber nicht aktiv daran, ihren Zugang von vornherein zu blockieren. Im Gegensatz dazu arbeitet ein **IPS** ein **I**ntrusion **P**revention **S**ystem aktiv daran, Bedrohungen zu blockieren und den Benutzerzugriff zu überprüfen.
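Review bot: the split into two paragraphs leaves the same statement in the intro twice in a row: "Dabei versucht ein HIDS wie AIDE lediglich, Systemanomalien und somit Eindringlinge zu erkennen und hat nicht zur Aufgabe aktiv mögliche Angreifer und Bedrohungen zu blockieren!" is immediately followed by "Ein Intrusion Detection System (wie AIDE) versucht lediglich, Eindringlinge zu erkennen, arbeitet aber nicht aktiv daran, ihren Zugang von vornherein zu blockieren.", which says the same thing; keep one of them as the lead-in to the IPS contrast. While touching the paragraph, the stray "ist" in "Dass dies ist kein einmaliger sondern stetig sich wiederholende Vorgang ist" and the typo "Betrachungsweisen" (Betrachtungsweisen) are present in both the old and the new revision and could be fixed in the same edit, as could the doubled phrase "Bewertungen über zulässige Änderungen am betreffenden System selbst Entscheidungen über (un)zulässige Änderungen treffen", which only needs one of the two objects.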
Line 422: Line 422:
  
 <WRAP center round important 35%> <WRAP center round important 35%>
-Bevor das Programm AIDE gestartet werden kann muss es allerdings konfiguriert werden!+Bevor das Programm AIDE gestartet werden kann muss es allerdings [[#konfiguration|konfiguriert]] werden!
 </WRAP> </WRAP>
 +
 +==== Dokumentation ====
 +Die Dokumentation von AIDE findet man in der Datei **[[https://github.com/aide/aide/blob/master/README|README]]** im Git Repository.
 +
 +=== Paketinfo ===
 +Was uns das Paket alles ins System gebracht hat finden wir am einfachsten mit Hilfe von **''pacman -Qil''** heraus.
 +++++ Ausgabe der Befehls pacman -Qil aide | 
 +<code>Name            : aide
 +Version         : 0.18.8-1
 +Description     : A file integrity checker and intrusion detection program
 +Architecture    : x86_64
 +URL             : https://aide.github.io/
 +Licenses        : GPL
 +Groups          : None
 +Provides        : None
 +Depends On      : acl  e2fsprogs  libelf  mhash  pcre
 +Optional Deps   : None
 +Required By     : None
 +Optional For    : None
 +Conflicts With  : None
 +Replaces        : None
 +Installed Size  : 227.09 KiB
 +Packager        : Unknown Packager
 +Build Date      : Fri 28 Feb 2025 04:25:53 PM CET
 +Install Date    : Fri 28 Feb 2025 04:26:08 PM CET
 +Install Reason  : Explicitly installed
 +Install Script  : Yes
 +Validated By    : None
 +
 +aide /etc/
 +aide /etc/aide.conf
 +aide /usr/
 +aide /usr/bin/
 +aide /usr/bin/aide
 +aide /usr/lib/
 +aide /usr/lib/systemd/
 +aide /usr/lib/systemd/system/
 +aide /usr/lib/systemd/system/aidecheck.service
 +aide /usr/lib/systemd/system/aidecheck.timer
 +aide /usr/share/
 +aide /usr/share/man/
 +aide /usr/share/man/man1/
 +aide /usr/share/man/man1/aide.1.gz
 +aide /usr/share/man/man5/
 +aide /usr/share/man/man5/aide.conf.5.gz
 +aide /var/
 +aide /var/lib/
 +aide /var/lib/aide/
 +aide /var/log/
 +aide /var/log/aide/</code>
 +++++
 +=== Programminfo ===
 +Bei Bedarf können wir uns alle Optionen mit denen das AIDE-Binary gebaut wurde zusammen mit den Default Konfigurationsparametern, den verfügbaren einkompilierten Attributen, den verfügbaren Hass-Attributen sowie den defaultmässigen Compound Groups uns anzeigen lassen.
 +
 +++++ Ausgabe der Befehls aide -v | 
 +   # aide -v
 +<code>AIDE 0.18.8
 +
 +Compile-time options:
 +use pcre2: mandatory
 +use pthread: yes
 +use zlib compression: yes
 +use POSIX ACLs: yes
 +use SELinux: no
 +use xattr: yes
 +use POSIX 1003.1e capabilities: no
 +use e2fsattrs: yes
 +use cURL: yes
 +use Mhash: no
 +use GNU crypto library: yes
 +use Linux Auditing Framework: no
 +use locale: no
 +syslog ident: aide
 +syslog logopt: LOG_CONS
 +syslog priority: LOG_NOTICE
 +default syslog facility: LOG_LOCAL0
 +
 +Default config values:
 +config file: /etc/aide.conf
 +database_in: file:/etc/aide.db
 +database_out: file:/etc/aide.db.new
 +
 +Available compiled-in attributes:
 +acl: yes
 +xattrs: yes
 +selinux: no
 +e2fsattrs: yes
 +caps: no
 +
 +Available hashsum attributes:
 +md5: yes
 +sha1: yes
 +sha256: yes
 +sha512: yes
 +rmd160: yes
 +tiger: yes
 +crc32: yes
 +crc32b: no
 +haval: no
 +whirlpool: yes
 +gost: yes
 +stribog256: yes
 +stribog512: yes
 +
 +Default compound groups:
 +R: l+p+u+g+s+c+m+i+n+md5+acl+xattrs+ftype+e2fsattrs
 +L: l+p+u+g+i+n+acl+xattrs+ftype+e2fsattrs
 +>: l+p+u+g+s+i+n+acl+xattrs+ftype+e2fsattrs+growing
 +H: md5+sha1+rmd160+tiger+crc32+gost+sha256+sha512+whirlpool+stribog256+stribog512
 +X: acl+xattrs+e2fsattrs</code>
 +++++
 +
 +=== Manpages ===
 +++++ Manual-Page aide |
 +   # man aide
 +<code>AIDE(1)                                  User Commands                                 AIDE(1)
 +
 +NAME
 +       aide - Advanced Intrusion Detection Environment
 +
 +SYNOPSIS
 +       aide [parameters] command
 +
 +DESCRIPTION
 +       AIDE is an intrusion detection system for checking the integrity of files.
 +
 +COMMANDS
 +       --check, -C
 +              Checks  the  database for inconsistencies. You must have an initialized database
 +              to do this. This is also the default command. Without any command  aide  does  a
 +              check.
 +
 +       --init, -i
 +              Initialize  the  database. You must initialize a database and move it to the ap‐
 +              propriate place (see database_in config option) before you can use  the  --check
 +              command.
 +
 +       --dry-init, -n (added in AIDE v0.17)
 +              Traverse  the  file  system, match each file against the rule tree and report to
 +              stdout.
 +
 +              Neither reports nor the database are written in this mode.
 +
 +              To change the log level in this mode please use the --log-level command line pa‐
 +              rameter.
 +
 +              In this mode aide exits with status 0.
 +
 +       --update, -u
 +              Checks the database and updates the database non-interactively.  The  input  and
 +              output databases must be different.
 +
 +       --compare, -E
 +              Compares  two databases. They must be defined in config file with database=<url>
 +              and database_new=<url>.
 +
 +       --config-check, -D
 +              Stops after reading in the configuration file. Any errors will be reported.   To
 +              change  the log level in this mode please use the --log-level command line para‐
 +              meter.
 +
 +       --path-check=file_type:path, -p file_type:path (added in AIDE v0.17)
 +              Read configuration and match provided file_type and path against rule tree.  The
 +              path  is  independent  of  what is in the actual file system and needs to be ab‐
 +              solute. See RESTRICTED RULES section in aide.conf (5) for supported file types.
 +
 +              To change the log level in this mode please use the --log-level command line pa‐
 +              rameter.
 +
 +              In this mode aide exits with status 0 if the file would be added to the tree,  1
 +              if not and 2 if the file does not match a specified limit.
 +
 +PARAMETERS
 +       --config=configfile , -c configfile
 +              Configuration  is  read  from  file configfile (see --version output for default
 +              value).  Use '-' for stdin.
 +
 +       --limit=REGEX , -l REGEX (added in AIDE v0.16)
 +              Limit command to entries matching REGEX. Note that the REGEX only matches at the
 +              first position.
 +
 +              Example
 +                 Only check and update the database entries matching /etc (i.e. the  /etc  di‐
 +                 rectory) while leaving all other entries unchecked and unchanged:
 +
 +                    aide --update --limit /etc
 +
 +       --before="configparameters" , -B "configparameters"
 +              These configparameters are handled before the reading of the configuration file.
 +              See aide.conf (5) for more details on what to put here.
 +
 +       --after="configparameters" , -A "configparameters"
 +              These  configparameters are handled after the reading of the configuration file.
 +              See aide.conf (5) for more details on what to put here.
 +
 +       --log-level=log_level,-Llog_level (added in AIDE v0.17)
 +              The log level to use (see aide.conf (5) for available log levels  and  more  de‐
 +              tails).  This overwrites the log_level value set in any configuration file.
 +
 +       --verbose=verbosity_level,-Vverbosity_level (REMOVED in AIDE v0.17)
 +              Removed,  use  log_level  and report_level config options instead (see aide.conf
 +              (5) for details).
 +
 +       --report=reporter,-r reporter (REMOVED in AIDE v0.17)
 +              Removed, use report_url config option instead (see aide.conf (5) for details).
 +
 +       --workers=WORKERS , -W WORKERS (added in AIDE v0.18)
 +              Specifies the number of workers (see aide.conf (5) for details). This overwrites
 +              the num_workers value set in any configuration file.
 +
 +       --version,-v
 +              Print version information and exit.
 +
 +       --help,-h
 +              Prints out the standard help message.
 +
 +EXIT STATUS
 +       Normally, the exit status is 0 if no errors occurred. Except when the  --check,  --com‐
 +       pare or --update command was requested, in which case the exit status is defined as:
 +
 +       1 * (new files reported?    +
 +
 +       2 * (removed files reported?) +
 +
 +       4 * (changed files reported?)
 +
 +       Since  those  three cases can occur together, the respective error codes are added. For
 +       example, if there are new files and removed files reported, the exit status will be 1 +
 +       2 = 3.
 +
 +       Additionally, the following exit codes are defined for generic error conditions:
 +
 +       14 Writing error
 +
 +       15 Invalid argument error
 +
 +       16 Unimplemented function error
 +
 +       17 Configuration error
 +
 +       18 IO error
 +
 +       19 Version mismatch error
 +
 +
 +       18 IO error
 +
 +       19 Version mismatch error
 +
 +       20 EXEC error
 +
 +       21 File lock error
 +
 +       22 Memory allocation error
 +
 +       23 Thread error
 +
 +SIGNAL HANDLING
 +       SIGTERM is ignored, use SIGKILL to terminate aide.
 +
 +       SIGHUP is also ignored.
 +
 +       SIGUSR1 toggles the log_level between current and debug level.
 +
 +NOTES
 +       The checksums in the database and in the output are by default base64 encoded (see also
 +       report_base16 option).  To decode them you can use the following shell command:
 +
 +       echo <encoded_checksum> | base64 -d | hexdump -v -e '32/1 "%02x" "\n"'
 +
 +FILES
 +       See --version output for the default config file and the default database_in and  data‐
 +       base_out config values.
 +
 +SEE ALSO
 +       aide.conf(5)
 +
 +BUGS
 +       There    are    probably    bugs    in    this   release.   Please   report   them   at
 +       https://github.com/aide/aide/issues .
 +
 +DISCLAIMER
 +       All trademarks are the property of their respective owners.   No  animals  were  harmed
 +       while making this webpage or this piece of software. Although some pizza delivery guy's
 +       feelings were hurt.
 +
 +aide v0.18.8                              2024-05-09                                   AIDE(1)
 +</code>
 +
 +++++
 +
 +++++ Manual-Page aide.conf |
 +   # man aide.conf
 +<code>AIDE.CONF(5)                                 AIDE                                 AIDE.CONF(5)
 +
 +NAME
 +       aide.conf - The configuration file for Advanced Intrusion Detection Environment
 +
 +SYNOPSIS
 +       aide.conf  is  the  configuration  file  for  Advanced Intrusion Detection Environment.
 +       aide.conf contains the runtime configuration aide uses to initialize or check the  AIDE
 +       database.
 +
 +FILE FORMAT
 +       aide.conf is case-sensitive. Leading and trailing white spaces are ignored. Each config
 +       lines must end with new line.
 +
 +       AIDE  uses the backslash character (\) as escape character for ' ' (space), '@' and '\'
 +       (backslash) (e.g. '\ ' or '\@'). To literally match a '\' in a file path with a regular
 +       expression you have to escape the backslash twice (i.e. '\\\\').
 +
 +       There are three types of lines in aide.conf. First there are the configuration  options
 +       which  are  used  to  set configuration parameters and define groups. Second, there are
 +       (restricted) rules that are used to indicate which files are  added  to  the  database.
 +       Third, macro lines define or undefine variables within the config file. Lines beginning
 +       with # are ignored as comments.
 +
 +CONFIG OPTIONS
 +       These lines have the format parameter=value. See URLS for a list of valid urls.
 +
 +       database_in (type: URL, default: see --version output, added in AIDE v0.17)
 +       database (DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19)
 +              The  url  from  which database is read. There can only be one of these lines. If
 +              there are multiple database lines then the first is used.
 +
 +              Examples:
 +
 +                 database_in=file:/var/lib/aide/aide.db
 +
 +                    Read database locally from /var/lib/aide/aide.db.
 +
 +                 database_in=stdin
 +
 +                    Read database from stdin.
 +
 +                 database_in=https://example.com/aide.db
 +
 +                    Read database remotely from https://example.com/aide.db.
 +
 +       database_out (type: URL, default: see --version output)
 +              The url to which the new database is written to. There can only be one of  these
 +              lines. If there are multiple database_out lines then the first is used.
 +
 +       database_new (type: URL, default: <none>)
 +              The url from which the other database for --compare is read.
 +
 +       database_attrs (type: attribute expression, default: H, added in AIDE v0.16)
 +              The attributes of the (uncompressed) database files which are to be added to the
 +              reports  in  report  level >= database_attributes . Only checksum attributes are
 +              supported. To disable set database_attrs to 'E'.
 +
 +       database_add_metadata (type: bool, default: true, added in AIDE v0.16)
 +              Whether to add the AIDE version and the time of database generation as  comments
 +              to the database file or not. This option may be set to false by default in a fu‐
 +              ture release.
 +
 +       log_level (type: log level, default: warning, added in AIDE v0.17)
 +              The  log level to use. Log messages are written to stderr. If there are multiple
 +              log_level lines then the first one is used. The --log-level or -L  command  line
 +              option overwrites this option.
 +
 +              The following log levels are available:
 +
 +                     error: show unrecoverable issues that have to be handled by the user. Er‐
 +                     rors are fatal to the AIDE process.
 +
 +                     warning:  additionally  show  recoverable issues that most likely lead to
 +                     unexpected behaviour and should be handled by the user
 +
 +                     notice: additionally show recoverable issues that sometimes lead to unex‐
 +                     pected behaviour and might be handled by the user.
 +
 +                     info: additionally show informational messages
 +
 +                     rule: additionally show messages to help to debug the path rule matching
 +
 +                     compare: additionally show messages to help to debug file comparison  and
 +                     (special) attribute handling
 +
 +                     config: additionally show messages to help to debug config and rule pars‐
 +                     ing
 +
 +                     debug:  additionally  show messages that are useful to debug the applica‐
 +                     tion (very verbose)
 +
 +                     thread: additionally show messages about thread processing  (e.g.  broad‐
 +                     cast events)
 +
 +                     trace:  detailed  information about the flow of the application (e.g. in-
 +                     loop logging) (even more verbose)
 +
 +       verbose (type: number, range: 0 - 255, default: 5, REMOVED in AIDE v0.17)
 +              Removed, use log_level and report_level options instead.
 +
 +       gzip_dbout (type: bool, default: false)
 +              Whether the output to the database is gzipped or not. This option  is  available
 +              only if zlib support is compiled in.
 +
 +       root_prefix (type: path, default: <empty>, added in AIDE v0.16)
 +              The  prefix  to strip from each file name in the file system before applying the
 +              rules and writing to database. AIDE removes a trailing slash  from  the  prefix.
 +              If  there are multiple root_prefix lines then the first one is used. This option
 +              has no effect in compare mode.
 +
 +       acl_no_symlink_follow (type: bool, default: false)
 +              Whether to check ACLs for symlinks or not. This option is available only if  acl
 +              support is compiled in.
 +
 +       warn_dead_symlinks (type: path, default: false)
 +              Whether to warn about dead symlinks or not.
 +
 +       config_version (type: string, default: <empty>)
 +              The  value  of  config_version  is printed in the report and also printed to the
 +              database. This is for informational purposes only. It has no  other  functional‐
 +              ity.
 +
 +       config_check_warn_unrestricted_rules (type: bool, default: false, added in AIDE v0.18)
 +              Whether  to warn on unrestricted rules during config check. To explicitly define
 +              unrestricted rules use 0 (zero) as restriction character.
 +
 +       num_workers (type: number|percentage, default: 1, added in AIDE v0.18)
 +              Specifies the number of simultaneous workers (threads) for file  attribute  pro‐
 +              cessing (i.a. hashsum calculation).
 +
 +              The  number of workers can be a positive integer (e.g. '4') or the percentage of
 +              the available processors (e.g.  '60%').  The  resulting  number  of  workers  is
 +              rounded  up  to  the next integer (e.g. '60%' of 8 processors results in 5 work‐
 +              ers).
 +
 +              If there are multiple num_workers lines then the first one is used.
 +
 +              Use 0 (zero) to disable multi-threading.
 +
 +              The default value 1 (single worker thread) may be changed in a future release.
 +
 +REPORT OPTIONS
 +       report_url (type: URL, default: stdout)
 +
 +              The URL that the output is written to.
 +
 +              Multiple instances of the report_url option are supported.
 +
 +              Examples:
 +
 +                 report_url=file:/var/log/aide.log
 +
 +                    Write report to /var/log/aide.log.
 +
 +                 report_url=stdout
 +
 +                    Write report to stdout.
 +
 +                 report_url=syslog:<LOG_FACILITY>
 +
 +                    Write report to syslog using LOG_FACILITY.
 +
 +       The following report options are available (to take effect they have to be  set  before
 +       report_url):
 +
 +       report_level (type: report level, default: changed_attributes, added in AIDE v0.17)
 +
 +              The report level to use. The available report levels are as follows:
 +
 +              minimal: print single line whether AIDE found differences to the database
 +
 +              summary: additionally print number of added, removed and changed files
 +
 +              database_attributes: additionally print database checksums
 +
 +              list_entries: additionally print lists of added, removed and changed entries
 +
 +              changed_attributes: additionally print details about changed entries
 +
 +                     Example:
 +
 +                        File: /var/lib/apt/extended_states
 +                         Perm      : -rw-r--r--                       | -rw-------
 +                         Uid       : 0                                | 106
 +
 +                     The  left column shows the old value (e.g. from the database_in database)
 +                     and the right column shows the new value (e.g. from the file system).
 +
 +              added_removed_attributes: additionally print details about added and removed at‐
 +              tributes
 +
 +              added_removed_entries: additionally print details about added  and  removed  en‐
 +              tries
 +
 +       report_format (type: report format, default: plain, added in AIDE v0.18)
 +              The report format to use. The available report formats are as follows:
 +
 +              plain: Print report in plain human-readable format.
 +
 +              json: Print report in json machine-readable format.
 +
 +       report_base16 (type: bool, default: false, added in AIDE v0.17)
 +              Base16 encode the checksums in the report. The default is to report checksums in
 +              base64 encoding.
 +
 +       report_detailed_init (type: bool, default: false, added in AIDE v0.16)
 +              Report  added  files  (report  level  >= list_entries) and their details (report
 +              level >= added_removed_entries) in initialization mode.
 +
 +       report_quiet (type: bool, default: false, added in AIDE v0.16)
 +              Suppress report output if no differences to the database have been found.
 +
 +       report_append (type: bool, default: false, added in AIDE v0.17)
 +              Append to the report URL.
 +
 +       report_grouped (type: bool, default: true, added in AIDE v0.17)
 +       grouped (DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19)
 +              Group the files in the report by added, removed and changed files.
 +
 +       report_summarize_changes (type: bool, default: true, added in AIDE v0.17)
 +       summarize_changes (DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19)
 +              Summarize changes in the added, removed and changed files sections  of  the  re‐
 +              port.
 +
 +              The general format is like the string YlZbpugamcinHAXSEC, where Y is replaced by
 +              the  file-type  ('f' for a regular file, 'd' for a directory, 'l' for a symbolic
 +              link, 'c' for a character device, 'b' for a block device, 'p' for  a  FIFO,  's'
 +              for  a unix socket, 'D' for a Solaris door, 'P' for a Solaris event port, '!' if
 +              file type has changed and '?' otherwise).
 +
 +              The Z is replaced as follows: A '=' means that the size has not changed,  a  '<'
 +              reports  a  shrinked  size and a '>' reports a grown size.  The other letters in
 +              the string are the actual letters that will be  output  if  the  associated  at‐
 +              tribute for the item has been changed or a '.' for no change.
 +
 +              Otherwise  a  '+' is shown if the attribute has been added, a '-' if it has been
 +              removed, a ':' if the attribute is ignored (but not forced) or a ' ' if the  at‐
 +              tribute has not been checked.
 +
 +              The exceptions to this are: (1) a newly created file replaces each letter with a
 +              '+', and (2) a removed file replaces each letter with a '-'.
 +
 +              The attribute that is associated with each letter is as follows:
 +
 +              o      A l means that the link name has changed.
 +
 +              o      A b means that the block count has changed.
 +
 +              o      A p means that the permissions have changed.
 +
 +              o      An u means that the uid has changed.
 +
 +              o      A g means that the gid has changed.
 +
 +              o      An a means that the access time has changed.
 +
 +              o      A m means that the modification time has changed.
 +
 +              o      A c means that the change time has changed.
 +
 +              o      An i means that the inode has changed.
 +
 +              o      A n means that the link count has changed.
 +
 +              o      A H means that one or more message digests have changed.
 +
 +              The  following  letters are only available when explicitly enabled using config‐
 +              ure:
 +
 +              o      A A means that the access control list has changed.
 +
 +              o      A X means that the extended attributes have changed.
 +
 +              o      A S means that the SELinux attributes have changed.
 +
 +              o      A E means that the file attributes on a second extended file system  have
 +                     changed.
 +
 +              o      A C means that the file capabilities have changed.
 +
 +       report_ignore_added_attrs (type: attribute expression, default: empty, added in AIDE
 +       v0.16)
 +              Attributes whose addition is to be ignored in the report.
 +
 +       report_ignore_removed_attrs (type: attribute expression, default: empty, added in AIDE
 +       v0.16)
 +              Attributes whose removal is to be ignored in the report.
 +
 +       report_ignore_changed_attrs (type: attribute expression, default: empty, added in AIDE
 +       v0.16)
 +       ignore_list (REMOVED in AIDE v0.17)
 +              Attributes whose change is to be ignored in the report.
 +
 +       report_force_attrs (type: attribute expression, default: empty, added in AIDE v0.16)
 +       report_attributes (REMOVED in AIDE v0.17)
 +              Attributes  which  are always printed in the report for changed files. If an at‐
 +              tribute is both ignored and forced the attribute  is  not  considered  for  file
 +              change  but  printed  in the final report as long as the file has been otherwise
 +              changed.
 +
 +       report_ignore_e2fsattrs (type: string, default: 0, added in AIDE v0.16)
 +              List (no delimiter) of ext2 file attributes which are to be ignored in  the  re‐
 +              port.   See  chattr(1)  for the available attributes. Use 0 (zero) to not ignore
 +              any attribute. Ignored attributes are represented by a ':' in the report.
 +
 +              By default AIDE also reports changes of the read-only  attributes  mentioned  in
 +              chattr(1) (see example below how to ignore those changes).
 +
 +              Example:
 +
 +                 Ignore  changes of the read-only ext2 file attributes verify (V), inline data
 +                 (N), indexed directory (I) and encrypted (E):
 +
 +                    report_ignore_e2fsattrs=VNIE
 +
 +GROUPS
 +       Groups are aggregations of attributes.
 +
 +       Group definitions have the format <group name> = <attribute expression>.
 +
 +       Group names are limited to alphanumeric characters (A-Za-z0-9).
 +
 +       See ATTRIBUTES for a description of all available attributes.
 +
 +       Default groups
 +
 +            p+ftype+i+l+n+u+g+s+m+c+md5+X
 +
 +            p+ftype+i+l+n+u+g+X
 +
 +       >      Growing file p+ftype+l+u+g+i+n+s+growing+X
 +
 +            all compiled in hashsums (added in AIDE v0.17)
 +
 +            acl+selinux+xattrs+e2fsattrs+caps (if attributes are compiled in, added in  AIDE
 +              v0.16)
 +
 +            Empty group
 +
 +       Use 'aide --version' to list the default compound groups.
 +
 +RULES
 +       AIDE supports three types of rules:
 +
 +       Regular rule:
 +              <regex> <attribute expression>
 +
 +              Files and directories matching the regular expression are added to the database.
 +
 +       Negative rule:
 +              !<regex>
 +
 +              Files  and directories matching the regular expression are ignored and not added
 +              to the database.  The children of matching directories are also ignored.
 +
 +       Equals rule:
 +              =<regex> <attribute expression>
 +
 +              Files and directories matching the regular expression are added to the database.
 +              The children of directories are only added if the regular expression ends with a
 +              "/" The children of sub-directories are not added at all.
 +
 +       Every regular expression has to start with an explicit "/" An implicit ^ is added  in
 +       front  of each regular expression.  In other words, the regular expressions are matched
 +       at the first position against the complete path.  Special characters can be escaped us‐
 +       ing two-digit URL encoding (for example, %20 to represent a space).
 +
 +       AIDE uses a deepest-match algorithm to find the tree node to search, but a  first-match
 +       algorithm inside the node.  (see also rule log level).
 +
 +       See EXAMPLES for examples.
 +
 +       More in-depth discussion of the selection algorithm can be found in the AIDE manual.
 +
 +RESTRICTED RULES
 +       Restricted  rules  are  like normal rules but can be restricted to file types (added in
 +       AIDE v0.16). The following file types are supported:
 +
 +            restrict rule to regular files
 +
 +            restrict rule to directories
 +
 +            restrict rule to symbolic links
 +
 +            restrict rule to character devices
 +
 +            restrict rule to block devices
 +
 +            restrict rule to FIFO files
 +
 +            restrict rule to UNIX sockets
 +
 +            restrict rule to Solaris doors
 +
 +            restrict rule to Solaris event ports
 +
 +            empty restriction, i.e. don't restrict rule (added in AIDE v0.18)
 +
 +       Multiple restrictions can be given as a comma-separated list.
 +
 +       The syntax of restricted rules is as follows:
 +
 +       Restricted regular rule
 +              <regex> <file types> <attribute expression>
 +
 +       Restricted negative rule
 +              !<regex> <file types>
 +
 +       Restricted equals rule
 +              =<regex> <file types> <attribute expression>
 +
 +MACRO LINES
 +       @@define VAR val
 +              Define variable VAR to value val.
 +
 +       @@undef VAR
 +              Undefine variable VAR.
 +
 +       @@if boolean_expression (added in AIDE v0.18)
 +       @@else
 +       @@endif
 +              @@if begins an if statement. It must be terminated with  an  @@endif  statement.
 +              The  lines between @@if and @@endif are used if the boolean_expression evaluates
 +              to true.  If there is an @@else statement then the part between @@if and  @@else
 +              is  used  if  boolean_expression  evaluates  to  true otherwise the part between
 +              @@else and @@endif is used.
 +
 +              Available operators and functions in boolean expressions:
 +
 +                 not boolean_expression
 +                    Evaluates to true if the boolean_expression is false,  and  false  if  the
 +                    boolean_expression is true.
 +
 +                 defined VARIABLE
 +
 +                    Evaluates to true if VARIABLE is defined.
 +
 +                 hostname HOSTNAME
 +
 +                    Evaluates to true if HOSTNAME equals the hostname of the machine that AIDE
 +                    is running on. hostname is the name of the host without the domainname (ie
 +                    'hostname', not 'hostname.example.com').
 +
 +                 exists PATH
 +
 +                    Evaluates to true if PATH exists.
 +
 +       @@ifdef VARIABLE (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
 +              same as @@if defined VARIABLE
 +
 +       @@ifndef VARIABLE (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
 +              same as @@if not defined VARIABLE
 +
 +       @@ifhost HOSTNAME (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
 +              same as @@if hostname HOSTNAME
 +
 +       @@ifnhost HOSTNAME (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
 +              same as @@if not hostname HOSTNAME
 +
 +       @@{VAR}
 +              @@{VAR}  is replaced with the value of the variable VAR.  If variable VAR is not
 +              defined an empty string is used.
 +
 +              Variables are supported in strings  and  in  regular  expressions  of  selection
 +              lines.
 +
 +              Pre-defined marco variables:
 +
 +                 @@{HOSTNAME}: hostname of the current system
 +
 +       @@include FILE
 +              Include FILE.
 +              The  content of the file is used as if it were inserted in this part of the con‐
 +              fig file.
 +
 +              The maximum depth of nested includes is 16.
 +
 +       @@include DIRECTORY REGEX [RULE_PREFIX] (added in AIDE v0.17)
 +              Include all (regular) files found in DIRECTORY matching regular expression REGEX
 +              (sub-directories are ignored). The file are included in lexical sort order.
 +
 +              If RULE_PREFIX is set, all rules included by the  statement  are  prefixed  with
 +              given RULE_PREFIX (added in AIDE v0.18). Prefixes from nested include statements
 +              are concatenated.
 +
 +              The content of the files is used as if it were inserted in this part of the con‐
 +              fig file.
 +
 +       @@x_include FILE (added in AIDE v0.17)
 +       @@x_include DIRECTORY REGEX [RULE_PREFIX]  (added in AIDE v0.17)
 +              @x_include is identical to @@include, except that if a config file is executable
 +              is is run and the output is used as config.
 +
 +              If  the  executable file exits with status greater than zero or writes to stderr
 +              aide stops with an error.
 +
 +              For security reasons DIRECTORY and each executable config file must be owned  by
 +              the current user or root. They must not be group- or world-writable.
 +
 +       @@x_include_setenv VAR VALUE (added in AIDE v0.17)
 +
 +              Adds  the  variable  VAR with the value VALUE to the environment used for config
 +              file execution.
 +
 +              Environment variable names are limited to  alphanumeric  characters  (A-Za-z0-9)
 +              and the underscore '_' and must not begin with a digit.
 +
 +TYPES
 +       bool
 +          Valid values are yes, true, no or false.
 +
 +       attribute expression
 +
 +          An attribute expression is of the following form:
 +
 +                   <attribute/group>
 +                 | <expr> + <attribute/group>
 +                 | <expr> - <attribute/group>
 +
 +       URLS
 +          Urls  can  be  one  of  the following. Input urls cannot be used as outputs and vice
 +          versa.
 +
 +                 stdout
 +
 +                 stderr Output is sent to stdout, stderr respectively.
 +
 +                 stdin  Input is read from stdin.
 +
 +                 file:/path
 +                        Input is read from path or output is written to path.
 +
 +                 fd:number
 +                        Input is read from filedescriptor number or output is written to  num‐
 +                        ber.
 +
 +                 syslog:LOG_FACILITY
 +                        Output is written to syslog using LOG_FACILITY.
 +
 +ATTRIBUTES
 +       File attributes
 +
 +       ftype  file type (added in AIDE v0.15)
 +
 +            permissions
 +
 +            inode
 +
 +            link name
 +
 +            number of links
 +
 +            user
 +
 +            group
 +
 +            size
 +
 +            block count
 +
 +            mtime
 +
 +            atime
 +
 +            ctime
 +
 +       acl    access control list (requires libacl)
 +
 +       selinux
 +              selinux attributes (requires libselinux)
 +
 +       xattrs extended attributes (requires libattr)
 +
 +       e2fsattrs
 +              file  attributes  on  a  second  extended  file  system,  see  also   report_ig‐
 +              nore_e2fsattrs  option (requires libext2fs, added in AIDE v0.15)
 +
 +       caps   file capabilities (requires libcap2, added in AIDE v0.17)
 +
 +       Use 'aide --version' to show which compiled-in attributes are available.
 +
 +       Special attributes
 +
 +            check for growing size (DEPRECATED since AIDE v0.18, will  be  removed  in  AIDE
 +              v0.20)
 +
 +              Use growing+s attributes instead
 +
 +            ignore changed filename
 +
 +              When  I is used, the inode of the old file is used to search for a moved file in
 +              the new database.
 +
 +              Source and target file have to be located in the same directory and  must  share
 +              the  same  attributes  (except  for special attributes ANF, ARF, I, growing, and
 +              compressed).
 +
 +              For moved entries a change of the ctime attribute is ignored.
 +
 +       growing
 +              ignore growing file (added in AIDE v0.18)
 +
 +              When growing is used, changes of the following attributes are ignored:
 +
 +              size: if new size is greater than old size
 +
 +              bcount: if new bcount is greater than old bcount
 +
 +              atime: if new atime is greater than old atime
 +
 +              mtime: if new mtime is greater than old mtime
 +
 +              ctime: if new ctime is greater than old ctime
 +
 +              hashsums: if the hashsum of the new file restricted to the old size  equals  the
 +              hashsums of the old file
 +
 +              For hashsum attributes the growing attribute is ignored in compare mode.
 +
 +       compressed
 +              ignore compressed file (added in AIDE v0.18)
 +
 +              When  compressed  is  used, the uncompressed hashsums of the new compressed file
 +              (supported compressions: gzip) are used to search for the uncompressed  file  in
 +              the old database.
 +
 +              The  old uncompressed and the new compressed file have to be located in the same
 +              directory and must share the same attributes (except for special attributes ANF,
 +              ARF, I, growing, and compressed) including at least one hashsum.
 +
 +              Changes of the inode, size, bcount and ctime attributes are ignored.
 +
 +              The growing attribute (i.e. the old file size) is not considered for  compressed
 +              files during the calculation of the uncompressed hashsums.
 +
 +              The compressed attribute is ignored in compare mode.
 +
 +       ANF    allow new files
 +
 +              When  'ANF' is used, new files are added to the new database, but are ignored in
 +              the report.
 +
 +       ARF    allow removed files
 +
 +              When 'ARF' is used, files missing on disk are omitted from the new database, but
 +              are ignored in the report.
 +
 +       Hashsums attributes
 +
 +       md5    MD5 checksum (not in libgcrypt FIPS mode)
 +
 +       sha1   SHA-1 checksum
 +
 +       sha256 SHA-256 checksum
 +
 +       sha512 SHA-512 checksum
 +
 +       rmd160 RIPEMD-160 checksum
 +
 +       tiger  tiger checksum
 +
 +       haval  haval256 checksum (libmhash only)
 +
 +       crc32  crc32 checksum
 +
 +       crc32b crc32 checksum (libmhash only)
 +
 +       gost   GOST R 34.11-94 checksum
 +
 +       whirlpool
 +              whirlpool checksum
 +
 +       stribog256
 +              GOST R 34.11-2012, 256 bit checksum (libgcrypt only, added in AIDE v0.17)
 +
 +       stribog512
 +              GOST R 34.11-2012, 512 bit checksum (libgcrypt only, added in AIDE v0.17)
 +
 +       Use 'aide --version' to show which hashsums are available.
 +
 +EXAMPLES
 +       / R    This adds all files on your machine to the database.  This one line is  a  fully
 +              qualified configuration file.
 +
 +       !/dev$ This ignores the /dev directory structure.
 +
 +       =/foo R
 +              Only  /foo  and /foobar are taken into the database.  None of their children are
 +              added.
 +
 +       =/foo/ R
 +              Only /foo and its children (e.g. /foo/file and /foo/directory)  are  taken  into
 +              the database.  The children of sub-directories (e.g. /foo/directory/bar) are not
 +              added.
 +
 +       / d,f R
 +              Only add directories and files to the database
 +
 +       !/run d
 +       /run R Add all but directory entries to the database
 +
 +       /run d R-m-c-i
 +       /run R Use specific rule for directories
 +
 +       Suggested Groups
 +
 +       OwnerMode = p+u+g+ftype
 +              Check permissions, owner, group and file type
 +
 +       Size = s+b
 +              Check size and block count
 +
 +       InodeData = OwnerMode+n+i+Size+l+X
 +       StaticFile = m+c+Checksums
 +              Files that stay static
 +
 +       Full = InodeData+StaticFile
 +       Full = ftype+p+l+u+g+s+m+c+a+i+b+n+H+X
 +       / 0 Full
 +              This  line  defines group Full.  It has all attributes, all compiled in hashsums
 +              (H) and all compiled in extra file attributes (X).  See '--version'  output  for
 +              the  compiled  in  hashsums  and  extra groups.  The example rule is the typical
 +              catch-all rule at the end of the rule list.
 +
 +       VarTime = InodeData+Checksums
 +       /etc/ssl/certs/ca-certificates\\.crt$ VarTime
 +              Files that change their mtimes or ctimes but not their contents.
 +
 +       VarInode = VarTime-i
 +       /var/lib/nfs/etab$ f VarInode
 +              Files that are recreated regularly but do not change their contents
 +
 +       VarFile = OwnerMode+n+l+X
 +       /etc/resolv\\.conf$ f VarFile
 +              Files that change their contents during system operation
 +
 +       VarDir = OwnerMode+n+i+X
 +       /var/lib/snmp$ d VarDir
 +              Directories that change their contents during system operation
 +
 +       RecreatedDir = OwnerMode+n+X
 +       /run/samba$ d RecreatedDir
 +              Directories that are recreated regularly and change their contents
 +
 +       Log Handling
 +
 +       Logs pose a number of special challenges to AIDE.  An active log is  nearly  constantly
 +       being  written  to.   The process of log rotation changes file names for files that are
 +       supposed to have unaltered contents.  To save space, Logs are compressed in the process
 +       of their rotation, and finally, they get deleted.  AIDE is supposed to handle all those
 +       cases without generating reports, and it is still expected to flag the  cases  when  an
 +       attacker tampers with logs.
 +
 +       The following examples suggest a way to handle the common case of log rotation with the
 +       logrotate(8)  program, with its options compress, delaycompress and nocopytruncate set.
 +       The vast majority of logs are rotated this way on most Linux systems.
 +
 +       ActLog=Full+growing+ANF+I
 +       /var/log/foo\\.log$ f ActLog
 +              An Active Log is typically named foo.log.  It is  constanty  being  written  to.
 +              The  file  does neither change its mode nor its inode number.  The size only in‐
 +              creases, and what is written to the file is not supposed  to  change  (growing).
 +              During  log  rotation,  foo.log is typically renamed to foo.log.1 (or foo.log.0)
 +              and the process is instructed to write to a new foo.log.  Log content is written
 +              to a new file (ANF) and will eventually be renamed to foo.log.1 (I).  The  grow‐
 +              ing  attribute  suppresses reports for files that just had content appended when
 +              compared to the database.  A change of the old content is still reported!
 +
 +       RotLog=Full
 +       /var/log/foo\\.log\\.1$ f RotLog
 +              foo.log.0 or foo.log.1 is called the Rotated Log, the previously active log  re‐
 +              named  to the first name of the Log Series that is formed by the rotation mecha‐
 +              nism.  Right after rotation, the file might still being written to by  the  dae‐
 +              mon.  To aide, this looks like the Active Log's size decreases and its inode and
 +              timestamps  change.   The  Rotated  Log is not supposed to change its attributes
 +              once the process has stopped writing to it.  Reports might be generated if  aide
 +              runs  while  the  process still writes to the Rotated Log, but this is quite un‐
 +              likely to happen.  Some log rotation mechanisms rename foo.log to  foo.log.0  to
 +              foo.log.1.gz, others rename foo.log to foo.log.1 to foo.2.log.gz.
 +
 +       CompSerLog=Full+I+compressed
 +       /var/log/foo\\.log\\.2\\.gz$ f CompSerLog
 +              In  the  next rotation step, foo.log.1 gets compressed to foo.log.2.gz, becoming
 +              the Compressed Log in the Log Series.  With this rule, AIDE does not report this
 +              step because it uncompresses the contents of the file and takes the checksum  of
 +              the  uncompressed  content.   The contents strictly doesn't change, but some at‐
 +              tribute changes are ignored (compressed).
 +
 +       MidlSerLog=Full+I
 +       /var/log/foo\\.log\\.[345]\\.gz$ f MidlSerLog
 +              In the next log rotation, all foo.log.{x} get  renamed  to  foo.log.{x+1}.   The
 +              other attributes are not supposed to change.
 +
 +       LastSerLog=Full+ARF
 +       /var/log/foo\\.log\\.6\\.gz$ f LastSerLog
 +              The  configuration of the log rotation process specifies a number of log genera‐
 +              tions to keep. The last log in the series is therefore  removed  from  the  disk
 +              (ARF).
 +
 +       aide 0.18 does not yet support the following cases of log rotation:
 +
 +       empty files
 +              It might be the case that a log is actually created, but never written to.  This
 +              commonly  happens  on  rarely  used  web  servers that use the log rotation as a
 +              method to cater for data protection regulation.  In result, all files in  a  se‐
 +              ries  are  identical, breaking the heuristics that aide uses to detect log rota‐
 +              tion.  A possible workaround is to begin a newly rotated log with  a  timestamp.
 +              With logrotate, this can be done in a postrotate scriptlet.
 +
 +       nodelaycompress
 +              With  logrotate' nodelaycompress option, a log is immediately compressed after
 +              renaming it from the Active Log name.  For the time being, it is recommended  to
 +              always use the delaycompress option to avoid this behavior.
 +
 +       copytruncate
 +              tions to keep. The last log in the series is therefore  removed  from  the  disk
 +              (ARF).
 +
 +       aide 0.18 does not yet support the following cases of log rotation:
 +
 +       empty files
 +              It might be the case that a log is actually created, but never written to.  This
 +              commonly  happens  on  rarely  used  web  servers that use the log rotation as a
 +              method to cater for data protection regulation.  In result, all files in  a  se‐
 +              ries  are  identical, breaking the heuristics that aide uses to detect log rota‐
 +              tion.  A possible workaround is to begin a newly rotated log with  a  timestamp.
 +              With logrotate, this can be done in a postrotate scriptlet.
 +
 +       nodelaycompress
 +              With  logrotate' nodelaycompress option, a log is immediately compressed after
 +              renaming it from the Active Log name.  For the time being, it is recommended  to
 +              always use the delaycompress option to avoid this behavior.
 +
 +       copytruncate
 +              With  logrotate' copytruncate  option, the Active Log is not renamed and newly
 +              created but copied to the new file name.  After the copy operation, the old file
 +              is truncated to zero size, allowing the daemon to continuously write to the  al‐
 +              ready  open  file  handle.   aide  uses  the Inode number to detect the rotation
 +              process.  That doesn't work with copytruncate because the Inode stays  with  the
 +              Active Log.  For the time being, it is recommended to avoid the copytruncate op‐
 +              tion to avoid this behavior.
 +
 +HINTS
 +       In the following, the first is not allowed in AIDE. Use the latter instead.
 +
 +              /foo epug
 +
 +              /foo e+p+u+g
 +
 +SEE ALSO
 +       aide(1)
 +
 +DISCLAIMER
 +       All  trademarks  are  the  property of their respective owners.  No animals were harmed
 +       while making this webpage or this piece of software.
 +
 +aide v0.18.8                              2024-05-09                              AIDE.CONF(5)</code>
 +++++
 +
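Review bot: the pasted aide.conf(5) excerpt has a copy error in the Log Handling part. After the first ''copytruncate'' heading, the lines from ''tions to keep. The last log in the series is therefore removed from the disk (ARF).'' down to the second ''nodelaycompress'' entry are a verbatim repeat of the ''LastSerLog'', ''empty files'' and ''nodelaycompress'' paragraphs directly above, and only the second ''copytruncate'' heading is followed by its actual explanation. Drop the first ''copytruncate'' heading together with the repeated block so that ''LastSerLog'' → ''empty files'' → ''nodelaycompress'' → ''copytruncate'' each appear once.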
 +==== Konfiguration ====
 +Die Konfiguration wird über die Dateien **''/etc/aide/aide.conf''** vorgenommen. Um später Änderungen und Neuerungen bei Paketupdates besser verfolgen zu können kopieren wir uns als erstes die mitgelieferte Konfigurationsdatei **''aide.conf''**.
 +   # cp -av /etc/aide/aide.conf /etc/aide/aide.conf.orig
 +
 +So können wir später leichter Änderungen mit Hilfe von **''vimdiff''** vergleichen!
 +
 +Anpassungen und Änderungen an der Konfiguration nehmen mit mit dem Editor unserer Wahl , wie z.B. **''vim''** vor.
 +   # sudo vim /etc/aide/aide.conf
 +
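Review bot: the two command lines mix privilege conventions: ''# cp -av /etc/aide/aide.conf /etc/aide/aide.conf.orig'' is shown at a root prompt (''#''), while ''# sudo vim /etc/aide/aide.conf'' adds ''sudo'' at the same root prompt. Use one form for both (root prompt without ''sudo'', or ''$ sudo …'' for both) so it is clear as which user the steps are run. Minor: "nehmen mit mit dem Editor" has a doubled "mit".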
 +<file bash /etc/aide/aide.conf># Example configuration file for AIDE.
 +# More information about configuration options available in the aide.conf manpage.
 +# Inspired from https://src.fedoraproject.org/rpms/aide/raw/rawhide/f/aide.conf
 +
 +# ┌───────────────────────────────────────────────────────────────┐
 +# │ CONTENTS OF aide.conf                                         │
 +# ├───────────────────────────────────────────────────────────────┘
 +# │
 +# ├──┐VARIABLES
 +# │  ├── DATABASE
 +# │  └── REPORT
 +# ├──┐RULES
 +# │  ├── LIST OF ATTRIBUTES
 +# │  ├── LIST OF CHECKSUMS
 +# │  └── AVAILABLE RULES
 +# ├──┐PATHS
 +# │  ├──┐EXCLUDED
 +# │  │  ├── ETC
 +# │  │  ├── USR
 +# │  │  └── VAR
 +# │  └──┐INCLUDED
 +# │     ├── ETC
 +# │     ├── USR
 +# │     ├── VAR
 +# │     └── OTHERS
 +# │
 +# └───────────────────────────────────────────────────────────────
 +
 +# ################################################################ VARIABLES
 +
 +# ################################ DATABASE
 +
 +@@define DBDIR /var/lib/aide
 +@@define LOGDIR /var/log/aide
 +
 +# The location of the database to be read.
 +database_in=file:@@{DBDIR}/aide.db.gz
 +
 +# The location of the database to be written.
 +#database_out=sql:host:port:database:login_name:passwd:table
 +#database_out=file:aide.db.new
 +database_out=file:@@{DBDIR}/aide.db.new.gz
 +
 +# Whether to gzip the output to database
 +gzip_dbout=yes
 +
 +# ################################ REPORT
 +
 +# Default.
 +log_level=warning
 +report_level=changed_attributes
 +
 +report_url=file:@@{LOGDIR}/aide.log
 +report_url=stdout
 +#report_url=stderr
 +#NOT IMPLEMENTED report_url=mailto:root@foo.com
 +#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
 +
 +# ################################################################ RULES
 +
 +# ################################ LIST OF ATTRIBUTES
 +
 +# These are the default parameters we can check against.
 +#p:             permissions
 +#i:             inode:
 +#n:             number of links
 +#u:             user
 +#g:             group
 +#s:             size
 +#b:             block count
 +#m:             mtime
 +#a:             atime
 +#c:             ctime
 +#S:             check for growing size
 +#acl:           Access Control Lists
 +#selinux        SELinux security context (must be enabled at compilation time)
 +#xattrs:        Extended file attributes
 +
 +# ################################ LIST OF CHECKSUMS
 +
 +#md5:           md5 checksum
 +#sha1:          sha1 checksum
 +#sha256:        sha256 checksum
 +#sha512:        sha512 checksum
 +#rmd160:        rmd160 checksum
 +#tiger:         tiger checksum
 +#haval:         haval checksum (MHASH only)
 +#gost:          gost checksum (MHASH only)
 +#crc32:         crc32 checksum (MHASH only)
 +#whirlpool:     whirlpool checksum (MHASH only)
 +
 +# ################################ AVAILABLE RULES
 +
 +# These are the default rules
 +#R:             p+i+l+n+u+g+s+m+c+md5
 +#L:             p+i+l+n+u+g
 +#E:             Empty group
 +#>:             Growing logfile p+l+u+g+i+n+S
 +
 +# You can create custom rules - my home made rule definition goes like this 
 +ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
 +ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
 +# Everything but access time (Ie. all changes)
 +EVERYTHING = R+ALLXTRAHASHES
 +
 +# Sane, with multiple hashes
 +# NORMAL = R+rmd160+sha256+whirlpool
 +# NORMAL = R+sha256+sha512
 +NORMAL = p+i+l+n+u+g+s+m+c+sha256
 +
 +# For directories, don't bother doing hashes
 +DIR = p+i+n+u+g+acl+xattrs
 +
 +# Access control only
 +PERMS = p+i+u+g+acl
 +
 +# Logfile are special, in that they often change
 +LOG = >
 +
 +# Just do sha256 and sha512 hashes
 +FIPSR = p+i+n+u+g+s+m+c+acl+xattrs+sha256
 +LSPP = FIPSR+sha512
 +
 +# Some files get updated automatically, so the inode/ctime/mtime change
 +# but we want to know when the data inside them changes
 +DATAONLY = p+n+u+g+s+acl+xattrs+sha256
 +
 +# ################################################################ PATHS
 +
 +# Next decide what directories/files you want in the database.
 +
 +# ################################ EXCLUDED
 +
 +# ################ ETC
 +
 +# Ignore backup files
 +!/etc/.*~
 +
 +# Ignore mtab
 +!/etc/mtab
 +
 +# ################ USR
 +
 +# These are too volatile
 +!/usr/src
 +!/usr/tmp
 +
 +# ################ VAR
 +
 +# Ignore logs
 +!/var/lib/pacman/.*
 +!/var/cache/.*
 +!/var/log/.*  
 +!/var/log/aide.log
 +!/var/run/.*  
 +!/var/spool/.*
 +
 +# ################################ INCLUDED
 +
 +# ################ ETC
 +
 +# Check only permissions, inode, user and group for /etc, but cover some important files closely.
 +/etc                               PERMS
 +/etc/aliases                       FIPSR
 +/etc/at.allow                      FIPSR
 +/etc/at.deny                       FIPSR
 +/etc/audit/                        FIPSR
 +/etc/bash_completion.d/            NORMAL
 +/etc/bashrc                        NORMAL
 +/etc/cron.allow                    FIPSR
 +/etc/cron.daily/                   FIPSR
 +/etc/cron.deny                     FIPSR
 +/etc/cron.d/                       FIPSR
 +/etc/cron.hourly/                  FIPSR
 +/etc/cron.monthly/                 FIPSR
 +/etc/crontab                       FIPSR
 +/etc/cron.weekly/                  FIPSR
 +/etc/cups                          FIPSR
 +/etc/exports                       NORMAL
 +/etc/fstab                         NORMAL
 +/etc/group                         NORMAL
 +/etc/grub/                         FIPSR
 +/etc/gshadow                       NORMAL
 +/etc/hosts.allow                   NORMAL
 +/etc/hosts.deny                    NORMAL
 +/etc/hosts                         FIPSR
 +/etc/inittab                       FIPSR
 +/etc/issue                         FIPSR
 +/etc/issue.net                     FIPSR
 +/etc/ld.so.conf                    FIPSR
 +/etc/libaudit.conf                 FIPSR
 +/etc/localtime                     FIPSR
 +/etc/login.defs                    FIPSR
 +/etc/login.defs                    NORMAL
 +/etc/logrotate.d                   NORMAL
 +/etc/modprobe.conf                 FIPSR
 +/etc/nscd.conf                     NORMAL
 +/etc/pam.d                         FIPSR
 +/etc/passwd                        NORMAL
 +/etc/postfix                       FIPSR
 +/etc/profile.d/                    NORMAL
 +/etc/profile                       NORMAL
 +/etc/rc.d                          FIPSR
 +/etc/resolv.conf                   DATAONLY
 +/etc/securetty                     FIPSR
 +/etc/securetty                     NORMAL
 +/etc/security                      FIPSR
 +/etc/security/opasswd              NORMAL
 +/etc/shadow                        NORMAL
 +/etc/skel                          NORMAL
 +/etc/ssh/ssh_config                FIPSR
 +/etc/ssh/sshd_config               FIPSR
 +/etc/stunnel                       FIPSR
 +/etc/sudoers                       NORMAL
 +/etc/sysconfig                     FIPSR
 +/etc/sysctl.conf                   FIPSR
 +/etc/vsftpd.ftpusers               FIPSR
 +/etc/vsftpd                        FIPSR
 +/etc/X11/                          NORMAL
 +/etc/zlogin                        NORMAL
 +/etc/zlogout                       NORMAL
 +/etc/zprofile                      NORMAL
 +/etc/zshrc                         NORMAL
 +
 +# ################ USR
 +
 +/usr                               NORMAL
 +/usr/sbin/stunnel                  FIPSR
 +
 +# ################ VAR
 +
 +/var/log/faillog                   FIPSR
 +/var/log/lastlog                   FIPSR
 +/var/spool/at                      FIPSR
 +/var/spool/cron/root               FIPSR
 +
 +# ################ OTHERS
 +
 +/boot                              NORMAL
 +/bin                               NORMAL
 +/lib                               NORMAL
 +/lib64                             NORMAL
 +/opt                               NORMAL
 +/root                              NORMAL
 +</file>
 +
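Review bot: several rules in this aide.conf are dead or contradict each other. ''/etc/login.defs'' and ''/etc/securetty'' each appear twice (once ''FIPSR'', once ''NORMAL''); the manpage excerpt above states that matching inside a tree node is first-match, so the later ''NORMAL'' line for each path never applies and should be removed. ''ALLXTRAHASHES'' is likewise defined twice, so the first definition (with ''whirlpool'', ''haval'', ''gost'' and ''crc32'') is replaced by ''ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger''; comment the first one out to avoid confusion. In the VAR exclusions, ''!/var/log/.*'' also matches ''/var/log/faillog'' and ''/var/log/lastlog'', which are given the ''FIPSR'' rule further down; confirm with ''aide --path-check=f:/var/log/faillog'' (see the ''--help'' output in the Betrieb section) that those two files really end up in the database, or narrow the negative rule. ''!/var/log/aide.log'' does not match the report file configured here, which is ''@@{LOGDIR}/aide.log'', i.e. ''/var/log/aide/aide.log''. Finally, the comments ''#S: check for growing size'' and ''#>: Growing logfile p+l+u+g+i+n+S'' are stale: the manpage above marks ''S'' as deprecated since AIDE v0.18 and defines ''>'' as ''p+ftype+l+u+g+i+n+s+growing+X'', which is what ''LOG = >'' actually resolves to.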
 +Wie eigentlich immer bei der Konfiguration von neuen Programmen lohnt es sich die zugehörige Konfigurationsdatei - in unserem Falle von **AIDE** die **''/etc/aide.conf''** einmal komplett zu lesen! So erhält man einen  Überblick welche Einstellungsoptionen uns AIDE grundsätzlich bietet. 
 +
 +  * Die ersten Einstellungen die man sich überlegen sollte, wären wo die Datenbanken erstellt und vorgehalten werden sollen und ob diese gepackt werden sollen.
 +  * Next, decide which hash algorithms to use. With the default settings AIDE computes seven different checksums for every monitored file. Consider whether the CPU time spent on all of them is justified or whether some should be dropped for performance reasons. Two different strong digests per file, typically sha256 and sha512, are normally sufficient; md5 and sha1 are deprecated because of known collision attacks and add no security next to them.
 +  * Rule sets define which properties (attributes) of directories and/or files are monitored. The presets from the default configuration file can be adopted, or completely individual rule sets can be defined. The following attributes can be used for evaluation and monitoring:
 +    * p: file permissions of the selected files or directories.
 +    * i: inode number. Each file name has a unique inode number that should not change.
 +    * n: number of (hard) links pointing to the file.
 +    * u: owner (uid) of the file.
 +    * g: group (gid) of the file.
 +    * s: file size.
 +    * b: number of blocks used by the file.
 +    * m: modification time (mtime) of the file.
 +    * a: access time (atime) of the file.
 +    * c: inode change time (ctime) of the file, i.e. when its metadata (permissions, owner, link count, ...) last changed.
 +    * S: check for a growing file size, for files that are only ever appended to (log files).
 +    * I: ignore a changed file name. \\ The following digests can be used when computing checksums:
 +    * md5: md5 checksum (deprecated; use sha256 or sha512 instead.)
 +    * sha1: sha1 checksum (deprecated; use sha256 or sha512 instead.)
 +    * sha256: sha256 checksum 
 +    * sha512: sha512 checksum 
 +    * rmd160: rmd160 checksum 
 +    * tiger: tiger checksum 
 +    * haval: haval checksum (MHASH only)
 +    * gost: gost checksum (MHASH only) 
 +    * crc32: crc32 checksum (MHASH only) 
 +    * whirlpool: whirlpool checksum (MHASH only)
 +    * stribog256, stribog512: Stribog (GOST R 34.11-2012) checksums \\ The "MHASH only" labels stem from older AIDE documentation; the 0.18.8 reports further down show CRC32, GOST, WHIRLPOOL and STRIBOG being computed, so the build used here provides them.
 +  * Finally, decide which files and directories should be excluded, and which files and directories to monitor and to what depth. Be deliberate about exclusions: every path left out of the database (e.g. a writable directory under ''/var'') is a place where an intruder can drop files unnoticed. The **''aide.conf''** man page provides valuable and more in-depth information on this!  
 +
 +Once you are satisfied with the AIDE configuration, run a syntax check of the configuration file with the option **''%%--%%config-check''**, or **''-D''** for short, before initialising the database:
 +   # aide --config-check
 +
 +==== Operation ====
 +=== AIDE command options ===
 +Before we create the AIDE database for the first time, a quick look at the options that can be passed to **''aide''** when needed:
 +   # aide --help
 +<code>AIDE 0.18.8 
 +
 +Usage: aide [options] command
 +
 +Commands:
 +  -i, --init Initialize the database
 +  -n, --dry-init Traverse the file system and match each file against rule tree
 +  -C, --check Check the database
 +  -u, --update Check and update the database non-interactively
 +  -E, --compare Compare two databases
 +
 +Miscellaneous:
 +  -D, --config-check Test the configuration file
 +  -p FILE_TYPE:PATH --path-check=FILE_TYPE:PATH Match file type and path against rule tree
 +  -v, --version Show version of AIDE and compilation options
 +  -h, --help Show this help message
 +
 +Options:
 +  -c CFGFILE --config=CFGFILE Get config options from CFGFILE
 +  -l REGEX --limit=REGEX Limit command to entries matching REGEX
 +  -B "OPTION" --before="OPTION" Before configuration file is read define OPTION
 +  -A "OPTION" --after="OPTION" After configuration file is read define OPTION
 +  -L LEVEL --log-level=LEVEL Set log message level to LEVEL
 +  -W WORKERS --workers=WORKERS Number of simultaneous workers (threads) for file attribute processing (i.a. hashsum calculation)
 +</code>
 +
 +=== Creating the database ===
 +First we create the AIDE database according to the [[#konfiguration|parameters defined above]]. The result is written to the ''database_out'' path, here **''/var/lib/aide/aide.db.new.gz''**, and has to be moved to the ''database_in'' path, **''/var/lib/aide/aide.db.gz''**, which the subsequent checks read; a new database is never activated automatically.
 +  [django@pml010074 ~]$ sudo aide --init
 +
 +<code>Start timestamp: 2025-02-09 13:17:55 +0100 (AIDE 0.18.8)
 +AIDE successfully initialized database.
 +New AIDE database written to /var/lib/aide/aide.db.new.gz
 +
 +Number of entries: 470065
 +
 +---------------------------------------------------
 +The attributes of the (uncompressed) database(s):
 +---------------------------------------------------
 +
 +/var/lib/aide/aide.db.new.gz
 + MD5       : akLMQIg8ljGsrqITWUMmXQ==
 + SHA1      : uobft85sR3iSd/wzsu4PniRHjeM=
 + SHA256    : X5dNJKwN1CMso7uEyG3Kl0HhINFukXYU
 +             nYBsXz2aSMo=
 + SHA512    : DLG7d3whDo3s70PJZi4URK3ci/rScE9t
 +             YBrKfqpm/AjNnQywrQPv8AcjX7/TOMAH
 +             8ihTjdCy5LAD3ZlfdJYC7g==
 + RMD160    : zKkglTAFd6tCn+zxVzNTjeegJG0=
 + TIGER     : Hj2m4H+yydhksoj0wMAAE5CWQu1TqXHz
 + CRC32     : fv1+yQ==
 + WHIRLPOOL : IgsuYwxy+0OvCYShwQsQmpC/V0ibURuy
 +             +U3PpE0jtafK8ct3zRj+1wP6L8qSBecU
 +             uR+4N66Mn7NBhJl8+GkmEw==
 + GOST      : 8jdDWTrwWuHxDouI5CKySf8zrAyt5jem
 +             jUXKnFWkCeo=
 + STRIBOG256: /FuAlw3yffSGNWpoUwfKO/wgYkrbZ02U
 +             NEbUlsM1RX8=
 + STRIBOG512: c2uv2hcchsbSE681IRNXu78ntDz2ZF60
 +             XoxZNbkLev2ZUkvGPhfhxvFWomZfSXiW
 +             /fnsqLQg6W/kSikrQJrHIw==
 +
 +
 +End timestamp: 2025-02-09 13:22:34 +0100 (run time: 4m 39s)
 +</code>
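The block headed "The attributes of the (uncompressed) database(s)" is what lets you pin a baseline: record those values off-host at ''%%--%%init'' time and refuse to run a check whose database no longer matches them. The following Python script is an added example, not part of AIDE or of this page's configuration. It recomputes the MD5/SHA1/SHA256/SHA512 values in the same base64 notation AIDE prints, hashing the uncompressed content of a gzip database as AIDE does, so that a copy stored elsewhere can be compared against the report. The sample database content and the temporary file it writes are constructed for the example.

```python
"""Recompute the "attributes of the (uncompressed) database" that AIDE prints
after --init/--check, in AIDE's own base64 notation, so that a database copy
can be pinned and verified before it is used for a check.

Added example, not part of AIDE or of this page's configuration. The sample
database content, the temporary file and the algorithm list are assumptions.
"""
import base64
import gzip
import hashlib
import os
import tempfile

# Digests AIDE reports for the database that hashlib provides everywhere.
# TIGER, WHIRLPOOL, GOST and STRIBOG also appear in the report above but are
# not in hashlib's guaranteed set, so they are left out here.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Constructed stand-in for a database; a real one is AIDE's own text format.
SAMPLE_DB = b"@@db_spec name lname attr perm\n/usr/bin/sg sg 0 0100755\n"


def aide_hashes(data: bytes) -> dict:
    """Return {algorithm: digest} with digests base64-encoded as in AIDE reports."""
    return {
        name: base64.b64encode(hashlib.new(name, data).digest()).decode("ascii")
        for name in ALGORITHMS
    }


def database_hashes(path: str) -> dict:
    """Hash the uncompressed database: AIDE reports the attributes of the
    uncompressed data even when database_out points at a .gz file."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] == b"\x1f\x8b":  # gzip magic number
        raw = gzip.decompress(raw)
    return aide_hashes(raw)


def verify_database(path: str, pinned: dict) -> bool:
    """True only if every pinned digest matches the file. A check should be
    refused (and alerted on) otherwise, since the baseline itself may have
    been replaced; an empty pin set never verifies."""
    actual = database_hashes(path)
    return bool(pinned) and all(actual.get(alg) == d for alg, d in pinned.items())


def make_sample_database() -> str:
    """Write SAMPLE_DB gzip-compressed to a temp file and return its path
    (stands in for /var/lib/aide/aide.db.new.gz)."""
    fd, path = tempfile.mkstemp(suffix=".aide.db.gz")
    with os.fdopen(fd, "wb") as fh:
        fh.write(gzip.compress(SAMPLE_DB))
    return path


if __name__ == "__main__":
    db = make_sample_database()
    pinned = aide_hashes(SAMPLE_DB)   # the values you would record at --init time
    for alg, digest in pinned.items():
        print(f" {alg.upper():10}: {digest}")
    print("database verified:", verify_database(db, pinned))
    os.unlink(db)
```

Run it against ''/var/lib/aide/aide.db.gz'' with the digests copied from the ''%%--%%init'' report and the two should agree line for line; a mismatch before a scheduled check is itself an incident, not a reason to re-initialise.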
 +
 +=== Positive check of the file system against the database ===
 +With the option **''%%--%%check''** or **''-C''** we can now verify the file system against the previously created AIDE database.
 +  [django@pml010074 ~]$ sudo aide --check
 +<code>Start timestamp: 2025-02-09 16:47:30 +0100 (AIDE 0.18.8)
 +AIDE found NO differences between database and filesystem. Looks okay!!
 +
 +Number of entries: 470065
 +
 +---------------------------------------------------
 +The attributes of the (uncompressed) database(s):
 +---------------------------------------------------
 +
 +/var/lib/aide/aide.db.gz
 + MD5       : jyY8ktcG+E5Kq0AtGA5YGQ==
 + SHA1      : KogexIU6LuOslIB81mGvMSL1rYo=
 + SHA256    : QyabDWuO37ZO+xzXmPF28qT7t5WJdSB2
 +             EwwNVmU1Rlc=
 + SHA512    : LrcRp1//aeMxufbKBbodCM1YA0NU5EtP
 +             QdriP1Uh+A7qFULU4WjK9qolnNfZLuDY
 +             kIPg9LY+g0q1j75Z44T1dA==
 + RMD160    : 51KDSlTiMtIXqe+VQ6A3pDN/uZ8=
 + TIGER     : 8A61b3JqbPNltkAPxvVgQ7UON2AlRn3q
 + CRC32     : IpaktA==
 + WHIRLPOOL : dcQVsfrdV7TGbpAyhNATDGFQ8c7mBG4O
 +             cX7ZufgFpa8seOIs+gyWHjeWUq4FCsk4
 +             U0qZ+Ela67DDrsVkN5xGCA==
 + GOST      : ltIg5YJ+6BFVE5kbORVh3gRGbwJ4EP0/
 +             8iJY8o51fUo=
 + STRIBOG256: lmE/qdAVUeE4zEbd7WBISCDXWsUb1bGJ
 +             FxSlN0RABQ4=
 + STRIBOG512: Ox8c77PeIe0dCgFLPawLqWYzMK/9inc4
 +             FPH6aHMBchh4ctW71d4wZwy3/f42ZUG6
 +             xz7VX4MQ+X0SFz28//jSsg==
 +
 +
 +End timestamp: 2025-02-09 16:53:10 +0100 (run time: 5m 40s)
 +</code>
 +
 +The line:
 +  AIDE found NO differences between database and filesystem. Looks okay!!
 +tells us that nothing covered by the rule set has changed on the system since the database was built.
 +
 +=== Negative check of the file system against the database ===
 +In the next example we "compromise" our system by creating a supposedly malicious clone of an existing binary:
 +   # cp /usr/bin/sg /usr/bin/sg_evil_copy
 +
 +If we run the check again, the new, unknown file should be detected.
 +  [django@pml010074 ~]$ sudo aide --check
 +
 +<code>Start timestamp: 2025-02-09 18:09:12 +0100 (AIDE 0.18.8)
 +AIDE found differences between database and filesystem!!
 +
 +Summary:
 +  Total number of entries: 470065
 +  Added entries: 1
 +  Removed entries: 1
 +  Changed entries: 5
 +
 +---------------------------------------------------
 +Added entries:
 +---------------------------------------------------
 +
 +f+++++++++++++++: /usr/bin/sg_evil_copy
 +
 +---------------------------------------------------
 +Removed entries:
 +---------------------------------------------------
 +
 +f---------------: /root/.cache/vim/swap/%etc%aide.conf.swp
 +
 +---------------------------------------------------
 +Changed entries:
 +---------------------------------------------------
 +
 +d = ... mc..    : /root
 +d < ... mc..    : /root/.cache/vim/swap
 +f > ... mci.H   : /root/.lesshst
 +f < ... mci.H   : /root/.viminfo
 +d > ... mc..    : /usr/bin
 +
 +---------------------------------------------------
 +Detailed information about changes:
 +---------------------------------------------------
 +
 +Directory: /root
 + Mtime     : 2025-02-09 13:17:48 +0100        | 2025-02-09 18:04:06 +0100
 + Ctime     : 2025-02-09 13:17:48 +0100        | 2025-02-09 18:04:06 +0100
 +
 +Directory: /root/.cache/vim/swap
 + Size      : 36                               | 0
 + Mtime     : 2025-02-09 15:17:08 +0100        | 2025-02-09 17:54:25 +0100
 + Ctime     : 2025-02-09 15:17:08 +0100        | 2025-02-09 17:54:25 +0100
 +
 +File: /root/.lesshst
 + Size      : 108                              | 120
 + Mtime     : 2024-07-23 20:50:00 +0200        | 2025-02-09 18:04:06 +0100
 + Ctime     : 2024-07-23 20:50:00 +0200        | 2025-02-09 18:04:06 +0100
 + Inode     : 1333674                          | 3542013
 + SHA256    : zZOZrRdXCuRtg037QvYWyDbVy3t4W6R7 | n7A97JsrI0Va3lyGTzpL/t81Xvml/inc
 +             LwOxBOqzgkg=                     | hA9gyl3LPc0=
 +
 +File: /root/.viminfo
 + Size      : 12742                            | 12357
 + Mtime     : 2025-02-09 13:17:48 +0100        | 2025-02-09 17:54:25 +0100
 + Ctime     : 2025-02-09 13:17:48 +0100        | 2025-02-09 17:54:25 +0100
 + Inode     : 3541891                          | 3542007
 + SHA256    : mQ8jfMRnqAgFqRmkIexg3hOniGUoY9wm | G0AtQsaESSv2s6mnrPFYR+eIDXkR/G/9
 +             gGpvrhaO6ZY=                     | Ft44RhULh+Q=
 +
 +Directory: /usr/bin
 + Size      : 65822                            | 65846
 + Mtime     : 2025-02-09 13:15:53 +0100        | 2025-02-09 18:05:16 +0100
 + Ctime     : 2025-02-09 13:15:53 +0100        | 2025-02-09 18:05:16 +0100
 +
 +
 +---------------------------------------------------
 +The attributes of the (uncompressed) database(s):
 +---------------------------------------------------
 +
 +/var/lib/aide/aide.db.gz
 + MD5       : jyY8ktcG+E5Kq0AtGA5YGQ==
 + SHA1      : KogexIU6LuOslIB81mGvMSL1rYo=
 + SHA256    : QyabDWuO37ZO+xzXmPF28qT7t5WJdSB2
 +             EwwNVmU1Rlc=
 + SHA512    : LrcRp1//aeMxufbKBbodCM1YA0NU5EtP
 +             QdriP1Uh+A7qFULU4WjK9qolnNfZLuDY
 +             kIPg9LY+g0q1j75Z44T1dA==
 + RMD160    : 51KDSlTiMtIXqe+VQ6A3pDN/uZ8=
 + TIGER     : 8A61b3JqbPNltkAPxvVgQ7UON2AlRn3q
 + CRC32     : IpaktA==
 + WHIRLPOOL : dcQVsfrdV7TGbpAyhNATDGFQ8c7mBG4O
 +             cX7ZufgFpa8seOIs+gyWHjeWUq4FCsk4
 +             U0qZ+Ela67DDrsVkN5xGCA==
 + GOST      : ltIg5YJ+6BFVE5kbORVh3gRGbwJ4EP0/
 +             8iJY8o51fUo=
 + STRIBOG256: lmE/qdAVUeE4zEbd7WBISCDXWsUb1bGJ
 +             FxSlN0RABQ4=
 + STRIBOG512: Ox8c77PeIe0dCgFLPawLqWYzMK/9inc4
 +             FPH6aHMBchh4ctW71d4wZwy3/f42ZUG6
 +             xz7VX4MQ+X0SFz28//jSsg==
 +
 +
 +End timestamp: 2025-02-09 18:15:03 +0100 (run time: 5m 51s)
 +</code>
 +
 +The summary shows 470,065 database entries in total, of which one was added, one removed and five changed:
 +  Total number of entries: 470065
 +  Added entries: 1
 +  Removed entries: 1
 +  Changed entries: 5
 +
 +The file **''/usr/bin/sg_evil_copy''** is new, and the vim swap file **''/root/.cache/vim/swap/%etc%aide.conf.swp''** has been removed. The five changed entries are side effects of the admin's own work on the host (editing ''/etc/aide.conf'' with vim, viewing files with less) and of the copy itself: the mtime and ctime of ''/usr/bin'' changed because a directory entry was added. They show why every changed entry has to be read and accounted for, not only the added ones.
 +
 +In the **''Changed entries''** section we see:
 +<code>d = ... mc..    : /root
 +d < ... mc..    : /root/.cache/vim/swap
 +f > ... mci.H   : /root/.lesshst
 +f < ... mci.H   : /root/.viminfo
 +d > ... mc..    : /usr/bin</code>
 +  * The first column gives the type of the entry: **''d''** for a directory and **''f''** for a regular file.
 +  * The second column shows whether the size changed: **''=''** means unchanged, **''>''** that the entry grew and **''<''** that it shrank.
 +  * Each following position stands for one attribute; a **''.''** means the attribute did not change, the attribute's letter means it did:
 +    * **''l''** the link name changed.
 +    * **''b''** the block count changed.
 +    * **''p''** the permissions changed.
 +    * **''u''** the uid changed.
 +    * **''g''** the gid changed.
 +    * **''a''** the access time (atime) changed.
 +    * **''m''** the modification time (mtime) changed.
 +    * **''c''** the inode change time (ctime) changed.
 +    * **''i''** the inode number changed.
 +    * **''n''** the link count changed.
 +    * **''H''** one or more checksums changed.
 +  * The following letters are only available if the corresponding support was enabled at build time (''configure''):
 +    * **''A''** the access control list (ACL) changed.
 +    * **''X''** the extended attributes changed.
 +    * **''S''** the SELinux attributes changed.
 +    * **''E''** the ext2/3/4 file attributes (the ''chattr'' flags) changed.
 +    * **''C''** the file capabilities changed.
 +
 +For **''/root/.lesshst''** the entry reads **''mci.H''**: the inode and the checksum changed, which means the file was replaced by a new one rather than modified in place. For a binary under ''/usr/bin'' that combination, or a bare **''H''** with all timestamps unchanged (a content swap with preserved mtime), is the pattern to treat as a compromise until proven otherwise.
 +
 +The **''Detailed information about changes:''** section then shows the detailed information on each change.
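To act on the summary lines rather than read them by eye, the following Python script is an added example (not AIDE code) that parses the entries shown above and ranks them: an added, removed or re-hashed entry under a system path such as ''/usr/bin'' is flagged high, directory-timestamp noise there medium, and the operator's own traces under ''/root'' low. ''SAMPLE_REPORT'' reproduces the summary lines from the report above; ''CRITICAL_ROOTS'' is an assumed triage policy, not something AIDE defines.

```python
"""Parse the summary lines of an AIDE report ("Added", "Removed" and
"Changed entries") and rank each entry by how alarming it is.

Added example, not code from AIDE. SAMPLE_REPORT reproduces the summary
lines of the report above; CRITICAL_ROOTS is an assumed triage policy.
"""
import re
from dataclasses import dataclass, field

# Attribute letters used in the summary columns (see the list above).
ATTRIBUTE_NAMES = {
    "l": "link name", "b": "block count", "p": "permissions", "u": "uid",
    "g": "gid", "a": "atime", "m": "mtime", "c": "ctime", "i": "inode",
    "n": "link count", "H": "checksum", "A": "ACL", "X": "xattr",
    "S": "SELinux context", "E": "e2fs attributes", "C": "capabilities",
}

# Assumed policy: new, removed or re-hashed content here is a potential compromise.
CRITICAL_ROOTS = ("/usr/bin", "/usr/sbin", "/usr/lib", "/etc", "/boot")

# Copied from the report above (constructed sample input).
SAMPLE_REPORT = """\
Added entries:
f+++++++++++++++: /usr/bin/sg_evil_copy
Removed entries:
f---------------: /root/.cache/vim/swap/%etc%aide.conf.swp
Changed entries:
d = ... mc..    : /root
d < ... mc..    : /root/.cache/vim/swap
f > ... mci.H   : /root/.lesshst
f < ... mci.H   : /root/.viminfo
d > ... mc..    : /usr/bin
"""

# type letter, attribute columns up to the colon, then the path
_LINE = re.compile(r"^(?P<kind>[fdlcbps])(?P<cols>[^:]*):\s(?P<path>/.*)$")


@dataclass
class Entry:
    kind: str                 # f regular file, d directory, l symlink, ...
    status: str               # added | removed | changed
    path: str
    size: str = "."           # = unchanged, > grown, < shrunk, . not compared
    changed: set = field(default_factory=set)   # attribute letters that changed


def parse_summary_line(line: str):
    """Return an Entry for a summary line, None for any other report line."""
    m = _LINE.match(line.rstrip())
    if not m:
        return None
    kind, cols, path = m["kind"], m["cols"], m["path"]
    marks = set(cols.strip())
    if marks == {"+"}:                       # f+++++++++++++++: added
        return Entry(kind, "added", path)
    if marks == {"-"}:                       # f---------------: removed
        return Entry(kind, "removed", path)
    stripped = cols.strip()
    size = stripped[0] if stripped and stripped[0] in "=<>" else "."
    return Entry(kind, "changed", path, size,
                 {c for c in cols if c in ATTRIBUTE_NAMES})


def parse_report(text: str) -> list:
    return [e for e in map(parse_summary_line, text.splitlines()) if e is not None]


def is_critical(path: str) -> bool:
    return any(path == r or path.startswith(r + "/") for r in CRITICAL_ROOTS)


def severity(entry: Entry) -> str:
    """high: new/removed/replaced content or ownership, permission or
    capability change under a critical root; medium: other metadata noise
    there (e.g. a directory mtime after a package install); low: the rest,
    which still has to be read."""
    critical = is_critical(entry.path)
    if critical and (entry.status != "changed"
                     or entry.changed & {"H", "i", "p", "u", "g", "C"}):
        return "high"
    if critical:
        return "medium"
    return "low"


def triage(text: str) -> list:
    """Return (severity, path, description) tuples, most alarming first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = []
    for e in parse_report(text):
        if e.status == "changed":
            what = ", ".join(ATTRIBUTE_NAMES[c]
                             for c in sorted(e.changed, key=list(ATTRIBUTE_NAMES).index))
            desc = f"changed ({what}; size {e.size})"
        else:
            desc = e.status
        rows.append((severity(e), e.path, desc))
    return sorted(rows, key=lambda r: order[r[0]])


if __name__ == "__main__":
    for sev, path, desc in triage(SAMPLE_REPORT):
        print(f"{sev:6} {path}: {desc}")
```

Feeding ''aide %%--%%check'' output into ''triage()'' puts ''/usr/bin/sg_evil_copy'' at the top as "high", the ''/usr/bin'' directory as "medium" and the four ''/root'' entries as "low"; the same parser can drive a journal or mail alert that distinguishes a trojaned binary from an admin's editor history.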
 +
 +=== Updating the database ===
 +After changes to the system, e.g. configuration changes, package updates or new installations, the database must be updated, but only after the report has been reviewed and every change has been accounted for: an update run blindly would whitelist an attacker's changes as the new baseline. The option **''%%--%%update''** or **''-u''** is available for this.
 +   $ sudo aide --update
 +
 +Alternatively the database can simply be re-initialised:
 +   $ sudo aide --init
 +
 +**''aide %%--%%update''** essentially combines a check and the initialisation of a new database. Its advantage over separate **''%%--%%check''** and **''%%--%%init''** runs is that the report and the new database are always based on the same file system state. In both cases the new database lands in **''/var/lib/aide/aide.db.new.gz''** and has to be moved over **''/var/lib/aide/aide.db.gz''** before the next check uses it.
 +
 +Another approach would be an **''%%--%%init''** followed by a **''%%--%%compare''**, but note that not all attributes (namely "growing" and "compressed") are supported in compare mode.
 +
 +=== Enabling daily checks ===
 +Recurring daily checks are best run through the systemd **''aidecheck.timer''** shipped with the package. To activate the timed checks we use the following command:
 +
 +  [django@pml010074 ~] $ sudo systemctl enable --now aidecheck.timer
 +
 +  Created symlink '/etc/systemd/system/multi-user.target.wants/aidecheck.timer' → '/usr/lib/systemd/system/aidecheck.timer'.
 +
 +The status can be queried via **''systemctl''** as usual:
 +  [django@pml010074 ~] $ sudo systemctl status aidecheck.timer 
 +<html><pre class="code">
 +<font style="color: rgb(29, 180, 29)"><b>●</b></font> aidecheck.timer - Aide check every day at 5AM
 +     Loaded: loaded (/usr/lib/systemd/system/aidecheck.timer; <font style="color: rgb(29, 180, 29)"><b>enabled</b></font>; preset: <font style="color: rgb(201, 214, 95)"><b>disabled</b></font>)
 +     Active: <font style="color: rgb(29, 180, 29)"><b>active (running)</b></font> since Sun 2025-02-09 13:47:17 CET; 49min ago
 + Invocation: 9eb7be3eccc043be82f4dd4e9b5b72ed
 +    Trigger: Mon 2025-02-10 05:00:00 CET; 14h left
 +   Triggers: ● aidecheck.service
 +
 +Feb 09 13:47:17 pml010074 systemd[1]: Started Aide check every day at 5AM.
 +</pre>
 +</html>
 +
 +=== journald (daily) logs ===
 +In the configuration file **''/etc/aide.conf''** we define that the AIDE reports are, in addition to stdout, also sent to syslog with the ''LOG_AUTH'' facility and thus end up in the journal:
 +
 +   # vim /etc/aide.conf
 +<code>...
 +
 +# Default
 +log_level=warning
 +report_level=changed_attributes
 +report_url=stdout
 +report_url=syslog:LOG_AUTH
 +
 +...</code>
 +
 +This lets us print AIDE's log entries directly from the journal:
 +   # journalctl -f /usr/bin/aide
 +++++ AIDE log entries in the journal |
 +<code>Mar 14 16:20:38 pml010070 aide[102360]: Start timestamp: 2025-03-14 16:18:57 +0100 (AIDE 0.18.8)
 +Mar 14 16:20:38 pml010070 aide[102360]: AIDE successfully initialized database.
 +Mar 14 16:20:38 pml010070 aide[102360]: New AIDE database written to /var/lib/aide/pml010070.aide-database
 +Mar 14 16:20:38 pml010070 aide[102360]: 
 +                                        Number of entries:        415354
 +Mar 14 16:20:38 pml010070 aide[102360]: 
 +                                        
 +                                        ---------------------------------------------------
 +                                        The attributes of the (uncompressed) database(s):
 +                                        ---------------------------------------------------
 +Mar 14 16:20:38 pml010070 aide[102360]: 
 +Mar 14 16:20:38 pml010070 aide[102360]: /var/lib/aide/pml010070.aide-database
 +Mar 14 16:20:38 pml010070 aide[102360]:  MD5       : cKcw5jV3zJWP6TMJeRZrWA==
 +Mar 14 16:20:38 pml010070 aide[102360]:  SHA1      : WigC6cPTyrQRFNIhCwKpZqfKm4w=
 +Mar 14 16:20:38 pml010070 aide[102360]:  SHA256    : WGSt7wa0Hg5muPhyqm7djZ2hFEpOuxAb
 +Mar 14 16:20:38 pml010070 aide[102360]:              fbIgEeDhb2E=
 +Mar 14 16:20:38 pml010070 aide[102360]:  SHA512    : U1ybuczO4cQuiNQeaC/+ifx2A35LN12P
 +Mar 14 16:20:38 pml010070 aide[102360]:              khwMFF0cow+EJBgpU/rgPWZ1pHT0R/ft
 +Mar 14 16:20:38 pml010070 aide[102360]:              sqVmFI2kYXTTZVgMC/6exg==
 +Mar 14 16:20:38 pml010070 aide[102360]:  RMD160    : mlbLBlEUShR/TiPhGrfFHxargCg=
 +Mar 14 16:20:38 pml010070 aide[102360]:  TIGER     : RwucrlxNyW0VQZLxlPZcgwK9E1V1AE5E
 +Mar 14 16:20:38 pml010070 aide[102360]:  CRC32     : DBPsjQ==
 +Mar 14 16:20:38 pml010070 aide[102360]:  WHIRLPOOL : Ae/6G8dKIlhG3LWIhPPQIoX/Ft2s6IwZ
 +Mar 14 16:20:38 pml010070 aide[102360]:              VM43NRfO1t8P9+kjyHO3B4ix4QPSlT8C
 +Mar 14 16:20:38 pml010070 aide[102360]:              3u81OG360J1VWXK7IynzLA==
 +Mar 14 16:20:38 pml010070 aide[102360]:  GOST      : ZmqxZHVeDyiJIR1mzgTvleoetI9fYn77
 +Mar 14 16:20:38 pml010070 aide[102360]:              gU7jrp4K9d0=
 +Mar 14 16:20:38 pml010070 aide[102360]:  STRIBOG256: hAF0w3sUx7G5a16cg96B6aUI3ig8BB+2
 +Mar 14 16:20:38 pml010070 aide[102360]:              qAf4Fd3/X+c=
 +Mar 14 16:20:38 pml010070 aide[102360]:  STRIBOG512: vLDF/5VqfXyLeuDt6Yj2LfrBVBYamJwn
 +Mar 14 16:20:38 pml010070 aide[102360]:              dMHKJrrKaXNlY2Y/TVwtnb6bNnpNz9YO
 +Mar 14 16:20:38 pml010070 aide[102360]:              Xs0mvlY+fXVlKPiEzKQvQg==
 +Mar 14 16:20:38 pml010070 aide[102360]: 
 +                                        
 +                                        End timestamp: 2025-03-14 16:20:38 +0100 (run time: 1m 41s)
 +
 +</code>
 +++++   
 +===== Orchestration - installing and configuring AIDE with Ansible  =====
 +==== Task ====
 +In 2025 nobody will seriously want to set up and operate servers by hand any more; instead an orchestration tool such as **[[linux:ansible:start|Ansible]]** is used. Whether we set up a new virtual server under Arch Linux or update the configuration of an existing host, we use [[https://www.ansible.com/|Ansible]] as the orchestration tool, as already touched on above. This ensures that all our hosts are built, configured and operated in the same way, so there will be no hand-crafted one-off solutions. 
 +
 +In this configuration example we assume that AIDE is to be installed and configured on two hosts in the intranet. We fetch the AIDE package from an internal repository/mirror server, on which we will also store the generated AIDE databases. The baseline is thus kept off the monitored hosts: should an intruder on one of these machines try to cover their tracks by manually updating the local AIDE database, the next check still runs against the copy held on the repository server, which is fetched (via Ansible's **''get_url''**) before each check and used to verify the file system. This only holds as long as the repository server itself and the transfer to the hosts are protected from tampering and the monitored hosts cannot overwrite the stored databases; otherwise the attacker simply updates the remote copy instead.  
 +
 +Below we look at the server installation and configuration in detail. 
 +
 +==== Solution ====
 +
 +<WRAP center round tip 80%>
 +The impatient reader can skip the manual creation of the inventory skeleton, the playbook and the associated role and get all of this done in one go with the following command:
 +
 +<code> $ mkdir -p ~/devel/ansible ; wget https://gitlab.nausch.org/django/example_aide/-/archive/main/example_aide-main.tar.gz \
 +         -O - | tar -xz --strip-components=1 -C ~/devel/ansible</code>
 +
 +After adjusting the data in the inventory you can then proceed directly **[[#ausfuehrung_-_playbooklauf|to running the playbook]]**.
 +</WRAP>
 +
 +=== Preparation - data in the inventory ===
 +In this configuration example we assume the following parameters:
 +  * **''group: arch''**
 +  * **''hostname: pml010070''** 
 +  * **''hostname: pml010074''** 
 +
 +The configuration file of our **inventory** in our Ansible directory therefore contains, among other things:
 +   $ vim inventories/production/hosts
 +++++ inventories/production/hosts |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/inventories/production/hosts  }}
 +++++
 +
 +For all hosts in the group **''arch''** we now define a file with the definitions of this group's variables.
 +   $ vim inventories/production/group_vars/arch/aide
 +++++ inventories/production/group_vars/arch/aide |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/inventories/production/group_vars/arch/aide  }}
 +++++
 +
 +The two example hosts in the group **''arch''** of this inventory represent the following two nodes. 
 +  * The host **''pml010070''** stands for a client in the intranet. Its inventory file **''inventories/production/host_vars/pml010070''** contains the data describing it.
 +  * The host **''pml010074''** stands for a second client in the intranet. Its inventory file **''inventories/production/host_vars/pml010074''** contains the data describing it.
 +
 +So we now create the definition files for the two hosts in the SOHO.
 +   $ vim inventories/production/host_vars/pml010070
 +++++ inventories/production/host_vars/pml010070 |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/inventories/production/host_vars/pml010070  }}
 +++++
 +
 +   $ vim inventories/production/host_vars/pml010074
 +++++ inventories/production/host_vars/pml010074 |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/inventories/production/host_vars/pml010074  }}
 +++++
 +
 +Our example inventory now has the following structure:
 +<code>inventories/production/
 +├── group_vars
 +│   └── arch
 +│       └── aide
 +├── hosts
 +└── host_vars
 +    ├── pml010070
 +    └── pml010074
 +
 +4 directories, 4 files</code>
 +
 +=== Role ===
 +For installing and configuring **aide** we use a dedicated role **''hids''**, which we will later simply call from the playbook. To start, we copy the template role **''common''**.
 +   $ cp -avr roles/common/ roles/hids
 +++++ Output of cp -avr roles/common/ roles/hids |
 +<code>'roles/common/' -> 'roles/hids'
 +'roles/common/defaults' -> 'roles/hids/defaults'
 +'roles/common/defaults/.gitkeep' -> 'roles/hids/defaults/.gitkeep'
 +'roles/common/files' -> 'roles/hids/files'
 +'roles/common/files/.gitkeep' -> 'roles/hids/files/.gitkeep'
 +'roles/common/handlers' -> 'roles/hids/handlers'
 +'roles/common/handlers/.gitkeep' -> 'roles/hids/handlers/.gitkeep'
 +'roles/common/library' -> 'roles/hids/library'
 +'roles/common/library/.gitkeep' -> 'roles/hids/library/.gitkeep'
 +'roles/common/lookup_plugins' -> 'roles/hids/lookup_plugins'
 +'roles/common/lookup_plugins/.gitkeep' -> 'roles/hids/lookup_plugins/.gitkeep'
 +'roles/common/meta' -> 'roles/hids/meta'
 +'roles/common/meta/.gitkeep' -> 'roles/hids/meta/.gitkeep'
 +'roles/common/module_utils' -> 'roles/hids/module_utils'
 +'roles/common/module_utils/.gitkeep' -> 'roles/hids/module_utils/.gitkeep'
 +'roles/common/tasks' -> 'roles/hids/tasks'
 +'roles/common/tasks/main.yml' -> 'roles/hids/tasks/main.yml'
 +'roles/common/templates' -> 'roles/hids/templates'
 +'roles/common/templates/.gitkeep' -> 'roles/hids/templates/.gitkeep'
 +'roles/common/vars' -> 'roles/hids/vars'
 +'roles/common/vars/.gitkeep' -> 'roles/hids/vars/.gitkeep'
 +</code>
 +++++
 +
 +If required, we can later display the structure created this way, which we are now going to fill with content, using the following command.
 +   $ tree roles/hids/
 +++++ Output of tree roles/hids/ |
 +<code>roles/hids/
 +├── defaults
 +├── files
 +├── handlers
 +│   └── main.yml
 +├── library
 +├── lookup_plugins
 +├── meta
 +├── module_utils
 +├── tasks
 +│   ├── config.yml
 +│   ├── install.yml
 +│   ├── main.yml
 +│   └── transfer.yml
 +├── templates
 +│   ├── aide_config.j2
 +│   └── systemd.j2
 +└── vars
 +
 +11 directories, 7 files
 +</code>
 +++++
 +== tasks ==
 +As we can see, the role is quite manageable: in **''main.yml''** we merely reference the actual task files **''install''**, **''config''** and **''transfer''**.
 +   $ vim roles/hids/tasks/main.yml
 +++++ roles/hids/tasks/main.yml |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/roles/hids/tasks/main.yml }}
 +++++
 +
 +The installation of AIDE is done in the first task group, tagged **''install''**. The group variables of **''arch''** define the version number **''aide_version''** as well as the location **''aide_repo''**, i.e. the internal repository/mirror server from which we fetch the aide package for installation. Because the version is pinned in the inventory, a different package on the mirror can only reach the hosts through a deliberate inventory change, not as silent drift.
 +   $ vim roles/hids/tasks/install.yml
 +++++ roles/hids/tasks/install.yml |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/roles/hids/tasks/install.yml }}
 +++++
 +
 +The actual configuration, as well as the creation of the initial AIDE database, is done in the subsequent task file **''config''**.
 +   $ vim roles/hids/tasks/config.yml
 +++++ roles/hids/tasks/config.yml |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/roles/hids/tasks/config.yml }}
 +++++
 +
 +What is still missing is copying the created AIDE database to our internal repository/mirror server, which is done in the last task file **''transfer''**. The internal repository server is addressed via the host alias **''repo''**!
 +   $ vim roles/hids/tasks/transfer.yml
 +++++ roles/hids/tasks/transfer.yml |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/roles/hids/tasks/transfer.yml }}
 +++++
 +
 +== templates ==
 +To create the AIDE configuration file **''/etc/aide.conf''** and the systemd timer definition for AIDE, **''/etc/systemd/system/aidecheck.timer.d/override.conf''** (i.e. when exactly the check of the system against the database is to run), we need one **[[https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_templating.html|Jinja2]]** template each. With these two templates, **''aide_config.j2''** and **''systemd.j2''**, and the loop definitions they contain, the required configuration files are generated from the data in the inventory.
 +
 +<WRAP center round tip 80%>
 +So that later not all of our 42 VMs start checking their systems at the same moment, causing an avoidable peak on our repository/mirror server and on the respective virtualisation hosts, the start times of the individual hosts have to be spread out. Of course we do not want to produce different random values on every run of the playbook either, which would defeat the idea of idempotence. We therefore derive the minute from the host name used as seed: a value that differs between hosts but stays the same for a given host. For this we use the Ansible expression **''%%{{%% 59 |random(seed=inventory_hostname) %%}}%%''**. Note that Ansible's ''random'' filter, like Python's ''randrange'', excludes the upper bound, so ''59 | random'' yields minutes **''00''** to **''58''**; use ''60 | random(seed=inventory_hostname)'' if the full range up to **''59''** is wanted. All system checks will therefore later run in the window **''05:00:00 - 05:59:00''**.
 +</WRAP>
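As an added illustration, not part of the role above, the following Python script reproduces the seeded minute and renders the matching systemd drop-in. It assumes that Ansible's ''random'' filter with a seed is ''random.Random(seed).randrange(0, end)'', so the numbers match what the template produces for the same host name, and that the drop-in only needs to clear and re-set ''OnCalendar'' of the packaged ''aidecheck.timer''; both are assumptions of this example.

```python
"""Derive a stable per-host minute for the aidecheck timer, the way the
Jinja2 expression {{ 59 | random(seed=inventory_hostname) }} does, and render
the matching systemd override.

Added example, not part of the page's Ansible role. It assumes Ansible's
`random` filter with a seed is random.Random(seed).randrange(0, end); the
drop-in layout is an assumption about the packaged aidecheck.timer.
"""
import random


def staggered_minute(hostname: str, end: int = 60) -> int:
    """Same host name -> same minute on every run (idempotent). randrange
    excludes `end`, so `59 | random` yields 0..58 and `60 | random` 0..59."""
    return random.Random(hostname).randrange(0, end)


def schedule(hostnames, end: int = 60) -> dict:
    """Minute per host; collisions are possible and harmless, the goal is
    spreading, not uniqueness."""
    return {h: staggered_minute(h, end) for h in hostnames}


def timer_override(hostname: str, hour: int = 5) -> str:
    """Drop-in for /etc/systemd/system/aidecheck.timer.d/override.conf. The
    empty OnCalendar= line clears the packaged 05:00 value before ours is set
    (assumed structure of the packaged timer)."""
    minute = staggered_minute(hostname)
    return (
        "[Timer]\n"
        "OnCalendar=\n"
        f"OnCalendar=*-*-* {hour:02d}:{minute:02d}:00\n"
    )


if __name__ == "__main__":
    # the two hosts from the inventory above
    for host, minute in schedule(["pml010070", "pml010074"]).items():
        print(f"{host}: 05:{minute:02d}")
    print(timer_override("pml010070"))
```

Running ''schedule()'' over the whole inventory before a rollout shows the resulting distribution; with ''end=59'' minute 59 never appears, which is the off-by-one mentioned in the tip above.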
 +
 +   $ vim roles/hids/templates/aide_config.j2
 +++++ roles/hids/templates/aide_config.j2 |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/roles/hids/templates/aide_config.j2 }}
 +++++
 +
 +   $ vim roles/hids/templates/systemd.j2
 +++++ roles/hids/templates/systemd.j2 |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/roles/hids/templates/systemd.j2 }}
 +++++
 +
 +== handlers ==
 +If the host-specific systemd timer configuration file **''/etc/systemd/system/aidecheck.timer.d/override.conf''** is changed while the playbook runs, systemd naturally has to be told to reload its unit definitions. For this we use **[[https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_handlers.html|Ansible Playbook Handlers]]**. The handler is triggered via **''notify''** from the tasks that create the **''aidecheck.timer.d/override.conf''** configuration file, but only if the file actually changed. 
 +
 +Finally, we need the definition of the tasks that are to be run on a **''notify''**.
 +   $ vim roles/hids/handlers/main.yml
 +++++ roles/hids/handlers/main.yml |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/roles/hids/handlers/main.yml }}
 +++++
 +
 +
 +=== Playbook ===
 +Our playbook for installing and configuring our AIDE-based HIDS is, as always, lean, unobtrusive and unspectacular, but it contains notes on its purpose and on how to invoke it.
 +   $ vim playbooks/arch_hids.yml
 +++++ playbooks/arch_hids.yml |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/playbooks/arch_hids.yml }}
 +++++
 +
 +
 +
 +=== Execution - playbook run ===
 +From now on the orchestrated variant of installing and configuring **AIDE** is very simple: we merely have to store and maintain the configuration values in the inventory and finally run the playbook, for example after intended changes were made to a system by an admin or by one of the Ansible playbooks. Since every run rebuilds the baseline database, run it only after the previous AIDE report has been reviewed; otherwise an unexplained change is baked into the new baseline. 
 +
 +In the following example we install AIDE on the host **''pml010070''**:
 +   $ ansible-playbook playbooks/arch_hids.yml --limit pml010070
 +
 +<html><pre class="code">
 +<font style="color: rgb(0, 0, 0)">[14:38:36] Gathering Facts</font>
 +<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 1.18s</font>
 +<font style="color: rgb(0, 0, 0)">[14:38:37] hids : Installation von AIDE/HIDS.</font>
 +<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 8ms</font>
 +<font style="color: rgb(0, 0, 0)">[14:38:37]     ↳ install: Aktuelles AIDE Paket vom internen Mirror holen.</font>
 +<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 500ms</font>
 +<font style="color: rgb(0, 0, 0)">[14:38:37]     ↳ install: AIDE-Paket installieren.</font>
<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 2.00s</font>
<font style="color: rgb(0, 0, 0)">[14:38:39]     ↳ install: Delete temporary local package file.</font>
<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 389ms</font>
<font style="color: rgb(0, 0, 0)">[14:38:40] hids : Configure AIDE/HIDS.</font>
<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 7ms</font>
<font style="color: rgb(0, 0, 0)">[14:38:40]     ↳ config: Check whether a backup of aide.conf already exists.</font>
<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 356ms</font>
<font style="color: rgb(0, 0, 0)">[14:38:40]     ↳ config: Create backup of the aide.conf configuration file.</font>
<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 338ms</font>
<font style="color: rgb(0, 0, 0)">[14:38:40]     ↳ config: Generate AIDE configuration file.</font>
<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 634ms</font>
<font style="color: rgb(0, 0, 0)">[14:38:41]     ↳ config: Create directory for the local timer override.</font>
<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 251ms</font>
<font style="color: rgb(0, 0, 0)">[14:38:41]     ↳ config: Create systemd timer for AIDE.</font>
<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 478ms</font>
<font style="color: rgb(0, 0, 0)">[14:38:42]     ↳ config: Create AIDE database.</font>
<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 1m40s</font>
<font style="color: rgb(0, 0, 0)">[14:40:22] hids : Transfer AIDE database to the repository server.</font>
<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 10ms</font>
<font style="color: rgb(0, 0, 0)">[14:40:22]     ↳ transfer: Delete temporary local AIDE database file.</font>
<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 368ms</font>
<font style="color: rgb(0, 0, 0)">[14:40:23]     ↳ transfer: Delete temporary remote AIDE database file.</font>
<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 1.24s</font>
<font style="color: rgb(0, 0, 0)">[14:40:24]     ↳ transfer: Copy AIDE database locally.</font>
<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 511ms</font>
<font style="color: rgb(0, 0, 0)">[14:40:25]     ↳ transfer: Copy AIDE database to the repository server.</font>
<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 1.63s</font>
<font style="color: rgb(0, 0, 0)">[14:40:27]     ↳ transfer: Move AIDE database into the repo.</font>
<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 5.14s</font>
<font style="color: rgb(0, 0, 0)">[14:40:32]     ↳ transfer: Delete temporary local AIDE database file.</font>
<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 317ms</font>
<font style="color: rgb(0, 0, 0)">[14:40:32]     ↳ transfer: Delete temporary remote AIDE database file.</font>
<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 861ms</font>
<font style="color: rgb(25, 100, 5)">triggering handler | hids : Reload aidecheck</font>
<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 1.21s</font>
<font style="color: rgb(0, 0, 0)">[14:40:33] system</font>
<font style="color: rgb(25, 100, 5)">-- Play recap --</font>
<font style="color: rgb(196, 160, 0)">pml010070                  </font><font style="color: rgb(0, 0, 0)">: </font><font style="color: rgb(25, 100, 5)">ok=21   </font><font style="color: rgb(196, 160, 0)">changed=12    </font>unreachable=0    failed=0    <font style="color: rgb(0, 0, 0)">skipped=0</font>    <font style="color: rgb(0, 0, 0)">rescued=0    ignored=0</font>
</pre>
</html>
 +
==== Checking the result ====
A look at the system journal first shows the **''systemd timer''** for our host being activated, set to run the check daily at **''05:51:00''**. Note that an executable match such as ''journalctl /usr/bin/aide'' only returns the lines the aide binary itself writes; systemd's own unit messages are followed without a filter or with ''-u'':
   # journalctl -f
<code>Mar 14 14:40:36 pml010070 systemd[1]: Reloading finished in 162 ms.
Mar 14 14:40:36 pml010070 systemd[1]: Started Aide check every day at 05:51:00.
Mar 14 14:40:36 pml010070 systemd[1]: Started Aide Check.</code>

The handler triggered at the end of the playbook also starts a first check right away. It compares the file system against the database that was just created and pushed to the repository server, and reports no differences. (In this setup the journal contains every report line twice, once as single lines and once as one multi-line message; the excerpt keeps a single copy.)
   # journalctl -f -u aidecheck.service
++++ journal of the first check right after creating the initial database |
<code>Mar 14 14:43:07 pml010070 aide[94384]: Start timestamp: 2025-03-14 14:40:36 +0100 (AIDE 0.18.8)
Mar 14 14:43:07 pml010070 aide[94384]: AIDE found NO differences between database and filesystem. Looks okay!!
Mar 14 14:43:07 pml010070 aide[94384]: Number of entries:        415370
Mar 14 14:43:07 pml010070 aide[94384]: ---------------------------------------------------
Mar 14 14:43:07 pml010070 aide[94384]: The attributes of the (uncompressed) database(s):
Mar 14 14:43:07 pml010070 aide[94384]: ---------------------------------------------------
Mar 14 14:43:07 pml010070 aide[94384]: http://10.0.0.40/local/pml010070.aide-database
Mar 14 14:43:07 pml010070 aide[94384]:  MD5       : FqaMpI9bZvV3FiZB8nJowA==
Mar 14 14:43:07 pml010070 aide[94384]:  SHA1      : vGllC7x5U6FndAR7T2k6v5M3zpw=
Mar 14 14:43:07 pml010070 aide[94384]:  SHA256    : OGRb4RHabaNJGxw8rJ3eqMN1dQ5BR/od
Mar 14 14:43:07 pml010070 aide[94384]:              TWY8w+4k8j8=
Mar 14 14:43:07 pml010070 aide[94384]:  SHA512    : 45Gqayh6d8UU2bOhDw3heHvo8K2P3NkB
Mar 14 14:43:07 pml010070 aide[94384]:              OG2DBHfVUWkdqiFkUxmnJzkNKr5OuJJU
Mar 14 14:43:07 pml010070 aide[94384]:              1I5jztmwx5yMROqpN+LGzA==
Mar 14 14:43:07 pml010070 aide[94384]:  RMD160    : tmRQ4H5i9HtK44+neY+PcA9oBOI=
Mar 14 14:43:07 pml010070 aide[94384]:  TIGER     : lMSvw4apa4sTp/2wGf/9bENtoP/rGdWg
Mar 14 14:43:07 pml010070 aide[94384]:  CRC32     : lNOWHg==
Mar 14 14:43:07 pml010070 aide[94384]:  WHIRLPOOL : RpJ0mjh34mGWGOOxPI982f1J6+xsc1BQ
Mar 14 14:43:07 pml010070 aide[94384]:              6Qf3j/70QH6YaZ0xKnDioNvEGUZeSrXK
Mar 14 14:43:07 pml010070 aide[94384]:              S88Yf1dE76zmSxan8K9lIw==
Mar 14 14:43:07 pml010070 aide[94384]:  GOST      : 6jc71FdttaZW/sUrNA04kyuipL3c6Uek
Mar 14 14:43:07 pml010070 aide[94384]:              eu+La9lk8tk=
Mar 14 14:43:07 pml010070 aide[94384]:  STRIBOG256: 8sSN/117ue7MfpZ9fvv6FlfNSeRKAg+m
Mar 14 14:43:07 pml010070 aide[94384]:              MdP0ErwHN88=
Mar 14 14:43:07 pml010070 aide[94384]:  STRIBOG512: lpC/Mc6AYEOh580mPp/Hv47qADCJktQw
Mar 14 14:43:07 pml010070 aide[94384]:              th4EzUKygQsx+WQ04E4+GHwahMuM5zuw
Mar 14 14:43:07 pml010070 aide[94384]:              kffXnQAsP1YkZra5jn7pnQ==
Mar 14 14:43:07 pml010070 aide[94384]: End timestamp: 2025-03-14 14:43:07 +0100 (run time: 2m 31s)
Mar 14 14:43:07 pml010070 systemd[1]: aidecheck.service: Deactivated successfully.
Mar 14 14:43:07 pml010070 systemd[1]: aidecheck.service: Consumed 3min 26.741s CPU time, 708.5M memory peak.</code>
 +++++
 +
Every day at **05:51** the host now fetches the current AIDE database from our internal repository/mirror server (''http://10.0.0.40/local/pml010070.aide-database'', as the report shows) and checks its file system against it.
   # journalctl
++++ journal of this host's daily check at 05:51 |
<code>Mar 15 05:51:09 pml010070 systemd[1]: Started Aide Check.
Mar 15 05:51:27 pml010070 rtkit-daemon[1200]: Supervising 8 threads of 5 processes of 1 users.
Mar 15 05:53:01 pml010070 aide[57175]: Start timestamp: 2025-03-15 05:51:09 +0100 (AIDE 0.18.8)
Mar 15 05:53:01 pml010070 aide[57175]: AIDE found differences between database and filesystem!!
Mar 15 05:53:01 pml010070 aide[57175]: Summary:
Mar 15 05:53:01 pml010070 aide[57175]:   Total number of entries:        415370
Mar 15 05:53:01 pml010070 aide[57175]:   Added entries:                0
Mar 15 05:53:01 pml010070 aide[57175]:   Removed entries:                0
Mar 15 05:53:01 pml010070 aide[57175]:   Changed entries:                2
Mar 15 05:53:01 pml010070 aide[57175]: ---------------------------------------------------
Mar 15 05:53:01 pml010070 aide[57175]: Changed entries:
Mar 15 05:53:01 pml010070 aide[57175]: ---------------------------------------------------
Mar 15 05:53:01 pml010070 aide[57175]: d = ... mc.. .. : /etc/cups
Mar 15 05:53:01 pml010070 aide[57175]: d = ... mc..    : /root
Mar 15 05:53:01 pml010070 aide[57175]: ---------------------------------------------------
Mar 15 05:53:01 pml010070 aide[57175]: Detailed information about changes:
Mar 15 05:53:01 pml010070 aide[57175]: ---------------------------------------------------
Mar 15 05:53:01 pml010070 aide[57175]: Directory: /etc/cups
Mar 15 05:53:01 pml010070 aide[57175]:  Mtime     : 2025-03-13 13:49:27 +0100        | 2025-03-14 05:22:46 +0100
Mar 15 05:53:01 pml010070 aide[57175]:  Ctime     : 2025-03-13 13:49:27 +0100        | 2025-03-14 05:22:46 +0100
Mar 15 05:53:01 pml010070 aide[57175]: Directory: /root
Mar 15 05:53:01 pml010070 aide[57175]:  Mtime     : 2025-03-11 19:16:06 +0100        | 2025-03-13 17:47:03 +0100
Mar 15 05:53:01 pml010070 aide[57175]:  Ctime     : 2025-03-11 19:16:06 +0100        | 2025-03-13 17:47:03 +0100
Mar 15 05:53:01 pml010070 aide[57175]: ---------------------------------------------------
Mar 15 05:53:01 pml010070 aide[57175]: The attributes of the (uncompressed) database(s):
Mar 15 05:53:01 pml010070 aide[57175]: ---------------------------------------------------
Mar 15 05:53:01 pml010070 aide[57175]: http://10.0.0.40/local/pml010070.aide-database
Mar 15 05:53:01 pml010070 aide[57175]:  MD5       : JkDe+MaQ3jiZXGx4TPiP9w==
Mar 15 05:53:01 pml010070 aide[57175]:  SHA1      : ulm0dLAs62vjmWKNuh6LyV3HORE=
Mar 15 05:53:01 pml010070 aide[57175]:  SHA256    : S/BG2ZPAZogkojazoc13F6sme84JWTik
Mar 15 05:53:01 pml010070 aide[57175]:              zH4ysMjRjnQ=
Mar 15 05:53:01 pml010070 aide[57175]:  SHA512    : o4mqYllOZrjONDaZP/hywLlZHcSv69Z1
Mar 15 05:53:01 pml010070 aide[57175]:              CkdMvaD3LZdr+bzK7zjwnpbG4nONTmDx
Mar 15 05:53:01 pml010070 aide[57175]:              p5sXILkYA+REaSrbAIft0Q==
Mar 15 05:53:01 pml010070 aide[57175]:  RMD160    : 1+EE+mVMQl0wLRZQk5qSwegYvLY=
Mar 15 05:53:01 pml010070 aide[57175]:  TIGER     : mvvYirLAo30g35dnku/8KcCkoHfg4Dz+
Mar 15 05:53:01 pml010070 aide[57175]:  CRC32     : h+Fz5Q==
Mar 15 05:53:01 pml010070 aide[57175]:  WHIRLPOOL : 5wn7egFu5xf5IPQnBCdZbRsz+UXf1BdQ
Mar 15 05:53:01 pml010070 aide[57175]:              QauE/6ZI2VaMzGs3antSVbmkHmCnMoWT
Mar 15 05:53:01 pml010070 aide[57175]:              xj4keofx/JSJWKvUUMLnnA==
Mar 15 05:53:01 pml010070 aide[57175]:  GOST      : iHuOTlg03FrPEX9ror1szxOomv/c+eUc
Mar 15 05:53:01 pml010070 aide[57175]:              olR6ymPJlBM=
Mar 15 05:53:01 pml010070 aide[57175]:  STRIBOG256: FJPuiouF2Rs9qxvN9czdHdVbp1eAHdwc
Mar 15 05:53:01 pml010070 aide[57175]:              nVp7Q31aqCE=
Mar 15 05:53:01 pml010070 aide[57175]:  STRIBOG512: HMJSk//+5BxO2Z3620Zz4u/blN5yPvRC
Mar 15 05:53:01 pml010070 aide[57175]:              d0yzK7LYs9uC3cZx1GxpL6sBIWqMMn1x
Mar 15 05:53:01 pml010070 aide[57175]:              4rib/WieOl1eeUTP8YefKQ==
Mar 15 05:53:01 pml010070 aide[57175]: End timestamp: 2025-03-15 05:53:01 +0100 (run time: 1m 52s)
Mar 15 05:53:01 pml010070 systemd[1]: aidecheck.service: Main process exited, code=exited, status=4/NOPERMISSION
Mar 15 05:53:01 pml010070 systemd[1]: aidecheck.service: Failed with result 'exit-code'.
Mar 15 05:53:01 pml010070 systemd[1]: aidecheck.service: Consumed 2min 36.983s CPU time, 708.7M memory peak.
</code>
++++

Two things in this run deserve a closer look. First, systemd reports ''status=4/NOPERMISSION'' and marks the service as failed. That is not a permission problem: AIDE's exit status is a bit mask (1 = added, 2 = removed, 4 = changed entries, summed when several apply; 14 and above are real errors), and systemd merely prints the LSB name it has for the number 4. A "failed" ''aidecheck.service'' therefore means "differences found" and is exactly the event that should raise an alert.

Second, the changes themselves. Both entries are directories whose mtime and ctime moved, which is what creating, deleting or renaming a file inside them does. Both new timestamps (13.03. 17:47 and 14.03. 05:22) lie before the database was created on 14.03. at 14:38, and the database fingerprint printed at the end (MD5 ''JkDe...'' instead of ''FqaM...'' the day before) shows that this check ran against a different database file than the first one. Whenever that fingerprint changes without a deliberate re-initialisation, check the repository server before trusting the result: the reference itself has been replaced.

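The report above has to be turned into something a monitoring pipeline can act on. As an added example (not code from this article or from the AIDE project), the following Python script parses one run of ''aidecheck.service'' from its journal lines into the summary counts, the changed entries and the fingerprint of the database the check ran against, maps AIDE's exit status (the ''status=4'' in the journal above) to its meaning, and flags a database fingerprint that differs from the previous run. The sample run, host name, URL and hash values are constructed; the journal prefix format is the single-line form shown above; and classifying a change as "timestamps only" relies on the summary flag letters a/m/c standing for atime/mtime/ctime, a heuristic of this example.

```python
"""Triage of one aidecheck.service run from its journal lines (added example)."""
import re
from dataclasses import dataclass, field

# AIDE's exit status is a bit mask (aide(1)): 1 = added, 2 = removed and
# 4 = changed entries, summed when several apply; 14 and above are errors.
# systemd prints the LSB name for status 4 ("NOPERMISSION"), unrelated to AIDE.
EXIT_BITS = ((1, "added"), (2, "removed"), (4, "changed"))
TIMESTAMP_FLAGS = set("amc")  # heuristic: summary letters a/m/c = atime/mtime/ctime


def describe_exit_status(code):
    if code == 0:
        return "no differences"
    if code >= 14:
        return f"aide error (exit status {code})"
    return "differences: " + ", ".join(n for b, n in EXIT_BITS if code & b)


@dataclass
class AideReport:
    total: int = 0
    added: int = 0
    removed: int = 0
    changed: int = 0
    entries: list = field(default_factory=list)  # (type, size flag, attr flags, path)
    database_url: str = ""
    database_hashes: dict = field(default_factory=dict)


_PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ aide\[\d+\]: ?")
_COUNT = re.compile(r"^\s*(Total number of entries|Added entries|Removed entries|"
                    r"Changed entries):\s+(\d+)\s*$")
_ENTRY = re.compile(r"^\s*([a-zA-Z?])\s+([=<>!?])\s+(.*?)\s*:\s+(/\S.*?)\s*$")
_HASH = re.compile(r"^\s+([A-Z0-9]+)\s*:\s+(\S+)\s*$")
_CONT = re.compile(r"^\s{4,}([A-Za-z0-9+/=]+)\s*$")  # wrapped base64 digest
_URL = re.compile(r"^(https?://|file:|/)\S+$")
_KEYS = {"Total number of entries": "total", "Added entries": "added", "Removed entries": "removed", "Changed entries": "changed"}


def parse_aide_report(lines):
    rep, section, last_hash = AideReport(), None, None
    for raw in lines:
        line = _PREFIX.sub("", raw.rstrip("\n"))  # prefix is optional
        text = line.strip()
        m = _COUNT.match(line)
        if m:
            setattr(rep, _KEYS[m.group(1)], int(m.group(2)))
        elif text in ("Added entries:", "Removed entries:", "Changed entries:"):
            section = "entries"
        elif text.startswith("Detailed information about changes:"):
            section = "details"
        elif text.startswith("The attributes of the (uncompressed) database"):
            section = "database"
        elif section == "entries":
            m = _ENTRY.match(line)
            if m:
                rep.entries.append(m.groups())
        elif section == "database":
            if _URL.match(text):
                rep.database_url = text
            elif (m := _HASH.match(line)):
                last_hash = m.group(1)
                rep.database_hashes[last_hash] = m.group(2)
            elif last_hash and (m := _CONT.match(line)):
                rep.database_hashes[last_hash] += m.group(1)
    return rep


def triage(report, exit_status, previous=None):
    """Findings for one run; `previous` is the parsed report of the last run."""
    findings = [describe_exit_status(exit_status)]
    if exit_status < 14 and bool(exit_status & 4) != (report.changed > 0):
        findings.append("exit status and summary disagree, inspect the full report")
    for _ftype, _size, flags, path in report.entries:
        letters = {c for c in flags if c.isalpha()}
        kind = "timestamps only" if letters and letters <= TIMESTAMP_FLAGS else "content/attributes"
        findings.append(f"{path}: {kind} changed ({flags})")
    if previous is not None and previous.database_hashes.get("SHA256") != report.database_hashes.get("SHA256"):
        findings.append("reference database changed since the previous run, confirm it was re-initialised on purpose")
    return findings


# Constructed sample run, abbreviated to the lines the parser uses.
SAMPLE_RUN = """\
Mar 15 05:53:01 host1 aide[57175]: AIDE found differences between database and filesystem!!
Mar 15 05:53:01 host1 aide[57175]:   Total number of entries:        1234
Mar 15 05:53:01 host1 aide[57175]:   Added entries:                0
Mar 15 05:53:01 host1 aide[57175]:   Changed entries:                2
Mar 15 05:53:01 host1 aide[57175]: Changed entries:
Mar 15 05:53:01 host1 aide[57175]: ---------------------------------------------------
Mar 15 05:53:01 host1 aide[57175]: d = ... mc.. .. : /etc/cups
Mar 15 05:53:01 host1 aide[57175]: f > ... mc.. C. : /etc/ssh/sshd_config
Mar 15 05:53:01 host1 aide[57175]: Detailed information about changes:
Mar 15 05:53:01 host1 aide[57175]: Directory: /etc/cups
Mar 15 05:53:01 host1 aide[57175]: The attributes of the (uncompressed) database(s):
Mar 15 05:53:01 host1 aide[57175]: http://repo.example.net/local/host1.aide-database
Mar 15 05:53:01 host1 aide[57175]:  SHA256    : c2FtcGxlLWRhdGFiYXNlLWZpbmdlcnByaW50
Mar 15 05:53:01 host1 aide[57175]:              LTE=
"""
# Fingerprint the previous run reported for its database (constructed).
PREVIOUS = AideReport(database_hashes={"SHA256": "b2xkLWRhdGFiYXNlLWZpbmdlcnByaW50"})

if __name__ == "__main__":
    for finding in triage(parse_aide_report(SAMPLE_RUN.splitlines()), 4, PREVIOUS):
        print(finding)
```

Feed the script the output of ''journalctl -u aidecheck.service -o cat'' for one run together with the exit status from ''systemctl show -p ExecMainStatus aidecheck.service'', keep the parsed report of the last run on the monitoring side, and alert on any finding other than "no differences". Keeping the previous fingerprint off the host is what makes the database-replacement check meaningful.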
===== Conclusion and outlook =====
<WRAP center round tip 80%>
With **AIDE** we now have a tool that lets us monitor the file systems of our hosts for anomalies with little effort. Our Ansible playbook not only installs and configures AIDE, it also regenerates a host's AIDE database after changes by the admin, package updates or Ansible runs and transfers it automatically to the central internal repository/mirror server. The databases are thus stored separately from the managed systems, so a compromised host cannot rewrite its own reference database. This replaces signing the database or keeping it on read-only media only under two conditions, though: the managed host must have no write access to the repository (here the copy is done by the playbook, not by the host), and the path over which the host fetches the database must be trusted, since the plain-HTTP URL used above adds no integrity protection of its own. The check itself still runs on the host, so AIDE's binary and configuration remain within reach of an attacker who has root there.

This configuration example only showed how to install and configure AIDE with Ansible and how to create and store the hosts' databases. The AIDE reports must of course be monitored and evaluated; we will look at this in detail when installing and configuring a central log analysis tool such as [[centos:web_c7:graylog2|graylog]].
</WRAP>
 +
====== Links ======
  * **[[linux:ansible:detail|back to the chapter "Ansible - advanced configuration examples"]] <= **
  * **=> [[linux:dhcpd|on to the chapter "Setting up and using a DNS server for IPv4|6 on Arch Linux"]] <= **
  * **[[linux:start#ansible|Back to the "Ansible" overview]]**
  * **[[wiki:start|Back to >>Projects and topic chapters<<]]**
  * **[[http://dokuwiki.nausch.org/doku.php/|Back to the start page]]**
 +
 +
• linux/aide.1741946226.txt.gz · Last modified: 14.03.2025 09:57 · by django