Differences

This shows the differences between two versions of the page.

Previous revision: linux:aide [14.03.2025 12:55], section edited [Vorbereitung - (Server-)Daten im Inventory], by django
Current revision: linux:aide [13.04.2025 14:13] (current), section edited [Konfiguration], by django
Zeile 1: Zeile 1:
 ====== Host based Intrusion Detection System mit AIDE unter Arch Linux ====== ====== Host based Intrusion Detection System mit AIDE unter Arch Linux ======
 ===== HIDS - was ist das und wozu nutzt man es? ===== ===== HIDS - was ist das und wozu nutzt man es? =====
-Die Absicherung von Systemen ist eine der Grund- und Pflichtaufgaben eines jeden verantwortungsbewussten Systemadministrators und Administratorin. Dass dies ist kein einmaliger sondern stetig sich wiederholende Vorgang ist, versteht sich in aller Regel von selbst, so ist es unter anderem wichtig, dass regelmässig Systemüberprüfungen und Überwachung von Logmeldungen auf verdächtige und ungewöhnliche Ereignisse durchgeführt werden müssen. Zur Absicherung von Computersystem existieren unterschiedliche Ansätze. TLS-Transportverschlüsselung, SecureShell, oder Firewalls wird hier jedem interessierten Admin sofort in den Sinn kommen. Dabei gibt es zwei unterschiedliche Betrachungsweisen/-richtungen bei den einzelnen Lösungen. Betrachtet und analysiert man in erster Linie Netzwerkverkehr in Netzwerken und/oder Zonengrenzen einzelner Netzwerke und bewertet hierzu entsprechende Protokolle von Netzwerkgeräten wie Switche, Router und Firewalls spricht man von einem **NIDS**, einem **N**etzwerk based **I**ntrusion **D**etection **S**ystem. Im Gegensatz dazu spricht man von einem **HIDS** **H**ost based **I**ntrusion **D**etection **S**ystem, wenn der Blick primär auf einem Host selbst erfolgt und man mit Hilfe lokaler Informationen Bewertungen über zulässige Änderungen am betreffenden System selbst Entscheidungen über (un)zulässige Änderungen treffen muss und möchte. Ein HIDS konzentriert sich dabei auf detailliertere und interne Angriffe, indem es die Überwachung auf Host-Aktivitäten konzentriert. Dabei versucht ein HIDS wie AIDE lediglich, Systemanomalien und somit Eindringlinge zu erkennen und hat nicht zur Aufgabe aktiv mögliche Angreifer und Bedrohungen zu blockieren! Ein Intrusion Detection System (wie AIDE) versucht lediglich, Eindringlinge zu erkennen, arbeitet aber nicht aktiv daran, ihren Zugang von vornherein zu blockieren. 
Im Gegensatz dazu arbeitet ein **IPS** ein **I**ntrusion **P**revention **S**ystem aktiv daran, Bedrohungen zu blockieren und den Benutzerzugriff zu überprüfen.+Die Absicherung von Systemen ist eine der Grund- und Pflichtaufgaben eines jeden verantwortungsbewussten Systemadministrators und Administratorin. Dass dies ist kein einmaliger sondern stetig sich wiederholende Vorgang ist, versteht sich in aller Regel von selbst, so ist es unter anderem wichtig, dass regelmäßig Systemüberprüfungen und Überwachung von Logmeldungen auf verdächtige und ungewöhnliche Ereignisse durchgeführt werden müssen. Zur Absicherung von Computersystem existieren unterschiedliche Ansätze. TLS-Transportverschlüsselung, SecureShell, oder Firewalls wird hier jedem interessierten Admin sofort in den Sinn kommen. Dabei gibt es zwei unterschiedliche Betrachtungsweisen/-richtungen bei den einzelnen Lösungen. Betrachtet und analysiert man in erster Linie Netzwerkverkehr in Netzwerken und/oder Zonengrenzen einzelner Netzwerke und bewertet hierzu entsprechende Protokolle von Netzwerkgeräten wie Switche, Router und Firewalls spricht man von einem **NIDS**, einem **N**etzwerk based **I**ntrusion **D**etection **S**ystem. Im Gegensatz dazu spricht man von einem **HIDS** **H**ost based **I**ntrusion **D**etection **S**ystem, wenn der Blick primär auf einem Host selbst erfolgt und man mit Hilfe lokaler Informationen Bewertungen über zulässige Änderungen am betreffenden System selbst Entscheidungen über (un)zulässige Änderungen treffen muss und möchte. Ein HIDS konzentriert sich dabei auf detailliertere und interne Angriffe, indem es die Überwachung auf Host-Aktivitäten konzentriert. Dabei versucht ein HIDS wie AIDE lediglich, Systemanomalien und somit Eindringlinge zu erkennen und hat nicht zur Aufgabe aktiv mögliche Angreifer und Bedrohungen zu blockieren! 
Ein Intrusion Detection System (wie AIDE) versucht lediglich, Eindringlinge zu erkennen, arbeitet aber nicht aktiv daran, ihren Zugang von vornherein zu blockieren. Im Gegensatz dazu arbeitet ein **IPS** ein **I**ntrusion **P**revention **S**ystem aktiv daran, Bedrohungen zu blockieren und den Benutzerzugriff zu überprüfen.
  
-Weiterführende Informationen rund um Intrusion-Detection-Systeme findet man im **[[https://www.bsi.bund.de/DE/Service-Navi/Publikationen/Studien/IDS02/gr1_htm.html|BSI-Leitfaden zur Einführung von Intrusion-Detection-Systemen]]** bzz im **[[https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KRITIS/oh_sza_en.pdf|Orientation Guide to Using Intrusion Detection Systems (IDS)]]**.+Weiterführende Informationen rund um Intrusion-Detection-Systeme findet man im **[[https://www.bsi.bund.de/DE/Service-Navi/Publikationen/Studien/IDS02/gr1_htm.html|BSI-Leitfaden zur Einführung von Intrusion-Detection-Systemen]]** bzw. im **[[https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/KRITIS/oh_sza_en.pdf|Orientation Guide to Using Intrusion Detection Systems (IDS)]]**.
  
 Eine der Herausforderungen bei der Verwendung von HIDS besteht darin, dass es auf jedem einzelnen Host installiert, konfiguriert und entsprechende Berichte bzw. Logdateien dann auch bewertet werden muss, der vor Eindringlingen geschützt werden soll. Dies kann je nach zur Verfügung stehender Ressourcen zu einer Verlangsamung der Leistung des Hosts und eines eingesetzten HIDS führen. Wir werden uns später daher die Installation und Konfiguration mit Hilfe von Ansible vornehmen. Zur Auswertung der Logmeldungen greifen wir in unserer Umgebung auf [[centos:web_c7:graylog2|graylog]] zurück. Eine der Herausforderungen bei der Verwendung von HIDS besteht darin, dass es auf jedem einzelnen Host installiert, konfiguriert und entsprechende Berichte bzw. Logdateien dann auch bewertet werden muss, der vor Eindringlingen geschützt werden soll. Dies kann je nach zur Verfügung stehender Ressourcen zu einer Verlangsamung der Leistung des Hosts und eines eingesetzten HIDS führen. Wir werden uns später daher die Installation und Konfiguration mit Hilfe von Ansible vornehmen. Zur Auswertung der Logmeldungen greifen wir in unserer Umgebung auf [[centos:web_c7:graylog2|graylog]] zurück.
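Review bot: the right-hand text still states the same thing twice in a row: "Dabei versucht ein HIDS wie AIDE lediglich, Systemanomalien und somit Eindringlinge zu erkennen und hat nicht zur Aufgabe aktiv mögliche Angreifer und Bedrohungen zu blockieren!" is followed directly by "Ein Intrusion Detection System (wie AIDE) versucht lediglich, Eindringlinge zu erkennen, arbeitet aber nicht aktiv daran, ihren Zugang von vornherein zu blockieren." Keep one of them, preferably the second, since it leads into the IPS contrast. Two smaller points in the same hunk: the HIDS definition ("... Bewertungen über zulässige Änderungen ... Entscheidungen über (un)zulässige Änderungen treffen muss und möchte") says the same thing twice within one sentence and should be cut to a single clause; and the closing paragraph promises an Ansible roll-out, while the warning box later in this diff talks about Puppet agent runs, so the page should settle on one tool or say that the interrupted-update risk applies to any configuration-management agent.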
Zeile 16: Zeile 16:
   * Benutzer   * Benutzer
   * Gruppen   * Gruppen
-  * Dateigrössen+  * Dateigrößen
   * mtime   * mtime
   * ctime   * ctime
   * atime   * atime
-  * wachsende Grösse+  * wachsende Größe
   * Anzahl von Links   * Anzahl von Links
   * Linknamen   * Linknamen
  
-AIDE erstellt ausserdem eine kryptografische Prüfsumme oder einen Hash jeder Datei unter Verwendung eines oder einer Kombination der folgenden Message-Digest-Algorithmen: +AIDE erstellt außerdem eine kryptografische Prüfsumme oder einen Hash jeder Datei unter Verwendung eines oder einer Kombination der folgenden Message-Digest-Algorithmen: 
-  * sha1+  * sha1 (deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt)
   * sha256   * sha256
   * sha512   * sha512
-  * md5 +  * md5 (deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt) 
-  * rmd160 +  * rmd160 (deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt) 
-  * tiger +  * ghost (deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt) kann kompiliert werden, sofern mhash-Unterstützung verfügbar ist.
-  * gost und whirlpool können kompiliert werden, sofern mhash-Unterstützung verfügbar ist.+
  
 Darüber hinaus können die erweiterten Attribute verwendet werden, sofern sie während der Kompilierung explizit aktiviert werden: Darüber hinaus können die erweiterten Attribute verwendet werden, sofern sie während der Kompilierung explizit aktiviert werden:
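Review bot: "ghost" in the last list entry is a typo for "gost" (the removed line said gost, and the aide -v output further down in this diff still reports "gost: yes"). The note attached to it is stale as well: the same aide -v output shows the 0.19 binary built with "use Nettle crypto library: yes" and no Mhash line at all, so "kann kompiliert werden, sofern mhash-Unterstützung verfügbar ist" no longer describes this build, and whirlpool, tiger and crc32 are now reported as "no". Since the list claims to name the algorithms AIDE can use, it should also pick up the ones the new -v output adds (sha512_256, sha3_256, sha3_512, stribog256, stribog512), in particular sha3_256, which this same revision makes the default checksum of the R group.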
Zeile 43: Zeile 42:
 </WRAP> </WRAP>
  
-**[[https://aide.github.io/|AIDE]]** ist ein Fork des bekannten HIDS **[[https://www.tripwire.com/|Tripwire]]** welches ursprünglich von Rami Lehti und Pablo Virolainen 1999 als freie Alternative zum kommerziellen Produkt Tripwire entwickelt wurde. Zwischen 2003 und 2010 wurde es von Richard van den Berg betreut. Seit Oktober 2010 übernahm Hannes von Haugwitz das Projekt. Die Homepage von AIDE ist **[[https://aide.github.io|hier]]** zu finden. Die aktuelle Version von AIDE wird derzeit auf **[[https://github.com/aide/aide|GitHub]]** verwaltet.+**[[https://aide.github.io/|AIDE]]** ist ein Fork des bekannten HIDS **[[https://www.tripwire.com/|Tripwire]]** welches ursprünglich von Rami Lehti und Pablo Virolainen 1999 als freie Alternative zum kommerziellen Produkt Tripwire entwickelt wurde. Zwischen 2003 und 2010 wurde es von Richard van den Berg betreut. Seit Oktober 2010 übernahm Hannes von Haugwitz das Projekt. Die Homepage von AIDE ist **[[https://aide.github.io|hier]]** zu finden. Die aktuelle Version **''[[https://github.com/aide/aide/releases/tag/v0.19|v0.19]]''** von AIDE wird derzeit auf **[[https://github.com/aide/aide|GitHub]]** verwaltet.
  
-In aller Regel wird ein Admin, nachdem ein neuer Host erstellt wurde, initial eine AIDE-Datenbank auf dem neuen System erstellen, bestenfalls bevor der neue Host produktiv mit dem Netzwerk verbunden wird. Diese initiale AIDE-Datenbank ist eine Momentaufnahme des Systems in seinem Normalzustand und ist der Massstab, an dem alle nachfolgenden Aktualisierungen und Änderungen gemessen werden. Diese Datenbank sollte Informationen über die wichtigsten Systembinärdateien, Bibliotheken, Header-Dateien und alle Verzeichnisse sowie Dateien enthalten, die im Laufe der Zeit unverändert bleiben sollten. Dateien, welche sich häufig ändern, wie z.B. Log- und Protokolldateien Mail-Spools, proc-Dateisysteme, Home-Verzeichnisse von Benutzern oder temporäre Verzeichnisse, nimmt man in aller Regel nicht in die AIDE-Datenbank auf, das sonst später die Meldungen unnötig durch viele unerwünschte und erwartbare Meldungen überflutet werden würde. +In aller Regel wird ein Admin, nachdem ein neuer Host erstellt wurde, initial eine AIDE-Datenbank auf dem neuen System erstellen, bestenfalls bevor der neue Host produktiv mit dem Netzwerk verbunden wird. Diese initiale AIDE-Datenbank ist eine Momentaufnahme des Systems in seinem Normalzustand und ist der Maßstab, an dem alle nachfolgenden Aktualisierungen und Änderungen gemessen werden. Diese Datenbank sollte Informationen über die wichtigsten Systembinärdateien, Bibliotheken, Header-Dateien und alle Verzeichnisse sowie Dateien enthalten, die im Laufe der Zeit unverändert bleiben sollten. Dateien, welche sich häufig ändern, wie z.B. Log- und Protokolldateien Mail-Spools, proc-Dateisysteme, Home-Verzeichnisse von Benutzern oder temporäre Verzeichnisse, nimmt man in aller Regel nicht in die AIDE-Datenbank auf, das sonst später die Meldungen unnötig durch viele unerwünschte und erwartbare Meldungen überflutet werden würde. 
  
 Durch erneutes Ausführen von AIDE zur Systemüberprüfung kann ein Systemadministrator Änderungen an systemrelevanten Verzeichnissen und Dateien schnell erkennen und sich ziemlich sicher sein, dass die protokollierten Ergebnisse korrekt sind.  Durch erneutes Ausführen von AIDE zur Systemüberprüfung kann ein Systemadministrator Änderungen an systemrelevanten Verzeichnissen und Dateien schnell erkennen und sich ziemlich sicher sein, dass die protokollierten Ergebnisse korrekt sind. 
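Review bot: "ist ein Fork des bekannten HIDS Tripwire" contradicts the rest of the same sentence, which says AIDE was written by Rami Lehti and Pablo Virolainen as a free alternative to the commercial Tripwire; a fork reuses code, an alternative does not, so say "freie Alternative zu" (or "Neuimplementierung") and drop "Fork". The newly added "Die aktuelle Version v0.19" pins a moving target to a tag link; "die in diesem Artikel verwendete Version v0.19" stays true after the next upstream release. In the second paragraph, "das sonst später die Meldungen unnötig ... überflutet werden würde" needs "da" and a matching subject ("da sonst später die Berichte ... überflutet würden").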
Zeile 51: Zeile 50:
 <WRAP center round alert 60%> <WRAP center round alert 60%>
 **ACHTUNG**: \\ **ACHTUNG**: \\
-Ein Admin muss sich aber auch im Klaren sein, dass auch mit **AIDE** **__keine absulute Sicherheit__** gewährleistet werden kann, denn wie alle anderen Systemdateien können auch die Binär- und/oder Datenbankdateien von AIDE komprommitiert werden können! \\ \\+Ein Admin muss sich aber auch im Klaren sein, dass auch mit **AIDE** **__keine absolute Sicherheit__** gewährleistet werden kann, denn wie alle anderen Systemdateien können auch die Binär- und/oder Datenbankdateien von AIDE kompromittiert werden können! \\ \\
 Ebenso ist vor allem in orchestrierten Umgebungen (Puppet) darauf zu achten, dass nicht etwa ein gerade initiierter Datenbank-Update durch einen Puppet-Agent Lauf abgebrochen wird. So stünde im Extremfall keine aktuelle und valide Datenbank für spätere Systemchecks zur Verfügung, was zu unzähligen false-positive Meldungen führen würde. Die Reputation des HIDS bei den Administratoren wäre in einem solch einem Fall dahin und der erhoffte bzw. geforderte Erfolg mehr als fraglich! Ebenso ist vor allem in orchestrierten Umgebungen (Puppet) darauf zu achten, dass nicht etwa ein gerade initiierter Datenbank-Update durch einen Puppet-Agent Lauf abgebrochen wird. So stünde im Extremfall keine aktuelle und valide Datenbank für spätere Systemchecks zur Verfügung, was zu unzähligen false-positive Meldungen führen würde. Die Reputation des HIDS bei den Administratoren wäre in einem solch einem Fall dahin und der erhoffte bzw. geforderte Erfolg mehr als fraglich!
 </WRAP> </WRAP>
  
 ==== Installation ==== ==== Installation ====
-AIDE kann unter Arch Linux nicht einfach aus dem Core- oder Extras-Repository mit Hilfe des Paketverwaltungswerkzeugs **''pacman''** installiert werden. Jedoch gibt es aus dem **[[https://aur.archlinux.org/packages?O=0&K=aide|Arch User Repository]]** kurz **AUR**, dem Community verwaltetes Repository für Benutzer von Arch Linux, eine Paketbeschreibungen (**''PKGBUILDs''**), mit denen Sie ein Paket aus dem Quellcode mit **''makepkg''** kompilieren und dann über **''pacman''** installieren kann. Möchte man auf den entsprechenden Zielsystemen die hierzu nötigen Kompilierungswerkzeuge nicht vorhalten, so kann man das Paket auch auf einem entsprechenden geschützten Buildhost erstellen und dann lokal, auf dem entsprechendem Zielsystem mit Hilfe von **''pacman''** installieren!+AIDE kann unter Arch Linux nicht einfach aus dem Core- oder Extras-Repository mit Hilfe des Paketverwaltungswerkzeugs **''pacman''** installiert werden. Jedoch gibt es aus dem **[[https://aur.archlinux.org/packages?O=0&K=aide|Arch User Repository]]** kurz **AUR**, dem Community verwaltetes Repository für Benutzer von Arch Linux, eine Paketbeschreibungen (**''PKGBUILDs''**), mit denen Sie ein Paket aus dem Quellcode mit **''makepkg''** kompilieren und dann über **''pacman''** installieren kann. Möchte man auf den entsprechenden Zielsystemen die hierzu nötigen Kompilierungswerkzeuge nicht vorhalten, so kann man das Paket auch auf einem entsprechenden geschützten Buildhost erstellen und dann lokal, auf dem entsprechendem Zielsystem mit Hilfe von **''pacman''** installieren.
  
 Da bei der Installation bzw. beim Kompilieren die Integrität des Quell-Archives an Hand dessen PGP-Signatur geprüft wird, ist es notwendig dass der PGP-Schlüssel mit der Key-ID **''F6947DAB68E7B931''** von  **[[mailto:hannes@vonhaugwitz.com|Hannes von Haugwitz]]** in unserem Keyring vorhanden ist. Hierzu importieren wir zuerst den betreffenden Public-Key von Hannes: Da bei der Installation bzw. beim Kompilieren die Integrität des Quell-Archives an Hand dessen PGP-Signatur geprüft wird, ist es notwendig dass der PGP-Schlüssel mit der Key-ID **''F6947DAB68E7B931''** von  **[[mailto:hannes@vonhaugwitz.com|Hannes von Haugwitz]]** in unserem Keyring vorhanden ist. Hierzu importieren wir zuerst den betreffenden Public-Key von Hannes:
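Review bot: the warning box names the risk (AIDE's binary and database can themselves be modified) but gives the reader nothing to do about it; add the usual countermeasures in the same box: keep the database that database_in points to, the config and ideally the aide binary on read-only or off-host storage, and record a checksum of the database file out of band so a check is only trusted after the database itself has been verified. On the PGP step, importing a key by its 16-hex-digit key ID only puts some key with that ID into the keyring; tell the reader to compare the full fingerprint with the one published by the project before makepkg's signature check is allowed to count as "Passed". Language nits in the install paragraph: "eine Paketbeschreibungen" should be "eine Paketbeschreibung", and "mit denen Sie ... kann" mixes Sie and man.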
Zeile 87: Zeile 86:
  
 🛴 AUR package will be installed: 🛴 AUR package will be installed:
- aide                                                       -> 0.18.8-1+ aide                                                       -> 0.19-1
  
 🛴 Proceed with installation? [Y/n]  🛴 Proceed with installation? [Y/n] 
Zeile 101: Zeile 100:
  
 🛴 Starting the build: 🛴 Starting the build:
-==> Making package: aide 0.18.8-1 (Sun 09 Feb 2025 01:15:33 PM CET)+==> Making package: aide 0.19-1 (Wed 09 Apr 2025 03:15:30 PM CET)
 ==> Checking runtime dependencies... ==> Checking runtime dependencies...
 ==> Checking buildtime dependencies... ==> Checking buildtime dependencies...
 ==> Retrieving sources... ==> Retrieving sources...
-  -> Downloading aide-0.18.8.tar.gz...+  -> Downloading aide-0.19.tar.gz...
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed                                  Dload  Upload   Total   Spent    Left  Speed
   0        0        0          0      0 --:--:-- --:--:-- --:--:--     0   0        0        0          0      0 --:--:-- --:--:-- --:--:--     0
 100  374k  100  374k    0       454k      0 --:--:-- --:--:-- --:--:-- 5329k 100  374k  100  374k    0       454k      0 --:--:-- --:--:-- --:--:-- 5329k
-  -> Downloading aide-0.18.8.tar.gz.asc...+  -> Downloading aide-0.19.tar.gz.asc...
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed                                  Dload  Upload   Total   Spent    Left  Speed
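Review bot: the timestamps in this hunk (and in "Finished making" later in the diff) say CET for 9 April 2025, while the pacman -Qil output further down gives CEST for the same day; makepkg prints the local zone, and in April that is CEST unless the build host runs with a fixed TZ, so these lines look hand-edited rather than pasted. The unchanged curl progress lines (374k, identical transfer rates for the old and the new tarball) point the same way. A hand-edited transcript is acceptable for a wiki, but then say so, or re-paste the real 0.19 build output so readers can compare their own run against it.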
Zeile 119: Zeile 118:
   -> Found aidecheck.timer   -> Found aidecheck.timer
 ==> Validating source files with b2sums... ==> Validating source files with b2sums...
-    aide-0.18.8.tar.gz ... Passed +    aide-0.19.tar.gz ... Passed 
-    aide-0.18.8.tar.gz.asc ... Skipped+    aide-0.19.tar.gz.asc ... Skipped
     aide.conf ... Passed     aide.conf ... Passed
     aidecheck.service ... Passed     aidecheck.service ... Passed
     aidecheck.timer ... Passed     aidecheck.timer ... Passed
 ==> Verifying source file signatures with gpg... ==> Verifying source file signatures with gpg...
-    aide-0.18.8.tar.gz ... Passed+    aide-0.19.tar.gz ... Passed
 ==> Extracting sources... ==> Extracting sources...
-  -> Extracting aide-0.18.8.tar.gz with bsdtar+  -> Extracting aide-0.19.tar.gz with bsdtar
 ==> Starting build()... ==> Starting build()...
 checking build system type... x86_64-pc-linux-gnu checking build system type... x86_64-pc-linux-gnu
Zeile 264: Zeile 263:
 config.status: executing depfiles commands config.status: executing depfiles commands
 make  all-am make  all-am
-make[1]: Entering directory '/home/django/.cache/pikaur/build/aide/src/aide-0.18.8'+make[1]: Entering directory '/home/django/.cache/pikaur/build/aide/src/aide-0.19'
 gcc -DHAVE_CONFIG_H -I. -I./include  -I. -I./include -I./src -I./src  -D_GNU_SOURCE -W -Wall -g    -I/usr/include/e2p      -pthread    -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions         -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security         -fstack-clash-protection -fcf-protection         -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -g -ffile-prefix-map=/home/django/.cache/pikaur/build/aide/src=/usr/src/debug/aide -flto=auto  -fPIE -DPIE -Wundef -Wmissing-format-attribute -Wshadow -Wlogical-op -MT src/aide-aide.o -MD -MP -MF src/.deps/aide-aide.Tpo -c -o src/aide-aide.o `test -f 'src/aide.c' || echo './'`src/aide.c gcc -DHAVE_CONFIG_H -I. -I./include  -I. -I./include -I./src -I./src  -D_GNU_SOURCE -W -Wall -g    -I/usr/include/e2p      -pthread    -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions         -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security         -fstack-clash-protection -fcf-protection         -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -g -ffile-prefix-map=/home/django/.cache/pikaur/build/aide/src=/usr/src/debug/aide -flto=auto  -fPIE -DPIE -Wundef -Wmissing-format-attribute -Wshadow -Wlogical-op -MT src/aide-aide.o -MD -MP -MF src/.deps/aide-aide.Tpo -c -o src/aide-aide.o `test -f 'src/aide.c' || echo './'`src/aide.c
 mv -f src/.deps/aide-aide.Tpo src/.deps/aide-aide.Po mv -f src/.deps/aide-aide.Tpo src/.deps/aide-aide.Po
Zeile 334: Zeile 333:
 ==> Starting package()... ==> Starting package()...
 make  install-am make  install-am
-make[1]: Entering directory '/home/django/.cache/pikaur/build/aide/src/aide-0.18.8+make[1]: Entering directory '/home/django/.cache/pikaur/build/aide/src/aide-0.19
-make[2]: Entering directory '/home/django/.cache/pikaur/build/aide/src/aide-0.18.8'+make[2]: Entering directory '/home/django/.cache/pikaur/build/aide/src/aide-0.19'
  /usr/bin/mkdir -p '/home/django/.cache/pikaur/build/aide/pkg/aide/usr/bin'  /usr/bin/mkdir -p '/home/django/.cache/pikaur/build/aide/pkg/aide/usr/bin'
   /usr/bin/install -c aide '/home/django/.cache/pikaur/build/aide/pkg/aide/usr/bin'   /usr/bin/install -c aide '/home/django/.cache/pikaur/build/aide/pkg/aide/usr/bin'
Zeile 342: Zeile 341:
  /usr/bin/mkdir -p '/home/django/.cache/pikaur/build/aide/pkg/aide/usr/share/man/man5'  /usr/bin/mkdir -p '/home/django/.cache/pikaur/build/aide/pkg/aide/usr/share/man/man5'
  /usr/bin/install -c -m 644 doc/aide.conf.5 '/home/django/.cache/pikaur/build/aide/pkg/aide/usr/share/man/man5'  /usr/bin/install -c -m 644 doc/aide.conf.5 '/home/django/.cache/pikaur/build/aide/pkg/aide/usr/share/man/man5'
-make[2]: Leaving directory '/home/django/.cache/pikaur/build/aide/src/aide-0.18.8+make[2]: Leaving directory '/home/django/.cache/pikaur/build/aide/src/aide-0.19
-make[1]: Leaving directory '/home/django/.cache/pikaur/build/aide/src/aide-0.18.8'+make[1]: Leaving directory '/home/django/.cache/pikaur/build/aide/src/aide-0.19'
 ==> Tidying install... ==> Tidying install...
   -> Removing libtool files...   -> Removing libtool files...
Zeile 363: Zeile 362:
   -> Compressing package...   -> Compressing package...
 ==> Leaving fakeroot environment. ==> Leaving fakeroot environment.
-==> Finished making: aide 0.18.8-1 (Sun 09 Feb 2025 01:15:51 PM CET)+==> Finished making: aide 0.19-1 (Wed 09 Apr 2025 03:15:55 PM CET)
  
 loading packages... loading packages...
Zeile 369: Zeile 368:
 looking for conflicting packages... looking for conflicting packages...
  
-Packages (1) aide-0.18.8-1+Packages (1) aide-0.19-1
  
 Total Installed Size:  0.22 MiB Total Installed Size:  0.22 MiB
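Review bot: "Total Installed Size: 0.22 MiB" is left unchanged although the pacman -Qil output later in this diff raises "Installed Size" from 227.09 KiB to 252.71 KiB for 0.19, which pacman would print as 0.25 MiB; update this line (or re-paste the install step) so the two outputs agree.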
Zeile 413: Zeile 412:
 ++++ ++++
  
-Darf man aus Sicherheitsgründen auf allen Zielsystemen keine Kompilierwerkzeuge vorhalten, so holt man sich das vom eigenen Maintainer erstellen Paketes vom eigenen internen Repo-Server und installiert das Paket mit Hilfe von +Darf man aus Sicherheitsgründen auf den Zielsystemen keine Kompilierwerkzeuge vorhalten, so holt man sich das vom eigenen Maintainer erstellen Paketes vom eigenen internen Repo-Server und installiert das Paket mit Hilfe von 
 **''pacman''** lokal wie folgt: **''pacman''** lokal wie folgt:
  
 ++++ Lokale Installation von AIDE mit Hilfe von Pacman | ++++ Lokale Installation von AIDE mit Hilfe von Pacman |
-Hier in dem folgenden Beispiel wird das zuvor vom eigenen Repository vorgehaltenen Paketes in der Version **''0.18.8-1''** installiert. +Hier in dem folgenden Beispiel wird das zuvor vom eigenen Repository vorgehaltenen Paketes in der Version **''0.19-1''** installiert. 
-   # pacman -U aide-0.18.8-1-x86_64.pkg.tar.zst+   # pacman -U aide-0.19-1-x86_64.pkg.tar.zst
 ++++ ++++
  
-<WRAP center round important 35%>+<WRAP center round important 45%>
 Bevor das Programm AIDE gestartet werden kann muss es allerdings [[#konfiguration|konfiguriert]] werden! Bevor das Programm AIDE gestartet werden kann muss es allerdings [[#konfiguration|konfiguriert]] werden!
 </WRAP> </WRAP>
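Review bot: the "pacman -U aide-0.19-1-x86_64.pkg.tar.zst" path says nothing about package signing. pacman only verifies a locally supplied package file when it has a detached .sig and LocalFileSigLevel in pacman.conf requires it (the default Optional accepts unsigned files), so "auf einem geschützten Buildhost gebaut" on its own gives the target host no integrity guarantee for the transferred file. Add that the internal maintainer signs packages with the organisation's key, that this key is in the pacman keyring of the targets, and that LocalFileSigLevel is set to Required; otherwise the download from the internal repo server is trusted on the strength of the transport alone.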
Zeile 432: Zeile 431:
 ++++ Ausgabe der Befehls pacman -Qil aide |  ++++ Ausgabe der Befehls pacman -Qil aide | 
 <code>Name            : aide <code>Name            : aide
-Version         : 0.18.8-1+Version         : 0.19-1
 Description     : A file integrity checker and intrusion detection program Description     : A file integrity checker and intrusion detection program
 Architecture    : x86_64 Architecture    : x86_64
Zeile 445: Zeile 444:
 Conflicts With  : None Conflicts With  : None
 Replaces        : None Replaces        : None
-Installed Size  : 227.09 KiB+Installed Size  : 252.71 KiB
 Packager        : Unknown Packager Packager        : Unknown Packager
-Build Date      : Fri 28 Feb 2025 04:25:53 PM CET +Build Date      : Wed 09 Apr 2025 05:18:04 PM CEST 
-Install Date    : Fri 28 Feb 2025 04:26:08 PM CET+Install Date    : Wed 09 Apr 2025 07:26:41 PM CEST
 Install Reason  : Explicitly installed Install Reason  : Explicitly installed
 Install Script  : Yes Install Script  : Yes
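Review bot: "Packager : Unknown Packager" in the pasted pacman -Qil output shows the package was built without PACKAGER set in makepkg.conf, which is fine for a local test but undercuts the earlier recommendation to build on a protected build host and ship from an internal repo; a package from that pipeline should carry the maintainer's identity (and a signature). Either set PACKAGER for the build shown here or say that the output comes from a throw-away local build.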
Zeile 476: Zeile 475:
 ++++ ++++
 === Programminfo === === Programminfo ===
-Bei Bedarf können wir uns alle Optionen mit denen das AIDE-Binary gebaut wurde zusammen mit den Default Konfigurationsparametern, den verfügbaren einkompilierten Attributen, den verfügbaren Hass-Attributen sowie den defaultmässigen Compound Groups uns anzeigen lassen.+Bei Bedarf können wir uns alle Optionen mit denen das AIDE-Binary gebaut wurde zusammen mit den Default Konfigurationsparametern, den verfügbaren einkompilierten Attributen, den verfügbaren Hass-Attributen sowie den defaultmäßigen Compound Groups uns anzeigen lassen.
  
 ++++ Ausgabe der Befehls aide -v |  ++++ Ausgabe der Befehls aide -v | 
    # aide -v    # aide -v
-<code>AIDE 0.18.8+<code>AIDE 0.19
  
 Compile-time options: Compile-time options:
 use pcre2: mandatory use pcre2: mandatory
-use pthread: yes+use pthread: mandatory
 use zlib compression: yes use zlib compression: yes
 use POSIX ACLs: yes use POSIX ACLs: yes
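Review bot: "Hass-Attributen" in the Programminfo lead-in is a typo for "Hash-Attributen"; it is unchanged on both sides, so the spelling pass for this revision missed it. The same sentence also carries "uns" twice ("können wir uns ... uns anzeigen lassen").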
Zeile 492: Zeile 491:
 use e2fsattrs: yes use e2fsattrs: yes
 use cURL: yes use cURL: yes
-use Mhashno +use Nettle crypto libraryyes 
-use GNU crypto library: yes+use GNU crypto library: no
 use Linux Auditing Framework: no use Linux Auditing Framework: no
 use locale: no use locale: no
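Review bot: this hunk is the change that invalidates the algorithm list earlier in the same diff: the 0.19 binary now reports "use Nettle crypto library: yes" and "use GNU crypto library: no", and the Mhash line is gone, so the sentence there that gost "kann kompiliert werden, sofern mhash-Unterstützung verfügbar ist" describes a build option this package no longer uses. Worth one sentence in the prose: the set of available checksums depends on the crypto backend the AUR package was compiled against, which is why tiger, crc32 and whirlpool flip to "no" in the next hunk.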
Zeile 519: Zeile 518:
 sha512: yes sha512: yes
 rmd160: yes rmd160: yes
-tiger: yes +tiger: no 
-crc32: yes+crc32: no
 crc32b: no crc32b: no
 haval: no haval: no
-whirlpool: yes+whirlpool: no
 gost: yes gost: yes
 stribog256: yes stribog256: yes
 stribog512: yes stribog512: yes
 +sha512_256: yes
 +sha3_256: yes
 +sha3_512: yes
 +
 +Available file system type names:
 +9p                  autofs              bcachefs            binfmt              
 +bpf                 btrfs               cgroup              cgroup2             
 +configfs            debugfs             devpts              efivarfs            
 +exfat               ext                 f2fs                fuse                
 +fusectl             hugetlbfs           mqueue              nfs                 
 +nilfs               overlayfs           proc                pstore              
 +ramfs               securityfs          selinuxfs           squashfs            
 +sysfs               tmpfs               tracefs             udf                 
 +vfat                xfs                 
  
 Default compound groups: Default compound groups:
-R: l+p+u+g+s+c+m+i+n+md5+acl+xattrs+ftype+e2fsattrs+R: l+p+u+g+s+c+m+i+n+acl+xattrs+ftype+e2fsattrs+sha3_256
 L: l+p+u+g+i+n+acl+xattrs+ftype+e2fsattrs L: l+p+u+g+i+n+acl+xattrs+ftype+e2fsattrs
 >: l+p+u+g+s+i+n+acl+xattrs+ftype+e2fsattrs+growing >: l+p+u+g+s+i+n+acl+xattrs+ftype+e2fsattrs+growing
-H: md5+sha1+rmd160+tiger+crc32+gost+sha256+sha512+whirlpool+stribog256+stribog512+H: sha256+sha512+stribog256+stribog512+sha512_256+sha3_256+sha3_512
 X: acl+xattrs+e2fsattrs</code> X: acl+xattrs+e2fsattrs</code>
 ++++ ++++
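Review bot: the default compound group R changes its checksum from md5 to sha3_256, and H drops md5, sha1, rmd160, tiger, crc32, gost and whirlpool. For anyone upgrading an existing installation that is the operationally important change in this whole revision, and the article should say so: a database initialised with 0.18.8 under the old R default carries md5 sums, while a 0.19 --check with the new default asks for sha3_256, so checksum comparison against the old baseline is not possible until the database is re-initialised, and that fresh --init has to be taken while the host is still known-good before the first post-upgrade check is trusted. The same applies to any custom rule in the page's aide.conf that names md5 or sha1 explicitly; move those to sha256/sha512 or sha3_256 now, ahead of their removal in 0.21 as stated in the algorithm list above.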
Zeile 539: Zeile 552:
 ++++ Manual-Page aide | ++++ Manual-Page aide |
    # man aide    # man aide
-<code>AIDE(1)                                  User Commands                                 AIDE(1)+<code>AIDE(1)                                   User Commands                                  AIDE(1)
  
 NAME NAME
Zeile 552: Zeile 565:
 COMMANDS COMMANDS
        --check, -C        --check, -C
-              Checks  the  database for inconsistencies. You must have an initialized database +              Checks  the database for inconsistencies. You must have an initialized database to 
-              to do this. This is also the default command. Without any command  aide  does  a +              do this. This is also the default command. Without any command aide does a check.
-              check.+
  
        --init, -i        --init, -i
-              Initialize  the  database. You must initialize a database and move it to the ap‐ +              Initialize the database. You must initialize a database and move it to the  appro‐ 
-              propriate place (see database_in config option) before you can use  the  --check +              priate  place  (see database_in config option) before you can use the --check com‐ 
-              command.+              mand.
  
        --dry-init, -n (added in AIDE v0.17)        --dry-init, -n (added in AIDE v0.17)
-              Traverse  the  file  system, match each file against the rule tree and report to +              Traverse the file system, match each file against the rule tree and report to std‐ 
-              stdout.+              out.
  
               Neither reports nor the database are written in this mode.               Neither reports nor the database are written in this mode.
  
-              To change the log level in this mode please use the --log-level command line pa‐ +              To change the log level in this mode please use the --log-level command line para‐ 
-              rameter.+              meter.
  
               In this mode aide exits with status 0.               In this mode aide exits with status 0.
  
        --update, -u        --update, -u
-              Checks the database and updates the database non-interactively.  The  input  and+              Checks the database and updates the database  non-interactively.   The  input  and
               output databases must be different.               output databases must be different.
  
        --compare, -E        --compare, -E
-              Compares  two databases. They must be defined in config file with database=<url>+              Compares  two  databases.  They must be defined in config file with database=<url>
               and database_new=<url>.               and database_new=<url>.
 +
 +       --list (added in AIDE v0.19)
 +              List the entries of the database in human readable format (analogous  to  the  de‐
 +              tailed report output of new files). Note that the checksums are base16 encoded.
  
        --config-check, -D        --config-check, -D
-              Stops after reading in the configuration file. Any errors will be reported.   To +              Stops  after  reading  in the configuration file. Any errors will be reported.  To 
-              change  the log level in this mode please use the --log-level command line para‐ +              change the log level in this mode please use the --log-level command line  parame‐ 
-              meter.+              ter.
  
-       --path-check=file_type:path, -p file_type:path (added in AIDE v0.17) +       --path-check=file_type[=file_system_type]:path, -p file_type[=file_system_type]:path 
-              Read configuration and match provided file_type and path against rule tree.  The +       (added in AIDE v0.17) 
-              path  is  independent  of  what is in the actual file system and needs to be ab‐ +              Read  configuration  and  match  provided  file_type optionally file system type 
-              solute. See RESTRICTED RULES section in aide.conf (5for supported file types.+              (added in AIDE v0.19, Linux onlyand path against rule tree.
  
-              To change the log level in this mode please use the --log-level command line pa‐ +              The path is independent of what is in the actual file system and needs to  be  ab‐ 
-              rameter.+              solute. See RESTRICTED RULES section in aide.conf (5) for supported file types and 
 +              file system types.
  
-              In this mode aide exits with status 0 if the file would be added to the tree,  +              Please  note  that  the specified file system type is only applied to the file and 
-              if not and 2 if the file does not match specified limit.+              not to the parent directories of the path. If a restricted rule cannot be  matched 
 +              against a parent directory due to the missing file system type aide raises a warn‐ 
 +              ing. 
 + 
 +              To change the log level in this mode please use the --log-level command line para‐ 
 +              meter. 
 + 
 +              In this mode aide exits with status 0 if the file would be added to the tree, 1 if 
 +              not and 2 if the file does not match the specified limit.
  
 PARAMETERS PARAMETERS
        --config=configfile , -c configfile        --config=configfile , -c configfile
-              Configuration  is  read  from  file configfile (see --version output for default+              Configuration  is  read  from  file  configfile  (see --version output for default
               value).  Use '-' for stdin.               value).  Use '-' for stdin.
  
        --limit=REGEX , -l REGEX (added in AIDE v0.16)        --limit=REGEX , -l REGEX (added in AIDE v0.16)
-              Limit command to entries matching REGEX. Note that the REGEX only matches at the+              Limit command to entries matching REGEX. Note that the REGEX only matches  at  the
               first position.               first position.
  
               Example               Example
-                 Only check and update the database entries matching /etc (i.e. the  /etc  di‐ +                 Only  check and update the database entries matching /etc (i.e. the /etc direc‐ 
-                 rectory) while leaving all other entries unchecked and unchanged:+                 tory) while leaving all other entries unchecked and unchanged:
  
                     aide --update --limit /etc                     aide --update --limit /etc
  
        --before="configparameters" , -B "configparameters"        --before="configparameters" , -B "configparameters"
-              These configparameters are handled before the reading of the configuration file.+              These configparameters are handled before the reading of the  configuration  file.
               See aide.conf (5) for more details on what to put here.               See aide.conf (5) for more details on what to put here.
  
        --after="configparameters" , -A "configparameters"        --after="configparameters" , -A "configparameters"
-              These  configparameters are handled after the reading of the configuration file.+              These  configparameters  are  handled after the reading of the configuration file.
               See aide.conf (5) for more details on what to put here.               See aide.conf (5) for more details on what to put here.
  
        --log-level=log_level,-Llog_level (added in AIDE v0.17)        --log-level=log_level,-Llog_level (added in AIDE v0.17)
-              The log level to use (see aide.conf (5) for available log levels  and  more  de‐+              The log level to use (see aide.conf (5) for available  log  levels  and  more  de‐
               tails).  This overwrites the log_level value set in any configuration file.               tails).  This overwrites the log_level value set in any configuration file.
  
        --verbose=verbosity_level,-Vverbosity_level (REMOVED in AIDE v0.17)        --verbose=verbosity_level,-Vverbosity_level (REMOVED in AIDE v0.17)
-              Removed,  use  log_level  and report_level config options instead (see aide.conf +              Removed,  use log_level and report_level config options instead (see aide.conf (5) 
-              (5) for details).+              for details).
  
        --report=reporter,-r reporter (REMOVED in AIDE v0.17)        --report=reporter,-r reporter (REMOVED in AIDE v0.17)
Zeile 631: Zeile 656:
  
        --workers=WORKERS , -W WORKERS (added in AIDE v0.18)        --workers=WORKERS , -W WORKERS (added in AIDE v0.18)
-              Specifies the number of workers (see aide.conf (5) for details). This overwrites+              Specifies the number of workers (see aide.conf (5) for details).  This  overwrites
               the num_workers value set in any configuration file.               the num_workers value set in any configuration file.
 +
 +       --no-progress (added in AIDE v0.19)
 +              Turn  progress  off  explicitly. By default progress is shown if standard error is
 +              connected to a terminal.
 +
 +       --no-color (added in AIDE v0.19)
 +              Turn colored log output off explicitly. By default colored log output  is  enabled
 +              if standard error is connected to a terminal.
  
        --version,-v        --version,-v
Zeile 641: Zeile 674:
  
 EXIT STATUS EXIT STATUS
-       Normally, the exit status is 0 if no errors occurred. Except when the  --check,  --com‐ +       Normally,  the exit status is 0 if no errors occurred. Except when the --check, --compare 
-       pare or --update command was requested, in which case the exit status is defined as:+       or --update command was requested, in which case the exit status is defined as:
  
        1 * (new files reported?    +        1 * (new files reported?    +
Zeile 650: Zeile 683:
        4 * (changed files reported?)        4 * (changed files reported?)
  
-       Since  those  three cases can occur together, the respective error codes are added. For +       Since those three cases can occur together, the respective error codes are added. For ex‐ 
-       example, if there are new files and removed files reported, the exit status will be 1 + +       ample, if there are new files and removed files reported, the exit status will be 1 + 2 = 
-       2 = 3.+       3.
  
        Additionally, the following exit codes are defined for generic error conditions:        Additionally, the following exit codes are defined for generic error conditions:
Zeile 663: Zeile 696:
  
        17 Configuration error        17 Configuration error
- 
-       18 IO error 
- 
-       19 Version mismatch error 
- 
  
        18 IO error        18 IO error
Zeile 680: Zeile 708:
  
        23 Thread error        23 Thread error
 +
 +       24 Database error
 +
 +       25 received SIGINT, SIGTERM or SIGHUP
  
 SIGNAL HANDLING SIGNAL HANDLING
-       SIGTERM is ignored, use SIGKILL to terminate aide.+       SIGINT, SIGTERM, SIGHUP 
 + 
 +              Remove an incompletely written database (only if  database  file  was  created  by 
 +              aide) and exit (code 25). 
 + 
 +       SIGUSR1 
 + 
 +              Toggle the log_level between current and debug level. 
 + 
 +              SIGUSR1 is only handled after config parsing. 
 + 
 +       SIGWINCH 
 + 
 +              Resize the progress bar (if enabled). 
 + 
 +NOTES 
 +       The  checksums  in the database and in the output are by default base64 encoded (see also 
 +       report_base16 option).  To decode them you can use the following shell command: 
 + 
 +       echo <encoded_checksum> | base64 -d | hexdump -v -e '32/1 "%02x" "\n"' 
 + 
 +FILES 
 +       See --version output for the default config file and the default  database_in  and  data‐ 
 + 
 +              Remove an incompletely written database (only if  database  file  was  created  by 
 +              aide) and exit (code 25). 
 + 
 +       SIGUSR1 
 + 
 +              Toggle the log_level between current and debug level. 
 + 
 +              SIGUSR1 is only handled after config parsing.
  
-       SIGHUP is also ignored.+       SIGWINCH
  
-       SIGUSR1 toggles the log_level between current and debug level.+              Resize the progress bar (if enabled).
  
 NOTES NOTES
-       The checksums in the database and in the output are by default base64 encoded (see also+       The  checksums  in the database and in the output are by default base64 encoded (see also
        report_base16 option).  To decode them you can use the following shell command:        report_base16 option).  To decode them you can use the following shell command:
  
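Review bot: the SIGNAL HANDLING block in this hunk is pasted twice. The first copy runs SIGINT/SIGTERM/SIGHUP, SIGUSR1, SIGWINCH, NOTES and FILES, breaks off mid-word at "the default database_in and data‐", and is then followed by a second "Remove an incompletely written database ... exit (code 25)" paragraph, a second SIGUSR1 and SIGWINCH entry, and a second NOTES and FILES heading. Drop the first copy (from the first "NOTES" line through the truncated "data‐" line and the repeated SIGINT/SIGUSR1 text) so that SIGINT, SIGUSR1 and SIGWINCH appear once, followed by a single NOTES and FILES section, as in the v0.19 man page the rest of the hunk reproduces.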
Zeile 695: Zeile 758:
  
 FILES FILES
-       See --version output for the default config file and the default database_in and  data‐+       See --version output for the default config file and the default  database_in  and  data‐
        base_out config values.        base_out config values.
  
Zeile 702: Zeile 765:
  
 BUGS BUGS
-       There    are    probably    bugs    in    this   release.   Please   report   them   at+       There    are    probably    bugs    in    this    release.    Please   report   them   at
        https://github.com/aide/aide/issues .        https://github.com/aide/aide/issues .
  
 DISCLAIMER DISCLAIMER
-       All trademarks are the property of their respective owners.   No  animals  were  harmed +       All trademarks are the property of their respective owners.  No animals were harmed while 
-       while making this webpage or this piece of software. Although some pizza delivery guy'+       making this webpage or this piece of software. Although some pizza delivery  guy' feel‐ 
-       feelings were hurt.+       ings were hurt.
  
-aide v0.18.8                              2024-05-09                                   AIDE(1)+aide v0.19                                 2025-04-05                                    AIDE(1)
 </code> </code>
  
Zeile 717: Zeile 780:
 ++++ Manual-Page aide.conf | ++++ Manual-Page aide.conf |
    # man aide.conf    # man aide.conf
-<code>AIDE.CONF(5)                                 AIDE                                 AIDE.CONF(5)+<code>AIDE.CONF(5)                                  AIDE                                  AIDE.CONF(5)
  
 NAME NAME
Zeile 723: Zeile 786:
  
 SYNOPSIS SYNOPSIS
-       aide.conf  is  the  configuration  file  for  Advanced Intrusion Detection Environment. +       aide.conf  is  the  configuration  file  for  Advanced  Intrusion  Detection Environment. 
-       aide.conf contains the runtime configuration aide uses to initialize or check the  AIDE+       aide.conf contains the runtime configuration aide uses to initialize or  check  the  AIDE
        database.        database.
  
 FILE FORMAT FILE FORMAT
-       aide.conf is case-sensitive. Leading and trailing white spaces are ignored. Each config +       aide.conf  is  case-sensitive. Leading and trailing white spaces are ignored. Each config 
-       lines must end with new line.+       line must end with new line.
  
-       AIDE  uses the backslash character (\) as escape character for ' ' (space), '@' and '\' +       AIDE uses the backslash character (\) as escape character for ' ' (space),  '@'  and  '\' 
-       (backslash) (e.g. '\ ' or '\@'). To literally match a '\' in a file path with a regular+       (backslash)  (e.g.  '\ ' or '\@'). To literally match a '\' in a file path with a regular
        expression you have to escape the backslash twice (i.e. '\\\\').        expression you have to escape the backslash twice (i.e. '\\\\').
  
-       There are three types of lines in aide.conf. First there are the configuration  options +       There are three types of lines in aide.conf. First there are  the  configuration  options 
-       which  are  used  to  set configuration parameters and define groups. Second, there are +       which  are used to set configuration parameters and define groups. Second, there are (re‐ 
-       (restricted) rules that are used to indicate which files are  added  to  the  database. +       stricted) rules that are used to indicate which files/directoires from  the  file  system 
-       Third, macro lines define or undefine variables within the config file. Lines beginning +       are  added  to  the  database. Third, macro lines define or undefine variables within the 
-       with # are ignored as comments.+       config file. Lines beginning with # are ignored as comments.
  
 CONFIG OPTIONS CONFIG OPTIONS
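Review bot: "files/directoires" in the rewritten FILE FORMAT paragraph is a typo for "files/directories". If the text is meant to be a verbatim copy of the upstream aide.conf(5) output for v0.19, leave it and note it as an upstream typo; otherwise correct the spelling here.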
Zeile 745: Zeile 808:
  
        database_in (type: URL, default: see --version output, added in AIDE v0.17)        database_in (type: URL, default: see --version output, added in AIDE v0.17)
-       database (DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19) +       database (REMOVED in AIDE v0.19) 
-              The  url  from  which database is read. There can only be one of these lines. If+              The url from which database is read. There can only be  one  of  these  lines.  If
               there are multiple database lines then the first is used.               there are multiple database lines then the first is used.
  
Zeile 764: Zeile 827:
  
        database_out (type: URL, default: see --version output)        database_out (type: URL, default: see --version output)
-              The url to which the new database is written to. There can only be one of  these+              The  url  to  which the new database is written to. There can only be one of these
               lines. If there are multiple database_out lines then the first is used.               lines. If there are multiple database_out lines then the first is used.
  
Zeile 771: Zeile 834:
  
        database_attrs (type: attribute expression, default: H, added in AIDE v0.16)        database_attrs (type: attribute expression, default: H, added in AIDE v0.16)
-              The attributes of the (uncompressed) database files which are to be added to the +              The attributes of the (uncompressed) database files which are to be added  to  the 
-              reports  in  report  level >= database_attributes . Only checksum attributes are +              reports in report level >= database_attributes . Only checksum attributes are sup‐ 
-              supported. To disable set database_attrs to 'E'.+              ported. To disable set database_attrs to 'E'.
  
        database_add_metadata (type: bool, default: true, added in AIDE v0.16)        database_add_metadata (type: bool, default: true, added in AIDE v0.16)
-              Whether to add the AIDE version and the time of database generation as  comments +              Whether to add the AIDE version and the time of database generation as comments to 
-              to the database file or not. This option may be set to false by default in a fu‐ +              the  database  file or not. This option may be set to false by default in a future 
-              ture release.+              release.
  
        log_level (type: log level, default: warning, added in AIDE v0.17)        log_level (type: log level, default: warning, added in AIDE v0.17)
-              The  log level to use. Log messages are written to stderr. If there are multiple +              The log level to use. Log messages are written to stderr. If  there  are  multiple 
-              log_level lines then the first one is used. The --log-level or -L  command  line +              log_level lines then the first one is used. The --log-level or -L command line op‐ 
-              option overwrites this option.+              tion overwrites this option.
  
               The following log levels are available:               The following log levels are available:
  
-                     error: show unrecoverable issues that have to be handled by the user. Er‐+                     error:  show  unrecoverable issues that have to be handled by the user. Er‐
                      rors are fatal to the AIDE process.                      rors are fatal to the AIDE process.
  
-                     warning:  additionally  show  recoverable issues that most likely lead to +                     warning: additionally show recoverable issues that most likely lead to  un‐ 
-                     unexpected behaviour and should be handled by the user+                     expected behaviour and should be handled by the user
  
-                     notice: additionally show recoverable issues that sometimes lead to unex‐+                     notice:  additionally  show recoverable issues that sometimes lead to unex‐
                      pected behaviour and might be handled by the user.                      pected behaviour and might be handled by the user.
  
                      info: additionally show informational messages                      info: additionally show informational messages
 +
 +                     compare: additionally show messages to help to debug  file  comparison  and
 +                     (special) attribute handling
 +
 +                     The  log levels below are very verbose and can easily generate multiple gi‐
 +                     gabytes of log data (depending on the number of  processed  files  and  the
 +                     size  of  the  rule tree). For debugging it is recommended to use these log
 +                     levels together with the --limit parameter (see aide (1) for details).
  
                      rule: additionally show messages to help to debug the path rule matching                      rule: additionally show messages to help to debug the path rule matching
  
-                     compare: additionally show messages to help to debug file comparison  and +                     config: additionally show messages to help to debug config and rule parsing
-                     (special) attribute handling+
  
-                     config: additionally show messages to help to debug config and rule pars‐ +                     debug: additionally show messages that are useful to debug the application
-                     ing+
  
-                     debug additionally  show messages that are useful to debug the applica‐ +                     limit: additionally show messages about skipped entries due to limit match
-                     tion (very verbose)+
  
-                     thread: additionally show messages about thread processing  (e.g.  broad‐ +                     thread: additionally show messages about thread processing (e.g.  broadcast 
-                     cast events)+                     events)
  
-                     trace:  detailed  information about the flow of the application (e.g. in- +                     trace:  additionallyt  show messages about the internal data structures and 
-                     loop logging) (even more verbose)+                     the flow of the application (e.g. in-loop logging) (extremely verbose)
  
        verbose (type: number, range: 0 - 255, default: 5, REMOVED in AIDE v0.17)        verbose (type: number, range: 0 - 255, default: 5, REMOVED in AIDE v0.17)
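Review bot: the new description of the trace log level reads "additionallyt show messages", a typo for "additionally". Same caveat as for the other pasted man page text: correct it unless the page intends a character-for-character copy of the upstream output.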
Zeile 819: Zeile 887:
  
        gzip_dbout (type: bool, default: false)        gzip_dbout (type: bool, default: false)
-              Whether the output to the database is gzipped or not. This option  is  available+              Whether the output to the database is gzipped or not.  This  option  is  available
               only if zlib support is compiled in.               only if zlib support is compiled in.
  
        root_prefix (type: path, default: <empty>, added in AIDE v0.16)        root_prefix (type: path, default: <empty>, added in AIDE v0.16)
-              The  prefix  to strip from each file name in the file system before applying the +              The  prefix  to  strip  from each file name in the file system before applying the 
-              rules and writing to database. AIDE removes a trailing slash  from  the  prefix. +              rules and writing to database. AIDE removes a trailing slash from the prefix.   If 
-              If  there are multiple root_prefix lines then the first one is used. This option +              there  are  multiple root_prefix lines then the first one is used. This option has 
-              has no effect in compare mode.+              no effect in compare mode.
  
        acl_no_symlink_follow (type: bool, default: false)        acl_no_symlink_follow (type: bool, default: false)
-              Whether to check ACLs for symlinks or not. This option is available only if  acl+              Whether to check ACLs for symlinks or not. This option is available  only  if  acl
               support is compiled in.               support is compiled in.
  
Zeile 836: Zeile 904:
  
        config_version (type: string, default: <empty>)        config_version (type: string, default: <empty>)
-              The  value  of  config_version  is printed in the report and also printed to the +              The value of config_version is printed in the report and also printed to the data‐ 
-              database. This is for informational purposes only. It has no  other  functional‐ +              base. This is for informational purposes only. It has no other functionality.
-              ity.+
  
        config_check_warn_unrestricted_rules (type: bool, default: false, added in AIDE v0.18)        config_check_warn_unrestricted_rules (type: bool, default: false, added in AIDE v0.18)
-              Whether  to warn on unrestricted rules during config check. To explicitly define+              Whether  to  warn  on unrestricted rules during config check. To explicitly define
               unrestricted rules use 0 (zero) as restriction character.               unrestricted rules use 0 (zero) as restriction character.
  
        num_workers (type: number|percentage, default: 1, added in AIDE v0.18)        num_workers (type: number|percentage, default: 1, added in AIDE v0.18)
-              Specifies the number of simultaneous workers (threads) for file  attribute  pro‐ +              Specifies the number of simultaneous workers (threads) for file attribute process‐ 
-              cessing (i.a. hashsum calculation).+              ing (i.a. hashsum calculation).
  
-              The  number of workers can be a positive integer (e.g. '4') or the percentage of +              The number of workers can be a positive integer (e.g. '4') or  the  percentage  of 
-              the available processors (e.g.  '60%').  The  resulting  number  of  workers  is +              the  available processors (e.g. '60%'). The resulting number of workers is rounded 
-              rounded  up  to  the next integer (e.g. '60%' of 8 processors results in 5 work‐ +              up to the next integer (e.g. '60%' of 8 processors results in 5 workers).
-              ers).+
  
               If there are multiple num_workers lines then the first one is used.               If there are multiple num_workers lines then the first one is used.
  
-              Use 0 (zero) to disable multi-threading.+              Use 0 (zero) to disable (multi-threaded) workers.
  
               The default value 1 (single worker thread) may be changed in a future release.               The default value 1 (single worker thread) may be changed in a future release.
Zeile 880: Zeile 946:
                     Write report to syslog using LOG_FACILITY.                     Write report to syslog using LOG_FACILITY.
  
-       The following report options are available (to take effect they have to be  set  before +       The following report options are available (to take effect they have to be set before re‐ 
-       report_url):+       port_url):
  
        report_level (type: report level, default: changed_attributes, added in AIDE v0.17)        report_level (type: report level, default: changed_attributes, added in AIDE v0.17)
Zeile 903: Zeile 969:
                          Uid       : 0                                | 106                          Uid       : 0                                | 106
  
-                     The  left column shows the old value (e.g. from the database_in database)+                     The left column shows the old value (e.g. from  the  database_in  database)
                      and the right column shows the new value (e.g. from the file system).                      and the right column shows the new value (e.g. from the file system).
  
-              added_removed_attributes: additionally print details about added and removed at‐+              added_removed_attributes:  additionally  print details about added and removed at‐
               tributes               tributes
  
-              added_removed_entries: additionally print details about added  and  removed  en‐ +              added_removed_entries: additionally print details about added and removed entries
-              tries+
  
        report_format (type: report format, default: plain, added in AIDE v0.18)        report_format (type: report format, default: plain, added in AIDE v0.18)
Zeile 920: Zeile 985:
  
        report_base16 (type: bool, default: false, added in AIDE v0.17)        report_base16 (type: bool, default: false, added in AIDE v0.17)
-              Base16 encode the checksums in the report. The default is to report checksums in+              Base16 encode the checksums in the report. The default is to report  checksums  in
               base64 encoding.               base64 encoding.
  
        report_detailed_init (type: bool, default: false, added in AIDE v0.16)        report_detailed_init (type: bool, default: false, added in AIDE v0.16)
-              Report  added  files  (report  level  >= list_entries) and their details (report +              Report  added files (report level >= list_entries) and their details (report level 
-              level >= added_removed_entries) in initialization mode.+              >= added_removed_entries) in initialization mode.
  
        report_quiet (type: bool, default: false, added in AIDE v0.16)        report_quiet (type: bool, default: false, added in AIDE v0.16)
Zeile 934: Zeile 999:
  
        report_grouped (type: bool, default: true, added in AIDE v0.17)        report_grouped (type: bool, default: true, added in AIDE v0.17)
-       grouped (DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19)+       grouped (REMOVED in AIDE v0.19)
               Group the files in the report by added, removed and changed files.               Group the files in the report by added, removed and changed files.
  
        report_summarize_changes (type: bool, default: true, added in AIDE v0.17)        report_summarize_changes (type: bool, default: true, added in AIDE v0.17)
-       summarize_changes (DEPRECATED since AIDE v0.17, will be removed in AIDE v0.19) +       summarize_changes (REMOVED in AIDE v0.19) 
-              Summarize changes in the added, removed and changed files sections  of  the  re‐ +              Summarize changes in the added, removed and changed files sections of the report.
-              port.+
  
-              The general format is like the string YlZbpugamcinHAXSEC, where Y is replaced by +              The general format is like the string YlZbpugamcinHAXSECF, where Y is replaced  by 
-              the  file-type  ('f' for a regular file, 'd' for a directory, 'l' for a symbolic +              the  file-type  ('f'  for  a regular file, 'd' for a directory, 'l' for a symbolic 
-              link, 'c' for a character device, 'b' for a block device, 'p' for   FIFO,  's' +              link, 'c' for a character device, 'b' for a block device, 'p' for a FIFO, 's'  for 
-              for  a unix socket, 'D' for a Solaris door, 'P' for a Solaris event port, '!' if +              a  unix  socket, 'D' for a Solaris door, 'P' for a Solaris event port, '!' if file 
-              file type has changed and '?' otherwise).+              type has changed and '?' otherwise).
  
-              The Z is replaced as follows: A '=' means that the size has not changed,   '<' +              The Z is replaced as follows: A '=' means that the size has not changed, a '<' re‐ 
-              reports   shrinked  size and a '>' reports a grown size.  The other letters in +              ports a shrinked size and a '>' reports a grown size.  The other  letters  in  the 
-              the string are the actual letters that will be  output  if  the  associated  at‐ +              string  are the actual letters that will be output if the associated attribute for 
-              tribute for the item has been changed or a '.' for no change.+              the item has been changed or a '.' for no change.
  
-              Otherwise   '+' is shown if the attribute has been added, a '-' if it has been +              Otherwise a '+' is shown if the attribute has been added, a '-' if it has been re‐ 
-              removed, a ':' if the attribute is ignored (but not forced) or a ' ' if the  at‐+              moved, a ':' if the attribute is ignored (but not forced) or a    if  the  at‐
               tribute has not been checked.               tribute has not been checked.
  
-              The exceptions to this are: (1) a newly created file replaces each letter with a+              The  exceptions  to this are: (1) a newly created file replaces each letter with a
               '+', and (2) a removed file replaces each letter with a '-'.               '+', and (2) a removed file replaces each letter with a '-'.
  
               The attribute that is associated with each letter is as follows:               The attribute that is associated with each letter is as follows:
  
-              o      l means that the link name has changed.+              o      An l means that the link name has changed.
  
               o      A b means that the block count has changed.               o      A b means that the block count has changed.
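Review bot: in the rewritten summarize_changes paragraph the quoted blank for an unchecked attribute has been lost. The old text reads "or a ' ' if the attribute has not been checked", the new text reads "or a    if the attribute has not been checked", so the reader can no longer see which character marks an unchecked attribute. Restore the quoted space (' ') in that sentence.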
Zeile 968: Zeile 1032:
               o      A p means that the permissions have changed.               o      A p means that the permissions have changed.
  
-              o      An u means that the uid has changed.+              o      u means that the uid has changed.
  
               o      A g means that the gid has changed.               o      A g means that the gid has changed.
Zeile 974: Zeile 1038:
               o      An a means that the access time has changed.               o      An a means that the access time has changed.
  
-              o      m means that the modification time has changed.+              o      An m means that the modification time has changed.
  
               o      A c means that the change time has changed.               o      A c means that the change time has changed.
Zeile 980: Zeile 1044:
               o      An i means that the inode has changed.               o      An i means that the inode has changed.
  
-              o      n means that the link count has changed.+              o      An n means that the link count has changed. 
 + 
 +              o      An H means that one or more message digests have changed.
  
-              o      A H means that one or more message digests have changed.+              o      An F means that one file system type has changed (Linux only).
  
-              The  following  letters are only available when explicitly enabled using config‐ +              The following letters are only available when explicitly enabled using configure:
-              ure:+
  
-              o      A means that the access control list has changed.+              o      An A means that the access control list has changed.
  
-              o      X means that the extended attributes have changed.+              o      An X means that the extended attributes have changed.
  
-              o      S means that the SELinux attributes have changed.+              o      An S means that the SELinux attributes have changed.
  
-              o      E means that the file attributes on a second extended file system  have+              o      An E means that the file attributes on a second extended file  system  have
                      changed.                      changed.
  
Zeile 1013: Zeile 1078:
        report_force_attrs (type: attribute expression, default: empty, added in AIDE v0.16)        report_force_attrs (type: attribute expression, default: empty, added in AIDE v0.16)
        report_attributes (REMOVED in AIDE v0.17)        report_attributes (REMOVED in AIDE v0.17)
-              Attributes  which  are always printed in the report for changed files. If an at‐ +              Attributes  which  are  always  printed in the report for changed files. If an at‐ 
-              tribute is both ignored and forced the attribute  is  not  considered  for  file +              tribute is both ignored and forced the attribute is not considered for file change 
-              change  but  printed  in the final report as long as the file has been otherwise +              but printed in the final report as long as the file has been otherwise changed.
-              changed.+
  
        report_ignore_e2fsattrs (type: string, default: 0, added in AIDE v0.16)        report_ignore_e2fsattrs (type: string, default: 0, added in AIDE v0.16)
-              List (no delimiter) of ext2 file attributes which are to be ignored in  the  re‐ +              List (no delimiter) of ext2 file attributes which are to be ignored in the report. 
-              port.   See  chattr(1)  for the available attributes. Use 0 (zero) to not ignore +              See chattr(1) for the available attributes. Use 0 (zero) to  not  ignore  any  at‐ 
-              any attribute. Ignored attributes are represented by a ':' in the report.+              tribute. Ignored attributes are represented by a ':' in the report.
  
-              By default AIDE also reports changes of the read-only  attributes  mentioned  in+              By  default  AIDE  also  reports  changes of the read-only attributes mentioned in
               chattr(1) (see example below how to ignore those changes).               chattr(1) (see example below how to ignore those changes).
  
               Example:               Example:
  
-                 Ignore  changes of the read-only ext2 file attributes verify (V), inline data+                 Ignore changes of the read-only ext2 file attributes verify  (V),  inline  data
                  (N), indexed directory (I) and encrypted (E):                  (N), indexed directory (I) and encrypted (E):
  
Zeile 1044: Zeile 1108:
        Default groups        Default groups
  
-            p+ftype+i+l+n+u+g+s+m+c+md5+X+            p+ftype+i+l+n+u+g+s+m+c+sha3_256+X
  
             p+ftype+i+l+n+u+g+X             p+ftype+i+l+n+u+g+X
Zeile 1050: Zeile 1114:
        >      Growing file p+ftype+l+u+g+i+n+s+growing+X        >      Growing file p+ftype+l+u+g+i+n+s+growing+X
  
-            all compiled in hashsums (added in AIDE v0.17)+            all compiled in (and not deprecated) hashsums (added in AIDE v0.17)
  
-            acl+selinux+xattrs+e2fsattrs+caps (if attributes are compiled in, added in  AIDE+            acl+selinux+xattrs+e2fsattrs+caps  (if  attributes  are compiled in, added in AIDE
               v0.16)               v0.16)
  
Zeile 1067: Zeile 1131:
               Files and directories matching the regular expression are added to the database.               Files and directories matching the regular expression are added to the database.
  
-       Negative rule:+       Recursive negative rule:
               !<regex>               !<regex>
  
-              Files  and directories matching the regular expression are ignored and not added +              Files and directories matching the regular expression are excluded and  NOT  added 
-              to the database.  The children of matching directories are also ignored.+              to the database. The children of directories and sub-directories are recursed into 
 +              and only not added to the database if they also match the regular expression. 
 + 
 +       Non-recursive negative rule (added in AIDE v0.19) 
 +              -<regex> 
 + 
 +              Files  and  directories matching the regular expression are excluded and NOT added 
 +              the database. The children of directories and  sub-directories  are  not  recursed 
 +              into and hence not added to the database by any means.
  
        Equals rule:        Equals rule:
               =<regex> <attribute expression>               =<regex> <attribute expression>
  
-              Files and directories matching the regular expression are added to the database. +              Files  and  directories matching the regular expression are added to the database. 
-              The children of directories are only added if the regular expression ends with a +              The children of directories are only added if the regular expression ends  with  
-              "/" The children of sub-directories are not added at all.+              "/" The children of sub-directories are not added to the database.
  
-       Every regular expression has to start with an explicit "/" An implicit ^ is added  in +       Every  regular  expression  has to start with an explicit "/" An implicit ^ is added in 
-       front  of each regular expression.  In other words, the regular expressions are matched +       front of each regular expression.  In other words, the regular expressions are matched at 
-       at the first position against the complete path.  Special characters can be escaped us‐ +       the first position against the complete path.  Special characters can  be  escaped  using 
-       ing two-digit URL encoding (for example, %20 to represent a space).+       two-digit URL encoding (for example, %20 to represent a space).
  
-       AIDE uses a deepest-match algorithm to find the tree node to search, but a  first-match+       AIDE  uses   deepest-match algorithm to find the tree node to search, but a first-match
        algorithm inside the node.  (see also rule log level).        algorithm inside the node.  (see also rule log level).
  
Zeile 1093: Zeile 1165:
  
 RESTRICTED RULES RESTRICTED RULES
-       Restricted  rules  are  like normal rules but can be restricted to file types (added in +       Restricted rules are like normal rules but can be restricted to file types (added in AIDE 
-       AIDE v0.16). The following file types are supported:+       v0.16) and/or file system types (added in AIDE v0.19, Linux only).
  
-       f      restrict rule to regular files+       The syntax of restricted rules is as follows:
  
-       d      restrict rule to directories+       Restricted regular rule
  
-            restrict rule to symbolic links+          <regex> <restriction expression> <attribute expression> 
 +          -<regex> <restriction expression>
  
-            restrict rule to character devices+          Files and directories matching both the regular expression and the restriction expres‐ 
 +          sion are excluded and NOT added the database. The children of directories and  sub-di‐ 
 +          rectories are not recursed into and hence not added to the database by any means.
  
-       b      restrict rule to block devices+       Restricted equals rule
  
-            restrict rule to FIFO files+          =<regex> <restriction expression> <attribute expression>
  
-            restrict rule to UNIX sockets+          Files and directories matching both the regular expression and the restriction expres‐ 
 +          sion are added the database. The children of directories are only added if the regular 
 +          expression ends with a "/". The children of sub-directories are not added to the data‐ 
 +          base.
  
-       D      restrict rule to Solaris doors+       Restriction expression
  
-            restrict rule to Solaris event ports+          An restriction expression is of the following form:
  
-            empty restriction, i.e. don'restrict rule (added in AIDE v0.18)+          <restriction expression>: <file types> 
 +                       | =<file system type> 
 +                  restrict rule to FIFO files
  
-       Multiple restrictions can be given as a comma-separated list.+                  restrict rule to UNIX sockets
  
-       The syntax of restricted rules is as follows:+                  restrict rule to Solaris doors
  
-       Restricted regular rule +             P      restrict rule to Solaris event ports
-              <regex> <file types> <attribute expression>+
  
-       Restricted negative rule +          Multiple file type restrictions can be given as a comma-separated list.
-              !<regex> <file types>+
  
-       Restricted equals rule +       File system types (Linux only) 
-              =<regex> <file types> <attribute expression>+ 
 +          The  file  system  type restriction can be specified by file system types magic number 
 +          (e.g. '0x01021994' for tmpfs) or by its name (use 'aide --version' to list the  avail‐ 
 +          able  file  system type names). The magic number must start with '0x' and be formatted 
 +          in hexdecimal format. 
 + 
 +       Empty restriction 
 + 
 +          To explicitly don't restrict a rule use 0 (added in AIDE v0.18). 
 + 
 +       Examples: 
 + 
 +          / d,f R          -/dev =tmpfs 
 + 
 +             Exclude /dev and all children, if /dev is mounted on tmpfs.
  
 MACRO LINES MACRO LINES
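Review bot: the new-side text of the RESTRICTED RULES hunk has lost structure and now misdescribes the restricted regular rule: under the heading "Restricted regular rule" the two syntax lines `<regex> <restriction expression> <attribute expression>` and `-<regex> <restriction expression>` are followed only by "Files and directories matching both the regular expression and the restriction expression are excluded and NOT added the database", i.e. the exclusion semantics of the non-recursive negative rule are attached to the positive rule, and the sentence stating that matching entries are added is gone. Restore separate headings for the `!` and `-` negative forms with their own descriptions, and fix "added the database" to "added to the database" in both places it occurs. Likewise the file-type list after `<restriction expression>: <file types> | =<file system type>` now starts at "p restrict rule to FIFO files"; the entries for f, d, l, c and b were dropped, so the `d,f` used in the example `/ d,f R` is no longer defined anywhere in the section. Smaller fixes: "An restriction expression" should read "A restriction expression", "hexdecimal" should read "hexadecimal", "To explicitly don't restrict a rule use 0" should read "To explicitly not restrict a rule, use 0", and the two examples `/ d,f R` and `-/dev =tmpfs` belong on separate lines, with "Exclude /dev and all children, if /dev is mounted on tmpfs" attached to the second.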
Zeile 1139: Zeile 1231:
        @@else        @@else
        @@endif        @@endif
-              @@if begins an if statement. It must be terminated with  an  @@endif  statement. +              @@if begins an if statement. It must be terminated with an @@endif statement.  The 
-              The  lines between @@if and @@endif are used if the boolean_expression evaluates +              lines  between  @@if  and  @@endif are used if the boolean_expression evaluates to 
-              to true.  If there is an @@else statement then the part between @@if and  @@else +              true.  If there is an @@else statement then the part between @@if  and  @@else  is 
-              is  used  if  boolean_expression  evaluates  to  true otherwise the part between +              used if boolean_expression evaluates to true otherwise the part between @@else and 
-              @@else and @@endif is used.+              @@endif is used.
  
               Available operators and functions in boolean expressions:               Available operators and functions in boolean expressions:
  
                  not boolean_expression                  not boolean_expression
-                    Evaluates to true if the boolean_expression is false,  and  false  if  the+                    Evaluates  to  true  if  the  boolean_expression  is false, and false if the
                     boolean_expression is true.                     boolean_expression is true.
  
Zeile 1157: Zeile 1249:
                  hostname HOSTNAME                  hostname HOSTNAME
  
-                    Evaluates to true if HOSTNAME equals the hostname of the machine that AIDE +                    Evaluates to true if HOSTNAME equals the hostname of the machine  that  AIDE 
-                    is running on. hostname is the name of the host without the domainname (ie+                    is  running  on. hostname is the name of the host without the domainname (ie
                     'hostname', not 'hostname.example.com').                     'hostname', not 'hostname.example.com').
  
Zeile 1164: Zeile 1256:
  
                     Evaluates to true if PATH exists.                     Evaluates to true if PATH exists.
 +
 +                 VERSION_STRING1 version_ge VERSION_STRING2 (added in AIDE v0.19)
 +
 +                    Evaluates to true if VERSION_STRING1  is  greater  than  or  equal  to  VER‐
 +                    SION_STRING2  (e.g.  0.19.1  version_ge 0.18 evaluates to true and 2.17 ver‐
 +                    sion_ge 1.1 to false). The version strings must be in the formaat  MAJOR.MI‐
 +                    NOR.PATCH  (minor and patch version can be omitted, any version suffix (e.g.
 +                    for pre-release) will be truncated).
  
        @@ifdef VARIABLE (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)        @@ifdef VARIABLE (DEPRECATED since AIDE v0.18, will be removed in AIDE v0.20)
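Review bot: the second example in the version_ge paragraph contradicts its own definition: "2.17 version_ge 1.1 to false" cannot hold, since 2.17 is greater than 1.1 and the operator is defined as greater-than-or-equal; an illustration of a false result needs the operands the other way round (e.g. "1.1 version_ge 2.17 evaluates to false"). Also "formaat" should read "format". Since this operator is the intended guard for rules that only exist in newer releases (for instance the `-<regex>` rules introduced in v0.19), a wrong example here is likely to be copied into real configs.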
Zeile 1178: Zeile 1278:
  
        @@{VAR}        @@{VAR}
-              @@{VAR}  is replaced with the value of the variable VAR.  If variable VAR is not +              @@{VAR} is replaced with the value of the variable V 
-              defined an empty string is used. +              The  content of the file is used as if it were inserted in this part of the config 
- +              file.
-              Variables are supported in strings  and  in  regular  expressions  of  selection +
-              lines. +
- +
-              Pre-defined marco variables: +
- +
-                 @@{HOSTNAME}: hostname of the current system +
- +
-       @@include FILE +
-              Include FILE. +
-              The  content of the file is used as if it were inserted in this part of the con‐ +
-              fig file.+
  
               The maximum depth of nested includes is 16.               The maximum depth of nested includes is 16.
  
        @@include DIRECTORY REGEX [RULE_PREFIX] (added in AIDE v0.17)        @@include DIRECTORY REGEX [RULE_PREFIX] (added in AIDE v0.17)
-              Include all (regular) files found in DIRECTORY matching regular expression REGEX+              Include all (regular) files found in DIRECTORY matching regular  expression  REGEX
               (sub-directories are ignored). The file are included in lexical sort order.               (sub-directories are ignored). The file are included in lexical sort order.
  
-              If RULE_PREFIX is set, all rules included by the  statement  are  prefixed  with +              If  RULE_PREFIX  (added in AIDE v0.18) is set, all rules included by the statement 
-              given RULE_PREFIX (added in AIDE v0.18). Prefixes from nested include statements +              are prefixed with given RULE_PREFIX. Prefixes from nested include  statements  are 
-              are concatenated.+              concatenated.
  
-              The content of the files is used as if it were inserted in this part of the con‐ +              The content of the files is used as if it were inserted in this part of the config 
-              fig file.+              file.
  
        @@x_include FILE (added in AIDE v0.17)        @@x_include FILE (added in AIDE v0.17)
        @@x_include DIRECTORY REGEX [RULE_PREFIX]  (added in AIDE v0.17)        @@x_include DIRECTORY REGEX [RULE_PREFIX]  (added in AIDE v0.17)
-              @x_include is identical to @@include, except that if a config file is executable+              @x_include  is  identical to @@include, except that if a config file is executable
               is is run and the output is used as config.               is is run and the output is used as config.
  
-              If  the  executable file exits with status greater than zero or writes to stderr+              If the executable file exits with status greater than zero  or  writes  to  stderr
               aide stops with an error.               aide stops with an error.
  
-              For security reasons DIRECTORY and each executable config file must be owned  by+              For  security  reasons  DIRECTORY and each executable config file must be owned by
               the current user or root. They must not be group- or world-writable.               the current user or root. They must not be group- or world-writable.
  
        @@x_include_setenv VAR VALUE (added in AIDE v0.17)        @@x_include_setenv VAR VALUE (added in AIDE v0.17)
  
-              Adds  the  variable  VAR with the value VALUE to the environment used for config +              Adds the variable VAR with the value VALUE to the environment used for config file 
-              file execution.+              execution.
  
-              Environment variable names are limited to  alphanumeric  characters  (A-Za-z0-9) +              Environment variable names are limited to alphanumeric characters (A-Za-z0-9)  and 
-              and the underscore '_' and must not begin with a digit.+              the underscore '_' and must not begin with a digit.
  
 TYPES TYPES
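Review bot: the new side of the @@{VAR} entry is cut off mid-word ("replaced with the value of the variable V") and then continues with "The content of the file is used as if it were inserted in this part of the config file", which is the description of `@@include FILE`; the `@@include FILE` heading, the note that an undefined variable expands to an empty string, the sentence that variables are supported in strings and in regular expressions of selection lines, and the predefined `@@{HOSTNAME}` macro have all been dropped. Restore that text; the empty-string behaviour in particular matters, because a mistyped variable inside a selection regex silently widens or narrows the rule. Minor: "The file are included in lexical sort order" should read "The files are included in lexical sort order", and "is is run" in the @@x_include paragraph (present on both sides) should read "it is run". The requirement that DIRECTORY and each executable config file be owned by the current user or root and not be group- or world-writable is the right security caveat and should stay as is.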
Zeile 1233: Zeile 1322:
           An attribute expression is of the following form:           An attribute expression is of the following form:
  
-                   <attribute/group> +                 <attribute expression>: <attribute/group> 
-                 | <expr> + <attribute/group> +                       | <attribute expression> + <attribute/group> 
-                 | <expr> - <attribute/group>+                       | <attribute expression> - <attribute/group>
  
        URLS        URLS
-          Urls  can  be  one  of  the following. Input urls cannot be used as outputs and vice +          Urls can be one of the following. Input urls cannot be used as outputs and vice versa.
-          versa.+
  
                  stdout                  stdout
Zeile 1251: Zeile 1339:
  
                  fd:number                  fd:number
-                        Input is read from filedescriptor number or output is written to  num‐ +                        Input is read from filedescriptor number or output is written to number.
-                        ber.+
  
                  syslog:LOG_FACILITY                  syslog:LOG_FACILITY
Zeile 1261: Zeile 1348:
  
        ftype  file type (added in AIDE v0.15)        ftype  file type (added in AIDE v0.15)
 +
 +       fstype file system type (Linux-only, added in AIDE v0.19)
  
             permissions             permissions
Zeile 1266: Zeile 1355:
             inode             inode
  
-            link name+            link name (symbolic links only)
  
             number of links             number of links
Zeile 1284: Zeile 1373:
             ctime             ctime
  
-       acl    access control list (requires libacl+       acl    access control list (requires libacl, Linux-only)
- +
-       selinux +
-              selinux attributes (requires libselinux) +
- +
-       xattrs extended attributes (requires libattr) +
- +
-       e2fsattrs +
-              file  attributes  on  a  second  extended  file  system see  also   report_ig‐ +
-              nore_e2fsattrs  option (requires libext2fs, added in AIDE v0.15) +
- +
-       caps   file capabilities (requires libcap2, added in AIDE v0.17) +
- +
-       Use 'aide --version' to show which compiled-in attributes are available. +
        Special attributes        Special attributes
  
-            check for growing size (DEPRECATED since AIDE v0.18, will  be  removed  in  AIDE+            check for growing size (DEPRECATED since AIDE  v0.18,  will  be  removed  in  AIDE
               v0.20)               v0.20)
  
Zeile 1308: Zeile 1383:
             ignore changed filename             ignore changed filename
  
-              When  I is used, the inode of the old file is used to search for a moved file in +              When  I  is  used,  the inode of the new file is used to search for a moved source 
-              the new database.+              file in the old database.
  
-              Source and target file have to be located in the same directory and  must  share +              Source and target file have to be located in the same directory and must share the 
-              the  same  attributes  (except  for special attributes ANF, ARF, I, growing, and +              same attributes (except for special attributes ANF,  ARF,  I,  growing,  and  com‐ 
-              compressed).+              pressed).
  
               For moved entries a change of the ctime attribute is ignored.               For moved entries a change of the ctime attribute is ignored.
Zeile 1332: Zeile 1407:
               ctime: if new ctime is greater than old ctime               ctime: if new ctime is greater than old ctime
  
-              hashsums: if the hashsum of the new file restricted to the old size  equals  the+              hashsums:  if  the  hashsum  of the new file restricted to the old size equals the
               hashsums of the old file               hashsums of the old file
  
Zeile 1340: Zeile 1415:
               ignore compressed file (added in AIDE v0.18)               ignore compressed file (added in AIDE v0.18)
  
-              When  compressed  is  used, the uncompressed hashsums of the new compressed file +              When compressed is used, the uncompressed hashsums  of  the  new  compressed  file 
-              (supported compressions: gzip) are used to search for the uncompressed  file  in +              (supported compressions: gzip) are used to search for the uncompressed file in the 
-              the old database.+              old database.
  
-              The  old uncompressed and the new compressed file have to be located in the same +              The  old  uncompressed  and the new compressed file have to be located in the same 
-              directory and must share the same attributes (except for special attributes ANF, +              directory and must share the same attributes (except for special  attributes  ANF, 
-              ARF, I, growing, and compressed) including at least one hashsum.+              ARF, I, growing, and compressed) including at least one common hashsum.
  
               Changes of the inode, size, bcount and ctime attributes are ignored.               Changes of the inode, size, bcount and ctime attributes are ignored.
  
-              The growing attribute (i.e. the old file size) is not considered for  compressed+              The  growing  attribute  (i.e. the old file size) is not considered for compressed
               files during the calculation of the uncompressed hashsums.               files during the calculation of the uncompressed hashsums.
  
Zeile 1357: Zeile 1432:
        ANF    allow new files        ANF    allow new files
  
-              When  'ANF' is used, new files are added to the new database, but are ignored in+              When 'ANF' is used, new files are added to the new database, but  are  ignored  in
               the report.               the report.
  
        ARF    allow removed files        ARF    allow removed files
  
-              When 'ARF' is used, files missing on disk are omitted from the new database, but+              When  'ARF'  is used, files missing on disk are omitted from the new database, but
               are ignored in the report.               are ignored in the report.
  
-       Hashsums attributes+       Hashsums attributes (regular files only)
  
-       md5    MD5 checksum (not in libgcrypt FIPS mode)+          sha256 SHA-256 checksum
  
-       sha1   SHA-checksum+          sha512 SHA-512 checksum
  
-       sha256 SHA-256 checksum+          sha512_256 (added in AIDE v0.19) 
 +                 SHA-512 checksum truncated to 256 output bits
  
-       sha512 SHA-512 checksum+          sha3_256 (added in AIDE v0.19) 
 +                 SHA3-256 checksum
  
-       rmd160 RIPEMD-160 checksum+          sha3_512 (added in AIDE v0.19) 
 +                 SHA3-512 checksum
  
-       tiger  tiger checksum+          stribog256 (added in AIDE v0.17) 
 +                 GOST R 34.11-2012, 256 bit checksum
  
-       haval  haval256 checksum (libmhash only)+          stribog512 (added in AIDE v0.17) 
 +                 GOST R 34.11-2012, 512 bit checksum
  
-       crc32  crc32 checksum+          md5 (DEPRECATED since AIDE v0.19, will be removed in AIDE v0.21) 
 +                 MD5 checksum (not in libgcrypt FIPS mode)
  
-       crc32b crc32 checksum (libmhash only)+          sha1 (DEPRECATED since AIDE v0.19, will be removed in AIDE v0.21) 
 +                 SHA-1 checksum
  
-       gost   GOST R 34.11-94 checksum+          rmd160 (DEPRECATED since AIDE v0.19, will be removed in AIDE v0.21) 
 +                 RIPEMD-160 checksum
  
-       whirlpool +          gost (DEPRECATED since AIDE v0.19, will be removed in AIDE v0.21) 
-              whirlpool checksum+                 GOST R 34.11-94 checksum
  
-       stribog256 +          crc32 (REMOVED in AIDE v0.19) 
-              GOST R 34.11-2012, 256 bit checksum (libgcrypt only, added in AIDE v0.17)+                 crc32 checksum
  
-       stribog512 +          crc32b (REMOVED in AIDE v0.19) 
-              GOST R 34.11-2012, 512 bit checksum (libgcrypt only, added in AIDE v0.17)+                 crc32 checksum
  
-       Use 'aide --version' to show which hashsums are available.+          haval (REMOVED in AIDE v0.19) 
 +                 haval256 checksum 
 + 
 +          tiger (REMOVED in AIDE v0.19) 
 +                 tiger checksum 
 + 
 +          whirlpool (REMOVED in AIDE v0.19) 
 +                 whirlpool checksum 
 + 
 +          Use 'aide --version' to show which hashsums are available
 + 
 +          Hashsum transitions (since AIDE v0.19): 
 + 
 +          AIDE has limited support for hashsum transitions  (i.e.  ensuring  hashsum  validation 
 +          when  hashsums  are  added/removed from existing entries). If both the old and the new 
 +          entry do mot share common hashsum(s) AIDE tries to additionally calculate the  removed 
 +          hashsum(s)  also for the new entry (this is especieally not supported for moved (I at‐ 
 +          tribute) and compressed (compressed attribute) entries).
  
 EXAMPLES EXAMPLES
-       / R    This adds all files on your machine to the database.  This one line is  a  fully+       / R    This adds all files on your machine to the database.  This one  line  is  a  fully
               qualified configuration file.               qualified configuration file.
  
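Review bot: the hashsum transitions paragraph has two typos that make it hard to read, "do mot share" for "do not share" and "especieally" for "especially"; the clause "this is especieally not supported for moved (I attribute) and compressed (compressed attribute) entries" should read simply "this is not supported for moved (I attribute) and compressed (compressed attribute) entries". The line "Use 'aide --version' to show which hashsums are available" also lost its full stop. Content-wise the hunk is right to keep md5, sha1, rmd160 and gost listed as deprecated with their removal version, but it should say plainly what that means for existing databases: an old database whose entries carry only one of these digests no longer shares a hashsum with entries produced by the new default R group (sha3_256), and only the limited transition logic described here bridges that gap, so a fresh `aide --init` after upgrading is the safe course.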
Zeile 1405: Zeile 1505:
  
        =/foo R        =/foo R
-              Only  /foo  and /foobar are taken into the database.  None of their children are+              Only  /foo  and  /foobar  are taken into the database.  None of their children are
               added.               added.
  
        =/foo/ R        =/foo/ R
-              Only /foo and its children (e.g. /foo/file and /foo/directory)  are  taken  into +              Only /foo and its children (e.g. /foo/file and /foo/directory) are taken into  the 
-              the database.  The children of sub-directories (e.g. /foo/directory/bar) are not+              database.   The  children  of  sub-directories  (e.g.  /foo/directory/bar) are not
               added.               added.
  
Zeile 1437: Zeile 1537:
        Full = ftype+p+l+u+g+s+m+c+a+i+b+n+H+X        Full = ftype+p+l+u+g+s+m+c+a+i+b+n+H+X
        / 0 Full        / 0 Full
-              This  line  defines group Full.  It has all attributes, all compiled in hashsums +              This line defines group Full.  It has all attributes, all compiled in hashsums (H) 
-              (H) and all compiled in extra file attributes (X).  See '--version'  output  for +              and all compiled in extra file attributes (X).  See  '--version'  output  for  the 
-              the  compiled  in  hashsums  and  extra groups.  The example rule is the typical +              compiled  in hashsums and extra groups.  The example rule is the typical catch-all 
-              catch-all rule at the end of the rule list.+              rule at the end of the rule list.
  
        VarTime = InodeData+Checksums        VarTime = InodeData+Checksums
        /etc/ssl/certs/ca-certificates\\.crt$ VarTime        /etc/ssl/certs/ca-certificates\\.crt$ VarTime
               Files that change their mtimes or ctimes but not their contents.               Files that change their mtimes or ctimes but not their contents.
- 
-       VarInode = VarTime-i 
-       /var/lib/nfs/etab$ f VarInode 
-              Files that are recreated regularly but do not change their contents 
- 
-       VarFile = OwnerMode+n+l+X 
-       /etc/resolv\\.conf$ f VarFile 
-              Files that change their contents during system operation 
- 
-       VarDir = OwnerMode+n+i+X 
-       /var/lib/snmp$ d VarDir 
-              Directories that change their contents during system operation 
- 
-       RecreatedDir = OwnerMode+n+X 
        /run/samba$ d RecreatedDir        /run/samba$ d RecreatedDir
               Directories that are recreated regularly and change their contents               Directories that are recreated regularly and change their contents
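Review bot: the new side drops the definitions of VarInode, VarFile, VarDir and RecreatedDir together with their example rules, but keeps the rule "/run/samba$ d RecreatedDir" and its explanation; as shown, RecreatedDir is used without ever being defined, so the example is no longer a valid configuration fragment. Either restore the four group definitions (at least `RecreatedDir = OwnerMode+n+X`) with their one-line explanations, or drop the /run/samba rule along with them.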
Zeile 1464: Zeile 1550:
        Log Handling        Log Handling
  
-       Logs pose a number of special challenges to AIDE.  An active log is  nearly  constantly +       Logs pose a number of special challenges to AIDE.  An active log is nearly constantly be‐ 
-       being  written  to.   The process of log rotation changes file names for files that are +       ing written to.  The process of log rotation changes file names for files that  are  sup‐ 
-       supposed to have unaltered contents.  To save space, Logs are compressed in the process +       posed  to  have unaltered contents.  To save space, Logs are compressed in the process of 
-       of their rotation, and finally, they get deleted.  AIDE is supposed to handle all those +       their rotation, and finally, they get deleted.  AIDE is  supposed  to  handle  all  those 
-       cases without generating reports, and it is still expected to flag the  cases  when  an +       cases  without generating reports, and it is still expected to flag the cases when an at‐ 
-       attacker tampers with logs.+       tacker tampers with logs.
  
-       The following examples suggest a way to handle the common case of log rotation with the +       The following examples suggest a way to handle the common case of log rotation  with  the 
-       logrotate(8)  program, with its options compress, delaycompress and nocopytruncate set.+       logrotate(8)  program,  with  its options compress, delaycompress and nocopytruncate set.
        The vast majority of logs are rotated this way on most Linux systems.        The vast majority of logs are rotated this way on most Linux systems.
  
        ActLog=Full+growing+ANF+I        ActLog=Full+growing+ANF+I
        /var/log/foo\\.log$ f ActLog        /var/log/foo\\.log$ f ActLog
-              An Active Log is typically named foo.log.  It is  constanty  being  written  to. +              An Active Log is typically named foo.log.  It is constanty being written to.   The 
-              The  file  does neither change its mode nor its inode number.  The size only in‐ +              file  does neither change its mode nor its inode number.  The size only increases, 
-              creases, and what is written to the file is not supposed  to  change  (growing). +              and what is written to the file is not supposed to change (growing).   During  log 
-              During  log  rotation,  foo.log is typically renamed to foo.log.1 (or foo.log.0) +              rotation, foo.log is typically renamed to foo.log.1 (or foo.log.0) and the process 
-              and the process is instructed to write to a new foo.log.  Log content is written +              is  instructed  to  write  to a new foo.log.  Log content is written to a new file 
-              to a new file (ANF) and will eventually be renamed to foo.log.1 (I).  The  grow‐ +              (ANF) and will eventually be renamed to foo.log              rename foo.log to foo.log.1 to foo.2.log.gz.
-              ing  attribute  suppresses reports for files that just had content appended when +
-              compared to the database.  A change of the old content is still reported! +
- +
-       RotLog=Full +
-       /var/log/foo\\.log\\.1$ f RotLog +
-              foo.log.0 or foo.log.1 is called the Rotated Log, the previously active log  re‐ +
-              named  to the first name of the Log Series that is formed by the rotation mecha‐ +
-              nism.  Right after rotation, the file might still being written to by  the  dae‐ +
-              mon.  To aide, this looks like the Active Log's size decreases and its inode and +
-              timestamps  change.   The  Rotated  Log is not supposed to change its attributes +
-              once the process has stopped writing to it.  Reports might be generated if  aide +
-              runs  while  the  process still writes to the Rotated Log, but this is quite un‐ +
-              likely to happen.  Some log rotation mechanisms rename foo.log to  foo.log.0  to +
-              foo.log.1.gz, others rename foo.log to foo.log.1 to foo.2.log.gz.+
  
        CompSerLog=Full+I+compressed        CompSerLog=Full+I+compressed
        /var/log/foo\\.log\\.2\\.gz$ f CompSerLog        /var/log/foo\\.log\\.2\\.gz$ f CompSerLog
-              In  the  next rotation step, foo.log.1 gets compressed to foo.log.2.gz, becoming +              In the next rotation step, foo.log.1 gets compressed to foo.log.2.gz, becoming the 
-              the Compressed Log in the Log Series.  With this rule, AIDE does not report this +              Compressed Log in the Log Series.  With this rule, AIDE does not report this  step 
-              step because it uncompresses the contents of the file and takes the checksum  of +              because it uncompresses the contents of the file and takes the checksum of the un‐ 
-              the  uncompressed  content.   The contents strictly doesn't change, but some at‐ +              compressed  content.   The  contents  strictly  doesn't change, but some attribute 
-              tribute changes are ignored (compressed).+              changes are ignored (compressed).
  
        MidlSerLog=Full+I        MidlSerLog=Full+I
        /var/log/foo\\.log\\.[345]\\.gz$ f MidlSerLog        /var/log/foo\\.log\\.[345]\\.gz$ f MidlSerLog
-              In the next log rotation, all foo.log.{x} get  renamed  to  foo.log.{x+1}.   The +              In the next log rotation, all foo.log.{x} get renamed to foo.log.{x+1}.  The other 
-              other attributes are not supposed to change.+              attributes are not supposed to change.
  
        LastSerLog=Full+ARF        LastSerLog=Full+ARF
        /var/log/foo\\.log\\.6\\.gz$ f LastSerLog        /var/log/foo\\.log\\.6\\.gz$ f LastSerLog
-              The  configuration of the log rotation process specifies a number of log genera‐ +              The configuration of the log rotation process specifies a number  of  log  genera‐ 
-              tions to keep. The last log in the series is therefore  removed  from  the  disk+              tions  to  keep.  The  last  log  in the series is therefore removed from the disk
               (ARF).               (ARF).
  
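Review bot: The right-hand ActLog paragraph is cut off mid-sentence ("will eventually be renamed to foo.log              rename foo.log to foo.log.1 to foo.2.log.gz."), and the entire RotLog=Full rule with its /var/log/foo\\.log\\.1$ selection line and description has disappeared, although the CompSerLog paragraph that follows still refers to foo.log.1 being compressed "in the next rotation step". Re-paste the LOG ROTATION section from the aide.conf(5) page of 0.19 so that the series ActLog, RotLog, CompSerLog, MidlSerLog, LastSerLog is complete again.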
Zeile 1520: Zeile 1592:
  
        empty files        empty files
-              It might be the case that a log is actually created, but never written to.  This +              It might be the case that a log is actually created, but never written  to.   This 
-              commonly  happens  on  rarely  used  web  servers that use the log rotation as a +              commonly  happens on rarely used web servers that use the log rotation as a method 
-              method to cater for data protection regulation.  In result, all files in  a  se‐ +              to cater for data protection regulation.  In result, all files  in  a  series  are 
-              ries  are  identical, breaking the heuristics that aide uses to detect log rota‐ +              identical,  breaking the heuristics that aide uses to detect log rotation.  A pos‐ 
-              tion.  A possible workaround is to begin a newly rotated log with  a  timestamp. +              sible workaround is to begin a newly rotated log with a  timestamp.   With  logro‐ 
-              With logrotate, this can be done in a postrotate scriptlet.+              tate, this can be done in a postrotate scriptlet.
  
        nodelaycompress        nodelaycompress
-              With  logrotate' nodelaycompress option, a log is immediately compressed after +              With logrotate's nodelaycompress option, a log is immediately compressed after re‐ 
-              renaming it from the Active Log name.  For the time being, it is recommended  to +              naming  it from the Active Log name.  For the time being, it is recommended to al‐ 
-              always use the delaycompress option to avoid this behavior.+              ways use the delaycompress option to avoid this behavior.
  
        copytruncate        copytruncate
-              tions to keep. The last log in the series is therefore  removed  from  the  disk 
-              (ARF). 
- 
-       aide 0.18 does not yet support the following cases of log rotation: 
- 
        empty files        empty files
-              It might be the case that a log is actually created, but never written to.  This +              It might be the case that a log is actually created, but never written  to.   This 
-              commonly  happens  on  rarely  used  web  servers that use the log rotation as a +              commonly  happens on rarely used web servers that use the log rotation as a method 
-              method to cater for data protection regulation.  In result, all files in  a  se‐ +              to cater for data protection regulation.  In result, all files  in  a  series  are 
-              ries  are  identical, breaking the heuristics that aide uses to detect log rota‐ +              identical,  breaking the heuristics that aide uses to detect log rotation.  A pos‐ 
-              tion.  A possible workaround is to begin a newly rotated log with  a  timestamp. +              sible workaround is to begin a newly rotated log with a  timestamp.   With  logro‐ 
-              With logrotate, this can be done in a postrotate scriptlet.+              tate, this can be done in a postrotate scriptlet.
  
        nodelaycompress        nodelaycompress
-              With  logrotate' nodelaycompress option, a log is immediately compressed after +              With logrotate's nodelaycompress option, a log is immediately compressed after re‐ 
-              renaming it from the Active Log name.  For the time being, it is recommended  to +              naming  it from the Active Log name.  For the time being, it is recommended to al‐ 
-              always use the delaycompress option to avoid this behavior.+              ways use the delaycompress option to avoid this behavior.
  
        copytruncate        copytruncate
-              With  logrotate' copytruncate  option, the Active Log is not renamed and newly +              With logrotate's copytruncate option, the Active Log is not renamed and newly cre‐ 
-              created but copied to the new file name.  After the copy operation, the old file +              ated but copied to the new file name.  After the copy operation, the old  file  is 
-              is truncated to zero size, allowing the daemon to continuously write to the  al‐ +              truncated  to  zero size, allowing the daemon to continuously write to the already 
-              ready  open  file  handle.   aide  uses  the Inode number to detect the rotation +              open file handle.  aide uses the Inode number  to  detect  the  rotation  process. 
-              process.  That doesn't work with copytruncate because the Inode stays  with  the +              That  doesn' work with copytruncate because the Inode stays with the Active Log. 
-              Active Log.  For the time being, it is recommended to avoid the copytruncate op‐ +              For the time being, it is recommended to avoid the copytruncate  option  to  avoid 
-              tion to avoid this behavior.+              this behavior.
  
 HINTS HINTS
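Review bot: In the copytruncate paragraph of the new text, "That  doesn' work with copytruncate" has lost the t of "doesn't"; the rest of the new block has the possessive corrected ("logrotate's"), so this looks like a paste slip rather than man page wording. Dropping the duplicated "empty files"/"nodelaycompress" blocks and the stray "aide 0.18 does not yet support the following cases" line is the right fix for the old version.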
Zeile 1571: Zeile 1638:
  
 DISCLAIMER DISCLAIMER
-       All  trademarks  are  the  property of their respective owners.  No animals were harmed +       All trademarks are the property of their respective owners.  No animals were harmed while 
-       while making this webpage or this piece of software.+       making this webpage or this piece of software.
  
-aide v0.18.8                              2024-05-09                              AIDE.CONF(5)</code>+aide v0.19                                 2025-04-05                               AIDE.CONF(5) 
 +</code>
 ++++ ++++
  
Zeile 1583: Zeile 1651:
 So können wir später leichter Änderungen mit Hilfe von **''vimdiff''** vergleichen! So können wir später leichter Änderungen mit Hilfe von **''vimdiff''** vergleichen!
  
-Anpassungen und Änderungen an der Konfiguration nehmen mit mit dem Editor unserer Wahl , wie z.B. **''vim''** vor.+Anpassungen und Änderungen an der Konfiguration nehmen mit mit dem Editor unserer Wahl, wie z.B. **''vim''** vor.
    # sudo vim /etc/aide/aide.conf    # sudo vim /etc/aide/aide.conf
  
-<file bash /etc/aide/aide.conf># Example configuration file for AIDE. +<file bash /etc/aide/aide.conf># BEGIN ANSIBLE MANAGED - DO NOT EDIT BLOCK 
-More information about configuration options available in the aide.conf manpage. +Ansible managed configuration file, do not modify manually! 
-Inspired from https://src.fedoraproject.org/rpms/aide/raw/rawhide/f/aide.conf +
- +# ┌──────────────────────────────────────────────────────────────────────┐ 
-# ┌───────────────────────────────────────────────────────────────┐ +# │ Contents of configuration file aide.conf                             │ 
-# │ CONTENTS OF aide.conf                                         │ +# ├──────────────────────────────────────────────────────────────────────┤ 
-# ├─────────────────────────────────────────────────────────────── +│                                                                      │ 
-# │ +# ├──┬───── 1.    VARIABLES                                              │ 
-# ├──VARIABLES +# │  ├───── 1.1   DATABASE                                               │ 
-# │  ├── DATABASE +# │  └───── 1.2   REPORT                                                 │ 
-# │  └── REPORT +# │                                                                      │ 
-# ├──RULES +# ├──┬───── 2.    RULES                                                  │ 
-# │  ├── LIST OF ATTRIBUTES +# │  ├───── 2.1   LIST OF ATTRIBUTES                                     │ 
-# │  ├── LIST OF CHECKSUMS +# │  ├───── 2.2   LIST OF CHECKSUMS                                      │ 
-# │  └── AVAILABLE RULES +# │  └───── 2.3   AVAILABLE RULES                                        │ 
-# ├──PATHS +# │                                                                      │  
-# │  ├──EXCLUDED +# ├──┬───── 3.    PATHS                                                  │ 
-# │  │  ├── ETC +# │  ├──┬── 3.1   EXCLUDED                                               │ 
-# │  │  ├── USR +# │  │  ├── 3.1.1 ETC                                                    │ 
-# │  │  ── VAR +# │  │  ├── 3.1.2 USR                                                    │ 
-# │  └──INCLUDED +# │  │  ── 3.1.3 VAR                                                    │ 
-# │     ├── ETC +│  │  └── 3.1.4 OTHERS                                                 │ 
-# │     ├── USR +# │  └──┬── 3.2.  INCLUDED                                               │ 
-# │     ├── VAR +# │     ├── 3.2.1 ETC                                                    │ 
-# │     └── OTHERS +# │     ├── 3.2.2 USR                                                    │ 
-# │ +# │     ├── 3.2.3 VAR                                                    │ 
-# └─────────────────────────────────────────────────────────────── +# │     └── 3.2.4 OTHERS                                                 │ 
- +│                                                                      │ 
-# ################################################################ VARIABLES +# └──────────────────────────────────────────────────────────────────────┘ 
- +# 
-# ################################ DATABASE+## 1.  VARIABLES 
 +## 1.1 DATABASE
  
 @@define DBDIR /var/lib/aide @@define DBDIR /var/lib/aide
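Review bot: The new aide.conf header says "BEGIN ANSIBLE MANAGED - DO NOT EDIT BLOCK", but the sentence just above still tells the reader to edit /etc/aide/aide.conf with vim; either state that changes belong in the Ansible template (manual edits are overwritten on the next playbook run) or drop the marker from the example. Two smaller points: "nehmen mit mit dem Editor" still doubles "mit", and in the rendered new version several lines show no leading "#" ("Ansible managed configuration file, do not modify manually!", three of the box-drawing "│ ... │" lines, and further down the section titles "2.2 LIST OF CHECKSUMS" / "2.3 AVAILABLE RULES" and comment lines such as "Here we define which directories...", "Ignore root cache files", "Ignore cups", "important files closely."); if that is the actual file content rather than an artifact of the diff view, aide will reject the file at parse time, so run the "aide --config-check" that the page recommends later against exactly this file.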
Zeile 1622: Zeile 1691:
  
 # The location of the database to be read. # The location of the database to be read.
-database_in=file:@@{DBDIR}/aide.db.gz+database_in = http://10.0.0.40/local/pml010074.aide-database
  
 # The location of the database to be written. # The location of the database to be written.
-#database_out=sql:host:port:database:login_name:passwd:table +database_out = file:@@{DBDIR}/pml010074.aide-database
-#database_out=file:aide.db.new +
-database_out=file:@@{DBDIR}/aide.db.new.gz+
  
-# Whether to gzip the output to database +# Whether to gzip the output to database. 
-gzip_dbout=yes+gzip_dbout = no
  
-# ################################ REPORT+## 1.2 REPORT
  
-# Default.+# Default
 log_level=warning log_level=warning
 report_level=changed_attributes report_level=changed_attributes
 +report_url=syslog:LOG_AUTH
  
-report_url=file:@@{LOGDIR}/aide.log +## 2 RULES 
-report_url=stdout +## 2.1 LIST OF ATTRIBUTES
-#report_url=stderr +
-#NOT IMPLEMENTED report_url=mailto:root@foo.com +
-#NOT IMPLEMENTED report_url=syslog:LOG_AUTH +
- +
-# ################################################################ RULES +
- +
-# ################################ LIST OF ATTRIBUTES+
  
 # These are the default parameters we can check against. # These are the default parameters we can check against.
-#p:             permissions +# p:            permissions 
-#i:             inode: +# i:            inode 
-#n:             number of links +# n:            number of links 
-#u:             user +# u:            user 
-#g:             group +# g:            group 
-#s:             size +# s:            size 
-#b:             block count +# b:            block count 
-#m:             mtime +# m:            mtime 
-#a:             atime +# a:            atime 
-#c:             ctime +# c:            ctime 
-#S:             check for growing size +# S:            check for growing size 
-#acl:           Access Control Lists +# acl:          Access Control Lists 
-#selinux        SELinux security context (must be enabled at compilation time) +# selinux       SELinux security context  
-#xattrs:        Extended file attributes+#               (must be enabled at compilation time) 
 +# xattrs:       Extended file attributes
  
-################################ LIST OF CHECKSUMS+2.2 LIST OF CHECKSUMS
  
-#md5:           md5 checksum +# md5:          md5 checksum 
-#sha1:          sha1 checksum +# sha1:         sha1 checksum 
-#sha256:        sha256 checksum +# sha256:       sha256 checksum 
-#sha512:        sha512 checksum +# sha512:       sha512 checksum 
-#rmd160:        rmd160 checksum +# rmd160:       rmd160 checksum 
-#tiger:         tiger checksum +# tiger:        tiger checksum 
-#haval:         haval checksum (MHASH only) +# haval:        haval checksum (MHASH only) 
-#gost:          gost checksum (MHASH only) +# gost:         gost checksum (MHASH only) 
-#crc32:         crc32 checksum (MHASH only) +# crc32:        crc32 checksum (MHASH only) 
-#whirlpool:     whirlpool checksum (MHASH only)+# whirlpool:    whirlpool checksum (MHASH only)
  
-################################ AVAILABLE RULES+2.3 AVAILABLE RULES
  
 # These are the default rules # These are the default rules
-#R:             p+i+l+n+u+g+s+m+c+md5 +# R:            p+i+l+n+u+g+s+m+c+md5 
-#L:             p+i+l+n+u+g +# L:            p+i+l+n+u+g 
-#E:             Empty group +# E:            Empty group 
-#>:             Growing logfile p+l+u+g+i+n+S+# >:            Growing logfile p+l+u+g+i+n+S 
 + 
 +# Default compound groups: 
 +# R:            l+p+u+g+s+c+m+i+n+md5+acl+xattrs+ftype+e2fsattrs 
 +# L:            l+p+u+g+i+n+acl+xattrs+ftype+e2fsattrs 
 +# >:            l+p+u+g+s+i+n+acl+xattrs+ftype+e2fsattrs+growing 
 +# H:            md5+sha1+rmd160+tiger+crc32+gost+sha256+sha512+whirlpool 
 +#                  +stribog256+stribog512 
 +# X:            acl+xattrs+e2fsattrs 
 + 
 +# You can create custom rules - my home made rule definition goes like this 
 +# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
  
-# You can create custom rules - my home made rule definition goes like this  
-ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 
-ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger 
 # Everything but access time (Ie. all changes) # Everything but access time (Ie. all changes)
-EVERYTHING = R+ALLXTRAHASHES+EVERYTHING = R+sha256+sha512
  
 # Sane, with multiple hashes # Sane, with multiple hashes
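Review bot: "database_in = http://10.0.0.40/local/pml010074.aide-database" fetches the reference database over plain, unauthenticated HTTP. The rationale given further down (a local attacker cannot modify a read-only remote database) holds for the monitored host, but an attacker on the network path between the host and 10.0.0.40 can answer that fetch with a database of their choosing, and every check would then report "Looks okay"; AIDE accepts https:// URLs when built with curl, so reach the web server over TLS at least, or verify the downloaded file against a checksum kept outside the host. Also, "EVERYTHING = R+sha256+sha512" still pulls in md5 through R (the "Default compound groups" comment added here lists md5 in R), which this very page marks as deprecated since 0.19 and removed in 0.21; spelling the group out without md5 avoids a surprise at the 0.21 upgrade.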
Zeile 1713: Zeile 1783:
 DATAONLY = p+n+u+g+s+acl+xattrs+sha256 DATAONLY = p+n+u+g+s+acl+xattrs+sha256
  
-# ################################################################ PATHS+## 3. PATHS 
 +# 
 +Here we define which directories and files we want to view or not view 
 +when monitoring with AIDE. 
 +# 
 +## 3.1 EXCLUDED 
 +## 3.1.1 ETC
  
-Next decide what directories/files you want in the database. +Ignore root cache files 
- +!/root/.*
-# ################################ EXCLUDED +
- +
-# ################ ETC+
  
 # Ignore backup files # Ignore backup files
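Review bot: "!/root/.*" is placed under "3.1.1 ETC" with the comment "Ignore root cache files", and the identical rule appears again under 3.1.4 OTHERS; one copy should go. More importantly, the pattern excludes everything below /root, not only the cache, so changes to files like /root/.bashrc or /root/.ssh/authorized_keys are no longer reported at all (the /root/.cache/vim/swap and /root/.viminfo entries of the old run vanish for exactly this reason, and the new check lists only /root itself). If the intent is the cache, narrow it to the cache directory, e.g. "!/root/\.cache/.*", and keep the rest of /root under the "/root NORMAL" line at the end of the file.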
Zeile 1727: Zeile 1800:
 !/etc/mtab !/etc/mtab
  
-# ################ USR+## 3.1.2 USR
  
 # These are too volatile # These are too volatile
Zeile 1733: Zeile 1806:
 !/usr/tmp !/usr/tmp
  
-# ################ VAR+## 3.1.3 VAR
  
 # Ignore logs # Ignore logs
 !/var/lib/pacman/.* !/var/lib/pacman/.*
 !/var/cache/.* !/var/cache/.*
-!/var/log/.*   +!/var/log/.* 
-!/var/log/aide.log +!/var/run/.*
-!/var/run/.*  +
 !/var/spool/.* !/var/spool/.*
  
-# ################################ INCLUDED+## 3.1.4 OTHERS 
 +Ignore cups 
 +!/etc/cups 
 + 
 +Ignore backup files 
 +!/root/.* 
  
-# ################ ETC+## 3.2 INCLUDED 
 +## 3.2.1 ETC
  
-# Check only permissions, inode, user and group for /etc, but cover some important files closely.+# Check only permissions, inode, user and group for /etc, but cover some 
 +important files closely.
 /etc                               PERMS /etc                               PERMS
 /etc/aliases                       FIPSR /etc/aliases                       FIPSR
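Review bot: "!/etc/cups" is filed under "3.1.4 OTHERS" although it belongs with the /etc exclusions in 3.1.1, and the second "!/root/.*" in the same block is commented "Ignore backup files", which it is not; either fix the comment or remove this duplicate. Removing "!/var/log/aide.log" is consistent with report_url now pointing at syslog:LOG_AUTH, since the file is no longer written.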
Zeile 1810: Zeile 1890:
 /etc/zshrc                         NORMAL /etc/zshrc                         NORMAL
  
-# ################ USR+## 3.2.2 USR
  
 /usr                               NORMAL /usr                               NORMAL
 /usr/sbin/stunnel                  FIPSR /usr/sbin/stunnel                  FIPSR
  
-# ################ VAR+## 3.2.3 VAR
  
 /var/log/faillog                   FIPSR /var/log/faillog                   FIPSR
Zeile 1822: Zeile 1902:
 /var/spool/cron/root               FIPSR /var/spool/cron/root               FIPSR
  
-# ################ OTHERS+## 3.2.4 OTHERS
  
 /boot                              NORMAL /boot                              NORMAL
Zeile 1830: Zeile 1910:
 /opt                               NORMAL /opt                               NORMAL
 /root                              NORMAL /root                              NORMAL
-</file> 
  
-Wie eigentlich immer bei der Konfiguration von neuen Programmen lohnt es sich die zugehörige Konfigurationsdatei - in unserem Falle von **AIDE** die **''/etc/aide.conf''** einmal komplett zu lesen! So erhält man einen  Überblick welche Einstellungsoptionen uns AIDE grundsätzlich bietet.  
  
-  * Die ersten Einstellungen die man sich überlegen sollte, wären wo die Datenbanken erstellt und vorgehalten werden sollen und ob diese gepackt werden sollen. +# Host based OTHERS 
-  * Anschließend sollte man sich Gedanken machen, welche Hashingalgorithmen verwendet werden sollen. In den Standardeinstellungen bildet AIDE sieben verschiedene Checksummen für jede überwachte Datei. Zu beachten ist hierbei ggf. ob der bei der Erzeugung der Hash-Werte benötige Rechenaufwand gerechtfertigt ist, oder ob man auf einige davon aus Performancegründen besser verzichtet! In der Regel solten eigentlich zwei verschiedene Hash-Werte Pro Datei ausreichen.  +# local user scripts 
-  * Ferner kann über Regelsätze definiert werden welche Eigenschaften (Parameter) von Verzeichnissen und/oder Dateien überwacht werden sollen. Hier können entsprechende Vorgaben in der Default-Konfigurationsdatei übernommen bzw. auch ganz eigene individiuelle Rule-Sets definiert werden. Folgende Parameter können dabei bei der Bewertung und Überwachung herangezogen werden:+/usr/local/bin/                    FIPSR 
 + 
 +# local scripts with root rights 
 +/usr/local/sbin/                   FIPSR 
 + 
 + 
 +
 +# END ANSIBLE MANAGED - DO NOT EDIT BLOCK</file> 
 + 
 +Wie eigentlich immer bei der Konfiguration von neuen Programmen lohnt es sich die zugehörige Konfigurationsdatei - in unserem Falle von **AIDE** die **''/etc/aide.conf''** einmal komplett zu lesen! So erhält man einen Überblick welche Einstellungsoptionen uns AIDE grundsätzlich bietet.  
 + 
 +  * Die ersten Einstellungen die man sich überlegen sollte, wären wo die Datenbanken erstellt und vorgehalten werden sollen und ob diese gepackt werden sollen.\\ Die Erstellung der AIDE-Datenbank erfolgt lokal. **''database_in''** hingegen wählen wir remote, da wir so sicherstellen können, dass ein lokaler Angreifer dieser nur **ro**-beziehbaren Daten nicht manipulieren kann und somit aufwändiges digitales Signieren bzw. verwenden von **ro**-Filesystemen und oder Geräten nicht nötig ist. <WRAP center round tip 100%> 
 +Leider existiert aktuell((Stand: April 2025)) ein **[[https://github.com/aide/aide/issues/184|AIDE does not decompress remote databases]]** so dass wir aktuell auf die Komprimierung der Datenbank verzichten und die Option entsprechend einstellen müssen (**''gzip_dbout = no''**). 
 +</WRAP>  
 +  * Logging : Der Parameter **''report_url''** legt fest wie **AIDE** Ergebnisse seiner Arbeit dokumentieren soll. \\ **''report_url=file:@@{LOGDIR}/aide.log''** definiert z.B. - sofern als **''LOGDIR %%==%% /var/log/''** gesetzt ist, dass die Ergebnisse in der Logdatei **''/var/log/aide.log''** festgehalten werden. \\ **''   
 +report_url=stdout''** wiederum  definiert als Ausgabe die Konsole. Dies kann hilfreich sein, wenn auf einem Host manuell der Aufruf von **''aide''** auf der Konsole ausgegeben werden soll. \\ **''report_url=syslog:LOG_AUTH''** definiert als Logziel das Sys(tem)log|journal. \\ 
 +  * Anschließend sollte man sich Gedanken machen, welche Hashingalgorithmen verwendet werden sollen. In den Standardeinstellungen bildet AIDE sieben verschiedene Prüfsummen für jede überwachte Datei. Zu beachten ist hierbei ggf. ob der bei der Erzeugung der Hash-Werte benötige Rechenaufwand gerechtfertigt ist, oder ob man auf einige davon aus Performancegründen besser verzichtet! In der Regel sollten eigentlich zwei verschiedene Hash-Werte Pro Datei ausreichen. \\ \\ 
 +  * Ferner kann über Regelsätze definiert werden welche Eigenschaften (Parameter) von Verzeichnissen und/oder Dateien überwacht werden sollen. Hier können entsprechende Vorgaben in der Default-Konfigurationsdatei übernommen bzw. auch ganz eigene individuelle Rule-Sets definiert werden. Folgende Parameter können dabei bei der Bewertung und Überwachung herangezogen werden:
     * p: Überprüfen Sie die Dateiberechtigungen der ausgewählten Dateien oder Verzeichnisse.     * p: Überprüfen Sie die Dateiberechtigungen der ausgewählten Dateien oder Verzeichnisse.
     * i: Überprüfen Sie die Inode-Nummer. Jeder Dateiname hat eine eindeutige Inode-Nummer, die sich nicht ändern sollte.     * i: Überprüfen Sie die Inode-Nummer. Jeder Dateiname hat eine eindeutige Inode-Nummer, die sich nicht ändern sollte.
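Review bot: In the list item on report_url, the hard line break inside "**''   / report_url=stdout''**" ends the DokuWiki list item, so "report_url=stdout'' wiederum definiert als Ausgabe die Konsole" will render as a separate paragraph outside the list (and with the bold/monospace markup out of balance); join the two lines. The same list also argues that a remote database_in is safe because a local attacker cannot modify a read-only remote file; that covers the host only and not the transport, which in this configuration is plain http to 10.0.0.40, so the claim that signing or read-only media are "nicht nötig" should be qualified accordingly.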
Zeile 1848: Zeile 1943:
     * S: Auf eine geänderte Dateigröße prüfen.     * S: Auf eine geänderte Dateigröße prüfen.
     * I: Änderungen des Dateinamens ignorieren. \\ Folgende Hash-Werte können bei der berechnung der Prüfsummen verwendet werden:     * I: Änderungen des Dateinamens ignorieren. \\ Folgende Hash-Werte können bei der berechnung der Prüfsummen verwendet werden:
-    * md5: md5 Prüfsumme (Die Verwendung von sha256 oder sha512 ist hier empfohlen.) +    * md5: md5 Prüfsumme (deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt - die Verwendung von sha256 oder sha512 ist hier empfohlen.) 
-    * sha1: sha1 Prüfsumme (Die Verwendung von sha256 oder sha512 ist hier empfohlen.)+    * sha1: sha1 Prüfsumme (deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt - die Verwendung von sha256 oder sha512 ist hier empfohlen.)
     * sha256: sha256 Prüfsumme      * sha256: sha256 Prüfsumme 
     * sha512: sha512 Prüfsumme      * sha512: sha512 Prüfsumme 
-    * rmd160: rmd160 Prüfsumme +    * rmd160: rmd160 Prüfsumme (deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt)
     * tiger: tiger Prüfsumme      * tiger: tiger Prüfsumme 
     * haval: haval Prüfsumme (MHASH only)     * haval: haval Prüfsumme (MHASH only)
-    * gost: gost Prüfsumme (MHASH only) +    * gost: gost Prüfsumme ((deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt - MHASH only) 
     * crc32: crc32 Prüfsumme (MHASH only)      * crc32: crc32 Prüfsumme (MHASH only) 
-    * whirlpool: whirlpool Prüfsumme (MHASH only) +    * whirlpool: whirlpool Prüfsumme (MHASH only) \\ \\ 
-  * Zum Schluß muss man sich noch Gedanken machen welche Dateien und Verzeichniss ggf. ausgenommen werden sollen und welche Dateien und Verzeichnisse man in welcher Tiefe überwachen möchte. Die manpage zu **''aide.conf''** liefert hierzu wertvolle und tiefergehende Informationen!  +  * Zum Schluß muss man sich noch Gedanken machen welche Dateien und Verzeichnis ggf. ausgenommen werden sollen und welche Dateien und Verzeichnisse man in welcher Tiefe überwachen möchte. Die manpage zu **''aide.conf''** liefert hierzu wertvolle und tiefer gehende Informationen!  
  
 Ist man mit der Konfiguration von **AIDE** soweit zufrieden und fertig, ist man gut beraten mit Hilfe der Option **''%%--%%config-check''** oder kurz **''-D''** einen Syntax-Check der Konfigurationsdatei vorzunehmen. Ist man mit der Konfiguration von **AIDE** soweit zufrieden und fertig, ist man gut beraten mit Hilfe der Option **''%%--%%config-check''** oder kurz **''-D''** einen Syntax-Check der Konfigurationsdatei vorzunehmen.
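Review bot: In the gost entry, "gost Prüfsumme ((deprecated seit AIDE v0.19, ..." opens a DokuWiki footnote with "((" that is never closed with "))", so the rendered page can swallow the rest of the list into a footnote; it should read "(deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt - MHASH only)" like the md5, sha1 and rmd160 entries. Also "welche Dateien und Verzeichnis ggf. ausgenommen werden sollen" needs the plural "Verzeichnisse" (the old "Verzeichniss" was a typo for the plural, not for the singular), matching "Dateien und Verzeichnisse" later in the same sentence.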
Zeile 1867: Zeile 1962:
 Bevor wir nun die AIDE-Datenbank initial erstellen, werfen wir noch kurz einen Blick auf die Optionen, die bei Aufruf von **''aide''** bei Bedarf verwendet werden können. Bevor wir nun die AIDE-Datenbank initial erstellen, werfen wir noch kurz einen Blick auf die Optionen, die bei Aufruf von **''aide''** bei Bedarf verwendet werden können.
    # aide --help    # aide --help
-<code>AIDE 0.18.8 +<code>AIDE 0.19 
  
 Usage: aide [options] command Usage: aide [options] command
Zeile 1877: Zeile 1972:
   -u, --update Check and update the database non-interactively   -u, --update Check and update the database non-interactively
   -E, --compare Compare two databases   -E, --compare Compare two databases
 +      --list List the entries of the database in human readable format
  
 Miscellaneous: Miscellaneous:
Zeile 1891: Zeile 1987:
   -L LEVEL --log-level=LEVEL Set log message level to LEVEL   -L LEVEL --log-level=LEVEL Set log message level to LEVEL
   -W WORKERS --workers=WORKERS Number of simultaneous workers (threads) for file attribute processing (i.a. hashsum calculation)   -W WORKERS --workers=WORKERS Number of simultaneous workers (threads) for file attribute processing (i.a. hashsum calculation)
-</code>+  --no-progress Turn progress off explicitly 
 +  --no-color TUrn color off explicitly</code>
  
 === Datenbank erstellen === === Datenbank erstellen ===
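Review bot: "--no-color TUrn color off explicitly" has a capitalisation slip ("Turn"); since the block is presented as verbatim "aide --help" output, check whether it was introduced while pasting rather than quoted from the tool.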
Zeile 1897: Zeile 1994:
   [django@pml010074 ~]$ sudo aide --init   [django@pml010074 ~]$ sudo aide --init
  
-<code>Start timestamp: 2025-02-09 13:17:55 +0100 (AIDE 0.18.8)+<code>Start timestamp: 2025-04-09 20:21:40 +0200 (AIDE 0.19)
 AIDE successfully initialized database. AIDE successfully initialized database.
-New AIDE database written to /var/lib/aide/aide.db.new.gz+New AIDE database written to /var/lib/aide/pml010074.aide-database
  
-Number of entries: 470065+Number of entries: 470035
  
 --------------------------------------------------- ---------------------------------------------------
Zeile 1907: Zeile 2004:
 --------------------------------------------------- ---------------------------------------------------
  
-/var/lib/aide/aide.db.new.gz +/var/lib/aide/pml010074.aide-database 
- MD5       : akLMQIg8ljGsrqITWUMmXQ== + SHA256    : DeZuXvruf0L9fG11oZh5mk1ZepKGFkO/ 
- SHA1      : uobft85sR3iSd/wzsu4PniRHjeM= +             Op1EaaqYtAA
- SHA256    : X5dNJKwN1CMso7uEyG3Kl0HhINFukXYU + SHA512    : 8QtxyYTlwFZVWggkhEjqnS4HhwV6k/Ri 
-             nYBsXz2aSMo+             drMK/NU8OQzveDMAAiFJT6bqJ0KRBLTX 
- SHA512    : DLG7d3whDo3s70PJZi4URK3ci/rScE9t +             rZNy4XA1RSrNQGuekuccYw== 
-             YBrKfqpm/AjNnQywrQPv8AcjX7/TOMAH + STRIBOG256Q/i0VJgmvm/9Jo9pjhlEj3bVTWkgmG0C 
-             8ihTjdCy5LAD3ZlfdJYC7g== +             cLssvKnNxRc
- RMD160    zKkglTAFd6tCn+zxVzNTjeegJG0= + STRIBOG512w/jP8nke9Mr9WuMvyhUFV4VRdhJ7A0z3 
- TIGER     : Hj2m4H+yydhksoj0wMAAE5CWQu1TqXHz +             NuKc0P1oq6G880fu2yOczsFD0Sm8Vy7z 
- CRC32     : fv1+yQ=+             kGvmNQD0z5DDOZbeaRy+/w== 
- WHIRLPOOL IgsuYwxy+0OvCYShwQsQmpC/V0ibURuy + SHA512/256XyVqxWTI2O+KJzjmfvUcm/359DZpclp1 
-             +U3PpE0jtafK8ct3zRj+1wP6L8qSBecU +             UVHA7epku8k
-             uR+4N66Mn7NBhJl8+GkmEw== + SHA3-256  bZ29uT+xik09tjNTMe6RZresToqcoyQn 
- GOST      8jdDWTrwWuHxDouI5CKySf8zrAyt5jem +             wW+98W156UI
-             jUXKnFWkCeo+ SHA3-512  dCRa+TdT97HYTbMx/gcuqNPgudSPUxF7 
- STRIBOG256/FuAlw3yffSGNWpoUwfKO/wgYkrbZ02U +             RpoOGeJPdWjg/l9j/zMfmuF++LQrV7HY 
-             NEbUlsM1RX8+             dqo6Dc3mLcR9OQWIHroN1g==
- STRIBOG512c2uv2hcchsbSE681IRNXu78ntDz2ZF60 +
-             XoxZNbkLev2ZUkvGPhfhxvFWomZfSXiW +
-             /fnsqLQg6W/kSikrQJrHIw==+
  
  
-End timestamp: 2025-02-09 13:22:34 +0100 (run time: 4m 39s)+End timestamp: 2025-04-09 20:24:33 +0200 (run time: 2m 53s)
 </code> </code>
  
Zeile 1936: Zeile 2030:
 Mit der Option **''%%--%%check''** bzw. **''-C''** könne wir nun eine Überprüfung des Dateisystems gegen die zuvor erstellte AIDE-Datenbank durchführen. Mit der Option **''%%--%%check''** bzw. **''-C''** könne wir nun eine Überprüfung des Dateisystems gegen die zuvor erstellte AIDE-Datenbank durchführen.
   [django@pml010074 ~]$ sudo aide --check   [django@pml010074 ~]$ sudo aide --check
-<code>Start timestamp: 2025-02-09 16:47:30 +0100 (AIDE 0.18.8) +<code>Start timestamp: 2025-04-09 20:25:26 +0200 (AIDE 0.19)AIDE found NO differences between database and filesystem. Looks okay!!
-AIDE found NO differences between database and filesystem. Looks okay!!+
  
 Number of entries: 470065 Number of entries: 470065
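Review bot: The new check output runs its first two lines together ("(AIDE 0.19)AIDE found NO differences between database and filesystem."); the line break after the Start timestamp was lost in the paste. In addition the unchanged context line "Number of entries: 470065" is still the February figure, whereas the 0.19 "--init" run just above reports 470035 entries for the same database, so this block appears only partially updated.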
Zeile 1945: Zeile 2038:
 --------------------------------------------------- ---------------------------------------------------
  
-/var/lib/aide/aide.db.gz +http://10.0.0.40/local/pml010074.aide-database 
- MD5       : jyY8ktcG+E5Kq0AtGA5YGQ== + SHA256    : QOiWNRdttVhB5R/npB68/OhUQ7/9e5Ky 
- SHA1      : KogexIU6LuOslIB81mGvMSL1rYo= +             TG1aZhv2fdQ
- SHA256    : QyabDWuO37ZO+xzXmPF28qT7t5WJdSB2 + SHA512    : UARen/wHQ+F2ll9YBbxsggQVM07jFuG4 
-             EwwNVmU1Rlc+             oUNqjiGX5280oAj0tUrnkHHpUmd3P6HP 
- SHA512    : LrcRp1//aeMxufbKBbodCM1YA0NU5EtP +             q0OaDsEyL8aRgnLX1eLu3w== 
-             QdriP1Uh+A7qFULU4WjK9qolnNfZLuDY + STRIBOG256EATID6SUAKrXxSuM9FqgotPE3/LGDR/7 
-             kIPg9LY+g0q1j75Z44T1dA== +             1v/Si6AGsys
- RMD160    51KDSlTiMtIXqe+VQ6A3pDN/uZ8= + STRIBOG512kn8Vcdj/PVReXgzz7QU5uxAadnTNNeQZ 
- TIGER     : 8A61b3JqbPNltkAPxvVgQ7UON2AlRn3q +             cE0rXtHgoaJ+CICnM1tjwI4D54xYdJtV 
- CRC32     : IpaktA=+             3VpIXkLvWWzQccwQMWCLTg== 
- WHIRLPOOL dcQVsfrdV7TGbpAyhNATDGFQ8c7mBG4O + SHA512/256hj73+/VwVX1owrU1q6Q+kPSeQ4klkicl 
-             cX7ZufgFpa8seOIs+gyWHjeWUq4FCsk4 +             NpY7sghzMFI
-             U0qZ+Ela67DDrsVkN5xGCA== + SHA3-256  Qdgr3PyJkMnqUt2hLBzz/ZgMypMifj/v 
- GOST      ltIg5YJ+6BFVE5kbORVh3gRGbwJ4EP0+             ynEbwVKOlME
-             8iJY8o51fUo+ SHA3-512  NRTDCp+sy+xfYsxOLc/bn+h7vd8n9ypI 
- STRIBOG256lmE/qdAVUeE4zEbd7WBISCDXWsUb1bGJ +             Azoln6PqUuDbgSVxwzfaoGLZUQAaThHP 
-             FxSlN0RABQ4+             MQd/ehBFNBna8ZNp70u3VQ==
- STRIBOG512Ox8c77PeIe0dCgFLPawLqWYzMK/9inc4 +
-             FPH6aHMBchh4ctW71d4wZwy3/f42ZUG6 +
-             xz7VX4MQ+X0SFz28//jSsg==+
  
  
-End timestamp: 2025-02-09 16:53:10 +0100 (run time: 5m 40s)+End timestamp: 2025-04-09 20:27:51 +0200 (run time: 2m 25s)
 </code> </code>
  
Zeile 1982: Zeile 2072:
   [django@pml010074 ~]$ sudo aide --check   [django@pml010074 ~]$ sudo aide --check
  
-<code>Start timestamp: 2025-02-09 18:09:12 +0100 (AIDE 0.18.8)+<code>Start timestamp: 2025-04-09 20:25:26 +0200 (AIDE 0.19)
 AIDE found differences between database and filesystem!! AIDE found differences between database and filesystem!!
  
 Summary: Summary:
-  Total number of entries: 470065+  Total number of entries: 470035
   Added entries: 1   Added entries: 1
-  Removed entries: 1 +  Removed entries: 0 
-  Changed entries: 5+  Changed entries: 2
  
 --------------------------------------------------- ---------------------------------------------------
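Review bot: the new "differences found" transcript carries the same `Start timestamp: 2025-04-09 20:25:26 +0200` as the "NO differences" run above (and, further down, the same `End timestamp: 2025-04-09 20:27:51 +0200 (run time: 2m 25s)`), yet reports `Total number of entries: 470035` against 470065 in that first run; two separate runs cannot share start and end timestamps, so one of the two blocks was pasted from the wrong run or edited by hand. Re-paste the second run's header and footer so the transcript is internally consistent.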
Zeile 1996: Zeile 2086:
  
 f+++++++++++++++: /usr/bin/sg_evil_copy f+++++++++++++++: /usr/bin/sg_evil_copy
- 
---------------------------------------------------- 
-Removed entries: 
---------------------------------------------------- 
- 
-f---------------: /root/.cache/vim/swap/%etc%aide.conf.swp 
  
 --------------------------------------------------- ---------------------------------------------------
Zeile 2007: Zeile 2091:
 --------------------------------------------------- ---------------------------------------------------
  
-d = ... mc..    : /root +  ...   i  .   : /etc/aide.conf 
-d < ... mc..    : /root/.cache/vim/swap +... mc..     : /root
-... mci.H   : /root/.lesshst +
-f < ... mci.  : /root/.viminfo +
-... mc..    : /usr/bin+
  
 --------------------------------------------------- ---------------------------------------------------
 Detailed information about changes: Detailed information about changes:
 --------------------------------------------------- ---------------------------------------------------
 +
 +File: /etc/aide.conf
 + Inode     : 4265479                          | 4396623
  
 Directory: /root Directory: /root
- Mtime     : 2025-02-09 13:17:48 +0100        | 2025-02-09 18:04:06 +0100 + Mtime     : 2025-04-08 15:39:09 +0200        | 2025-04-09 19:27:42 +0200 
- Ctime     : 2025-02-09 13:17:48 +0100        | 2025-02-09 18:04:06 +0100 + Ctime     : 2025-04-08 15:39:09 +0200        | 2025-04-09 19:27:42 +0200
- +
-Directory: /root/.cache/vim/swap +
- Size      : 36                               | 0 +
- Mtime     : 2025-02-09 15:17:08 +0100        | 2025-02-09 17:54:25 +0100 +
- Ctime     : 2025-02-09 15:17:08 +0100        | 2025-02-09 17:54:25 +0100 +
- +
-File: /root/.lesshst +
- Size      : 108                              | 120 +
- Mtime     : 2024-07-23 20:50:00 +0200        | 2025-02-09 18:04:06 +0100 +
- Ctime     : 2024-07-23 20:50:00 +0200        | 2025-02-09 18:04:06 +0100 +
- Inode     : 1333674                          | 3542013 +
- SHA256    : zZOZrRdXCuRtg037QvYWyDbVy3t4W6R7 | n7A97JsrI0Va3lyGTzpL/t81Xvml/inc +
-             LwOxBOqzgkg=                     | hA9gyl3LPc0= +
- +
-File: /root/.viminfo +
- Size      : 12742                            | 12357 +
- Mtime     : 2025-02-09 13:17:48 +0100        | 2025-02-09 17:54:25 +0100 +
- Ctime     : 2025-02-09 13:17:48 +0100        | 2025-02-09 17:54:25 +0100 +
- Inode     : 3541891                          | 3542007 +
- SHA256    : mQ8jfMRnqAgFqRmkIexg3hOniGUoY9wm | G0AtQsaESSv2s6mnrPFYR+eIDXkR/G/+
-             gGpvrhaO6ZY=                     | Ft44RhULh+Q= +
- +
-Directory: /usr/bin +
- Size      : 65822                            | 65846 +
- Mtime     : 2025-02-09 13:15:53 +0100        | 2025-02-09 18:05:16 +0100 +
- Ctime     : 2025-02-09 13:15:53 +0100        | 2025-02-09 18:05:16 +0100+
  
  
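Review bot: the two added summary lines `  ...   i  .   : /etc/aide.conf` and `... mc..     : /root` are missing the leading type/size column that AIDE prints (compare the removed `d = ... mc..    : /root` and `f < ... mci.  : /root/.viminfo` in the same hunk); re-copy them from the terminal so readers can match the columns to the detailed section below, where `/etc/aide.conf` shows only an inode change and `/root` an mtime/ctime change.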
Zeile 2052: Zeile 2110:
 --------------------------------------------------- ---------------------------------------------------
  
-/var/lib/aide/aide.db.gz +http://10.0.0.40/local/pml010074.aide-database 
- MD5       : jyY8ktcG+E5Kq0AtGA5YGQ== + SHA256    : QOiWNRdttVhB5R/npB68/OhUQ7/9e5Ky 
- SHA1      : KogexIU6LuOslIB81mGvMSL1rYo= +             TG1aZhv2fdQ
- SHA256    : QyabDWuO37ZO+xzXmPF28qT7t5WJdSB2 + SHA512    : UARen/wHQ+F2ll9YBbxsggQVM07jFuG4 
-             EwwNVmU1Rlc+             oUNqjiGX5280oAj0tUrnkHHpUmd3P6HP 
- SHA512    : LrcRp1//aeMxufbKBbodCM1YA0NU5EtP +             q0OaDsEyL8aRgnLX1eLu3w== 
-             QdriP1Uh+A7qFULU4WjK9qolnNfZLuDY + STRIBOG256EATID6SUAKrXxSuM9FqgotPE3/LGDR/7 
-             kIPg9LY+g0q1j75Z44T1dA== +             1v/Si6AGsys
- RMD160    51KDSlTiMtIXqe+VQ6A3pDN/uZ8= + STRIBOG512kn8Vcdj/PVReXgzz7QU5uxAadnTNNeQZ 
- TIGER     : 8A61b3JqbPNltkAPxvVgQ7UON2AlRn3q +             cE0rXtHgoaJ+CICnM1tjwI4D54xYdJtV 
- CRC32     : IpaktA=+             3VpIXkLvWWzQccwQMWCLTg== 
- WHIRLPOOL dcQVsfrdV7TGbpAyhNATDGFQ8c7mBG4O + SHA512/256hj73+/VwVX1owrU1q6Q+kPSeQ4klkicl 
-             cX7ZufgFpa8seOIs+gyWHjeWUq4FCsk4 +             NpY7sghzMFI
-             U0qZ+Ela67DDrsVkN5xGCA== + SHA3-256  Qdgr3PyJkMnqUt2hLBzz/ZgMypMifj/v 
- GOST      ltIg5YJ+6BFVE5kbORVh3gRGbwJ4EP0+             ynEbwVKOlME
-             8iJY8o51fUo+ SHA3-512  NRTDCp+sy+xfYsxOLc/bn+h7vd8n9ypI 
- STRIBOG256lmE/qdAVUeE4zEbd7WBISCDXWsUb1bGJ +             Azoln6PqUuDbgSVxwzfaoGLZUQAaThHP 
-             FxSlN0RABQ4+             MQd/ehBFNBna8ZNp70u3VQ==
- STRIBOG512Ox8c77PeIe0dCgFLPawLqWYzMK/9inc4 +
-             FPH6aHMBchh4ctW71d4wZwy3/f42ZUG6 +
-             xz7VX4MQ+X0SFz28//jSsg==+
  
  
-End timestamp: 2025-02-09 18:15:03 +0100 (run time: 5m 51s)+End timestamp: 2025-04-09 20:27:51 +0200 (run time: 2m 25s)
 </code> </code>
  
-In der Zusammenfassung sehen wir also in Summe 470.065 Datenbankeinträge, sowie von den Einträgen her ein neuer, ein entfernter sowie ein geänderter Eintrag+In der Zusammenfassung sehen wir also in Summe 470.035 Datenbankeinträge, sowie von den Einträgen her ein neuer, sowie zwei geänderte Einträge
-  Total number of entries: 470065 +  Total number of entries: 470035 
-  Added entries:         +  Added entries:
-  Removed entries: 1 +  Removed entries: 0 
-  Changed entries: 5+  Changed entries: 2
  
 Die Datei **''/usr/bin/sg_evil_copy''** ist neu hinzugekommen sowie die SWAP-Datei **''/root/.cache/vim/swap/%etc%aide.conf.swp''** entfernt worden. Die Datei **''/usr/bin/sg_evil_copy''** ist neu hinzugekommen sowie die SWAP-Datei **''/root/.cache/vim/swap/%etc%aide.conf.swp''** entfernt worden.
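Review bot: the prose was only half-updated. The new summary sentence uses "sowie" twice ("ein neuer, sowie zwei geänderte Einträge" should read "ein neuer und zwei geänderte Einträge"), and the unchanged sentence after it still states that the swap file `/root/.cache/vim/swap/%etc%aide.conf.swp` was removed, although the new transcript reports `Removed entries: 0` and the "Removed entries" block was deleted in this revision; the two changed entries are now `/etc/aide.conf` (inode) and `/root` (mtime/ctime). Rewrite that sentence to match the new output or drop the swap-file clause.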
Zeile 2127: Zeile 2182:
  
 === tägliche checks enablen === === tägliche checks enablen ===
-Wiederkehrende  tägliche Checks führt man am besten und einfachsten des sytemd **''aidecheck.timer''** aus. Zum Aktivieren dieser zeitgesteuerten Checks verwenden wir folgenden Befehl:+Wiederkehrende  tägliche Checks führt man am besten und einfachsten des systemd **''aidecheck.timer''** aus. Zum Aktivieren dieser zeitgesteuerten Checks verwenden wir folgenden Befehl:
  
   [django@pml010074 ~] $ sudo systemctl enable --now aidecheck.timer   [django@pml010074 ~] $ sudo systemctl enable --now aidecheck.timer
Zeile 2146: Zeile 2201:
 </html> </html>
  
 +=== jounald (tägliche) logs ===
 +In der Konfigurationsdatei **''/etc/aide.conf''** definieren wir für die Speicherung der AIDE-Logs im Jounal:
 +
 +   # vim /etc/aide.conf
 +<code>...
 +
 +# Default
 +log_level=warning
 +report_level=changed_attributes
 +report_url=stdout
 +report_url=syslog:LOG_AUTH
 +
 +...</code>
 +
 +Somit können wir einfach die Logeinträge von AIDE einfach ausgeben.
 +   # journalctl -f /usr/bin/aide
 +++++ Ausgabe der AIDE Logeinträge im Journal |
 +<code>Mar 14 16:20:38 pml010070 aide[102360]: Start timestamp: 2025-03-14 16:18:57 +0100 (AIDE 0.18.8)
 +Mar 14 16:20:38 pml010070 aide[102360]: AIDE successfully initialized database.
 +Mar 14 16:20:38 pml010070 aide[102360]: New AIDE database written to /var/lib/aide/pml010070.aide-database
 +Mar 14 16:20:38 pml010070 aide[102360]: 
 +                                        Number of entries:        415354
 +Mar 14 16:20:38 pml010070 aide[102360]: 
 +                                        
 +                                        ---------------------------------------------------
 +                                        The attributes of the (uncompressed) database(s):
 +                                        ---------------------------------------------------
 +Mar 14 16:20:38 pml010070 aide[102360]: 
 +Mar 14 16:20:38 pml010070 aide[102360]: /var/lib/aide/pml010070.aide-database
 +Mar 14 16:20:38 pml010070 aide[102360]:  MD5       : cKcw5jV3zJWP6TMJeRZrWA==
 +Mar 14 16:20:38 pml010070 aide[102360]:  SHA1      : WigC6cPTyrQRFNIhCwKpZqfKm4w=
 +Mar 14 16:20:38 pml010070 aide[102360]:  SHA256    : WGSt7wa0Hg5muPhyqm7djZ2hFEpOuxAb
 +Mar 14 16:20:38 pml010070 aide[102360]:              fbIgEeDhb2E=
 +Mar 14 16:20:38 pml010070 aide[102360]:  SHA512    : U1ybuczO4cQuiNQeaC/+ifx2A35LN12P
 +Mar 14 16:20:38 pml010070 aide[102360]:              khwMFF0cow+EJBgpU/rgPWZ1pHT0R/ft
 +Mar 14 16:20:38 pml010070 aide[102360]:              sqVmFI2kYXTTZVgMC/6exg==
 +Mar 14 16:20:38 pml010070 aide[102360]:  RMD160    : mlbLBlEUShR/TiPhGrfFHxargCg=
 +Mar 14 16:20:38 pml010070 aide[102360]:  TIGER     : RwucrlxNyW0VQZLxlPZcgwK9E1V1AE5E
 +Mar 14 16:20:38 pml010070 aide[102360]:  CRC32     : DBPsjQ==
 +Mar 14 16:20:38 pml010070 aide[102360]:  WHIRLPOOL : Ae/6G8dKIlhG3LWIhPPQIoX/Ft2s6IwZ
 +Mar 14 16:20:38 pml010070 aide[102360]:              VM43NRfO1t8P9+kjyHO3B4ix4QPSlT8C
 +Mar 14 16:20:38 pml010070 aide[102360]:              3u81OG360J1VWXK7IynzLA==
 +Mar 14 16:20:38 pml010070 aide[102360]:  GOST      : ZmqxZHVeDyiJIR1mzgTvleoetI9fYn77
 +Mar 14 16:20:38 pml010070 aide[102360]:              gU7jrp4K9d0=
 +Mar 14 16:20:38 pml010070 aide[102360]:  STRIBOG256: hAF0w3sUx7G5a16cg96B6aUI3ig8BB+2
 +Mar 14 16:20:38 pml010070 aide[102360]:              qAf4Fd3/X+c=
 +Mar 14 16:20:38 pml010070 aide[102360]:  STRIBOG512: vLDF/5VqfXyLeuDt6Yj2LfrBVBYamJwn
 +Mar 14 16:20:38 pml010070 aide[102360]:              dMHKJrrKaXNlY2Y/TVwtnb6bNnpNz9YO
 +Mar 14 16:20:38 pml010070 aide[102360]:              Xs0mvlY+fXVlKPiEzKQvQg==
 +Mar 14 16:20:38 pml010070 aide[102360]: 
 +                                        
 +                                        End timestamp: 2025-03-14 16:20:38 +0100 (run time: 1m 41s)
 +
 +</code>
 +++++   
 ===== Orchestrierung - Installation und Konfiguration von AIDE mit Hilfe von Ansible  ===== ===== Orchestrierung - Installation und Konfiguration von AIDE mit Hilfe von Ansible  =====
 ==== Aufgabenstellung ==== ==== Aufgabenstellung ====
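Review bot: "jounald" in the new heading and "Jounal" in its first sentence should be "journald" and "Journal"; "Somit können wir einfach die Logeinträge von AIDE einfach ausgeben" repeats "einfach". The config excerpt lists `report_url=stdout` and `report_url=syslog:LOG_AUTH` back to back; one sentence stating that AIDE writes its report to every listed `report_url` (the syslog copy is what the journal excerpt then shows) would keep readers from assuming the second line overrides the first.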
Zeile 2162: Zeile 2272:
          -O - | tar -xz --strip-components=1 -C ~/devel/ansible</code>          -O - | tar -xz --strip-components=1 -C ~/devel/ansible</code>
  
-Nach Anpassung der Daten im Inventory kann man anschliessend direkt **[[#ausfuehrung_-_playbooklauf|zur Ausführung schreiten]]**.+Nach Anpassung der Daten im Inventory kann man anschließend direkt **[[#ausfuehrung_-_playbooklauf|zur Ausführung schreiten]]**.
 </WRAP> </WRAP>
  
Zeile 2198: Zeile 2308:
 ++++ ++++
  
-Unser Beispiels-Inventory hat also nunmehr folgenden Aufbau:+Unser Beispiel-Inventory hat also nunmehr folgenden Aufbau:
 <code>inventories/production/ <code>inventories/production/
 ├── group_vars ├── group_vars
Zeile 2263: Zeile 2373:
 </code> </code>
 ++++ ++++
 +== tasks ==
 Wie wir sehen ist die Rolle durchaus überschaubar, im Task **''main.yaml''** verweisen wir lediglich auf die eigentlichen Tasks **''install''**, **''config''** und **''transfer''** Wie wir sehen ist die Rolle durchaus überschaubar, im Task **''main.yaml''** verweisen wir lediglich auf die eigentlichen Tasks **''install''**, **''config''** und **''transfer''**
    $ vim roles/hids/tasks/main.yml    $ vim roles/hids/tasks/main.yml
Zeile 2270: Zeile 2380:
 ++++ ++++
  
-Die Installation von AIDE wird in der ersten Task-Gruppe mit dem tag **''install''** vorgenommen. In den Variablen der Gruppe **''arch''** sind hierbei die Versionsnummer **''aide_version''** wie auch Ort und Stelle **''aide_repo''** definiert von welchem interen Repo-Server wir uns das aide-Paket zum Installieren holen wollen.+Die Installation von AIDE wird in der ersten Task-Gruppe mit dem tag **''install''** vorgenommen. In den Variablen der Gruppe **''arch''** sind hierbei die Versionsnummer **''aide_version''** wie auch Ort und Stelle **''aide_repo''** definiert von welchem internen Repository/Spiegel-Server wir uns das aide-Paket zum Installieren holen wollen.
    $ vim roles/hids/tasks/install.yml    $ vim roles/hids/tasks/install.yml
 ++++ roles/hids/tasks/install.yml | ++++ roles/hids/tasks/install.yml |
Zeile 2276: Zeile 2386:
 ++++ ++++
  
-Die eigentliche Installation Konfiguration sowie das erstellen der initialen AIDE-Datenbank erfolgt im anschließenden Task **''config''**.+Die eigentliche Installation Konfiguration sowie das Erstellen der initialen AIDE-Datenbank erfolgt im anschließenden Task **''config''**.
    $ vim roles/hids/tasks/config.yml    $ vim roles/hids/tasks/config.yml
 ++++ roles/hids/tasks/config.yml | ++++ roles/hids/tasks/config.yml |
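Review bot: "Die eigentliche Installation Konfiguration sowie das Erstellen der initialen AIDE-Datenbank erfolgt im anschließenden Task config" still carries "Installation" over from the previous paragraph; the `install` task group handles installation, so this should read "Die eigentliche Konfiguration sowie das Erstellen der initialen AIDE-Datenbank erfolgen im anschließenden Task config".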
Zeile 2282: Zeile 2392:
 ++++ ++++
  
-Was nun noch fehlt ist das Kopieren der erstellten AIDE-Datenbank auf unseren internen Repository-/Spiegel-Server, was im letzten Task **''transfer''** erledigt wird. Der interne Repository-Serever wird hierbei über den Host-Alias-NAmen **''repo''** angesprochen!+Was nun noch fehlt ist das Kopieren der erstellten AIDE-Datenbank auf unseren internen Repository-/Spiegel-Server, was im letzten Task **''transfer''** erledigt wird. Der interne Repository-Serever wird hierbei über den Host-Alias-Namen **''repo''** angesprochen!
    $ vim roles/hids/tasks/transfer.yml    $ vim roles/hids/tasks/transfer.yml
 ++++ roles/hids/tasks/transfer.yml | ++++ roles/hids/tasks/transfer.yml |
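Review bot: "Repository-Serever" (for "Repository-Server") is still misspelled in the new line although "Host-Alias-NAmen" was corrected on the same line.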
Zeile 2288: Zeile 2398:
 ++++ ++++
  
 +== templates ==
 +Für die Erstellung der AIDE-Konfigurationsdatei **''/etc/aide.conf''** und auch für die individuelle Systemd-Timer Defintion von AIDE **''/etc/systemd/system/aidecheck.timer''** - also wann genau der Check des Systems gegen die Datenbank erfolgen soll - brauchen wir nun noch jeweils ein **[[https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_templating.html|Jinja2]]** Template. Mit Hilfe dieser beiden Templates **''aide_config.j2''** und der darin enthaltenen Schleifendefinitionen werden dann mit Hilfe der Daten aus dem Inventory die benötigte Konfigurationsdateie erzeugt.
 +
 +<WRAP center round tip 80%>
 +Damit nicht nun später alle unsere 42 VMs zum selben Zeitpunkt mit dem Check des jeweiligen Systems beginnen und somit einen vermeidbaren Peak auf unserem Repository-/Spiegel-Server und auf den jeweiligen Virtualisierungsmaschinen verursachen, gilt es nun die Startzeitpunkte der einzelnen Hosts zu streuen. Wir wollen hier natürlich auch nicht bei jedem Lauf des Playbooks später dann unterschiedliche Zufallswerte Produzieren, was die Idee der Idempotenz auch konterkarieren würde. Wir generieren daher für die Minutenzahl von **''00 - 59''** basierend auf den Seed des Hostnamens eine statische zufällige Minutenzahl zwischen **''00''** und **''59''**, die für jeden Host unterschiedlich aber dennoch für diesen gleich bleiben wird. Hierzu Nutzen wir die Ansible-Variable: **''%%{{%% 59 |random(seed=inventory_hostname) %%}}%%''**. Somit werden später alle Checks der System im Zeitraum von **''05:00:00 - 05:59:00''** erfolgen.
 +</WRAP>
 +
 +   $ vim roles/hids/templates/aide_config.j2
 +++++ roles/hids/templates/aide_config.j2 |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/roles/hids/templates/aide_config.j2 }} 
 +++++
 +
 +   $ vim roles/hids/templates/systemd.j2
 +++++ roles/hids/templates/systemd.j2 |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/roles/hids/templates/systemd.j2 }}
 +++++
 +
 +== handlers ==
 +Sollte bei der Abarbeitung des Playbook die individuelle systemd-timer Konfigurationsdatei **''/etc/systemd/system/aidecheck.timer.d/override.conf''** verändert werden, ist natürlich hierbei eine entsprechende Information zum Relaod des System-Daemon notwenig. Hierzu verwenden wir die **[[https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_handlers.html|Ansible Playbook Handlers]]**. Diese Handler werden in den beiden Tasks zur Erstellung der **''aidecheck.timer.d/override.conf''**-Konfigurationsdatei mit Hilfe eines **handler**-Calls aufgerufen, sofern sich die Datei verändert hat. 
 +
 +Zu guter Letzt brauchen wir noch eine Konfiguration der Aufgaben die bei einem **''notify''** abgearbeitet werden sollen.
 +   $ vim roles/hids/handlers/main.yml
 +++++ roles/hids/handlers/main.yml |
 +{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/roles/hids/handlers/main.yml }}
 +++++
  
  
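Review bot: the filter in the tip box, `{{ 59 | random(seed=inventory_hostname) }}`, does not cover the stated range 00-59: Ansible's `random` filter applied to an integer N yields a value from 0 to N-1, so this gives 0..58 and minute 59 is never assigned; use `{{ 60 | random(seed=inventory_hostname) }}` for the described 05:00:00 - 05:59:00 window (the deterministic seeding itself is correct and keeps the play idempotent). Wording in the same hunk: "Defintion" → "Definition", "Konfigurationsdateie" → "Konfigurationsdateien", "Produzieren" and "Nutzen" are verbs and should be lower case, "Mit Hilfe dieser beiden Templates aide_config.j2 und der darin enthaltenen Schleifendefinitionen" names only one of the two templates (the other is `systemd.j2`), and in the handlers paragraph "Relaod" → "Reload", "notwenig" → "notwendig", "des Playbook" → "des Playbooks".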
Zeile 2294: Zeile 2429:
    $ vim playbooks/arch_hids.yml    $ vim playbooks/arch_hids.yml
 ++++ playbooks/arch_hids.yml | ++++ playbooks/arch_hids.yml |
-{{gh> https://gitlab.nausch.org/django/example_kea/-/blob/main/playbooks/arch_hids.yml }}+{{gh> https://gitlab.nausch.org/django/example_aide/-/blob/main/playbooks/arch_hids.yml }}
 ++++ ++++
  
  
  
 +=== Ausführung - Playbooklauf ===
 +Die orchestrierte Variante der Installation und Konfiguration unseres **AIDE**-Daemon gestaltet sich ab sofort sehr einfach, brauchen wir doch lediglich die Konfigurationswerte im Inventory zu hinterlegen und zu pflegen und letztendlich das Playbook entsprechend aufzurufen, wenn z.B. gewollte Änderungen an einem System durch einen Admin bzw. durch den Lauf eines der Ansible-Playbooks erfolgten. 
 +
 +In nachfolgendem Beispiel installieren wir nun unseren AIDE-Daemon auf dem Host **''pml010070''**:
 +   $ ansible-playbook playbooks/arch_hids.yml --limit pml010070
 +
 +<html><pre class="code">
 +<font style="color: rgb(0, 0, 0)">[14:38:36] Gathering Facts</font>
 +<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 1.18s</font>
 +<font style="color: rgb(0, 0, 0)">[14:38:37] hids : Installation von AIDE/HIDS.</font>
 +<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 8ms</font>
 +<font style="color: rgb(0, 0, 0)">[14:38:37]     ↳ install: Aktuelles AIDE Paket vom internen Mirror holen.</font>
 +<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 500mss</font>
 +<font style="color: rgb(0, 0, 0)">[14:38:37]     ↳ install: AIDE-Paket installieren.</font>
 +<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 2.00s</font>
 +<font style="color: rgb(0, 0, 0)">[14:38:39]     ↳ install: Temporäre lokale Paketdatei löschen.</font>
 +<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 389ms</font>
 +<font style="color: rgb(0, 0, 0)">[14:38:40] hids : Konfiguration von AIDE/HIDS.</font>
 +<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 7ms</font>
 +<font style="color: rgb(0, 0, 0)">[14:38:40]     ↳ config: Checken ob es bereits eine Backupdatei der aide.conf gibt.</font>
 +<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 356ms</font>
 +<font style="color: rgb(0, 0, 0)">[14:38:40]     ↳ config: Backupdatei der aide.conf Konfigurationsdatei erstellen.</font>
 +<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 338ms</font>
 +<font style="color: rgb(0, 0, 0)">[14:38:40]     ↳ config: AIDE Konfigurationsdatei erzeugen.</font>
 +<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 634ms</font>
 +<font style="color: rgb(0, 0, 0)">[14:38:41]     ↳ config: Systemd Timer für AIDE Daemon erzeugen.</font>
 +<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 478ms</font>
 +<font style="color: rgb(0, 0, 0)">[14:38:42]     ↳ config: AIDE Datenbank erstellen.</font>
 +<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 1m40s</font>
 +<font style="color: rgb(0, 0, 0)">[14:40:22] hids : AIDE-Datenbank auf Reposerver transferieren.</font>
 +<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 10ms</font>
 +<font style="color: rgb(0, 0, 0)">[14:40:22]     ↳ transfer: Temporäre lokale Aide-Datenbank Datei löschen.</font>
 +<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 368ms</font>
 +<font style="color: rgb(0, 0, 0)">[14:40:23]     ↳ transfer: Temporäre remote Aide-Datenbank Datei löschen.</font>
 +<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 1.24s</font>
 +<font style="color: rgb(0, 0, 0)">[14:40:24]     ↳ transfer: AIDE-Datenbank lokal kopieren.</font>
 +<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 511ms</font>
 +<font style="color: rgb(0, 0, 0)">[14:40:25]     ↳ transfer: AIDE-Datenbank auf Repository-Server kopieren.</font>
 +<font style="color: rgb(25, 100, 5)">↳  pml010070 | SUCCESS | 1.63s</font>
 +<font style="color: rgb(0, 0, 0)">[14:40:27]     ↳ transfer: AIDE-Datenbank ins Repo verschieben.</font>
 +<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 5.14s</font>
 +<font style="color: rgb(0, 0, 0)">[14:40:32]     ↳ transfer: Temporäre lokale Aide-Datenbank Datei löschen.</font>
 +<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 317ms</font>
 +<font style="color: rgb(0, 0, 0)">[14:40:32]     ↳ transfer: Temporäre remote Aide-Datenbank Datei löschen.</font>
 +<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 861ms</font>
 +<font style="color: rgb(25, 100, 5)">triggering handler | hids : Reload aidecheck</font>
 +<font style="color: rgb(196, 160, 0)">↳  pml010070 | CHANGED | 1.21s</font>
 +<font style="color: rgb(0, 0, 0)">[14:40:33] system</font>
 +<font style="color: rgb(25, 100, 5)">-- Play recap --</font>
 +<font style="color: rgb(196, 160, 0)">pml010070                  </font><font style="color: rgb(0, 0, 0)">: </font><font style="color: rgb(25, 100, 5)">ok=20   </font><font style="color: rgb(196, 160, 0)">changed=11    </font>unreachable=0    failed=0    <font style="color: rgb(0, 0, 0)">skipped=0</font>    <font style="color: rgb(0, 0, 0)">rescued=0    ignored=0</font>
 +</pre>
 +</html>
 +
 +==== Ergebniskontrolle ====
 +Bei einem Blick in unser System-Journal finden wir nun unter anderem zunächst einmal das Setzen des **''systemd-timers''** täglich um **''05:51:00''** für unseren Host 
 +   # journalctl -f /usr/bin/aide
 +<code>Mar 14 14:40:36 pml010070 systemd[1]: Reloading finished in 162 ms.
 +Mar 14 14:40:36 pml010070 systemd[1]: Started Aide check every day at 05:51:00.
 +Mar 14 14:40:36 pml010070 systemd[1]: Started Aide Check.</code>
 +
 +Des weiteren finden wir auch Informationen zum initialen Erstellen der Aide-Datenbank.
 +   # journalctl -f /usr/bin/aide
 +++++ journal bei Erstellung der initialen Datenbank |
 +<code>Mar 14 14:43:07 pml010070 aide[94384]: Start timestamp: 2025-03-14 14:40:36 +0100 (AIDE 0.19)
 +Mar 14 14:43:07 pml010070 aide[94384]: AIDE found NO differences between database and filesystem. Looks okay!!
 +Mar 14 14:43:07 pml010070 aide[94384]: 
 +                                       Number of entries:        415370
 +Mar 14 14:43:07 pml010070 aide[94384]: 
 +                                       
 +                                       ---------------------------------------------------
 +                                       The attributes of the (uncompressed) database(s):
 +                                       ---------------------------------------------------
 +Mar 14 14:43:07 pml010070 aide[94384]: 
 +Mar 14 14:43:07 pml010070 aide[94384]: http://10.0.0.40/local/pml010070.aide-database
 +Mar 14 14:43:07 pml010070 aide[94384]:  MD5       : FqaMpI9bZvV3FiZB8nJowA==
 +Mar 14 14:43:07 pml010070 aide[94384]:  SHA1      : vGllC7x5U6FndAR7T2k6v5M3zpw=
 +Mar 14 14:43:07 pml010070 aide[94384]:  SHA256    : OGRb4RHabaNJGxw8rJ3eqMN1dQ5BR/od
 +Mar 14 14:43:07 pml010070 aide[94384]:              TWY8w+4k8j8=
 +Mar 14 14:43:07 pml010070 aide[94384]:  SHA512    : 45Gqayh6d8UU2bOhDw3heHvo8K2P3NkB
 +Mar 14 14:43:07 pml010070 aide[94384]:              OG2DBHfVUWkdqiFkUxmnJzkNKr5OuJJU
 +Mar 14 14:43:07 pml010070 aide[94384]:              1I5jztmwx5yMROqpN+LGzA==
 +Mar 14 14:43:07 pml010070 aide[94384]:  RMD160    : tmRQ4H5i9HtK44+neY+PcA9oBOI=
 +Mar 14 14:43:07 pml010070 aide[94384]:  TIGER     : lMSvw4apa4sTp/2wGf/9bENtoP/rGdWg
 +Mar 14 14:43:07 pml010070 aide[94384]:  CRC32     : lNOWHg==
 +Mar 14 14:43:07 pml010070 aide[94384]:  WHIRLPOOL : RpJ0mjh34mGWGOOxPI982f1J6+xsc1BQ
 +Mar 14 14:43:07 pml010070 aide[94384]:              6Qf3j/70QH6YaZ0xKnDioNvEGUZeSrXK
 +Mar 14 14:43:07 pml010070 aide[94384]: Start timestamp: 2025-03-14 14:40:36 +0100 (AIDE 0.19)
 +Mar 14 14:43:07 pml010070 aide[94384]: AIDE found NO differences between database and filesystem. Looks okay!!
 +Mar 14 14:43:07 pml010070 aide[94384]: Number of entries:        415370
 +Mar 14 14:43:07 pml010070 aide[94384]: ---------------------------------------------------
 +Mar 14 14:43:07 pml010070 aide[94384]: The attributes of the (uncompressed) database(s):
 +Mar 14 14:43:07 pml010070 aide[94384]: ---------------------------------------------------
 +Mar 14 14:43:07 pml010070 aide[94384]: http://10.0.0.40/local/pml010070.aide-database
 +Mar 14 14:43:07 pml010070 aide[94384]:  MD5       : FqaMpI9bZvV3FiZB8nJowA==
 +Mar 14 14:43:07 pml010070 aide[94384]:  SHA1      : vGllC7x5U6FndAR7T2k6v5M3zpw=
 +Mar 14 14:43:07 pml010070 aide[94384]:  SHA256    : OGRb4RHabaNJGxw8rJ3eqMN1dQ5BR/od
 +Mar 14 14:43:07 pml010070 aide[94384]:              TWY8w+4k8j8=
 +Mar 14 14:43:07 pml010070 aide[94384]:  SHA512    : 45Gqayh6d8UU2bOhDw3heHvo8K2P3NkB
 +Mar 14 14:43:07 pml010070 aide[94384]:              OG2DBHfVUWkdqiFkUxmnJzkNKr5OuJJU
 +Mar 14 14:43:07 pml010070 aide[94384]:              1I5jztmwx5yMROqpN+LGzA==
 +Mar 14 14:43:07 pml010070 aide[94384]:  RMD160    : tmRQ4H5i9HtK44+neY+PcA9oBOI=
 +Mar 14 14:43:07 pml010070 aide[94384]:  TIGER     : lMSvw4apa4sTp/2wGf/9bENtoP/rGdWg
 +Mar 14 14:43:07 pml010070 aide[94384]:  CRC32     : lNOWHg==
 +Mar 14 14:43:07 pml010070 aide[94384]:  WHIRLPOOL : RpJ0mjh34mGWGOOxPI982f1J6+xsc1BQ
 +Mar 14 14:43:07 pml010070 aide[94384]:              6Qf3j/70QH6YaZ0xKnDioNvEGUZeSrXK
 +Mar 14 14:43:07 pml010070 aide[94384]:              S88Yf1dE76zmSxan8K9lIw==
 +Mar 14 14:43:07 pml010070 aide[94384]:  GOST      : 6jc71FdttaZW/sUrNA04kyuipL3c6Uek
 +Mar 14 14:43:07 pml010070 aide[94384]:              eu+La9lk8tk=
 +Mar 14 14:43:07 pml010070 aide[94384]:  STRIBOG256: 8sSN/117ue7MfpZ9fvv6FlfNSeRKAg+m
 +Mar 14 14:43:07 pml010070 aide[94384]:              MdP0ErwHN88=
 +Mar 14 14:43:07 pml010070 aide[94384]:  STRIBOG512: lpC/Mc6AYEOh580mPp/Hv47qADCJktQw
 +Mar 14 14:43:07 pml010070 aide[94384]:              th4EzUKygQsx+WQ04E4+GHwahMuM5zuw
 +Mar 14 14:43:07 pml010070 aide[94384]:              kffXnQAsP1YkZra5jn7pnQ==
 +Mar 14 14:43:07 pml010070 aide[94384]: End timestamp: 2025-03-14 14:43:07 +0100 (run time: 2m 31s)
 +Mar 14 14:43:07 pml010070 aide[94384]:              S88Yf1dE76zmSxan8K9lIw==
 +Mar 14 14:43:07 pml010070 aide[94384]:  GOST      : 6jc71FdttaZW/sUrNA04kyuipL3c6Uek
 +Mar 14 14:43:07 pml010070 aide[94384]:              eu+La9lk8tk=
 +Mar 14 14:43:07 pml010070 aide[94384]:  STRIBOG256: 8sSN/117ue7MfpZ9fvv6FlfNSeRKAg+m
 +Mar 14 14:43:07 pml010070 aide[94384]:              MdP0ErwHN88=
 +Mar 14 14:43:07 pml010070 aide[94384]:  STRIBOG512: lpC/Mc6AYEOh580mPp/Hv47qADCJktQw
 +Mar 14 14:43:07 pml010070 aide[94384]:              th4EzUKygQsx+WQ04E4+GHwahMuM5zuw
 +Mar 14 14:43:07 pml010070 aide[94384]:              kffXnQAsP1YkZra5jn7pnQ==
 +Mar 14 14:43:07 pml010070 aide[94384]: 
 +                                       
 +                                       End timestamp: 2025-03-14 14:43:07 +0100 (run time: 2m 31s)
 +Mar 14 14:43:07 pml010070 systemd[1]: aidecheck.service: Deactivated successfully.
 +Mar 14 14:43:07 pml010070 systemd[1]: aidecheck.service: Consumed 3min 26.741s CPU time, 708.5M memory peak.</code>
 +++++
 +
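Review bot: the collapsed excerpt "journal bei Erstellung der initialen Datenbank" contains the same AIDE run twice, interleaved: after the WHIRLPOOL lines the block restarts with `Start timestamp: 2025-03-14 14:40:36 +0100 (AIDE 0.19)` and repeats the whole report in single-line form up to `End timestamp: 2025-03-14 14:43:07`, then the first copy resumes at `S88Yf1dE76zmSxan8K9lIw==`; keep one copy (the same duplication appears in the 05:51 excerpt below, where `Start timestamp: 2025-03-15 05:51:09` recurs after the first `End timestamp`). The caption also does not match the content: this run reports `AIDE found NO differences between database and filesystem`, i.e. a check against the freshly uploaded `http://10.0.0.40/local/pml010070.aide-database`, whereas database initialisation logs `AIDE successfully initialized database` (see the journald section above). Both excerpts here are introduced with `journalctl -f /usr/bin/aide`, yet the first shows `systemd[1]` lines (`Started Aide check every day at 05:51:00.`) that a filter on the aide executable path does not match; the unfiltered `journalctl` used further below, or `journalctl -u aidecheck.timer -u aidecheck.service`, fits the shown output. Minor: "Des weiteren" → "Des Weiteren", and the sentence introducing the daily check below ("die aktuelle Datenbank gegen die bestehende AIDE-Datenbank ... holen") is garbled; it should say that the host fetches the AIDE database from the repository server and checks the file system against it.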
 +Täglich um **05:51** Uhr wird nun unser Host die aktuelle Datenbank gegen die bestehende AIDE-Datenbank auf unserem internen Repository-/Spiegelserver holen und diese beim Check des Dateisystems verwenden.
 +   # journalctl
 +++++ journal beim täglichen check um 05:51 Uhr dieses Hosts |
 +<code>Mar 15 05:51:09 pml010070 systemd[1]: Started Aide Check.
 +Mar 15 05:51:27 pml010070 rtkit-daemon[1200]: Supervising 8 threads of 5 processes of 1 users.
 +Mar 15 05:51:27 pml010070 rtkit-daemon[1200]: Supervising 8 threads of 5 processes of 1 users.
 +Mar 15 05:53:01 pml010070 aide[57175]: Start timestamp: 2025-03-15 05:51:09 +0100 (AIDE 0.19)
 +Mar 15 05:53:01 pml010070 aide[57175]: AIDE found differences between database and filesystem!!
 +Mar 15 05:53:01 pml010070 aide[57175]: 
 +                                       Summary:
 +                                         Total number of entries:        415370
 +                                         Added entries:                  0
 +                                         Removed entries:                0
 +                                         Changed entries:                2
 +Mar 15 05:53:01 pml010070 aide[57175]: 
 +                                       
 +                                       ---------------------------------------------------
 +                                       Changed entries:
 +                                       ---------------------------------------------------
 +Mar 15 05:53:01 pml010070 aide[57175]: 
 +                                       d = ... mc.. .. : /etc/cups
 +Mar 15 05:53:01 pml010070 aide[57175]: 
 +                                       d = ... mc..    : /root
 +Mar 15 05:53:01 pml010070 aide[57175]: 
 +                                       
 +                                       ---------------------------------------------------
 +                                       Detailed information about changes:
 +                                       ---------------------------------------------------
 +Mar 15 05:53:01 pml010070 aide[57175]: 
 +Mar 15 05:53:01 pml010070 aide[57175]: Directory:
 +Mar 15 05:53:01 pml010070 aide[57175]: /etc/cups
 +Mar 15 05:53:01 pml010070 aide[57175]:  Mtime     : 2025-03-13 13:49:27 +0100        | 2025-03-14 05:22:46 +0100
 +Mar 15 05:53:01 pml010070 aide[57175]:  Ctime     : 2025-03-13 13:49:27 +0100        | 2025-03-14 05:22:46 +0100
 +Mar 15 05:53:01 pml010070 aide[57175]: 
 +Mar 15 05:53:01 pml010070 aide[57175]: Directory:
 +Mar 15 05:53:01 pml010070 aide[57175]: /root
 +Mar 15 05:53:01 pml010070 aide[57175]:  Mtime     : 2025-03-11 19:16:06 +0100        | 2025-03-13 17:47:03 +0100
 +Mar 15 05:53:01 pml010070 aide[57175]:  Ctime     : 2025-03-11 19:16:06 +0100        | 2025-03-13 17:47:03 +0100
 +Mar 15 05:53:01 pml010070 aide[57175]: 
 +                                       ---------------------------------------------------
 +                                       The attributes of the (uncompressed) database(s):
 +                                       ---------------------------------------------------
 +Mar 15 05:53:01 pml010070 aide[57175]: 
 +Mar 15 05:53:01 pml010070 aide[57175]: http://10.0.0.40/local/pml010070.aide-database
 +Mar 15 05:53:01 pml010070 aide[57175]:  MD5       : JkDe+MaQ3jiZXGx4TPiP9w==
 +Mar 15 05:53:01 pml010070 aide[57175]:  SHA1      : ulm0dLAs62vjmWKNuh6LyV3HORE=
 +Mar 15 05:53:01 pml010070 aide[57175]:  SHA256    : S/BG2ZPAZogkojazoc13F6sme84JWTik
 +Mar 15 05:53:01 pml010070 aide[57175]:              zH4ysMjRjnQ=
 +Mar 15 05:53:01 pml010070 aide[57175]:  SHA512    : o4mqYllOZrjONDaZP/hywLlZHcSv69Z1
 +Mar 15 05:53:01 pml010070 aide[57175]:              CkdMvaD3LZdr+bzK7zjwnpbG4nONTmDx
 +Mar 15 05:53:01 pml010070 aide[57175]:              p5sXILkYA+REaSrbAIft0Q==
 +Mar 15 05:53:01 pml010070 aide[57175]:  RMD160    : 1+EE+mVMQl0wLRZQk5qSwegYvLY=
 +Mar 15 05:53:01 pml010070 aide[57175]:  TIGER     : mvvYirLAo30g35dnku/8KcCkoHfg4Dz+
 +Mar 15 05:53:01 pml010070 aide[57175]:  CRC32     : h+Fz5Q==
 +Mar 15 05:53:01 pml010070 aide[57175]:  WHIRLPOOL : 5wn7egFu5xf5IPQnBCdZbRsz+UXf1BdQ
 +Mar 15 05:53:01 pml010070 aide[57175]:              QauE/6ZI2VaMzGs3antSVbmkHmCnMoWT
 +Mar 15 05:53:01 pml010070 aide[57175]:              xj4keofx/JSJWKvUUMLnnA==
 +Mar 15 05:53:01 pml010070 aide[57175]:  GOST      : iHuOTlg03FrPEX9ror1szxOomv/c+eUc
 +Mar 15 05:53:01 pml010070 aide[57175]:              olR6ymPJlBM=
 +Mar 15 05:53:01 pml010070 aide[57175]:  STRIBOG256: FJPuiouF2Rs9qxvN9czdHdVbp1eAHdwc
 +Mar 15 05:53:01 pml010070 aide[57175]:              nVp7Q31aqCE=
 +Mar 15 05:53:01 pml010070 aide[57175]:  STRIBOG512: HMJSk//+5BxO2Z3620Zz4u/blN5yPvRC
 +Mar 15 05:53:01 pml010070 aide[57175]:              d0yzK7LYs9uC3cZx1GxpL6sBIWqMMn1x
 +Mar 15 05:53:01 pml010070 aide[57175]:              4rib/WieOl1eeUTP8YefKQ==
 +Mar 15 05:53:01 pml010070 aide[57175]: 
 +                                       
 +                                       End timestamp: 2025-03-15 05:53:01 +0100 (run time: 1m 52s)
 +Mar 15 05:53:01 pml010070 aide[57175]: Start timestamp: 2025-03-15 05:51:09 +0100 (AIDE 0.19)
 +Mar 15 05:53:01 pml010070 aide[57175]: AIDE found differences between database and filesystem!!
 +Mar 15 05:53:01 pml010070 aide[57175]: Summary:
 +Mar 15 05:53:01 pml010070 aide[57175]:   Total number of entries:        415370
 +Mar 15 05:53:01 pml010070 aide[57175]:   Added entries:                0
 +Mar 15 05:53:01 pml010070 aide[57175]:   Removed entries:                0
 +Mar 15 05:53:01 pml010070 aide[57175]:   Changed entries:                2
 +Mar 15 05:53:01 pml010070 aide[57175]: ---------------------------------------------------
 +Mar 15 05:53:01 pml010070 aide[57175]: Changed entries:
 +Mar 15 05:53:01 pml010070 aide[57175]: ---------------------------------------------------
 +Mar 15 05:53:01 pml010070 aide[57175]: d = ... mc.. .. : /etc/cups
 +Mar 15 05:53:01 pml010070 aide[57175]: d = ... mc..    : /root
 +Mar 15 05:53:01 pml010070 aide[57175]: ---------------------------------------------------
 +Mar 15 05:53:01 pml010070 aide[57175]: Detailed information about changes:
 +Mar 15 05:53:01 pml010070 aide[57175]: ---------------------------------------------------
 +Mar 15 05:53:01 pml010070 aide[57175]: Directory: /etc/cups
 +Mar 15 05:53:01 pml010070 aide[57175]:  Mtime     : 2025-03-13 13:49:27 +0100        | 2025-03-14 05:22:46 +0100
 +Mar 15 05:53:01 pml010070 aide[57175]:  Ctime     : 2025-03-13 13:49:27 +0100        | 2025-03-14 05:22:46 +0100
 +Mar 15 05:53:01 pml010070 aide[57175]: Directory: /root
 +Mar 15 05:53:01 pml010070 aide[57175]:  Mtime     : 2025-03-11 19:16:06 +0100        | 2025-03-13 17:47:03 +0100
 +Mar 15 05:53:01 pml010070 aide[57175]:  Ctime     : 2025-03-11 19:16:06 +0100        | 2025-03-13 17:47:03 +0100
 +Mar 15 05:53:01 pml010070 aide[57175]: ---------------------------------------------------
 +Mar 15 05:53:01 pml010070 aide[57175]: The attributes of the (uncompressed) database(s):
 +Mar 15 05:53:01 pml010070 aide[57175]: ---------------------------------------------------
 +Mar 15 05:53:01 pml010070 aide[57175]: http://10.0.0.40/local/pml010070.aide-database
 +Mar 15 05:53:01 pml010070 aide[57175]:  MD5       : JkDe+MaQ3jiZXGx4TPiP9w==
 +Mar 15 05:53:01 pml010070 aide[57175]:  SHA1      : ulm0dLAs62vjmWKNuh6LyV3HORE=
 +Mar 15 05:53:01 pml010070 aide[57175]:  SHA256    : S/BG2ZPAZogkojazoc13F6sme84JWTik
 +Mar 15 05:53:01 pml010070 aide[57175]:              zH4ysMjRjnQ=
 +Mar 15 05:53:01 pml010070 aide[57175]:  SHA512    : o4mqYllOZrjONDaZP/hywLlZHcSv69Z1
 +Mar 15 05:53:01 pml010070 aide[57175]:              CkdMvaD3LZdr+bzK7zjwnpbG4nONTmDx
 +Mar 15 05:53:01 pml010070 aide[57175]:              p5sXILkYA+REaSrbAIft0Q==
 +Mar 15 05:53:01 pml010070 aide[57175]:  RMD160    : 1+EE+mVMQl0wLRZQk5qSwegYvLY=
 +Mar 15 05:53:01 pml010070 aide[57175]:  TIGER     : mvvYirLAo30g35dnku/8KcCkoHfg4Dz+
 +Mar 15 05:53:01 pml010070 aide[57175]:  CRC32     : h+Fz5Q==
 +Mar 15 05:53:01 pml010070 aide[57175]:  WHIRLPOOL : 5wn7egFu5xf5IPQnBCdZbRsz+UXf1BdQ
 +Mar 15 05:53:01 pml010070 aide[57175]:              QauE/6ZI2VaMzGs3antSVbmkHmCnMoWT
 +Mar 15 05:53:01 pml010070 aide[57175]:              xj4keofx/JSJWKvUUMLnnA==
 +Mar 15 05:53:01 pml010070 aide[57175]:  GOST      : iHuOTlg03FrPEX9ror1szxOomv/c+eUc
 +Mar 15 05:53:01 pml010070 aide[57175]:              olR6ymPJlBM=
 +Mar 15 05:53:01 pml010070 aide[57175]:  STRIBOG256: FJPuiouF2Rs9qxvN9czdHdVbp1eAHdwc
 +Mar 15 05:53:01 pml010070 aide[57175]:              nVp7Q31aqCE=
 +Mar 15 05:53:01 pml010070 aide[57175]:  STRIBOG512: HMJSk//+5BxO2Z3620Zz4u/blN5yPvRC
 +Mar 15 05:53:01 pml010070 aide[57175]:              d0yzK7LYs9uC3cZx1GxpL6sBIWqMMn1x
 +Mar 15 05:53:01 pml010070 aide[57175]:              4rib/WieOl1eeUTP8YefKQ==
 +Mar 15 05:53:01 pml010070 aide[57175]: End timestamp: 2025-03-15 05:53:01 +0100 (run time: 1m 52s)
 +Mar 15 05:53:01 pml010070 systemd[1]: aidecheck.service: Main process exited, code=exited, status=4/NOPERMISSION
 +Mar 15 05:53:01 pml010070 systemd[1]: aidecheck.service: Failed with result 'exit-code'.
 +Mar 15 05:53:01 pml010070 systemd[1]: aidecheck.service: Consumed 2min 36.983s CPU time, 708.7M memory peak.
 +</code>
 +++++
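Review bot: The `status=4/NOPERMISSION` at the end of the journal excerpt (`aidecheck.service: Main process exited, code=exited, status=4/NOPERMISSION`) is not a permission problem and the text should not leave readers to read it as one: AIDE uses exit status 4 to mean "changed entries" (1 = added, 2 = removed, 4 = changed, summed when combined), which matches the `Changed entries: 2` summary just above it, and systemd only prints its generic LSB name for exit code 4. The failed unit is therefore the expected outcome of a check that found differences; either keep it that way and alert on the failed unit, or, if the unit is only meant to fail on real AIDE errors, list the change-found codes as acceptable (for example `SuccessExitStatus=1 2 3 4 5 6 7` in the unit) and consume the report from the log instead. Worth one more sentence: the report appears twice in the excerpt (an `End timestamp` line is followed by a second `Start timestamp: 2025-03-15 05:51:09 +0100 (AIDE 0.19)` and an identical report), most likely two `report_url` targets both ending up in the journal; removing the duplicate halves the alert volume.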
 +
 +===== Fazit und Ausblick =====
 +<WRAP center round tip 80%>
 +Mit **AIDE** haben wir nun ein Instrument an der Hand, mit der wir die Dateisysteme unserer Host einfach auf Anomalien hin überwachen kann. Mit Hilfe unseres Ansible-Playbooks können wir nun auch nicht nur die Installation und Konfiguration des Aide-Daemon erledigen, sondern auch einfach die jeweiligen AIDE-Datenbanken der Hosts nach Änderungen durch den Admin bzw. bei Updates oder Ansible-Läufen, aktualisieren und automatisiert zum zentralen internen Repository-/Spiegelserver transferieren. Somit erübrigt sich ein Aufwändiges Signieren oder Wegsichern der Datenbank auf RO-Devices. Die AIDE-Datenbanken wir somit getrennt von den verwalteten Systemen gespeichert und ist folglich vor ungewollten Änderungen geschützt, sollte ein Remote-System kompromittiert worden sein! 
 +
 +In diesem Konfigurationsbeispiel wurde lediglich aufgezeigt, wie man einfach mit Hilfe von Ansible installieren, konfigurieren und Datenbanken der Host erstellen und weg sichern kann. Die AIDE-Protokolldateien müssen nun natürlich entsprechend überwacht und ausgewertet werden! Diesen Aspekt werden wir uns noch eingehend bei unserer Installation und Konfiguration eines zentralen Logauswertungstool wie z.B. [[centos:web_c7:graylog2|graylog]] 
 +noch im Detail ansehen!
 +</WRAP>
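Review bot: The conclusion's claim that central storage makes signing or read-only media unnecessary ("Somit erübrigt sich ein aufwändiges Signieren oder Wegsichern der Datenbank auf RO-Devices") is too strong for the setup shown: the report reads the baseline from `http://10.0.0.40/local/pml010070.aide-database`, plain HTTP with no integrity check, so anyone who can write to that mirror or answer for 10.0.0.40 on the LAN can hand the host a baseline that already matches their modifications, and a compromised host can still alter the local `aide` binary and configuration that perform the comparison. Suggest qualifying the sentence: the central copy protects the baseline from tampering on the monitored host, not on the mirror or on the path to it; serve the database over HTTPS, or record the SHA256 that AIDE prints under "The attributes of the (uncompressed) database(s)" on the Ansible controller at upload time and compare it on each check. The paragraph on refreshing the database after updates and Ansible runs also needs a caveat: every refresh turns the current filesystem state into the new baseline, so if the preceding check report is not reviewed first, any attacker change made in the meantime is silently accepted.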
 +
 +====== Links ======
 +  * **[[linux:ansible:detail|zurück zum Kapitel "Ansible - Erweiterte Konfigurationsbeispiele"]] <= **
 +  * **=> [[linux:dhcpd|weiter zum Kapitel "DNS Server für IPv4|6 unter Arch Linux einrichten und nutzen"]] <= **
 +  * **[[linux:start#ansible|Zurück zur "Ansible"-Übersicht]]**
 +  * **[[wiki:start|Zurück zu >>Projekte und Themenkapitel<<]]**
 +  * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**
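Review bot: The forward link in the navigation block targets `linux:dhcpd` but is labelled "DNS Server für IPv4|6 unter Arch Linux einrichten und nutzen"; dhcpd is the DHCP daemon, so one of target or label is inconsistent and should be checked. The same line carries both a leading `=>` and a trailing `<=`, while the "zurück" link above it has only the trailing arrow; drop the stray `<=`.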
  
-FIXME! 
Last modified: 14.03.2025 12:55 by django