Differences
This page shows the differences between two versions of the page.
linux:aide [14.03.2025 13:22] – [Playbook] django | linux:aide [13.04.2025 14:13] (current) – [Konfiguration] django
Zeile 1: | Zeile 1: | ||
====== Host based Intrusion Detection System mit AIDE unter Arch Linux ====== | ====== Host based Intrusion Detection System mit AIDE unter Arch Linux ====== | ||
===== HIDS - was ist das und wozu nutzt man es? ===== | ===== HIDS - was ist das und wozu nutzt man es? ===== | ||
- | Die Absicherung von Systemen ist eine der Grund- und Pflichtaufgaben eines jeden verantwortungsbewussten Systemadministrators und Administratorin. Dass dies ist kein einmaliger sondern stetig sich wiederholende Vorgang ist, versteht sich in aller Regel von selbst, so ist es unter anderem wichtig, dass regelmässig | + | Die Absicherung von Systemen ist eine der Grund- und Pflichtaufgaben eines jeden verantwortungsbewussten Systemadministrators und Administratorin. Dass dies ist kein einmaliger sondern stetig sich wiederholende Vorgang ist, versteht sich in aller Regel von selbst, so ist es unter anderem wichtig, dass regelmäßig |
- | Weiterführende Informationen rund um Intrusion-Detection-Systeme findet man im **[[https:// | + | Weiterführende Informationen rund um Intrusion-Detection-Systeme findet man im **[[https:// |
Eine der Herausforderungen bei der Verwendung von HIDS besteht darin, dass es auf jedem einzelnen Host installiert, | Eine der Herausforderungen bei der Verwendung von HIDS besteht darin, dass es auf jedem einzelnen Host installiert, | ||
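Review bot: the sentence on the first changed line still carries a stray "ist" ("Dass dies ist kein einmaliger sondern stetig sich wiederholende Vorgang ist") and the adjective does not agree with the noun; suggest "Dass dies kein einmaliger, sondern ein sich stetig wiederholender Vorgang ist". "eines jeden verantwortungsbewussten Systemadministrators und Administratorin" also mixes cases; "jedes verantwortungsbewussten Systemadministrators bzw. jeder Administratorin" would read cleanly. Since the line is being touched for the ss/ß change anyway, this is the moment to fix it.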
Zeile 16: | Zeile 16: | ||
* Benutzer | * Benutzer | ||
* Gruppen | * Gruppen | ||
- | * Dateigrössen | + | * Dateigrößen |
* mtime | * mtime | ||
* ctime | * ctime | ||
* atime | * atime | ||
- | * wachsende | + | * wachsende |
* Anzahl von Links | * Anzahl von Links | ||
* Linknamen | * Linknamen | ||
- | AIDE erstellt | + | AIDE erstellt |
- | * sha1 | + | * sha1 (deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt) |
* sha256 | * sha256 | ||
* sha512 | * sha512 | ||
- | * md5 | + | * md5 (deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt) |
- | * rmd160 | + | * rmd160 |
- | * tiger | + | * ghost (deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt) kann kompiliert werden, sofern mhash-Unterstützung verfügbar ist. |
- | * gost und whirlpool können | + | |
Darüber hinaus können die erweiterten Attribute verwendet werden, sofern sie während der Kompilierung explizit aktiviert werden: | Darüber hinaus können die erweiterten Attribute verwendet werden, sofern sie während der Kompilierung explizit aktiviert werden: | ||
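Review bot: "ghost" in the reworked checksum list should be "gost", the algorithm the replaced line named and that the `aide -v` output further down lists as `gost: yes`. The replaced line also named whirlpool as needing mhash; the new line drops whirlpool entirely although the `aide -v` output still has a whirlpool line, so either keep it in the list or say it is no longer offered. rmd160 is kept without a deprecation note, yet the new default H group in the `aide -v` hunk drops rmd160 together with md5, sha1, tiger, crc32, gost and whirlpool; worth checking the v0.19 changelog whether rmd160 should carry the same "deprecated seit AIDE v0.19" note as sha1 and md5.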
Zeile 43: | Zeile 42: | ||
</ | </ | ||
- | **[[https:// | + | **[[https:// |
- | In aller Regel wird ein Admin, nachdem ein neuer Host erstellt wurde, initial eine AIDE-Datenbank auf dem neuen System erstellen, bestenfalls bevor der neue Host produktiv mit dem Netzwerk verbunden wird. Diese initiale AIDE-Datenbank ist eine Momentaufnahme des Systems in seinem Normalzustand und ist der Massstab, an dem alle nachfolgenden Aktualisierungen und Änderungen gemessen werden. Diese Datenbank sollte Informationen über die wichtigsten Systembinärdateien, | + | In aller Regel wird ein Admin, nachdem ein neuer Host erstellt wurde, initial eine AIDE-Datenbank auf dem neuen System erstellen, bestenfalls bevor der neue Host produktiv mit dem Netzwerk verbunden wird. Diese initiale AIDE-Datenbank ist eine Momentaufnahme des Systems in seinem Normalzustand und ist der Maßstab, an dem alle nachfolgenden Aktualisierungen und Änderungen gemessen werden. Diese Datenbank sollte Informationen über die wichtigsten Systembinärdateien, |
Durch erneutes Ausführen von AIDE zur Systemüberprüfung kann ein Systemadministrator Änderungen an systemrelevanten Verzeichnissen und Dateien schnell erkennen und sich ziemlich sicher sein, dass die protokollierten Ergebnisse korrekt sind. | Durch erneutes Ausführen von AIDE zur Systemüberprüfung kann ein Systemadministrator Änderungen an systemrelevanten Verzeichnissen und Dateien schnell erkennen und sich ziemlich sicher sein, dass die protokollierten Ergebnisse korrekt sind. | ||
Zeile 51: | Zeile 50: | ||
<WRAP center round alert 60%> | <WRAP center round alert 60%> | ||
**ACHTUNG**: | **ACHTUNG**: | ||
- | Ein Admin muss sich aber auch im Klaren sein, dass auch mit **AIDE** **__keine | + | Ein Admin muss sich aber auch im Klaren sein, dass auch mit **AIDE** **__keine |
Ebenso ist vor allem in orchestrierten Umgebungen (Puppet) darauf zu achten, dass nicht etwa ein gerade initiierter Datenbank-Update durch einen Puppet-Agent Lauf abgebrochen wird. So stünde im Extremfall keine aktuelle und valide Datenbank für spätere Systemchecks zur Verfügung, was zu unzähligen false-positive Meldungen führen würde. Die Reputation des HIDS bei den Administratoren wäre in einem solch einem Fall dahin und der erhoffte bzw. geforderte Erfolg mehr als fraglich! | Ebenso ist vor allem in orchestrierten Umgebungen (Puppet) darauf zu achten, dass nicht etwa ein gerade initiierter Datenbank-Update durch einen Puppet-Agent Lauf abgebrochen wird. So stünde im Extremfall keine aktuelle und valide Datenbank für spätere Systemchecks zur Verfügung, was zu unzähligen false-positive Meldungen führen würde. Die Reputation des HIDS bei den Administratoren wäre in einem solch einem Fall dahin und der erhoffte bzw. geforderte Erfolg mehr als fraglich! | ||
</ | </ | ||
==== Installation ==== | ==== Installation ==== | ||
- | AIDE kann unter Arch Linux nicht einfach aus dem Core- oder Extras-Repository mit Hilfe des Paketverwaltungswerkzeugs **'' | + | AIDE kann unter Arch Linux nicht einfach aus dem Core- oder Extras-Repository mit Hilfe des Paketverwaltungswerkzeugs **'' |
Da bei der Installation bzw. beim Kompilieren die Integrität des Quell-Archives an Hand dessen PGP-Signatur geprüft wird, ist es notwendig dass der PGP-Schlüssel mit der Key-ID **'' | Da bei der Installation bzw. beim Kompilieren die Integrität des Quell-Archives an Hand dessen PGP-Signatur geprüft wird, ist es notwendig dass der PGP-Schlüssel mit der Key-ID **'' | ||
Zeile 87: | Zeile 86: | ||
🛴 AUR package will be installed: | 🛴 AUR package will be installed: | ||
- | | + | |
🛴 Proceed with installation? | 🛴 Proceed with installation? | ||
Zeile 101: | Zeile 100: | ||
🛴 Starting the build: | 🛴 Starting the build: | ||
- | ==> Making package: aide 0.18.8-1 (Sun 09 Feb 2025 01:15:33 PM CET) | + | ==> Making package: aide 0.19-1 (Wed 09 Apr 2025 03:15:30 PM CET) |
==> Checking runtime dependencies... | ==> Checking runtime dependencies... | ||
==> Checking buildtime dependencies... | ==> Checking buildtime dependencies... | ||
==> Retrieving sources... | ==> Retrieving sources... | ||
- | -> Downloading aide-0.18.8.tar.gz... | + | -> Downloading aide-0.19.tar.gz... |
% Total % Received % Xferd Average Speed | % Total % Received % Xferd Average Speed | ||
| | ||
0 | 0 | ||
100 374k 100 374k 0 | 100 374k 100 374k 0 | ||
- | -> Downloading aide-0.18.8.tar.gz.asc... | + | -> Downloading aide-0.19.tar.gz.asc... |
% Total % Received % Xferd Average Speed | % Total % Received % Xferd Average Speed | ||
| | ||
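Review bot: the new build timestamps ("Wed 09 Apr 2025 03:15:30 PM CET" here and the matching "Finished making" line further down) print CET for a date in April, when Central Europe is on CEST, and the `pacman -Qi` block later in this diff prints its 9 April dates as CEST; the makepkg transcript therefore looks hand-edited rather than re-pasted. Paste the actual 0.19 build log so the times and sizes are the ones readers will see.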
Zeile 119: | Zeile 118: | ||
-> Found aidecheck.timer | -> Found aidecheck.timer | ||
==> Validating source files with b2sums... | ==> Validating source files with b2sums... | ||
- | aide-0.18.8.tar.gz ... Passed | + | aide-0.19.tar.gz ... Passed |
- | aide-0.18.8.tar.gz.asc ... Skipped | + | aide-0.19.tar.gz.asc ... Skipped |
aide.conf ... Passed | aide.conf ... Passed | ||
aidecheck.service ... Passed | aidecheck.service ... Passed | ||
aidecheck.timer ... Passed | aidecheck.timer ... Passed | ||
==> Verifying source file signatures with gpg... | ==> Verifying source file signatures with gpg... | ||
- | aide-0.18.8.tar.gz ... Passed | + | aide-0.19.tar.gz ... Passed |
==> Extracting sources... | ==> Extracting sources... | ||
- | -> Extracting aide-0.18.8.tar.gz with bsdtar | + | -> Extracting aide-0.19.tar.gz with bsdtar |
==> Starting build()... | ==> Starting build()... | ||
checking build system type... x86_64-pc-linux-gnu | checking build system type... x86_64-pc-linux-gnu | ||
Zeile 264: | Zeile 263: | ||
config.status: | config.status: | ||
make all-am | make all-am | ||
- | make[1]: Entering directory '/ | + | make[1]: Entering directory '/ |
gcc -DHAVE_CONFIG_H -I. -I./ | gcc -DHAVE_CONFIG_H -I. -I./ | ||
mv -f src/ | mv -f src/ | ||
Zeile 334: | Zeile 333: | ||
==> Starting package()... | ==> Starting package()... | ||
make install-am | make install-am | ||
- | make[1]: Entering directory '/ | + | make[1]: Entering directory '/ |
- | make[2]: Entering directory '/ | + | make[2]: Entering directory '/ |
/ | / | ||
/ | / | ||
Zeile 342: | Zeile 341: | ||
/ | / | ||
/ | / | ||
- | make[2]: Leaving directory '/ | + | make[2]: Leaving directory '/ |
- | make[1]: Leaving directory '/ | + | make[1]: Leaving directory '/ |
==> Tidying install... | ==> Tidying install... | ||
-> Removing libtool files... | -> Removing libtool files... | ||
Zeile 363: | Zeile 362: | ||
-> Compressing package... | -> Compressing package... | ||
==> Leaving fakeroot environment. | ==> Leaving fakeroot environment. | ||
- | ==> Finished making: aide 0.18.8-1 (Sun 09 Feb 2025 01:15:51 PM CET) | + | ==> Finished making: aide 0.19-1 (Wed 09 Apr 2025 03:15:55 PM CET) |
loading packages... | loading packages... | ||
Zeile 369: | Zeile 368: | ||
looking for conflicting packages... | looking for conflicting packages... | ||
- | Packages (1) aide-0.18.8-1 | + | Packages (1) aide-0.19-1 |
Total Installed Size: 0.22 MiB | Total Installed Size: 0.22 MiB | ||
Zeile 413: | Zeile 412: | ||
++++ | ++++ | ||
- | Darf man aus Sicherheitsgründen auf allen Zielsystemen keine Kompilierwerkzeuge vorhalten, so holt man sich das vom eigenen Maintainer erstellen Paketes vom eigenen internen Repo-Server und installiert das Paket mit Hilfe von | + | Darf man aus Sicherheitsgründen auf den Zielsystemen keine Kompilierwerkzeuge vorhalten, so holt man sich das vom eigenen Maintainer erstellen Paketes vom eigenen internen Repo-Server und installiert das Paket mit Hilfe von |
**'' | **'' | ||
++++ Lokale Installation von AIDE mit Hilfe von Pacman | | ++++ Lokale Installation von AIDE mit Hilfe von Pacman | | ||
- | Hier in dem folgenden Beispiel wird das zuvor vom eigenen Repository vorgehaltenen Paketes in der Version **'' | + | Hier in dem folgenden Beispiel wird das zuvor vom eigenen Repository vorgehaltenen Paketes in der Version **'' |
- | # pacman -U aide-0.18.8-1-x86_64.pkg.tar.zst | + | # pacman -U aide-0.19-1-x86_64.pkg.tar.zst |
++++ | ++++ | ||
- | <WRAP center round important | + | <WRAP center round important |
Bevor das Programm AIDE gestartet werden kann muss es allerdings [[# | Bevor das Programm AIDE gestartet werden kann muss es allerdings [[# | ||
</ | </ | ||
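Review bot: grammar in the reworked paragraph: "so holt man sich das vom eigenen Maintainer erstellen Paketes" should be "das vom eigenen Maintainer erstellte Paket", and in the folded example "wird das zuvor vom eigenen Repository vorgehaltenen Paketes" should be "wird das zuvor im eigenen Repository vorgehaltene Paket". The file name in `pacman -U aide-0.19-1-x86_64.pkg.tar.zst` matches the new makepkg output, so the version bump itself is consistent.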
Zeile 432: | Zeile 431: | ||
++++ Ausgabe der Befehls pacman -Qil aide | | ++++ Ausgabe der Befehls pacman -Qil aide | | ||
< | < | ||
- | Version | + | Version |
Description | Description | ||
Architecture | Architecture | ||
Zeile 445: | Zeile 444: | ||
Conflicts With : None | Conflicts With : None | ||
Replaces | Replaces | ||
- | Installed Size : 227.09 KiB | + | Installed Size : 252.71 KiB |
Packager | Packager | ||
- | Build Date : Fri 28 Feb 2025 04:25:53 PM CET | + | Build Date : Wed 09 Apr 2025 05:18:04 PM CEST |
- | Install Date : Fri 28 Feb 2025 04:26:08 PM CET | + | Install Date : Wed 09 Apr 2025 07:26:41 PM CEST |
Install Reason | Install Reason | ||
Install Script | Install Script | ||
Zeile 476: | Zeile 475: | ||
++++ | ++++ | ||
=== Programminfo === | === Programminfo === | ||
- | Bei Bedarf können wir uns alle Optionen mit denen das AIDE-Binary gebaut wurde zusammen mit den Default Konfigurationsparametern, | + | Bei Bedarf können wir uns alle Optionen mit denen das AIDE-Binary gebaut wurde zusammen mit den Default Konfigurationsparametern, |
++++ Ausgabe der Befehls aide -v | | ++++ Ausgabe der Befehls aide -v | | ||
# aide -v | # aide -v | ||
- | < | + | < |
Compile-time options: | Compile-time options: | ||
use pcre2: mandatory | use pcre2: mandatory | ||
- | use pthread: | + | use pthread: |
use zlib compression: | use zlib compression: | ||
use POSIX ACLs: yes | use POSIX ACLs: yes | ||
Zeile 492: | Zeile 491: | ||
use e2fsattrs: yes | use e2fsattrs: yes | ||
use cURL: yes | use cURL: yes | ||
- | use Mhash: no | + | use Nettle crypto library: yes |
- | use GNU crypto library: | + | use GNU crypto library: |
use Linux Auditing Framework: no | use Linux Auditing Framework: no | ||
use locale: no | use locale: no | ||
Zeile 519: | Zeile 518: | ||
sha512: yes | sha512: yes | ||
rmd160: yes | rmd160: yes | ||
- | tiger: | + | tiger: |
- | crc32: | + | crc32: |
crc32b: no | crc32b: no | ||
haval: no | haval: no | ||
- | whirlpool: | + | whirlpool: |
gost: yes | gost: yes | ||
stribog256: yes | stribog256: yes | ||
stribog512: yes | stribog512: yes | ||
+ | sha512_256: yes | ||
+ | sha3_256: yes | ||
+ | sha3_512: yes | ||
+ | |||
+ | Available file system type names: | ||
+ | 9p autofs | ||
+ | bpf | ||
+ | configfs | ||
+ | exfat | ||
+ | fusectl | ||
+ | nilfs | ||
+ | ramfs | ||
+ | sysfs | ||
+ | vfat xfs | ||
Default compound groups: | Default compound groups: | ||
- | R: l+p+u+g+s+c+m+i+n+md5+acl+xattrs+ftype+e2fsattrs | + | R: l+p+u+g+s+c+m+i+n+acl+xattrs+ftype+e2fsattrs+sha3_256 |
L: l+p+u+g+i+n+acl+xattrs+ftype+e2fsattrs | L: l+p+u+g+i+n+acl+xattrs+ftype+e2fsattrs | ||
>: l+p+u+g+s+i+n+acl+xattrs+ftype+e2fsattrs+growing | >: l+p+u+g+s+i+n+acl+xattrs+ftype+e2fsattrs+growing | ||
- | H: md5+sha1+rmd160+tiger+crc32+gost+sha256+sha512+whirlpool+stribog256+stribog512 | + | H: sha256+sha512+stribog256+stribog512+sha512_256+sha3_256+sha3_512 |
X: acl+xattrs+e2fsattrs</ | X: acl+xattrs+e2fsattrs</ | ||
++++ | ++++ | ||
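Review bot: the new default compound groups change what a default rule checks: R now carries sha3_256 instead of md5, and H is reduced to sha256, sha512, stribog256, stribog512, sha512_256, sha3_256 and sha3_512. A database initialised with the 0.18.8 defaults therefore holds md5 values the 0.19 rules no longer ask for and lacks the sha3_256 values they do ask for. The installation and update prose should tell readers to re-initialise (or `--update`) the database after the upgrade instead of running a check against the old one.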
Zeile 539: | Zeile 552: | ||
++++ Manual-Page aide | | ++++ Manual-Page aide | | ||
# man aide | # man aide | ||
- | < | + | < |
NAME | NAME | ||
Zeile 552: | Zeile 565: | ||
COMMANDS | COMMANDS | ||
| | ||
- | Checks | + | Checks |
- | | + | do this. This is also the default command. Without any command aide does a check. |
- | | + | |
| | ||
- | Initialize | + | Initialize the database. You must initialize a database and move it to the appro‐ |
- | | + | |
- | | + | |
| | ||
- | Traverse | + | Traverse the file system, match each file against the rule tree and report to std‐ |
- | | + | |
Neither reports nor the database are written in this mode. | Neither reports nor the database are written in this mode. | ||
- | To change the log level in this mode please use the --log-level command line pa‐ | + | To change the log level in this mode please use the --log-level command line para‐ |
- | | + | |
In this mode aide exits with status 0. | In this mode aide exits with status 0. | ||
| | ||
- | Checks the database and updates the database non-interactively. | + | Checks the database and updates the database |
output databases must be different. | output databases must be different. | ||
| | ||
- | Compares | + | Compares |
and database_new=< | and database_new=< | ||
+ | |||
+ | | ||
+ | List the entries of the database in human readable format (analogous | ||
+ | tailed report output of new files). Note that the checksums are base16 encoded. | ||
| | ||
- | Stops after reading in the configuration file. Any errors will be reported. | + | Stops after reading |
- | change | + | change the log level in this mode please use the --log-level command line |
- | | + | |
- | | + | |
- | Read configuration and match provided file_type | + | (added in AIDE v0.17) |
- | path is independent | + | Read configuration |
- | | + | |
- | | + | |
- | | + | |
+ | file system types. | ||
- | In this mode aide exits with status 0 if the file would be added to the tree, 1 | + | |
- | | + | not to the parent directories of the path. If a restricted rule cannot be matched |
+ | against a parent directory due to the missing file system type aide raises a warn‐ | ||
+ | ing. | ||
+ | |||
+ | To change the log level in this mode please use the --log-level command line para‐ | ||
+ | meter. | ||
+ | |||
+ | | ||
+ | not and 2 if the file does not match the specified limit. | ||
PARAMETERS | PARAMETERS | ||
| | ||
- | Configuration | + | Configuration |
value). | value). | ||
| | ||
- | Limit command to entries matching REGEX. Note that the REGEX only matches at the | + | Limit command to entries matching REGEX. Note that the REGEX only matches |
first position. | first position. | ||
Example | Example | ||
- | Only check and update the database entries matching /etc (i.e. the /etc di‐ | + | |
- | rectory) while leaving all other entries unchecked and unchanged: | + | tory) while leaving all other entries unchecked and unchanged: |
aide --update --limit /etc | aide --update --limit /etc | ||
| | ||
- | These configparameters are handled before the reading of the configuration file. | + | These configparameters are handled before the reading of the configuration |
See aide.conf (5) for more details on what to put here. | See aide.conf (5) for more details on what to put here. | ||
| | ||
- | These configparameters are handled after the reading of the configuration file. | + | These configparameters |
See aide.conf (5) for more details on what to put here. | See aide.conf (5) for more details on what to put here. | ||
| | ||
- | The log level to use (see aide.conf (5) for available log levels | + | The log level to use (see aide.conf (5) for available |
tails). | tails). | ||
| | ||
- | Removed, | + | Removed, |
- | | + | |
| | ||
Zeile 631: | Zeile 656: | ||
| | ||
- | Specifies the number of workers (see aide.conf (5) for details). This overwrites | + | Specifies the number of workers (see aide.conf (5) for details). |
the num_workers value set in any configuration file. | the num_workers value set in any configuration file. | ||
+ | |||
+ | | ||
+ | Turn progress | ||
+ | connected to a terminal. | ||
+ | |||
+ | | ||
+ | Turn colored log output off explicitly. By default colored log output | ||
+ | if standard error is connected to a terminal. | ||
| | ||
Zeile 641: | Zeile 674: | ||
EXIT STATUS | EXIT STATUS | ||
- | | + | |
- | pare or --update command was requested, in which case the exit status is defined as: | + | or --update command was requested, in which case the exit status is defined as: |
1 * (new files reported? | 1 * (new files reported? | ||
Zeile 650: | Zeile 683: | ||
4 * (changed files reported?) | 4 * (changed files reported?) | ||
- | | + | Since those three cases can occur together, the respective error codes are added. For ex‐ |
- | example, if there are new files and removed files reported, the exit status will be 1 + | + | ample, if there are new files and removed files reported, the exit status will be 1 + 2 = |
- | 2 = 3. | + | 3. |
| | ||
Zeile 663: | Zeile 696: | ||
17 Configuration error | 17 Configuration error | ||
- | |||
- | 18 IO error | ||
- | |||
- | 19 Version mismatch error | ||
- | |||
18 IO error | 18 IO error | ||
Zeile 680: | Zeile 708: | ||
23 Thread error | 23 Thread error | ||
+ | |||
+ | 24 Database error | ||
+ | |||
+ | 25 received SIGINT, SIGTERM or SIGHUP | ||
SIGNAL HANDLING | SIGNAL HANDLING | ||
- | | + | SIGINT, |
+ | |||
+ | Remove an incompletely written database (only if database | ||
+ | aide) and exit (code 25). | ||
+ | |||
+ | | ||
+ | |||
+ | Toggle the log_level between current and debug level. | ||
+ | |||
+ | SIGUSR1 is only handled after config parsing. | ||
+ | |||
+ | | ||
+ | |||
+ | Resize the progress bar (if enabled). | ||
+ | |||
+ | NOTES | ||
+ | | ||
+ | | ||
+ | |||
+ | echo < | ||
+ | |||
+ | FILES | ||
+ | See --version output for the default config file and the default | ||
+ | |||
+ | Remove an incompletely written database (only if database | ||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | Toggle the log_level between current and debug level. | ||
+ | |||
+ | SIGUSR1 is only handled after config parsing. | ||
- | SIGHUP is also ignored. | + | SIGWINCH |
- | | + | Resize |
NOTES | NOTES | ||
- | The checksums in the database and in the output are by default base64 encoded (see also | + | |
| | ||
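Review bot: the pasted SIGNAL HANDLING section on the new side appears twice: the "Remove an incompletely written database ... exit (code 25)", "Toggle the log_level between current and debug level." and "SIGUSR1 is only handled after config parsing." paragraphs occur once after "25 received SIGINT, SIGTERM or SIGHUP" and again after the first NOTES and FILES headings, and NOTES and FILES themselves appear twice. The man page has each once; the second copy looks like a paste duplication and should be removed so the section reads SIGNAL HANDLING, NOTES, FILES in that order.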
Zeile 695: | Zeile 758: | ||
FILES | FILES | ||
- | See --version output for the default config file and the default database_in and data‐ | + | See --version output for the default config file and the default |
| | ||
Zeile 702: | Zeile 765: | ||
BUGS | BUGS | ||
- | | + | |
| | ||
DISCLAIMER | DISCLAIMER | ||
- | All trademarks are the property of their respective owners. | + | All trademarks are the property of their respective owners. |
- | while making this webpage or this piece of software. Although some pizza delivery guy' | + | |
- | feelings | + | ings were hurt. |
- | aide v0.18.8 2024-05-09 AIDE(1) | + | aide v0.19 2025-04-05 |
</ | </ | ||
Zeile 717: | Zeile 780: | ||
++++ Manual-Page aide.conf | | ++++ Manual-Page aide.conf | | ||
# man aide.conf | # man aide.conf | ||
- | < | + | < |
NAME | NAME | ||
Zeile 723: | Zeile 786: | ||
SYNOPSIS | SYNOPSIS | ||
- | | + | |
- | | + | |
| | ||
FILE FORMAT | FILE FORMAT | ||
- | | + | |
- | lines must end with new line. | + | line must end with new line. |
- | | + | AIDE uses the backslash character (\) as escape character for ' ' (space), |
- | | + | |
| | ||
- | There are three types of lines in aide.conf. First there are the configuration | + | There are three types of lines in aide.conf. First there are the configuration |
- | | + | |
- | (restricted) rules that are used to indicate which files are added to the database. | + | stricted) rules that are used to indicate which files/ |
- | Third, macro lines define or undefine variables within the config file. Lines beginning | + | are added to the database. Third, macro lines define or undefine variables within the |
- | with # are ignored as comments. | + | config file. Lines beginning with # are ignored as comments. |
CONFIG OPTIONS | CONFIG OPTIONS | ||
Zeile 745: | Zeile 808: | ||
| | ||
- | | + | |
- | The url from which database is read. There can only be one of these lines. If | + | The url from which database is read. There can only be one of these lines. |
there are multiple database lines then the first is used. | there are multiple database lines then the first is used. | ||
Zeile 764: | Zeile 827: | ||
| | ||
- | The url to which the new database is written to. There can only be one of these | + | The url to which the new database is written to. There can only be one of these |
lines. If there are multiple database_out lines then the first is used. | lines. If there are multiple database_out lines then the first is used. | ||
Zeile 771: | Zeile 834: | ||
| | ||
- | The attributes of the (uncompressed) database files which are to be added to the | + | The attributes of the (uncompressed) database files which are to be added to the |
- | reports | + | reports in report level >= database_attributes . Only checksum attributes are sup‐ |
- | | + | |
| | ||
- | Whether to add the AIDE version and the time of database generation as comments | + | Whether to add the AIDE version and the time of database generation as comments |
- | | + | the database |
- | | + | release. |
| | ||
- | The log level to use. Log messages are written to stderr. If there are multiple | + | The log level to use. Log messages are written to stderr. If there are multiple |
- | log_level lines then the first one is used. The --log-level or -L command | + | log_level lines then the first one is used. The --log-level or -L command line op‐ |
- | | + | |
The following log levels are available: | The following log levels are available: | ||
- | | + | |
rors are fatal to the AIDE process. | rors are fatal to the AIDE process. | ||
- | | + | |
- | unexpected | + | expected |
- | | + | |
| | ||
info: additionally show informational messages | info: additionally show informational messages | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
rule: additionally show messages to help to debug the path rule matching | rule: additionally show messages to help to debug the path rule matching | ||
- | compare: additionally show messages to help to debug file comparison | + | config: additionally show messages to help to debug config |
- | | + | |
- | config: additionally show messages | + | debug: additionally show messages |
- | ing | + | |
- | debug: additionally | + | limit: additionally show messages |
- | tion (very verbose) | + | |
- | | + | |
- | cast events) | + | |
- | | + | |
- | loop logging) (even more verbose) | + | the flow of the application (e.g. in-loop logging) (extremely |
| | ||
Zeile 819: | Zeile 887: | ||
| | ||
- | Whether the output to the database is gzipped or not. This option | + | Whether the output to the database is gzipped or not. This option |
only if zlib support is compiled in. | only if zlib support is compiled in. | ||
| | ||
- | The prefix | + | The prefix |
- | rules and writing to database. AIDE removes a trailing slash from the prefix. | + | rules and writing to database. AIDE removes a trailing slash from the prefix. |
- | | + | there are multiple root_prefix lines then the first one is used. This option |
- | | + | no effect in compare mode. |
| | ||
- | Whether to check ACLs for symlinks or not. This option is available only if acl | + | Whether to check ACLs for symlinks or not. This option is available |
support is compiled in. | support is compiled in. | ||
Zeile 836: | Zeile 904: | ||
| | ||
- | The value of config_version | + | The value of config_version is printed in the report and also printed to the data‐ |
- | | + | |
- | ity. | + | |
| | ||
- | Whether | + | Whether |
unrestricted rules use 0 (zero) as restriction character. | unrestricted rules use 0 (zero) as restriction character. | ||
| | ||
- | Specifies the number of simultaneous workers (threads) for file attribute | + | Specifies the number of simultaneous workers (threads) for file attribute |
- | | + | |
- | The number of workers can be a positive integer (e.g. ' | + | The number of workers can be a positive integer (e.g. ' |
- | the available processors (e.g. ' | + | the available processors (e.g. ' |
- | | + | up to the next integer (e.g. ' |
- | ers). | + | |
If there are multiple num_workers lines then the first one is used. | If there are multiple num_workers lines then the first one is used. | ||
- | Use 0 (zero) to disable multi-threading. | + | Use 0 (zero) to disable |
The default value 1 (single worker thread) may be changed in a future release. | The default value 1 (single worker thread) may be changed in a future release. | ||
Zeile 880: | Zeile 946: | ||
Write report to syslog using LOG_FACILITY. | Write report to syslog using LOG_FACILITY. | ||
- | The following report options are available (to take effect they have to be set before | + | The following report options are available (to take effect they have to be set before |
- | report_url): | + | port_url): |
| | ||
Zeile 903: | Zeile 969: | ||
| | ||
- | | + | The left column shows the old value (e.g. from the database_in |
and the right column shows the new value (e.g. from the file system). | and the right column shows the new value (e.g. from the file system). | ||
- | added_removed_attributes: | + | added_removed_attributes: |
tributes | tributes | ||
- | added_removed_entries: | + | added_removed_entries: |
- | tries | + | |
| | ||
Zeile 920: | Zeile 985: | ||
| | ||
- | Base16 encode the checksums in the report. The default is to report checksums in | + | Base16 encode the checksums in the report. The default is to report |
base64 encoding. | base64 encoding. | ||
| | ||
- | Report | + | Report |
- | | + | >= added_removed_entries) in initialization mode. |
| | ||
Zeile 934: | Zeile 999: | ||
| | ||
- | | + | |
Group the files in the report by added, removed and changed files. | Group the files in the report by added, removed and changed files. | ||
| | ||
- | | + | |
- | Summarize changes in the added, removed and changed files sections | + | Summarize changes in the added, removed and changed files sections of the report. |
- | port. | + | |
- | The general format is like the string | + | The general format is like the string |
- | the file-type | + | the file-type |
- | link, ' | + | link, ' |
- | | + | a unix socket, ' |
- | | + | type has changed and '?' |
- | The Z is replaced as follows: A ' | + | The Z is replaced as follows: A ' |
- | | + | |
- | | + | string |
- | | + | the item has been changed or a ' |
- | Otherwise | + | Otherwise a ' |
- | | + | |
tribute has not been checked. | tribute has not been checked. | ||
- | The exceptions to this are: (1) a newly created file replaces each letter with a | + | The exceptions |
' | ' | ||
The attribute that is associated with each letter is as follows: | The attribute that is associated with each letter is as follows: | ||
- | o | + | o |
o A b means that the block count has changed. | o A b means that the block count has changed. | ||
Zeile 968: | Zeile 1032: | ||
o A p means that the permissions have changed. | o A p means that the permissions have changed. | ||
- | o | + | o |
o A g means that the gid has changed. | o A g means that the gid has changed. | ||
Zeile 974: | Zeile 1038: | ||
o An a means that the access time has changed. | o An a means that the access time has changed. | ||
- | o | + | o |
o A c means that the change time has changed. | o A c means that the change time has changed. | ||
Zeile 980: | Zeile 1044: | ||
o An i means that the inode has changed. | o An i means that the inode has changed. | ||
- | o | + | o |
+ | |||
+ | o An H means that one or more message digests have changed. | ||
- | o | + | o |
- | The following | + | The following letters are only available when explicitly enabled using configure: |
- | ure: | + | |
- | o | + | o |
- | o | + | o |
- | o | + | o |
- | o | + | o |
| | ||
Zeile 1013: | Zeile 1078: | ||
| | ||
| | ||
- | Attributes | + | Attributes |
- | tribute is both ignored and forced the attribute | + | tribute is both ignored and forced the attribute is not considered for file change |
- | | + | but printed in the final report as long as the file has been otherwise changed. |
- | | + | |
| | ||
- | List (no delimiter) of ext2 file attributes which are to be ignored in the re‐ | + | List (no delimiter) of ext2 file attributes which are to be ignored in the report. |
- | | + | See chattr(1) for the available attributes. Use 0 (zero) to not ignore |
- | | + | |
- | By default AIDE also reports changes of the read-only | + | By default |
chattr(1) (see example below how to ignore those changes). | chattr(1) (see example below how to ignore those changes). | ||
Example: | Example: | ||
- | | + | |
(N), indexed directory (I) and encrypted (E): | (N), indexed directory (I) and encrypted (E): | ||
Zeile 1044: | Zeile 1108: | ||
| | ||
- | | + | |
| | ||
Zeile 1050: | Zeile 1114: | ||
> | > | ||
- | | + | |
- | | + | |
v0.16) | v0.16) | ||
Zeile 1067: | Zeile 1131: | ||
Files and directories matching the regular expression are added to the database. | Files and directories matching the regular expression are added to the database. | ||
- | Negative | + | Recursive negative |
!< | !< | ||
- | Files and directories matching the regular expression are ignored | + | Files and directories matching the regular expression are excluded |
- | to the database. | + | to the database. The children of directories and sub-directories are recursed into |
+ | and only not added to the database if they also match the regular expression. | ||
+ | |||
+ | | ||
+ | -< | ||
+ | |||
+ | Files and directories matching the regular expression are excluded and NOT added | ||
+ | the database. The children of directories and sub-directories | ||
+ | into and hence not added to the database by any means. | ||
| | ||
=< | =< | ||
- | Files and directories matching the regular expression are added to the database. | + | Files and directories matching the regular expression are added to the database. |
- | The children of directories are only added if the regular expression ends with a | + | The children of directories are only added if the regular expression ends with a |
- | "/" | + | "/" |
- | Every regular expression has to start with an explicit "/" | + | |
- | | + | front of each regular expression. |
- | at the first position against the complete path. Special characters can be escaped | + | the first position against the complete path. Special characters can be escaped |
- | ing two-digit URL encoding (for example, %20 to represent a space). | + | |
- | AIDE uses a deepest-match algorithm to find the tree node to search, but a first-match | + | |
| | ||
Zeile 1093: | Zeile 1165: | ||
RESTRICTED RULES | RESTRICTED RULES | ||
- | | + | |
- | AIDE v0.16). The following | + | |
- | f restrict rule to regular files | + | The syntax of restricted rules is as follows: |
- | d restrict | + | Restricted regular |
- | | + | < |
+ | -< | ||
- | | + | Files and directories matching both the regular expression and the restriction expres‐ |
+ | sion are excluded and NOT added the database. The children of directories and sub-di‐ | ||
+ | rectories are not recursed into and hence not added to the database by any means. | ||
- | b restrict | + | Restricted equals |
- | | + | =< |
- | | + | Files and directories matching both the regular expression and the restriction expres‐ |
+ | sion are added the database. The children of directories are only added if the regular | ||
+ | expression ends with a "/" | ||
+ | base. | ||
- | D restrict rule to Solaris doors | + | Restriction expression |
- | | + | An restriction expression is of the following form: |
- | | + | <restriction |
+ | | =<file system type> | ||
+ | | ||
- | | + | |
- | The syntax of restricted rules is as follows: | + | |
- | | + | P restrict rule to Solaris event ports |
- | < | + | |
- | | + | Multiple |
- | !< | + | |
- | Restricted equals rule | + | File system types (Linux only) |
- | | + | |
+ | The | ||
+ | (e.g. ' | ||
+ | able file system type names). The magic number must start with ' | ||
+ | in hexdecimal format. | ||
+ | |||
+ | Empty restriction | ||
+ | |||
+ | To explicitly don't restrict a rule use 0 (added in AIDE v0.18). | ||
+ | |||
+ | | ||
+ | |||
+ | / d,f R -/dev =tmpfs | ||
+ | |||
+ | | ||
MACRO LINES | MACRO LINES | ||
Zeile 1139: | Zeile 1231: | ||
| | ||
| | ||
- | @@if begins an if statement. It must be terminated with an @@endif | + | @@if begins an if statement. It must be terminated with an @@endif statement. |
- | | + | lines between |
- | | + | true. If there is an @@else statement then the part between @@if and @@else |
- | | + | used if boolean_expression evaluates to true otherwise the part between @@else and |
- | | + | |
Available operators and functions in boolean expressions: | Available operators and functions in boolean expressions: | ||
not boolean_expression | not boolean_expression | ||
- | Evaluates to true if the boolean_expression is false, | + | Evaluates |
boolean_expression is true. | boolean_expression is true. | ||
Zeile 1157: | Zeile 1249: | ||
| | ||
- | Evaluates to true if HOSTNAME equals the hostname of the machine that AIDE | + | Evaluates to true if HOSTNAME equals the hostname of the machine |
- | is running on. hostname is the name of the host without the domainname (ie | + | is running |
' | ' | ||
Zeile 1164: | Zeile 1256: | ||
Evaluates to true if PATH exists. | Evaluates to true if PATH exists. | ||
+ | |||
+ | | ||
+ | |||
+ | Evaluates to true if VERSION_STRING1 | ||
+ | SION_STRING2 | ||
+ | sion_ge 1.1 to false). The version strings must be in the formaat | ||
+ | NOR.PATCH | ||
+ | for pre-release) will be truncated). | ||
| | ||
Zeile 1178: | Zeile 1278: | ||
| | ||
- | @@{VAR} | + | @@{VAR} is replaced with the value of the variable |
- | defined an empty string is used. | + | The content of the file is used as if it were inserted in this part of the config |
- | + | file. | |
- | Variables are supported in strings | + | |
- | lines. | + | |
- | + | ||
- | Pre-defined marco variables: | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | Include FILE. | + | |
- | The content of the file is used as if it were inserted in this part of the con‐ | + | |
- | | + | |
The maximum depth of nested includes is 16. | The maximum depth of nested includes is 16. | ||
| | ||
- | Include all (regular) files found in DIRECTORY matching regular expression REGEX | + | Include all (regular) files found in DIRECTORY matching regular |
(sub-directories are ignored). The file are included in lexical sort order. | (sub-directories are ignored). The file are included in lexical sort order. | ||
- | If RULE_PREFIX is set, all rules included by the statement | + | If RULE_PREFIX |
- | | + | |
- | | + | concatenated. |
- | The content of the files is used as if it were inserted in this part of the con‐ | + | The content of the files is used as if it were inserted in this part of the config |
- | | + | file. |
| | ||
| | ||
- | @x_include is identical to @@include, except that if a config file is executable | + | @x_include |
is is run and the output is used as config. | is is run and the output is used as config. | ||
- | If the executable file exits with status greater than zero or writes to stderr | + | If the executable file exits with status greater than zero or writes |
aide stops with an error. | aide stops with an error. | ||
- | For security reasons DIRECTORY and each executable config file must be owned by | + | For security |
the current user or root. They must not be group- or world-writable. | the current user or root. They must not be group- or world-writable. | ||
| | ||
- | Adds the variable | + | Adds the variable VAR with the value VALUE to the environment used for config |
- | | + | execution. |
- | Environment variable names are limited to alphanumeric | + | Environment variable names are limited to alphanumeric characters (A-Za-z0-9) |
- | | + | the underscore ' |
TYPES | TYPES | ||
Zeile 1233: | Zeile 1322: | ||
An attribute expression is of the following form: | An attribute expression is of the following form: | ||
- | < | + | < |
- | | + | |
- | | + | |
URLS | URLS | ||
- | Urls can be one of the following. Input urls cannot be used as outputs and vice | + | Urls can be one of the following. Input urls cannot be used as outputs and vice versa. |
- | | + | |
| | ||
Zeile 1251: | Zeile 1339: | ||
| | ||
- | Input is read from filedescriptor number or output is written to | + | Input is read from filedescriptor number or output is written to number. |
- | ber. | + | |
| | ||
Zeile 1261: | Zeile 1348: | ||
| | ||
+ | |||
+ | | ||
| | ||
Zeile 1266: | Zeile 1355: | ||
| | ||
- | | + | |
| | ||
Zeile 1284: | Zeile 1373: | ||
| | ||
- | | + | |
- | + | ||
- | | + | |
- | selinux attributes (requires libselinux) | + | |
- | + | ||
- | | + | |
- | + | ||
- | | + | |
- | file attributes | + | |
- | nore_e2fsattrs | + | |
- | + | ||
- | | + | |
- | + | ||
- | Use 'aide --version' | + | |
| | ||
- | | + | |
v0.20) | v0.20) | ||
Zeile 1308: | Zeile 1383: | ||
| | ||
- | When I is used, the inode of the old file is used to search for a moved file in | + | When I is used, the inode of the new file is used to search for a moved source |
- | the new database. | + | |
- | Source and target file have to be located in the same directory and must share | + | Source and target file have to be located in the same directory and must share the |
- | | + | same attributes (except for special attributes ANF, ARF, I, growing, |
- | | + | |
For moved entries a change of the ctime attribute is ignored. | For moved entries a change of the ctime attribute is ignored. | ||
Zeile 1332: | Zeile 1407: | ||
ctime: if new ctime is greater than old ctime | ctime: if new ctime is greater than old ctime | ||
- | hashsums: if the hashsum of the new file restricted to the old size equals | + | hashsums: |
hashsums of the old file | hashsums of the old file | ||
Zeile 1340: | Zeile 1415: | ||
ignore compressed file (added in AIDE v0.18) | ignore compressed file (added in AIDE v0.18) | ||
- | When compressed | + | When compressed is used, the uncompressed hashsums |
- | (supported compressions: | + | (supported compressions: |
- | | + | old database. |
- | The old uncompressed and the new compressed file have to be located in the same | + | The old uncompressed |
- | directory and must share the same attributes (except for special attributes ANF, | + | directory and must share the same attributes (except for special |
- | ARF, I, growing, and compressed) including at least one hashsum. | + | ARF, I, growing, and compressed) including at least one common |
Changes of the inode, size, bcount and ctime attributes are ignored. | Changes of the inode, size, bcount and ctime attributes are ignored. | ||
- | The growing attribute (i.e. the old file size) is not considered for compressed | + | The growing |
files during the calculation of the uncompressed hashsums. | files during the calculation of the uncompressed hashsums. | ||
Zeile 1357: | Zeile 1432: | ||
| | ||
- | When ' | + | When ' |
the report. | the report. | ||
| | ||
- | When ' | + | When ' |
are ignored in the report. | are ignored in the report. | ||
- | | + | |
- | | + | sha256 SHA-256 |
- | | + | sha512 |
- | | + | sha512_256 (added in AIDE v0.19) |
+ | SHA-512 checksum | ||
- | | + | sha3_256 (added in AIDE v0.19) |
+ | SHA3-256 checksum | ||
- | | + | sha3_512 (added in AIDE v0.19) |
+ | SHA3-512 checksum | ||
- | | + | stribog256 (added in AIDE v0.17) |
+ | GOST R 34.11-2012, 256 bit checksum | ||
- | | + | stribog512 |
+ | GOST R 34.11-2012, 512 bit checksum | ||
- | | + | md5 (DEPRECATED since AIDE v0.19, will be removed in AIDE v0.21) |
+ | | ||
- | | + | sha1 (DEPRECATED since AIDE v0.19, will be removed in AIDE v0.21) |
+ | SHA-1 checksum | ||
- | | + | rmd160 (DEPRECATED since AIDE v0.19, will be removed in AIDE v0.21) |
+ | | ||
- | | + | gost (DEPRECATED since AIDE v0.19, will be removed in AIDE v0.21) |
- | | + | GOST R 34.11-94 |
- | | + | crc32 (REMOVED |
- | GOST R 34.11-2012, 256 bit checksum | + | crc32 checksum |
- | | + | crc32b |
- | GOST R 34.11-2012, 512 bit checksum | + | crc32 checksum |
- | Use 'aide --version' | + | haval (REMOVED in AIDE v0.19) |
+ | | ||
+ | |||
+ | tiger (REMOVED in AIDE v0.19) | ||
+ | tiger checksum | ||
+ | |||
+ | whirlpool (REMOVED in AIDE v0.19) | ||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | Hashsum transitions (since AIDE v0.19): | ||
+ | |||
+ | AIDE has limited support for hashsum transitions | ||
+ | when hashsums | ||
+ | entry do mot share common hashsum(s) AIDE tries to additionally calculate the removed | ||
+ | hashsum(s) | ||
+ | tribute) and compressed (compressed attribute) entries). | ||
EXAMPLES | EXAMPLES | ||
- | / R This adds all files on your machine to the database. | + | / R This adds all files on your machine to the database. |
qualified configuration file. | qualified configuration file. | ||
Zeile 1405: | Zeile 1505: | ||
=/foo R | =/foo R | ||
- | Only /foo and /foobar are taken into the database. | + | Only /foo and / |
added. | added. | ||
| | ||
- | Only /foo and its children (e.g. /foo/file and / | + | Only /foo and its children (e.g. /foo/file and / |
- | | + | database. |
added. | added. | ||
Zeile 1437: | Zeile 1537: | ||
Full = ftype+p+l+u+g+s+m+c+a+i+b+n+H+X | Full = ftype+p+l+u+g+s+m+c+a+i+b+n+H+X | ||
/ 0 Full | / 0 Full | ||
- | This line defines group Full. It has all attributes, all compiled in hashsums | + | This line defines group Full. It has all attributes, all compiled in hashsums (H) |
- | | + | |
- | | + | compiled |
- | | + | |
| | ||
/ | / | ||
Files that change their mtimes or ctimes but not their contents. | Files that change their mtimes or ctimes but not their contents. | ||
- | |||
- | | ||
- | / | ||
- | Files that are recreated regularly but do not change their contents | ||
- | |||
- | | ||
- | / | ||
- | Files that change their contents during system operation | ||
- | |||
- | | ||
- | / | ||
- | Directories that change their contents during system operation | ||
- | |||
- | | ||
/ | / | ||
Directories that are recreated regularly and change their contents | Directories that are recreated regularly and change their contents | ||
Zeile 1464: | Zeile 1550: | ||
Log Handling | Log Handling | ||
- | Logs pose a number of special challenges to AIDE. An active log is nearly | + | Logs pose a number of special challenges to AIDE. An active log is nearly constantly |
- | being | + | ing written to. The process of log rotation changes file names for files that are |
- | supposed | + | posed |
- | of their rotation, and finally, they get deleted. | + | their rotation, and finally, they get deleted. |
- | cases without generating reports, and it is still expected to flag the cases when an | + | |
- | attacker | + | tacker |
- | The following examples suggest a way to handle the common case of log rotation with the | + | The following examples suggest a way to handle the common case of log rotation |
- | | + | |
The vast majority of logs are rotated this way on most Linux systems. | The vast majority of logs are rotated this way on most Linux systems. | ||
| | ||
/ | / | ||
- | An Active Log is typically named foo.log. | + | An Active Log is typically named foo.log. |
- | | + | file does neither change its mode nor its inode number. |
- | | + | and what is written to the file is not supposed to change (growing). |
- | | + | |
- | | + | |
- | | + | |
- | ing attribute | + | |
- | compared to the database. | + | |
- | + | ||
- | | + | |
- | / | + | |
- | foo.log.0 or foo.log.1 is called the Rotated Log, the previously active log re‐ | + | |
- | named to the first name of the Log Series that is formed by the rotation mecha‐ | + | |
- | nism. Right after rotation, the file might still being written to by the dae‐ | + | |
- | mon. To aide, this looks like the Active Log's size decreases and its inode and | + | |
- | timestamps | + | |
- | once the process has stopped writing to it. Reports might be generated if aide | + | |
- | runs while the process still writes to the Rotated Log, but this is quite un‐ | + | |
- | likely to happen. | + | |
- | foo.log.1.gz, | + | |
| | ||
/ | / | ||
- | In the next rotation step, foo.log.1 gets compressed to foo.log.2.gz, | + | In the next rotation step, foo.log.1 gets compressed to foo.log.2.gz, |
- | | + | Compressed Log in the Log Series. |
- | | + | because it uncompresses the contents of the file and takes the checksum of the un‐ |
- | | + | |
- | | + | changes are ignored (compressed). |
| | ||
/ | / | ||
- | In the next log rotation, all foo.log.{x} get renamed | + | In the next log rotation, all foo.log.{x} get renamed to foo.log.{x+1}. |
- | | + | attributes are not supposed to change. |
| | ||
/ | / | ||
- | The configuration of the log rotation process specifies a number of log genera‐ | + | The configuration of the log rotation process specifies a number |
- | tions to keep. The last log in the series is therefore | + | tions to keep. The last log in the series is therefore removed from the disk |
(ARF). | (ARF). | ||
Zeile 1520: | Zeile 1592: | ||
empty files | empty files | ||
- | It might be the case that a log is actually created, but never written to. This | + | It might be the case that a log is actually created, but never written |
- | commonly | + | commonly |
- | | + | to cater for data protection regulation. |
- | | + | identical, |
- | | + | |
- | | + | |
| | ||
- | With logrotate' | + | With logrotate' |
- | | + | |
- | | + | |
| | ||
- | tions to keep. The last log in the series is therefore | ||
- | (ARF). | ||
- | |||
- | aide 0.18 does not yet support the following cases of log rotation: | ||
- | |||
empty files | empty files | ||
- | It might be the case that a log is actually created, but never written to. This | + | It might be the case that a log is actually created, but never written |
- | commonly | + | commonly |
- | | + | to cater for data protection regulation. |
- | | + | identical, |
- | | + | |
- | | + | |
| | ||
- | With logrotate' | + | With logrotate' |
- | | + | |
- | | + | |
| | ||
- | With logrotate' | + | With logrotate' |
- | | + | |
- | | + | truncated |
- | | + | open file handle. |
- | | + | |
- | | + | |
- | tion to avoid this behavior. | + | |
HINTS | HINTS | ||
Zeile 1571: | Zeile 1638: | ||
DISCLAIMER | DISCLAIMER | ||
- | | + | All trademarks are the property of their respective owners. |
- | while making this webpage or this piece of software. | + | |
- | aide v0.18.8 2024-05-09 | + | aide v0.19 |
+ | </ | ||
++++ | ++++ | ||
Zeile 1583: | Zeile 1651: | ||
So können wir später leichter Änderungen mit Hilfe von **'' | So können wir später leichter Änderungen mit Hilfe von **'' | ||
- | Anpassungen und Änderungen an der Konfiguration nehmen mit mit dem Editor unserer Wahl , wie z.B. **'' | + | Anpassungen und Änderungen an der Konfiguration nehmen mit mit dem Editor unserer Wahl, wie z.B. **'' |
# sudo vim / | # sudo vim / | ||
- | <file bash / | + | <file bash / |
- | # More information about configuration | + | # Ansible managed |
- | # Inspired from https:// | + | # |
- | + | # ┌──────────────────────────────────────────────────────────────────────┐ | |
- | # ┌───────────────────────────────────────────────────────────────┐ | + | # │ Contents of configuration file aide.conf |
- | # │ CONTENTS OF aide.conf | + | # ├──────────────────────────────────────────────────────────────────────┤ |
- | # ├───────────────────────────────────────────────────────────────┘ | + | # │ |
- | # │ | + | # ├──┬───── 1. |
- | # ├──┐VARIABLES | + | # │ ├───── 1.1 DATABASE |
- | # │ ├── DATABASE | + | # │ └───── 1.2 REPORT |
- | # │ └── REPORT | + | # │ │ |
- | # ├──┐RULES | + | # ├──┬───── 2. |
- | # │ ├── LIST OF ATTRIBUTES | + | # │ ├───── 2.1 LIST OF ATTRIBUTES |
- | # │ ├── LIST OF CHECKSUMS | + | # │ ├───── 2.2 LIST OF CHECKSUMS |
- | # │ └── AVAILABLE RULES | + | # │ └───── 2.3 AVAILABLE RULES │ |
- | # ├──┐PATHS | + | # │ │ |
- | # │ ├──┐EXCLUDED | + | # ├──┬───── 3. |
- | # │ │ ├── ETC | + | # │ ├──┬── 3.1 EXCLUDED |
- | # │ │ ├── USR | + | # │ │ ├── |
- | # │ │ | + | # │ │ ├── |
- | # │ └──┐INCLUDED | + | # │ │ |
- | # │ | + | # │ |
- | # │ | + | # │ └──┬── 3.2. |
- | # │ | + | # │ |
- | # │ | + | # │ |
- | # │ | + | # │ |
- | # └─────────────────────────────────────────────────────────────── | + | # │ |
- | + | # │ | |
- | # ################################################################ | + | # └──────────────────────────────────────────────────────────────────────┘ |
- | + | # | |
- | # ################################ | + | ## 1. |
+ | ## 1.1 DATABASE | ||
@@define DBDIR / | @@define DBDIR / | ||
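Review bot: The header inserted at the top of the file now declares aide.conf as "Ansible managed" (and the pasted block ends further down with `# END ANSIBLE MANAGED - DO NOT EDIT BLOCK`), yet the sentence just above the listing still tells the reader to make adjustments with `sudo vim` on the file itself; any hand-made change will be overwritten on the next playbook run. Either point the reader at the playbook template that renders this file, or drop the vim instruction, and state which of the two is the source of truth so that a manually added exclusion or rule is not silently lost.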
Zeile 1622: | Zeile 1691: | ||
# The location of the database to be read. | # The location of the database to be read. | ||
- | database_in=file:@@{DBDIR}/aide.db.gz | + | database_in = http://10.0.0.40/ |
# The location of the database to be written. | # The location of the database to be written. | ||
- | # | + | database_out = file: |
- | # | + | |
- | database_out=file: | + | |
- | # Whether to gzip the output to database | + | # Whether to gzip the output to database. |
- | gzip_dbout=yes | + | gzip_dbout = no |
- | # ################################ | + | ## 1.2 REPORT |
- | # Default. | + | # Default |
log_level=warning | log_level=warning | ||
report_level=changed_attributes | report_level=changed_attributes | ||
+ | report_url=syslog: | ||
- | report_url=file: | + | ## 2. RULES |
- | report_url=stdout | + | ## 2.1 LIST OF ATTRIBUTES |
- | #report_url=stderr | + | |
- | #NOT IMPLEMENTED report_url=mailto: | + | |
- | #NOT IMPLEMENTED report_url=syslog: | + | |
- | + | ||
- | # ################################################################ | + | |
- | + | ||
- | # ################################ | + | |
# These are the default parameters we can check against. | # These are the default parameters we can check against. | ||
- | #p: | + | # p: permissions |
- | #i: | + | # i: inode |
- | #n: | + | # n: number of links |
- | #u: | + | # u: user |
- | #g: | + | # g: group |
- | #s: | + | # s: size |
- | #b: | + | # b: block count |
- | #m: | + | # m: mtime |
- | #a: | + | # a: atime |
- | #c: | + | # c: ctime |
- | #S: | + | # S: check for growing size |
- | #acl: | + | # acl: Access Control Lists |
- | # | + | # selinux |
- | # | + | # (must be enabled at compilation time) |
+ | # xattrs: | ||
- | # ################################ | + | # 2.2 LIST OF CHECKSUMS |
- | #md5: | + | # md5: md5 checksum |
- | # | + | # sha1: |
- | # | + | # sha256: |
- | # | + | # sha512: |
- | # | + | # rmd160: |
- | # | + | # tiger: |
- | # | + | # haval: |
- | # | + | # gost: |
- | # | + | # crc32: |
- | # | + | # whirlpool: |
- | # ################################ | + | # 2.3 AVAILABLE RULES |
# These are the default rules | # These are the default rules | ||
- | #R: | + | # R: p+i+l+n+u+g+s+m+c+md5 |
- | #L: | + | # L: p+i+l+n+u+g |
- | #E: | + | # E: Empty group |
- | #>: | + | # >: Growing logfile p+l+u+g+i+n+S |
+ | |||
+ | # Default compound groups: | ||
+ | # R: l+p+u+g+s+c+m+i+n+md5+acl+xattrs+ftype+e2fsattrs | ||
+ | # L: l+p+u+g+i+n+acl+xattrs+ftype+e2fsattrs | ||
+ | # >: l+p+u+g+s+i+n+acl+xattrs+ftype+e2fsattrs+growing | ||
+ | # H: md5+sha1+rmd160+tiger+crc32+gost+sha256+sha512+whirlpool | ||
+ | # +stribog256+stribog512 | ||
+ | # X: acl+xattrs+e2fsattrs | ||
+ | |||
+ | # You can create custom rules - my home made rule definition goes like this | ||
+ | # ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger | ||
- | # You can create custom rules - my home made rule definition goes like this | ||
- | ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 | ||
- | ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger | ||
# Everything but access time (Ie. all changes) | # Everything but access time (Ie. all changes) | ||
- | EVERYTHING = R+ALLXTRAHASHES | + | EVERYTHING = R+sha256+sha512 |
# Sane, with multiple hashes | # Sane, with multiple hashes | ||
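Review bot: `database_in = http://10.0.0.40/...` in the 1.1 DATABASE block fetches the reference database over plain, unauthenticated HTTP from another host, so the baseline that every `aide --check` is compared against can be swapped by anyone able to spoof or intercept traffic to 10.0.0.40, and a tampered baseline hides exactly the changes the HIDS exists to report. Prefer a transport with integrity protection (an https: URL with a verified certificate, or copying the file over ssh and reading it via file:), and keep the database hashes AIDE prints after --init so that the values printed at --check can be compared against them. A smaller point in the same hunk: the comment block now defines R twice with different members, `# R: p+i+l+n+u+g+s+m+c+md5` under "default rules" and `# R: l+p+u+g+s+c+m+i+n+md5+acl+xattrs+ftype+e2fsattrs` under "Default compound groups"; keep one, and note that both include md5, which the aide.conf(5) excerpt above marks as deprecated since v0.19, so EVERYTHING = R+sha256+sha512 still computes it.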
Zeile 1713: | Zeile 1783: | ||
DATAONLY = p+n+u+g+s+acl+xattrs+sha256 | DATAONLY = p+n+u+g+s+acl+xattrs+sha256 | ||
- | # ################################################################ | + | ## 3. PATHS |
+ | # | ||
+ | # Here we define which directories and files we want to view or not view | ||
+ | # when monitoring with AIDE. | ||
+ | # | ||
+ | ## 3.1 EXCLUDED | ||
+ | ## 3.1.1 ETC | ||
- | # Next decide what directories/files you want in the database. | + | # Ignore root cache files |
- | + | !/root/.* | |
- | # ################################ | + | |
- | + | ||
- | # ################ | + | |
# Ignore backup files | # Ignore backup files | ||
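Review bot: `!/root/.*` under "Ignore root cache files" excludes far more than cache or dot files: AIDE rules are regular expressions matched from the start of the path, so `.*` matches every child of /root, and a matching negative rule takes precedence over a selection line, which leaves the later `/root NORMAL` covering little more than the directory entry itself. Root's home holds its shell startup files and SSH configuration, which are exactly what a HIDS should watch, so narrow the pattern to what is meant (for dot files `!/root/\..*`, for a cache directory that directory's own path) or drop the exclusion.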
Zeile 1727: | Zeile 1800: | ||
!/etc/mtab | !/etc/mtab | ||
- | # ################ | + | ## 3.1.2 USR |
# These are too volatile | # These are too volatile | ||
Zeile 1733: | Zeile 1806: | ||
!/usr/tmp | !/usr/tmp | ||
- | # ################ | + | ## 3.1.3 VAR |
# Ignore logs | # Ignore logs | ||
!/ | !/ | ||
!/ | !/ | ||
- | !/ | + | !/ |
- | !/ | + | !/ |
- | !/ | + | |
!/ | !/ | ||
- | # ################################ | + | ## 3.1.4 OTHERS |
+ | # Ignore cups | ||
+ | !/etc/cups | ||
- | # ################ | + | # Ignore backup files |
+ | !/root/.* | ||
+ | |||
+ | |||
+ | ## 3.2 INCLUDED | ||
+ | ## 3.2.1 ETC | ||
- | # Check only permissions, | + | # Check only permissions, |
+ | # important files closely. | ||
/etc PERMS | /etc PERMS | ||
/ | / | ||
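Review bot: `!/root/.*` under "Ignore backup files" in 3.1.4 OTHERS duplicates the identical rule already added under 3.1.1 ETC with the comment "Ignore root cache files"; one of the two should go, and whichever stays needs a comment that says what the pattern actually matches (everything below /root, not only backup or cache files). Two copies with contradicting comments will mislead the next person trying to work out why changes under /root never appear in a report.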
Zeile 1810: | Zeile 1890: | ||
/ | / | ||
- | # ################ | + | ## 3.2.2 USR |
/usr | /usr | ||
/ | / | ||
- | # ################ | + | ## 3.2.3 VAR |
/ | / | ||
Zeile 1822: | Zeile 1902: | ||
/ | / | ||
- | # ################ | + | ## 3.2.4 OTHERS |
/boot NORMAL | /boot NORMAL | ||
Zeile 1830: | Zeile 1910: | ||
/opt | /opt | ||
/root NORMAL | /root NORMAL | ||
- | </ | ||
- | Wie eigentlich immer bei der Konfiguration von neuen Programmen lohnt es sich die zugehörige Konfigurationsdatei - in unserem Falle von **AIDE** die **''/ | ||
- | | + | # Host based OTHERS |
- | * Anschließend sollte man sich Gedanken machen, welche Hashingalgorithmen verwendet werden sollen. In den Standardeinstellungen bildet AIDE sieben verschiedene | + | # local user scripts |
- | * Ferner kann über Regelsätze definiert werden welche Eigenschaften (Parameter) von Verzeichnissen und/oder Dateien überwacht werden sollen. Hier können entsprechende Vorgaben in der Default-Konfigurationsdatei übernommen bzw. auch ganz eigene | + | / |
+ | |||
+ | # local scripts with root rights | ||
+ | / | ||
+ | |||
+ | |||
+ | # | ||
+ | # END ANSIBLE MANAGED - DO NOT EDIT BLOCK</ | ||
+ | |||
+ | Wie eigentlich immer bei der Konfiguration von neuen Programmen lohnt es sich die zugehörige Konfigurationsdatei - in unserem Falle von **AIDE** die **''/ | ||
+ | |||
+ | | ||
+ | Leider existiert aktuell((Stand: | ||
+ | </ | ||
+ | * Logging : Der Parameter **'' | ||
+ | report_url=stdout'' | ||
+ | * Anschließend sollte man sich Gedanken machen, welche Hashingalgorithmen verwendet werden sollen. In den Standardeinstellungen bildet AIDE sieben verschiedene | ||
+ | * Ferner kann über Regelsätze definiert werden welche Eigenschaften (Parameter) von Verzeichnissen und/oder Dateien überwacht werden sollen. Hier können entsprechende Vorgaben in der Default-Konfigurationsdatei übernommen bzw. auch ganz eigene | ||
* p: Überprüfen Sie die Dateiberechtigungen der ausgewählten Dateien oder Verzeichnisse. | * p: Überprüfen Sie die Dateiberechtigungen der ausgewählten Dateien oder Verzeichnisse. | ||
* i: Überprüfen Sie die Inode-Nummer. Jeder Dateiname hat eine eindeutige Inode-Nummer, | * i: Überprüfen Sie die Inode-Nummer. Jeder Dateiname hat eine eindeutige Inode-Nummer, | ||
Zeile 1848: | Zeile 1943: | ||
* S: Auf eine geänderte Dateigröße prüfen. | * S: Auf eine geänderte Dateigröße prüfen. | ||
* I: Änderungen des Dateinamens ignorieren. \\ Folgende Hash-Werte können bei der berechnung der Prüfsummen verwendet werden: | * I: Änderungen des Dateinamens ignorieren. \\ Folgende Hash-Werte können bei der berechnung der Prüfsummen verwendet werden: | ||
- | * md5: md5 Prüfsumme (Die Verwendung von sha256 oder sha512 ist hier empfohlen.) | + | * md5: md5 Prüfsumme (deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt - die Verwendung von sha256 oder sha512 ist hier empfohlen.) |
- | * sha1: sha1 Prüfsumme (Die Verwendung von sha256 oder sha512 ist hier empfohlen.) | + | * sha1: sha1 Prüfsumme (deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt - die Verwendung von sha256 oder sha512 ist hier empfohlen.) |
* sha256: sha256 Prüfsumme | * sha256: sha256 Prüfsumme | ||
* sha512: sha512 Prüfsumme | * sha512: sha512 Prüfsumme | ||
- | * rmd160: rmd160 Prüfsumme | + | * rmd160: rmd160 Prüfsumme |
* tiger: tiger Prüfsumme | * tiger: tiger Prüfsumme | ||
* haval: haval Prüfsumme (MHASH only) | * haval: haval Prüfsumme (MHASH only) | ||
- | * gost: gost Prüfsumme (MHASH only) | + | * gost: gost Prüfsumme ((deprecated seit AIDE v0.19, wird in AIDE v0.21 entfernt - MHASH only) |
* crc32: crc32 Prüfsumme (MHASH only) | * crc32: crc32 Prüfsumme (MHASH only) | ||
- | * whirlpool: whirlpool Prüfsumme (MHASH only) | + | * whirlpool: whirlpool Prüfsumme (MHASH only) \\ \\ |
- | * Zum Schluß muss man sich noch Gedanken machen welche Dateien und Verzeichniss | + | * Zum Schluß muss man sich noch Gedanken machen welche Dateien und Verzeichnis |
Ist man mit der Konfiguration von **AIDE** soweit zufrieden und fertig, ist man gut beraten mit Hilfe der Option **'' | Ist man mit der Konfiguration von **AIDE** soweit zufrieden und fertig, ist man gut beraten mit Hilfe der Option **'' | ||
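Review bot: The checksum list (the md5 to whirlpool bullets) now marks md5, sha1 and gost as deprecated but still presents tiger, haval, crc32 and whirlpool as usable "(MHASH only)" options, although the aide.conf(5) excerpt pasted above states that haval, tiger, whirlpool and crc32 were removed in AIDE v0.19 and that rmd160 is deprecated as well; bring the list in line with the man page so readers on v0.19 do not put removed algorithms into a rule. Also, in the gost bullet the doubled opening parenthesis in `((deprecated` opens a DokuWiki footnote (the page uses `((...))` for footnotes elsewhere), so the parenthetical will not render as intended; it should be a single `(`.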
Zeile 1867: | Zeile 1962: | ||
Bevor wir nun die AIDE-Datenbank initial erstellen, werfen wir noch kurz einen Blick auf die Optionen, die bei Aufruf von **'' | Bevor wir nun die AIDE-Datenbank initial erstellen, werfen wir noch kurz einen Blick auf die Optionen, die bei Aufruf von **'' | ||
# aide --help | # aide --help | ||
- | < | + | < |
Usage: aide [options] command | Usage: aide [options] command | ||
Zeile 1877: | Zeile 1972: | ||
-u, --update Check and update the database non-interactively | -u, --update Check and update the database non-interactively | ||
-E, --compare Compare two databases | -E, --compare Compare two databases | ||
+ | --list List the entries of the database in human readable format | ||
Miscellaneous: | Miscellaneous: | ||
Zeile 1891: | Zeile 1987: | ||
-L LEVEL --log-level=LEVEL Set log message level to LEVEL | -L LEVEL --log-level=LEVEL Set log message level to LEVEL | ||
-W WORKERS --workers=WORKERS Number of simultaneous workers (threads) for file attribute processing (i.a. hashsum calculation) | -W WORKERS --workers=WORKERS Number of simultaneous workers (threads) for file attribute processing (i.a. hashsum calculation) | ||
- | </ | + | --no-progress Turn progress off explicitly |
+ | --no-color TUrn color off explicitly</ | ||
=== Datenbank erstellen === | === Datenbank erstellen === | ||
Zeile 1897: | Zeile 1994: | ||
[django@pml010074 ~]$ sudo aide --init | [django@pml010074 ~]$ sudo aide --init | ||
- | < | + | < |
AIDE successfully initialized database. | AIDE successfully initialized database. | ||
- | New AIDE database written to / | + | New AIDE database written to / |
- | Number of entries: 470065 | + | Number of entries: 470035 |
--------------------------------------------------- | --------------------------------------------------- | ||
Zeile 1907: | Zeile 2004: | ||
--------------------------------------------------- | --------------------------------------------------- | ||
- | / | + | / |
- | | + | |
- | | + | Op1EaaqYtAA= |
- | | + | |
- | nYBsXz2aSMo= | + | drMK/NU8OQzveDMAAiFJT6bqJ0KRBLTX |
- | | + | rZNy4XA1RSrNQGuekuccYw== |
- | YBrKfqpm/AjNnQywrQPv8AcjX7/ | + | STRIBOG256: Q/ |
- | 8ihTjdCy5LAD3ZlfdJYC7g== | + | cLssvKnNxRc= |
- | RMD160 | + | STRIBOG512: w/jP8nke9Mr9WuMvyhUFV4VRdhJ7A0z3 |
- | TIGER : Hj2m4H+yydhksoj0wMAAE5CWQu1TqXHz | + | NuKc0P1oq6G880fu2yOczsFD0Sm8Vy7z |
- | | + | kGvmNQD0z5DDOZbeaRy+/w== |
- | WHIRLPOOL | + | SHA512/256: XyVqxWTI2O+KJzjmfvUcm/ |
- | +U3PpE0jtafK8ct3zRj+1wP6L8qSBecU | + | UVHA7epku8k= |
- | uR+4N66Mn7NBhJl8+GkmEw== | + | SHA3-256 |
- | GOST | + | wW+98W156UI= |
- | jUXKnFWkCeo= | + | SHA3-512 |
- | STRIBOG256: / | + | RpoOGeJPdWjg/l9j/zMfmuF++LQrV7HY |
- | NEbUlsM1RX8= | + | |
- | STRIBOG512: c2uv2hcchsbSE681IRNXu78ntDz2ZF60 | + | |
- | | + | |
- | /fnsqLQg6W/kSikrQJrHIw== | + | |
- | End timestamp: 2025-02-09 13:22:34 +0100 (run time: 4m 39s) | + | End timestamp: 2025-04-09 20:24:33 +0200 (run time: 2m 53s) |
</ | </ | ||
Zeile 1936: | Zeile 2030: | ||
Mit der Option **'' | Mit der Option **'' | ||
[django@pml010074 ~]$ sudo aide --check | [django@pml010074 ~]$ sudo aide --check | ||
- | < | + | < |
- | AIDE found NO differences between database and filesystem. Looks okay!! | + | |
Number of entries: | Number of entries: | ||
Zeile 1945: | Zeile 2038: | ||
--------------------------------------------------- | --------------------------------------------------- | ||
- | /var/lib/aide/aide.db.gz | + | http://10.0.0.40/local/pml010074.aide-database |
- | End timestamp: 2025-02-09 16:53:10 +0100 (run time: 5m 40s) | + | End timestamp: 2025-04-09 20:27:51 +0200 (run time: 2m 25s) |
</ | </ | ||
Line 1982: | Line 2072: | ||
[django@pml010074 ~]$ sudo aide --check | [django@pml010074 ~]$ sudo aide --check | ||
- | < | + | < |
AIDE found differences between database and filesystem!! | AIDE found differences between database and filesystem!! | ||
Summary: | Summary: | ||
- | Total number of entries: 470065 | + | Total number of entries: 470035 |
Added entries: 1 | Added entries: 1 | ||
- | Removed entries: 1 | + | Removed entries: 0 |
- | Changed entries: 5 | + | Changed entries: 2 |
--------------------------------------------------- | --------------------------------------------------- | ||
Line 1996: | Line 2086: | ||
f+++++++++++++++: | f+++++++++++++++: | ||
- | |||
- | --------------------------------------------------- | ||
- | Removed entries: | ||
- | --------------------------------------------------- | ||
- | |||
- | f---------------: | ||
--------------------------------------------------- | --------------------------------------------------- | ||
Line 2007: | Line 2091: | ||
--------------------------------------------------- | --------------------------------------------------- | ||
- | d = ... mc.. : /root | + | f |
- | d < ... mc.. : / | + | d = ... mc.. |
- | f > ... mci.H | + | |
- | f < ... mci.H : /root/.viminfo | + | |
- | d > ... mc.. : /usr/bin | + | |
--------------------------------------------------- | --------------------------------------------------- | ||
Detailed information about changes: | Detailed information about changes: | ||
--------------------------------------------------- | --------------------------------------------------- | ||
Directory: /root | Directory: /root | ||
Line 2052: | Line 2110: | ||
--------------------------------------------------- | --------------------------------------------------- | ||
- | /var/lib/aide/aide.db.gz | + | http://10.0.0.40/local/pml010074.aide-database |
- | End timestamp: 2025-02-09 18:15:03 +0100 (run time: 5m 51s) | + | End timestamp: 2025-04-09 20:27:51 +0200 (run time: 2m 25s) |
</ | </ | ||
- | In the summary we thus see a total of 470,065 database entries, | + | In the summary we thus see a total of 470,035 database entries, |
- | Total number of entries: 470065 | + | Total number of entries: 470035 |
- | Added entries: | + | Added entries: 1 |
- | Removed entries: 1 | + | Removed entries: 0 |
- | Changed entries: 5 | + | Changed entries: 2 |
The file **''/ | The file **''/ |
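As an added example (not code from the original page), a small Python parser for the summary block of an `aide --check` report in the layout shown above, with a counter cross-check and a triage step that filters a constructed allowlist of known-noisy paths; the sample report text is constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not a real run), abridged to the report layout shown above:
# a summary block with counters, then one line per added/removed/changed entry.
SAMPLE_REPORT = """\
AIDE found differences between database and filesystem!!
Summary:
  Total number of entries:      470035
  Added entries:                1
  Removed entries:              0
  Changed entries:              2
---------------------------------------------------
Added entries:
---------------------------------------------------
f+++++++++++++++: /usr/local/bin/example-new-file
---------------------------------------------------
Changed entries:
---------------------------------------------------
f < ... mci.H    : /root/.viminfo
d = ... mc..     : /usr/bin
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /root/.viminfo
End timestamp: 2025-04-09 20:27:51 +0200 (run time: 2m 25s)
"""

SUMMARY_RE = re.compile(
    r"^\s*(Total number of entries|Added entries|Removed entries|Changed entries):\s+(\d+)\s*$")
SECTION_RE = re.compile(r"^(Added|Removed|Changed) entries:$")
# entry line: type letter, attribute-change flags, ':' and an absolute path
ENTRY_RE = re.compile(r"^([a-zA-Z])(.*?)\s*:\s+(/\S.*)$")

@dataclass
class AideReport:
    differences: bool = False
    counts: dict = field(default_factory=dict)
    entries: dict = field(default_factory=lambda: {"Added": [], "Removed": [], "Changed": []})

def parse_report(text):
    """Parse the text of an 'aide --check' run into counters and entry lists."""
    rep, section = AideReport(), None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("AIDE found differences"):
            rep.differences = True
        elif m := SUMMARY_RE.match(line):
            rep.counts[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif line.startswith("Detailed information"):
            section = None  # 'File: /path' lines below are not entry lines
        elif section and (m := ENTRY_RE.match(line)):
            rep.entries[section].append((m.group(1), m.group(2).strip(), m.group(3)))
    return rep

# Constructed allowlist: paths that change on routine admin logins (the page's
# own report shows /root/.viminfo changing) and should not alert on their own.
EXPECTED_NOISE = {"/root/.viminfo"}

def counts_consistent(rep):
    """True if the summary counters match the parsed lists; a mismatch means the
    report was truncated or mangled and must not be treated as clean."""
    return all(rep.counts.get(f"{s} entries", 0) == len(v) for s, v in rep.entries.items())

def triage(rep, allow=EXPECTED_NOISE):
    """Return (section, type, flags, path) for every reported entry not on the allowlist."""
    return [(s, t, f, p) for s, items in rep.entries.items() for t, f, p in items if p not in allow]

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("counters consistent:", counts_consistent(report))
    for sec, typ, flags, path in triage(report):
        print(f"{sec:8} {typ} {flags:<14} {path}")
```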
Line 2127: | Line 2182: | ||
=== enable daily checks === | === enable daily checks === |
- | Recurring | + | Recurring |
[django@pml010074 ~] $ sudo systemctl enable --now aidecheck.timer | [django@pml010074 ~] $ sudo systemctl enable --now aidecheck.timer | ||
Line 2146: | Line 2201: | ||
</ | </ | ||
+ | === journald (daily) logs === |
+ | In the configuration file **''/ |
+ | |||
+ | # vim / | ||
+ | < | ||
+ | |||
+ | # Default | ||
+ | log_level=warning | ||
+ | report_level=changed_attributes | ||
+ | report_url=stdout | ||
+ | report_url=syslog: | ||
+ | |||
+ | ...</ | ||
+ | |||
+ | This way we can simply display the AIDE log entries. |
+ | # journalctl -f / | ||
+ | ++++ Output of the AIDE log entries in the journal | |
+ | < | ||
+ | Number of entries: | ||
+ | --------------------------------------------------- | ||
+ | The attributes of the (uncompressed) database(s): | ||
+ | --------------------------------------------------- | ||
+ | End timestamp: 2025-03-14 16:20:38 +0100 (run time: 1m 41s) | ||
+ | |||
+ | </ | ||
+ | ++++ | ||
===== Orchestration - installation and configuration of AIDE using Ansible | ===== Orchestration - installation and configuration of AIDE using Ansible |
==== Task ==== | ==== Task ==== |
Line 2162: | Line 2272: | ||
-O - | tar -xz --strip-components=1 -C ~/ | -O - | tar -xz --strip-components=1 -C ~/ | ||
- | After adjusting the data in the inventory, one can then | + | After adjusting the data in the inventory, one can then |
</ | </ | ||
Line 2198: | Line 2308: | ||
++++ | ++++ | ||
- | Our example inventory now has the following structure: | + | Our example inventory now has the following structure: |
< | < | ||
├── group_vars | ├── group_vars | ||
Line 2270: | Line 2380: | ||
++++ | ++++ | ||
- | The installation of AIDE is handled in the first task group with the tag **'' | + | The installation of AIDE is handled in the first task group with the tag **'' |
$ vim roles/ | $ vim roles/ | ||
++++ roles/ | ++++ roles/ | ||
Line 2276: | Line 2386: | ||
++++ | ++++ | ||
- | The actual installation, configuration and the creation | + | The actual installation, configuration and the creation |
$ vim roles/ | $ vim roles/ | ||
++++ roles/ | ++++ roles/ | ||
Line 2282: | Line 2392: | ||
++++ | ++++ | ||
- | What is still missing is copying the created AIDE database to our internal repository/ | + | What is still missing is copying the created AIDE database to our internal repository/ |
$ vim roles/ | $ vim roles/ | ||
++++ roles/ | ++++ roles/ | ||
Line 2289: | Line 2399: | ||
== templates == | == templates == | ||
- | For creating the AIDE configuration file **''/ | + | For creating the AIDE configuration file **''/ |
<WRAP center round tip 80%> | <WRAP center round tip 80%> | ||
Line 2297: | Line 2407: | ||
$ vim roles/ | $ vim roles/ | ||
++++ roles/ | ++++ roles/ | ||
- | {{gh> https:// | + | {{gh> https:// |
++++ | ++++ | ||
Line 2306: | Line 2416: | ||
== handlers == | == handlers == | ||
- | Should, during the playbook run, | + | Should, during the playbook run, the individual systemd timer configuration file **''/ |
Last but not least, we still need a configuration of the tasks that, on a **'' | Last but not least, we still need a configuration of the tasks that, on a **'' |
Line 2319: | Line 2429: | ||
$ vim playbooks/ | $ vim playbooks/ | ||
++++ playbooks/ | ++++ playbooks/ | ||
- | {{gh> https:// | + | {{gh> https:// |
++++ | ++++ | ||
+ | === Execution - playbook run === |
+ | The orchestrated variant of installing and configuring our **AIDE** daemon is now very simple: we only need to store and maintain the configuration values in the inventory and finally run the playbook accordingly, e.g. when intended changes to a system were made by an admin or by a run of one of the Ansible playbooks. |
+ | In the following example we now install our AIDE daemon on the host **'' |
+ | $ ansible-playbook playbooks/ | ||
+ | < | ||
+ | </ | ||
+ | </ | ||
+ | ==== Verifying the result ==== |
+ | Looking into our system journal, we first of all find, among other things, the setting of the **'' |
+ | # journalctl -f / | ||
+ | < | ||
+ | Mar 14 14:40:36 pml010070 systemd[1]: Started Aide check every day at 05:51:00. | ||
+ | Mar 14 14:40:36 pml010070 systemd[1]: Started Aide Check.</ | ||
+ | |||
+ | Furthermore, we also find information on the initial creation of the AIDE database. |
+ | # journalctl -f / | ||
+ | ++++ journal during creation of the initial database | |
+ | < | ||
+ | The attributes of the (uncompressed) database(s): | ||
+ | | ||
+ | End timestamp: 2025-03-14 14:43:07 +0100 (run time: 2m 31s) | ||
+ | Mar 14 14:43:07 pml010070 systemd[1]: aidecheck.service: | ||
+ | Mar 14 14:43:07 pml010070 systemd[1]: aidecheck.service: | ||
+ | ++++ | ||
+ | |||
+ | Every day at **05:51**, our host will now check the current database against the existing AIDE database on our internal repository/ |
+ | # journalctl | ||
+ | ++++ journal of this host's daily check at 05:51 | |
+ | < | ||
+ | | ||
+ | Total number of entries: | ||
+ | Added entries: | ||
+ | | ||
+ | | ||
+ | Mar 15 05:53:01 pml010070 aide[57175]: | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | Mar 15 05:53:01 pml010070 aide[57175]: | ||
+ | d = ... mc.. .. : /etc/cups | ||
+ | Mar 15 05:53:01 pml010070 aide[57175]: | ||
+ | d = ... mc.. : /root | ||
+ | Mar 15 05:53:01 pml010070 aide[57175]: | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | The attributes of the (uncompressed) database(s): | ||
+ | | ||
+ | |||
+ | End timestamp: 2025-03-15 05:53:01 +0100 (run time: 1m 52s) | ||
+ | Mar 15 05:53:01 pml010070 systemd[1]: aidecheck.service: | ||
+ | Mar 15 05:53:01 pml010070 systemd[1]: aidecheck.service: | ||
+ | Mar 15 05:53:01 pml010070 systemd[1]: aidecheck.service: | ||
+ | </ | ||
+ | ++++ | ||
+ | |||
+ | ===== Conclusion and outlook ===== |
+ | <WRAP center round tip 80%> | ||
+ | With **AIDE** we now have a tool at hand with which we can easily monitor the file systems of our hosts for anomalies. With the help of our Ansible playbook we can now not only handle the installation and configuration of the AIDE daemon, but also easily handle the hosts' respective AIDE databases after changes by the admin or after updates or Ansible runs, |
+ | |||
+ | In this configuration example it was merely shown how, with the help of Ansible, one can easily install, |
+ | take a closer look at in detail! |
+ | </ | ||
+ | ====== Links ====== | ||
+ | * **[[linux: | ||
+ | * **=> [[linux: | ||
+ | * **[[linux: | ||
+ | * **[[wiki: | ||
+ | * **[[http:// | ||
- | FIXME FIXME FIXME |