Re: AIDE defaults in debian stretch

To: debian-user@lists.debian.org
Subject: Re: AIDE defaults in debian stretch
From: Dejan Jocic <jodejka@gmail.com>
Date: Wed, 11 Oct 2017 19:12:12 +0200
Message-id: <[🔎] 20171011171212.z3sek77fwir5zy2j@ddeb.ddeb.net>
In-reply-to: <[🔎] 014601d341d7$94a016d0$bde04470$@bluemarble.net>
References: <[🔎] 014601d341d7$94a016d0$bde04470$@bluemarble.net>

On 10-10-17, john@bluemarble.net wrote:
> The Debian configuration files in AIDE on Debian seem to monitor a lot of
> files that I'm not sure need monitoring. Maybe someone could shed some
> light.
> 
> Is there a reason I should monitor /run? What about the /var/log/ files that
> are rotated. It often complains about that. How about systemd journal files?
> 
> Thanks.
> 
> 

I'm far from expert in this, just user of AIDE, so was hopping that
someone with more knowledge than me will shed some light on this.
Anyway, I did not like how AIDE works in Debian, looked overcomplicated
to me, so I've installed aide without recommends. If you do it like
that, you end up without aide-common package, which will make AIDE much
more vanilla like. You do not have any config file, nor cron job added
automatically. So, you need to do bit of learning that way and to
include in that aide.conf file what you want, and what you do not want.
Find some examples on net, like this one:

# define the path for creating the databases.
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new

# define your own aide rule.
MYRULE =  p+n+u+g+s+m+c+xattrs+md5+sha1

# choose your directories/files you want in the database and which rule should be used.
/ MYRULE

# define your exceptions.
!/proc   # ignore /proc filesystem
!/sys    # ignore /sys filesystem

That one is obvious overkill, because whole system will be checked
except /proc and /sys, but is good example how you can exclude what you
do not want to. Also, that one uses /var/lib/aide for databases, which
for sure is not recommended practice. Best practice would be to put
aide.conf, databases and even aide binary on, for example, USB that
would be inserted just for check. As for should you make AIDE check /run
and /var/log, not really sure. Some think that even some things under
/proc should be checked (not that AIDE can do it anyway). But checking
/var/log is annoying and bit of overkill, at least for me.

Hope that this helps you at least a bit.

Reply to:

Follow-Ups:
- RE: AIDE defaults in debian stretch
  - From: <john@bluemarble.net>

References:
- AIDE defaults in debian stretch
  - From: <john@bluemarble.net>

Prev by Date: Re: What happened to libreoffice-common in archive?
Next by Date: Re: RE
Previous by thread: AIDE defaults in debian stretch
Next by thread: RE: AIDE defaults in debian stretch
Index(es):
- Date
- Thread