RE: AIDE defaults in debian stretch
- Date: Thu, 12 Oct 2017 08:09:15 -0400
- From: <john@xxxxxxxxxxxxxx>
- Subject: RE: AIDE defaults in debian stretch
Thanks. I will work on the config more.
From: Dejan Jocic [mailto:jodejka@xxxxxxxxx]
Sent: Wednesday, October 11, 2017 1:12 PM
Subject: Re: AIDE defaults in debian stretch
On 10-10-17, john@xxxxxxxxxxxxxx wrote:
> The Debian configuration files in AIDE on Debian seem to monitor a lot
> of files that I'm not sure need monitoring. Maybe someone could shed
> some light.
> Is there a reason I should monitor /run? What about the /var/log/
> files that are rotated. It often complains about that. How about systemd
I'm far from expert in this, just user of AIDE, so was hopping that someone
with more knowledge than me will shed some light on this.
Anyway, I did not like how AIDE works in Debian, looked overcomplicated to
me, so I've installed aide without recommends. If you do it like that, you
end up without aide-common package, which will make AIDE much more vanilla
like. You do not have any config file, nor cron job added automatically. So,
you need to do bit of learning that way and to include in that aide.conf
file what you want, and what you do not want.
Find some examples on net, like this one:
# define the path for creating the databases.
# define your own aide rule.
MYRULE = p+n+u+g+s+m+c+xattrs+md5+sha1
# choose your directories/files you want in the database and which rule
should be used.
# define your exceptions.
!/proc # ignore /proc filesystem
!/sys # ignore /sys filesystem
That one is obvious overkill, because whole system will be checked except
/proc and /sys, but is good example how you can exclude what you do not want
to. Also, that one uses /var/lib/aide for databases, which for sure is not
recommended practice. Best practice would be to put aide.conf, databases and
even aide binary on, for example, USB that would be inserted just for check.
As for should you make AIDE check /run and /var/log, not really sure. Some
think that even some things under /proc should be checked (not that AIDE can
do it anyway). But checking /var/log is annoying and bit of overkill, at
least for me.
Hope that this helps you at least a bit.