I have a server configured with AIDE and I’m trying to tune out false positives. I received an alert this morning that a file had been added to a folder that I believe should only alert on ACL changes, unless I’m misunderstanding something.
Here are the relevant parts of the config file:
...
# Access control only.
PERMS = p+u+g+acl+selinux+xattrs
...
/var/run/faillock/ PERMS
And the alert generated when I run aide --check:
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2020-01-30 09:37:22
Summary:
Total number of files: 69687
Added files: 1
Removed files: 0
Changed files: 0
---------------------------------------------------
Added files:
---------------------------------------------------
added: /var/run/faillock/testfile
OS is CentOS 7, if that’s relevant.
Answer
aide is alerting you that a file has been added to the directory. It has not checked it against ACL changes or anything else because it's never seen it before. You want this check in case a file gets added that you don't expect. If there is a specific pattern of file you want ignored, use the ! to negate it in the config.
Rerun aide --init, copy the aide.db.new.gz to aide.db.gz, and rerun aide --check.
Once it’s recorded in the aide.db.gz it will work as you expect.
You will see a clean result.
To test your config file, change the permissions of the file and run aide --check again. You'll see something like this:
# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2020-01-30 18:20:22
Summary:
Total number of files: 69135
Added files: 0
Removed files: 0
Changed files: 1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /tmp/blah
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /tmp/blah
Perm : -rw-r--r-- , -rw-------
ACL : old = A:
----
user::rw-
group::r--
other::r--
----
D: <NONE>
new = A:
----
user::rw-
group::---
other::---
----
D: <NONE>
To ignore a new file you'll need to specifically add it to the aide.conf. As stated in the reference, if you want to scan /var/log/messages but not /var/log/messages.[0-9] you can do something like this:
=/var/log/messages$ R+a
!/var/log/messages\.[0-9]$
Now only messages files ending in a number 0-9 are not included in the database. Note an intruder could disguise a rootkit by creating a directory called messages.9, if messages.9 does not already exist, that is.
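A constructed Python model of the selection behaviour this answer describes (added here as an illustration; it is neither AIDE's code nor the answerer's). It reproduces why /var/run/faillock/testfile is reported as added regardless of what the PERMS group lists, why only PERMS attributes are compared once the file is in the database, and how the ! line drops messages.9 and anything beneath it. The rule precedence (negative, then equals, then regular lines) and the prefix matching are simplifying assumptions.

```python
import re

# Constructed, simplified model of AIDE selection lines (not AIDE's own code):
# "!regex" excludes, "=regex GROUP" matches only that entry, "regex GROUP"
# matches the path prefix and recurses. Assumed precedence: negative, then
# equals, then regular lines. Built-in groups such as R are not expanded here.
GROUPS = {"PERMS": "p+u+g+acl+selinux+xattrs"}  # from the question's aide.conf
CONF = r"""
/var/run/faillock/ PERMS
=/var/log/messages$ R+a
!/var/log/messages\.[0-9]$
"""

def parse_rules(conf_text=CONF):
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            rules.append(("neg", re.compile(line[1:]), None))
        else:
            rx, group = line.lstrip("=").split(None, 1)
            kind = "equ" if line.startswith("=") else "sel"
            rules.append((kind, re.compile(rx), GROUPS.get(group, group)))
    return rules

def select(path, rules):
    """Attribute group AIDE would apply to path, or None if not monitored."""
    parts = path.split("/")
    for i in range(2, len(parts) + 1):  # an excluded dir is never entered
        if any(k == "neg" and rx.match("/".join(parts[:i])) for k, rx, _ in rules):
            return None
    for wanted in ("equ", "sel"):
        for kind, rx, group in rules:
            if kind == wanted and rx.match(path):
                return group
    return None

def check(db, fs, rules):
    """Mimic aide --check: db and fs map path -> {attr: value}."""
    added = [p for p in fs if p not in db and select(p, rules)]
    removed = [p for p in db if p not in fs and select(p, rules)]
    changed = []
    for p in fs:
        group = select(p, rules)  # only this group's attributes are compared
        if p in db and group and any(db[p].get(a) != fs[p].get(a) for a in group.split("+")):
            changed.append(p)
    return added, removed, changed
```

Calling check with an empty db and a dict containing /var/run/faillock/testfile lists it under added; after "initialising" by reusing that dict as the db, only a change to an attribute named in PERMS (such as p) is reported, while an mtime change is ignored.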
Attribution
Source: Link; Question Author: ebarrere; Answer Author: kenlukas