[Solved] Configuring AIDE reporting

ghostcorps · #1 September 21st, 2011, 06:05

Hi Guys

I have installed aide to help monitor my system, but I can not find the cron script or the base configuration file as opposed to /usr/local/etc/aide.conf.

From what I have read, I believe I need to locate the base config file so that I can set the MAILTO option. All the guides I have found say that the base config is /etc/default/aide, but they are all linux centric so the path is slightly incorrect but even if I go to /etc/defaults/ there is still no aide file there. Even find / | grep aide does not find it.

My next step it to run this on a cron. Once again the guides advise that there is a cron script here /etc/cron.daily/aide. I have searched though /etc/periodic but can not find it. I did find a Linux copy of aide.cron HERE, but I am not savvy enough to modify it correctly.

Am I missing some FreeBSD magic? Or will I need to do run aide manually?

graudeejs · #2 September 21st, 2011, 06:15

/usr/local/etc/aide.conf.sample

remember on FreeBSD stuff is installed in /usr/local/ (unless it's a kernel module, which needs to be in /boot/modules/, or some other specific stuff, but these are rare exceptions)

You can always check ports pkg-plist and/or Makefile to check what and where files are installed

ghostcorps · #3 September 21st, 2011, 06:47

Quote:

Originally Posted by graudeejs

/usr/local/etc/aide.conf.sample

remember on FreeBSD stuff is installed in /usr/local/ (unless it's a kernel module, which needs to be in /boot/modules/, or some other specific stuff, but these are rare exceptions)

You can always check ports pkg-plist and/or Makefile to check what and where files are installed

Thanks for the reply

But /usr/local/etc/aide.conf does not have the MAILTO option.

This is the how-to I have been reffering to. You will see that there are two configuration files I needed to find. I had already located aide.conf before posting.

I'll see what Makefile tells me

[EDIT:] It looks like the FreeBSD port only uses one file. But that still leaves me trying to work out how to set my address. Surely it couldn't be as simple as adding MAILTO=root to /usr/local/etc/aide.conf could it?

graudeejs · #4 September 21st, 2011, 07:29

I dunno, perhaps read manual (aide.conf(5) your locally installed manual may be newer than online version)

graudeejs · #5 September 21st, 2011, 07:30

Quick manual search doesn't show anything about mail.... (I might be wrong)
But you can always write custom script to send mail, if aide test fails

ghostcorps · #6 September 21st, 2011, 07:36

Quote:

Originally Posted by graudeejs

I dunno, perhaps read manual (aide.conf(5) your locally installed manual may be newer than online version)

Thanks again,

I have looked over a few versions of the aide.conf(5) and aide(1) manuals to no avail either.

As for writing a script, I wouldn't have a problem setting up a cron but a mail script would be a bit outside my limited abilities. I'm sure I could work it out but I was hoping I could use the native functions wherever possible.

ghostcorps · #7 September 21st, 2011, 07:56

I'm going to try to get the script below to work on FreeBSD. Any suggestions will be greatly appreciated

I will put the script here:
/etc/periodic/security/950.aide

Code:

#!/bin/sh

# email address for reports
email=

# max age of logs and databases in hours
# default 2160 = 90 days
maxage=2160

if [ -f "/usr/sbin/aide" ] && [ -d "/var/lib/aide" ]; then
        dstamp=`date +"%H%M-%m%d%Y"`
        data=/var/lib/aide
        log=/var/lib/aide/aide.log
        cur_db=$data/aide.db
        new_db=$data/aide.db.new

        if [ ! -f "$cur_db" ]; then
                /bin/nice -n 19 /usr/sbin/aide --init >> /dev/null 2>&1
                cp $new_db $cur_db
	fi

	 if [ -f "$cur_db" ]; then
                cur_db_dstamp=`stat -c "%y" $cur_db | tr '.' ' ' | tr -d ':-' | awk '{print$1"-"$2}'`
                cp -f $cur_db $cur_db.$cur_db_dstamp

                /usr/bin/gzip -f $cur_db.$cur_db_dstamp

                cur_log_dstamp=`stat -c "%y" $log | tr '.' ' ' | tr -d ':-' | awk '{print$1"-"$2}'`
                cp -f $log $log.$cur_log_dstamp

                mv -f $new_db $cur_db
                /bin/nice -n 19 /usr/sbin/aide --init >> /dev/null 2>&1
                /bin/nice -n 19 /usr/sbin/aide --compare >> /dev/null 2>&1
		HOSTNAME=`hostname`
		if [ ! -z "$email" ] && [ -f "$log" ]; then
			cat $log | mail -s "AIDE report on $HOSTNAME" $email
		fi
        fi

        if [ -f "/usr/sbin/tmpwatch" ]; then
                /usr/sbin/tmpwatch $maxage $data/
        fi
fi

graudeejs · #8 September 21st, 2011, 08:00

Script above assumes you have fully configured mail server (Sendmail or postfix, or whatever)

It will work fine for delivering mail to local users. (you might just need to fix some paths and/or flags)

The magic is

Code:

cat $log | mail -s "AIDE report on $HOSTNAME" $email

ghostcorps · #9 September 21st, 2011, 08:16

Quote:

Originally Posted by graudeejs

Script above assumes you have fully configured mail server (Sendmail or postfix, or whatever)

It will work fine for delivering mail to local users. (you might just need to fix some paths and/or flags)

The magic is

Code:

cat $log | mail -s "AIDE report on $HOSTNAME" $email

Thanks for your patience,

I have corrected all the paths, which 'seemed' easy enough. It doesn't work yet though, this is what I have come up with so far:

Code:

#!/bin/sh

# email address for reports
email=mymail@gmail.com

# max age of logs and databases in hours
# default 2160 = 90 days
maxage=2160

if [ -f "/usr/local/bin/aide" ] && [ -d "/var/db/aide" ]; then
        dstamp=`date +"%H%M-%m%d%Y"`
        data=/var/db/aide/databases
        log=/var/db/aide/aide.log
        cur_db=$data/aide.db
        new_db=$data/aide.db.new

        if [ ! -f "$cur_db" ]; then
                /usr/bin/nice -n 19 /usr/local/bin/aide --init >> /dev/null 2>&1
                cp $new_db $cur_db
        fi

         if [ -f "$cur_db" ]; then
                cur_db_dstamp=`stat -c "%y" $cur_db | tr '.' ' ' | tr -d ':-' | awk '{print$1"-"$2}'`
                cp -f $cur_db $cur_db.$cur_db_dstamp

                /usr/bin/gzip -f $cur_db.$cur_db_dstamp

                cur_log_dstamp=`stat -c "%y" $log | tr '.' ' ' | tr -d ':-' | awk '{print$1"-"$2}'`
                cp -f $log $log.$cur_log_dstamp

                mv -f $new_db $cur_db
                /usr/bin/nice -n 19 /usr/local/bin/aide --init >> /dev/null 2>&1
                /usr/bin/nice -n 19 /usr/local/bin/aide --compare >> /dev/null 2>&1
                HOSTNAME=`hostname`
                if [ ! -z "$email" ] && [ -f "$log" ]; then
                        cat $log | mail -s "AIDE report on $HOSTNAME" $email
                fi
        fi

        if [ -f "/usr/local/sbin/tmpwatch" ]; then
                /usr/local/sbin/tmpwatch $maxage $data/
        fi
fi

This is what happens:

# ./etc/periodic/security/950.aide

Code:

stat: illegal option -- c
usage: stat [-FlLnqrsx] [-f format] [-t timefmt] [file ...]
stat: illegal option -- c
usage: stat [-FlLnqrsx] [-f format] [-t timefmt] [file ...]
cp: /var/db/aide/aide.log: No such file or directory
mv: rename /var/db/aide/databases/aide.db.new to /var/db/aide/databases/aide.db: No such file or directory

So I change stat -c to stat -f and I get this:

# ./etc/periodic/security/950.aide

Code:

stat: %y: bad format
stat: /var/db/aide/aide.log: stat: No such file or directory
cp: /var/db/aide/aide.log: No such file or directory

%y in Linux is the Time of last modification. The FreeBSD analog is %m.

So after these minor changes, this is the result:

# ./etc/periodic/security/950.aide

Code:

stat: /var/db/aide/aide.log: stat: No such file or directory
cp: /var/db/aide/aide.log: No such file or directory

Which I think was easily fixed by touching /var/db/aide/aide.log

I now get this as the only output:

# ./etc/periodic/security/950.aide

Code:

Null message body; hope that's ok

I don't think that is ok, is it? aide.log is empty also.

On the other note, I am pretty sure my mail server works as I receive daily reports to my gmail account. Is this a fair assumption?

graudeejs · #10 September 21st, 2011, 08:47

I suppose

Dies_Irae · #11 September 21st, 2011, 09:58

Quote:

Originally Posted by ghostcorps

This is the how-to I have been reffering to.

One of the worst guide I have ever seen. The most useful info is "Also read the aide.conf manual page".

Quote:

Originally Posted by ghostcorps

I don't think that is ok, is it? aide.log is empty also.

aide won't create any logs, unless you tell him to act differently. The output is printed on standard output by default, see aide.conf(5)

Code:

report_url
    The url that the output is written to. There can be multiple instances of this
parameter. Output is written to all of them. The default is stdout.

All depends from how you have configured aide.conf, but if you have not touched the "report_url" setting your aide is sending the output to stdout - which your script discards happily.

Code:

/usr/bin/nice -n 19 /usr/local/bin/aide --init >> /dev/null 2>&1
/usr/bin/nice -n 19 /usr/local/bin/aide --compare >> /dev/null 2>&1

ghostcorps · #12 September 21st, 2011, 12:13

Quote:

Originally Posted by graudeejs

The magic is

Code:

cat $log | mail -s "AIDE report on $HOSTNAME" $email

It certainly is!

Turns out the emails were going to the spam folder but they are empty.

So close.

Dies_Irae · #13 September 21st, 2011, 13:53

Your emails are empty because in your script the body of the message is the content of the file /var/db/aide/aide.log which is empty - and nothing is going to write something into it.

You should redirect the output of aide to this file:

Code:

/usr/bin/nice -n 19 /usr/local/bin/aide --init > /var/db/aide/aide.log 2>&1
/usr/bin/nice -n 19 /usr/local/bin/aide --compare > /var/db/aide/aide.log 2>&1

or set the "report_url" in your aide.conf:

Code:

report_url=file:/var/db/aide/aide.log

ghostcorps · #14 September 22nd, 2011, 00:11

Quote:

Originally Posted by Dies_Irae

Your emails are empty because in your script the body of the message is the content of the file /var/db/aide/aide.log which is empty - and nothing is going to write something into it.

You should redirect the output of aide to this file:

Code:

/usr/bin/nice -n 19 /usr/local/bin/aide --init > /var/db/aide/aide.log 2>&1
/usr/bin/nice -n 19 /usr/local/bin/aide --compare > /var/db/aide/aide.log 2>&1

or set the "report_url" in your aide.conf:

Code:

report_url=file:/var/db/aide/aide.log

Champion!

Thankyou

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
[Solved] Portmaster reporting error?	Mayhem30	Installation and Maintenance of FreeBSD Ports or Packages	5	June 26th, 2011 14:26
suhosin reporting canary mismatch with php-5.2.10	neildarlow	Installation and Maintenance of FreeBSD Ports or Packages	3	November 13th, 2010 17:38
System monitoring with e-mail reporting	ilemur	System Hardware	2	March 5th, 2010 12:28
Portaudit reporting nsd2 vulnerable	nerdsite	Installation and Maintenance of FreeBSD Ports or Packages	0	June 29th, 2009 18:01
Squid Transparent Proxy Reporting Issue	bdyzel	Networking	1	June 9th, 2009 12:18

The Following User Says Thank You to graudeejs For This Useful Post:
ghostcorps (September 21st, 2011)

The Following User Says Thank You to Dies_Irae For This Useful Post:
ghostcorps (September 21st, 2011)