Configuring AIDE reporting

Hi Guys

I have installed aide to help monitor my system, but I cannot find the cron script or the base configuration file as opposed to /usr/local/etc/aide.conf.

From what I have read, I believe I need to locate the base config file so that I can set the MAILTO option. All the guides I have found say that the base config is /etc/default/aide, but they are all Linux-centric, so the path is slightly incorrect; but even if I go to /etc/defaults/ there is still no aide file there. Even [CMD=""]find / | grep aide[/CMD] does not find it.

My next step is to run this on a cron. Once again the guides advise that there is a cron script here: /etc/cron.daily/aide. I have searched through /etc/periodic but cannot find it. I did find a Linux copy of aide.cron HERE, but I am not savvy enough to modify it correctly.


Am I missing some FreeBSD magic? Or will I need to run aide manually?
 
/usr/local/etc/aide.conf.sample

remember on FreeBSD stuff is installed in /usr/local/ (unless it's a kernel module, which needs to be in /boot/modules/, or some other specific stuff, but these are rare exceptions)

You can always check ports pkg-plist and/or Makefile to check what and where files are installed
 
graudeejs said:
/usr/local/etc/aide.conf.sample

remember on FreeBSD stuff is installed in /usr/local/ (unless it's a kernel module, which needs to be in /boot/modules/, or some other specific stuff, but these are rare exceptions)

You can always check ports pkg-plist and/or Makefile to check what and where files are installed

Thanks for the reply :)

But /usr/local/etc/aide.conf does not have the MAILTO option.

This is the how-to I have been referring to. You will see that there are two configuration files I needed to find. I had already located aide.conf before posting. :(

I'll see what Makefile tells me :)

[EDIT:] It looks like the FreeBSD port only uses one file. But that still leaves me trying to work out how to set my address. Surely it couldn't be as simple as adding [CMD=""]MAILTO=root[/CMD] to /usr/local/etc/aide.conf could it?
 
Quick manual search doesn't show anything about mail.... (I might be wrong)
But you can always write a custom script to send mail if the aide test fails.
 
graudeejs said:
I dunno, perhaps read the manual (aide.conf(5); your locally installed manual may be newer than the online version)

Thanks again,

I have looked over a few versions of the aide.conf(5) and aide(1) manuals to no avail either.

As for writing a script, I wouldn't have a problem setting up a cron but a mail script would be a bit outside my limited abilities. I'm sure I could work it out but I was hoping I could use the native functions wherever possible.
 
I'm going to try to get the script below to work on FreeBSD. Any suggestions will be greatly appreciated :)

I will put the script here:
/etc/periodic/security/950.aide
Code:
#!/bin/sh

# email address for reports
email=

# max age of logs and databases in hours
# default 2160 = 90 days
maxage=2160

if [ -f "/usr/sbin/aide" ] && [ -d "/var/lib/aide" ]; then
        dstamp=`date +"%H%M-%m%d%Y"`
        data=/var/lib/aide
        log=/var/lib/aide/aide.log
        cur_db=$data/aide.db
        new_db=$data/aide.db.new

        if [ ! -f "$cur_db" ]; then
                /bin/nice -n 19 /usr/sbin/aide --init >> /dev/null 2>&1
                cp $new_db $cur_db
        fi

        if [ -f "$cur_db" ]; then
                cur_db_dstamp=`stat -c "%y" $cur_db | tr '.' ' ' | tr -d ':-' | awk '{print$1"-"$2}'`
                cp -f $cur_db $cur_db.$cur_db_dstamp

                /usr/bin/gzip -f $cur_db.$cur_db_dstamp

                cur_log_dstamp=`stat -c "%y" $log | tr '.' ' ' | tr -d ':-' | awk '{print$1"-"$2}'`
                cp -f $log $log.$cur_log_dstamp

                mv -f $new_db $cur_db
                /bin/nice -n 19 /usr/sbin/aide --init >> /dev/null 2>&1
                /bin/nice -n 19 /usr/sbin/aide --compare >> /dev/null 2>&1
                HOSTNAME=`hostname`
                if [ ! -z "$email" ] && [ -f "$log" ]; then
                        cat $log | mail -s "AIDE report on $HOSTNAME" $email
                fi
        fi

        if [ -f "/usr/sbin/tmpwatch" ]; then
                /usr/sbin/tmpwatch $maxage $data/
        fi
fi
 
The script above assumes you have a fully configured mail server (Sendmail or Postfix, or whatever).

It will work fine for delivering mail to local users. (you might just need to fix some paths and/or flags)

The magic is
Code:
cat $log | mail -s "AIDE report on $HOSTNAME" $email
 
graudeejs said:
The script above assumes you have a fully configured mail server (Sendmail or Postfix, or whatever).

It will work fine for delivering mail to local users. (you might just need to fix some paths and/or flags)

The magic is
Code:
cat $log | mail -s "AIDE report on $HOSTNAME" $email

Thanks for your patience,


I have corrected all the paths, which 'seemed' easy enough. It doesn't work yet though, this is what I have come up with so far:

Code:
#!/bin/sh

# email address for reports
email=mymail@gmail.com

# max age of logs and databases in hours
# default 2160 = 90 days
maxage=2160

if [ -f "/usr/local/bin/aide" ] && [ -d "/var/db/aide" ]; then
        dstamp=`date +"%H%M-%m%d%Y"`
        data=/var/db/aide/databases
        log=/var/db/aide/aide.log
        cur_db=$data/aide.db
        new_db=$data/aide.db.new

        if [ ! -f "$cur_db" ]; then
                /usr/bin/nice -n 19 /usr/local/bin/aide --init >> /dev/null 2>&1
                cp $new_db $cur_db
        fi

        if [ -f "$cur_db" ]; then
                cur_db_dstamp=`stat -c "%y" $cur_db | tr '.' ' ' | tr -d ':-' | awk '{print$1"-"$2}'`
                cp -f $cur_db $cur_db.$cur_db_dstamp

                /usr/bin/gzip -f $cur_db.$cur_db_dstamp

                cur_log_dstamp=`stat -c "%y" $log | tr '.' ' ' | tr -d ':-' | awk '{print$1"-"$2}'`
                cp -f $log $log.$cur_log_dstamp

                mv -f $new_db $cur_db
                /usr/bin/nice -n 19 /usr/local/bin/aide --init >> /dev/null 2>&1
                /usr/bin/nice -n 19 /usr/local/bin/aide --compare >> /dev/null 2>&1
                HOSTNAME=`hostname`
                if [ ! -z "$email" ] && [ -f "$log" ]; then
                        cat $log | mail -s "AIDE report on $HOSTNAME" $email
                fi
        fi

        if [ -f "/usr/local/sbin/tmpwatch" ]; then
                /usr/local/sbin/tmpwatch $maxage $data/
        fi
fi

This is what happens:

[CMD=""]# ./etc/periodic/security/950.aide[/CMD]
Code:
stat: illegal option -- c
usage: stat [-FlLnqrsx] [-f format] [-t timefmt] [file ...]
stat: illegal option -- c
usage: stat [-FlLnqrsx] [-f format] [-t timefmt] [file ...]
cp: /var/db/aide/aide.log: No such file or directory
mv: rename /var/db/aide/databases/aide.db.new to /var/db/aide/databases/aide.db: No such file or directory

So I change stat -c to stat -f and I get this:

[CMD=""]# ./etc/periodic/security/950.aide[/CMD]
Code:
stat: %y: bad format
stat: /var/db/aide/aide.log: stat: No such file or directory
cp: /var/db/aide/aide.log: No such file or directory

%y in Linux is the Time of last modification. The FreeBSD analog is %m.

So after these minor changes, this is the result:

[CMD=""]# ./etc/periodic/security/950.aide[/CMD]
Code:
stat: /var/db/aide/aide.log: stat: No such file or directory
cp: /var/db/aide/aide.log: No such file or directory

Which I think was easily fixed by touching /var/db/aide/aide.log

I now get this as the only output:

[CMD=""]# ./etc/periodic/security/950.aide[/CMD]
Code:
Null message body; hope that's ok

I don't think that is ok, is it? aide.log is empty also.



On the other note, I am pretty sure my mail server works as I receive daily reports to my gmail account. Is this a fair assumption?
 
ghostcorps said:
This is the how-to I have been reffering to.

One of the worst guides I have ever seen. The most useful info is "Also read the aide.conf manual page".

ghostcorps said:
I don't think that is ok, is it? aide.log is empty also.
aide won't create any logs unless you tell it to act differently. The output is printed on standard output by default, see aide.conf(5):
Code:
report_url
    The url that the output is written to. There can be multiple instances of this
parameter. Output is written to all of them. The default is stdout.

It all depends on how you have configured aide.conf, but if you have not touched the "report_url" setting, your aide is sending the output to stdout - which your script happily discards:

Code:
/usr/bin/nice -n 19 /usr/local/bin/aide --init >> /dev/null 2>&1
/usr/bin/nice -n 19 /usr/local/bin/aide --compare >> /dev/null 2>&1
 
Your emails are empty because in your script the body of the message is the content of the file /var/db/aide/aide.log which is empty - and nothing is going to write something into it.

You should redirect the output of aide to this file:
Code:
/usr/bin/nice -n 19 /usr/local/bin/aide --init > /var/db/aide/aide.log 2>&1
/usr/bin/nice -n 19 /usr/local/bin/aide --compare > /var/db/aide/aide.log 2>&1

or set the "report_url" in your aide.conf:
Code:
report_url=file:/var/db/aide/aide.log
 
Dies_Irae said:
Your emails are empty because in your script the body of the message is the content of the file /var/db/aide/aide.log which is empty - and nothing is going to write something into it.

You should redirect the output of aide to this file:
Code:
/usr/bin/nice -n 19 /usr/local/bin/aide --init > /var/db/aide/aide.log 2>&1
/usr/bin/nice -n 19 /usr/local/bin/aide --compare > /var/db/aide/aide.log 2>&1

or set the "report_url" in your aide.conf:
Code:
report_url=file:/var/db/aide/aide.log

Champion!

Thank you :)
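For reference, here is a FreeBSD periodic(8) version of the script that folds in both fixes from this thread: the stat(1) flag differences ghostcorps hit, and Dies_Irae's point that aide's report must go to the log rather than /dev/null. This is an added example, not a script posted in the thread; the binary, database and log paths, and the assumption that aide.conf sets database/database_out to aide.db/aide.db.new, are all assumptions to adjust to your install.

```shell
#!/bin/sh
# Hypothetical /usr/local/etc/periodic/security/950.aide for FreeBSD (added example,
# not the thread's script). Assumes aide.conf sets database=file:$aide_data/aide.db
# and database_out=file:$aide_data/aide.db.new; all paths below are assumptions.
aide_bin=${aide_bin:-/usr/local/bin/aide}
aide_data=${aide_data:-/var/db/aide/databases}
aide_log=${aide_log:-/var/db/aide/aide.log}
email=${email:-root}

# Archive stamp from mtime: FreeBSD stat(1) wants -f FORMAT -t TIMEFMT; "stat -c" is GNU-only.
mtime_stamp() {
    if stat --version >/dev/null 2>&1; then       # GNU stat (Linux)
        date -d "@$(stat -c '%Y' "$1")" '+%Y%m%d-%H%M'
    else                                           # FreeBSD stat(1), %Sm = mtime as string
        stat -f '%Sm' -t '%Y%m%d-%H%M' "$1"
    fi
}
# Keep a gzipped, timestamped copy of a file (previous database or previous report).
archive_file() {
    [ -f "$1" ] || return 0
    _stamp=$(mtime_stamp "$1")
    cp -f "$1" "$1.$_stamp" && gzip -f "$1.$_stamp"
}
# Run aide with its report written to the log, not /dev/null; each call truncates the log.
aide_run() {
    "$aide_bin" "$@" > "$aide_log" 2>&1
}
# Mail only when the report actually contains something.
report_has_content() { [ -s "$1" ]; }

main() {
    [ -x "$aide_bin" ] && [ -d "$aide_data" ] || return 0
    cur_db=$aide_data/aide.db
    new_db=$aide_data/aide.db.new
    if [ ! -f "$cur_db" ]; then                    # first run: create the baseline only
        aide_run --init && mv -f "$new_db" "$cur_db"
        return 0
    fi
    archive_file "$aide_log"
    aide_run --init                                # fresh snapshot -> aide.db.new
    aide_run --compare                             # aide.db vs aide.db.new -> report in log
    archive_file "$cur_db"
    mv -f "$new_db" "$cur_db"                      # new snapshot becomes the next baseline
    if [ -n "$email" ] && report_has_content "$aide_log"; then
        mail -s "AIDE report on $(hostname)" "$email" < "$aide_log"
    fi
}
# Run only when invoked as the periodic script, so the functions can also be sourced.
case $0 in */950.aide) main ;; esac
```

Because the new snapshot is promoted to the baseline after every run, the mailed report and the gzipped archives are the only record of what changed, so keep them somewhere an intruder on the host cannot quietly edit.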
 