aide / aide Goto Github PK

Often, /dev/null is locked by some other process, so AIDE will exit with an error when /dev/null is used as output database.

Actually it's safe to not use any lock on /dev/null.

Hashes are not generated on newly created files. This would significantly expand the usability of the AIDE platform if it were a feature.

Please add a log_url option to specify the url (e.g. syslog) to be used for log messages (in contrast to the AIDE report_url) with stderr as default value.

A strange thing is going on my phone. I have run out of free space. I have written some shell scripts doing the comparison, and quicly detected some benign apps responsible for eating. But it doesn't explain something. According to the history of size snapshots almost almost every small file (there are lot of them) has gains some hudreds of KiB. Even the ones that were not expected to change - the ones created by me that I have not touched between the snapshots. That's very strange. So I can imagine a malware that may use other apps files as its redundant distributed filesystem which data cannot be destroyed without either writing a special utility or wiping the all the valuable data infected.

But we can try to detect the changes. It is likely that the malware just adds the data into the gaps of files of suitable formats, if there is not enough gaps, it can create one. Often apps like databases have their data pages aligned, so the following approach may work: hash not the whole file, but its parts of certain size. Then detect the changed parts and show the user hexdump of them. Or analyse their content for entropy level and how it matches the entropy level of the unchanged part of file. Or even better, implement plugins parsing various formats headers and finding out if any gaps have been created.

This is https://sourceforge.net/p/aide/feature-requests/22/

Hi,

aide should - optionally - unpack compressed files before building the checksums. This would allow to successfully track log rotation where the raw log gets compressed eventually.

Hi, I am testing with Aide 0.15.1 on Oracle Linux 7 (fully app compliant with RHEL); I've been wanting to add a feature in FIM (aide) where whenever a file is created in specific directories; aide should capture SHA512 or sha256. I can see hashes in aide.db file. I ran "echo <encoded_checksum> | base64 -d | hexdump -v -e '32/1 "%02x" "\n”’ to get the original data however its doesn't seems to be valid and the length of the SHA512 is much shorter than expected
value from AIDE: +SN7oBJJ7EyLh0uxddVyc8RSI5ojh46X
value post running the base64 decode command:
f9237ba01249ec4c8b874bb175d57273c452239a23878e97
Bit length: | 192
Character length: | 48

Steps to Recreate:

Install aide from local yum repo.
yum install aide
create fim.conf with contents-
database=file:/var/lib/aide/aide.db database_out=file:/var/lib/aide/aide.db.new database_new=file:/var/lib/aide/aide.db.new GETIOC=p+i+n+u+g+s+m+sha256+sha512 /home/nutan GETIOC
initialise
aide -c fim.conf --init --verbose
rename new.db to make it initial snapshot
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Create and Make changes to test file in /home/nutan directory : "testfile"
Run aide to check on changes.
aide -c fim.conf --check --verbose

Please add support for signed database and config files. The public key used for signature verification should either be configurable exclusively at compile-time or at run-time via a config option.

Hi,

@@define BIND_CHROOT_DIR

is a syntax error. Please allow empty values for variables.

Greetings
Marc

AIDE fails with Configuration error when parsing rules containing UTF-8 characters in the regular expression:

$ aide -c aide.conf -i
185:syntax error:
185:Error while reading configuration:
Configuration error

The corresponding line in aide.conf:

186  /test/test-utf8-®-file$ R

Currently the verbose level option is used to configure the report as well as the debug/log level and accepts values from 0 to 255. Both makes it very difficult to predict which verbose level generates which output.

To ease the configuration please replace the verbose option with the report_level and log_level options.

Possible values for log_level:

• critical
• error
• warning
• config
• notice
• config-debug
• info
• debug

Possible value for report_level:

• summary
• database_attributes
• changed_entries
• changed_attributes
• added_removed_attributes
• added_removed_entries

This issue is related to #20.

Hi,

when I make a syntax error, aide complains:
450:syntax error:!
in vi, I need to type 451G to go to the faulty line.

I guess it's aide that starts counting at zero instead of at one.

Greetings
Marc

Currently AIDE reports a moved file or directory as removed from the old location and added to the new location while the checked attributes remain the same (modulo inode, ctime etc).

Please add a new Moved entries section to the report which only shows the changed path of the or directory when there are no other changes to report.

Hi,

File names containing literal %'s, such as /var/log/prosody/jabber%2ezugschlus%2ede/ get escaped in the database, yieding /var/log/prosody/jabber%252ezugschlus%252ede/ in the database. This is a strictly internal representation that gets mapped back in the generated reports.

However, this mapping does not happen in rule processing. To write a rule matching this file name, one needs to write %252e in the rule. I think this is at least confusing and should either be fixed (preferred!) or documented.

Greetings
Marc

This is https://sourceforge.net/p/aide/feature-requests/23/

for growing log files (option "S"), aide should be able to build checksums for the file's contents. On the next aide run, aide knows from the database the size the file had when the checksume found in the database where built, so it can verify whether the file contents has changed in the part that was already present when the reference database was built.

Hi,

having problem compiling this from the source, it feels like configure is broken:
(centos 7 x64)

checking for mhash_get_block_size in -lmhash... no
configure: WARNING: No mhash means no hmac.
checking for gpg_strerror in -lgpg-error... no
configure: error: You need to have libgpg-error.a installed to use libgcrypt.

However, I have both libgcrypt and libgcrypt-devel installed. Also downloaded and installed libgpg-error from source, I still can't build it with default settings, so I had to use --without-gcrypt .

Then during compile time at the end I think linking has failed

aide-0.16.1]# gcc -std=gnu99 -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -W -Wall -g -g -O2 -static -o aide src/aide.o src/base64.o src/be.o src/commandconf.o src/compare_db.o src/conf_lex.o src/conf_yacc.o src/db.o src/db_disk.o src/db_file.o src/db_lex.o src/db_list.o src/db_sql.o src/do_md.o src/error.o src/gen_list.o src/getopt1.o src/getopt.o src/list.o src/md.o src/snprintf.o src/symboltable.o src/util.o -lm -lpcre -pthread
/bin/ld: cannot find -lm
/bin/ld: cannot find -lpcre
/bin/ld: cannot find -lpthread
/bin/ld: cannot find -lc
collect2: error: ld returned 1 exit status

So how do you build this ? Maybe this builds on specific OS like debian etc ?

Thanks,

This is https://sourceforge.net/p/aide/feature-requests/2/ and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257134

it would be a good idea to be able to exclude proc, sys and network
mounts via file system type.

For example, if I want to have a single aide.conf for linux 2.4 and
linux 2.6 kernels, I would probably want to exclude /sys. However,
this would /sys exclude from being checksummed on 2.4 systems where
/sys probably might be a normal file system.

I would like to be able to exclude all files on file systems with type
proc and sysfs. Please consider adding this feature to aide.

Please add an compile-time option to support dynamic config files, so that AIDE adds the stdout of executable files in the config directory to the configuration at run-time. The config scripts must not be world-writable.

This issue depends on #4.

This is https://sourceforge.net/p/aide/feature-requests/27/

Periodically I've update machines' software with rpm or yum (which is a wrapper for yum).

All of the files that get touched via an update, and the directories that they live in, get changed.

It would be nice to have the packaging information associated with an RPM be used to selectively update entries in the database.

I could do:

% aide --update
% mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

but that's a sledgehammer approach, and unrelated changes would also be unwittingly captured.

The RPM package describes the user, group, mode, SHA, xattrs, and ACL associated with a file. Most of the information that's needed to prime a new (or replacement) entry into aide.db.gz ... The rest can be derived by inspection. For each entry, you'd also need to note that the dirname for that entry (its parent) had also changed, and update the modification time silently.

For new package installs that have associated directories, new entries for those directories would need to be created.

A separate libaide.so would likely be needed, along with Python bindings for it so that it might be callable from inside a yum plugin.

This is https://sourceforge.net/p/aide/feature-requests/25/

It will be great if AIDE would support Prelude-IDS via libprelude library. As Samhain does.

Hi. how to make multi-directory exclusion on aide?
I tried !/var/www/*/data/www/assets/* on config, but when creating the database I see errors:
get_file_status: lstat() failed for /var/www/site1/data/www/assets/captcha5d8085ae7dd54.png: No such file or directory
get_file_status: lstat() failed for /var/www/site2/data/www/assets/captcha5d8098ee56a1a.png: No such file or directory

Hi, I am testing with Aide 0.15.1 on Oracle Linux 7 (fully app compliant with RHEL); I've been wanting to add a feature in FIM (aide) where whenever a file is created in specific directories; aide should capture md5 or sha256. I can see hashes in aide.db file, but when those hashes do not appear to be either md5 or sha256.
Also, when "aide --check" is executed after initial snapshot is created. aide.log has similar hashes in them which do not appear to be md5.

Steps to Recreate:

1. Install aide from local yum repo.
   yum install aide
2. create fim.conf with contents-
   database=file:/var/lib/aide/aide.db database_out=file:/var/lib/aide/aide.db.new database_new=file:/var/lib/aide/aide.db.new GETIOC=p+i+n+u+g+s+m+md5 /home/nutan GETIOC
3. initialise
   aide -c fim.conf --init --verbose
4. rename new.db to make it initial snapshot
   mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
5. Create and Make changes to test file in /home/nutan directory : "testfile"
6. Run aide to check on changes.
   aide -c fim.conf --check --verbose
   9 Note the results on screen and in aide.log. It has MD5 hash value but the value is not actually MD5.
   `

Changed files:

changed: /home/nutan
changed: /home/nutan/aide
changed: /home/nutan/testfile

Detailed information about changes:

Directory: /home/nutan
Mtime : 2019-10-21 15:15:59 , 2019-10-21 15:39:44
Directory: /home/nutan/aide
Size : 22 , 65
Mtime : 2019-10-21 15:17:42 , 2019-10-21 15:22:42

File: /home/nutan/testfile
Size : 253 , 280
Mtime : 2019-10-21 14:37:25 , 2019-10-21 15:39:44
MD5 : ivtmaHWScBWzGlhyjiFWtQ== , M+HNNIcqB/9cIClhZgVK9g==`

My Ask

It appears the MD5 is encoded in some form; Given the "==" I tried decoding those using base64, but that too did not reveal actual MD5.
what config chage can be done retrieve actual MD5 of the file in aide.log;
Also, while we talk of MD5 in this example, SHA256 has same issues.

I have some weird issues, and I'm not entirely sure why or how this has happened.
Here's the information I have so far.
I've installed aide using:
apt install aide

When I run aide -v, it shows that CONFIG_FILE is in /usr/local/etc/aide.conf, but the actual configuration file lies in /etc/aide/aide.conf.

When I run aide -C it comes with this error:
Couldn't open file /usr/local/etc/aide.db for reading
Looking into that directory, the file doesn't exist.

I also tried to check the DB with the actual config file with aide --config=/etc/aide/aide.conf -C and got this error:

38:Error in expression:acl
Configuration error

And line 38 in the configuration file:

InodeData = OwnerMode+n+i+Size+l+acl+xattrs+e2fsattrs+selinux

I see it mention acl in the string.
Is my installation completely messed up?

If you must know, it's a debian 6.0.10

Hi,

see the following aide.conf:

database=file:/home/mh/aide/aide.db
database_out=file:/home/mh/aide/aide.db.new
database_new=file:/home/mh/aide/aide.db.new
gzip_dbout=no
summarize_changes=yes
grouped=no

!/(etc|var|usr|home|dev|proc|sys)
!/run/udev/(data|links|tags|watch)$ d
/ sha256+sha512+rmd160+haval+gost+crc32+tiger+p+u+g+ftype+s+b+n+i+acl+xattrs+e2fsattrs+selinux

When running aide --init with this configuration no contents of /run/udev/data/ is included in the database. Removing the !/run/udev/... line, /run/udev/data's contents is there.

The use case is getting an aide notice if an unexpected file shows up in /run/udev/data by excluding the directory entries themseves, and the usual contents of /run/udev/data/. That way, if a file shows up that isn't "the usual contents", aide would report that.

Greetings
Marc

Please add a command-line option (e.g. --list,-L) to list parts of the database in human readable format (analogous to the detailed report output of new files).

Hi,

I am getting reports like this:
d ... . .. E: /var/cache/apt-cacher-ng/debian/dists/bullseye/main/binary-i386/Packages.diff
Directory: /var/cache/apt-cacher-ng/debian/dists/bullseye/main/binary-i386/Packages.diff
E2FSAttrs: -----------------e--- | --------------I--e---

According to man chattr, I means that a directory is indexed using hashed trees. This looks to me like some filesystem internal which cannot be set manually. If my assessment is true, I think that this should not be reported by aide (or at least excludeable).

Greetings
Marc

I just installed AIDE 0.16 on a Ubuntu 18.04 LTS server via apt.
Whenever I run sudo aide -c /etc/aide/aide.conf --check I get a long list of items like the following:

do_md(): open() for /var/lib/lxcfs/cgroup/blkio/blkio.reset_stats failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/blkio/system.slice/blkio.reset_stats failed: Permission denied
do_md(): open() for /var/lib/lxcfs/cgroup/blkio/system.slice/accounts-daemon.service/blkio.reset_stats failed: Permission denied
...

The same list is mailed to me daily after the cron job is runned.
Does anyone of you know what is it all about?

To better support processing of the report by machines, AIDE should support JSON as report format.

This is https://sourceforge.net/p/aide/feature-requests/21/

different output options, such has a mysql database or even csv/tsv data would be easier to parse to send to a database with an external command.

This would definitely need the output to have a structure that is similar throughout the different types of alerts that are written by aide.

This is https://sourceforge.net/p/aide/feature-requests/19/

Hi,

for debugging, it might be useful to use /dev/null as
input and as output database. This is currently not
allowed, but makes sense in this special case.

Please consider allowing this special case.

Greetings
Marc

I'm getting SELinux denials indicating that /usr/sbin/aide is trying to access a socket used by SSSD: the socket path is /var/lib/sss/pipes/nss. I posted this on Serverfault last week and was advised to bring it up here. Here is the link to that post which contains more information:

https://serverfault.com/questions/971435/selinux-aide-trying-to-access-sssd-socket/971580#971580

Hi,

I would like to be able to write something like

!/usr/share/locale/[^/]/LC_MESSAGES/.*.mo$ mime=application/x-gettext-translation

to exclude everything that matches the given MIME type. That would probably help in reducing the amount of aide reports in directories with many known harmless files which could be used by an attacker to hide away executables or scripts or tools.

I know that this will link in libmagic which has a rather complicated security history, but the use case would be helpful anyway.

Greetings
Marc

Hi,

restricted selection lines are a vast improvement of aide rule flexibility. I would love to encourage people ot use the feature. For myself, I am checking my rules with

awk '{if ($2 !~ '/[fdlsbcp]/') { print }}' FS=" "

but wouldnt it be nice to have aide check for that and have it issue a warning in higher verbosity levels.

Grüße
Marc

I mean creating databases often and then storing only diffs between the adjacent databases. Then it should be possible to see the picture of what happens in the system in time.

Hi,

when I want to check the SHA512 checksum of the generated database in a script, I need some ugliness like:

< output.aide awk '/^\/var\/lib\/aide\/aide\.db\.new$/,/^$/' | sed -n '/^[[:space:]]\+SHA512[[:space:]]\+: \(.*\)/{s//\1/;N;N;s/[[:space:]]\+//g;p;}'

or

< output.aide awk '/^\/var\/lib\/aide\/aide\.db\.new/{lastrec=1}lastrec==1 && $1=="SHA512"{sha512=1}sha512==1{a=a+1; if(a==1){printf $3}else if(a<=3){printf $1}}'

since the output of the summary database is like:

/var/lib/aide/aide.db.new
  MD5      : ujh8SuEtmmNqHoYVamNRgQ==
  SHA1     : Uo1hMTdnvy7vj5wxbIXmbBzPqEc=
  RMD160   : HvPp9Lz+CTTqIgJvxTWGjQ3bqz0=
  TIGER    : FhCXXdhFR0i6D/mhWJ6vlreCm1vkXY9w
  SHA256   : IK7yUtHmx+UZbVZo9ofrxBdthp7iUh6K
             zpPf9aC1X50=
  SHA512   : rrgb/cJ5YsQebiO6QlV4eLj+2nFFIVMw
             lFlSAbYFQYaET4xKfs6R7vKr/wk0FCLL
             MNIaMRe+8fSANsUJJb8Dpw==
  CRC32    : aNaXDw==
  HAVAL    : f5Ug7AzAvydwIcu2ZGwBdw7GDWKTYEkl
             dbkS2AzTC+g=
  GOST     : hXHrVy8eoZzjl/XQKeXw+5o2yPKCcJnG
             8A+NbCuAdtM=
  WHIRLPOOL: h3WmJ+lW/A31Z2b/BozVzV4Eu1DTLKTY
             C0lXY33qA1piAz/Nvxovu3nt8k1M9D+I
             EBHY878xKRM9bm+xbfGA2Q==

how about a config option like

meta_database_out=/path/to/dbfile

which actually writes out a one-line aide database containing the checksums of the newly generated file? That's much more easily parseable.

Greetings
Marc

AIDE supports multiple instances of the report_url option, but does not support different report options (e.g. report_base64) for each report_url.

This is https://sourceforge.net/p/aide/feature-requests/24/

It would be cool if you could specify the url of a remote database either on the command line or in the config file that would be used as the base for comparison. Rather than storing the database on protected media, you could generate it, then move to another server.

Please add an include directive for aide.conf to include entire directories (e.g. /etc/aide/aide.conf.d/); so the configuration can be modularized into separate snippets. To avoid to include backup or other disabled files it would be helpful to support a regexp of allowed file names (e.g. \.conf$).

This is https://sourceforge.net/p/aide/feature-requests/15/

Hi,

-V255 prints information about each config line read,
such as

72:Selrule
87:Variable substitution

It would be great to print the actual line as well,
and for variable substitutions which variables are
being substituted with which value.

Additionally, the line numbering seems to be off by
one.

Hi, this is https://sourceforge.net/p/aide/feature-requests/4/

gzip support for compressing aide.db is cool, but bzip2 would
be even better because it will allow storing the .db on a floppy
disk more often due to its better compression rate.

(adapt this to more modern compressors, the original issue is from 2005)

This is https://sourceforge.net/p/aide/feature-requests/13/

Hi,

it would be great for the Debian packaging if it were
possible to @include entire directories like
/etc/aide/aide.conf.d/.

aide would have to take precautions to avoid including
backup files and other disabled files. In Debian, for
example, it is common to exclude files ending in
.dpkg-*. There are multiple approaches:

• Insist on a certain extension (.conf, for example)
• Having a regexp of allowed file names (settable at
  compile time is acceptable, run time of course preferred)
• Having a regexp of file names to be ignored

This would allow packages to bring their own aide
configuration snippet and to have it enabled
automatically. The Debian aide packages currently
implement this behavior by having aide wrapped and the
real configuration file built just before aide is
invoked, but that's a fragile hack. Would be better to
have that functionality in aide proper.

Thanks for considering.

This is a summary of https://sourceforge.net/p/aide/feature-requests/1/ and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289174

Hi,

even if i have some background in regular expressions
it's in some cases not clear to me what happens and why
some directories are added and others not.

What i miss is a kind of simulation mode where i can
see which directories or files will be added. Its very
hard if you have to wait for the result after a small
change in the config file. Also it's very hard to check
the database file whether a directory was added or not.
With this simulation mode you may check immediately
whether your appliied rules deliver the result you
expected.

Regards,

Wilhelm

Hi,

even after using aide for five years now, I need multiple attempts to
get the regexps right. aide's way of demanding and not demanding
escape backslashes does not seem to be consistent to neither standard,
extended or perl regexps.

Debugging this is quite tedious since the turnaround times are bad
because one needs to do cryptographic operations.

How about having an option which parses the config file and the
filesystem, and outputs for each file found the aide expression that
would be used for this file if a real aide run would be invoked with
this config file.

Greetings
Marc

This is https://sourceforge.net/p/aide/feature-requests/28/

The issue is your report format is next to impossible to normalize within a SEIM architecture.

Please add to the aide.conf (example) variations for logging:

i.e.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.gz
gzip_dbout=yes
verbose=5
report_url=stdout
report_url=file:@@{LOGDIR}/aide.log
report_url=syslog:LOG_AUTH

Also; please add a comment on how to append to the log instead of creating a new one.

I would recommend a better format for logging (vice reporting).

I would recommend the following:

log_url = (Take the same paramters)
log_format = syslog_IEFT, JSON, csv

I would recommend on syslog_IEFT format that you have individual lines for:

something like this:
AIDE: Start timestamp: 2016-05-17 22:02:37 : Total number of files: 40872 : Added files:0 : Removed files: 0 : Changed files: 2
AIDE: Change timestamp: 2016-05-17 22:02:37 : File: /etc/aide.conf : Inode : 133 , 907946
AIDE: Change timestamp: 2016-05-17 22:02:37 : File: /etc/fstab : Inode : 907941 , 907945 : RMD160 : 6ESZcmz1AkxzWEiCHTeInV07QeI= , Iv6sOdBI1J3a6BbDBhHelIe3NAI= SHA256 : PPxCVeCdH3tHYPT+rfY2PTwIvOepG2kF , zPMueGeaJVa/JOtwI8mrxPjOHk16J9/V
AIDE: Added timestamp: 2016-05-17 22:02:37 : File: /etc/cron.daily/test.file
AIDE: End timestamp: 2016-05-17 22:02:37 : Total number of files: 40872 : Added files:0 : Removed files: 0 : Changed files: 2

Format JSON it would be one line for all.
Some syslog takes JSON in syslog per line so that would be good.
If logging JSON format to a directory; one json file per aide run (preferably compressed)

Also in your default aide.conf:

[Perhaps one for Debian and one for RHEL variations]

You may want to add as a default:

Directories:
/etc/sysctl.d
/etc/modprobe.d
/etc/audit/rules.d

Files
/etc/default/grub

Whenever we run aide --update to create a new aide db, the aide.log file in /var/log/aide is overwritten. This presents a challenge a I'd like to maintain a record of aide activities. Is there a setting to cause this log to be appended vs replaced?

Please add support to check for Linux capabilities attribute (see capabilities(7)).

I'm trying to exclude the following file autogenerated with the name begin with session_

!/home/root/tmp/^session_.+$

example: session_jdskaj293829jdks, session_92ujds29030jsd

and the system still notifies new file added or changed beginning with the name session_ at that directory.

Am I missing something?

As nowadays AIDE is CPU bound with fast storage (e.g. SSDs) it should benefit from multithreading (e.g. via pthreads)

If --disable-lfs is not given, then configure.ac makes the mistake
of defining the following also for Darwin (Apple MacOS):

#define AIDE_STAT_TYPE stat64
#define AIDE_OFF_TYPE off64_t
#define AIDE_BLKCNT_TYPE blkcnt64_t

The correct values are

#define AIDE_STAT_TYPE stat
#define AIDE_OFF_TYPE off_t
#define AIDE_BLKCNT_TYPE blkcnt_t

Example of error from the compiler:

src/db_disk.c:198:24: error: variable has incomplete type 'struct stat64'
        struct AIDE_STAT_TYPE fs;
                              ^
src/db_disk.c:198:9: note: forward declaration of 'struct stat64'
        struct AIDE_STAT_TYPE fs;
               ^
./config.h:47:24: note: expanded from macro 'AIDE_STAT_TYPE'
#define AIDE_STAT_TYPE stat64
                       ^

A temporary solution is to --disable-lfs when configuring for this platform.