Hashes not generated on newly created files about aide HOT 7 CLOSED

Can you please provide more information about your issue (e.g. operating system, AIDE version, used configuration, used commands, expected output, etc)?

Generally AIDE creates hashes for new files as long as there exists a corresponding rule for the file path.

from aide.

I would prefer not to have that discussion over a public GitHub thread. Any chance you would mind sharing your email address so I can reach you?

from aide.

I cannot see how the requested information, such as operating system or the AIDE version should contain sensitive information. If the configuration or the rules contain sensitive information, please create a minimal example configuration which reproduces your issues.

from aide.

@hvhaugwitz - related to some of my previous work, I saw a similar behaviour as stated here.

Objective - Capture hashes of files which are created (dropped) in /tmp, /var/tmp or /home/... directories. (assume some whitelisting is in place in aide.conf and the type of files we are expecting are going to be low in numbers, but when those files appear, we want to capture it's hash).

"verbose" seemed to have helped; changed its value to 20 for desired effect; newly created files and hashes were also written in aide.log

Used similar config as below -

database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
gzip_dbout=yes
verbose=20
report_url=syslog:LOG_LOCAL3
report_url=stdout
PCI = l+p+i+u+g+acl+sha256
PCI_LOG = l+p+i+u+g+acl+S+l+ftype+n
/etc            PCI
/bin            PCI
/sbin           PCI
/lib            PCI
/home           PCI
/var/tmp       PCI
/tmp              PCI

/var/log/kern.log$ PCI_LOG
/var/log/last.log$ PCI_LOG

When this config was run with aide 0.15.1, newly created files (but not modified)were only logged as file=/etc/boss.py; added; even with verbose set to 20;

but

when tested with latest version available, newly created files did get logged along with its hash.

My Question, or rather ask for help, would be, which piece of code is making that difference? I do not posses coding skills to feel confident about it but if there are any tweaks in config, which I can do, or get a patch of aide 0.15, that would be great to know.

There are certain reason's beyond my control which do not allow me to update to Aide 0.16.2-21-gfcf0f3a.

from aide.

@nutanv I'm not sure if I understand your issue correctly. Are you looking for the commit that adds details about added and removed entries to the report (05d3911)? If not, you can use git bisect to find the commit that adds the desired behaviour.

from aide.

The issue is - Report hash values (in aide.log) of newly created files (not neccessarily modified but just created) in watched directories. I'll check your commit above and get back. thanks for the tip of bisect.

from aide.

@bengbrewer2 @nutanv Can you please try AIDE 0.17.1 and report back if the issues you were seeing still exist? Especially look at the new report_level and log_level config options.. Otherwise I will close this issue within the next couple of weeks.

from aide.