C6 : AIDE Experience

Home » CentOS » C6 : AIDE Experience
CentOS 11 Comments

Having problems with Tripwire on C6, I installed AIDE from the base repository. x86_64 0.14-3.el6_2.2 base 123 k

typing:
aide result:
“Couldn’t open file /var/lib/aide/aide.db.gz for reading”
(directory is empty and aide.db.gz does not exist.)
typing:
aide -i (for initialise the Aide database)
result:
“AIDE, version 0.14
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.”
(size 10 bytes)
typing:
aide result:
“Couldn’t open file /var/lib/aide/aide.db.gz for reading”
typing:
aide –init (for the second time)
result:
“AIDE, version 0.14
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.”
(now 2,225,108 bytes)
typing:
aide result:
“Couldn’t open file /var/lib/aide/aide.db.gz for reading”
action:
renaming aide.db.new.gz as aide.db.gz typing:
aide result:
(noticeable delay)
“AIDE, version 0.14
### All files match AIDE database. Looks okay!”
(only 1 file in /var/lib/aide = aide.db.gz)
typing:
aide -u result:
(noticeable delay)
“AIDE, version 0.14
### All files match AIDE database. Looks okay!
### New AIDE database written to /var/lib/aide/aide.db.new.gz”

Comment:
Looks like I have solved the riddle :-)
I did do a ‘yum erase aide’ followed by a ‘yum install aide’
to ensure my first experience was not a technical malfunction.

11 thoughts on - C6 : AIDE Experience

  • I’m a bit behind on this list, but as I don’t see any other replies, I’ll comment here.

    Aide does not update it’s database file. Whenever you run an init or update, it will create a new file. You then have to manually rename that file in order to start using the new database.

  • I used aide for some time after tripwire went commercial, stayed without support, and finally a bug (in e-mail…) was discovered. I moved away from aide soon after. You may think of some intrusion detection tool/system that:

    1. doesn’t keep reference database on the same box (I know, I know, they are signed, etc…)

    2. does not rely on binaries living on this same box (think about checking these binaries on another, much more trusted box before using them…)

    But of course, there is no limit to paranoia when [computer] security is concerned.

    Sorry, not mentioning what I do (“security through obscurity” helps a bit sysadmin’s paranoia ;-)

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • checkout samhain (www.la-samhna.de/*samhain*/) if your feeling really paranoid.

    Kahlil (Kal) Hodgson GPG: C9A02289
    Head of Technology (m) +61 (0) 4 2573 0382
    DealMax Pty Ltd (w) +61 (0) 3 9008 5281

    Suite 1415
    401 Docklands Drive Docklands VIC 3008 Australia

    “All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can’t get them together again, there must be a reason. By all means, do not use a hammer.” — IBM maintenance manual, 1925

    CentOS mailing list CentOS@CentOS.org http://lists.CentOS.org/mailman/listinfo/CentOS

  • I’m sure those asterisks aren’t supposed to be there. I for one have found webpage he means, and at a first glance the software sounds wonderful…:

    http://www.la-samhna.de/products.html

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Yeah. Not for the fainthearted. For full stealthiness you have to compile and maintain matching (signed) server/client pairs. Not too bad if management is well automated.

    K

LEAVE A COMMENT