AdminSysGNULinux

Outils pour utilisateurs

Outils du site

Piste : pb_thunderbird_icedove_failed_opening_offline_store_for_imap notes_-_test_bande_passante_reseau reseau_-_bonding_-_agregation_de_liens cloud_lvm_autoresize_partition_pv pb_smtp_451_internal_resource_temporarily awx_-_build_to_run conf_conky_conkyrc test_de_perf_io_reseau notes_port_serie_rs-232_ttyusb0 controle_d_integrite_fichiers_avec_aide
tech:controle_d_integrite_fichiers_avec_aide

Table des matières

,

Contrôle d'intégrité des fichiers avec AIDE

Voir aussi

Voir :

Install

apt-get install aide aide-common

Utilisation

Initialisation 

aideinit

Contrôle 

aide.wrapper --check
 
aide.wrapper --check --limit /etc

Mise à jour de la base 

aide.wrapper -u

Configuration

/etc/aide/aide.conf.d/31_aide_plop
#/var/log$ VarDir

# Exlusion list
!/var/lib/docker/
!/var/log/journal/
!/var/log/commands.log
!/run/
!/mnt/
!/etc/.git/
!/etc/.etckeeper
!/var/tmp/
!/var/log/
!/root/.viminfo
!/root/.bash_history
!/root/.lesshst
!/var/lib/sss/mc/passwd
!/usr/NX/var/tmp/
!/var/lib/sss/db/

Check conf 

aide.wrapper --config-check

Pb

Segmentation fault (core dumped)

# aideinit
Overwrite existing /var/lib/aide/aide.db.new [Yn]? Y
Running aide --init...
Segmentation fault (core dumped)
AIDE --init return code 139
# dmesg |tail
[169712.662630] aide[428807]: segfault at 0 ip 00007f9fd5e7b14b sp 00007ffc48052578 error 4 in libc-2.31.so[7f9fd5d80000+178000]
[169712.662645] Code: 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 8b 05 25 ad 0c 00 48 83 ff 10 74 47 48 83 ff 1a 74 49 48 8b 40 60 <48> 8b 10 48 85 d2 75 12 eb 1b 0f 1f 00
48 8b 50 10 48 83 c0 10 48

Solution : Exclure les dossiers problématiques

Trouver la où se plante avec lsof ou strace 

aideinit &
 
while PID_AIDE=$(pgrep aide ||exit 2) ; do lsof -p $(pgrep -n aide) |tee -a aide_lsof.log ; done
 
watch -d lsof -p $(pgrep -n aide)

Créer une liste d'exclusions

/etc/aide/aide.conf.d/31_aide_plop
!/var/lib/docker/
!/var/log/journal/

puis relancer 

aideinit

Erreur Database does not have attr field.

aide --check -c /etc/aide/aide.conf
Database does not have attr field.
Comparation may be incorrect
Generating attr-field from dbspec
It might be a good Idea to regenerate databases. Sorry.
db_char2line():Error while reading database

La base n'est pas complete. Vérifier la taille de /var/lib/aide/aide.db.new.

Solution

Si paquet aide-common installé 

aideinit

Sinon 

aide --init -c /etc/aide/aide.conf
cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Notes

Debug 

aide -D
aide -V255 --config=/etc/aide/aide.conf -C

Conf

/etc/aide/aide.conf.d/31_aide_plop
#/var/log$ VarDir
!/var/lib/docker/
!/var/log/journal/
!/var/log/commands.log
!/run/
!/etc/.git/
!/etc/.etckeeper
!/var/tmp/
!/var/log/
!/root/.viminfo
!/root/.bash_history
!/root/.lesshst

Source : https://raw.githubusercontent.com/duritong/puppet-aide/master/files/aide.conf

/etc/aide.conf
# AIDE conf

database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Change this to "no" or remove it to not gzip output
# (only useful on systems with few CPU cycles to spare)
gzip_dbout=yes

# Here are all the things we can check - these are the default rules 
#
#p:      permissions
#i:      inode
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#md5:    md5 checksum
#sha1:   sha1 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum
#R:      p+i+n+u+g+s+m+c+md5
#L:      p+i+n+u+g
#E:      Empty group
#>:      Growing logfile p+u+g+i+n+S
#haval:         haval checksum
#gost:          gost checksum
#crc32:         crc32 checksum

# Defines formerly set here have been moved to /etc/default/aide.

# Custom rules
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1

# Next decide what directories/files you want in the database

# Kernel, system map, etc.
=/boot$ Binlib
# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib
#/usr/games Binlib
# Libraries
/lib Binlib
/usr/lib Binlib
/usr/local/lib Binlib
# Log files
#=/var/log$ StaticDir
#!/var/log/ksymoops
#/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
#/var/log/aide/error.log(.[0-9])?(.gz)? Databases
#/var/log/setuid.changes(.[0-9])?(.gz)? Databases
#!/var/log/aide
#/var/log Logs
# Devices
!/dev/pts
# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr,
# you may uncomment this to get rid of them. They're harmless but sometimes
# annoying.
#!/dev/cpu/mtrr
#!/dev/xconsole
/dev Devices
# Other miscellaneous files
/var/run$ StaticDir
!/var/run
# Test only the directory when dealing with /proc
/proc$ StaticDir
!/proc

# You can look through these examples to get further ideas

# MD5 sum files - especially useful with debsums -g
#/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1

# Check crontabs
#/var/spool/anacron/cron.daily Databases
#/var/spool/anacron/cron.monthly Databases
#/var/spool/anacron/cron.weekly Databases
#/var/spool/cron Databases
#/var/spool/cron/crontabs Databases

# manpages can be trojaned, especially depending on *roff implementation
#/usr/man ManPages
/usr/share/man ManPages
/usr/local/man ManPages

# docs
#/usr/doc ManPages
/usr/share/doc ManPages

# check users' home directories
#/home Binlib

# check sources for modifications
#/usr/src L
#/usr/local/src L

# Check headers for same
/usr/include L
#/usr/local/include L

#!/var/log/portage/elog
#!/var/log/puppet/puppet.log
!/var/log     # ignore the log dir it changes too often
!/dev/disk/by-uuid  # ignore, because its only crypt-swap, that changes every boot ...
tech/controle_d_integrite_fichiers_avec_aide.txt · Dernière modification : de 127.0.0.1
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki