aide is alerting you that a file has been added to the directory. It has not checked it against ACL changes or anything else because it's never seen it before. You want this check in case a file gets added that you don't expect. If there is a specific pattern of file you want ignored, use the ! to negate it in the config.
Rerun aide --init and copy the aide.db.new.gz to aide.db.gz, then rerun aide --check.
Once it's recorded in the aide.db.gz it will work as you expect.
You will see a clean result.
To test your config file, change the permissions of the file and run aide --check again. You'll see something like this:
# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2020-01-30 18:20:22
Summary:
Total number of files: 69135
Added files: 0
Removed files: 0
Changed files: 1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /tmp/blah
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /tmp/blah
Perm : -rw-r--r-- , -rw-------
ACL : old = A:
----
user::rw-
group::r--
other::r--
----
D: <NONE>
new = A:
----
user::rw-
group::---
other::---
----
D: <NONE>
To ignore a new file you'll need to specifically add it to the aide.conf. As stated in the reference, if you want to scan /var/log/messages but not /var/log/messages.[0-9] you can do something like this:
=/var/log/messages$ R+a
!/var/log/messages\.[0-9]$
Now only the messages files ending in a number 0-9 are not included in the database. Note that an intruder could disguise a rootkit by creating a directory called messages.9 (if messages.9 does not already exist, that is).
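As an added illustration that is not part of the original answer and not AIDE's own code, here is a small Python model of how the three kinds of selection lines (regular, =, and !) decide what ends up in the database, and why a directory named messages.9 would slip past the rules above. The matching semantics (regexes anchored at the start of the path, = applying only to the path itself, a negated directory never being descended into), the first-match precedence, and the extra /var/log R line are assumptions made for the example; the AIDE manual is authoritative for the real tool's behaviour.

```python
"""Simplified model of AIDE-style selection lines (constructed example, not AIDE code).

Three rule kinds, written as they appear in aide.conf:
  /regex ATTRS    regular rule: regex anchored at the start of the path, so it also
                  covers everything below a matching directory
  =/regex ATTRS   equals rule: applies only to the path that matches, not to its children
  !/regex         negative rule: matching paths are left out of the database, and a
                  matching directory is not descended into
Attribute groups such as R or R+a are carried along as opaque strings here.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass
class Rule:
    kind: str            # "regular", "equals" or "negative"
    pattern: re.Pattern
    attrs: str = ""      # empty for negative rules


def parse_rules(conf: str) -> List[Rule]:
    """Parse selection lines; blank lines and # comments are skipped."""
    rules: List[Rule] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            rules.append(Rule("negative", re.compile(line[1:].strip())))
        elif line.startswith("="):
            regex, attrs = line[1:].split(None, 1)
            rules.append(Rule("equals", re.compile(regex), attrs))
        else:
            regex, attrs = line.split(None, 1)
            rules.append(Rule("regular", re.compile(regex), attrs))
    return rules


def ancestors(path: str) -> Iterator[str]:
    """Yield every directory above path, deepest first: /a/b/c -> /a/b, /a."""
    parts = path.rstrip("/").split("/")
    for i in range(len(parts) - 1, 1, -1):
        yield "/".join(parts[:i])


def classify(path: str, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Return ("exclude", None), ("include", attrs) or ("unselected", None).

    Model: a negative rule matching the path itself or any directory above it
    wins, because the walker never enters a negated directory and therefore
    never sees what is inside it. Otherwise the first matching selection rule
    supplies the attribute group (first-match precedence is a simplification).
    """
    negatives = [r for r in rules if r.kind == "negative"]
    for candidate in [path, *ancestors(path)]:
        if any(r.pattern.match(candidate) for r in negatives):
            return ("exclude", None)
    for r in rules:
        if r.kind == "equals" and r.pattern.fullmatch(path):
            return ("include", r.attrs)
        if r.kind == "regular" and r.pattern.match(path):
            return ("include", r.attrs)
    return ("unselected", None)


# The two lines from the answer above, plus an assumed catch-all for /var/log
# so that the effect of the negative rule is visible.
CONF = r"""
=/var/log/messages$ R+a
!/var/log/messages\.[0-9]$
/var/log R
"""
RULES = parse_rules(CONF)

# Constructed sample paths, including the messages.9 directory case from the answer.
SAMPLE_PATHS = [
    "/var/log/messages",                 # the file we want watched with R+a
    "/var/log/messages.1",               # rotated log, deliberately excluded
    "/var/log/messages.1.gz",            # not excluded: the $ anchor stops at the digit
    "/var/log/messages.9/rootkit.so",    # hidden: its parent matches the negative rule
    "/var/log/secure",                   # covered by the assumed /var/log R line
    "/etc/passwd",                       # no rule selects it at all
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        verdict, attrs = classify(p, RULES)
        print(f"{verdict:<10} {attrs or '-':<5} {p}")
```

The messages.9 line is the one to look at: the file underneath it is never compared against anything, not because a rule selected it, but because its parent directory was negated before the walker reached it. Anchoring the negative pattern with $ keeps messages.1.gz in the database, which is a useful reminder that the regex describes exactly what is skipped.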
Reference
AIDE doc