I have a server configured with AIDE and I'm trying to tune out false positives. I received an alert this morning that a file had been added to a folder that I believe should only alert on ACL changes, unless I'm misunderstanding something.
Here are the relevant parts of the config file:

```
...
# Access control only.
PERMS = p+u+g+acl+selinux+xattrs
...
/var/run/faillock/ PERMS
```
And the alert generated when I run `aide --check`:

```
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2020-01-30 09:37:22
Summary:
Total number of files: 69687
Added files: 1
Removed files: 0
Changed files: 0
---------------------------------------------------
Added files:
---------------------------------------------------
added: /var/run/faillock/testfile
```
OS is CentOS 7, if that's relevant.
`aide` is alerting you that a file has been added to the directory. It has not checked it against ACL changes or anything else because it's never seen it before. You want this check in case a file gets added that you don't expect. If there is a specific pattern of file you want ignored, use the `!` to negate it in the config.

Rerun `aide --init` and copy the aide.db.new.gz to aide.db.gz and rerun `aide --check`. Once it's recorded in the aide.db.gz it will work as you expect. You will see a clean result.
To test your config file, change the permissions of the file and run `aide --check` again. You'll see something like this:

To ignore a new file you'll need to specifically add it to the `aide.conf`. As stated in the reference, if you want to scan /var/log/messages but not /var/log/messages.[0-9] you can do something like this:

Reference: AIDE doc
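The answers above make two points that are easy to conflate: a file missing from the baseline database is reported as "added" regardless of which attribute group (here PERMS) its selection line carries, and a `!` line is the way to keep a churning path pattern (pam_faillock writes per-user tally files into /var/run/faillock) out of the database entirely. The following is an added, self-contained Python model of that behaviour; it is not AIDE's code. It records only mode, owner and group (the p+u+g part of the PERMS group), uses constructed selection lines and files in a temporary directory standing in for /var/run/faillock/, and simplifies rule evaluation (an assumption, not AIDE's exact matching order) to: a path is selected if any regular line's regex matches from the start of the path and no `!` line matches.

```python
"""Added example (not AIDE's own code): a toy baseline checker showing why a
new file under a PERMS-only line is reported as "added", why a re-init makes
the report clean, and how a '!' selection line excludes a pattern entirely.
Rule evaluation is a simplification (assumption): a path is selected when some
regular line matches from the start and no negative ('!') line matches."""
import re
import stat
import tempfile
from pathlib import Path

# Constructed selection lines in aide.conf style: (regex, is_negative).
RULES = [
    (r"/var/run/faillock/", False),           # regular line, PERMS-style
    (r"/var/run/faillock/ignored\.", True),   # '!' line: never recorded
]


def selected(path: str, rules=RULES) -> bool:
    """True if the path is covered by a regular line and not negated."""
    if any(neg and re.match(rx, path) for rx, neg in rules):
        return False
    return any(not neg and re.match(rx, path) for rx, neg in rules)


def snapshot(root: Path, prefix: str) -> dict:
    """Record (mode, uid, gid) for every selected file below root.
    `prefix` is the logical path the temporary directory stands in for."""
    db = {}
    for p in sorted(root.rglob("*")):
        logical = prefix + p.relative_to(root).as_posix()
        if not selected(logical):
            continue
        st = p.lstat()
        db[logical] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return db


def compare(baseline: dict, current: dict) -> dict:
    """Classify paths the way an AIDE summary does: added/removed/changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys()
                     if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def walkthrough() -> list:
    """Replay the question's scenario on constructed files; return reports."""
    prefix = "/var/run/faillock/"
    reports = []
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tally = root / "alice"              # constructed pre-existing file
        tally.write_text("3")
        tally.chmod(0o600)
        baseline = snapshot(root, prefix)   # aide --init; db.new -> db

        newfile = root / "testfile"         # the file from the question
        newfile.write_text("x")
        newfile.chmod(0o644)
        reports.append(compare(baseline, snapshot(root, prefix)))  # added

        baseline = snapshot(root, prefix)   # re-init after accepting it
        reports.append(compare(baseline, snapshot(root, prefix)))  # clean

        newfile.chmod(0o600)                # perms change: PERMS catches it
        reports.append(compare(baseline, snapshot(root, prefix)))  # changed

        baseline = snapshot(root, prefix)   # accept the new mode
        newfile.write_text("yy")            # content edit: not in PERMS
        (root / "ignored.tmp").write_text("z")  # matches the '!' line
        reports.append(compare(baseline, snapshot(root, prefix)))  # clean
    return reports


if __name__ == "__main__":
    for i, report in enumerate(walkthrough(), 1):
        print(f"check {i}: {report}")
```

Run it and the four checks come out as: added, clean, changed, clean. The last check is the one worth noting for tuning: a content rewrite is invisible under a p+u+g style group, and the file matching the `!` line never enters the database, so it can appear and disappear without generating alerts.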