Changing the Output of the AIDE Report


You might want a little more flexibility in where the AIDE report goes. For example, you may not want to receive emails when the AIDE report shows that everything is okay, or you may want AIDE to write its report to a file instead of to standard output. AIDE has four basic options for output, all of which can be set through the AIDE configuration file.

LINUX OUTPUT STREAMS

Linux has three generic streams that are opened when a program runs. These streams are referred to as STDIN, STDOUT, and STDERR, which are abbreviations for Standard Input, Standard Output, and Standard Error, respectively. When you see a reference to STDOUT, it refers to the normal channel for output to the screen, and STDERR is the channel for output produced as a result of an error condition. As you might expect, STDIN is the program's normal source of input, read from the input file descriptor.


The general AIDE configuration option called report_url configures how output is displayed. By default, output is displayed to STDOUT. Output can be displayed to any or all of the following:

  • STDOUT (default)

  • STDERR

  • Text file

  • File descriptor

Of these four possibilities, STDOUT, STDERR, and text file are of interest. Future versions of AIDE may include output configurations for automated email and automated output to the SYSLOG facility.

Of particular interest is the text file type of output for AIDE. This output type is specified using this configuration line:

 report_url=file:/<path>/<filename> 

For example, to configure AIDE reports to go to a file called aidereport.txt in the /var/log/aide directory that you create, you would use this configuration option in the AIDE configuration file:

 report_url=file:/var/log/aide/aidereport.txt 

However, the report_url configuration option is only one means for getting output into a file. Because you're running the AIDE report from cron, you could also simply redirect the output to a file. For example, recall the crontab entry shown earlier in the chapter:

 0 2 * * * /usr/local/bin/aide --check 

You could alter that cron entry to redirect the output to a file. Doing so would cause all of the report's standard output to go to that file and would also enable additional features such as date-based naming. This can be done with a little shell trick using backquotes (sometimes called backticks, usually found with the tilde [~] on the keyboard): the shell runs the command enclosed in backquotes and substitutes its output into the command line, so here the current date becomes part of the filename. Here's the new cron entry:

 0 2 * * * /usr/local/bin/aide --check >/var/log/aide/aidereport-`date +%m%d%Y`.txt 

Now the AIDE report will run and redirect STDOUT to a file called

 /var/log/aide/aidereport-<date>.txt 

For example, for a report run on March 12, 2004, the file would be called

 /var/log/aide/aidereport-03122004.txt 

With a redirected configuration such as the one shown, you will no longer receive emails when AIDE runs through its normal cron job, because only STDOUT is redirected and cron mails whatever output is left over. Rather, you will receive emails only when an error occurs with the AIDE cron job and something is written to STDERR. Because you'll no longer be receiving the emails, you may be tempted to ignore your monitoring duties and just let all the AIDE reports pile up. However, you should still monitor the AIDE reports by looking at them for anomalies and cleaning them up as appropriate.
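The date-stamped redirection above can be wrapped in a small script so that a clean run stays silent while a run that fails or reports differences still produces cron mail. This is an added example, not a script from the book; the AIDE_BIN and AIDE_LOG_DIR overrides and the "found differences between database and filesystem" phrase matched in the report are assumptions about the installed AIDE version.

```shell
#!/bin/sh
# Added example, not from the book: a cron wrapper around "aide --check"
# that writes the report to the date-stamped file used in the chapter's
# crontab entry and prints a summary only when AIDE reports differences or
# fails, so a clean run produces no cron mail. Assumptions (not in the
# original text): the AIDE_BIN and AIDE_LOG_DIR overrides, and the phrase
# "found differences between database and filesystem" in change reports.

AIDE_BIN="${AIDE_BIN:-/usr/local/bin/aide}"
AIDE_LOG_DIR="${AIDE_LOG_DIR:-/var/log/aide}"

# Report path for a date in the %m%d%Y form the crontab entry uses,
# e.g. "03122004" -> /var/log/aide/aidereport-03122004.txt
report_path() {
    printf '%s/aidereport-%s.txt\n' "$AIDE_LOG_DIR" "$1"
}

# Run the check with STDOUT redirected to the report file. STDERR is not
# redirected, so cron still mails genuine errors, as the text describes.
# Returns AIDE's exit status; prints a one-line summary (which cron mails)
# only when the run failed or the report records differences.
run_aide_report() {
    datestamp="${1:-$(date +%m%d%Y)}"
    report="$(report_path "$datestamp")"
    umask 077      # reports list the monitored paths; keep them private
    mkdir -p "$AIDE_LOG_DIR" || return 1
    if "$AIDE_BIN" --check >"$report"; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -ne 0 ]; then
        echo "AIDE --check exited with status $status; see $report"
    elif grep -q 'found differences between database and filesystem' "$report"; then
        echo "AIDE reported differences; see $report"
    fi
    return "$status"
}

# Only run the check when invoked with "run" (optionally followed by a
# datestamp), e.g. from cron: 0 2 * * * /usr/local/sbin/aide-report.sh run
if [ "${1:-}" = "run" ]; then
    run_aide_report "${2:-}"
fi
```

Installed as /usr/local/sbin/aide-report.sh (an assumed path), the crontab entry becomes `0 2 * * * /usr/local/sbin/aide-report.sh run`, and the full report is still kept on disk for the review the text asks for.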

Obtaining More Verbose Output

AIDE reports can be configured with additional verbosity. Adding verbosity to AIDE is valuable when you're troubleshooting rule matching. For example, when you set the verbose configuration option, you'll be able to see how AIDE builds the list of files to check. If you're seeing unexpected results or if files are being included or excluded for mysterious reasons, adding this option to the configuration or adding it as a command-line option will help.

The configuration option to add verbosity is as follows:

 verbose=<N> 

In this case, <N> is a positive integer with a maximum value of 255. In practice, only numbers above 200 give additional debugging output for most of the checks. Therefore, to add the maximum verbosity level, you would use this configuration setting:

 verbose=255 

With this configuration set, you'll see much additional output during an AIDE run:

 Mhash library initialization
 inserting 4096
 update_md called
 close_md called
 md2line
 Line has 4096
 copying 4096
 /bin/ash attr=7100
 /bin/ash attr=7101
 Adding child /bin/ash
 encode base64, data length: 10
 encode base64, data length: 10
 encode base64, data length: 16
 r->childs 135736080, r->parent 135383536, r->checked 512
 dropping back to parent
 r->childs 135388080, r->parent 0, r->checked 1024

The output is much more verbose (as you would expect) and includes the functions being called within the AIDE program itself, as well as details on the files that AIDE is checking as it checks them. This output can be invaluable when you're trying to troubleshoot a problem with your AIDE configuration.




Linux Firewalls
Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
ISBN: 1593271417
Year: 2005
Pages: 163
Authors: Michael Rash
