On 10-10-17, j...@bluemarble.net wrote:
> The Debian configuration files in AIDE on Debian seem to monitor a lot of
> files that I'm not sure need monitoring. Maybe someone could shed some
> light.
>
> Is there a reason I should monitor /run? What about the /var/log/ files that
> are rotated? It often complains about that. How about systemd journal files?
>
> Thanks.

I'm far from an expert in this, just a user of AIDE, so I was hoping that someone with more knowledge than me would shed some light on this. Anyway, I did not like how AIDE works in Debian; it looked overcomplicated to me, so I've installed aide without recommends. If you do it like that, you end up without the aide-common package, which makes AIDE much more vanilla-like. You do not get any config file, nor a cron job added automatically. So you need to do a bit of learning that way, and include in the aide.conf file what you want and what you do not want. Find some examples on the net, like this one:

# define the path for creating the databases.
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new

# define your own aide rule.
MYRULE = p+n+u+g+s+m+c+xattrs+md5+sha1

# choose your directories/files you want in the database and which rule should be used.
/ MYRULE

# define your exceptions.
!/proc # ignore /proc filesystem
!/sys # ignore /sys filesystem

That one is obvious overkill, because the whole system will be checked except /proc and /sys, but it is a good example of how you can exclude what you do not want. Also, that one uses /var/lib/aide for databases, which for sure is not recommended practice. Best practice would be to put aide.conf, the databases and even the aide binary on, for example, a USB that would be inserted just for the check.

As for whether you should make AIDE check /run and /var/log, I'm not really sure. Some think that even some things under /proc should be checked (not that AIDE can do it anyway). But checking /var/log is annoying and a bit of overkill, at least for me.

Hope that this helps you at least a bit.
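
An added example, not part of either message in this thread: one way to write an aide.conf that addresses the three paths asked about (/run, rotated files under /var/log, and the systemd journal). The group names FULL and LOGMETA and the /media/aide-usb mount point are assumptions made for illustration.

```conf
# Added example, not from the thread. The database location is a
# placeholder for removable media that is mounted only during a check.
database=file:/media/aide-usb/aide.db
database_out=file:/media/aide-usb/aide.db.new

# Full check for content that should only change on upgrades.
# sha256 is used here in place of the md5+sha1 pair shown in the post.
FULL = p+i+n+u+g+s+m+c+xattrs+sha256

# Log directories: compare permissions and ownership only, and accept
# files appearing (ANF) or disappearing (ARF), so that log rotation does
# not produce a report on every run.
LOGMETA = p+u+g+ANF+ARF

# The more specific /var/log line applies to everything beneath it;
# the rest of the filesystem gets the full rule.
/ FULL
/var/log LOGMETA

# Selection lines are regular expressions matched from the start of the
# path, so each exclusion also covers everything underneath that path.
!/proc
!/sys
# Runtime state (PID files, sockets, the volatile journal) is recreated
# at every boot and has no stable baseline to compare against.
!/run
# Persistent journal files are rewritten continuously by journald.
!/var/log/journal
```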