AIDE huge daily reports
AIDE is giving me HUGE daily reports on moderately used sites.
It was originally installed simply using ‘apt-get install aide’, and then I ran /usr/sbin/aideinit.
This left 144 rule files in the /etc/aide/aide.conf.d folder, and it has been sending me an email every morning since with such a huge volume of changes that the report is useless.
The first item to cover is determining exactly what is in the reports. AIDE does not report changes since yesterday: each daily run compares the filesystem against the database that aideinit built, so any file that has changed since that database was generated is reported again every day. If you have not regenerated the database since you made configuration changes or installed something, you need to do that first; otherwise those configuration changes and installs will keep showing up.
Use the -y switch so aideinit overwrites the old database without stopping to ask you to type ‘y’, then run the daily cron job by hand; its report should now show that no changes have occurred. These are two separate commands:
/usr/sbin/aideinit -y
/etc/cron.daily/aide
If your report is still huge with log files or other standard, acceptable and planned-for changes, you may want to exclude those from being monitored.
One school of thought would be to remove EVERYTHING and then only put back the items you specifically want to track. I thought it better to explicitly remove only the items which do not need to be monitored, as they show up in the reports. That seems more prudent, since with the other approach we could miss items we are not thinking about.
(Be sure to update your policy documents when making this change.)
To address this on the command line, I went into the /etc/aide/aide.conf.d folder and started removing the rule files for the items I do not need monitored.
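To find out which directories are actually filling the report before deciding what to exclude, and to express the exclusions as negative (!) rules in a single local fragment rather than by deleting the package-supplied files, here is an added example in shell. It is my own code, not from the original post or from the AIDE project. It assumes the report layout of the Debian/Ubuntu aide package (entries listed as ‘... : /path’ under ‘Added entries:’ / ‘Removed entries:’ / ‘Changed entries:’ headings; the older ‘added: /path’ form is matched the same way), uses a constructed sample report embedded inline, and the fragment name 99_local_excludes, the AIDE_CONFD variable and the function names are all my own choices.

```shell
#!/bin/sh
# Added example (not from the original post or the AIDE project):
# triage an AIDE report by directory, then turn the noisy directories
# into AIDE exclusion rules in a local conf.d fragment.

# Constructed sample report, trimmed to the parts the functions look at.
SAMPLE_REPORT='AIDE 0.16 found differences between database and filesystem!!
Start timestamp: 2020-01-01 06:25:01 +0000 (AIDE 0.16)
Config path: /etc/aide/aide.conf

Summary:
  Total number of entries:      118321
  Added entries:                3
  Removed entries:              0
  Changed entries:              3

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/log/apache2/access.log.1
f++++++++++++++++: /var/log/apache2/error.log.1
f++++++++++++++++: /var/cache/apt/pkgcache.bin

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...    .C... : /var/log/syslog
d =.... mc.. .. : /var/log/apache2
f   ...    .C... : /etc/ssh/sshd_config

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/ssh/sshd_config
  Size     : 3264                             | 3301

The attributes of the (uncompressed) database(s):
/var/lib/aide/aide.db
  MD5      : 0123456789abcdef0123456789abcdef'

# Count report entries per leading path prefix of DEPTH components
# (depth 2 turns /var/log/apache2/error.log.1 into /var/log), most
# frequent first. Reads the report on stdin. Only the entry lists are
# counted; "Config path:" and the "File:" lines of the detailed section
# would otherwise be mistaken for entries.
summarize_report() {
    depth="${1:-2}"
    awk -v depth="$depth" '
        /^(Added|Removed|Changed) (entries|files):/ { in_list = 1; next }
        /^(Detailed information|The attributes)/    { in_list = 0 }
        in_list && /: \// {
            path = substr($0, index($0, ": /") + 2)
            n = split(path, part, "/")          # part[1] is empty (leading /)
            prefix = ""
            for (i = 2; i <= n && i <= depth + 1; i++) prefix = prefix "/" part[i]
            count[prefix]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -k1,1nr -k2,2
}

# Print one AIDE negative rule per directory given as an argument. AIDE
# treats the rule as a regular expression anchored at the start of the
# path, so "!/var/log/apache2" covers the directory and everything below
# it; regex metacharacters in the path are escaped so "." stays literal.
exclusion_rules() {
    for dir in "$@"; do
        printf '!%s\n' "$(printf '%s' "$dir" | sed 's/[][\.*^$+?(){}|]/\\&/g')"
    done
}

# Write the rules to a fragment in /etc/aide/aide.conf.d (AIDE_CONFD can
# be pointed at a scratch directory). The 99_ prefix sorts it after the
# package-supplied fragments; the file name is my own choice.
write_fragment() {
    confd="${AIDE_CONFD:-/etc/aide/aide.conf.d}"
    target="$confd/99_local_excludes"
    exclusion_rules "$@" > "$target"
    echo "$target"
}

# Usage on a real host, with the mailed report saved to report.txt:
#   summarize_report 2 < report.txt
#   write_fragment /var/log/apache2 /var/cache/apt
#   /usr/sbin/aideinit -y        # rebuild the database with the new rules
```

Run summarize_report with a larger depth (3 or 4) once the top-level view is clear, so that a busy /var/log does not hide a single unexpected file under /var/lib, and exclude only the directories whose churn you can explain.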