imthenachoman / How-To-Secure-A-Linux-Server

An evolving how-to guide for securing a Linux server.
Creative Commons Attribution Share Alike 4.0 International

Issue setting up AIDE monitoring #58

Closed smcalilly closed 4 years ago

smcalilly commented 4 years ago

I've asked this on stackexchange and r/linuxfornoobs but nobody has answered so I'm gonna see if I can get a hit here.

I'm setting up AIDE monitoring on Raspbian. I first tried over ssh, but it timed out due to my timeout settings. Then I set up the new AIDE db directly on the RPi command line. I had to overwrite the DB that was created on the first try.

I ran `sudo aide.wrapper --check` after it successfully initialized and it returned a ton of files with mismatched hashes. Some of the mismatched original hashes were dated 8/30, but I init'd on 8/31. I have no idea why... I installed AIDE on 8/31 and the system should be clean because it's like three days old. Is that date based on the original creation of the file?

Two more questions:

  1. Should I be worried about all these changed hashes?
  2. If not, how do I delete the AIDE database and start afresh? Is it as simple as deleting it via the path `/var/lib/aide/aide.db.new`?

imthenachoman commented 4 years ago

Sorry for the late reply -- I'm just now getting time to reply.

I see you closed this. Did you figure it out?

smcalilly commented 3 years ago

@imthenachoman No worries, thanks for following up. I realized that the hashes were changed because of logging, so I set the AIDE config to ignore some logging
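The resolution above (the noise came from logs, so exclude them from the content checks and rebuild the baseline) can be turned into a small triage-and-reinit script. This is an added example, not code from the repository or from either commenter. It assumes the Debian/Raspbian layout the thread already names (`aide.wrapper`, `/var/lib/aide/aide.db.new` becoming `/var/lib/aide/aide.db`), the Debian `update-aide.conf` helper that assembles `/etc/aide/aide.conf.d/` into the wrapper's config, and an assumed fragment file name `99_local_logs`. The report sample is constructed and only approximates the shape of AIDE's "Changed entries" block.

```shell
#!/bin/sh
# Added example (not the project's or the thread's code): triage an AIDE
# report, then regenerate the baseline once the noisy paths are handled.

# Constructed sample of the "Changed entries" block of an `aide --check`
# report; real reports carry more attribute columns before " : ".
SAMPLE_REPORT='Changed entries:
f   ...    .C... : /var/log/syslog
f   ...    .C... : /var/log/auth.log
f   ...    .C... : /var/log/daemon.log
f   ...    .C... : /etc/hostname'

# Count changed entries per top-level directory (two path components where
# available) so it is obvious whether the mismatches sit in an expected
# noisy area such as /var/log or somewhere that deserves a closer look.
changes_by_prefix() {
    printf '%s\n' "$1" | awk -F' : ' '
        / : \// {
            n = split($2, p, "/")
            key = (n > 3) ? "/" p[2] "/" p[3] : "/" p[2]
            count[key]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k2,2nr -k1,1
}

# AIDE rule fragment for logs. A leading "!" is a negative selection
# (AIDE ignores matching paths); the second line keeps verifying owner,
# group and permissions (p+u+g) of active logs but drops size and
# checksum, which legitimately change on every write.
log_rules() {
    cat <<'EOF'
# Rotated or compressed logs are only ever created and deleted: ignore them.
!/var/log/.*\.[0-9]+(\.gz)?$
# Active logs: ownership and mode still matter, content churn does not.
/var/log p+u+g
EOF
}

# Rebuild the baseline after the rules are in place. Run it as root on the
# Pi itself (as the thread did) because a long init can outlive an ssh
# timeout. aide --init writes /var/lib/aide/aide.db.new; copying it over
# aide.db makes it the reference database for the next --check.
aide_reinit() {
    log_rules > /etc/aide/aide.conf.d/99_local_logs   # assumed fragment name
    update-aide.conf                                   # regenerate wrapper config
    aide.wrapper --init
    cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
}

# Triage only; aide_reinit is deliberately not invoked here.
changes_by_prefix "$SAMPLE_REPORT"
```

Run the triage first: if nearly every changed entry lands under `/var/log`, the rule fragment is the fix; if `/etc`, `/usr` or `/bin` dominate, investigate before re-initializing, because `aide_reinit` makes whatever is on disk the new trusted baseline.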