#13 AIDE Fails at finding files it previously found (when run from cron.daily)

v1.0 (example)
open
nobody
None
5
2014-08-19
2013-07-05
standard_output
No

Hello.
Running AIDE 0.14 on CentOS 6.4 (2.6.32-358)

Symptoms:
AIDE reports that all files under /selinux have been removed, even though they are present. (It finds them during --init but not during --check. Caveat: when run directly from the command line as root, it finds them fine; when kicked off from /etc/cron.daily/aide [also as root], it fails. I know this screams permissions, but I am fairly sure the cron job runs as root.)
AIDE reports that many files under /usr, /bin and /sbin have changed, showing a new hashsum of "<NONE>". This too goes away when AIDE is run as root from the command line.

Below is my config file; please forgive me for not using the fancy SourceForge formatting:

[root@Nebuchadnezzar aide]# cat /etc/aide.conf

------------------------------------------------------------------------------

------------------------={ Configuration Parameters }=------------------------

@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide

database=file:@@{DBDIR}/@@{HOSTNAME}.aide.db.gz
database_new=file:@@{DBDIR}/@@{HOSTNAME}.aide.db.new.gz

database_out=file:@@{DBDIR}/@@{HOSTNAME}.aide.db.new.gz

gzip_dbout=yes

verbose=5

warn_dead_symlinks=yes

report_url=file:@@{LOGDIR}/aide.log
report_url=stdout

--------------------------={ Variable Declaration }=--------------------------

FOLDERS = p+i+n+u+g+acl+selinux+xattrs

PERMS = p+i+u+g+acl+selinux

LOG = >

INTENSIVE = p+i+l+n+u+g+s+b+m+c+acl+selinux+xattrs+md5+sha1+sha256+sha512+rmd160+tiger

INTENSIVE_I = p+l+n+u+g+s+b+m+c+acl+selinux+xattrs+md5+sha1+sha256+sha512+rmd160+tiger

INTENSIVE_IMC = p+l+n+u+g+s+b+acl+selinux+xattrs+md5+sha1+sha256+sha512+rmd160+tiger

DATAANDPERMISSIONS = p+n+u+g+s+acl+selinux+xattrs+md5+sha1+sha256+sha512+rmd160+tiger

DATAONLY = md5+sha1+sha256+sha512+rmd160+tiger

LOGFILES = p+l+n+u+g+acl+selinux+xattrs+ANF

PERMISSIONS = p+i+l+n+u+g+acl+selinux+xattrs

PERMISSIONS_I = p+l+n+u+g+acl+selinux+xattrs

DBFILES = p+i+l+n+u+g+acl+selinux+xattrs

DEVFILES = p+u+g+acl+selinux+xattrs

---------------------={ Files to Include in our Checks }=---------------------

------------------------={ Handling most folders... }=------------------------

=/$ FOLDERS
=/bin$ FOLDERS
=/boot$ FOLDERS
=/dev$ FOLDERS
=/etc$ FOLDERS
=/etc/rc.d$ FOLDERS
=/home$ FOLDERS
=/lib$ FOLDERS
=/lib64$ FOLDERS
=/media$ FOLDERS
=/misc$ FOLDERS
=/mnt$ FOLDERS
=/net$ FOLDERS
=/opt$ FOLDERS

=/proc$ FOLDERS

=/root$ FOLDERS
=/sbin$ FOLDERS
=/selinux$ FOLDERS
=/srv$ FOLDERS
=/sys$ FOLDERS
=/tmp$ FOLDERS
=/usr$ FOLDERS
=/usr/bin$ FOLDERS
=/usr/sbin$ FOLDERS
=/var$ FOLDERS
=/var/tmp$ FOLDERS

/bin/ INTENSIVE
/boot/ INTENSIVE
/lib/ INTENSIVE
/lib64/ INTENSIVE
/misc/ INTENSIVE_IMC
/net/ INTENSIVE_IMC
/opt/ INTENSIVE
/sbin/ INTENSIVE
/selinux/ INTENSIVE_IMC
!/selinux/policy
/srv/ INTENSIVE

Handling /lib

!/lib/udev
!/lib64/dbus-1
!/lib64/security/pam_krb5

------------------------------------------------------------------------------

------------------------------------------------------------------------------

------------------------------------------------------------------------------

!/tmp/ INTENSIVE

------------------------------------------------------------------------------

------------------------------------------------------------------------------

!/usr

!/usr/src$
!/usr/tmp$
/usr/ INTENSIVE_IMC+ANF

------------------------------------------------------------------------------

----------------------------={ Handling /dev... }=----------------------------

/dev/ DEVFILES

!/dev/pts/0$
!/dev/pts/1$

----------------------------={ Handling /etc... }=----------------------------

/etc/ PERMISSIONS

!/etc/adjtime$
!/etc/asound.state$
!/etc/blkid.tab
!/etc/lvm/.cache$
!/etc/mtab$
!/etc/ntp.drift$
!/etc/prelink.cache$
!/etc/sysconfig/hwconf$

!/etc/.*~

/etc/modprobe.conf$ DATAONLY

/etc/fstab$ INTENSIVE

/etc/inittab$ DATAONLY
/etc/grub/ DATAONLY
/etc/rc.d/ DATAONLY

/etc/localtime DATAONLY

/etc/yum.conf$ INTENSIVE
/etc/yumex.conf$ INTENSIVE
/etc/yumex.profiles.conf$ INTENSIVE
/etc/yum/ INTENSIVE
/etc/yum.repos.d/ INTENSIVE

/etc/passwd$ INTENSIVE
/etc/sudoers$ INTENSIVE
/etc/skel$ INTENSIVE
/etc/pam.d DATAONLY
/etc/login.defs$ DATAONLY
/etc/securetty$ DATAONLY
/etc/security$ DATAONLY
/etc/issue$ DATAONLY
/etc/issue.net$ DATAONLY
/etc/securetty$ INTENSIVE

/etc/hosts$ DATAONLY
/etc/sysconfig$ DATAONLY
/etc/sysctl.conf$ DATAONLY
/etc/hosts.allow$ INTENSIVE
/etc/hosts.deny$ INTENSIVE
/etc/resolv.conf$ DATAANDPERMISSIONS
/etc/nscd.conf$ INTENSIVE

/etc/ssh/sshd_config$ DATAONLY
/etc/ssh/ssh_config$ DATAONLY
/etc/stunnel$ DATAONLY

/etc/vsftpd.ftpusers$ DATAONLY
/etc/vsftpd$ DATAONLY

/etc/profile$ INTENSIVE
/etc/bashrc$ INTENSIVE
/etc/bash_completion.d/ INTENSIVE
/etc/login.defs$ INTENSIVE
/etc/zprofile$ INTENSIVE
/etc/zshrc$ INTENSIVE
/etc/zlogin$ INTENSIVE
/etc/zlogout$ INTENSIVE
/etc/profile.d/ INTENSIVE
/etc/X11/ INTENSIVE

/etc/cups$ DATAONLY

/etc/at.allow$ DATAONLY
/etc/at.deny$ DATAONLY
/etc/cron.allow$ DATAONLY
/etc/cron.deny$ DATAONLY
/etc/cron.d/ DATAONLY
/etc/cron.daily/ DATAONLY
/etc/cron.hourly/ DATAONLY
/etc/cron.monthly/ DATAONLY
/etc/cron.weekly/ DATAONLY
/etc/crontab$ DATAONLY

/etc/ld.so.conf$ DATAONLY
/etc/aliases$ DATAONLY
/etc/postfix$ DATAONLY
/etc/exports$ INTENSIVE
/etc/logrotate.d INTENSIVE
/etc/audit/ DATAONLY
/etc/libaudit.conf$ DATAONLY
/usr/sbin/stunnel DATAONLY

!/etc/symantec
/etc/symantec PERMISSIONS_I

----------------------------={ Handling /var... }=----------------------------

/var/$ INTENSIVE

/var LOGFILES

/var/log LOGFILES

/var/log/aide LOGFILES+ARF

!/var/lib/aide

/var/log/faillog LOGFILES
/var/log/lastlog LOGFILES

!/var/log/sa
/var/spool/at DATAONLY
/var/spool/cron/root DATAONLY

/var/run/utmp LOGFILES

/var/tmp LOGFILES

---------------------------={ Handling /root... }=---------------------------

=/root$ FOLDERS
/root PERMISSIONS_I

!/root/Desktop

!/root/.mozilla/firefox
!/root/.xsession-errors
!/root/.metacity/sessions
!/root/.nautilus

---------------------------={ Handling /home... }=---------------------------

=/home$ FOLDERS

------------------------={ Handling /lost+found... }=------------------------

=/lost+found$ INTENSIVE

------------------------------------------------------------------------------

Discussion

  • Apparently the file got clobbered somewhat, so here it is as an attachment. Sorry.

     
    Attachments