# AIDE configuration

## gibkeeg

So I've installed AIDE, I have all the rules set correctly in the aide.conf for the files that I want checked against. It's running every night.

```
0 3   * * * /usr/bin/aide -u
```

The only problem I am having is that the output report is sent to .maildir in / . Excuse me if this is trivial, but how do I point it to my /root/.maildir ?

Here's a copy of my aide.conf. Yes, I know I have some fine tuning to do, but that's a whole different area I will come to later. Right now, I just want my nightly reports sent to /root/.maildir instead of /.maildir .

```
@@ifndef TOPDIR
@@define TOPDIR /
@@endif

@@ifndef AIDEDIR
@@define AIDEDIR /etc/aide
@@endif

database=file:@@{AIDEDIR}/aide.db
database_out=file:@@{AIDEDIR}/aide.db.new
verbose=20
report_url=stdout

All=R+a+sha1+rmd160
Norm=s+n+b+md5+sha1+rmd160

@@{TOPDIR} Norm
!@@{TOPDIR}etc/aide
!@@{TOPDIR}dev
!@@{TOPDIR}proc
!@@{TOPDIR}root
!@@{TOPDIR}tmp
!@@{TOPDIR}var/log
!@@{TOPDIR}var/run
!@@{TOPDIR}usr/portage
=@@{TOPDIR}home Norm
```

Thanks

----------

## Cojack

I know it's a little late coming, but I figured I'd answer your question on the off chance you still haven't figured it out.

```
...
database=file:@@{AIDEDIR}/aide.db
database_out=file:@@{AIDEDIR}/aide.db.new
verbose=20
report_url=stdout
All=R+a+sha1+rmd160
Norm=s+n+b+md5+sha1+rmd160
...
```

It looks like you've got it configured to report to STDOUT, and that output is being mailed by cron to whomever is running the script. You have two options:

Change report_url to some path where you'd like the output. For example:

```
report_url=file:/root/aide_reports/report
```

- or -

Change your cron job to look something like this:

```
0 3   * * * /usr/bin/aide -u | mail -s "Nightly Aide Report" your.addr@someserver.org
```

I find that the latter is probably the most flexible option if you want to report to a remote user or location. Be sure you have some kind of command line mailer set up (unless you're running a mail server on that machine, try 'emerge mailx').

I currently have my server set up such that, if AIDE detects a change as it's run periodically, it not only mails me the output of the AIDE report, but also triggers chkrootkit to run on the system and appends that output as well. It's a good setup, I think, and I'd be happy to post my script if you'd like. 

Cheers!

----------

## InAt!QuE

*Cojack wrote:*

> Change your cron job to look something like this:
>
> ```
> 0 3   * * * /usr/bin/aide -u | mail -s "Nightly Aide Report" your.addr@someserver.org
> ```
> ...

So what you are saying is: when I emerge mailx and create a cronjob like you mentioned, I get all the reports of AIDE mailed to the specified e-mail address...

Is mailx a package which only sends mail? I don't want to run a mailserver...

----------

## Cojack

Yup, that's it.

mailx is just a command-line mail tool; you'll only be able to send mail, but that's all you'll need to whip out some reports.

In fact, here's a little perl script I hacked up that takes this concept a little further:

```
#!/usr/bin/perl
use strict;

##################

# Run AIDE in update mode and capture its report.
my $aide_rc = `aide -u`;

# If the report does not end with the "@@end_db" marker, something was
# flagged: append a chkrootkit run and mail both outputs.
unless( $aide_rc =~ /\"\@\@end_db\"$/ )
{
        $aide_rc .= "\n\n";
        $aide_rc .= `/usr/sbin/chkrootkit`;
        open( MAILOUT, "| mail -s 'Security Alert' your@emal.address" );
        print MAILOUT $aide_rc;
        close( MAILOUT );
}

# Keep a time-stamped copy of the freshly written database, then promote it.
my $timestamp = time();
`cp /etc/aide/aide.db.new /etc/aide/aide.db.$timestamp`;
`mv /etc/aide/aide.db.new /etc/aide/aide.db`;

# Delete time-stamped copies older than one week (604800 seconds).
my $ls_rc = `ls /etc/aide | grep aide.db.`;
foreach my $aide_file ( split( /\n/, $ls_rc ) )
{
        my $old_time;
        ( undef, $old_time ) = split( /db\./, $aide_file );
        #print $old_time;
        if( ( $timestamp - $old_time ) > 604800 ) {
                `rm /etc/aide/$aide_file`;
        }
}
```

You'll need to have chkrootkit installed, and may need to tweak the paths if it doesn't match your setup. Run from cron, this script will run AIDE, and if any mismatches are found it then runs chkrootkit and mails the output from both apps to the address(es) of your choosing. It also updates the current aide db every time it's run, keeping time-stamped backups of your AIDE dbs in case you need to run AIDE against a known good (or bad) db.

Hope you find this useful!
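The same workflow the two posts above describe (run AIDE from cron, mail the report only when something changed, keep time-stamped database backups and prune the old ones) written as a POSIX sh script. This is an added example, not Cojack's script or anything from the AIDE project; it keys off AIDE's documented exit status (from aide(1): 1 = new files, 2 = removed files, 4 = changed files, combined as a bitmask; 14 and above are errors) instead of pattern-matching the report text, and it backs up the previous database rather than the new one. The environment variables AIDE_BIN, AIDEDIR and MAILTO_ADDR are assumptions introduced here for configuration.

```shell
#!/bin/sh
# Added example (not from the thread): run AIDE, mail on change, rotate the db.
# Assumed knobs: AIDE_BIN (default aide), AIDEDIR (default /etc/aide),
# MAILTO_ADDR (default root).

# Decode an AIDE exit code into a human-readable summary.
# Bits per aide(1): 1 = new files, 2 = removed files, 4 = changed files.
# Exit codes of 14 and above signal an error, not a finding.
aide_change_summary() {
    rc="$1"
    if [ "$rc" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$rc" -ge 14 ]; then
        echo "error (exit $rc)"
        return 0
    fi
    out=""
    [ $((rc & 1)) -ne 0 ] && out="${out}new,"
    [ $((rc & 2)) -ne 0 ] && out="${out}removed,"
    [ $((rc & 4)) -ne 0 ] && out="${out}changed,"
    echo "${out%,}"
    return 0
}

# Promote aide.db.new to aide.db, keeping the *previous* aide.db as
# aide.db.<now> and deleting time-stamped copies older than $3 seconds.
# Arguments: AIDEDIR NOW_EPOCH RETENTION_SECONDS
rotate_aide_db() {
    dir="$1"; now="$2"; keep="$3"
    [ -f "$dir/aide.db.new" ] || return 1
    if [ -f "$dir/aide.db" ]; then
        cp -p "$dir/aide.db" "$dir/aide.db.$now"
    fi
    mv "$dir/aide.db.new" "$dir/aide.db"
    for f in "$dir"/aide.db.[0-9]*; do
        [ -e "$f" ] || continue
        stamp="${f##*aide.db.}"
        # Only files whose suffix is purely numeric are our backups.
        case "$stamp" in ''|*[!0-9]*) continue ;; esac
        if [ $((now - stamp)) -gt "$keep" ]; then
            rm -f "$f"
        fi
    done
    return 0
}

# Nightly entry point: run AIDE, mail the report if anything was flagged,
# then rotate the database. Skips the rotation when AIDE itself errored.
nightly_check() {
    aidedir="${AIDEDIR:-/etc/aide}"
    rc=0
    report=$("${AIDE_BIN:-aide}" -u 2>&1) || rc=$?
    summary=$(aide_change_summary "$rc")
    if [ "$rc" -ne 0 ]; then
        { echo "AIDE summary: $summary"; echo; echo "$report"; } \
            | mail -s "Nightly AIDE report ($summary)" "${MAILTO_ADDR:-root}"
    fi
    if [ "$rc" -ge 14 ]; then
        return "$rc"
    fi
    rotate_aide_db "$aidedir" "$(date +%s)" 604800
}

# Only run the real check when explicitly asked, so the functions above can
# be sourced or tested without touching the live database.
if [ "${AIDE_NIGHTLY_RUN:-0}" = "1" ]; then
    nightly_check
fi
```

Invoke it from root's crontab as `0 3 * * * AIDE_NIGHTLY_RUN=1 /root/bin/aide_nightly.sh` (path assumed). Because the report still goes to stdout (report_url=stdout in the config above), the script captures it and decides itself whether to mail, so the /.maildir cron-output problem from the first post goes away.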

----------

## InAt!QuE

do I have to configure mailx first or is just emerging it enough?

I can't find any .conf files for it (probably I'm not searching right, but keep in mind I'm still new to Gentoo, and to Linux at all).

BTW: This mail option sends mail to any mail address on the net or only locally?

The script has to be run as a cronjob, right? So

```
0 3   * * * ./usr/scripts/aide
```

would be good ???

----------

## Cojack

As best as I can remember, mailx doesn't take any configuration to get working. Just emerge it and you've got it. In this kind of application, one would use it by piping the result of some program's output (in this case, AIDE and chkrootkit) to mail and then passing the address on the command line. For example, the following command will mail the contents of a pretend world update to the administrator:

```
$ emerge -pu --deep world | mail -s 'World Update' admin@yourdomain.com
```

And yes, you can send to any public email address, so be gentle.

This script doesn't HAVE to be run from cron, but it's intended to be run automatically, so run it as frequently as you feel your situation warrants. I placed the script into /root/bin, but you don't have to. I'm just paranoid about exposing any sort of security related task to the rest of the system. If the script is in /root/bin, try the following cron listing:

```
0  3  *  *  *  /root/bin/security_check.pl
```

Wherever you end up putting the script, place the full path to the script in the crontab. Also, this script requires read/write permissions to the /etc/aide directory and read permissions to any other restricted place that you set AIDE up to check. Hence, it should probably be run from root's crontab, unless you're going to set up an AIDE group or something.

Good luck!

----------

## InAt!QuE

Something goes wrong when running the script security_check.pl:

```
#/root/bin/security_check.pl
Global symbol "@hotmail" requires explicit package name at /root/bin/security_check.pl line 15.
Execution of /root/bin/security_check.pl aborted due to compilation errors.
```

What's wrong??

----------

## Cojack

Sorry, I forgot to mention, you have to escape any special characters (including the @-symbol) in your email address at that line. Otherwise perl will interpolate it as a variable, which is causing your error.

So, the offending line would be re-written thusly:

```
open( MAILOUT, "| mail -s 'Security Alert' your.name\@hotmail.com" );
```

If that doesn't work, let me know.

----------

## InAt!QuE

Thanks, I'll try it... I'll let you know..

But can you also take a look at this : https://forums.gentoo.org/viewtopic.php?t=137107&highlight=

Dunno how to fix that.. maybe you do

----------

## InAt!QuE

OK, it works ... now only the aide -i faults to fix

----------

## Basti_litho

What's wrong?

```
.../$ echo "Hallo" |mail -s "test" root
09:54:23 /var/spool/mail $ send-mail: Cannot open mail:25
```

I've emerged mailx.

For this problem (aide and cron and mail), I've written two little scripts:

/usr/sbin/sendmail:

```
#!/bin/bash
cat >> /var/spool/mail/root
```

/bin/mail:

```
#!/bin/bash
less /var/spool/mail/root
cat  /dev/null > /var/spool/mail/root
```

But the way with "mailx" is really better - but /bin/mail can't send without an SMTP server on port 25.

----------

## InAt!QuE

Basti_litho:

Your problem can be found here : https://forums.gentoo.org/viewtopic.php?t=137109&highlight=

Good luck

----------

## Basti_litho

Thanks for your answer - but:

*Quote:*

> Maybe you have ssmtp installed and the /etc/ssmtp/ssmtp.conf file defined mailhub=mail (the default).
>
> In this case all mail originating from your machine (including the mail command) will be directed to a mail server named 'mail'. That's why you get the "cannot open mail:25" error. You should enter your mail gateway name in the ssmtp.conf file.
> ...

I don't understand "mail gateway" - I don't have any mail gateway - I'll only send the mail from cron to /var/spool/mail/...

----------

## Basti_litho

Anybody have an idea?

----------

## InAt!QuE

In my case, I used the mailgateway from my ISP as mailhub...

example:

```
mailhub=mail.home.nl
```

I guess you have a mail gateway from your ISP. Normally you should have one.

----------

