AIDE: Database updating

Using a script

Rotating has been a process that gets repeated enough that using a script file was deemed worthwhile. See if the script file exists:

which aidedbup

If the script exists

If it does, then, great. Go ahead and use it (if you trust the software on this machine).

aidedbup "optionalUpdateDescription"

Otherwise

If the script doesn't exist yet, determine whether it should be installed. The key reason not to use the script is just that the current version requires OpenBSD's ksh (or a suitably compatible shell; bash is also currently believed to be suitable enough to work). If such a shell is undesirable, then using the older method may be needed.

If you are going to be using the script, start by obtaining, and then installing it as follows:

export AIDEWSCF=http://cyberpillar.com/dirsver/1/mainsite/techns/bhndscen/protsoft/filintgr/aide/mkaidecf/aidecfsc/aidecfs1

If a private server is going to be used, have that variable be set to point to the desired location.

ftp -v -o ~/aideupdt.gz ${AIDEWSCF}/aidescr1/aideupd1.gz
ln ~/aideupdt.gz ~/gztoextr.gz
gzip -d ~/gztoextr.gz
sudo mv -i ~/gztoextr /usr/local/bin/aidedbup
sudo chown :wheel /usr/local/bin/aidedbup
sudo chmod ug+x /usr/local/bin/aidedbup
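The download above travels over plain HTTP and ends up in /usr/local/bin, so a digest check between the ftp step and the install step is worthwhile. The following is an added example, not part of the original page or of the aidedbup script: the function names are hypothetical, and the expected digest is a placeholder that must be recorded from a copy of the archive you trust, because the page does not publish one.

```shell
#!/bin/sh
# Added example (hypothetical helper names; not part of aidedbup).

# Print the SHA-256 of a file: sha256sum on Linux, sha256 -q on OpenBSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# verify_and_stage ARCHIVE.gz EXPECTED_SHA256 OUTFILE
# Writes the decompressed script to OUTFILE only when the archive's digest
# matches. Returns 0 on match, 1 on mismatch, 2 on any other failure.
verify_and_stage() {
    archive=$1
    expected=$2
    out=$3
    actual=$(sha256_of "$archive") || return 2
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "refusing to install: digest is '$actual'" >&2
        return 1
    fi
    # umask 077 keeps the staged copy private until it is installed.
    ( umask 077; gzip -dc "$archive" > "$out" ) || { rm -f "$out"; return 2; }
}

# Typical use after the ftp step. EXPECTED is a placeholder recorded from a
# trusted copy of the archive; -o root is an assumption of this example
# (the page's own commands only set the group to wheel).
#   EXPECTED=<sha256-recorded-from-trusted-copy>
#   verify_and_stage ~/aideupdt.gz "$EXPECTED" ~/gztoextr &&
#     sudo install -o root -g wheel -m 0750 ~/gztoextr /usr/local/bin/aidedbup
```

On a mismatch nothing is written to the output path, so the later install step has no file to pick up.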

Also, check that a required directory exists:

ls -ld /var/log/aide
  • The /var/log/aide/ directory should be writable (which implies that it exists). (If the directory is not writable, commands to take care of that are in the filesystem integrity checker section, which provides information and resources for setting up this software.) Checking this is not typically something that needs to happen every time that the database is updated. This check is simply being done to verify that this got taken care of, at least once, probably around the time that the software was initially being configured.

Installing required programs

Overview

The current version of the script uses pv and gzip. (If those programs are unavailable, cat could be used instead of pv, and there are other compressors available. However, the script does not check for suitable alternative programs. So, if possible, install the programs that the script seeks to use. Then there won't be a need to alter the script.)

Programs to download/install

Installing pv in OpenBSD

sudo -i pkg_add -ivv pv

Additionally, the “rotate data” script should be installed before running this script.

When using this script, there won't be a need to manually perform rotation, because this script rotates files by running another script named aidertat (which does not exist by default and needs to be installed separately).

aidedbup firstAIDEdbUp

That will likely start showing some output, including lines like “encode base64, data length: ”, and may take some time (a few minutes, or maybe many more minutes).

The older approach

For a while, the intended process was to perform “copy and paste” of some commands for rotating database files and updating database files. Experience indicated that the process was more cumbersome than it should be, considering how often rotations are recommended, and so installing script files is worthwhile. Still, these old instructions remain available.

It is recommended to start out by rotating the database files.

These instructions expect that some variables got set. These variables are set when following this guide's instructions for rotating the database files. If, for some reason, there is a desire to skip the step of rotating the database, then still make sure that these required environment variables are set. See: AIDE AIDEDBFL and AIDEOUTF environment variables.

ls -ld /var/log/aide

The /var/log/aide/ directory should be writable (which implies that it exists). (If the directory is not writable, commands to take care of that are in the filesystem integrity checker section, which provides information and resources for setting up this software.) Checking this is not typically something that needs to happen every time that the database is updated. This check is simply being done to verify that this got taken care of, at least once, probably around the time that the software was initially being configured.

The preferred syntax of the next line is designed for OpenBSD's ksh and similar/compatible shells:

Preferred syntax

This can be accomplished with OpenBSD's ksh and similar/compatible shells by using:

{ sudo time aide -u -V231 ; echo Err=${?} ; } 2>&1 | sudo -n tee -a /var/log/aide/aide-latest-check-$(date +%F%H%M%S%Z%a).txt

After this is run, you can check the number reported after Err= to see the “error”/return code. Details for interpreting that are at: AIDE: Return code

Other shells

If the shell does not support that preferred syntax, one could just remove the comment character from the following example command:

time #aide -u -V231 | tee -a /var/log/aide/aide-latest-check.txt

This does not capture the error code. (Trying to print the exit code after piping the results to tee will just show the exit code of the tee command.)

Note: If any files have been changed, then a non-zero “error level”/“return code” is normal. With many commands, seeing a non-zero error code is an indicator of a problem. (This is noted by Advanced Shell Scripting Guide (focused on Bash) Appendix E: Exit Codes With Special Meanings.) With this command, that is not a problem (unless the report was expected to show that no changes have happened).
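The Err= value that the preferred-syntax command appends to the log can be decoded with a small helper, which separates "files differ" results from real failures. This is an added example, not part of the original page: the function names are hypothetical, and the meanings are those listed in the exit status section of aide(1) (bit values 1, 2 and 4 for added, removed and changed files; 14 to 19 for errors).

```shell
#!/bin/sh
# Added example; last_err and describe_aide_rc are hypothetical helper names.

# last_err LOGFILE: print N from the final "Err=N" line written by the
# "{ sudo time aide -u ... ; echo Err=${?} ; }" command.
last_err() {
    sed -n 's/^Err=\([0-9][0-9]*\)$/\1/p' "$1" | tail -n 1
}

# describe_aide_rc N: explain an "aide -u" exit status per aide(1).
describe_aide_rc() {
    rc=$1
    case $rc in
        ''|*[!0-9]*) echo "not a number: '$rc'"; return 1 ;;
        0)  echo "no differences"; return 0 ;;
        14) echo "error: writing error"; return 0 ;;
        15) echo "error: invalid argument"; return 0 ;;
        16) echo "error: unimplemented function"; return 0 ;;
        17) echo "error: invalid configuration line"; return 0 ;;
        18) echo "error: IO error"; return 0 ;;
        19) echo "error: version mismatch"; return 0 ;;
    esac
    if [ "$rc" -gt 7 ]; then
        echo "unrecognized code $rc"
        return 0
    fi
    # Codes 1..7 are a bitmask: 1 = added, 2 = removed, 4 = changed.
    found=
    if [ $(( $rc & 1 )) -ne 0 ]; then found="added"; fi
    if [ $(( $rc & 2 )) -ne 0 ]; then found="${found:+$found,}removed"; fi
    if [ $(( $rc & 4 )) -ne 0 ]; then found="${found:+$found,}changed"; fi
    echo "differences: $found"
}
```

For example, `describe_aide_rc "$(last_err /var/log/aide/NAME-OF-LOG.txt)"` reports on one run, where the file name is whichever timestamped log the command produced.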

After updating the database, the next thing that is recommended is to rotate the database files.

A common activity to do (after updating the files, and then rotating the files), is to view the resulting report. Details for doing that are at: AIDE “resulting report” showing (older method: AIDE: Reviewing the report).