aide
Version information
This version is compatible with:
- Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2016.4.x
- Puppet >= 4.10.0 < 7.0.0
Tasks:
- aideinit
Start using this module
Add this module to your Puppetfile:
mod 'iu-aide', '1.3.5'
puppet-aide (AIDE - Advanced Intrusion Detection Environment).
Table of Contents
- Description
- Setup - The basics of getting started with aide
- Examples
- Cron Entry
- Reference - What the module is doing and how
- Assigning parameters using Hiera
- Limitations
- Contributing to the development of this module
- Credits
Description
This is a module for managing the installation, configuration and initial database creation of the AIDE (Advanced Intrusion Detection Environment) package.
AIDE creates a database of files and their attributes from the rules that it finds in its configuration file. Once this database is initialized, it can be used to verify the integrity of the files contained within it. If file attributes covered by the supplied rules change, a summary of the changes is logged and can be acted upon.
Refer to the AIDE manual for further details about configuration options.
This module will also add a cron job to periodically run the aide --check command to verify the integrity of the filesystem against the AIDE database. Results will be logged to the log file (defaults to /var/log/aide/aide.log) and to the AUTH log facility.
Setup Requirements
This module requires some additional modules, but it is highly likely that they are already installed on your puppet server. They are as follows:
- puppetlabs/concat 4.0 - 8.0
- puppetlabs/stdlib 4.0 - 8.0
- puppet/cron 1.0 - 6.0
Examples
Include the aide class and set the cron run time to 6am, with mail sent to a user other than root:
class { 'aide':
  minute => 0,
  hour   => 6,
  mailto => 'user@example.com', # placeholder; the address that should receive check results
}
Watch permissions of all files on the filesystem
The simplest use of iu/aide is to place a watch on the root directory, as follows.
aide::watch { 'example':
  path  => '/',
  rules => 'p',
}
This example adds the line / p, which watches the permissions of all files on the operating system. Obviously, this is a simplistic and not very useful configuration.
Note that the path parameter is optional, with the default being the watch name, e.g.
aide::watch { '/etc':
  rules => 'p',
}
Watch permissions and md5sums of all files in /etc
aide::watch { 'watch etc':
  path  => '/etc',
  rules => 'p+md5',
}
This example adds the line /etc p+md5, which watches /etc with both permissions and md5sums. This could also be implemented as follows.
aide::watch { '/etc':
  rules => ['p', 'md5'],
}
Create a common rule for watching multiple directories
Sometimes you wish to use the same rule to watch multiple directories; in keeping with the Don't Repeat Yourself (DRY) principle, we should create a common name for the rule. This can be done via the aide::rule stanza.
aide::rule { 'MyRule':
  name  => 'MyRule',
  rules => ['p', 'md5'],
}
aide::watch { '/etc':
  rules => 'MyRule',
}
aide::watch { 'otherApp':
  path  => '/path/to/other/config/dir',
  rules => 'MyRule',
}
Here we are defining a rule called MyRule, which will add the line MyRule = p+md5. The next two stanzas can reference that rule. They will show up as /etc MyRule and /path/to/other/config/dir MyRule.
Create a rule to exclude directories
aide::watch { 'Exclude /var/log':
  path => '/var/log',
  type => 'exclude',
}
This will ignore all files under /var/log. It adds the line !/var/log to the config file.
Create a rule to watch only specific files
aide::watch { '/var/log/messages':
  type  => 'equals',
  rules => 'MyRule',
}
This will watch only the file /var/log/messages. It will ignore /var/log/messages/thingie. It adds the line =/var/log/messages MyRule to the config file.
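As an added illustration (not code from the iu-aide module), the following Python models how the aide::rule and aide::watch declarations above turn into aide.conf lines, and how the exclude and equals types change which paths end up covered. The Watch class and the covered() function are this example's own constructions and reproduce only the cases documented on this page, not AIDE's full regex-based matching.

```python
# Added example (not the iu-aide module's own code): models how the aide::rule
# and aide::watch declarations shown above become aide.conf selection lines,
# plus a simplified check of which file paths a set of watches covers.
from dataclasses import dataclass


@dataclass
class Watch:
    """Mirrors the aide::watch parameters used on this page."""
    name: str
    rules: object = ""      # a string like 'p+md5' or a list like ['p', 'md5']
    path: str = None        # defaults to the watch name, as in the module
    type: str = "regular"   # 'regular', 'exclude' or 'equals'

    def effective_path(self):
        return self.name if self.path is None else self.path


def join_rules(rules):
    """A rules array ['p', 'md5'] renders as 'p+md5'; a string is used as-is."""
    return "+".join(rules) if isinstance(rules, list) else rules


def render_rule(name, rules):
    """aide::rule { 'MyRule': rules => ['p', 'md5'] } -> 'MyRule = p+md5'."""
    return f"{name} = {join_rules(rules)}"


def render_watch(w):
    """Render one aide::watch as the config line the page describes."""
    path = w.effective_path()
    if w.type == "exclude":
        return f"!{path}"                         # ignore everything under path
    if w.type == "equals":
        return f"={path} {join_rules(w.rules)}"   # this path only, no descent
    return f"{path} {join_rules(w.rules)}"


def covered(watches, filepath):
    """Simplified model (an assumption of this example): an exclude line hides
    its subtree, an equals line matches one path exactly, a regular line
    matches its subtree, and the most specific (longest) path wins."""
    best = None
    for w in watches:
        path = w.effective_path()
        if w.type == "equals":
            hit = filepath == path
        else:
            hit = filepath == path or filepath.startswith(path.rstrip("/") + "/")
        if hit and (best is None or len(path) > len(best[0])):
            best = (path, w)
    return best is not None and best[1].type != "exclude"
```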
Cron
A cron job is created during installation to run aide checks; it uses the hour and minute parameters to specify the run time.
This cron job can be disabled by setting the aide::nocheck parameter.
Reference
The following parameters are accepted by the ::aide class:
Installation Options
package
Data type: String.
AIDE package name.
Default value: aide.
version
Data type: String.
AIDE version for installation, passed to Package::ensure.
Default value: latest.
Configuration Options
conf_path
Data type: String.
Location of the AIDE configuration file.
Default value: /etc/aide.conf.
db_path
Data type: String.
Location of the AIDE database file.
Default value: /var/lib/aide/aide.db.
db_temp_path
Data type: String.
Location of the updated AIDE database file.
Default value: /var/lib/aide/aide.db.new.
gzip_dbout
Data type: Boolean.
Gzip the AIDE database file (may affect performance).
Default value: false.
aide_path
Data type: String.
Location of the aide binary.
Default value: /usr/sbin/aide.
mail_path
Data type: String.
Location of the mail binary.
Default value: /usr/bin/mail.
config_template
Data type: String.
Template to use for the aide configuration.
Default value: aide/aide.conf.erb.
report_ignore_e2fsattrs
Data type: String.
List (no delimiter) of ext2 file attributes which are to be ignored in the final report.
Default value: undef.
Logging Options
aide_log
Data type: String.
AIDE check output log.
Default value: /var/log/aide/aide.log.
syslogout
Data type: Boolean.
Enables logging to the system logging service's AUTH facility and /var/log/messages.
Default value: true.
Cron scheduling Options
minute
Data type: Integer.
Minute at which the cron job runs.
Default value: 0.
hour
Data type: Integer.
Hour at which the cron job runs.
Default value: 0.
nocheck
Data type: Boolean.
Whether to enable or disable scheduled checks.
Default value: true.
mailto
Data type: String.
Set this value to send the results of aide --check from cron by email.
Default value: undef.
mail_only_on_changes
Data type: Boolean.
Whether to only send emails when changes are detected.
Default value: false.
init_timeout
Data type: Integer.
Timeout of the "aide --init" run.
Default value: 300.
Hiera
Values can be set using Hiera, for example:
aide::syslogout: false
aide::hour: 1
Tasks
The aide module has a task that allows a user to manually initialize aide and copy the database. This is particularly useful when multiple changes are detected on more than one server. The commands the task executes are below and have been tested on Ubuntu.
aideinit
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Limitations
This module currently supports RedHat, CentOS, Debian and Ubuntu Linux, but it has only been fully tested on Ubuntu 16.04 and Ubuntu 18.04.
Contributing
Pull requests for new functionality or bug fixes are welcome but all code must meet the following requirements:
- Is fully tested
- All tests must pass
- Follows the Puppet language style guide
Credits
This module was adopted based on the initial refactoring work of Warren Powell and Matt Lauber, which uses parameter-based classes rather than includes and also adds features for:
- enabling gzip for database
- allow for overrides of aide.conf and cron.d templates
- aide logging options
What are tasks?
Modules can contain tasks that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.
Tasks in this module release
aideinit
This task initializes aide and copies the aide database
Changelog
Release 1.3.5
Enhancements
- Updated pdk
- Added puppet aide task to initialize and copy aide database
Release 1.2.5
Enhancements
- Added report_ignore_e2fsattrs support
- Updated README
- Added GitHub badges
Release 1.1.5
Enhancements
- Fixed deprecated validate_legacy warnings and switched from using params to hiera
- Added nice and ionice to throttle the I/O and CPU load of AIDE
- Added unit test for the util-linux package
- Added path to the aide init exec command in firstrun.pp
- Updated pdk to latest version
Release 1.0.5
Bugfixes
- Pass correct variable to mail_only_on_changes
- Updated pdk
Release 1.0.4
Bugfixes
- Updated pdk
- Updated dependency upper bound limit
Release 1.0.3
Bugfixes
- Fixed cron job command by removing support for the temporary file used by the mail_only_on_changes param
- Added cat -v to mail_only_on_changes, needed to escape filenames with non-printable characters
- Added path for mail program
Release 1.0.2
Bugfixes
- Fixed changes made in release 1.0.1 which prevented aide from triggering on changes due to a config error.
Release 1.0.1
- Fixed spacing in user defined rules in config template and module versioning.
Release 1.0.0
Features
Bugfixes
Known Issues
Dependencies
- puppetlabs/concat (>= 4.0.0 < 8.0.0)
- puppetlabs/stdlib (>=4.0.0 < 8.0.0)
- puppet/cron (>=1.0.0 < 6.0.0)
BSD 3-Clause License

Copyright (c) 2019, Indiana University
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.