Changing the Output of the AIDE Report

You might want a little more flexibility in the location of the AIDE report. For example, you may not want to receive emails if everything is okay with the AIDE report, or you may want to have AIDE report into a file instead of writing to standard output. AIDE has four basic output options that can be configured through the AIDE configuration file.

LINUX OUTPUT STREAMS

Linux has three standard streams that are created when a program runs. These streams are referred to as stdin, stdout, and stderr, which are abbreviations for Standard Input, Standard Output, and Standard Error, respectively. When you see a reference to STDOUT, it refers to the normal method of output to the screen, and STDERR indicates output as a result of an error condition. As you might expect, STDIN refers to the method of input when read from the input file descriptor.

The general AIDE configuration option called report_url configures where output is sent. By default, output is displayed to STDOUT. Output can be sent to any or all of the following:

• STDOUT

• STDERR

• Text file

• File descriptor

Of these four possibilities, STDOUT, STDERR, and text file are of interest. Future versions of AIDE may include output configurations for automated email and automated output to the SYSLOG facility.

Of particular interest is the text file type of output for AIDE. This output type is specified using this configuration line:

report_url=file:/<path>/<filename>

For example, to configure AIDE reports to go to a file called aidereport.txt in the /var/log/aide directory that you create, you would use this configuration option in the AIDE configuration file:

report_url=file:/var/log/aide/aidereport.txt

However, the report_url configuration option is only one means for getting output into a file. Because you're running the AIDE report from cron, you could also simply redirect the output to a file. For example, recall the crontab entry shown earlier in the chapter:

You could alter that cron entry to redirect the output to a file. Doing so would cause all output to go to that file and would also enable additional features such as date-based naming. This can be done with a little shell trick using backquotes (sometimes called backticks, usually found with the tilde [~] on the keyboard). Here's the new cron entry:

# cron treats an unescaped % as a newline, so each % in the date format is written as \%
0 2 * * * /usr/local/bin/aide --check >/var/log/aide/aidereport-`date +\%m\%d\%Y`.txt

Now the AIDE report will run and redirect STDOUT to a file called

/var/log/aide/aidereport-<date>.txt

For example, for a report run on March 12, 2004, the file would be called

/var/log/aide/aidereport-03122004.txt

With a redirected configuration such as the one shown, you will no longer receive emails when AIDE runs through its normal cron job. Rather, you will receive emails only when an error occurs with the AIDE cron job. Because you'll no longer be receiving the emails, you may be tempted to ignore your monitoring duties and just let all the AIDE reports pile up. However, you should still monitor the AIDE reports by looking at the reports for anomalies and cleaning them up as appropriate.
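One way to combine the points above (a dated report file on every run, mail only when a run needs attention, and periodic cleanup of old reports) is a small wrapper script run from cron. This is an added example, not part of the original text: the function names and the 90-day retention default are hypothetical, and it assumes an AIDE version whose --check exit status follows aide(1) (0 for no differences, 1 to 7 as a bitmask of new, removed and changed entries, 14 and above for errors).

```shell
#!/bin/sh
# Added example: cron wrapper around "aide --check" (not from the original text).
# Assumption: exit status as documented in aide(1): 0 = no differences,
# 1-7 = bitmask of new(1)/removed(2)/changed(4) entries, 14 and above = errors.

AIDE_BIN="${AIDE_BIN:-/usr/local/bin/aide}"   # binary path used on this page
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"     # report directory used on this page

# Turn an AIDE exit status into a short verdict string.
classify_status() {
    case "$1" in
        0) echo "clean" ;;
        [1-7])
            v=""
            [ $(( $1 & 1 )) -ne 0 ] && v="${v}new "
            [ $(( $1 & 2 )) -ne 0 ] && v="${v}removed "
            [ $(( $1 & 4 )) -ne 0 ] && v="${v}changed "
            echo "differences: ${v% }" ;;
        *) echo "error: aide exited with status $1" ;;
    esac
}

# Run the check and keep the full report in a dated file. Print to stdout only
# when the run needs attention, so cron sends mail only for those runs.
run_check() {
    umask 077                       # reports reveal monitored paths; keep them private
    report="$REPORT_DIR/aidereport-$(date +%m%d%Y).txt"
    status=0
    "$AIDE_BIN" --check >"$report" 2>&1 || status=$?
    verdict=$(classify_status "$status")
    if [ "$status" -ne 0 ]; then
        echo "AIDE $verdict (full report: $report)"
    fi
    return "$status"
}

# Delete dated reports older than $1 days (hypothetical default: 90).
prune_reports() {
    find "$REPORT_DIR" -name 'aidereport-*.txt' -type f \
        -mtime "+${1:-90}" -exec rm -f {} +
}

# To use from cron: add the lines "prune_reports" and "run_check" at the end
# of this file and point the 02:00 cron entry at the script.
```

Because the date command runs inside the script rather than in the crontab line, no % escaping is needed in the cron entry.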


Responses

  • MANUELA
    Where is Linux AIDE output?
    3 months ago
