adding values to aide.conf

The man page http://manpages.ubuntu.com/manpages/bionic/en/man1/aide.1.html provides some information about config files, among others "./aide.conf" and "/etc/aide/aide.conf.d/*"

You should also read the information in http://aide.sourceforge.net/

And another reference: https://help.ubuntu.com/community/FileIntegrityAIDE#AIDE_with_the_aide-common_package

I appreciate the information....

Ubuntu 16.04
I am looking for the specific file that I can update to lock-down my server for STIG.

This is what the solution says for one part of AIDE...

Add or update the following selection lines to "/etc/aide/aide.conf", in order to protect the integrity of the audit tools.
# Audit Tools
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512
/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512

However /etc/aide/aide.conf has a warning that the file will be overwritten if changes are made to it.

I am wondering what file I can add the above to so they are not overwritten?

Thank you
Bill

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Manfred Hampl
Sent: Thursday, November 29, 2018 3:09 AM
To: ECCLES, WILLIAM <email address hidden>
Subject: Re: [Question #676432]: adding values to aide.conf

Your question #676432 on aide in Ubuntu changed:
https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_aide_-2Bquestion_676432&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=K1eEyIbEO-KL3uQfczw_nX1wcb4Cj8e-fF4FsHCaKbQ&s=JY6XDVJtKWLsWyJj3oVJepq-MaGOc3yYHp8x6g33lRA&e=

Manfred Hampl proposed the following answer:
And another reference:
https://urldefense.proofpoint.com/v2/url?u=https-3A__help.ubuntu.com_community_FileIntegrityAIDE-23AIDE-5Fwith-5Fthe-5Faide-2D&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=K1eEyIbEO-KL3uQfczw_nX1wcb4Cj8e-fF4FsHCaKbQ&s=grsgNO7ZhkbOT23Omz_82vThr6Xz_iWECsA8wyzfD3A&e=
common_package

--
If this answers your question, please go to the following page to let us
know that it is solved:
https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_aide_-2Bquestion_676432_-2Bconfirm-3Fanswer-5Fid-3D1&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=K1eEyIbEO-KL3uQfczw_nX1wcb4Cj8e-fF4FsHCaKbQ&s=UhHmTDgiSWXnBiHXndFfvbb3P2A9RgPBaP6oQ1LqNqo&e=

If you still need help, you can reply to this email or go to the
following page to enter your feedback:
https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_aide_-2Bquestion_676432&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=K1eEyIbEO-KL3uQfczw_nX1wcb4Cj8e-fF4FsHCaKbQ&s=JY6XDVJtKWLsWyJj3oVJepq-MaGOc3yYHp8x6g33lRA&e=

You received this question notification because you asked the question.

Did you read my first answer?
Look at the man pages and you will see a hint about files in /etc/aide/aide.conf.d/

I did read your first email....

Back to my original concerns about the aide.conf file….

When I edit it, it says....

#WARNING WARNING WARNING

#This file is generated dynamically from /etc/aide/aide.conf and the files

#in /etc/aide/aide.conf.d

#ANY changes you make here will be lost.

#WARNING WARNING WARNING

[cid:image002.jpg@01D4887D.D5C39040]

So if I make changes to this file….the changes are lost.

My original question is…..Where would I add information to AIDE so it is not overwritten.

I need to add these lines to the AIDE config file.

# Audit Tools

/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512

/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512

/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512

/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512

/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512

/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512

/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512

Does not seem like this is the file as it clearly states anything changed will be lost.

I am reaching out for help because I am not familiar with AIDE.

I appreciate your assistance.

Thanks

Bill

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Manfred Hampl
Sent: Thursday, November 29, 2018 3:13 PM
To: ECCLES, WILLIAM <email address hidden>
Subject: Re: [Question #676432]: adding values to aide.conf

Your question #676432 on aide in Ubuntu changed:

https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_aide_-2Bquestion_676432&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=SYfBAow5pKqVqoRaf2u9gEFLJuySWMSbqIlLm3KdVt0&s=8bdEo_K5ivXfGhi2cXHAXi1WPwIY7ggbiQnKyOVnpA8&e=

    Status: Open => Answered

Manfred Hampl proposed the following answer:

Did you read my first answer?

Look at the man pages and you will see a hint about files in /etc/aide/aide.conf.d/

--

If this answers your question, please go to the following page to let us

know that it is solved:

https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_aide_-2Bquestion_676432_-2Bconfirm-3Fanswer-5Fid-3D3&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=SYfBAow5pKqVqoRaf2u9gEFLJuySWMSbqIlLm3KdVt0&s=CB34_jhLLnKvGKEDXVhmDx3DozhbLuZ6MpZE1YSQMD4&e=

If you still need help, you can reply to this email or go to the

following page to enter your feedback:

https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_aide_-2Bquestion_676432&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=SYfBAow5pKqVqoRaf2u9gEFLJuySWMSbqIlLm3KdVt0&s=8bdEo_K5ivXfGhi2cXHAXi1WPwIY7ggbiQnKyOVnpA8&e=

You received this question notification because you asked the question.

The file says that changes made will be lost.

So......
Is there a section in aide.conf where I can make changes that will not be lost?
Should I be looking at a different file?

Thanks

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Bill Eccles
Sent: Friday, November 30, 2018 7:33 AM
To: ECCLES, WILLIAM <email address hidden>
Subject: Re: [Question #676432]: adding values to aide.conf

Your question #676432 on aide in Ubuntu changed:
https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_aide_-2Bquestion_676432&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=Zos8A0eroAPafbkXEzNqGBohpdCkQw7DR4-5W_akW7E&s=PJ2e7UBY3TtR4L2zhIRbdykpZE1vH2ycO-zX-KASjMs&e=

    Status: Answered => Open

You are still having a problem:
I did read your first email....

Back to my original concerns about the aide.conf file….

When I edit it, it says....

#WARNING WARNING WARNING

#This file is generated dynamically from /etc/aide/aide.conf and the
files

#in /etc/aide/aide.conf.d

#ANY changes you make here will be lost.

#WARNING WARNING WARNING

[cid:image002.jpg@01D4887D.D5C39040]

So if I make changes to this file….the changes are lost.

My original question is…..Where would I add information to AIDE so it is
not overwritten.

I need to add these lines to the AIDE config file.

# Audit Tools

/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattr+sha512

/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattr+sha512

/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattr+sha512

/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattr+sha512

/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattr+sha512

/usr/sbin/audispd p+i+n+u+g+s+b+acl+xattr+sha512

/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattr+sha512

Does not seem like this is the file as it clearly states anything
changed will be lost.

I am reaching out for help because I am not familiar with AIDE.

I appreciate your assistance.

Thanks

Bill

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Manfred Hampl
Sent: Thursday, November 29, 2018 3:13 PM
To: ECCLES, WILLIAM <email address hidden>
Subject: Re: [Question #676432]: adding values to aide.conf

Your question #676432 on aide in Ubuntu changed:

https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad
.net_ubuntu_-2Bsource_aide_-2Bquestion_676432&d=DwIFaQ&c=LFYZ-
o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=SYfBAow5pKqVqoRaf2u9gEFLJuySWMSbqIlLm3KdVt0&s=8bdEo_K5ivXfGhi2cXHAXi1WPwIY7ggbiQnKyOVnpA8&e=

    Status: Open => Answered

Manfred Hampl proposed the following answer:

Did you read my first answer?

Look at the man pages and you will see a hint about files in
/etc/aide/aide.conf.d/

--

If this answers your question, please go to the following page to let us

know that it is solved:

https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad
.net_ubuntu_-2Bsource_aide_-2Bquestion_676432_-2Bconfirm-3Fanswer-5Fid-
3D3&d=DwIFaQ&c=LFYZ-
o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=SYfBAow5pKqVqoRaf2u9gEFLJuySWMSbqIlLm3KdVt0&s=CB34_jhLLnKvGKEDXVhmDx3DozhbLuZ6MpZE1YSQMD4&e=

If you still need help, you can reply to this email or go to the

following page to enter your feedback:

https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad
.net_ubuntu_-2Bsource_aide_-2Bquestion_676432&d=DwIFaQ&c=LFYZ-
o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=SYfBAow5pKqVqoRaf2u9gEFLJuySWMSbqIlLm3KdVt0&s=8bdEo_K5ivXfGhi2cXHAXi1WPwIY7ggbiQnKyOVnpA8&e=

You received this question notification because you asked the question.

--
You received this question notification because you asked the question.

My original question is…..Where would I add information to AIDE so it is not overwritten.

I already told twice:
Put it into a file in /etc/aide/aide.conf.d/