Comments on: Catch website file changes with AIDE

By: SEO

SEO — Mon, 15 Mar 2010 15:59:40 +0000

The problem with CentOs is that if you run a cron, it will email you the entire database in addition to the changed files etc. Also, the directory /etc/default/aide isn’t there, so how to set COPYNEWDB to yes?

Anyone knows how to get this working on CentOs?

Thanks!

By: whoo

whoo — Tue, 15 Jul 2008 02:39:38 +0000

md5mon does something similar, if not identical. Ive been using it for a while.

http://freshmeat.net/projects/md5mon/

By: Roni

Roni — Thu, 19 Jun 2008 06:07:37 +0000

As you said “If your site is on a shared hosting account then you’re out of luck”

I think some one must provide features brought to by AIDE into an easier manner. I didn’t think I was harder, but I use shared hosting

By: Альтернативщики опротестовали дотации "Почте России" - ComNews.ru

Альтернативщики опротестовали дотации "Почте России" - ComNews.ru — Wed, 18 Jun 2008 01:06:43 +0000

[...] Catch website file changes with AIDE [...]

By: Donnacha

Donnacha — Tue, 17 Jun 2008 14:02:07 +0000

@Kate, I found this article which suggests that it’s extremely simple:

http://www.bofh-hunter.com/2008/04/10/centos-5-and-aide/

… but I haven’t actually got around to implementing it on any of my CentOS systems yet.

By: Kate

Kate — Tue, 17 Jun 2008 04:36:20 +0000

Is AIDE available for CentOS or Redhat system? I want to try it in CentOS/Redhat system

By: WordPress file monitoring at Mostly Harmless

WordPress file monitoring at Mostly Harmless — Tue, 17 Jun 2008 03:18:00 +0000

[...] Donncha provided a page that covers the issue succinctly and today he added another post on setting up aide. His two posts are good and anyone considering monitoring their WordPress files for modification [...]

By: Donncha

Donncha — Mon, 16 Jun 2008 20:45:00 +0000

Donnacha – unfortunately it might have a lot of privacy issues as POST requests include usernames and passwords.
It’s probably hard, but not impossible, to see a hack attempt in progress. A central db might be useful but it would require a lot of resources.

By: Donnacha

Donnacha — Mon, 16 Jun 2008 20:08:55 +0000

Hmmm, I’m thinking it would be really useful if, aswell as having a plugin email the admin, if the emails were also CC’d to a central server that could treat them as incoming reports, track the trends and, then, when another rash of attacks hits, could send additional warning emails to people whose emails seemed to indicate a likely attack.

Donncha, is something like that ever likely to be instituted or does Automattic tend to be more hands-off, culturally?

By: Donncha

Donncha — Mon, 16 Jun 2008 19:59:39 +0000

Piggy – it’s similar, but AIDE goes further.

First of all, AIDE has a database of file checksums. It runs md5 and various other checksum algorithms on the files you list, and uses that checksum to figure out what files have changed. The plugin above simply checks the file modification time which can be easily spoofed using touch().

Second, AIDE has to be run as root (well, you could install it in a home directory as an ordinary user too, but I digress) which offers some protection against the database being compromised by the webserver user. Even if a PHP application recorded md5 checksums of all it’s files, you could never trust the database because it would have to be owned by the webserver and therefore at risk of being modified by a hacker.

That said, if you can’t install AIDE, then you should use a plugin like that. It would be really nice if it emailed the administrator once every 24 hours with a list of changed files.