I am not that familiar with aide, and I found it difficult to troubleshoot.
I have a problem with the aide process: /usr/bin/aide hangs on Linux, and the accumulated processes send mail to root, which resulted in the memory filling up.
A low memory alarm appears to have been caused by an accumulation of /usr/bin/aide processes which have been unable to exit.
The process is launched by an unknown method every night and takes some time to run, usually resulting in a very large output, which is then mailed to root.
The mail is too large and is dropped, and aide does not exit.
My temporary remedy is to kill the aide process with the command kill -9 PID.
But when we kill the process, aide is still running with a new PID; we want to avoid killing the process every time we log in.
Below is the log when aide is running.
[QUOTE]MDRmspTS03:~ # ps -ef | grep -i aide
root 10631 1 0 02:00 ? 00:00:00 /bin/sh -c test -x /usr/bin/aide && /usr/bin/aide --check -V | /bin/mail -s 'Aide daily run' root &
root 10632 10631 5 02:00 ? 00:05:05 /usr/bin/aide --check -V
root 10634 10631 0 02:00 ? 00:00:00 /bin/mail -s Aide daily run root
root 13828 1 0 Feb13 ? 00:00:00 /bin/sh -c test -x /usr/bin/aide && /usr/bin/aide --check -V | /bin/mail -s 'Aide daily run' root &
root 13830 13828 0 Feb13 ? 00:04:31 /usr/bin/aide --check -V
root 13831 13828 0 Feb13 ? 00:00:00 /bin/mail -s Aide daily run root
root 26896 26849 0 03:28 pts/4 00:00:00 grep -i aide
root 28730 1 0 Feb14 ? 00:00:00 /bin/sh -c test -x /usr/bin/aide && /usr/bin/aide --check -V | /bin/mail -s 'Aide daily run' root &
root 28732 28730 0 Feb14 ? 00:05:08 /usr/bin/aide --check -V
root 28734 28730 0 Feb14 ? 00:00:00 /bin/mail -s Aide daily run root
[/QUOTE]
Below is the crontab for the aide process, but we did not save it in crontab, so it should not be sending mail to root.
[QUOTE]MDRmspTS03:/etc/cron.d # more aide
RUN_FROM_CRON=yes
0 2 * * * root test -x /usr/bin/aide && /usr/bin/aide --check -V | /bin/mail -s 'Aide daily run' root &
[/QUOTE]
Below is the Linux version.
[QUOTE]MDRmspTS03:~ # uname -a
Linux MDRmspTS03 2.6.27.19-5-default #1 SMP 2009-02-28 04:40:21 +0100 x86_64 x86_64 x86_64 GNU/Linux
MDRmspTS03:~ # cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 0
[/QUOTE]
And below is the aide version.
[QUOTE]MDRmspTS01:/etc # rpm -qi aide
Name : aide Relocations: (not relocatable)
Version : 0.13.1 Vendor: SUSE LINUX Products GmbH, Nuernberg, Germany
Release : 40.14 Build Date: Mon 23 Feb 2009 18:57:42 UTC
Install Date: Mon 20 Jun 2011 18:56:47 UTC Build Host: Super-Pinguine
Group : Productivity/Security Source RPM: aide-0.13.1-40.14.src.rpm
Size : 274230 License: GPL v2 or later
Signature : RSA/8, Mon 23 Feb 2009 18:57:48 UTC, Key ID e3a5c360307e3d54
Packager : http://bugs.opensuse.org
URL : http://sourceforge.net/projects/aide/
Summary : Advanced Intrusion Detection Environment
Description :
AIDE is an intrusion detection system that checks file integrity.
[/QUOTE]
Below is the configuration of aide.
[QUOTE]MDRmspTS03:/etc # more aide.conf
# Based on the Example AIDE Config by Matthias G. Eckermann mge@suse.de
# Configuration parameters
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
verbose=1
report_url=stdout
warn_dead_symlinks=yes
# Custom rules
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
Devices = p+n+u+g+s+b+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1
# Added to ignore check script changes + more permissive /var/log
ConfFiles2 = p+n+u+g+s+b+md5+sha1
Databases2 = p+n+u+g+ANF
Logs2 = p+n+u+g+ANF+ARF
Logs3 = p+n+ANF+ARF
# Directories and files
# Kernel, system map, etc.
/boot Binlib
# watch config files, but exclude, what changes at boot time, ...
!/etc/mtab
!/etc/lvm
/etc/adjtime Databases
# Special treatment for some files altered by check.sh
/etc/passwd$ ConfFiles2
/etc/group$ ConfFiles2
/etc/security$ StaticDir
/etc/security/opasswd$ Databases
/etc/security/opasswd\.old$ Databases2
/etc/shadow$ ConfFiles2
/etc/group\.old$ Databases2
/etc/passwd\.old$ Databases2
/etc/shadow\.old$ Databases2
/etc/passwd\.backup$ Databases2
/etc/shadow\.backup$ Databases2
/etc$ StaticDir
/etc ConfFiles
# Binaries
/bin Binlib
/sbin Binlib
# Libraries
/lib Binlib
# Complete /usr and /opt
/usr Binlib
/opt Binlib
# Log files
/var/log$ StaticDir
/var/log/ Logs2
# Devices
!/dev/pts
!/dev/bus
!/dev/\.udev
!/dev/vcs
!/dev/shm/sysconfig
/dev/log$ p+n+u+g
/dev$ StaticDir
/dev Devices
# Other miscellaneous files
/var/run$ StaticDir
!/var/run/
/var/lib Databases
# Test only the directory when dealing with /proc
/proc$ StaticDir
!/proc
# Oracle files
/opt/oracle/diag/rdbms/miepdb/MIEPDB Logs2
/opt/oracle/admin/MIEPDB/adump Logs2
/opt/oracle/11\.1\.0/dbs Logs2
/opt/oracle/diag$ StaticDir
/opt/oracle/11\.1\.0/log/diag/ Logs2
# MIEP files
/var/log/miep/ Logs3
/opt/miep[^/]/conf/config.xml$ Databases
/opt/miep[^/]/dbRuntimeBackup/ Logs2
/opt/miep[^/]/shm$ StaticDir
!/opt/miep[^/]/shm/[^/]*_shm$
!/opt/sentinel
!/opt/apache/conf/pipsw\.dir$
!/opt/apache/conf/pipsw\.pag$
/opt/tomcat/logs$ StaticDir
/opt/tomcat/logs/ Logs2
/opt/tomcat/conf$ StaticDir
/opt/tomcat/conf/ Logs2
[/QUOTE]
My preference is not to kill the hung aide process every time we log in, and to find out the root cause.
So can we tune aide to produce less output data? Or simply not mail it to root every day? Because this aide mail sent to root is not being read by anyone.
Could you please advise a solution that does not require me to kill the process every time we log in?
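One way to take the nightly check off the mail pipeline, added here as an example and not code from the post above or from the AIDE project: a wrapper for the /etc/cron.d entry that writes the full aide report to a file, mails only a bounded summary, takes a lock so a second nightly run cannot stack up behind a stuck one, and kills a run that exceeds a time budget. /usr/bin/aide and the "Aide daily run" subject come from the post; the report directory, lock path, time limit, summary size and the send_summary/run_aide_check names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: a cron wrapper for the nightly AIDE
# check. Instead of "aide --check -V | mail root", it writes the full report
# to a file, mails a bounded summary, takes a lock so a second nightly run
# cannot pile up behind a stuck one, and kills a run that exceeds a time
# budget. Paths and limits below are assumptions; adjust them for the host.

AIDE_BIN="${AIDE_BIN:-/usr/bin/aide}"            # from the post
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"        # assumed report location
LOCK_DIR="${LOCK_DIR:-/var/run/aide-check.lock}" # assumed lock path
MAIL_LINES="${MAIL_LINES:-200}"                  # lines of report to mail
TIME_LIMIT="${TIME_LIMIT:-7200}"                 # seconds before killing aide
MAILTO="${MAILTO:-root}"

# Deliver the summary read from stdin; redefine this to test without a mailer.
send_summary() {
    subject="$1"
    if command -v mail >/dev/null 2>&1; then
        mail -s "$subject" "$MAILTO"
    else
        cat >/dev/null
    fi
}

# Run one check. Return value: aide's own exit status (0 = nothing to
# report), 2 if a previous run still holds the lock, 124 if the time
# limit was hit (timeout(1)'s convention).
run_aide_check() {
    # mkdir is atomic, so it serves as a lock without needing flock(1).
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "aide check already running (lock $LOCK_DIR exists)" >&2
        return 2
    fi
    trap 'rmdir "$LOCK_DIR" 2>/dev/null' EXIT INT TERM

    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).log"

    # No pipe into mail: a dropped message can no longer keep aide from exiting.
    rc=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$TIME_LIMIT" "$AIDE_BIN" --check -V >"$report" 2>&1 || rc=$?
    else
        "$AIDE_BIN" --check -V >"$report" 2>&1 || rc=$?
    fi

    # Mail only the head of the report; the full text stays on disk.
    {
        head -n "$MAIL_LINES" "$report"
        printf '\n[full report: %s, %s lines, aide exit status %s]\n' \
            "$report" "$(wc -l <"$report")" "$rc"
    } | send_summary "Aide daily run (exit $rc)"

    rmdir "$LOCK_DIR" 2>/dev/null
    trap - EXIT INT TERM
    return "$rc"
}

# Constructed /etc/cron.d line that would replace the one in the post:
#   0 2 * * * root /usr/local/sbin/aide-check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_aide_check
fi
```

Run this way, the nightly integrity report is kept on disk even when the mail is dropped (the current pipeline discards it), a run that overstays its budget shows up as exit status 124 in the mailed subject rather than as a pile of processes in ps, and the lock means at most one aide is ever running. AIDE can also write its report to a file by itself with report_url=file:/var/log/aide/aide.log in aide.conf, and a lower verbose setting shrinks the report; on an integrity checker, though, the output worth cutting is the noise from paths that change every day (the ! and Logs2 entries in the config), not the findings someone should be reading.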