Setting up AIDE in Kali Linux.
Antarctica Starts Here. » Antarctica Starts Here. 2013-06-18
Summary:
Kali Linux (formerly Backtrack) is a distribution of Linux designed for penetration testers and information security professionals. I'll spare you the details - that's what Wikipedia is for - but I did want to post about a problem that I've been wrestling with for a couple of hours.
Kali Linux can be installed and operated like any other distribution of Linux, which means that you get all of the nifty and handy tools that you'd expect to have, like AIDE for monitoring the file system for unauthorized changes. Unfortunately, because Kali is based upon Debian, and Debian over-engineers a lot of things, there is a minor but annoying bug in the process used to construct the AIDE monitoring database in Kali Linux. On Debian machines, you're not supposed to interact with the AIDE executable directly, you're supposed to go through a wrapper script (/usr/bin/aide.wrapper), and in fact there is a second wrapper script which does nothing but create the AIDE database (/usr/bin/aideinit). So, when you run aideinit you will see the following error:
Running aide --init...
70:syntax error:1.0
70:Error while reading configuration:1.0
Configuration error
AIDE --init return code 17
This comes from a value that AIDE doesn't understand being put in the configuration file it's generating, vis a vis:
@@ifndef DEBIANVERSION
@@define DEBIANVERSION Debian/Kali Linux 1.0
@@endif
I'm not sure exactly why this makes AIDE error out, but after some tinkering (passing the option --verbose=255 to aideinit helped) I figured out how to fix it.
The fix is editing the /etc/aide/aide.conf.d/10_aide_distribution configuration file, which reads the contents of the /etc/debian_version file and puts it into a conditional directive of the /var/lib/aide/aide.conf.autogenerated configuration file (which the automated backend magick references) and comment that bit out. It doesn't break anything because it's used purely for bookkeeping purposes. The specific part you need to comment out is this:
if [ -e "/etc/debian_version" ]; then
echo "@@ifndef DEBIANVERSION"
echo "@@define DEBIANVERSION Debian/$(head -n 1 /etc/debian_version)"
echo "@@endif"
fi
Do that and run the aideinit utility as the root user. Sit back for a couple of minutes, and when it finishes you'll have a shiny new /var/lib/aide/aide.db.new file. Copy /var/lib/aide/aide.db.new to /var/lib/aide/aide.db and you should be good to go.