AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker..
Aide takes a "snapshot" of the state of the system, register hashes, modification times, and other data regarding the files defined by the administrator. This "snapshot" is used to build a database that is saved and may be stored on an external device for safekeeping.
When the administrator wants to run an integrity test, the administrator places the previously built database in an accessible place and commands Aide to compare the database against the real status of the system. Should a change have happened to the computer between the snapshot creation and the test, Aide will detect it and report it to the administrator. Alternatively, Aide can be configured to run on a schedule and report changes daily using scheduling technologies such as cron, which is the default behavior of the Debian Aide package.
To install AIDE follow the below instructions.
Step 1 - Use yum to install Aide# yum install aideStep 2 - Run aide help and verify aide version# aide -v
Aide 0.13.1
Compiled with the following options:
WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_LSTAT64
WITH_READDIR64
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"Step 3 - Initialize first aide databaseInitialize the first aide database by issuing the command “aide init” as shown.
# aide --initVerify that the new aide database has been created
# cd /var/lib/aide
# ls -lt
total 1488
-rw------- 1 root root 1520639 Dec 8 16:57 aide.db.new.gzThe initial aide database (aide.db.new.gz) must be renamed (aide.db.gz) in order for aide to work successfully.
Step 4 - Rename aide database using the mv command so that it can be used later# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# ls -lt
total 1488
-rw------- 1 root root 1520639 Dec 8 16:57 aide.db.gzStep 5 - Run the first aide --check without making any changes# aide --checkNext we will create a file in the /usr/sbin directory to test that aide can detect and report the change.
Step 6 - Create a new file as a test# touch /usr/sbin/mytestfile.txtStep 7 - Run aide check to detect new file# aide --checkOnce we have reviewed the changes detected by aide check, we likely do not want aide to report them again because these reports can get very long.
Step 8 - Create updated aide database to ignore previous changesNext you will create an updated aide database that ignores all previously made (and reviewed) changes.
# aide --updateThe new aide database is called aide.db.new.gz.
# ls -lt
total 2976
-rw------- 1 root root 1520708 Dec 8 17:13 aide.db.new.gz
-rw------- 1 root root 1520639 Dec 8 16:57 aide.db.gzThe next step is to rename the aide database again so that we are using the new version of the aide database to report only changes that occur from this point forward.
Step 9 - Use updated aide databaseIt is usually a good idea to save the old aide database by renaming it with a date so that you can trace back any changes.
# mv aide.db.gz aide.db.gz-Dec082013
# mv aide.db.new.gz aide.db.gzStep 10. Automate using cron and sendmailHere is a simple example of a script that can be run from crontab to automate the aide check and email the last 20 lines of the report.
#! /bin/sh
MYDATE`date +%Y-%m-%d`
MYFILENAME"Aide-"$MYDATE.txt
/bin/echo "Aide check !! `date`" > /tmp/$MYFILENAME
/usr/sbin/aide --check > /tmp/myAide.txt
/bin/cat /tmp/myAide.txt|/bin/grep -v failed >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
/usr/bin/tail -20 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAME
/bin/mail -s"$MYFILENAME `date`" bob.aiello@ieee.org < /tmp/$MYFILENAMEYou can also modify the /etc/aide.conf to configure advanced settings such as including or excluding specific directories.
