CentOS Stream 10

AIDE : Install
2025/01/03
 

Install and configure the host-based IDS (Intrusion Detection System) [AIDE] (Advanced Intrusion Detection Environment), which keeps a database of file attributes and checksums and reports files that differ from it.

[1] Install AIDE.
[root@dlp ~]#
dnf -y install aide
[2] Configure AIDE and initialize the database. AIDE works with the default config, but if you'd like to customize settings, edit the configuration file as follows.
[root@dlp ~]#
vi /etc/aide.conf
# line 27 : the attributes available for defining rules are described here

# These are the default rules.
#
#p:      permissions
#i:      inode:
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#acl:           Access Control Lists
#selinux        SELinux security context
#xattrs:        Extended file attributes
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256:        sha256 checksum
#sha512:        sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum
.....
.....

# initialize database

[root@dlp ~]#
aide --init

Start timestamp: 2025-01-03 09:58:47 +0900 (AIDE 0.18.6)
AIDE successfully initialized database.
New AIDE database written to /var/lib/aide/aide.db.new.gz

Number of entries:      56061

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
 MD5       : 2BrNIRp9abnzQYvw225hGg==
 SHA1      : aEBvOYrTDQAFXruTp8VI44GsLiI=
 SHA256    : 4hVpzwva9X5GiC+q6RQcCB5/j1yqreHt
             7kjGRX9IA2o=
 SHA512    : ZNqMSwbD0ajPCrIQxf9Yg+1w0QnhKDLY
             VjcpZ3O8Betts1QyGue57cWq2tI4+ymx
             wYfwlFy8nmkvA9u/eeN1Ag==
 RMD160    : 88yBrD0urLBUUapGpK3+2EaDjvw=


End timestamp: 2025-01-03 09:58:59 +0900 (run time: 0m 12s)

# copy the generated database to the master database that [aide --check] reads

[root@dlp ~]#
cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[3] Run checking.
[root@dlp ~]#
aide --check
# if nothing differs from the database, it reports [Looks okay]

Start timestamp: 2025-01-03 10:04:41 +0900 (AIDE 0.18.6)
AIDE found NO differences between database and filesystem. Looks okay!!

Number of entries:      56061

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz
 MD5       : GyTINo5u1lyxVLBoAEB5yA==
 SHA1      : R+u6XmMrUC6GSewaSBv9RV/9Wm4=
 SHA256    : rqRTQmUS25zSR7bCN4DF/TnIyTmHqO5N
             UOR7sa9JcNQ=
 SHA512    : UB3TRfHlxLK//7zCZON8Q544eCpnBeR9
             5NVoHl175wCd0/g8SzoICIIjQP0mTrc/
             fZWgg7VJ8TeJUYUzn2C8vA==
 RMD160    : dRx1mGFTnP5r+PRBSS0wwZCgei4=


End timestamp: 2025-01-03 10:05:17 +0900 (run time: 0m 36s)

# change a file's attributes and check again

[root@dlp ~]#
chmod 640 /root/anaconda-ks.cfg

[root@dlp ~]#
aide --check
# the differences are detected and reported as follows

Start timestamp: 2025-01-03 10:05:56 +0900 (AIDE 0.18.6)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      56061
  Added entries:                0
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Changed entries:
---------------------------------------------------

f = p.. .c...A.. : /root/anaconda-ks.cfg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /root/anaconda-ks.cfg
 Perm      : -rw-------                       | -rw-r-----
 Ctime     : 2024-12-14 18:35:49 +0900        | 2025-01-03 10:05:51 +0900
 ACL       : A: user::rw-                     | A: user::rw-
             A: group::---                    | A: group::r--
             A: other::---                    | A: other::---
.....
.....
[4] If the detected differences are expected and there is no problem, update the database as follows.
[root@dlp ~]#
aide --update
Start timestamp: 2025-01-03 10:07:42 +0900 (AIDE 0.18.6)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:      56061
  Added entries:                0
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Changed entries:
---------------------------------------------------

f = p.. .c...A.. : /root/anaconda-ks.cfg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /root/anaconda-ks.cfg
 Perm      : -rw-------                       | -rw-r-----
 Ctime     : 2024-12-14 18:35:49 +0900        | 2025-01-03 10:05:51 +0900
 ACL       : A: user::rw-                     | A: user::rw-
             A: group::---                    | A: group::r--
             A: other::---                    | A: other::---
.....
.....

# replace the master database with the newly generated one

[root@dlp ~]#
cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[5] Add a Cron job if you'd like to run the check regularly.
The log file [/var/log/aide/aide.log] is updated on every run (earlier results are not kept), so if you'd like to keep log files, create a shell script, send the results via email, or similar.
# for example, add a daily check to Crontab and send the results via email

[root@dlp ~]#
vi /etc/cron.d/aide
00 01 * * * root /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root
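A wrapper script of this shape, added here as an example and not part of AIDE or of the original page, runs the check, keeps a dated copy of each report and mails the result only when the exit status shows a change or an error. The archive directory, the MAIL_TO and AIDE_BIN variables, the install path /usr/local/sbin/aide-daily.sh and the "run" argument are assumptions of this script; only /usr/sbin/aide, the mail command and the database paths come from the page. It runs --check rather than --update so that the baseline database only changes when an administrator reviews the differences and copies aide.db.new.gz over aide.db.gz, as in step [4].

```shell
#!/bin/sh
# aide-daily.sh : run the AIDE check, archive a dated copy of the report and
# mail the result only when something changed or the run failed.
# Added example for this page, not part of AIDE. REPORT_DIR, MAIL_TO, the
# install path and the "run" argument are assumptions of this script.
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
REPORT_DIR="${REPORT_DIR:-/var/log/aide/reports}"   # assumed archive directory
MAIL_TO="${MAIL_TO:-root}"

# Print one counter from an AIDE "Summary:" block read on stdin, e.g.
#   summary_count Changed < report    ->  1
# Prints 0 when the report has no such line (a clean run prints no summary).
summary_count() {
    awk -v key="$1 entries:" '
        $0 ~ ("^ *" key " *[0-9]+$") { print $NF; found = 1; exit }
        END { if (!found) print 0 }'
}

# Map an aide exit status to a word for the mail subject. aide(1) documents
# 0 = no differences, 1/2/4 (OR-ed together) = added/removed/changed files,
# and values from 14 upward for configuration, I/O or version errors.
classify_status() {
    case "$1" in
        0)     echo clean ;;
        [1-7]) echo changes ;;
        *)     echo error ;;
    esac
}

# One-line digest of a saved report, suitable for a mail subject.
report_digest() {
    printf 'added=%s removed=%s changed=%s\n' \
        "$(summary_count Added < "$1")" \
        "$(summary_count Removed < "$1")" \
        "$(summary_count Changed < "$1")"
}

run_daily_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).log"
    # --check, not --update: the baseline only changes when an administrator
    # reviews the report and copies aide.db.new.gz over aide.db.gz by hand.
    if "$AIDE_BIN" --check > "$report" 2>&1; then rc=0; else rc=$?; fi
    status=$(classify_status "$rc")
    if [ "$status" != clean ]; then
        mail -s "AIDE $status on $(hostname): $(report_digest "$report") (exit $rc)" \
            "$MAIL_TO" < "$report"
    fi
    return "$rc"
}

# Crontab line for this script (assumed install path):
#   00 01 * * * root /usr/local/sbin/aide-daily.sh run
# The check only runs when "run" is given, so the file can also be sourced.
case "${1:-}" in
    run) run_daily_check ;;
esac
```

Every report stays under the archive directory with its timestamp, so a change found on Tuesday can still be compared with Monday's report after aide.log has been overwritten.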