AIDE : Install
2025/01/03
Install and configure the Host Based IDS (Intrusion Detection System) [AIDE] (Advanced Intrusion Detection Environment).

[1] Install AIDE.
[root@dlp ~]# dnf -y install aide
[2] Configure AIDE and initialize the database. AIDE works with the default configuration, but if you'd like to customize the settings, edit the configuration file as follows.
[root@dlp ~]# vi /etc/aide.conf
# line 27 : description of the attributes used in rules
# These are the default rules.
#
#p:      permissions
#i:      inode:
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#acl:           Access Control Lists
#selinux        SELinux security context
#xattrs:        Extended file attributes
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256:        sha256 checksum
#sha512:        sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum
.....
.....

# initialize the database
[root@dlp ~]# aide --init
Start timestamp: 2025-01-03 09:58:47 +0900 (AIDE 0.18.6)
AIDE successfully initialized database.
New AIDE database written to /var/lib/aide/aide.db.new.gz
Number of entries:      56061

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 2BrNIRp9abnzQYvw225hGg==
  SHA1     : aEBvOYrTDQAFXruTp8VI44GsLiI=
  SHA256   : 4hVpzwva9X5GiC+q6RQcCB5/j1yqreHt
             7kjGRX9IA2o=
  SHA512   : ZNqMSwbD0ajPCrIQxf9Yg+1w0QnhKDLY
             VjcpZ3O8Betts1QyGue57cWq2tI4+ymx
             wYfwlFy8nmkvA9u/eeN1Ag==
  RMD160   : 88yBrD0urLBUUapGpK3+2EaDjvw=

End timestamp: 2025-01-03 09:58:59 +0900 (run time: 0m 12s)

# copy the generated DB to the master DB
[root@dlp ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

[3] Run a check.
[root@dlp ~]# aide --check
# if nothing differs from the database, it shows [Looks okay]
Start timestamp: 2025-01-03 10:04:41 +0900 (AIDE 0.18.6)
AIDE found NO differences between database and filesystem. Looks okay!!

Number of entries:      56061

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz
  MD5      : GyTINo5u1lyxVLBoAEB5yA==
  SHA1     : R+u6XmMrUC6GSewaSBv9RV/9Wm4=
  SHA256   : rqRTQmUS25zSR7bCN4DF/TnIyTmHqO5N
             UOR7sa9JcNQ=
  SHA512   : UB3TRfHlxLK//7zCZON8Q544eCpnBeR9
             5NVoHl175wCd0/g8SzoICIIjQP0mTrc/
             fZWgg7VJ8TeJUYUzn2C8vA==
  RMD160   : dRx1mGFTnP5r+PRBSS0wwZCgei4=

End timestamp: 2025-01-03 10:05:17 +0900 (run time: 0m 36s)

# change a file and check again
[root@dlp ~]# chmod 640 /root/anaconda-ks.cfg
[root@dlp ~]# aide --check
# the difference is detected as follows
Start timestamp: 2025-01-03 10:05:56 +0900 (AIDE 0.18.6)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      56061
  Added entries:                0
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Changed entries:
---------------------------------------------------

f = p.. .c...A.. : /root/anaconda-ks.cfg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /root/anaconda-ks.cfg
  Perm     : -rw------- | -rw-r-----
  Ctime    : 2024-12-14 18:35:49 +0900 | 2025-01-03 10:05:51 +0900
  ACL      : A: user::rw- | A: user::rw-
             A: group::--- | A: group::r--
             A: other::--- | A: other::---
.....
.....
[4] If the detected differences are expected and there is no problem, update the database as follows.
[root@dlp ~]# aide --update
Start timestamp: 2025-01-03 10:07:42 +0900 (AIDE 0.18.6)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:      56061
  Added entries:                0
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Changed entries:
---------------------------------------------------

f = p.. .c...A.. : /root/anaconda-ks.cfg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /root/anaconda-ks.cfg
  Perm     : -rw------- | -rw-r-----
  Ctime    : 2024-12-14 18:35:49 +0900 | 2025-01-03 10:05:51 +0900
  ACL      : A: user::rw- | A: user::rw-
             A: group::--- | A: group::r--
             A: other::--- | A: other::---
.....
.....

# update the database
[root@dlp ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

[5] Add a Cron job if you'd like to check regularly. The log file [/var/log/aide/aide.log] is overwritten on every run, so if you'd like to keep the log files, create a shell script that saves them, or send the results via email or another channel.
# for example, add a daily check to Crontab and send the results via email
[root@dlp ~]# vi /etc/cron.d/aide
00 01 * * * root /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root
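As an added example (not part of the original page or of AIDE itself), the following script is one way to build the "shell script" step [5] mentions: it runs aide --check, keeps a dated copy of each report instead of letting /var/log/aide/aide.log be overwritten, and mails the report only when the AIDE exit status reports a difference or an error. Note that the cron line above runs --update, which writes aide.db.new.gz each night without replacing the master; this script uses --check so the master database changes only when you deliberately copy it as in step [4]. The paths, the mail recipient and the "run" argument are assumptions.

```shell
#!/bin/sh
# Added example: daily AIDE check with dated reports (not from the page).
# AIDE_BIN, LOG_DIR and MAIL_TO are assumed defaults; override via environment.
set -u

AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
LOG_DIR="${LOG_DIR:-/var/log/aide}"
MAIL_TO="${MAIL_TO:-root}"

# Translate AIDE's exit status into words. AIDE reports results as a bitmask:
# 1 = added entries, 2 = removed entries, 4 = changed entries (so 0..7 are
# combinations); anything above 7 is an error (for example an invalid config
# line), in which case the report must not be read as "nothing changed".
describe_aide_status() {
    rc="$1"
    parts=""
    if [ "$rc" -eq 0 ]; then
        echo "no differences (Looks okay)"
        return 0
    fi
    if [ "$rc" -gt 7 ]; then
        echo "aide error (exit $rc), report is not trustworthy"
        return 0
    fi
    [ $((rc & 1)) -ne 0 ] && parts="${parts}added "
    [ $((rc & 2)) -ne 0 ] && parts="${parts}removed "
    [ $((rc & 4)) -ne 0 ] && parts="${parts}changed "
    echo "differences: ${parts% }"
}

# Run the check, keep a dated report, and mail it only when something differs.
run_daily_check() {
    stamp="$(date +%Y%m%d-%H%M%S)"
    report="${LOG_DIR}/aide-check-${stamp}.log"
    "$AIDE_BIN" --check > "$report" 2>&1
    rc=$?
    summary="$(describe_aide_status "$rc")"
    if [ "$rc" -ne 0 ]; then
        mail -s "AIDE on $(hostname): ${summary}" "$MAIL_TO" < "$report"
    fi
    echo "$summary"
    return "$rc"
}

# Only run the check when invoked with the "run" argument (e.g. from cron),
# so the functions can also be sourced without side effects.
case "${1:-}" in
    run) run_daily_check ;;
esac
```

Invoke it from /etc/cron.d/aide as `/usr/local/sbin/aide-check.sh run` (path assumed) in place of the bare aide command, and the dated reports accumulate under /var/log/aide.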