AIDE : Install (2025/01/03)
Install and configure the Host Based IDS (Intrusion Detection System) [AIDE] (Advanced Intrusion Detection Environment).
[1] Install AIDE.
[root@dlp ~]# dnf -y install aide
[2] Configure AIDE and initialize the database. AIDE works with its default configuration, but if you'd like to customize settings, edit the configuration file as follows.
[root@dlp ~]# vi /etc/aide.conf
# line 27 : description of the attributes used in rules
# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
.....
.....

# initialize database
[root@dlp ~]# aide --init
Start timestamp: 2025-01-03 09:58:47 +0900 (AIDE 0.18.6)
AIDE successfully initialized database.
New AIDE database written to /var/lib/aide/aide.db.new.gz
Number of entries: 56061
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new.gz
MD5 : 2BrNIRp9abnzQYvw225hGg==
SHA1 : aEBvOYrTDQAFXruTp8VI44GsLiI=
SHA256 : 4hVpzwva9X5GiC+q6RQcCB5/j1yqreHt
7kjGRX9IA2o=
SHA512 : ZNqMSwbD0ajPCrIQxf9Yg+1w0QnhKDLY
VjcpZ3O8Betts1QyGue57cWq2tI4+ymx
wYfwlFy8nmkvA9u/eeN1Ag==
RMD160 : 88yBrD0urLBUUapGpK3+2EaDjvw=
End timestamp: 2025-01-03 09:58:59 +0900 (run time: 0m 12s)
# copy the generated DB to the master DB
[root@dlp ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
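As an added example (not taken from the original page or from the stock /etc/aide.conf), here is how the attributes listed in the comments above are combined into a rule and applied to paths. The rule name "StrictRule" and the chosen paths are assumptions; adjust them to the host.

```conf
# Added example, not from the original page: a custom rule built from the
# attributes documented in the comments of /etc/aide.conf.
# "StrictRule" is an assumed name; AIDE rule names are free-form.
# atime (a) is left out on purpose, since simply reading a file would
# otherwise show up as a change.
StrictRule = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512

# selection lines: a regex (implicitly anchored at the start of the path)
# followed by the rule to apply to everything it matches
/etc            StrictRule
/usr/sbin       StrictRule
/root           StrictRule

# paths whose contents change constantly are excluded with a leading "!"
!/etc/mtab
!/var/log/.*
```

Validate the edited file with `aide --config-check` before running `aide --init`; a syntax error in a selection line otherwise surfaces only when the database is built.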
[3] Run a check.
[root@dlp ~]# aide --check
# if there are no mismatches, it displays [Looks okay]
Start timestamp: 2025-01-03 10:04:41 +0900 (AIDE 0.18.6)
AIDE found NO differences between database and filesystem. Looks okay!!
Number of entries: 56061
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz
MD5 : GyTINo5u1lyxVLBoAEB5yA==
SHA1 : R+u6XmMrUC6GSewaSBv9RV/9Wm4=
SHA256 : rqRTQmUS25zSR7bCN4DF/TnIyTmHqO5N
UOR7sa9JcNQ=
SHA512 : UB3TRfHlxLK//7zCZON8Q544eCpnBeR9
5NVoHl175wCd0/g8SzoICIIjQP0mTrc/
fZWgg7VJ8TeJUYUzn2C8vA==
RMD160 : dRx1mGFTnP5r+PRBSS0wwZCgei4=
End timestamp: 2025-01-03 10:05:17 +0900 (run time: 0m 36s)
# try changing a file and check again
[root@dlp ~]# chmod 640 /root/anaconda-ks.cfg
[root@dlp ~]# aide --check
# the differences are detected as follows
Start timestamp: 2025-01-03 10:05:56 +0900 (AIDE 0.18.6)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 56061
Added entries: 0
Removed entries: 0
Changed entries: 1
---------------------------------------------------
Changed entries:
---------------------------------------------------
f = p.. .c...A.. : /root/anaconda-ks.cfg
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /root/anaconda-ks.cfg
Perm : -rw------- | -rw-r-----
Ctime : 2024-12-14 18:35:49 +0900 | 2025-01-03 10:05:51 +0900
ACL : A: user::rw- | A: user::rw-
A: group::--- | A: group::r--
A: other::--- | A: other::---
.....
.....
[4] If the detected differences are expected and not a problem, update the database as follows.
[root@dlp ~]# aide --update
Start timestamp: 2025-01-03 10:07:42 +0900 (AIDE 0.18.6)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz
Summary:
Total number of entries: 56061
Added entries: 0
Removed entries: 0
Changed entries: 1
---------------------------------------------------
Changed entries:
---------------------------------------------------
f = p.. .c...A.. : /root/anaconda-ks.cfg
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /root/anaconda-ks.cfg
Perm : -rw------- | -rw-r-----
Ctime : 2024-12-14 18:35:49 +0900 | 2025-01-03 10:05:51 +0900
ACL : A: user::rw- | A: user::rw-
A: group::--- | A: group::r--
A: other::--- | A: other::---
.....
.....
# update the master database
[root@dlp ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[5] Add a Cron job if you'd like to check regularly. The log file [/var/log/aide/aide.log] is overwritten on every run, so if you'd like to keep the results, create a shell script that saves them, send them via email, or similar.
# for example, add a daily check in Crontab and send the results via email
[root@dlp ~]# vi /etc/cron.d/aide
00 01 * * * root /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root
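As an added example (not from the original page or the AIDE project), the following wrapper script does what step [5] describes: it keeps a timestamped copy of each report instead of letting /var/log/aide/aide.log be overwritten, decodes AIDE's exit status (AIDE returns a bit mask: 1 for new entries, 2 for removed, 4 for changed; 14 and above signal an error such as a missing database or a configuration problem), and mails the report to root only when something differs. The log directory, the mail recipient and the script path /usr/local/sbin/aide-daily.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: daily AIDE check wrapper.
# Assumed locations: reports are archived under AIDE_LOG_DIR, mail goes to root.
AIDE_LOG_DIR=${AIDE_LOG_DIR:-/var/log/aide}

# Translate AIDE's exit status into words. The status is a bit mask
# (1 = added, 2 = removed, 4 = changed); 14 and above are error codes.
decode_aide_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "no differences"
        return 0
    fi
    if [ "$status" -ge 14 ]; then
        echo "error (exit status $status)"
        return 0
    fi
    out=""
    [ $((status & 1)) -ne 0 ] && out="${out}added "
    [ $((status & 2)) -ne 0 ] && out="${out}removed "
    [ $((status & 4)) -ne 0 ] && out="${out}changed "
    echo "${out% }"
}

# Build the archive file name from a timestamp so each run keeps its own report.
# $1 = log directory, $2 = timestamp (YYYYmmdd-HHMM)
report_path() {
    printf '%s/aide-%s.log\n' "$1" "$2"
}

# Run the check, archive the full report, and mail it only when AIDE found
# differences or failed. The exit status of aide is passed through so cron
# (or a monitoring agent) can see it too.
run_daily_check() {
    stamp=$(date +%Y%m%d-%H%M)
    report=$(report_path "$AIDE_LOG_DIR" "$stamp")
    mkdir -p "$AIDE_LOG_DIR"
    status=0
    /usr/sbin/aide --check > "$report" 2>&1 || status=$?
    summary=$(decode_aide_status "$status")
    if [ "$status" -ne 0 ]; then
        mail -s "AIDE on $(hostname): $summary" root < "$report"
    fi
    return "$status"
}

# Only perform the check when invoked as "aide-daily.sh run", so the
# functions above can also be sourced and exercised without touching AIDE.
case "${1:-}" in
    run) run_daily_check ;;
esac
```

Install it as /usr/local/sbin/aide-daily.sh (mode 0700, owned by root) and point the cron line at `/usr/local/sbin/aide-daily.sh run` instead of the bare `aide --update`. Note that `aide --check` only compares; it never writes a new database, so the baseline in /var/lib/aide/aide.db.gz changes only when an administrator reviews the report and copies the new database as in step [4]. The cron line on the page uses `--update`, which additionally writes /var/lib/aide/aide.db.new.gz on every run but likewise leaves the master database untouched.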