
AIDE : Host Based IDS (2021/09/29)

 
Install and configure Host Based IDS (Intrusion Detection System) [AIDE] (Advanced Intrusion Detection Environment).
[1] Install AIDE.
root@dlp:~#
apt -y install aide
[2] Configure AIDE and initialize the database. AIDE can be used with its default settings, but if you would like to customize them, edit the configuration file as follows. See [man aide.conf] for details of the rule syntax.
root@dlp:~#
vi /etc/default/aide
# line 8 : if you do not want the daily Cron job, comment out this line or set it to [no]

#CRON_DAILY_RUN=yes
root@dlp:~#
vi /etc/aide/aide.conf
# add to the end : list directories to exclude from the check if you need to

!/var/log
# initialize database

root@dlp:~#
aide --init --config /etc/aide/aide.conf

Start timestamp: 2021-09-29 11:46:16 +0900 (AIDE 0.17.3)
AIDE initialized database at /var/lib/aide/aide.db.new

Number of entries:      60348

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new
 SHA256    : keqGXwfYXPRH7T6f5Bg4G5d9NospEMml
             Pd/ffXEPBcI=
 SHA512    : BCM4g241I9eTn8fJEosFegosLFiDNKT2
             /Vd18n8zS28lRAgkSVYwlC+1BFpMEGys
             SrHva7FdrIRvmpxBbQ6yFw==
 RMD160    : /QOh/U5fACDwYHIz/sL4kAnt6Nc=
 TIGER     : NJQ57tlVM3t/PvQFvoUzzVnWiEXDuNut
 CRC32     : ABSl7w==
 HAVAL     : G1MC+Lkor9sHJSREYa34QXzmzhyinJ6b
             RoruRWogdlM=
 WHIRLPOOL : ujY6bMHVMFkggmyTaWlKnAKTJoPODJM/
             iheCSiymzuSZn6ExK8DKq7IlJ1AzT+Bv
             z3NHscmYHsp/jZEY5URtbg==
 GOST      : 8g+gWS5EHCymtIlCjaXzoo3DGa7SPP3E
             H+agoHn90fE=


End timestamp: 2021-09-29 11:48:00 +0900 (run time: 1m 44s)

# copy generated DB to master DB

root@dlp:~#
cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
[3] Run a check.
root@dlp:~#
aide --check --config /etc/aide/aide.conf
# if there are no mismatches, it displays [*** Looks okay]

AIDE found NO differences between database and filesystem. Looks okay!!

Number of entries:      60348

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
 SHA256    : keqGXwfYXPRH7T6f5Bg4G5d9NospEMml
             Pd/ffXEPBcI=
 SHA512    : BCM4g241I9eTn8fJEosFegosLFiDNKT2
             /Vd18n8zS28lRAgkSVYwlC+1BFpMEGys
             SrHva7FdrIRvmpxBbQ6yFw==
 RMD160    : /QOh/U5fACDwYHIz/sL4kAnt6Nc=
 TIGER     : NJQ57tlVM3t/PvQFvoUzzVnWiEXDuNut
 CRC32     : ABSl7w==
 HAVAL     : G1MC+Lkor9sHJSREYa34QXzmzhyinJ6b
             RoruRWogdlM=
 WHIRLPOOL : ujY6bMHVMFkggmyTaWlKnAKTJoPODJM/
             iheCSiymzuSZn6ExK8DKq7IlJ1AzT+Bv
             z3NHscmYHsp/jZEY5URtbg==
 GOST      : 8g+gWS5EHCymtIlCjaXzoo3DGa7SPP3E
             H+agoHn90fE=


End timestamp: 2021-09-29 11:51:17 +0900 (run time: 2m 37s)

# try to change a file and check again

root@dlp:~#
touch /root/test.txt

root@dlp:~#
aide --check --config /etc/aide/aide.conf
# the differences are reported as follows

Start timestamp: 2021-09-29 11:52:25 +0900 (AIDE 0.17.3)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      60349
  Added entries:                1
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Added entries:
---------------------------------------------------

f+++++++++++++++++: /root/test.txt

---------------------------------------------------
Changed entries:
---------------------------------------------------

d =.... mc.. .. . : /root

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /root
 Mtime     : 2021-09-29 11:46:06 +0900        | 2021-09-29 11:51:54 +0900
 Ctime     : 2021-09-29 11:46:06 +0900        | 2021-09-29 11:51:54 +0900
.....
.....
[4] If differences are detected but every reported change is one you expect, update the database as follows. Review each entry first: the updated database becomes the new baseline, so any unexplained change accepted here will no longer be reported.
root@dlp:~#
aide --update --config /etc/aide/aide.conf
Start timestamp: 2021-09-29 12:00:38 +0900 (AIDE 0.17.3)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new

Summary:
  Total number of entries:      60349
  Added entries:                1
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Added entries:
---------------------------------------------------

f+++++++++++++++++: /root/test.txt

---------------------------------------------------
Changed entries:
---------------------------------------------------

d =.... mc.. .. . : /root

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /root
 Mtime     : 2021-09-29 11:46:06 +0900        | 2021-09-29 11:51:54 +0900
 Ctime     : 2021-09-29 11:46:06 +0900        | 2021-09-29 11:51:54 +0900

.....
.....

# update databaseć–°

root@dlp:~#
cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db