Setup AIDE on Rocky
Advanced Intrusion Detection Environment (AIDE) is a host-based intrusion detection system (HIDS) that checks the integrity of files. On initialization, AIDE creates a database in /var/lib/aide based on the files and rules specified in /etc/aide.conf.
Install AIDE #
yum install aide -y
Initialize the Database #
[root@rockylab ~]# aide --init
Start timestamp: 2022-01-03 10:20:41 +0400 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz
Number of entries: 62898
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new.gz
MD5 : dJYY/FcIsWU4w1MEPC5oMw==
SHA1 : rBAxvq0PjaPVCLKM9EDvl3K0ONQ=
RMD160 : zR4K2EN1V09rsqpAI3I0EFE5JlY=
TIGER : PeS4nVVTi5KtjiK6eBbvgnBZDHL4Ntxi
SHA256 : wbqqP/CaF/Z3cwmFGLLmJY+l29bYIT91lF8txR1dU2c=
SHA512 : /nc1hv+paly2bLzlhT0W6py9Ra+HX8tcRAk/x0kSfFDOlBqDd59717fZ3ryFef/daTBkV8zP1ixnn/lKonk9LA==
End timestamp: 2022-01-03 10:22:21 +0400 (run time: 1m 40s)
[root@rockylab ~]#
[root@rockylab ~]# ls -lh /var/lib/aide/aide.db.new.gz
-rw-------. 1 root root 3.6M Jan 3 10:22 /var/lib/aide/aide.db.new.gz
Rename the database #
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Create a new file and run a check on the database #
Create an empty file in /usr/bin and run a check:
[root@rockylab ~]# touch /usr/bin/testbin
[root@rockylab ~]# aide --check
Start timestamp: 2022-01-03 10:31:42 +0400 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 62899
Added entries: 1
Removed entries: 0
Changed entries: 1
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /usr/bin/testbin
----REDACTED---
The f+++... line below Added entries tells you that the new entry is a file. AIDE detects the change because /usr has a rule in the configuration file:
/boot CONTENT_EX
/opt CONTENT
/root/\..* PERMS
/root CONTENT_EX
/usr CONTENT_EX
---REDACTED---
Update the database #
If you’re aware of the changes, update the database:
[root@rockylab ~]# aide --update
Start timestamp: 2022-01-03 10:39:13 +0400 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz
Summary:
Total number of entries: 62899
Added entries: 1
Removed entries: 0
Changed entries: 1
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /usr/bin/testbin
----REDACTED---
Once the database is updated, a new one is created with the new changes. You can keep the old one for comparison or just remove it and use the new one:
[root@rockylab aide]# ls
aide.db.gz aide.db.new.gz
[root@rockylab aide]# rm -f aide.db.gz
[root@rockylab aide]# mv aide.db.new.gz aide.db.gz
Changing permission #
Allow everyone to execute /usr/bin/testbin:
[root@rockylab ~]# chmod a=x /usr/bin/testbin
After a check, you'll notice f p.. ..A.. below Changed entries. This tells you that the file's permissions (p) and ACL (A) were modified; the detailed section shows the old and new permission flags and which ACL entries changed:
[root@rockylab aide]# aide --check
Start timestamp: 2022-01-13 09:10:52 +0400 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 62902
Added entries: 0
Removed entries: 0
Changed entries: 2
---------------------------------------------------
Changed entries:
---------------------------------------------------
f p.. ..A.. : /usr/bin/testbin
f C : /var/spool/anacron/cron.daily
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /usr/bin/testbin
Perm : -rwxr-xr-x | ---x--x--x
ACL : A: user::rwx | A: user::--x
A: group::r-x | A: group::--x
A: other::r-x | A: other::--x
Useful Commands and tips #
- Each time you update the database you have to rename it. Write a script to do it.
- Database comparison with --compare. Both databases should be defined in the configuration file.
- Create a report with --report. E.g. aide --report=report-dd-mm-yy.
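A script for the first tip, as an added example (not from the original post): it runs aide --update, keeps the report, and promotes aide.db.new.gz to aide.db.gz while keeping the previous database under a timestamped name so it is still available for a later --compare. AIDE_DIR, REPORT_DIR, the --run flag and the treatment of exit codes of 8 and above as errors are this example's own assumptions, not AIDE documentation.

```sh
#!/bin/sh
# Added example (not from the page): accept the current changes with
# "aide --update", keep the report, and rotate the database as the text
# describes, keeping the previous copy so it can still be used with --compare.
# Assumptions: AIDE_DIR and REPORT_DIR are placeholders you set for your host;
# AIDE exit codes of 8 or more are treated as errors (0-7 mean "changes found").

AIDE_DIR="${AIDE_DIR:-/var/lib/aide}"
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"

# rotate_aide_db DIR: make DIR/aide.db.new.gz the active DIR/aide.db.gz.
# The old database is kept as aide.db.gz.<timestamp> instead of being deleted.
# Returns 1 (and changes nothing) when there is no new database to promote.
rotate_aide_db() {
    dir="$1"
    if [ ! -f "$dir/aide.db.new.gz" ]; then
        echo "rotate_aide_db: no $dir/aide.db.new.gz to promote" >&2
        return 1
    fi
    if [ -f "$dir/aide.db.gz" ]; then
        mv "$dir/aide.db.gz" "$dir/aide.db.gz.$(date +%Y%m%d-%H%M%S)"
    fi
    mv "$dir/aide.db.new.gz" "$dir/aide.db.gz"
    chmod 0600 "$dir/aide.db.gz"    # same mode aide --init gave it (-rw-------)
}

# aide_update_and_rotate: run the update, save the report, then promote the
# new database. A status of 8 or more is treated as an AIDE error rather than
# a finding, so the database is left untouched in that case.
aide_update_and_rotate() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-update-$(date +%Y%m%d-%H%M%S).txt"
    if aide --update >"$report" 2>&1; then status=0; else status=$?; fi
    if [ "$status" -ge 8 ]; then
        echo "aide --update failed with status $status, see $report" >&2
        return "$status"
    fi
    echo "aide --update finished with status $status, report in $report"
    rotate_aide_db "$AIDE_DIR"
}

# Only run the update when invoked as "sh aide-rotate.sh --run", so the
# functions can also be sourced from other scripts without side effects.
[ "${1:-}" = "--run" ] && aide_update_and_rotate
```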