Chapter 7. Checking integrity with AIDE
Advanced Intrusion Detection Environment (AIDE) is a utility that creates a database of files on the system, and then uses that database to ensure file integrity and detect system intrusions.
7.1. Installing AIDE
The following steps are necessary to install AIDE and to initiate its database.
Prerequisites
- The AppStream repository is enabled.
Procedure
- To install the aide package:
# yum install aide
- To generate an initial database:
# aide --init
Note: In the default configuration, the aide --init command checks just a set of directories and files defined in the /etc/aide.conf file. To include additional directories or files in the AIDE database, and to change their watched parameters, edit /etc/aide.conf accordingly.
- To start using the database, remove the .new substring from the initial database file name:
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
- To change the location of the AIDE database, edit the /etc/aide.conf file and modify the DBDIR value. For additional security, store the database, configuration, and the /usr/sbin/aide binary file in a secure location such as read-only media.
7.2. Performing integrity checks with AIDE
Prerequisites
- AIDE is properly installed and its database is initialized. See Section 7.1, “Installing AIDE”.
Procedure
To initiate a manual check:
# aide --check

Start timestamp: 2018-07-11 12:41:20 +0200 (AIDE 0.16)
AIDE found differences between database and filesystem!!
...
[trimmed for clarity]
At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. For example, to schedule a daily execution of AIDE at 04:05 a.m. using the cron command, add the following line to the /etc/crontab file:
05 4 * * * root /usr/sbin/aide --check
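The crontab line above leaves AIDE's findings only in root's cron mail. Below is an added example, not from the Red Hat documentation, of a small POSIX shell wrapper that a cron entry can call instead: it runs aide --check, keeps the full report in a log file, decodes AIDE's bitmask exit status (1 = new files, 2 = removed files, 4 = changed files, 14 and above = AIDE error) into a one-line verdict, and sends that line to syslog with logger while preserving the original exit status. The script path /usr/local/sbin/aide-check.sh, the AIDE_LOG location, and the function names are this example's own assumptions, not part of the AIDE package.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: a wrapper around the
# scheduled "aide --check" that decodes AIDE's exit status and logs a one-line
# verdict, so a cron job leaves a record even when nobody reads cron mail.
# AIDE's exit status is a bitmask: 1 = new files, 2 = removed files,
# 4 = changed files; 0 means the filesystem matches the database; 14 and above
# signal an AIDE error (for example, an unreadable database or a bad config).
# Assumptions (not from the page): the wrapper is installed as
# /usr/local/sbin/aide-check.sh, and AIDE_LOG is a path of this example's choosing.
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
AIDE_LOG="${AIDE_LOG:-/var/log/aide/last-check.log}"

# describe_aide_status CODE: print a human-readable verdict for an exit status.
describe_aide_status() {
    code="$1"
    if [ "$code" -eq 0 ]; then
        echo "clean: filesystem matches the AIDE database"
        return 0
    fi
    if [ "$code" -ge 14 ]; then
        echo "error: aide exited with status $code (check the database and /etc/aide.conf)"
        return 0
    fi
    # Decode the bitmask with POSIX arithmetic (no bash-only features).
    findings=""
    [ $((code & 1)) -ne 0 ] && findings="${findings} new-files"
    [ $((code & 2)) -ne 0 ] && findings="${findings} removed-files"
    [ $((code & 4)) -ne 0 ] && findings="${findings} changed-files"
    echo "differences found:${findings}"
}

# run_aide_check: run the check, keep the full report in AIDE_LOG, log the
# verdict to syslog when logger is available, and propagate AIDE's status so
# cron still sees a non-zero exit on findings.
run_aide_check() {
    "$AIDE_BIN" --check > "$AIDE_LOG" 2>&1
    status=$?
    verdict=$(describe_aide_status "$status")
    if [ "$status" -eq 0 ]; then prio=auth.info; else prio=auth.warning; fi
    if command -v logger > /dev/null 2>&1; then
        logger -t aide-check -p "$prio" "$verdict (exit $status, report in $AIDE_LOG)" \
            || echo "warning: could not write the verdict to syslog" >&2
    fi
    echo "$verdict"
    return "$status"
}

# Run the check only when executed as the installed script, so the functions
# can also be sourced from another script without side effects.
case "$0" in
    *aide-check.sh) run_aide_check ;;
esac
```

With the script installed, the crontab line becomes `05 4 * * * root /usr/local/sbin/aide-check.sh`; because the wrapper returns AIDE's own status, cron mail still arrives on findings, and the journal gets a greppable summary either way.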
7.3. Updating an AIDE database
After verifying the changes to your system, such as package updates or configuration file adjustments, updating your baseline AIDE database is recommended.
Prerequisites
- AIDE is properly installed and its database is initialized. See Section 7.1, “Installing AIDE”.
Procedure
- Update your baseline AIDE database:
# aide --update
The aide --update command creates the /var/lib/aide/aide.db.new.gz database file.
- To start using the updated database for integrity checks, remove the .new substring from the file name.
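The rename step (aide.db.new.gz to aide.db.gz) is the same after aide --init and after aide --update, and it is where a changed DBDIR or a missing file silently leaves the old baseline in place. The following is an added example, not part of the Red Hat documentation, covering both Section 7.1 and Section 7.3: it resolves the database paths from /etc/aide.conf instead of hard-coding /var/lib/aide, activates the new database, keeps the previous baseline, and records a SHA-256 of the activated file so that a copy kept on read-only media can be compared against the live database before a scheduled check. Note that aide --update performs the same comparison as aide --check before it writes the new database, so its report should be reviewed before the new database is activated. The function names and the .prev and .sha256 suffixes are this example's assumptions; the @@define DBDIR / @@{DBDIR} configuration form is the RHEL default.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation; it serves both
# Section 7.1 (initial database) and Section 7.3 (updated database).
# Instead of hard-coding /var/lib/aide, it reads the database paths from the
# configuration (so a changed DBDIR is honoured), moves aide.db.new.gz into
# place, and records a SHA-256 of the activated baseline that can be copied to
# read-only media and compared later.
# Assumptions: the configuration uses "@@define DBDIR ..." with "@@{DBDIR}" in
# file: URLs, as the RHEL default does; the helper names are this example's own.

# aide_conf_value CONF KEY: print the value of "KEY=..." with the file: scheme
# stripped and @@{DBDIR} expanded; prints nothing if KEY is not set.
aide_conf_value() {
    conf="$1"; key="$2"
    dbdir=$(sed -n 's/^[[:space:]]*@@define[[:space:]]\{1,\}DBDIR[[:space:]]\{1,\}//p' "$conf" | tail -n 1)
    val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" | tail -n 1)
    val=${val#file:}
    printf '%s\n' "$val" | sed "s|@@{DBDIR}|${dbdir}|g"
}

# aide_db_path CONF: path of the database AIDE reads. Newer AIDE releases
# accept the key database_in; AIDE 0.16, as on the page, uses database.
aide_db_path() {
    path=$(aide_conf_value "$1" database_in)
    [ -n "$path" ] || path=$(aide_conf_value "$1" database)
    printf '%s\n' "$path"
}

# aide_activate_db CONF: rename the freshly written database to the active
# name, keep the previous baseline as .prev, and record a SHA-256 of the new
# baseline next to it (copy that .sha256 file somewhere the host cannot alter).
aide_activate_db() {
    new=$(aide_conf_value "$1" database_out)
    cur=$(aide_db_path "$1")
    if [ ! -f "$new" ]; then
        echo "no new database at ${new:-<unset>}; run aide --init or aide --update first" >&2
        return 1
    fi
    [ -f "$cur" ] && mv -f "$cur" "$cur.prev"
    mv -f "$new" "$cur"
    sha256sum "$cur" > "$cur.sha256"
    printf '%s\n' "$cur"
}

# aide_verify_db CONF: succeed only if the active database still matches the
# hash recorded at activation; run it before a scheduled check.
aide_verify_db() {
    cur=$(aide_db_path "$1")
    sha256sum -c --status "$cur.sha256"
}
```

Run `aide_activate_db /etc/aide.conf` as root after aide --init or aide --update, and `aide_verify_db /etc/aide.conf` before each scheduled check; a verification failure means the baseline itself changed and the check's result cannot be trusted until the database is restored from the protected copy.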