AIDE (Advanced Intrusion Detection Environment) setup
AIDE is a host-based file and directory integrity checker, similar to Tripwire. During initialization it takes a snapshot of file attributes and stores it in a database. What AIDE monitors is defined by user-written rules in its configuration, where the admin specifies which directories and files to watch. The snapshot is essentially a message digest of each file together with the file or directory metadata returned by the stat command. Once AIDE is initialized, it can detect subsequent changes and alert the admin to them. AIDE can be scheduled to run regularly, for instance via a cron job.
yum list aide
yum install aide
Create the AIDE DB – it stores a snapshot of the file and directory stats gathered by scanning the monitored resources. The init step writes a new database next to the live one, which then has to be moved into place:
$ /usr/sbin/aide --init
$ mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To minimize false positives caused by prelink rewriting binaries – set PRELINKING=no in /etc/sysconfig/prelink and run /usr/sbin/prelink -ua (undo prelinking on all binaries) to restore the binaries to their un-prelinked state.
Scheduled integrity checks
Add a cron job to check file integrity, say every morning at 8 AM. Entries in /etc/crontab need a user field before the command, so the job is run as root –
echo '0 8 * * * root /usr/sbin/aide --check' >> /etc/crontab
Updating the DB after making intentional changes, or after verifying the changes reported by a check – this writes a fresh aide.db.new.gz, which again has to be moved over aide.db.gz as in the initialization step:
$ aide -c /etc/aide.conf --update
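To show what the init / check / update cycle above actually does under the hood, here is a miniature integrity checker written for this page (not AIDE's own code, and not its database format). It records a SHA-256 digest plus the stat fields of every regular file under a directory as the baseline, then rescans and reports added, removed and changed files. The names init_db, check_db, update_db and snapshot are hypothetical; it assumes GNU coreutils (sha256sum and stat -c) as found on a yum-based system.

```shell
#!/bin/sh
# Miniature integrity checker in the spirit of AIDE (added example, not AIDE's
# code or on-disk database format). Assumes GNU coreutils: sha256sum, stat -c.
# Usage:  sh integrity.sh init   DIR DBFILE   # take the baseline snapshot
#         sh integrity.sh check  DIR DBFILE   # report added/removed/changed files
#         sh integrity.sh update DIR DBFILE   # accept the current state as baseline

# One record per regular file: path|sha256|mode|uid|gid|size|mtime
# (paths containing '|' or newlines are not supported by this toy format)
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum -- "$f" | cut -d' ' -f1)
        printf '%s|%s|%s\n' "$f" "$sum" "$(stat -c '%a|%u|%g|%s|%Y' -- "$f")"
    done
}

# init_db DIR DBFILE: write the baseline (the equivalent of aide --init plus the mv)
init_db() {
    snapshot "$1" > "$2"
}

# check_db DIR DBFILE: rescan and diff against the baseline (aide --check).
# Prints one line per difference; returns 0 when nothing changed, 1 otherwise.
check_db() {
    cur=$(mktemp) || return 2
    snapshot "$1" > "$cur"
    # The 'if' keeps a non-zero awk exit from tripping 'set -e' in callers.
    if awk -F'|' '
        BEGIN { bad = 0 }
        FILENAME == ARGV[1] { base[$1] = $0; next }      # baseline records
        {                                                 # current records
            if (!($1 in base))       { print "added:   " $1; bad = 1 }
            else if (base[$1] != $0) { print "changed: " $1; bad = 1 }
            seen[$1] = 1
        }
        END {
            for (p in base) if (!(p in seen)) { print "removed: " p; bad = 1 }
            exit bad
        }' "$2" "$cur"; then rc=0; else rc=$?; fi
    rm -f "$cur"
    return $rc
}

# update_db DIR DBFILE: accept the reviewed changes as the new baseline
# (aide --update followed by moving aide.db.new.gz over aide.db.gz)
update_db() {
    init_db "$1" "$2"
}

# Command-line entry point; does nothing when sourced without arguments.
case "${1:-}" in
    init)   init_db "$2" "$3" ;;
    check)  check_db "$2" "$3" ;;
    update) update_db "$2" "$3" ;;
esac
```

Because the baseline includes mode, owner, size and mtime as well as the digest, a permission or ownership change on an unchanged file is still reported, which is the same reason the real AIDE rules select a set of stat attributes per path. Keeping the database somewhere the monitored host cannot silently rewrite it (or at least outside the scanned tree) is what makes the check meaningful.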