AIDE - Advanced Intrusion Detection Environment in Fedora
My test platform: Fedora Server 29
AIDE is a program for checking the integrity of files and directories. It creates a database of the files on the system, and then uses that database to verify file integrity and detect system intrusions.
Requirements: a user with root privileges, or a non-root user with sudo privileges.
Installation
$ sudo dnf update -y
$ sudo dnf install aide -y
After the installation completes, you need to create the initial AIDE database, which is a snapshot of the system in a known-good state. This database acts as the yardstick against which all subsequent updates and changes are measured. The default AIDE configuration checks the set of directories and files defined in /etc/aide.conf. Edit this file to add more files and directories for AIDE to watch.
$ sudo aide --init
To start using the database, remove the .new from the initial database file name.
$ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To protect the AIDE database, you can change its default location by editing the configuration file and modifying the DBDIR value. For additional security, store the database and the configuration file in a secure location. You can increase security further by signing the configuration and/or the database.
[...]
@@define DBDIR /path/to/secret/db/location
[...]
To manually scan the system, run the following command:
$ sudo aide --check
To use AIDE effectively, configure it to run as a cron job that performs scheduled scans, at least weekly and ideally daily. Example (a crontab entry with a user field, as in /etc/crontab):
00 00 * * * root /usr/sbin/aide --check
After confirming that the changes to your system, such as package updates or configuration file modifications, are expected, update your baseline AIDE database with the following command:
$ sudo aide --update
The aide --update command creates a new database file, /var/lib/aide/aide.db.new.gz. To use it for future scans, rename it as shown before (remove the .new substring from the file name).
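The scheduled check above only reports into cron's mail; a wrapper script, added here as an example and not part of the original article, runs the check, decodes AIDE's exit status as documented in aide(1) (0 = no changes, bits 1/2/4 = new/removed/changed files, 14 and above = AIDE failed), archives the report and logs a one-line summary to syslog. It also catches the common mistake of never renaming aide.db.new.gz to aide.db.gz. The report directory /var/log/aide and the script name aide-cron.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): cron wrapper for "aide --check".
# AIDE and DB paths are the Fedora defaults used in the article; REPORT_DIR is an assumption.
AIDE=/usr/sbin/aide
DB=/var/lib/aide/aide.db.gz
REPORT_DIR=/var/log/aide

# Decode AIDE's exit status (see aide(1)): 0 = no changes; bits 1/2/4 = new/removed/
# changed files; 14 and above = AIDE itself failed (bad config, missing database, ...).
# Prints a summary; returns 0 (clean), 1 (changes detected), 2 (AIDE error).
describe_status() {
    rc=$1
    if [ "$rc" -eq 0 ]; then
        echo "no changes"
        return 0
    elif [ "$rc" -ge 14 ]; then
        echo "aide error (exit $rc)"
        return 2
    fi
    msg=""
    [ $((rc & 1)) -ne 0 ] && msg="${msg}new "
    [ $((rc & 2)) -ne 0 ] && msg="${msg}removed "
    [ $((rc & 4)) -ne 0 ] && msg="${msg}changed "
    echo "files ${msg% }"     # ${msg% } drops the trailing space
    return 1
}

# Run the check, keep the full report on disk, and log a one-line summary via syslog.
run_check() {
    if [ ! -r "$DB" ]; then
        # Typical cause: aide.db.new.gz was created by --init/--update but never renamed.
        logger -t aide -p auth.err "database $DB missing; run aide --init and rename the .new file"
        return 2
    fi
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).log"
    "$AIDE" --check >"$report" 2>&1
    rc=$?
    summary=$(describe_status "$rc")
    status=$?                 # 0 clean, 1 changes, 2 error (from describe_status)
    logger -t aide -p auth.notice "check finished: $summary (report: $report)"
    return "$status"
}

# Only run the check when invoked as "aide-cron.sh check", so the file can also be sourced.
[ "${1:-}" = "check" ] && run_check
```

Replace the cron command with `/usr/local/sbin/aide-cron.sh check` (path assumed) and alert on the `auth.notice` line whose summary is not "no changes".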