AIDE - Advanced Intrusion Detection Environment in Fedora

2019-10-04 System @JS

My test platform: Fedora Server 29

AIDE is a program for checking the integrity of files and directories. It creates a database of the files on the system and then uses that database to verify file integrity and detect system intrusions.

Requirements: user with root privileges or non-root user with sudo privileges.

Installation
$ sudo dnf update -y
$ sudo dnf install aide -y

After the installation is complete, you need to create the initial AIDE database, which is a snapshot of the system in a known-good state. This database acts as the yardstick against which all subsequent updates and changes are measured. The default AIDE configuration enables checking of a set of directories and files defined in the /etc/aide.conf file. Edit this file to configure additional files and directories to be watched by AIDE.

$ sudo aide --init

To start using the database, remove the .new from the initial database file name.

$ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

To protect the AIDE database, you can change its default location by editing the configuration file and modifying the DBDIR value. For additional security, store the database and the configuration file in a secure location. You can further increase security by signing the configuration and/or the database.

[...]
@@define DBDIR  /path/to/secret/db/location
[...]

To manually scan the system, run the following command:

$ sudo aide --check

To use AIDE effectively, configure it to run as a cron job that performs scheduled scans, weekly at minimum or daily at most. Example:

00  00  *  *  *  root  /usr/sbin/aide --check

After confirming the changes to your system, such as package updates or configuration file modifications, update your baseline AIDE database with the following command:

$ sudo aide --update

The aide --update command creates a new database file /var/lib/aide/aide.db.new.gz. To start using it for future scans, rename it as shown before (remove the .new substring from the file name).
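A small wrapper for the cron job and for the rename step above, as an added example that is not part of the original notes: it decodes AIDE's documented exit status (0 no changes; 1 new, 2 removed and 4 changed files, OR-ed together; 14 and above an error) so the cron mail says what was found, and it promotes aide.db.new.gz to aide.db.gz while keeping the previous baseline. The log path and the check/promote command-line dispatch are my assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper for AIDE checks and baseline promotion.
# Assumes AIDE's documented exit codes and the default /var/lib/aide DBDIR.
AIDE_BIN=${AIDE_BIN:-/usr/sbin/aide}
DBDIR=${DBDIR:-/var/lib/aide}
AIDE_LOG=${AIDE_LOG:-/var/log/aide/cron-check.log}   # assumed path

# Translate an AIDE exit status into a short summary for the cron mail.
aide_status_message() {
    rc=$1
    if [ "$rc" -eq 0 ]; then echo "no changes"; return 0; fi
    if [ "$rc" -ge 14 ]; then echo "aide error (exit $rc)"; return 0; fi
    msg=""
    [ $((rc & 1)) -ne 0 ] && msg="${msg}new files, "
    [ $((rc & 2)) -ne 0 ] && msg="${msg}removed files, "
    [ $((rc & 4)) -ne 0 ] && msg="${msg}changed files, "
    echo "${msg%, }"
}

# Rename aide.db.new.gz to aide.db.gz (the manual step from the notes),
# keeping the previous baseline as a timestamped .bak so a bad update
# can be rolled back. Takes the database directory as an optional argument.
promote_new_db() {
    dir=${1:-$DBDIR}
    new="$dir/aide.db.new.gz"
    cur="$dir/aide.db.gz"
    [ -f "$new" ] || { echo "no new database in $dir" >&2; return 1; }
    if [ -f "$cur" ]; then
        mv "$cur" "$cur.$(date +%Y%m%d%H%M%S).bak" || return 1
    fi
    mv "$new" "$cur"
}

# Scheduled check: cron mails the summary to root, the full report goes to the log.
run_check() {
    "$AIDE_BIN" --check > "$AIDE_LOG" 2>&1
    rc=$?
    echo "AIDE integrity check: $(aide_status_message "$rc") (details in $AIDE_LOG)"
    return "$rc"
}

# Usage: aide-cron.sh check   |   aide-cron.sh promote [dbdir]
case "${1:-}" in
    check)   run_check ;;
    promote) promote_new_db "${2:-}" ;;
esac
```

In the crontab, replace `/usr/sbin/aide --check` with `/usr/local/sbin/aide-cron.sh check`; a non-zero exit still reaches cron, so any existing alerting on the job's status keeps working.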