How to Install and Use AIDE Intrusion Detection

Unknown | 03:07 | 0 comments


AIDE:

AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker.

It builds a database of the files selected by the regular-expression rules in its config file(s). Once this database has been initialized it can be used to verify the integrity of those files. Each file is fingerprinted with one or more message digests (md5, sha1, sha256, sha512, rmd160, tiger and others, chosen per rule), and the usual file attributes (permissions, owner, group, size, inode, link count, mtime, ctime) can be checked for inconsistencies as well. Note that AIDE only detects changes after the fact: it compares the current state against a baseline, so that baseline must be created on a system you already trust.

Installation Procedure:

1. Install AIDE package on CentOS/RHEL:
# yum install -y aide

2. Check and adjust aide configuration file to fulfill your needs:
# vim /etc/aide.conf

3. Initialize the AIDE database. AIDE walks every directory selected by the rules in the config file and records each file's digests and attributes in the file named by database_out:
# aide --init

When it finishes, AIDE prints a line like:
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

4. AIDE reads from the path named by database (by default /var/lib/aide/aide.db.gz) but writes to database_out, so the new database has to be moved into place before it can be used for checks:
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz


5. Run a first check straight away. Nothing has changed since the database was built, so it should report no differences; if it does, tune the rules (typically to exclude files that legitimately change, such as logs) before going further:
# aide --check

6. Make a change, e.g. touch /usr/sbin/mytestfile.txt (any file under a directory covered by the rules will do), then run the check again and confirm that AIDE reports the added file:
# aide --check


7. Consider keeping a golden copy of the AIDE database (by default /var/lib/aide/aide.db.gz) in a secure, read-only location such as removable media or a read-only mount exported from another host. An attacker who gains root on the monitored system can simply regenerate the local database to match their modifications, so only a copy the host cannot rewrite gives you a trustworthy baseline to compare the current system against. When a check reports changes that you have reviewed and accept, run aide --update, move the resulting aide.db.new.gz into place as in step 4 and refresh the golden copy.
To check what changed run (-C is the short form of --check):
# aide -C
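The steps above as one script, added here as an example that is not part of the original post or of the AIDE project: it initializes the baseline, stores a copy in a read-only location, refuses to run a check if the working database no longer matches that copy, and turns the aide(1) exit status into a readable result (1, 2 and 4 are flags for new, removed and changed files and can be combined, so 7 means all three; 14 and above are errors, not integrity findings). The paths follow the stock /etc/aide.conf on CentOS/RHEL; GOLDEN_DIR is an assumed location that you would mount read-only. Run it as root.

```shell
#!/bin/sh
# Added example, not from the original post. Wrapper around aide(1) for the
# init / check / accept cycle described in steps 3-7.
set -u

DB_DIR=/var/lib/aide
DB="$DB_DIR/aide.db.gz"          # database=     in the stock /etc/aide.conf
DB_NEW="$DB_DIR/aide.db.new.gz"  # database_out= in the stock /etc/aide.conf
# Assumed location of the golden copy; mount it read-only (or use removable media).
GOLDEN="${GOLDEN_DIR:-/mnt/golden}/aide.db.gz"

# Turn an aide exit status into words. 1 = new files, 2 = removed files,
# 4 = changed files; these are OR-ed together (7 = all three). 14 and above
# are errors (config, I/O, version mismatch), not integrity findings.
aide_status() {
    rc=$1
    if [ "$rc" -eq 0 ]; then echo "clean"; return 0; fi
    if [ "$rc" -ge 14 ]; then echo "error($rc)"; return 0; fi
    out=""
    if [ $((rc & 1)) -ne 0 ]; then out="$out added"; fi
    if [ $((rc & 2)) -ne 0 ]; then out="$out removed"; fi
    if [ $((rc & 4)) -ne 0 ]; then out="$out changed"; fi
    echo "${out# }"
}

# Byte-for-byte comparison of the working database with the golden copy.
# Returns 0 when identical, non-zero when they differ or one is missing.
db_matches_golden() {
    cmp -s "$1" "$2"
}

# Steps 3, 4 and 7: build the baseline, move it into place, store the golden copy.
aide_init() {
    aide --init || return $?
    mv -f "$DB_NEW" "$DB"
    cp -p "$DB" "$GOLDEN"
}

# Steps 5 and 6: check, but only against a database that still matches the golden copy.
aide_check() {
    if ! db_matches_golden "$DB" "$GOLDEN"; then
        echo "$DB does not match $GOLDEN; refusing to check against a possibly tampered database" >&2
        return 14   # in aide's range of error codes, so callers treat it as an error
    fi
    aide --check
    rc=$?
    echo "aide --check: $(aide_status "$rc")"
    return "$rc"
}

# After reviewing a report and accepting the changes, rebuild the baseline.
aide_accept() {
    aide --update
    rc=$?
    if [ "$rc" -ge 14 ]; then return "$rc"; fi
    mv -f "$DB_NEW" "$DB"
    cp -p "$DB" "$GOLDEN"
}

case "${1:-}" in
    init)   aide_init ;;
    check)  aide_check ;;
    accept) aide_accept ;;
esac
```

Run `sh aide-wrapper.sh init` once on a freshly installed, known-good system, then schedule `sh aide-wrapper.sh check` from cron and mail its output; a non-zero exit status below 14 means AIDE found differences, 14 or above means the check itself did not complete and must not be read as "clean".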


handsonbook.blogspot.com