AIDE installation and setup
Posted by daniel, Mar 12
AIDE (Advanced Intrusion Detection Environment) setup
AIDE is a host-based file and directory integrity checking tool, similar to Tripwire. During initialization it takes a snapshot of file details and stores them in a database. Which files AIDE monitors is governed by user-defined rules, in which the admin specifies the directories and files to keep an eye on. The snapshot is essentially a set of message digests computed over the file and directory information returned by the stat command. Once AIDE is initialized, it can detect subsequent changes and alert the admin to them. AIDE can be configured to run on a schedule, for instance via cron jobs.
Installation
yum list aide
yum install aide
Initialization
Create the AIDE DB – it stores a snapshot of file and directory stats gathered by scanning the monitored resources. The init run writes a new database file, which must then be moved into place as the live database:
$ /usr/sbin/aide --init
$ mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To minimize false positives, set PRELINKING=no in /etc/sysconfig/prelink and run
/usr/sbin/prelink -ua
to undo prelinking and restore the binaries to their original state, so that AIDE does not report every prelink rewrite as a change.
Scheduled integrity checks
Add a cron job to check file integrity, say every morning at 8 AM. Note that entries in /etc/crontab (unlike a per-user crontab) need a user field between the schedule and the command:
echo '0 8 * * * root /usr/sbin/aide --check' >> /etc/crontab
Updating the DB after making changes, or after verifying any changes reported during a check –
$ aide -c aide.conf --update
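As an added example (not part of the original post), the following POSIX sh wrapper strings the steps above together the way a practitioner would script them. It promotes the freshly generated database to the live one while keeping a backup of the previous database (both aide --init and aide --update write aide.db.new.gz, so the same rotation applies after either), decodes the exit status of aide --check (AIDE ORs together 1 for added, 2 for removed and 4 for changed files, and uses 14 and above for errors), and builds a /etc/crontab line that includes the user field. The default paths (/usr/sbin/aide, /etc/aide.conf, /var/lib/aide) are assumed to match the RHEL/CentOS defaults, and the function names are my own.

```shell
#!/bin/sh
# Added example, not the post's or the AIDE project's own code.
# Assumed RHEL/CentOS defaults; override via environment if your layout differs.
set -eu

AIDE_BIN=${AIDE_BIN:-/usr/sbin/aide}
AIDE_CONF=${AIDE_CONF:-/etc/aide.conf}
AIDE_DBDIR=${AIDE_DBDIR:-/var/lib/aide}

# Promote aide.db.new.gz (written by --init or --update) to the live aide.db.gz.
# The previous live database is kept as aide.db.gz.bak so a bad update can be
# rolled back. Argument: the database directory.
rotate_aide_db() {
    dbdir=$1
    if [ ! -f "$dbdir/aide.db.new.gz" ]; then
        echo "rotate_aide_db: no $dbdir/aide.db.new.gz to promote" >&2
        return 1
    fi
    if [ -f "$dbdir/aide.db.gz" ]; then
        mv -f "$dbdir/aide.db.gz" "$dbdir/aide.db.gz.bak"
    fi
    mv "$dbdir/aide.db.new.gz" "$dbdir/aide.db.gz"
    chmod 0600 "$dbdir/aide.db.gz"   # the baseline is root-only material
}

# Translate the exit status of 'aide --check' / 'aide --update' into words.
# 0 = no differences; bits 1/2/4 = added/removed/changed files (ORed together);
# 14 and above = an error (config, I/O, version mismatch, ...), not a finding.
decode_aide_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "clean"
        return 0
    fi
    if [ "$status" -ge 14 ]; then
        echo "error($status)"
        return 0
    fi
    out=""
    if [ $((status & 1)) -ne 0 ]; then out="$out added"; fi
    if [ $((status & 2)) -ne 0 ]; then out="$out removed"; fi
    if [ $((status & 4)) -ne 0 ]; then out="$out changed"; fi
    echo "${out# }"
}

# Build a line for /etc/crontab: schedule, then the user field, then the command.
cron_line() {
    echo "$1 root $AIDE_BIN --check"
}

# Run aide with the given mode (--check or --update) and report the decoded
# result. Differences are normal output here; only real errors make us fail.
run_aide() {
    set +e
    "$AIDE_BIN" "$1" -c "$AIDE_CONF"
    rc=$?
    set -e
    result=$(decode_aide_status "$rc")
    if [ "$rc" -ge 14 ]; then
        echo "aide $1 failed: $result" >&2
        return 1
    fi
    echo "aide $1 result: $result"
}

case "${1:-}" in
    init)   "$AIDE_BIN" --init -c "$AIDE_CONF" && rotate_aide_db "$AIDE_DBDIR" ;;
    check)  run_aide --check ;;
    update) run_aide --update && rotate_aide_db "$AIDE_DBDIR" ;;
    cron)   cron_line "0 8 * * *" ;;   # e.g. ./aide-wrap.sh cron >> /etc/crontab
    *)      : ;;                       # no argument: only define the functions
esac
```

Run it as `aide-wrap.sh init` once, `aide-wrap.sh check` from cron, and `aide-wrap.sh update` after a planned change has been verified; because the update path rotates the database only when AIDE itself did not error out, a broken config cannot silently replace a good baseline.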