Wednesday, March 3, 2010

How to verify the integrity of critical files on a Linux system

AIDE is the name, file integrity verification is the game :)

The Advanced Intrusion Detection Environment (AIDE) is a free replacement for the popular file integrity verification tool known as Tripwire. It creates a database from regular expression rules that it finds in a configuration file. Once this database is initialized, it can be used to verify the integrity of critical system and user files. AIDE uses most of the popular message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) for checking file integrity. Additional algorithms may also be easily added. All of the traditional file system attributes may be checked for inconsistencies as well.

1. How to install AIDE

sudo aptitude install aide (or yum install aide.x86_64 on Fedora)

2. How to configure AIDE

AIDE has two configuration files and one folder:

/etc/default/aide The AIDE general configuration file.
/etc/aide/aide.conf The AIDE rules configuration file.
/etc/aide/aide.conf.d/ Specifies which files AIDE will scan and with which rules.

or, if you are on Fedora Linux, there is only one file:

/etc/aide.conf The AIDE configuration file.

3. How to use AIDE

First you must check whether AIDE's database is present:

cd /var/lib/aide
ls -ltr

If you see the file aide.db in the output of the ls command or the directory is empty, then proceed to the initialization step. If, instead, you see the file aide.db.new, then you need to rename the aide.db.new file to aide.db using this command:

sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

If there is no database you must initialize AIDE like this:

sudo aide.wrapper --init (or, if this doesn't work, try aide --init if you are on Fedora Linux)


Now you are ready to do an initial check on files and folders of your system like this:

sudo aide.wrapper --check (or aide --check if you are on Fedora)

If all is well in the directories and files being monitored, you will see this message when the check completes:

### All files match AIDE database. Looks okay!
If not, you will see the files that have changed since the last time you ran AIDE.

4. If you modify any AIDE configuration file on Ubuntu, you must run update-aide-conf for the configuration changes to take effect:

sudo update-aide-conf

Note: On Ubuntu, AIDE is very well configured and is added as a cron job that runs daily with the update parameter.
It is also wise to copy /var/lib/aide/aide.db to a USB stick or some other safe external medium and copy it back to your system when you want to check for system changes.
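The steps above (checking the database directory, initializing or renaming, running the check, keeping an offline copy of the database) as a small POSIX shell helper. This is an added example, not code from the original post or from the AIDE project; it assumes the binary is aide.wrapper on Ubuntu and aide on Fedora, and that the database lives in /var/lib/aide. The offline-copy comparison goes a step beyond the post: it lets you confirm the on-disk aide.db still matches the copy you took before trusting a check that reads it.

```shell
#!/bin/sh
# Added example (not from the post): wrap the AIDE workflow described above.
# Assumptions: aide.wrapper on Ubuntu, aide on Fedora, database in /var/lib/aide.

AIDE_DIR="${AIDE_DIR:-/var/lib/aide}"

# Use the Ubuntu wrapper when it exists, otherwise the plain Fedora binary.
aide_bin() {
    if command -v aide.wrapper >/dev/null 2>&1; then echo aide.wrapper; else echo aide; fi
}

# Classify the database directory ($1):
#   ready        aide.db exists, a --check can run
#   needs-rename only aide.db.new exists, rename it to aide.db first
#   needs-init   no database at all, run --init
aide_db_state() {
    if [ -f "$1/aide.db" ]; then echo ready
    elif [ -f "$1/aide.db.new" ]; then echo needs-rename
    else echo needs-init
    fi
}

# Bring the directory ($1, default AIDE_DIR) to a checkable state, then check.
# Exit status is AIDE's own: 0 means "All files match AIDE database".
aide_run() {
    dir="${1:-$AIDE_DIR}"; bin="$(aide_bin)"
    case "$(aide_db_state "$dir")" in
        needs-init)   sudo "$bin" --init || return 1
                      sudo mv "$dir/aide.db.new" "$dir/aide.db" ;;
        needs-rename) sudo mv "$dir/aide.db.new" "$dir/aide.db" ;;
    esac
    sudo "$bin" --check
}

# Copy the database from $1 to external media mounted at $2.
aide_db_backup() {
    cp "$1/aide.db" "$2/aide.db"
}

# Before trusting the on-disk database in $1, confirm it is byte-for-byte
# identical to the offline copy in $2; returns 1 if it has been altered.
aide_db_verify_backup() {
    cmp -s "$1/aide.db" "$2/aide.db"
}

# Interpret a saved --check report ($1): 0 if AIDE found nothing changed.
aide_report_ok() {
    grep -q 'All files match AIDE database' "$1"
}
```

Source the file and call aide_run, or run aide_db_verify_backup /var/lib/aide /media/usb before a check to detect a database that was rewritten on the host.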
