CentOS 7

AIDE : Install
2015/06/21
 
Install and configure the host-based IDS (Intrusion Detection System) "AIDE" (Advanced Intrusion Detection Environment).
[1] Install AIDE.
[[email protected] ~]#
yum -y install aide
[2] Configure AIDE and initialize the database. AIDE works with the default config, but if you'd like to customize the settings, edit the configuration file as follows. The rule definitions are written around lines 26-84; refer to them.
[[email protected] ~]#
vi /etc/aide.conf
# for example, change the monitoring setting for /var/log

/var/log  p+u+g+i+n+acl+selinux+xattrs
# initialize database

[[email protected] ~]#
aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

# copy generated DB to master DB

[[email protected] ~]#
cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[3] Execute checking.
[[email protected] ~]#
aide --check
# if there is no mismatch, it displays "Okay"

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

# try to change a file and check again

[[email protected] ~]#
chmod 640 /root/anaconda-ks.cfg

[[email protected] ~]#
aide --check
# the differences are detected as follows

AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2015-06-17 19:55:20

Summary:
  Total number of files:        39039
  Added files:                  0
  Removed files:                0
  Changed files:                1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root/anaconda-ks.cfg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /root/anaconda-ks.cfg
 Perm     : -rw-------                       , -rw-r-----
 Ctime    : 2015-05-24 02:22:04              , 2015-06-19 11:55:15
 ACL      : old = A:
----
user::rw-
group::---
other::---
----
                  D: <NONE>
            new = A:
----
user::rw-
group::r--
other::---
----
                  D: <NONE>
[4] If the detected differences are expected and there is no problem, update the database as follows.
[[email protected] ~]#
aide --update
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2015-06-17 19:56:31

Summary:
  Total number of files:        39039
  Added files:                  0
  Removed files:                0
  Changed files:                1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root/anaconda-ks.cfg
.....
.....

# update database

[[email protected] ~]#
cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[5] Add a Cron job if you'd like to check regularly. The log file [/var/log/aide/aide.log] is overwritten on every run, and it is written as a zero-byte file when there is no difference, so if you'd like to keep the results you need to create a shell script, send the results via email, or similar.
# for example, add a daily check to Crontab and send the results via email

[[email protected] ~]#
vi /etc/cron.d/aide
00 01 * * * /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root
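As an added example (not from the original page), the following wrapper script is one way to keep the results that the plain cron line above loses: it runs the check, archives a dated copy of the report and mails it only when AIDE reports differences. The archive directory, the recipient and the `run` argument are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the page): cron wrapper that keeps a dated copy of
# each AIDE report containing differences and mails it, since the default
# /var/log/aide/aide.log is overwritten (and empty when nothing changed).
AIDE=/usr/sbin/aide
ARCHIVE_DIR=/var/log/aide/archive   # assumed archive location
MAILTO=root                          # assumed recipient

# Read an AIDE report on stdin; return 0 when the Summary block reports any
# added, removed or changed files, 1 otherwise (the "Looks okay!" report has
# no Summary block, so it counts as unchanged).
aide_report_has_changes() {
    awk '/^ *(Added|Removed|Changed) files:/ { n += $NF }
         END { if (n > 0) exit 0; exit 1 }'
}

# Run the check; archive and mail the report only when something differs.
# (The page's cron line uses --update, which also rewrites aide.db.new.gz;
# the report format is the same.)
run_daily_check() {
    report=$(mktemp) || return 1
    "$AIDE" --check > "$report" 2>&1
    rc=$?
    if aide_report_has_changes < "$report"; then
        mkdir -p "$ARCHIVE_DIR"
        cp -p "$report" "$ARCHIVE_DIR/aide-$(date +%Y%m%d-%H%M%S).log"
        mail -s "AIDE: differences on $(hostname)" "$MAILTO" < "$report"
    fi
    rm -f "$report"
    return "$rc"
}

# Constructed sample reports (same layout as shown above) so the parser can be
# exercised without running aide.
SAMPLE_CHANGED='Summary:
  Total number of files:        39039
  Added files:                  0
  Removed files:                0
  Changed files:                1'
SAMPLE_CLEAN='### All files match AIDE database. Looks okay!'

# Parser self-check: returns 0 when both samples are classified correctly.
self_check() {
    printf '%s\n' "$SAMPLE_CHANGED" | aide_report_has_changes || return 1
    printf '%s\n' "$SAMPLE_CLEAN" | aide_report_has_changes && return 1
    return 0
}

if [ "${1:-}" = run ]; then run_daily_check; fi
```

Schedule it with `00 01 * * * /usr/local/sbin/aide-daily.sh run` (path assumed) in place of the direct `aide --update` line; the exit status of `aide` is passed through so cron still records a failed run.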