# AIDE

AIDE (Advanced Intrusion Detection Environment) is an open-source file integrity checker for Linux. It helps monitor and detect changes in the file system by creating a database of file attributes (like checksums, permissions, etc.) and later comparing the current state of files against this database. If any discrepancies or unauthorized changes are found, AIDE alerts the user, helping in identifying potential security breaches or unauthorized modifications.

***

### Installation of AIDE

```bash
sudo apt update
sudo apt install aide
```

### Initializing the Database

First we take a baseline snapshot of the system that later checks will be compared against:

```bash
sudo aide --init
```

After initialization, the newly created database must be moved into place as the baseline that `--check` reads:

```bash
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
```

## Manually checking AIDE database

```bash
sudo aide -c /etc/aide/aide.conf --check
```

To ensure that the AIDE automaticlly checks the changes every midnight or on any specific time then we can do it with cron jobs to schedule AIDE check

```bash
sudo crontab -e
0 0 * * * /usr/bin/aide --check
# With this cron job, AIDE will perform a daily check at midnight.
```
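A cron mail is easy to miss, and a check that fails to run is not a passing check. The following wrapper, added here as an example and not part of the original page, saves each report, decodes AIDE's exit status (a bit mask documented in aide(1): 1 = new files, 2 = removed files, 4 = changed files, 14 and above = error) and writes one summary line to syslog for a log forwarder or SIEM to alert on. The script path `/usr/local/sbin/aide-check.sh` and the report directory `/var/log/aide` are assumptions.

```shell
#!/bin/sh
# Added example wrapper for the scheduled AIDE check (not from the original page).
# Assumes the Debian/Ubuntu config path used elsewhere on this page.
AIDE_CONF=/etc/aide/aide.conf
REPORT_DIR=/var/log/aide   # assumed directory for saved reports

# Translate AIDE's exit status into a short word list.
# 0 = no differences; 1/2/4 are OR'ed together for added/removed/changed;
# anything >= 14 is an error (bad config, missing or unreadable database).
decode_aide_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "clean"
        return 0
    fi
    if [ "$status" -ge 14 ]; then
        echo "error"
        return 0
    fi
    out=""
    [ $((status & 1)) -ne 0 ] && out="${out}added "
    [ $((status & 2)) -ne 0 ] && out="${out}removed "
    [ $((status & 4)) -ne 0 ] && out="${out}changed "
    echo "${out% }"
}

# Run the check, keep the full report, and emit one line to syslog.
run_aide_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).log"
    # Capture the status explicitly so the script also behaves under 'set -e'.
    if /usr/bin/aide -c "$AIDE_CONF" --check >"$report" 2>&1; then
        rc=0
    else
        rc=$?
    fi
    summary=$(decode_aide_status "$rc")
    # A single structured line is what a SIEM rule should key on;
    # treat "error" as seriously as "changed".
    logger -t aide-check "result=$summary exit=$rc report=$report"
    return "$rc"
}

# Only run the check when invoked with "run" (cron line, assumed path):
#   0 0 * * * /usr/local/sbin/aide-check.sh run
if [ "${1:-}" = "run" ]; then
    run_aide_check
fi
```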

## Updating the baseline

When changes to the filesystem are intentional, the AIDE database must be updated to reflect the new state of the system. Because anyone who can write `/var/lib/aide/aide.db` can make a tampered system look clean, keep a copy of the database and the config on read-only or off-host storage and compare against that copy as well.

```bash
sudo aide --update
# Replace the old baseline with the newly written database
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
```

***

## Creating Rulesets

* **Customize the Rule Set (`FIPSR`):**

  This example defines a custom rule set named `FIPSR`, which monitors the following attributes (letters as defined in aide.conf(5)):

  * `p`: File Permissions
  * `i`: Inode
  * `n`: Number of hard links
  * `u`: User (ownership)
  * `g`: Group (ownership)
  * `s`: File Size
  * `m`: Modification Time (mtime)
  * `c`: Change Time (ctime)
  * `acl`: Access Control List (if applicable)
  * `selinux`: SELinux context (if applicable)
  * `xattrs`: Extended Attributes (if applicable)
  * `sha256`: Hashing algorithm used for content checks (SHA-256)

  Add the following custom rule set to your `/etc/aide/aide.conf` file:

  ```plaintext
  FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
  ```
* **Write Rules to Monitor Specific Files:**

  Now, you can add individual file monitoring rules based on the custom rule set. For example, to monitor `/etc/hosts`, you would add the following to the `aide.conf` file:

  ```plaintext
  /etc/hosts FIPSR
  ```

  This tells AIDE to monitor `/etc/hosts` for changes in the attributes specified by the `FIPSR` rule set. Selection lines are regular expressions that are anchored only at the start, so `/etc/hosts` also matches `/etc/hosts.allow` and `/etc/hosts.deny`; write `/etc/hosts$` if only that one file is meant.
* **Initialize the AIDE Database:**

  After modifying `/etc/aide/aide.conf`, initialize the AIDE database by running:

  ```bash
  sudo aide --init --config=/etc/aide/aide.conf
  ```

  This will create a new AIDE database, typically stored as `/var/lib/aide/aide.db.new` (or `aide.db.new.gz` when the config sets `gzip_dbout=yes`); the exact path is given by the `database_out` setting in the config file.
* **Move the Database to the Correct Location:**

  The new AIDE database should be moved to the proper directory so AIDE can use it for file integrity checks. You can do this with the following command:

  ```bash
  sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
  ```

  This replaces the baseline (`/var/lib/aide/aide.db`) with the newly generated database, so the next `--check` compares against the current state.
* **Verify Integrity:**

  To check for changes on the system and verify the integrity of the files monitored by AIDE, run:

  ```bash
  sudo aide -c /etc/aide/aide.conf --check
  ```

  This command will compare the current system state to the database and report any discrepancies (like changes in `/etc/hosts`). If a file is modified, AIDE will show details of the modification.
* **Update the Database After Changes:**

  If you make any changes to the files being monitored (or add new rules to the `aide.conf` file), you can update the AIDE database to reflect the new state. Use the following commands to update the database and put it in place:

  ```bash
  sudo aide --update
  # As after --init, the new database must replace the baseline before the next check
  sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
  ```
