AIDE
AIDE (Advanced Intrusion Detection Environment) is an open-source file integrity checker for Linux. It helps monitor and detect changes in the file system by creating a database of file attributes (like checksums, permissions, etc.) and later comparing the current state of files against this database. If any discrepancies or unauthorized changes are found, AIDE alerts the user, helping in identifying potential security breaches or unauthorized modifications.
sudo apt update
sudo apt install aide
AIDE needs a baseline snapshot of the system to compare against later, so the first step is to initialise its database (on Debian and Ubuntu the aideinit wrapper does the same thing):
sudo aide -c /etc/aide/aide.conf --init
Initialisation writes the new database to aide.db.new; it has to be renamed to aide.db so that AIDE uses it as the reference database:
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
A check compares the current state of the monitored files with that database and reports every difference:
sudo aide -c /etc/aide/aide.conf --check
To have AIDE check for changes automatically every midnight (or at any other time), schedule the check as a cron job in root's crontab:
sudo crontab -e
0 0 * * * /usr/bin/aide -c /etc/aide/aide.conf --check
# With this cron job, AIDE performs a daily check at midnight. cron mails the report to root, so make sure root's mail is actually read or forwarded.
When changes to the filesystem are intentional (a package upgrade, an edited configuration file), update the AIDE database so that the new state becomes the baseline. Read the report that --update prints before accepting the new database: promoting it also silently accepts any change you did not make. For the same reason, keep a copy of aide.db (and ideally of the aide binary and its configuration) on read-only or off-host storage, because an attacker with root can simply regenerate the database on the compromised machine.
sudo aide -c /etc/aide/aide.conf --update
# --update writes the new baseline to aide.db.new; move it into place to accept it
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
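A cron-friendly wrapper around the check described above, as an added example that is not part of this page or of the AIDE project: it runs the check, keeps the full report on disk, decodes AIDE's documented exit status (bit flags: 1 = new files, 2 = removed files, 4 = changed files; 14 and above are errors such as a missing database) into a one-line syslog message, and exits non-zero so that cron or a monitoring agent notices. The configuration and report paths, the AIDE_CONF and REPORT variables and the `run` argument are assumptions made for this example.

```shell
#!/bin/sh
# aide-check.sh: run an AIDE check from cron and turn its exit status into a
# readable summary. Added example, not part of the AIDE project.
# Assumptions: Debian/Ubuntu layout (/etc/aide/aide.conf) and AIDE's documented
# exit-status bit flags: 1 = new files, 2 = removed files, 4 = changed files;
# 14 and above signal an error (unreadable database, bad config line, ...).

AIDE_CONF="${AIDE_CONF:-/etc/aide/aide.conf}"
REPORT="${REPORT:-/var/log/aide/aide-check.log}"

# decode_status STATUS: print a one-line summary for an AIDE exit status.
decode_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "clean"
        return 0
    fi
    if [ "$status" -ge 14 ]; then
        echo "error (exit $status)"
        return 0
    fi
    summary=""
    [ $((status & 1)) -ne 0 ] && summary="${summary}new "
    [ $((status & 2)) -ne 0 ] && summary="${summary}removed "
    [ $((status & 4)) -ne 0 ] && summary="${summary}changed "
    echo "${summary% }"
}

# run_check: execute aide, save the full report, log the summary to syslog and
# return aide's own status so the caller (cron, a monitoring wrapper) sees it.
run_check() {
    mkdir -p "$(dirname "$REPORT")"
    # Capture the status explicitly: a non-zero status means "differences",
    # which is the normal, interesting outcome rather than a script failure.
    set +e
    aide -c "$AIDE_CONF" --check > "$REPORT" 2>&1
    rc=$?
    set -e
    summary=$(decode_status "$rc")
    logger -t aide-check "result: $summary (exit $rc, report in $REPORT)"
    return "$rc"
}

# Only run a check when invoked with "run", so the functions can also be
# sourced from another script without starting a scan.
if [ "${1:-}" = "run" ]; then
    run_check
fi
```

In the crontab line above, replace the bare aide command with `/usr/local/sbin/aide-check.sh run` (a hypothetical install path); the syslog line is what a SIEM rule keys on, while the full report stays in the log directory for the person who investigates the alert.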
Customize the Rule Set (FIPSR):
This guide uses a custom rule set named FIPSR, which tells AIDE to record the following attributes for every file it applies to:
p : File permissions
i : Inode number
n : Number of hard links (not the file name; the path itself is always recorded)
u : User (ownership)
g : Group (ownership)
s : File size
m : Modification time (mtime)
c : Inode change time (ctime); this is a timestamp, not the file content
acl : Access Control List (if applicable)
selinux : SELinux context (if applicable)
xattrs : Extended attributes (if applicable)
sha256 : SHA-256 checksum of the file content, which is what actually detects content changes
Add the following rule definition to /etc/aide/aide.conf (on Debian and Ubuntu; local rules can also go in a file under /etc/aide/aide.conf.d/):
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
Write Rules to Monitor Specific Files:
Now add selection lines that apply the rule set to individual paths. For example, to monitor /etc/hosts, add the following to aide.conf:
/etc/hosts FIPSR
This tells AIDE to monitor /etc/hosts for changes in any of the attributes in the FIPSR rule set. The left-hand side is a regular expression matched against the start of the path, so a directory entry covers everything beneath it, and a line starting with ! excludes what it matches.
Initialize the AIDE Database:
After modifying aide.conf, initialize the AIDE database by running:
sudo aide --init --config=/etc/aide/aide.conf
This creates a new database at the database_out location, /var/lib/aide/aide.db.new on Debian-based systems (aide.db.new.gz when gzip_dbout=yes is set in the configuration).
Move the Database to the Correct Location:
AIDE reads its reference database from the database_in path, so the new database has to be moved there before it can be used for checks:
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Verify Integrity:
To compare the current state of the monitored files with the database, run:
sudo aide -c /etc/aide/aide.conf --check
AIDE reports every discrepancy (for example a change to /etc/hosts) together with the attributes that differ, such as the old and new checksum, size or mtime.
Update the Database After Changes:
If you intentionally change monitored files, or add new rules to aide.conf, regenerate the database so that the new state becomes the baseline. This writes a fresh aide.db.new, which is then moved into place exactly as above:
sudo aide -c /etc/aide/aide.conf --update
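A fuller configuration fragment, added here as an example and not taken from the page or from the AIDE project, showing how the FIPSR rule set sits next to a looser rule for files that legitimately change, and how selection lines, anchoring and exclusions interact. It assumes the Debian/Ubuntu file layout; the LOGS rule name and the chosen paths are this example's own choices.

```conf
# Added example of /etc/aide/aide.conf rules; not from the original page or
# the AIDE project. Assumes the Debian/Ubuntu layout (/etc/aide/aide.conf or a
# file under /etc/aide/aide.conf.d/).

# Strict rule: every attribute plus a SHA-256 of the content. n is the hard
# link count and c is ctime; content changes are caught by sha256.
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

# Looser rule (name chosen for this example) for files that are written to
# constantly. S means the size may grow but not shrink, so appends pass while
# truncation is reported; mtime and checksums are left out on purpose because
# they change on every write and would only produce noise.
LOGS = p+i+n+u+g+S+acl+selinux+xattrs

# Selection lines are regular expressions matched against the start of the
# path. A directory entry is recursive, so these cover every file beneath them.
/etc/ssh FIPSR
/bin FIPSR
/sbin FIPSR
/usr/bin FIPSR
/usr/sbin FIPSR
/boot FIPSR

# Anchor with $ when exactly one file is meant; without it /etc/hosts would
# also match /etc/hosts.allow and /etc/hosts.deny.
/etc/hosts$ FIPSR
/etc/passwd$ FIPSR
/etc/shadow$ FIPSR
/etc/sudoers$ FIPSR

# A leading = selects the directory entry itself but not its contents:
# useful for world-writable directories where only the mode matters.
=/tmp p+u+g

# Exclusions start with ! and win over matching positive lines. Files that are
# rewritten on every boot or at runtime would otherwise alert every day.
!/etc/resolv.conf$
!/var/log/journal

# Logs: record growth, report truncation or permission/ownership changes.
/var/log LOGS
```

After editing, re-run the initialisation and move the database as described above; a check that reports nothing but expected log growth is the sign that the rule split between FIPSR and LOGS is right for the host.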