Debian 12 bookworm

AIDE : Host Based IDS — 2023/07/13

 
Install and configure AIDE (Advanced Intrusion Detection Environment), a host-based IDS (Intrusion Detection System) that detects changes to files by comparing the current filesystem against a stored baseline database.
[1] Install AIDE.
root@dlp:~#
apt -y install aide
[2] Configure AIDE and initialize the database. AIDE works with the default settings, but if you want to customize them, edit the configuration files as follows; the rule syntax is documented in [man aide.conf]. Build the initial database on a freshly installed, known-clean system: a baseline taken from a host that is already compromised will never report that compromise.
root@dlp:~#
vi /etc/default/aide
# line 8 : if you do not want the daily cron check, uncomment this line and set it to [no]

#CRON_DAILY_RUN=yes
root@dlp:~#
vi /etc/aide/aide.conf
# add to the end : list directories to exclude, only if you need to.
# Every excluded path is a blind spot (changes there are never reported), so keep the list minimal;
# excluding /var/log, for example, means tampering with log files goes unnoticed.

!/var/log
!/var/lib/aide
!/var/lib/apt
!/var/lib/dpkg
!/var/cache
!/run
# initialize database

root@dlp:~#
aide --init --config /etc/aide/aide.conf

Start timestamp: 2023-07-13 00:08:59 -0500 (AIDE 0.18.3)
AIDE successfully initialized database.
New AIDE database written to /var/lib/aide/aide.db.new
Ignored e2fs attributes: EINV

Number of entries:      36804

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new
 MD5       : PB+F57OJ7bxV54sNjQ+Mpg==
 SHA1      : heeX8kb2C65l5Pa5LcorOdZbQhU=
 SHA256    : WtpOVnxm4fy5PB20R4eJOZ8fqCzlWbL0
             F+g/Z+sw5A8=
 SHA512    : Sz3pK8Uwc8jzcF0fJ/Bp0aTvTkbH1/vk
             Qu6/fP8qi3j5g0pZ2qxKO1PAAyW846GE
             WR92cclUOr7MoY4qVqnu+A==
 RMD160    : 1gYOjhpG5dye1PuIP1s3w1Vym+Y=
 TIGER     : yf9kkj2AxyB6C6HwoQBYTxFDyEPhFFw7
 CRC32     : PdXXXw==
 CRC32B    : xjuyRw==
 HAVAL     : ZDC1v8WWT9n4mXF4tMv9HQOhcbp4vctG
             iDWBbie86XY=
 WHIRLPOOL : lN/yozsShe0DD1QRuNkyHqvG1WJF6Wb9
             Cav7aQmDzui4bbSM5zqdKdlyFHnE3qqs
             XbjlIkPise6uw+WtKt6auw==
 GOST      : s6maVSJeZyBDAatE75Vx0fXgjjfvx22c
             DSSIzwOZhQ4=


End timestamp: 2023-07-13 00:09:56 -0500 (run time: 0m 57s)

# copy the generated DB to the master DB that [--check] reads.
# Also keep a copy of the database (and ideally the aide binary and config) on read-only or off-host
# storage, and record the hashes printed above: an intruder with root can otherwise regenerate the
# database to hide changes, and the stored hashes let you verify the DB has not been replaced.

root@dlp:~#
cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
[3] Run checking.
root@dlp:~#
aide --check --config /etc/aide/aide.conf
# if there is no mismatch, it displays [Looks okay!!]

Start timestamp: 2023-07-13 00:13:30 -0500 (AIDE 0.18.3)
AIDE found NO differences between database and filesystem. Looks okay!!
Ignored e2fs attributes: EINV

Number of entries:      36804

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
 MD5       : PB+F57OJ7bxV54sNjQ+Mpg==
 SHA1      : heeX8kb2C65l5Pa5LcorOdZbQhU=
 SHA256    : WtpOVnxm4fy5PB20R4eJOZ8fqCzlWbL0
             F+g/Z+sw5A8=
 SHA512    : Sz3pK8Uwc8jzcF0fJ/Bp0aTvTkbH1/vk
             Qu6/fP8qi3j5g0pZ2qxKO1PAAyW846GE
             WR92cclUOr7MoY4qVqnu+A==
 RMD160    : 1gYOjhpG5dye1PuIP1s3w1Vym+Y=
 TIGER     : yf9kkj2AxyB6C6HwoQBYTxFDyEPhFFw7
 CRC32     : PdXXXw==
 CRC32B    : xjuyRw==
 HAVAL     : ZDC1v8WWT9n4mXF4tMv9HQOhcbp4vctG
             iDWBbie86XY=
 WHIRLPOOL : lN/yozsShe0DD1QRuNkyHqvG1WJF6Wb9
             Cav7aQmDzui4bbSM5zqdKdlyFHnE3qqs
             XbjlIkPise6uw+WtKt6auw==
 GOST      : s6maVSJeZyBDAatE75Vx0fXgjjfvx22c
             DSSIzwOZhQ4=


End timestamp: 2023-07-13 00:15:02 -0500 (run time: 1m 32s)

# try to change a file and check again

root@dlp:~#
touch /root/test.txt

root@dlp:~#
aide --check --config /etc/aide/aide.conf
# detected differences like follows

Start timestamp: 2023-07-13 00:16:56 -0500 (AIDE 0.18.3)
AIDE found differences between database and filesystem!!
Ignored e2fs attributes: EINV

Summary:
  Total number of entries:      36805
  Added entries:                1
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Added entries:
---------------------------------------------------

f+++++++++++++++++: /root/test.txt

---------------------------------------------------
Changed entries:
---------------------------------------------------

d =.... mc.. .. . : /root

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /root
 Mtime     : 2023-07-13 00:08:55 -0500        | 2023-07-13 00:16:49 -0500
 Ctime     : 2023-07-13 00:08:55 -0500        | 2023-07-13 00:16:49 -0500
.....
.....
[4] If every reported difference has been reviewed and is explained by a legitimate change (a package update, your own edits), update the database as follows. Do not accept a report blindly: adopting a new database turns every listed change, including a malicious one, into the new baseline.
root@dlp:~#
aide --update --config /etc/aide/aide.conf
Start timestamp: 2023-07-13 00:20:21 -0500 (AIDE 0.18.3)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new
Ignored e2fs attributes: EINV

Summary:
  Total number of entries:      36805
  Added entries:                1
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Added entries:
---------------------------------------------------

f+++++++++++++++++: /root/test.txt

---------------------------------------------------
Changed entries:
---------------------------------------------------

d =.... mc.. .. . : /root

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /root
 Mtime     : 2023-07-13 00:08:55 -0500        | 2023-07-13 00:16:49 -0500
 Ctime     : 2023-07-13 00:08:55 -0500        | 2023-07-13 00:16:49 -0500
.....
.....

# replace the master DB with the updated one (only after reviewing the differences reported above)

root@dlp:~#
cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db