Ubuntu 18.04

AIDE : Host Based IDS
2018/11/29
 
Install and configure Host Based IDS (Intrusion Detection System) "AIDE" (Advanced Intrusion Detection Environment).
[1] Install AIDE.
root@dlp:~#
apt -y install aide
[2] Configure AIDE and initialize the database. AIDE can be used with its default settings, but if you'd like to customize them, edit the configuration file as follows. The setting rules are described in detail in [man aide.conf].
root@dlp:~#
vi /etc/default/aide
# line 5: uncomment if you'd like to check daily

#CRON_DAILY_RUN=yes
root@dlp:~#
vi /etc/aide/aide.conf
# add to the end : set exclude directories if you need

!/var/lib/lxcfs
!/var/lib/private/systemd
!/var/log/journal
# initialize database

root@dlp:~#
aideinit

Running aide --init...
Start timestamp: 2018-11-29 19:26:29 +0900 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new
Verbose level: 6

Number of entries:      78734

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new

.....
.....

End timestamp: 2018-11-29 19:27:39 +0900 (run time: 1m 10s)

# copy generated DB to master DB

root@dlp:~#
cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
[3] Run a check.
# run check

root@dlp:~#
aide.wrapper --check
# if there are no mismatches, it displays [Looks okay]

Start timestamp: 2018-11-29 19:36:45 +0900 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
Verbose level: 6

Number of entries:      78717

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db

.....
.....

End timestamp: 2018-11-29 19:38:00 +0900 (run time: 1m 15s)

# try to change a file and check again

root@dlp:~#
touch /root/test.txt

root@dlp:~#
aide.wrapper --check
# detected differences like follows

Start timestamp: 2018-11-29 19:38:48 +0900 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Verbose level: 6

Summary:
  Total number of entries:      78718
  Added entries:                1
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /root/test.txt

---------------------------------------------------
Changed entries:
---------------------------------------------------

d =.... mc.. .. .: /root

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /root
  Mtime    : 2018-11-29 19:34:57 +0900        | 2018-11-29 19:38:37 +0900
  Ctime    : 2018-11-29 19:34:57 +0900        | 2018-11-29 19:38:37 +0900

.....
.....

End timestamp: 2018-11-29 19:40:02 +0900 (run time: 1m 14s)
[4] If there is no problem even though some differences are detected, update the database as follows.
root@dlp:~#
aide.wrapper --update
Start timestamp: 2018-11-29 19:42:19 +0900 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new
Verbose level: 6

Summary:
  Total number of entries:      78718
  Added entries:                1
  Removed entries:              0
  Changed entries:              3

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /root/test.txt

---------------------------------------------------
Changed entries:
---------------------------------------------------

d =.... mc.. .. .: /root
f >.... mci.C.. .: /root/.viminfo
d =.... mc.. .. .: /usr/bin

.....
.....

# update database

root@dlp:~#
cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
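Reading the reports from steps [3] and [4] by eye does not scale once AIDE runs daily on many hosts, so here is an added example (not part of this page or of AIDE) that parses the "Added/Removed/Changed entries" sections into structured data and flags content or permission changes under system binary directories. It assumes the 17-character attribute summary follows the aide(1) column order YlZbpugamcinCAXSE as in the AIDE 0.16 output above, and the sample report and the /usr/bin/example-binary line are constructed.

```python
"""Parse an AIDE check/update report (added example, not from the page or AIDE). The
17-character summary before each path is decoded with the aide(1) column order
YlZbpugamcinCAXSE; assumption: AIDE 0.16 layout, as in the output shown above."""
import re
ATTR_NAMES = dict(zip("lZbpugamcinCAXSE", ("linkname size blocks perms uid gid atime "
    "mtime ctime inode links checksum acl xattrs selinux e2fsattrs").split()))
SECTIONS = {f"{k} entries:": k.lower() for k in ("Added", "Removed", "Changed")}
ENTRY_RE = re.compile(r"^(?P<flags>\S.{16}): (?P<path>/.*)$")
# Constructed sample: the entries reported above plus one made-up binary change
# (dashed rules and blank lines of the real report omitted for brevity).
SAMPLE = """\
Added entries:
f++++++++++++++++: /root/test.txt
Changed entries:
d =.... mc.. .. .: /root
f >.... mci.C.. .: /root/.viminfo
d =.... mc.. .. .: /usr/bin
f =.... mc..C.. .: /usr/bin/example-binary
Detailed information about changes:
"""
def decode_flags(flags):
    """Return (file type, size change, set of changed attribute names)."""
    size, changed = None, set()
    for letter, mark in zip("lZbpugamcinCAXSE", flags[1:]):
        if letter == "Z":
            size = {">": "grew", "<": "shrunk", "=": "same"}.get(mark)
        elif mark not in ". :":   # '.' unchanged, ' ' not checked, ':' ignored
            changed.add(ATTR_NAMES[letter])
    return flags[0], size, changed

def parse_report(text):
    """Collect paths per section; changed entries carry their decoded flags."""
    out, section = {"added": [], "removed": [], "changed": {}}, None
    for line in text.splitlines():
        line = line.rstrip()
        if line in SECTIONS:
            section = SECTIONS[line]
        elif line.startswith("Detailed information"):
            section = None               # per-file details follow; stop collecting
        elif section and (e := ENTRY_RE.match(line)):
            if section == "changed":
                out["changed"][e["path"]] = decode_flags(e["flags"])
            else:
                out[section].append(e["path"])
    return out

def suspicious(report, watched=("/usr/bin", "/bin", "/sbin", "/etc")):
    """Changed paths under watched prefixes whose checksum or permissions changed."""
    return sorted(p for p, (_, _, attrs) in report["changed"].items()
                  if p.startswith(watched) and attrs & {"checksum", "perms"})
```

A directory showing only mtime/ctime changes (like /root and /usr/bin above) is routine noise after package or editor activity, whereas a changed checksum on a binary is what deserves an alert before you run `aide.wrapper --update`.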