AIDE : Host Based IDS
2022/08/30
Install and configure the host-based IDS (Intrusion Detection System) [AIDE] (Advanced Intrusion Detection Environment).
| [1] | Install AIDE. |
root@dlp:~# apt -y install aide
| [2] | Configure AIDE and initialize the database. AIDE works with its default settings, but if you want to customize them, edit the configuration file as follows. The rule syntax is described in detail in [man aide.conf]. |
root@dlp:~# vi /etc/default/aide
# line 8 : if you do not use the Cron job, comment out or set to [no]
#CRON_DAILY_RUN=yes

root@dlp:~# vi /etc/aide/aide.conf
# add to the end : set exclude directories if you need
!/var/log
!/var/lib/aide
!/var/lib/apt
!/var/lib/dpkg
!/var/cache
!/run

# initialize database
root@dlp:~# aide --init --config /etc/aide/aide.conf
Start timestamp: 2022-08-30 03:55:41 +0000 (AIDE 0.17.4)
AIDE initialized database at /var/lib/aide/aide.db.new
Ignored e2fs attributes: EIh
Number of entries: 140924
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new
SHA256 : qX5SmeDv79zhLbP48e3lZrV71nLo8HNV
qru/kPKM10k=
SHA512 : hP5P32xNwk5raG1nPdeYsgYcrMTwwQqL
2yjyEXVwONaNcsD72dedSunbgxXZfuTK
Ey7NpvoV3J2bx/a/qB7nxw==
RMD160 : AAueVtKLO6ofFv0A9OVPw7r+Gy8=
TIGER : zXkLcHHEuBy2GWM6CppkjUvCXbsKw7Bg
CRC32 : 6gsYXA==
HAVAL : 1MY0ba96vArmUh3ALnfmszMZ0vZ4Y1/z
uI1UB8bpjAo=
WHIRLPOOL : BhsXiPEt3sHhuDHzD6eAX3ZHdymmKRe4
z8qoMEbpPO9kXlT7gul6874WEhqe7Tok
bOhGwsRYL5WkO0143vQFsQ==
GOST : pXSi34f2QfEKYvekRxKRl/hqIGo7b7q2
ffNVrAUmwf8=
End timestamp: 2022-08-30 04:02:15 +0000 (run time: 6m 34s)
# copy generated DB to master DB
root@dlp:~# cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
| [3] | Run checking. |
root@dlp:~# aide --check --config /etc/aide/aide.conf
# if there is no mismatch, it displays [*** Looks okay]
Start timestamp: 2022-08-30 04:02:30 +0000 (AIDE 0.17.4)
AIDE found NO differences between database and filesystem. Looks okay!!
Ignored e2fs attributes: EIh
Number of entries: 140924
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db
SHA256 : qX5SmeDv79zhLbP48e3lZrV71nLo8HNV
qru/kPKM10k=
SHA512 : hP5P32xNwk5raG1nPdeYsgYcrMTwwQqL
2yjyEXVwONaNcsD72dedSunbgxXZfuTK
Ey7NpvoV3J2bx/a/qB7nxw==
RMD160 : AAueVtKLO6ofFv0A9OVPw7r+Gy8=
TIGER : zXkLcHHEuBy2GWM6CppkjUvCXbsKw7Bg
CRC32 : 6gsYXA==
HAVAL : 1MY0ba96vArmUh3ALnfmszMZ0vZ4Y1/z
uI1UB8bpjAo=
WHIRLPOOL : BhsXiPEt3sHhuDHzD6eAX3ZHdymmKRe4
z8qoMEbpPO9kXlT7gul6874WEhqe7Tok
bOhGwsRYL5WkO0143vQFsQ==
GOST : pXSi34f2QfEKYvekRxKRl/hqIGo7b7q2
ffNVrAUmwf8=
End timestamp: 2022-08-30 04:11:37 +0000 (run time: 9m 7s)
# try to change a file and check again
root@dlp:~# touch /root/test.txt
root@dlp:~# aide --check --config /etc/aide/aide.conf
# detected differences like follows
Start timestamp: 2022-08-30 04:13:52 +0000 (AIDE 0.17.4)
AIDE found differences between database and filesystem!!
Ignored e2fs attributes: EIh

Summary:
Total number of entries: 140925
Added entries: 1
Removed entries: 0
Changed entries: 1

---------------------------------------------------
Added entries:
---------------------------------------------------
f+++++++++++++++++: /root/test.txt

---------------------------------------------------
Changed entries:
---------------------------------------------------
d =.... mc.. .. . : /root

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /root
Mtime : 2022-08-30 03:55:34 +0000 | 2022-08-30 04:13:49 +0000
Ctime : 2022-08-30 03:55:34 +0000 | 2022-08-30 04:13:49 +0000
.....
.....
| [4] | If the detected differences are expected and there is no problem, update the database as follows. |
root@dlp:~# aide --update --config /etc/aide/aide.conf
Start timestamp: 2022-08-30 04:26:53 +0000 (AIDE 0.17.4)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new
Ignored e2fs attributes: EIh

Summary:
Total number of entries: 140925
Added entries: 1
Removed entries: 0
Changed entries: 1

---------------------------------------------------
Added entries:
---------------------------------------------------
f+++++++++++++++++: /root/test.txt

---------------------------------------------------
Changed entries:
---------------------------------------------------
d =.... mc.. .. . : /root

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /root
Mtime : 2022-08-30 03:55:34 +0000 | 2022-08-30 04:13:49 +0000
Ctime : 2022-08-30 03:55:34 +0000 | 2022-08-30 04:13:49 +0000
.....
.....

# update database
root@dlp:~# cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
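The check-and-update cycle in steps [2] to [4] is usually driven from cron, so the report and exit status have to be interpreted by a script rather than read by eye. The following shell helpers are an added example (not code from the page or from the AIDE project): they parse the report format shown above, decode AIDE's exit status (bits 1/2/4 for added/removed/changed, 14 and above for errors), and compare the master database with a SHA-256 recorded when it was copied into place, assuming coreutils `sha256sum` is available.

```shell
# Added example, not from the original page: shell helpers around the
# "aide --check" step. The parsers follow the report format shown above.

# Print "added removed changed" taken from the Summary block.
aide_summary() {
    printf '%s\n' "$1" | awk '
        /Added entries:[ \t]+[0-9]+/   { a = $3 }
        /Removed entries:[ \t]+[0-9]+/ { r = $3 }
        /Changed entries:[ \t]+[0-9]+/ { c = $3 }
        END { printf "%d %d %d\n", a, r, c }'
}

# Print the paths from the Added/Removed/Changed sections: those lines start with
# a lowercase type letter (f, d, l, ...) and end in ": /path"; the uppercase
# "Directory:"/"File:" headers of the detail section are skipped.
aide_changed_paths() {
    printf '%s\n' "$1" | awk -F': ' '/^[a-z][^:]*: \// { print $2 }'
}

# Decode aide's exit status: bits 1/2/4 (added/removed/changed) are OR-ed
# together; 14 and above mean aide itself failed and must not be reported as ok.
aide_exit_meaning() {
    rc=$1
    [ "$rc" -eq 0 ] && { echo "no changes"; return 0; }
    [ "$rc" -ge 14 ] && { echo "error"; return 0; }
    out=""
    [ $((rc & 1)) -ne 0 ] && out="${out}added "
    [ $((rc & 2)) -ne 0 ] && out="${out}removed "
    [ $((rc & 4)) -ne 0 ] && out="${out}changed "
    echo "${out% }"
}

# Compare the master database with a SHA-256 recorded when it was copied into
# place (keep that record off-host or read-only, since an intruder with root can
# otherwise regenerate aide.db). Exit status 0 on match, 1 on mismatch.
aide_db_intact() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}
# Constructed sample, abridged from the report shown on this page.
SAMPLE_REPORT='AIDE found differences between database and filesystem!!
Summary:
Added entries: 1
Removed entries: 0
Changed entries: 1
Added entries:
f+++++++++++++++++: /root/test.txt
Changed entries:
d =.... mc.. .. . : /root
Directory: /root'
```

Record the SHA-256 right after the `cp -p` in step [2] or [4], and call `aide_db_intact` before every `aide --check` so a replaced database is noticed instead of silently trusted.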