AIDE : Host Based IDS    2026/06/12
Install and configure the Host Based IDS (Intrusion Detection System) [AIDE] (Advanced Intrusion Detection Environment). AIDE records file attributes and checksums in a database and reports later deviations from it; it detects changes after the fact rather than preventing them, so the database and configuration must be kept where a compromised host cannot silently rewrite them. |
|
| [1] | Install AIDE. |
|
root@dlp:~# apt -y install aide
|
| [2] | Configure AIDE and initialize the database. AIDE works with the default settings, but if you'd like to customize them, change the configuration file as follows. Details of the selection rules are in [man aide.conf]. Note that anything you exclude is never reported again, so keep the exclusion list to directories that legitimately churn. |
|
root@dlp:~# vi /etc/default/aide
# line 8 : if you do not use the Cron job, comment it out or set it to [no]
#CRON_DAILY_RUN=yes

root@dlp:~# vi /etc/aide/aide.conf
# add to last line : exclude directories if you need
# (a rule is a regex matched from the start of the path, so [!/var/log] also covers any path beginning with /var/log)
!/var/log
!/var/lib/aide
!/var/lib/apt
!/var/lib/dpkg
!/var/cache
!/run

# initialize database
root@dlp:~# aide --init --config /etc/aide/aide.conf
Start timestamp: 2026-06-12 00:34:41 +0000 (AIDE 0.19.2)
AIDE successfully initialized database.
New AIDE database written to /var/lib/aide/aide.db.new
Ignored e2fs attributes: EINV
Number of entries: 150441
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new
SHA256 : E4VCzr6MU9nzYpa+lH7W5jnYsLvsRYLQ
pnyn0qdkYlo=
SHA512 : JjX0SgPRh6oLueOPpg8rHbnoBI0lq63w
kN7J4CeeyHjjT2DGmdlUJkzoZVZcDU/H
XfJWHZtoho3FMpUgCRSj6A==
STRIBOG256: QUiwkj40MeaPN7pSVHOcewhUJmvJGGj0
9TArQw31gwU=
STRIBOG512: +CtogUZSAYg7FjiZXXXuShZHi6ll3OSO
KILEHwtpGQ7T4vRwt3p2cNCXzZTWnhRy
ygBBIJYMUuiggxGbn1So1g==
SHA512/256: grcvGDldeqxc+pYgd2UdvEj5IPHP/P8R
R7U08Pw4EWc=
SHA3-256 : kFfWaFcGvfOVBQt8+x+olsNLkbTJOhPQ
vNpzad2XNG4=
SHA3-512 : wfukH3s8Q3XePxpZKGJrULfKqoGZB0Uw
8eSTtOYcJIi/KMvb7M2AZGROI4/X4Ji3
VQp/Er1gppIo6x6tfjjaBQ==
End timestamp: 2026-06-12 00:39:08 +0000 (run time: 4m 27s)
# copy generated DB to master DB
root@dlp:~# cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
|
| [3] | Run checking. |
|
root@dlp:~# aide --check --config /etc/aide/aide.conf
# if there is no mismatch, it reports [Looks okay]
Start timestamp: 2026-06-12 00:46:22 +0000 (AIDE 0.19.2)
AIDE found differences between database and filesystem!!
Ignored e2fs attributes: EINV
Summary:
Total number of entries: 150441
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db
SHA256 : E4VCzr6MU9nzYpa+lH7W5jnYsLvsRYLQ
pnyn0qdkYlo=
SHA512 : JjX0SgPRh6oLueOPpg8rHbnoBI0lq63w
kN7J4CeeyHjjT2DGmdlUJkzoZVZcDU/H
XfJWHZtoho3FMpUgCRSj6A==
STRIBOG256: QUiwkj40MeaPN7pSVHOcewhUJmvJGGj0
9TArQw31gwU=
STRIBOG512: +CtogUZSAYg7FjiZXXXuShZHi6ll3OSO
KILEHwtpGQ7T4vRwt3p2cNCXzZTWnhRy
ygBBIJYMUuiggxGbn1So1g==
SHA512/256: grcvGDldeqxc+pYgd2UdvEj5IPHP/P8R
R7U08Pw4EWc=
SHA3-256 : kFfWaFcGvfOVBQt8+x+olsNLkbTJOhPQ
vNpzad2XNG4=
SHA3-512 : wfukH3s8Q3XePxpZKGJrULfKqoGZB0Uw
8eSTtOYcJIi/KMvb7M2AZGROI4/X4Ji3
VQp/Er1gppIo6x6tfjjaBQ==
End timestamp: 2026-06-12 00:50:37 +0000 (run time: 4m 15s)
# try to change a file and check again
root@dlp:~# touch /root/test.txt
root@dlp:~# aide --check --config /etc/aide/aide.conf
# detected differences like follows
Start timestamp: 2026-06-12 01:02:37 +0000 (AIDE 0.19.2)
AIDE found differences between database and filesystem!!
Ignored e2fs attributes: EINV

Summary:
  Total number of entries:      150442
  Added entries:                1
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++++: /root/test.txt

---------------------------------------------------
Changed entries:
---------------------------------------------------

d =.... mc.. .. . : /root

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /root
  Mtime     : 2026-06-12 00:57:16 +0000        | 2026-06-12 01:02:33 +0000
  Ctime     : 2026-06-12 00:57:16 +0000        | 2026-06-12 01:02:33 +0000

.....
.....
|
| [4] | If the detected differences are all expected (for example, changes you made yourself or a package update), update the database as follows. [aide --update] runs the same check and writes the new baseline to [aide.db.new]; it does not replace [aide.db] itself, so copy it over only after you have reviewed the report. |
|
root@dlp:~# aide --update --config /etc/aide/aide.conf
Start timestamp: 2026-06-12 01:07:40 +0000 (AIDE 0.19.2)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new
Ignored e2fs attributes: EINV

Summary:
  Total number of entries:      150442
  Added entries:                1
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++++: /root/test.txt

---------------------------------------------------
Changed entries:
---------------------------------------------------

d =.... mc.. .. . : /root

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /root
  Mtime     : 2026-06-12 00:57:16 +0000        | 2026-06-12 01:02:33 +0000
  Ctime     : 2026-06-12 00:57:16 +0000        | 2026-06-12 01:02:33 +0000

.....
.....

# update database
root@dlp:~# cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
|
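The init / check / update cycle of steps [2] to [4], as an added example that is not part of the original page: a small POSIX sh helper set that (a) mirrors how an exclusion rule such as [!/var/log] is matched (a regex anchored at the start of the path only, so it also covers /var/log2), (b) turns a saved [aide --check] report into machine-readable counts with a non-zero exit when something changed or the report cannot be parsed, and (c) copies aide.db.new over aide.db only when its SHA-256 equals a digest recorded out of band right after --init or --update. It assumes only grep, sed and coreutils; the aide binary is never invoked, the function names (aide_rule_matches, aide_report_counts, aide_promote_db, aide_demo) are this example's own, and SAMPLE_REPORT is a constructed report modelled on the output above.

```shell
#!/bin/sh
# Added example (not from the original page): helpers around the AIDE
# init / check / update cycle. Needs only POSIX sh, grep, sed and coreutils
# (sha256sum, cut, cp, mv, mktemp); the aide binary itself is never called.

# Constructed sample report, modelled on the `aide --check` output above.
SAMPLE_REPORT='Start timestamp: 2026-06-12 01:02:37 +0000 (AIDE 0.19.2)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      150442
  Added entries:                1
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++++: /root/test.txt

---------------------------------------------------
Changed entries:
---------------------------------------------------

d =.... mc.. .. . : /root'

# Mimic an AIDE selection line: the regex is anchored at the START of the
# path only, so "!/var/log" also excludes "/var/log2"; write "!/var/log$"
# (or "!/var/log/") when you mean exactly that directory.
# Returns 0 if PATH is covered by RULE.
aide_rule_matches() {   # aide_rule_matches RULE PATH
    rule=${1#!}
    printf '%s\n' "$2" | grep -Eq "^$rule"
}

# Print "added removed changed" from the Summary block of a saved report.
# Exit status: 0 no differences, 1 differences listed, 2 summary not found
# (a report you cannot parse must count as a failure, never as "clean").
aide_report_counts() {  # aide_report_counts REPORT_FILE
    if grep -q '^AIDE found NO differences' "$1"; then
        echo "0 0 0"
        return 0
    fi
    a=$(sed -n 's/^[[:space:]]*Added entries:[[:space:]]*\([0-9][0-9]*\)$/\1/p' "$1" | head -n 1)
    r=$(sed -n 's/^[[:space:]]*Removed entries:[[:space:]]*\([0-9][0-9]*\)$/\1/p' "$1" | head -n 1)
    c=$(sed -n 's/^[[:space:]]*Changed entries:[[:space:]]*\([0-9][0-9]*\)$/\1/p' "$1" | head -n 1)
    [ -n "$a" ] && [ -n "$r" ] && [ -n "$c" ] || return 2
    echo "$a $r $c"
    [ "$((a + r + c))" -eq 0 ]
}

# Replace DB with NEW_DB only if NEW_DB's SHA-256 (hex, as sha256sum prints
# it; AIDE shows the same digest base64-encoded after --init/--update) equals
# the value you recorded out of band. Refuses a stale or tampered file and
# never leaves a half-written database behind.
aide_promote_db() {     # aide_promote_db NEW_DB DB EXPECTED_SHA256_HEX
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" != "$3" ]; then
        echo "refusing to promote $1: sha256 $actual != $3" >&2
        return 1
    fi
    cp -p "$1" "$2.tmp" && chmod 0600 "$2.tmp" && mv "$2.tmp" "$2"
}

# Stand-alone demo on a scratch directory (no real AIDE files are touched).
aide_demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_REPORT" > "$tmp/report.txt"
    counts=$(aide_report_counts "$tmp/report.txt"); status=$?
    echo "report counts: $counts (exit $status)"
    aide_rule_matches '!/var/log' /var/log2 && echo "!/var/log also matches /var/log2"
    printf 'constructed database contents\n' > "$tmp/aide.db.new"
    recorded=$(sha256sum "$tmp/aide.db.new" | cut -d' ' -f1)
    aide_promote_db "$tmp/aide.db.new" "$tmp/aide.db" "$recorded" && echo "promoted"
    aide_promote_db "$tmp/aide.db.new" "$tmp/aide.db" 0000 || echo "rejected as expected"
    rm -rf "$tmp"
}

aide_demo
```

Record the digest from somewhere the host cannot alter (the --init output copied to a log server, or the hash of the database you keep read-only off the box); a root-level intruder can otherwise re-run --init and hand you a clean baseline of the already modified system.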