From 8811afe68254eed33ec1a18fa07607bcc856ac7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A9ctor=20Louzao?= Date: Sun, 10 Jan 2021 12:23:45 +0100 Subject: [PATCH] Checking Integrity with AIDE --- modules/ROOT/pages/using-aide.adoc | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/modules/ROOT/pages/using-aide.adoc b/modules/ROOT/pages/using-aide.adoc index 0529d2b..595ceb8 100644 --- a/modules/ROOT/pages/using-aide.adoc +++ b/modules/ROOT/pages/using-aide.adoc @@ -1,7 +1,6 @@ [id='sec-Using-AIDE'] = Checking Integrity With *AIDE* :experimental: -include::{partialsdir}/unreviewed-message.adoc[] include::{partialsdir}/attributes.adoc[] Advanced Intrusion Detection Environment (AIDE) is a utility that creates a database of files on the system, and then uses that database to ensure file integrity and detect system intrusions. @@ -10,12 +9,15 @@ Advanced Intrusion Detection Environment (AIDE) is a utility that creates a data . To install the _aide_ package: + + [source,shell,subs="attributes"] ---- $ sudo dnf install aide ---- + . To generate an initial database: + + [source,shell,subs="attributes"] ---- $ sudo aide --init @@ -24,9 +26,9 @@ AIDE initialized database at /var/lib/aide/aide.db.new.gz Number of entries: 150666 ---------------------------------------------------- -The attributes of the (uncompressed) database(s): ---------------------------------------------------- + --------------------------------------------------- + The attributes of the (uncompressed) database(s): + --------------------------------------------------- /var/lib/aide/aide.db.new.gz MD5 : 0isjEPsCORFk7laoGGz8tQ== 
@@ -42,7 +44,8 @@ The attributes of the (uncompressed) database(s): End timestamp: 2018-07-11 12:37:35 +0200 (run time: 1m 48s) ---- -+ + + NOTE: In the default configuration, the *aide --init* command checks just a set of directories and files defined in the `/etc/aide.conf` file. To include additional directories or files in the AIDE database, and to change their watched parameters, edit `/etc/aide.conf` accordingly. . To start using the database, remove the `.new` substring from the initial database file name: @@ -54,6 +57,7 @@ $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz . To change the location of the *AIDE* database, edit the `/etc/aide.conf` file and modify the `DBDIR` value. For additional security, store the database, configuration, and the `/usr/sbin/aide` binary file in a secure location such as a read-only media. + + IMPORTANT: To avoid SELinux denials after the AIDE database location change, update your SELinux policy accordingly. See the link:https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/[SELinux User's and Administrator's Guide] for more information. == Performing Integrity Checks @@ -72,9 +76,9 @@ Summary: Removed entries: 0 Changed entries: 2 ---------------------------------------------------- -Added entries: ---------------------------------------------------- + --------------------------------------------------- + Added entries: + --------------------------------------------------- f++++++++++++++++: /etc/cups/subscriptions.conf.O ... @@ -98,6 +102,7 @@ After verifying the changes of your system such as, package updates or configura ---- $ sudo aide --update ---- + The *aide --update* command creates the `/var/lib/aide/aide.db.new.gz` database file. To start using it for integrity checks, remove the `.new` substring from the file name. == Additional Resources
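Review bot: dropping `include::{partialsdir}/unreviewed-message.adoc[]` in the `@@ -1,7 +1,6 @@` hunk removes the "unreviewed" banner, but the page content visible in the later hunks still carries the 2018 sample run (`End timestamp: 2018-07-11 12:37:35 +0200`) and links to the RHEL 7 SELinux guide rather than Fedora documentation; either refresh those before removing the banner, or have the commit message record what was actually reviewed, since "Checking Integrity with AIDE" alone does not say.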
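Review bot: in the `@@ -10,12 +9,15 @@` hunk, the `+` list-continuation lines added before each `[source,shell,subs="attributes"]` block are the right fix for keeping the listings attached to their numbered steps; the third addition, a blank line between the closing `----` and `. To generate an initial database:`, is optional for a new `.` item and is not done for the other steps, so either drop it or apply it consistently.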
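Review bot: in the `@@ -24,9 +26,9 @@` hunk the three separator lines around `The attributes of the (uncompressed) database(s):` are re-emitted with a leading space. If the intent is to stop a long run of dashes inside the listing from being read as a block delimiter, say so in the commit message, because the listing is presented as verbatim `aide --init` output and the indented lines no longer match what the command prints.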
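Review bot: in the `@@ -42,7 +44,8 @@` hunk the `+` continuation between the closing `----` and the `NOTE:` admonition is removed rather than added; confirm the NOTE still renders inside step 2, because if the admonition detaches from the list, the following `. To start using the database` item starts a new list numbered from 1. Every other hunk in this patch adds continuations, so this one looks like the odd one out.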
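Review bot: the `+` added before `IMPORTANT:` in the `@@ -54,6 +57,7 @@` hunk correctly keeps the admonition inside the `DBDIR` step; since that admonition is being touched anyway, the link it carries still points at the RHEL 7 SELinux User's and Administrator's Guide, and a Fedora page would be better served by Fedora's own SELinux documentation.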
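Review bot: the `@@ -72,9 +76,9 @@` hunk applies the same leading-space re-indent to the `Added entries:` separator lines as the `aide --init` listing, and whatever justification is chosen there applies here too; note that the `f++++++++++++++++: /etc/cups/subscriptions.conf.O` line immediately after stays unindented, so the indented separators stand out against the rest of the verbatim `aide --check` output.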
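Review bot: the blank line inserted after the `aide --update` listing in the `@@ -98,6 +102,7 @@` hunk is fine; while this paragraph is being touched, the context line above it reads "such as, package updates" with a misplaced comma (drop the comma after "such as"), which is worth fixing in the same commit.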