[id='sec-Using-AIDE'] = Checking Integrity With *AIDE* :experimental: include::{partialsdir}/unreviewed-message.adoc[] include::{partialsdir}/attributes.adoc[] Advanced Intrusion Detection Environment (AIDE) is a utility that creates a database of files on the system, and then uses that database to ensure file integrity and detect system intrusions. == Installing *AIDE* . To install the _aide_ package: + [source,shell,subs="attributes"] ---- $ sudo dnf install aide ---- . To generate an initial database: + [source,shell,subs="attributes"] ---- $ sudo aide --init Start timestamp: 2018-07-11 12:35:47 +0200 (AIDE 0.16) AIDE initialized database at /var/lib/aide/aide.db.new.gz Number of entries: 150666 --------------------------------------------------- The attributes of the (uncompressed) database(s): --------------------------------------------------- /var/lib/aide/aide.db.new.gz MD5 : 0isjEPsCORFk7laoGGz8tQ== SHA1 : j0aPLakWChM+TAuxfVIpy9nqBOE= RMD160 : nYyyx0AGZj4e5rwcz77afasXFrw= TIGER : IBVo5A2A4En1kM6zDjD/MnlkN4QWeSOw SHA256 : YveypaI9c5PJNvPSZf8YFfjCMWfGUA8q vyqLpLJWY0E= SHA512 : TiUYmHYflS3A+j17qw5mW78Fn2yXLpCF 1LE1/RhiqqtMn1MjkKDrr+3TE+/vWfa4 7253cDhNmC6hoFndkS67Xw== End timestamp: 2018-07-11 12:37:35 +0200 (run time: 1m 48s) ---- + NOTE: In the default configuration, the *aide --init* command checks just a set of directories and files defined in the `/etc/aide.conf` file. To include additional directories or files in the AIDE database, and to change their watched parameters, edit `/etc/aide.conf` accordingly. . To start using the database, remove the `.new` substring from the initial database file name: + [source,shell,subs="attributes"] ---- $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz ---- . To change the location of the *AIDE* database, edit the `/etc/aide.conf` file and modify the `DBDIR` value. For additional security, store the database, configuration, and the `/usr/sbin/aide` binary file in a secure location such as a read-only media. + IMPORTANT: To avoid SELinux denials after the AIDE database location change, update your SELinux policy accordingly. See the link:https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/[SELinux User's and Administrator's Guide] for more information. == Performing Integrity Checks To initiate a manual check: [source,shell,subs="attributes"] ---- $ sudo aide --check Start timestamp: 2018-07-11 12:41:20 +0200 (AIDE 0.16) AIDE found differences between database and filesystem!! Summary: Total number of entries: 150667 Added entries: 1 Removed entries: 0 Changed entries: 2 --------------------------------------------------- Added entries: --------------------------------------------------- f++++++++++++++++: /etc/cups/subscriptions.conf.O ... [output truncated] ---- At a minimum, *AIDE* should be configured to run a weekly scan. At most, *AIDE* should be run daily. For example, to schedule a daily execution of AIDE at _04:05_ a.m. using the *cron* command, see the xref:{MAJOROSVER}@fedora:system-administrators-guide:monitoring-and-automation/Automating_System_Tasks.adoc[Automating System Tasks] chapter in the System Administrator's Guide. Add the following line to the `/etc/crontab` file: [source,shell,subs="attributes"] ---- 05 4 * * * root /usr/sbin/aide --check ---- == Updating an *AIDE* Database After verifying the changes of your system such as, package updates or configuration files adjustments, update your baseline *AIDE* database: [source,shell,subs="attributes"] ---- $ sudo aide --update ---- The *aide --update* command creates the `/var/lib/aide/aide.db.new.gz` database file. To start using it for integrity checks, remove the `.new` substring from the file name. == Additional Resources For additional information on *AIDE*, see the following documentation: - link:https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_group_aide[Guide to the Secure Configuration of Red Hat Enterprise Linux 7 (OpenSCAP Security Guide): Verify Integrity with AIDE] - link:http://aide.sourceforge.net/stable/manual.html[The AIDE manual]