hank-test/quick-docs
1
0
Fork 0
mirror of https://pagure.io/fedora-docs/quick-docs.git synced 2024-11-24 21:35:17 +00:00
Code Issues 1 Projects Releases Packages Wiki Activity Actions
quick-docs/modules/ROOT/pages/aide-checking-file-integrity.adoc

120 lines
4.1 KiB
Text
Raw Blame History

= Checking Integrity With *AIDE*
Héctor Louzao; The Fedora Documentation Team
:revnumber: F38
:revdate: 2023-08-09
:page-aliases: using-aide.adoc
:category: Administration
:tags: How-to Monitoring
// Optional free form useful additional information as comment
[abstract]
Advanced Intrusion Detection Environment (AIDE) is a utility that creates a database of files on the system, and then uses that database to ensure file integrity and detect system intrusions.
== Installing *AIDE*
. To install the _aide_ package:
+
[source,shell,subs="attributes"]
----
$ sudo dnf install aide
----
. To generate an initial database:
+
[source,shell,subs="attributes"]
----
$ sudo aide --init
Start timestamp: 2018-07-11 12:35:47 +0200 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz
Number of entries: 150666
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new.gz
MD5 : 0isjEPsCORFk7laoGGz8tQ==
SHA1 : j0aPLakWChM+TAuxfVIpy9nqBOE=
RMD160 : nYyyx0AGZj4e5rwcz77afasXFrw=
TIGER : IBVo5A2A4En1kM6zDjD/MnlkN4QWeSOw
SHA256 : YveypaI9c5PJNvPSZf8YFfjCMWfGUA8q
vyqLpLJWY0E=
SHA512 : TiUYmHYflS3A+j17qw5mW78Fn2yXLpCF
1LE1/RhiqqtMn1MjkKDrr+3TE+/vWfa4
7253cDhNmC6hoFndkS67Xw==
End timestamp: 2018-07-11 12:37:35 +0200 (run time: 1m 48s)
----
NOTE: In the default configuration, the *aide --init* command checks just a set of directories and files defined in the `/etc/aide.conf` file. To include additional directories or files in the AIDE database, and to change their watched parameters, edit `/etc/aide.conf` accordingly.
. To start using the database, remove the `.new` substring from the initial database file name:
+
[source,shell,subs="attributes"]
----
$ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
----
. To change the location of the *AIDE* database, edit the `/etc/aide.conf` file and modify the `DBDIR` value. For additional security, store the database, configuration, and the `/usr/sbin/aide` binary file in a secure location such as a read-only media.
+
IMPORTANT: To avoid SELinux denials after the AIDE database location change, update your SELinux policy accordingly. See the xref:changing-selinux-states-and-modes.adoc[Changing SELinux states and modes] guide for more information.
//link:https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/[SELinux User's and Administrator's Guide] for more information.
== Performing Integrity Checks
To initiate a manual check:
[source,shell,subs="attributes"]
----
$ sudo aide --check
Start timestamp: 2018-07-11 12:41:20 +0200 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 150667
Added entries: 1
Removed entries: 0
Changed entries: 2
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /etc/cups/subscriptions.conf.O
...
[output truncated]
----
At a minimum, *AIDE* should be configured to run a weekly scan. At most, *AIDE* should be run daily. For example, to schedule a daily execution of AIDE at _04:05_ a.m. use the *cron* command.
Add the following line to the `/etc/crontab` file:
[source,shell,subs="attributes"]
----
05 4 * * * root /usr/sbin/aide --check
----
== Updating an *AIDE* Database
After verifying the changes of your system such as, package updates or configuration files adjustments, update your baseline *AIDE* database:
[source,shell,subs="attributes"]
----
$ sudo aide --update
----
The *aide --update* command creates the `/var/lib/aide/aide.db.new.gz` database file. To start using it for integrity checks, remove the `.new` substring from the file name.
== Additional Resources
For additional information on *AIDE*, see the following documentation:
- link:https://static.open-scap.org/ssg-guides/ssg-fedora-guide-index.html[Guide to the Secure Configuration of Fedora (OpenSCAP Security Guide)]
- link:https://aide.github.io/doc/[The AIDE manual]
Reference in a new issue View git blame Copy permalink