Thursday, July 4, 2013

Intrusion detection tools on Linux - AIDE

AIDE is an opensource file integrity check tool. It can help you verifying files integrity in an easy way.

1. Install AIDE package on CentOS/RHEL:
# yum install -y aide

2. Check and adjust aide configuration file to fulfill your needs:
# vim /etc/aide.conf

3. Initialize AIDE database - it will scan all the files in folders that were included in the config file and save their hash as well as attributes info

4. You may consider keeping golden copy of AIDE database (default is set to /var/lib/aide/aide.db.gz) is secure and read-only location. It will allow you to compare current system integrity to the golden copy.
To check what changed run:
# aide -C
If you get "Couldn't open file /var/lib/aide/aide.db.gz for reading" error it means you need to move database generated in step 3 to this location:
#  mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

No comments:

Post a Comment