AIDE (Advanced Intrusion Detection Environment) is a file integrity checking tool, similar to Tripwire. It takes a snapshot (a baseline database) of the filesystem state, including permissions, ownership, modification times and file hashes, and later compares the current state of the filesystem against that baseline. Any difference is reported, which makes it possible to detect unauthorized changes to configuration files, binaries and other monitored paths.
1. Install the package
apt install aide aide-common
2. Initialize AIDE
aideinit
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
aideinit writes the new baseline to /var/lib/aide/aide.db.new, while the check reads /var/lib/aide/aide.db, so the mv activates the baseline. Repeat both steps after every intentional change (package upgrades, configuration edits), otherwise every later check keeps reporting those changes. Keep a copy of the database and of /etc/aide/aide.conf on read-only or offline storage: an attacker with root can otherwise re-initialize the database to hide their changes.
3. Check the filesystem integrity periodically
a. using cron to schedule
crontab -u root -e
add the following:
0 6 * * * /usr/bin/aide.wrapper --config /etc/aide/aide.conf --check
where:
-0 6 * * * runs the check every day at 06:00
-/usr/bin/aide.wrapper (installed by aide-common) is used instead of calling aide directly in order to prevent conflicts with the packaged daily check and to protect the database
-the options are --config and --check with two ASCII hyphens; a copy-pasted en dash is rejected by aide
b. using a systemd timer (aidecheck.timer) and service (aidecheck.service)
-Check whether the units already exist and are enabled:
systemctl is-enabled aidecheck.service
systemctl is-enabled aidecheck.timer
systemctl status aidecheck.timer
-Edit/Create /etc/systemd/system/aidecheck.service and add the following (Type=oneshot, so that systemd and the timer treat the unit as finished only when aide has exited):
[Unit]
Description=Aide Check
[Service]
Type=oneshot
ExecStart=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check
[Install]
WantedBy=multi-user.target
-Edit/Create /etc/systemd/system/aidecheck.timer and add the following:
[Unit]
Description=Aide check every day at 6AM
[Timer]
OnCalendar=*-*-* 06:00:00
Unit=aidecheck.service
[Install]
WantedBy=timers.target
-Run the commands below:
chmod 0644 /etc/systemd/system/aidecheck.*
chown root:root /etc/systemd/system/aidecheck.*
systemctl daemon-reload
systemctl enable aidecheck.service
systemctl --now enable aidecheck.timer
-Confirm the next scheduled run with:
systemctl list-timers aidecheck.timer
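Both schedules above only run aide.wrapper; whether anything changed is visible only in the report and in AIDE's exit status (0 = no changes, bits 1/2/4 = added/removed/changed files, 14 and above = the check itself failed). The script below is an added example, not part of AIDE, aide-common or the page's own procedure: it runs the same check, keeps the report, decodes the status into a verdict and writes it to syslog, so the cron line or ExecStart can point at it instead. The report directory /var/log/aide, the syslog tag aide-check and the "run" argument are choices made here and can be changed.

```shell
#!/bin/sh
# Added example (not AIDE's own code): wrapper around the scheduled check that
# keeps the report, decodes AIDE's exit status and raises a syslog message.
# Assumptions: REPORT_DIR and SYSLOG_TAG are values chosen for this example.
#
# AIDE exit status (see aide(1)):
#   0      no changes
#   1..7   bit 1 = new files, bit 2 = removed files, bit 4 = changed files
#   14+    the check did not complete (bad config, I/O error, ...)

AIDE_CMD="${AIDE_CMD:-/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check}"
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"   # assumed location for saved reports
SYSLOG_TAG="aide-check"                      # assumed syslog tag

# decode_aide_status STATUS
#   prints a one-line verdict; returns 0 = clean, 1 = changes found, 2 = error
decode_aide_status() {
    st="$1"
    if [ "$st" -eq 0 ]; then
        echo "clean: no changes detected"
        return 0
    fi
    if [ "$st" -gt 7 ]; then
        echo "error: aide exited with status $st, check did not complete"
        return 2
    fi
    found=""
    if [ $((st & 1)) -ne 0 ]; then found="$found added"; fi
    if [ $((st & 2)) -ne 0 ]; then found="$found removed"; fi
    if [ $((st & 4)) -ne 0 ]; then found="$found changed"; fi
    echo "changes detected:${found} files"
    return 1
}

# run_aide_check
#   runs AIDE, saves the full report, logs the verdict; returns the decode level
run_aide_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).log"
    # AIDE_CMD is intentionally unquoted so its options are split into words;
    # the if/else captures the exit status without tripping set -e
    if $AIDE_CMD >"$report" 2>&1; then
        st=0
    else
        st=$?
    fi
    if verdict=$(decode_aide_status "$st"); then
        level=0
    else
        level=$?
    fi
    case "$level" in
        0) prio="auth.info" ;;
        1) prio="auth.warning" ;;
        *) prio="auth.err" ;;
    esac
    if command -v logger >/dev/null 2>&1; then
        logger -t "$SYSLOG_TAG" -p "$prio" "$verdict (report: $report)" 2>/dev/null || true
    fi
    echo "$verdict (report: $report)"
    return "$level"
}

# Run the check only when invoked as "aide-check.sh run", so the file can also
# be sourced for its functions.
case "${1:-}" in
    run) run_aide_check ;;
esac
```

Save it as, for example, /usr/local/sbin/aide-check.sh (an assumed path), mark it root-owned and 0700, and use `/usr/local/sbin/aide-check.sh run` as the cron command or as ExecStart. Because the script returns 1 when files changed and 2 when the check failed, `systemctl status aidecheck.service` and the cron mail show the outcome without opening the report, and the syslog line can be picked up by whatever log pipeline is already in place.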