Advanced Intrusion Detection Environment (AIDE) sandbox.
Tip
The commands used to install and configure AIDE follow the CIS Benchmarks.
This example uses VirtualBox. Use the Vagrantfile template to start your box:
vagrant up
Install AIDE:
# Upgrade all packages
sudo apt update && sudo apt upgrade -y
# Install AIDE
sudo apt install -y aide aide-common
You'll be prompted to configure Postfix. Selecting "No configuration" will do for now.
Initiate AIDE:
sudo aideinit
Check the output:
$ sudo ls -l /var/lib/aide/
total 48576
-rw------- 1 root root 24868906 Apr 17 17:14 aide.db
-rw------- 1 root root 24868906 Apr 17 17:14 aide.db.new
Copy the new DB over the baseline:
Tip
You may choose to cp or mv
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Command to run AIDE manually:
sudo aide --check --config=/etc/aide/aide.conf
Tip
Detailed configuration options are documented in the aide.conf manual pages for Ubuntu and Debian, and further details can be found in the AIDE manual.
Edit the configuration file:
/etc/aide/aide.conf
The default configuration includes the rule files under /etc/aide/aide.conf.d.
As a sample for manual configuration:
Tip
Append $ to a path to match that exact file rather than everything beneath it (selection lines are regular expressions, so an unanchored path matches as a prefix).
@@x_include_setenv PATH /bin:/usr/bin
#@@x_include /etc/aide/aide.conf.d ^[a-zA-Z0-9_-]+$
/opt R
/etc R
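To make the sample above concrete, here is an added example (not from the page or the AIDE project) that writes a small hand-written aide.conf into a scratch directory, defines two rule groups, and checks the result. The scratch directory, the rule names NORMAL and LOGS, and the exclusion of /var/log/journal are assumptions for the example; a real deployment keeps the database paths under /var/lib/aide as shown in the page. The database_in/database_out option names are those of AIDE 0.17 and later (older releases use database=).

```shell
#!/usr/bin/env bash
# Added example: generate and sanity-check a minimal custom aide.conf.
# Everything under $1 is a constructed scratch location, not a system path.
set -eu

write_sample_aide_conf() {
  local dir="$1"
  cat > "$dir/aide.conf" <<EOF
# Baseline to compare against, and where --init/--update writes the new DB
database_in=file:$dir/aide.db
database_out=file:$dir/aide.db.new
gzip_dbout=yes

# Rule groups: perms, inode, link count, uid, gid, size, mtime, ctime, hash
NORMAL = p+i+n+u+g+s+m+c+sha256
# Log files change by design; only watch ownership and permissions
LOGS = p+u+g

# Selection lines: "<path> <rule>" recurses; "!<path>" excludes a subtree
/etc NORMAL
/opt NORMAL
/var/log LOGS
!/var/log/journal
EOF
  echo "$dir/aide.conf"
}

# Count selection lines (those starting with / or !), ignoring comments,
# option assignments and @@ directives.
count_selection_lines() {
  grep -c '^[/!]' "$1"
}

# Let AIDE parse the file itself when it is installed (aide -D / --config-check);
# otherwise only the local line count above has been done.
check_sample_aide_conf() {
  local conf="$1"
  if command -v aide >/dev/null 2>&1; then
    aide --config-check --config="$conf"
  else
    echo "aide not installed; skipped --config-check for $conf"
  fi
}

# Usage: ./sample_conf.sh --demo
if [ "${1:-}" = "--demo" ]; then
  scratch=$(mktemp -d)
  conf=$(write_sample_aide_conf "$scratch")
  echo "selection lines: $(count_selection_lines "$conf")"
  check_sample_aide_conf "$conf"
  rm -rf "$scratch"
fi
```

Once such a file is in place, the page's `sudo aide --init --config=...` step builds the baseline from it; running `aide --config-check` first catches a malformed rule line before a full filesystem walk.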
Once the configuration has changed, re-initialise the database so the baseline reflects the new rules:
sudo aide --init --config=/etc/aide/aide.conf
The new database then has to be copied over the baseline again:
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
A simple way of running AIDE automatically is via cron.daily:
sudo cp /usr/share/doc/aide/examples/aide.cron.daily /etc/cron.daily/aide
sudo chmod +x /etc/cron.daily/aide
There are several ways to disable the daily run, each with its own caveats.
This will show which scripts would be run without executing them:
sudo run-parts --test /etc/cron.daily
You can run the following commands to verify that AIDE is installed:
dpkg-query -s aide &>/dev/null && echo "aide is installed"
# aide is installed
dpkg-query -s aide-common &>/dev/null && echo "aide-common is installed"
# aide-common is installed
Log output can be found in several locations:
sudo journalctl | grep aide
sudo grep -i aide /var/log/syslog
sudo grep -i cron /var/log/syslog
sudo ls -l /var/log/aide
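The cron.daily and log passages above leave one practical question open: how a scheduled run should tell "clean" from "changed" from "broken". As an added example (not from the page or the AIDE project), the wrapper below decodes AIDE's documented exit status (0 clean; bits 1, 2 and 4 for new, removed and changed files; 14 and above for errors), records a one-line summary in the journal with logger(1) under the tag aide-check, and keeps the full report under /var/log/aide. The tag name, the report file name and the --run flag are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example: cron-friendly AIDE check that decodes the exit status.
# aide(1) exit status: 0 = no changes; 1, 2, 4 are bit flags for new,
# removed and changed files (so 5 = new+changed); 14+ = runtime error.
set -eu

# Turn an exit status into a short label. Returns 0 for clean, 1 when the
# database differs from the filesystem, 2 when AIDE itself failed.
aide_decode_status() {
  local rc="$1" out=""
  if [ "$rc" -eq 0 ]; then echo "clean"; return 0; fi
  if [ "$rc" -ge 14 ]; then echo "error:$rc"; return 2; fi
  [ $((rc & 1)) -ne 0 ] && out="${out}new,"
  [ $((rc & 2)) -ne 0 ] && out="${out}removed,"
  [ $((rc & 4)) -ne 0 ] && out="${out}changed,"
  echo "${out%,}"
  return 1
}

# Run the check, log the summary to the journal (journalctl -t aide-check)
# and store the full report; the wrapper's own exit status is AIDE's.
aide_run_check() {
  local conf="${1:-/etc/aide/aide.conf}" report rc=0 summary
  report=$(aide --check --config="$conf" 2>&1) || rc=$?
  summary=$(aide_decode_status "$rc") || true
  logger -t aide-check "result=$summary exit=$rc config=$conf"
  # AIDE prints the report to stdout only; keep a dated copy for responders.
  printf '%s\n' "$report" > "/var/log/aide/check-$(date +%F).log"
  echo "$summary"
  return "$rc"
}

# Usage (as root, e.g. from /etc/cron.daily): ./aide-check.sh --run [config]
if [ "${1:-}" = "--run" ]; then
  aide_run_check "${2:-/etc/aide/aide.conf}"
fi
```

Because the summary lands in the journal, `sudo journalctl -t aide-check` answers "did last night's run find anything?" without grepping syslog, and a non-zero exit from the wrapper lets cron's mail or a monitoring hook pick up both real changes and AIDE failures, which a plain `grep -i aide` would not distinguish.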