Chapter 7. Checking integrity with AIDE
Advanced Intrusion Detection Environment (AIDE) is a utility that creates a database of files on the system, and then uses that database to ensure file integrity and detect system intrusions.
7.1. Installing AIDE Copy linkLink copied to clipboard!
To start file-integrity checking with AIDE, you must install the corresponding package and initiate the AIDE database.
Prerequisites
-
The
AppStream
repository is enabled.
Procedure
Install the
aide
package:yum install aide
# yum install aide
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Generate an initial database:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow -
Optional: In the default configuration, the
aide --init
command checks just a set of directories and files defined in the/etc/aide.conf
file. To include additional directories or files in the AIDE database, and to change their watched parameters, edit/etc/aide.conf
accordingly. To start using the database, remove the
.new
substring from the initial database file name:mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Copy to Clipboard Copied! Toggle word wrap Toggle overflow -
Optional: To change the location of the AIDE database, edit the
/etc/aide.conf
file and modify theDBDIR
value. For additional security, store the database, configuration, and the/usr/sbin/aide
binary file in a secure location such as a read-only media.
7.2. Performing integrity checks with AIDE Copy linkLink copied to clipboard!
You can use the crond
service to schedule regular file-integrity checks with AIDE.
Prerequisites
- AIDE is properly installed and its database is initialized. See Installing AIDE
Procedure
To initiate a manual check:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow At a minimum, configure the system to run AIDE weekly. Optimally, run AIDE daily. For example, to schedule a daily execution of AIDE at 04:05 a.m. by using the
cron
command, add the following line to the/etc/crontab
file:05 4 * * * root /usr/sbin/aide --check
05 4 * * * root /usr/sbin/aide --check
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
7.3. Updating an AIDE database Copy linkLink copied to clipboard!
After verifying the changes of your system, such as package updates or configuration files adjustments, update also your baseline AIDE database.
Prerequisites
- AIDE is properly installed and its database is initialized. See Installing AIDE
Procedure
Update your baseline AIDE database:
aide --update
# aide --update
Copy to Clipboard Copied! Toggle word wrap Toggle overflow The
aide --update
command creates the/var/lib/aide/aide.db.new.gz
database file.-
To start using the updated database for integrity checks, remove the
.new
substring from the file name.
7.4. File-integrity tools: AIDE and IMA Copy linkLink copied to clipboard!
Red Hat Enterprise Linux provides several tools for checking and preserving the integrity of files and directories on your system. The following table helps you decide which tool better fits your scenario.
Question | Advanced Intrusion Detection Environment (AIDE) | Integrity Measurement Architecture (IMA) |
---|---|---|
What | AIDE is a utility that creates a database of files and directories on the system. This database serves for checking file integrity and detect intrusion detection. | IMA detects if a file is altered by checking file measurement (hash values) compared to previously stored extended attributes. |
How | AIDE uses rules to compare the integrity state of the files and directories. | IMA uses file hash values to detect the intrusion. |
Why | Detection - AIDE detects if a file is modified by verifying the rules. | Detection and Prevention - IMA detects and prevents an attack by replacing the extended attribute of a file. |
Usage | AIDE detects a threat when the file or directory is modified. | IMA detects a threat when someone tries to alter the entire file. |
Extension | AIDE checks the integrity of files and directories on the local system. | IMA ensures security on the local and remote systems. |