Chapter 8. Checking integrity with AIDE


Advanced Intrusion Detection Environment (AIDE) is a utility that creates a database of files on the system, and then uses that database to ensure file integrity and detect system intrusions.

8.1. Installing AIDE

To start file-integrity checking with AIDE, you must install the corresponding package and initiate the AIDE database.

Prerequisites

  • The AppStream repository is enabled.

Procedure

  1. Install the aide package:

    # dnf install aide
  2. Generate an initial database:

    # aide --init
    Start timestamp: 2024-07-08 10:39:23 -0400 (AIDE 0.16)
    AIDE initialized database at /var/lib/aide/aide.db.new.gz
    
    Number of entries:	55856
    
    ---------------------------------------------------
    The attributes of the (uncompressed) database(s):
    ---------------------------------------------------
    
    /var/lib/aide/aide.db.new.gz
    …
      SHA512   : mZaWoGzL2m6ZcyyZ/AXTIowliEXWSZqx
                 IFYImY4f7id4u+Bq8WeuSE2jasZur/A4
                 FPBFaBkoCFHdoE/FW/V94Q==
  3. Optional: In the default configuration, the aide --init command checks just a set of directories and files defined in the /etc/aide.conf file. To include additional directories or files in the AIDE database, and to change their watched parameters, edit /etc/aide.conf accordingly.
  4. To start using the database, remove the .new substring from the initial database file name:

    # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  5. Optional: To change the location of the AIDE database, edit the /etc/aide.conf file and modify the DBDIR value. For additional security, store the database, configuration, and the /usr/sbin/aide binary file in a secure location such as read-only media.

8.2. Performing integrity checks with AIDE

You can use the crond service to schedule regular file-integrity checks with AIDE.

Prerequisites

  • AIDE is properly installed and its database is initialized. See Installing AIDE.

Procedure

  1. To initiate a manual check:

    # aide --check
    Start timestamp: 2024-07-08 10:43:46 -0400 (AIDE 0.16)
    AIDE found differences between database and filesystem!!
    
    Summary:
      Total number of entries:	55856
      Added entries:		0
      Removed entries:		0
      Changed entries:		1
    
    ---------------------------------------------------
    Changed entries:
    ---------------------------------------------------
    
    f   ...      ..S : /root/.viminfo
    
    ---------------------------------------------------
    Detailed information about changes:
    ---------------------------------------------------
    
    File: /root/.viminfo
      SELinux  : system_u:object_r:admin_home_t:s | unconfined_u:object_r:admin_home
                 0                                | _t:s0
    …
  2. At a minimum, configure the system to run AIDE weekly. Optimally, run AIDE daily. For example, to schedule a daily execution of AIDE at 04:05 a.m. by using the cron command, add the following line to the /etc/crontab file:

     05 4 * * * root /usr/sbin/aide --check
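
The crontab line above relies on cron mailing AIDE's report, so a run that aborts on a configuration or I/O error is easy to mistake for a quiet, clean run. The following wrapper is an added example, not part of the original documentation: it decodes the exit status as described in the DIAGNOSTICS section of aide(1) and writes one syslog line per run. The function names, the `aide-check` syslog tag and the `--run` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: cron wrapper for "aide --check".
# Exit-status meanings are taken from the DIAGNOSTICS section of aide(1).

# aide_exit_summary RC -> one-line summary of an "aide --check" exit status.
aide_exit_summary() {
    rc=$1
    parts=""
    if [ "$rc" -eq 0 ]; then
        echo "clean"
    elif [ "$rc" -le 7 ]; then
        # Bitmask: 1 = added, 2 = removed, 4 = changed entries.
        if [ $((rc & 1)) -ne 0 ]; then parts="added"; fi
        if [ $((rc & 2)) -ne 0 ]; then parts="${parts:+$parts,}removed"; fi
        if [ $((rc & 4)) -ne 0 ]; then parts="${parts:+$parts,}changed"; fi
        echo "differences:$parts"
    else
        # Generic errors: the check itself did not complete.
        case "$rc" in
            14) echo "error:write" ;;
            15) echo "error:invalid-argument" ;;
            16) echo "error:unimplemented-function" ;;
            17) echo "error:invalid-config-line" ;;
            18) echo "error:io" ;;
            19) echo "error:version-mismatch" ;;
            *)  echo "error:unknown($rc)" ;;
        esac
    fi
}

# Run the check, log one syslog line, and print the report only when
# something needs attention (cron mails any output to the job owner).
run_aide_check() {
    status=0
    report=$(/usr/sbin/aide --check 2>&1) || status=$?
    summary=$(aide_exit_summary "$status")
    case "$summary" in
        clean)         prio=authpriv.info ;;
        differences:*) prio=authpriv.warning ;;
        *)             prio=authpriv.err ;;
    esac
    logger -t aide-check -p "$prio" "exit=$status result=$summary"
    if [ "$status" -ne 0 ]; then printf '%s\n' "$report"; fi
    return "$status"
}

# Only run when called with --run, e.g. from /etc/crontab.
if [ "${1:-}" = "--run" ]; then run_aide_check; fi
```

Installed under a path of your choice and called with `--run` from the crontab entry in place of `/usr/sbin/aide --check`, the wrapper lets a log pipeline alert on `result=error:*` separately from `result=differences:*`.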

Additional resources

  • cron(8) man page on your system

8.3. Updating an AIDE database

After verifying the changes to your system, such as package updates or configuration file adjustments, also update your baseline AIDE database.

Prerequisites

  • AIDE is properly installed and its database is initialized. See Installing AIDE.

Procedure

  1. Update your baseline AIDE database:

    # aide --update

    The aide --update command creates the /var/lib/aide/aide.db.new.gz database file.

  2. To start using the updated database for integrity checks, remove the .new substring from the file name.
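
The rename in this step, and in step 4 of Installing AIDE, replaces the trusted baseline, so it is worth refusing a missing or truncated file and keeping the previous database. The following functions are an added example, not part of the original documentation; the `.prev` and `.sha256` file names and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): promote aide.db.new.gz to
# aide.db.gz. The ".prev" and ".sha256" names are assumptions of this example.

# promote_aide_db DBDIR -> 0 on success, 1 if the new database is unusable.
promote_aide_db() {
    dbdir=$1
    new="$dbdir/aide.db.new.gz"
    cur="$dbdir/aide.db.gz"

    # Refuse to promote a missing, empty or truncated database.
    if [ ! -s "$new" ]; then
        echo "no new database at $new" >&2
        return 1
    fi
    if ! gzip -t "$new" 2>/dev/null; then
        echo "$new is not a valid gzip file" >&2
        return 1
    fi

    # Keep the previous baseline so the two can still be compared later.
    if [ -f "$cur" ]; then
        mv -f "$cur" "$cur.prev"
    fi
    mv "$new" "$cur"
    chmod 600 "$cur"

    # Record a digest; keep a copy off the host (for example on read-only
    # media) so that a later mismatch reveals a modified baseline.
    ( cd "$dbdir" && sha256sum aide.db.gz > aide.db.gz.sha256 )
}

# verify_aide_db DBDIR -> 0 if aide.db.gz still matches the recorded digest.
verify_aide_db() {
    ( cd "$1" && sha256sum -c aide.db.gz.sha256 >/dev/null 2>&1 )
}
```

Run `promote_aide_db /var/lib/aide` after `aide --init` or `aide --update`, and `verify_aide_db /var/lib/aide` before each `aide --check`.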

8.4. File-integrity tools: AIDE and IMA

Red Hat Enterprise Linux provides several tools for checking and preserving the integrity of files and directories on your system. The following table helps you decide which tool better fits your scenario.

Table 8.1. Comparison between AIDE and IMA

| Question | Advanced Intrusion Detection Environment (AIDE) | Integrity Measurement Architecture (IMA) |
|---|---|---|
| What | AIDE is a utility that creates a database of files and directories on the system. This database serves for checking file integrity and detecting intrusions. | IMA detects if a file is altered by checking file measurements (hash values) against previously stored extended attributes. |
| How | AIDE uses rules to compare the integrity state of the files and directories. | IMA uses file hash values to detect the intrusion. |
| Why | Detection - AIDE detects if a file is modified by verifying the rules. | Detection and Prevention - IMA detects and prevents an attack by replacing the extended attribute of a file. |
| Usage | AIDE detects a threat when the file or directory is modified. | IMA detects a threat when someone tries to alter the entire file. |
| Extension | AIDE checks the integrity of files and directories on the local system. | IMA ensures security on the local and remote systems. |

8.5. Configuring file integrity checks with the aide RHEL system role

You can configure Advanced Intrusion Detection Environment (AIDE) consistently across multiple systems by using the aide RHEL system role. The role automatically installs the aide package on all managed nodes, and depending on your configuration, it can perform the following actions:

  • Initialize the AIDE database and store it on the control node
  • Run AIDE integrity checks on the managed nodes
  • Update the AIDE database and store it on the control node

Prerequisites

Procedure

  1. Create a playbook file, for example ~/playbook.yml, with the following content:

    ---
    - name: Configure system integrity
      hosts: managed-node-01.example.com
      tasks:
        - name: Configure file integrity checks with AIDE
          ansible.builtin.include_role:
            name: rhel-system-roles.aide.aide
          vars:
            aide_db_fetch_dir: files
            aide_init: true
            aide_check: false
            aide_update: false
            aide_cron_check: true
            aide_cron_interval: 0 12 * * *

    The settings specified in the example playbook include the following:

    aide_db_fetch_dir: files
    Specifies the directory on the Ansible Control Node (ACN) for storing the AIDE database fetched from the remote nodes. With the default files value, the role stores the database in the same directory as the playbook. To store the database files somewhere else, specify a different path.
    aide_check: false
    Runs an integrity check on the remote nodes.
    aide_update: false
    Updates the AIDE database and stores it on the control node.
    aide_cron_check: true
    Configures a periodic cron job that activates AIDE integrity checks on the managed nodes.
    aide_cron_interval: 0 12 * * *
    Sets the interval for the cron job in the format <minute> <hour> <day_of_month> <month> <day_of_week>. The value 0 12 * * * sets it to run every day at noon.

    For details about all variables used in the playbook, see the /usr/share/ansible/roles/rhel-system-roles.aide/README.md file on the control node.

  2. Validate the playbook syntax:

    $ ansible-playbook --syntax-check ~/playbook.yml

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook:

    $ ansible-playbook ~/playbook.yml

Additional resources

  • /usr/share/ansible/roles/rhel-system-roles.aide/README.md file
  • /usr/share/doc/rhel-system-roles/aide/ directory

© 2025 Red Hat, Inc.