AIDE, the Advanced Intrusion Detection Environment, is a great tool for host-based file integrity monitoring. AIDE maintains a database of checksums over the content and attributes of critical system files. If any of these files change, a notification email is sent (by the cron job described below, which mails the output of each check).
Here’s the homepage for the AIDE project: http://aide.sourceforge.net/
Installing AIDE is easy since it’s available via yum:
```sh
yum install aide
```
Edit the configuration file at /etc/aide.conf and make the following changes:
- Change “verbose” from 5 to 0.
- Change the rule for “/var/log/lastlog” from “LSPP” to “LOG” (lastlog is rewritten on every login, so the stricter rule would flag a change after each one).
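The two edits above can be scripted and verified rather than made by hand. The following is an added example, not part of the original post: it writes a constructed sample of the relevant aide.conf lines (the `verbose=` and `/var/log/lastlog LSPP` formats are assumed from a stock Red Hat aide.conf), applies both changes with sed, and checks that only the intended lines were touched.

```sh
#!/bin/sh
# Added example: apply the two aide.conf edits from the post with sed and verify them.
# Assumed config format: "verbose=5" and "/path RULE" lines, as in a stock aide.conf.

# Write a constructed sample config containing the lines the edits act on.
make_sample_conf() {
  cat > "$1" <<'EOF'
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
verbose=5
/var/log/lastlog LSPP
/var/log/faillog LSPP
EOF
}

# Edit the config: verbose 5 -> 0, and the lastlog rule LSPP -> LOG.
# Other LSPP rules (for example faillog) must stay as they are, so the
# second expression is anchored to the lastlog path only.
apply_aide_edits() {
  conf="$1"
  sed -e 's/^verbose=5$/verbose=0/' \
      -e 's|^/var/log/lastlog[[:space:]][[:space:]]*LSPP$|/var/log/lastlog LOG|' \
      "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 only if both edits are present and the untouched rule survived.
verify_aide_edits() {
  conf="$1"
  grep -q '^verbose=0$' "$conf" || return 1
  grep -q '^/var/log/lastlog LOG$' "$conf" || return 1
  grep -q '^/var/log/faillog LSPP$' "$conf" || return 1
  return 0
}

# Demo on a temporary copy; on a real host point apply/verify at /etc/aide.conf.
demo=$(mktemp)
make_sample_conf "$demo"
apply_aide_edits "$demo"
if verify_aide_edits "$demo"; then
  echo "aide.conf edits applied and verified:"
  cat "$demo"
else
  echo "aide.conf edits did not apply as expected" >&2
fi
rm -f "$demo"
```

Run it against /etc/aide.conf by replacing the temporary file in the demo section; the verify step is the part worth keeping in any configuration-management run, since a silently failed sed leaves AIDE at the noisier defaults.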
To set up, build the initial database and move it into place as the reference copy:
```sh
/usr/sbin/aide --init
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
```
Also add a daily cronjob that runs a check operation:
```
0 5 * * * /usr/sbin/aide --check
```
This job will send notification email to “root”. Make sure “root” is aliased to an appropriate address so the notifications will actually be received.
The procedure when you receive a notification should be to:
- Review the changed files and confirm that the changes are legitimate.
- Update the aide database to reflect the new content/properties.
Here’s the update procedure:
```sh
/usr/sbin/aide --update
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
```
If you don’t update the database, the next daily check compares against the old reference and you’ll keep getting the same notifications over and over.
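The cron job above mails root the raw report. As an added example (not from the original post), the wrapper below runs the same check but puts a one-line verdict at the top of the mail, decoding AIDE's exit status so the reader sees at a glance whether files were added, removed or changed, and ends with the update commands from the post when there is something to review. The exit-status bit values (1 = new files, 2 = removed, 4 = changed, 14 and above = AIDE error) are taken from the aide(1) manual page; the script path /usr/local/bin/aide-check.sh in the comments is assumed.

```sh
#!/bin/sh
# Added example: cron wrapper for "aide --check" that summarises the exit status.
# Assumption: exit-status meanings as in aide(1): bits 1/2/4 = new/removed/changed,
# 14 or higher = error. AIDE_BIN defaults to the path used in the post.
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"

# Print a one-line summary for an aide exit status.
# Returns 0 for "no changes", 1 for "changes found", 2 for an aide error.
describe_aide_status() {
  status="$1"
  if [ "$status" -eq 0 ]; then
    echo "no changes detected"
    return 0
  fi
  if [ "$status" -ge 14 ]; then
    echo "aide error (exit status $status)"
    return 2
  fi
  summary=""
  [ $((status & 1)) -ne 0 ] && summary="${summary}new files; "
  [ $((status & 2)) -ne 0 ] && summary="${summary}removed files; "
  [ $((status & 4)) -ne 0 ] && summary="${summary}changed files; "
  echo "changes detected: ${summary%; }"
  return 1
}

# Run the check, keep the full report, and emit the summary first.
# Everything printed here becomes the body of the mail cron sends to root.
run_aide_check() {
  report=$(mktemp) || return 2
  if "$AIDE_BIN" --check > "$report" 2>&1; then
    status=0
  else
    status=$?
  fi
  verdict=0
  summary=$(describe_aide_status "$status") || verdict=$?
  echo "AIDE check on $(uname -n): $summary"
  if [ "$verdict" -ne 0 ]; then
    echo "---- full report ----"
    cat "$report"
    echo "---- next steps ----"
    echo "Review the changes above. Once confirmed legitimate, refresh the database:"
    echo "  /usr/sbin/aide --update"
    echo "  mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz"
  fi
  rm -f "$report"
  return "$verdict"
}

# Entry point for cron, e.g. (assumed install path):
#   0 5 * * * /usr/local/bin/aide-check.sh run
case "${1:-}" in
  run) run_aide_check ;;
esac
```

Keeping the update commands in the mail body is deliberate: the most common reason the same notification repeats daily is that nobody rotated aide.db.new.gz into place after reviewing it, and the reminder lands exactly where the reviewer is already looking.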