Ever heard of AIDE? Neither had I. Apparently it's a simple host-based intrusion detection application (Advanced Intrusion Detection Environment) that can be used to monitor file changes. It can be configured to monitor permission, ownership, timestamp, or content changes.
Let's install it. It's in the stock Red Hat repos, so it's a piece of cake to install via yum.
[root@localhost ~]# yum -y install aide
Once installed, you can tweak the config file (/etc/aide.conf) to your liking. The stock config is pretty thorough, so I am going to trim it down a bit and just monitor /etc for permission changes and /bin for what the config defines as NORMAL changes. NORMAL compares file hashes to see whether the files have been modified.
/bin NORMAL
/etc PERMS
Now let's initialize aide:
[root@localhost ~]# aide --init
AIDE, version 0.15.1
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
Now this part is silly: we need to copy the database created above to the filename aide is configured to use.
[root@localhost ~]# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Now let's check for changes.
[root@localhost ~]# aide --check
AIDE, version 0.15.1
### All files match AIDE database. Looks okay!
Hey, no changes. Now let's monkey with something and see if aide catches it. In this example we create a new file in /etc. As seen below, aide catches the new file and reports on it.
[root@localhost ~]# touch /etc/aide.test.change
[root@localhost ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2014-07-15 19:51:14
Summary:
Total number of files: 5054
Added files: 1
Removed files: 0
Changed files: 0
---------------------------------------------------
Added files:
---------------------------------------------------
added: /etc/aide.test.change
So now let's re-initialize the database, which is pretty much a snapshot.
[root@localhost ~]# aide --init
AIDE, version 0.15.1
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
Don't forget to overwrite the old database.
[root@localhost ~]# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
cp: overwrite ‘/var/lib/aide/aide.db.gz’? yes
Now let's change the permissions on our test file and see if aide catches the change. I'll spare you the suspense and let you know that aide did its job. See below.
[root@localhost ~]# chmod 777 /etc/aide.test.change
[root@localhost ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2014-07-15 19:54:09
Summary:
Total number of files: 5054
Added files: 0
Removed files: 0
Changed files: 2
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /etc/aide.test.change
changed: /root/.mozilla/firefox/8u03e3hs.default/sessionstore.js
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/aide.test.change
Perm : -rw-r--r-- , -rwxrwxrwx
ACL : old = A:
----
user::rw-
group::r--
other::r--
----
D: <NONE>
new = A:
----
user::rwx
group::rwx
other::rwx
----
D: <NONE>
Now aide on its own is just a simple tool, but run via cron with a bit of tuning and a bit more logic behind it, I can see it being a very useful tool. Looking forward to playing with it more.
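Building on that last thought, here is an added example (mine, not from the post or the AIDE project) of the cron-side logic: a POSIX sh wrapper that parses the Summary block of an aide --check report and exits non-zero only when something was added, removed or changed. It assumes aide is installed and the database was copied into place as above; the log path under /var/log/aide is an assumption.

```sh
# Added example (not from the original post): a cron-friendly wrapper around
# `aide --check` that only makes noise when something was added, removed or changed.

# Print one Summary counter ("Added files", "Removed files", "Changed files")
# from an AIDE report on stdin; 0 for a clean run, where no Summary exists.
aide_count() {
    awk -v label="$1" -F':[ \t]*' '
        { sub(/^[ \t]+/, "", $1) }
        $1 == label && $2 ~ /^[0-9]+$/ { print $2; found = 1 }
        END { if (!found) print 0 }'
}

# Classify a report read on stdin: prints "clean" and returns 0, or prints the
# three counters and returns 1 so a cron job can act on the exit status.
aide_report_status() {
    report=$(cat)
    added=$(printf '%s\n' "$report" | aide_count "Added files")
    removed=$(printf '%s\n' "$report" | aide_count "Removed files")
    changed=$(printf '%s\n' "$report" | aide_count "Changed files")
    if [ "$added" -eq 0 ] && [ "$removed" -eq 0 ] && [ "$changed" -eq 0 ]; then
        echo clean
        return 0
    fi
    echo "changed added=$added removed=$removed changed=$changed"
    return 1
}

# Cron entry point (assumes aide is installed and its database initialised and
# copied into place as in the post); /var/log/aide/check.log is an assumed path.
aide_cron_check() {
    report=$(aide --check 2>&1)
    status=$(printf '%s\n' "$report" | aide_report_status) && return 0
    logger -t aide "$status"
    printf '%s\n' "$report" >> /var/log/aide/check.log
    return 1
}

# Constructed sample reports mirroring the post's output, so the parser can be
# exercised without a live AIDE run.
SAMPLE_CLEAN='AIDE, version 0.15.1
### All files match AIDE database. Looks okay!'
SAMPLE_CHANGED='AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2014-07-15 19:54:09
Summary:
Total number of files: 5054
Added files: 0
Removed files: 0
Changed files: 2
Changed files:
changed: /etc/aide.test.change'
```

Because anyone with write access to /var/lib/aide can simply re-initialise the baseline, keep a copy of aide.db.gz on read-only or off-host storage and compare against that copy.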