Configuration and setting-up of AIDE on RHEL6


AIDE is a powerful package for checking integrity of files on a machine/system.

Prerequisites: Just aide package.

[root@sunny ~]# yum install aide -y
Loaded plugins: refresh-packagekit, rhnplugin
This system is not registered with RHN.                                                                        
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package aide.x86_64 0:0.14-3.el6 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package         Arch              Version               Repository        Size
================================================================================
Installing:
 aide            x86_64            0.14-3.el6            local            123 k
Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 123 k
Installed size: 297 k
Downloading Packages:
aide-0.14-3.el6.x86_64.rpm                               | 123 kB     00:00    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : aide-0.14-3.el6.x86_64                                   1/1

Installed:
  aide.x86_64 0:0.14-3.el6    
                                                
Complete!
[root@sunny ~]#

Main configuration file for this aide is /etc/aide.conf, This file contains:
·         Default path of DBDIR,
·         LOGDIR,
·         From where the DB needs to be read,
·         Where the new DB needs to be created,
·         Which directories you need to include when you run a check od initialize a DB via aide,
·         And  various other things.

Now for getting started with aide firstly we need to initialize this:
[root@sunny ~]# /usr/sbin/aide --init
OR
[root@sunny ~]# aide --init

Once your aide it initialized it will show you a message and the path of your new database.
=============================
AIDE, version 0.14

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
============================

So the database which is present on location /var/lib/aide/aide.db.new.gz, /usr/sbin/aide and /etc/aide.conf are very critical you need to save all these files to a safe location, Like as the conf. file contains everything and the DB which you just created created information about your machine before any changes have been made.
The expected name of the DB which aide can read from is aide.db.gz which should be there in /var/lib/aide/ directory, Like the full path would be: /var/lib/aide/aide.db.gz.
Now suppose that some changes are made in the machine in which aide was initialized, Like vsftpd was installed.
Now we need to check whether there is any inconsistency between the database and the machine or not ?

[root@client aide]# aide --check

You can check the differences in the DB in aide.log file like which files were changed, removed, total number of files etc.

The default layout for aide.log file is as follows:
==================================
AIDE found differences between database and filesystem!!
Start timestamp: 2012-08-21 12:31:49

Summary:
  Total number of files:        118342
  Added files:                  0
  Removed files:                2
  Changed files:                177
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /var/log/nagios/spool/checkresults/cbIBh8r
removed: /var/log/nagios/spool/checkresults/cbIBh8r.ok
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /etc/vsftpd
changed: /etc/vsftpd/ftpusers

Followed by a long list of files which were changed.
==================================

If the changes are know then you can update your DB if not then you can take actions as required and again save that DB to a safe location.

 [root@client]# aide --update

Comments

  1. hamzaJune 5, 2017 at 11:13 AM

    It’s very informative and you are obviously very knowledgeable in this area. You have opened my eyes to varying views on this topic with interesting and solid content. Actually. I read it yesterday but I had some thoughts about it and today I wanted to read it again because it is very well written.

    ReplyDelete
  2. UnknownJuly 25, 2017 at 11:18 AM

    Hi, your blog really nice, keep it up! I’ll go ahead and bookmark your website to come back later.
    Regards,
    Linux Training Institutes in India
    Best Linux Training Institutes in Hyderabad
    Linux Course in Hyderabad
    Linux Online Training hyderabad
    Learn Linux Online
    Online Linux Training
    Linux Certification Training in Hyderabad
    Best Institutes for Linux
    Linux Institutes in Hyderabad
    Best Institutes for Linux in Hyderabad

    ReplyDelete

Post a Comment

Popular posts from this blog

Installing Tomcat8 on RHEL6

Image
Apache-HTTP v/s Apache-Tomcat: The basic difference is Apache-Tomcat is written in Java but Apache-HTTP is written in C. Apart from this Apache-Tomcat is used as a webserver as well as to deploy Java Servlet's and JSP's [Java server pages] so basically Apache-Tomcat is used to serve Java Technologies whereas Apache-HTTP is used to serve HTTP. Prerequisites: Appropriate version of JRE [Java run-time environment] for instance jre1.7 is required to run tomcat-8[.X.X]. Tomcat binaries, for version 8 check this link . Sudo/Root access to the machine. Step1: Install JRE Download JRE from Java's official website. You can keep Java at any location but for my ease I have kept both Tomcat and Java in /opt. # cd /opt # cp jre-7u45-linux-x64.tar.gz . # tar -zxvf jre-7u45-linux-x64.tar.gz  The above command will create a folder with JRE binaries. In my case it was "jre1.7.0_45". Now set JRE_HOME [Required by Tomcat] and PATH. export JRE_HOME=/opt/jre1.7.
Read more

Manage existing resources via Helm

Manage existing resources via Helm Helm is really a very powerful tool for managing Kubernetes objects. With a single command, we can install or upgrade multiple related Kubernetes entities. Let's say we want to install any chart from the helm registry, we just need to type in the below command and helm will do the heavy lifting for us. $ helm install [RELEASE_NAME] [REPO]/[CHART] But below post is not about the basics of helm or how to install or upgrade a chart, etc. It's been a long time since I wrote anything, so I just thought to write something about what new I learned today :)  While installing one of my charts, I encountered below issue: Error: INSTALLATION FAILED: rendered manifests contain a resource that already exists. Unable to continue with install: StorageClass "demo-sc" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "app.kubernetes.io/managed-by&qu
Read more