Configuration and setting-up of AIDE on RHEL6


AIDE is a powerful package for checking integrity of files on a machine/system.

Prerequisites: Just aide package.

[root@sunny ~]# yum install aide -y
Loaded plugins: refresh-packagekit, rhnplugin
This system is not registered with RHN.                                                                        
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package aide.x86_64 0:0.14-3.el6 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package         Arch              Version               Repository        Size
================================================================================
Installing:
 aide            x86_64            0.14-3.el6            local            123 k
Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 123 k
Installed size: 297 k
Downloading Packages:
aide-0.14-3.el6.x86_64.rpm                               | 123 kB     00:00    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : aide-0.14-3.el6.x86_64                                   1/1

Installed:
  aide.x86_64 0:0.14-3.el6    
                                                
Complete!
[root@sunny ~]#

Main configuration file for this aide is /etc/aide.conf, This file contains:
·         Default path of DBDIR,
·         LOGDIR,
·         From where the DB needs to be read,
·         Where the new DB needs to be created,
·         Which directories you need to include when you run a check od initialize a DB via aide,
·         And  various other things.

Now for getting started with aide firstly we need to initialize this:
[root@sunny ~]# /usr/sbin/aide --init
OR
[root@sunny ~]# aide --init

Once your aide it initialized it will show you a message and the path of your new database.
=============================
AIDE, version 0.14

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
============================

So the database which is present on location /var/lib/aide/aide.db.new.gz, /usr/sbin/aide and /etc/aide.conf are very critical you need to save all these files to a safe location, Like as the conf. file contains everything and the DB which you just created created information about your machine before any changes have been made.
The expected name of the DB which aide can read from is aide.db.gz which should be there in /var/lib/aide/ directory, Like the full path would be: /var/lib/aide/aide.db.gz.
Now suppose that some changes are made in the machine in which aide was initialized, Like vsftpd was installed.
Now we need to check whether there is any inconsistency between the database and the machine or not ?

[root@client aide]# aide --check

You can check the differences in the DB in aide.log file like which files were changed, removed, total number of files etc.

The default layout for aide.log file is as follows:
==================================
AIDE found differences between database and filesystem!!
Start timestamp: 2012-08-21 12:31:49

Summary:
  Total number of files:        118342
  Added files:                  0
  Removed files:                2
  Changed files:                177
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /var/log/nagios/spool/checkresults/cbIBh8r
removed: /var/log/nagios/spool/checkresults/cbIBh8r.ok
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /etc/vsftpd
changed: /etc/vsftpd/ftpusers

Followed by a long list of files which were changed.
==================================

If the changes are know then you can update your DB if not then you can take actions as required and again save that DB to a safe location.

 [root@client]# aide --update

Comments

  1. hamzaJune 5, 2017 at 11:13 AM

    It’s very informative and you are obviously very knowledgeable in this area. You have opened my eyes to varying views on this topic with interesting and solid content. Actually. I read it yesterday but I had some thoughts about it and today I wanted to read it again because it is very well written.

    ReplyDelete
  2. UnknownJuly 25, 2017 at 11:18 AM

    Hi, your blog really nice, keep it up! I’ll go ahead and bookmark your website to come back later.
    Regards,
    Linux Training Institutes in India
    Best Linux Training Institutes in Hyderabad
    Linux Course in Hyderabad
    Linux Online Training hyderabad
    Learn Linux Online
    Online Linux Training
    Linux Certification Training in Hyderabad
    Best Institutes for Linux
    Linux Institutes in Hyderabad
    Best Institutes for Linux in Hyderabad

    ReplyDelete

Post a Comment

Popular posts from this blog

Creating a SWAP partition in a LVM

Assuming that you have already created a physical volume ==> volume group. If not then click here..... Now firstly create a logical volume. Check the free space in your volume group by firing a command in terminal as vgdisplay VOLUMEGROUP NAME. [root@sunny ~]# vgdisplay vg_sunny   --- Volume group ---   VG Name               vg_sunny   System ID                Format                lvm2   Metadata Areas        1   Metadata Sequence No  3   VG Access             read/write   VG Status             resizable   MAX LV                0   Cur LV                2   Open LV               2   Max PV                0   Cur PV                1   Act PV                1   VG Size               14.51 GiB   PE Size               4.00 MiB   Total PE              3714   Alloc PE / Size       3204 / 12.52 GiB   Free  PE / Size       510 / 1.99 GiB   VG UUID               XdBCWB-sQw5-JQvn-v0an-VOWi-fIs9-Q7uEmm This command shows that in this volume group we still hav
Read more

Managing Partitions

Harddisk : It is a storage device which is used to store any kind of data, Currently there are two types of HDD available in market: SATA (Serial Advanced Technology Attachment). PATA (Parallel Advanced Technology Attachment). So the basic command to check your file system structure is fdisk -l, it will show you list of your harddisk's partition table. For more information on this you can see its man page by firing a command as man fdisk. Usually when a hard disk is inserted in a machine it acts like a file and is stored in /dev partition. So suppose that there are 3 hard disk in your machine then there naming convention would be /dev/sda (for the first HDD), /dev/sdb (for the second HDD), /dev/sdc (for the third HDD). parted : Stands for GNU Parted - a partition manipulation program, it is  a  disk  partitioning  and  partition resizing program.  It allows you to create, destroy, resize, move and copy ext2,  linux-swap,FAT,  FAT32,  and reiserfs partitions.  It can c
Read more