Sep 122012


AIDE (Advanced Intrusion Detection Environment) is the Open Source version of Tripwire. AIDE takes a snapshot of every file on your server, records it and then will notify you of any changes. This tutorial will show you how to create a script that will automate this process and send you an email of the outcome.

Step #1: Install and Configure AIDE
If you need more information on installation and configuring AIDE.

Initialize the database first. It will create a database in /var/lib/aide.

<br />
aide --init<br />
mv /var/lib/aide/ /var/lib/aide/aide/db.gz<br />
aide --check<br />

If you run aide and files have changed, review the files and then determine if they are legitimate changes. If they are update. Notice in this example you can see changed files and the sums for those that changed.
Now run an update.

aide --update

Once you have updated change to the database directory and copy the new database to the original.

cd /var/lib/aide<br />
cp aide.db.gz


Step #2: Create a Script to Monitor Your Server
You will need to constantly update so you do not see the same files that you have verified previously.
Create the script and place it in the /root/scripts directory. Test and then create a cron job to run it.

<br />
#!/bin/bash<br />
# Create 4 Hour Cron Job With AIDE<br />
/usr/sbin/aide --check > /tmp/aide<br />
logfile=/tmp/aide<br />
x=$(grep "Looks okay" $logfile | wc -l)<br />
if [ $x -eq 1 ]<br />
then<br />
echo "All Systems Look OK" | /bin/mail -s "AIDE OK" your_email<br />
else<br />
echo "$(egrep "added|changed" /tmp/aide)" | /bin/mail -s "AIDE PROBLEM" your_email


Step #3: Create 4 Hour Cron Job With AIDE
You need to create a cron job which will run on a regular basis to check to see if files change on the system.

/usr/sbin/aide --check > /tmp/aide

Create a temporary file to evaluate. This file will be overwritten on the next check.


The variable sets the location of the temporary file.

x=$(grep "Looks okay" $logfile | wc -l)<br />
if [ $x -eq 1 ]<br />
then<br />
echo "All Systems Look OK" | /bin/mail -s "AIDE OK" your_email<br />
else<br />
echo "$(egrep "added|changed" /tmp/aide)" | /bin/mail -s "AIDE PROBLEM" your_email<br />
fi<br />
exit<br />

The script firsts checks the logfile to see if there are changes or if it is “okay”. If there are no changes then the script sends a message that “All Systems Look OK”. If there are changes, the script lists those files and folders that have been added or changed in an email.

AIDE output must be dealt with as an administrator. So if you see that files have changed but you recognize the changes were performed by your staff then you need to update and reset everything.

If the changes were NOT legitimate, then you have other serious problems to deal with.


Share This!
 Posted by at 8:24 pm

Sorry, the comment form is closed at this time.