Automatically Detect File Changes on Your Server


From bashshell.net

AIDE (Advanced Intrusion Detection Environment) is a free, open source file integrity checker and a common alternative to Tripwire. AIDE takes a snapshot of the files and directories selected in its configuration (their attributes and checksums, not their contents), stores it in a database, and on later runs reports anything that has been added, removed or changed. This tutorial will show you how to create a script that automates the check and emails you the outcome.

Step #1: Install and Configure AIDE
If you need more information on installing and configuring AIDE, the file and directory selection lives in /etc/aide.conf, and the aide and aide.conf man pages describe every option.

Initialize the database first. This writes a new database to /var/lib/aide as aide.db.new.gz; AIDE reads from aide.db.gz (the database= line in aide.conf), so rename the new file before running the first check. The exact directory and file names depend on your distribution's aide.conf (some defaults omit the .gz suffix), so check the database and database_out lines if the paths below do not exist.

aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide --check

If you run aide --check and files have changed, review each one and determine whether the change is legitimate (a package update, an edit by your staff). If it is, update the database. The check output lists each changed file together with the old and new values of the attributes that differ, such as the checksums, so you can see exactly what changed.

Now run an update. This performs a check and at the same time writes a fresh database, again as aide.db.new.gz rather than overwriting the one in use.
aide --update

Once you have reviewed the report, change to the database directory and copy the new database over the original so the next check starts from the accepted state.
cd /var/lib/aide
cp aide.db.new.gz aide.db.gz

 
 

Step #2: Create a Script to Monitor Your Server
You will need to update the database after every change you have verified; otherwise each check keeps reporting the same files you already reviewed.
Create the script aide.sh, place it in the /root/scripts directory and make it executable by root only (chmod 700). Test it by running it by hand, then create a cron job to run it.

#!/bin/bash
# Run an AIDE check (scheduled every 4 hours from cron) and mail the result.
# Replace your_email with the address that should receive the report.
# mktemp avoids a fixed file name in world-writable /tmp that a local user could plant first.
logfile=$(mktemp /tmp/aide.XXXXXX)
/usr/sbin/aide --check > "$logfile" 2>&1
status=$?
# AIDE exits 0 when nothing differs; bits 1, 2 and 4 mean added, removed and changed files.
if [ "$status" -eq 0 ] && grep -q "Looks okay" "$logfile"
then
    echo "All Systems Look OK" | /bin/mail -s "AIDE OK" your_email
else
    # the added/removed/changed lines name the files that differ from the database
    grep -iE "added|removed|changed" "$logfile" | /bin/mail -s "AIDE PROBLEM" your_email
fi
rm -f "$logfile"
exit "$status"

 
 
Step #3: Create 4 Hour Cron Job With AIDE
You need a cron job that runs the script on a regular basis (every 4 hours here) so you learn about file changes soon after they happen. Before scheduling it, here is what each part of the script does.

logfile=$(mktemp /tmp/aide.XXXXXX)

Create a temporary file to hold the report. mktemp gives it an unpredictable name; a fixed name such as /tmp/aide in the world-writable /tmp directory could be created by a local user before root writes to it.

/usr/sbin/aide --check > "$logfile" 2>&1
status=$?

Run the check, capturing both the report and any error messages, and save AIDE's exit status: 0 means nothing differs from the database, and the bits 1, 2 and 4 mean files were added, removed or changed. Values of 14 and above mean the run itself failed, for example because of a configuration error.

if [ "$status" -eq 0 ] && grep -q "Looks okay" "$logfile"
then
    echo "All Systems Look OK" | /bin/mail -s "AIDE OK" your_email
else
    grep -iE "added|removed|changed" "$logfile" | /bin/mail -s "AIDE PROBLEM" your_email
fi
rm -f "$logfile"
exit "$status"

The script first checks the exit status and the report to see whether AIDE says everything is "okay". If there are no changes, it sends a message saying "All Systems Look OK". Otherwise it mails the lines of the report that list the added, removed or changed files and folders (including the summary counts), then deletes the temporary file and exits with AIDE's own status.
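As an added example, not part of the original post, the following script shows the classification logic a practitioner would want behind the mail subject: it decodes AIDE's documented exit status (0 = no differences, bit 1 = new files, bit 2 = removed files, bit 4 = changed files, 14 and above = an error such as a broken config) and pulls the per-file lines out of a report. The report text is constructed here, in the older "added: /path" style that the page's grep expects; newer AIDE versions list the files under "Added entries:" headings with a flag column, which is why the exit status is the more robust signal. The cron line and the /root/scripts/aide.sh path are assumptions taken from the page's own suggestion.

```shell
#!/bin/bash
# Added example (not from the original page): classify an AIDE run by its exit
# status and extract the per-file lines from its report. Assumes AIDE's
# documented exit status bits and the older "added:/removed:/changed:" report
# style; the sample report below is constructed, not a real aide --check run.

# Mail subject for a given exit status, mirroring the page's OK / PROBLEM split
# and adding a separate subject for errors, which are not "all OK".
aide_subject() {
    local status=$1
    if [ "$status" -eq 0 ]; then
        echo "AIDE OK"
    elif [ "$status" -ge 14 ]; then
        echo "AIDE ERROR"
    else
        echo "AIDE PROBLEM"
    fi
}

# Decode the status bits into a comma separated list, e.g. 5 -> "added,changed".
aide_change_kinds() {
    local status=$1 kinds=""
    if [ $((status & 1)) -ne 0 ]; then kinds="${kinds}added,"; fi
    if [ $((status & 2)) -ne 0 ]; then kinds="${kinds}removed,"; fi
    if [ $((status & 4)) -ne 0 ]; then kinds="${kinds}changed,"; fi
    echo "${kinds%,}"
}

# Print only the per-file lines of a report (added:/removed:/changed:),
# dropping the banner and summary text. Prints nothing when there are none.
aide_changed_entries() {
    grep -E '^(added|removed|changed): ' "$1" || true
}

# Number of such lines; prints 0 when the report has none.
aide_changed_count() {
    grep -cE '^(added|removed|changed): ' "$1" || true
}

# Constructed sample report standing in for the output of "aide --check".
sample_report=$(mktemp)
trap 'rm -f "$sample_report"' EXIT
cat > "$sample_report" <<'EOF'
AIDE found differences between database and filesystem!!
Summary:
  Added files:   1
  Removed files: 0
  Changed files: 2

added: /usr/local/bin/helper
changed: /etc/passwd
changed: /etc/ssh/sshd_config
EOF
sample_status=5   # 1 (added) | 4 (changed): what AIDE would return for this report

echo "Subject: $(aide_subject "$sample_status") ($(aide_change_kinds "$sample_status"))"
echo "Entries: $(aide_changed_count "$sample_report")"
aide_changed_entries "$sample_report"

# The cron entry Step #3 calls for, assuming the script lives at
# /root/scripts/aide.sh as the page suggests (add it with "crontab -e" as root):
#   0 */4 * * * /root/scripts/aide.sh
```

Using the exit status rather than grepping for "Looks okay" also means a failed run (bad config, unreadable database) is reported as an error instead of being lumped in with, or mistaken for, a clean result.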

AIDE output must be reviewed by an administrator. If you see that files have changed but you recognize the changes were made by your staff, run aide --update and copy the new database over the old one as in Step #1, so the next check starts from the accepted state. Keep a copy of the database and of aide.conf off the server (or on read-only media): an intruder who gains root can otherwise simply re-baseline the database to hide their changes.

If the changes were NOT legitimate, then you have other serious problems to deal with, and the list of changed files is your starting point for the investigation.


g33kadmin

I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....