aide

Advanced Intrusion Detection Environment.

https://blog.rapid7.com/2017/06/30/how-to-install-and-configure-aide-on-ubuntu-linux/

AIDE seems to work better than Tripwire, so I just switched over to it. Both the commands and the reports seem to be better, so I will run with this for now. The aide program itself seems not to work, but you can initialize the database with:

initialize
# aide -i does not work here; the Debian/Ubuntu package ships a wrapper that runs it with the generated config instead:
aideinit

Generate a new config file:

config file
update-aide.conf
cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf

update-aide.conf concatenates /etc/aide/aide.conf and the fragments in /etc/aide/aide.conf.d/ into /var/lib/aide/aide.conf.autogenerated, which is the file the Debian/Ubuntu wrappers (aideinit, aide.wrapper and the package's daily cron job) hand to aide. The cp is only needed if you want to run the bare aide binary against /etc/aide/aide.conf; keep local rule changes in /etc/aide/aide.conf.d/ and regenerate, rather than editing the copy.

And check with:

call wrapper
# aide -C does not work either, so use the wrapper, which passes the generated config to aide
# (a check is aide's default command, which is why no option is needed):
aide.wrapper

Fine by me; this last command reports problems straight away, even when run directly after initializing:

output
---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /media/cdrom0/tst
f++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------
Changed entries:
---------------------------------------------------

d =.... mc.. .. .: /etc/aide
d =.... mc.. .. .: /media/cdrom0
d =.... mc.. .. .: /root
f >.... mc..C.. .: /root/.bash_history
f >.... mci.C.. .: /root/.viminfo
f =.... mc.....  : /run/systemd/timesync/synchronized
d =.... mc.. ..  : /run/systemd/units
f =.... mc..... .: /var/lib/systemd/timesync/clock

---------------------------------------------------

Actually, the added files are expected: the AIDE database itself, and I redirected the output into tst (on /media/cdrom), so that figures as well.

The changed entries carry a string of letter codes, explained under the summarize_changes option in man aide.conf. The first character is the file type: f (regular file) or d (directory) here; l (symbolic link), b (block device) and c (character device) are also possible.

The next code is the size: < = > mean the file became smaller, stayed the same size, or grew. In the rest of the string a dot means the attribute was checked and is unchanged, a space means the rule for that path does not check it, and a letter means it changed. The letters mean the following.

From man aide.conf:

aide.conf
o      A l means that the link name has changed.

o      A b means that the block count has changed.

o      A p means that the permissions have changed.

o      An u means that the uid has changed.

o      A g means that the gid has changed.

o      An a means that the access time has changed.

o      A m means that the modification time has changed.

o      A c means that the change time has changed.

o      An i means that the inode has changed.

o      A n means that the link count has changed.

o      A C means that one or more checksums have changed.
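To make the codes above practical, here is an added example (my own, not part of the original notes and not AIDE's code) that reads report lines in this summarize_changes layout and sorts them into added, removed, content, metadata and timestamps-only, so that pure timestamp noise drops out before you look at the rest. It assumes the line layout shown in the report on this page; the sample lines are copied from that report plus one constructed ownership change.

```shell
#!/bin/sh
# Added example, not part of the original notes: triage the one-line entries of
# an AIDE report in the "summarize_changes" layout shown above, e.g.
#   f >.... mc..C.. .: /root/.bash_history
# Entries whose content or ownership changed are separated from pure
# timestamp noise, which is what you need before deciding what to suppress.
# Assumptions (per man aide.conf): first char = file type, then attribute
# codes where '<' '=' '>' is size, a/m/c are timestamps, C a checksum,
# p/u/g/i/n/l/b other metadata, '.' unchanged, ' ' not checked, and an entry
# made only of '+' or '-' was added or removed.

# classify LINE -> prints one of: added removed content metadata timestamps-only
classify() {
    codes=${1%%: *}                              # 'f >.... mc..C.. .'
    attrs=$(printf '%s' "$codes" | cut -c2-)     # drop the file-type character
    case $attrs in
        *[!+]*) ;;                               # contains something other than '+'
        *)      echo added;   return ;;
    esac
    case $attrs in
        *[!-]*) ;;
        *)      echo removed; return ;;
    esac
    case $attrs in
        *C*|*"<"*|*">"*) echo content; return ;; # checksum or size differs
    esac
    # Strip timestamp codes and the unchanged/not-checked markers; anything
    # left over (p, u, g, i, n, l, b, ...) is a real metadata change.
    rest=$(printf '%s' "$attrs" | tr -d 'amc=. :')
    if [ -z "$rest" ]; then echo timestamps-only; else echo metadata; fi
}

# triage < report -> "<category> <path>" for every entry line; section
# headers, separator lines and blank lines are skipped.
triage() {
    while IFS= read -r line; do
        case $line in
            [fdlbcps]*": /"*) printf '%-15s %s\n' "$(classify "$line")" "${line#*: }" ;;
        esac
    done
}

# Constructed sample: entries from the report above plus one invented
# ownership change (/usr/bin/passwd) to show the "metadata" category.
sample_report() {
    cat <<'EOF'
---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /media/cdrom0/tst
f++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------
Changed entries:
---------------------------------------------------

d =.... mc.. .. .: /etc/aide
f >.... mc..C.. .: /root/.bash_history
f =.... mc.....  : /run/systemd/timesync/synchronized
f =..u. .c.. .. .: /usr/bin/passwd
EOF
}

sample_report | triage
```

Save it, replace the sample_report call at the bottom with aide.wrapper | triage, and anything that lands in the content or metadata buckets deserves a look before the database is rebuilt.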

Most of the changed files are expected as well; scroll down in the report for the per-attribute details of each entry. Rerunning aideinit cuts the list down because it rebuilds the baseline, but note what that means: every change made since the last database is silently accepted into the new one, so only reinitialize after each remaining entry has been explained:

output
Summary:
Total number of entries:      41939
Added entries:                0
Removed entries:              0
Changed entries:              2

---------------------------------------------------
Changed entries:
---------------------------------------------------

f =.... mc.....  : /run/systemd/timesync/synchronized
f =.... mc..... .: /var/lib/systemd/timesync/clock

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Now only two entries remain, and those are expected to keep changing: systemd-timesyncd rewrites both files whenever it synchronises the clock, so they are candidates for a suppression rule rather than a reason to rebaseline again.

suppressions

Don't know... yet!
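Since the notes stop here, an added example of what the suppression step looks like on Debian/Ubuntu (my own, not the author's notes and not from the aide package): a fragment in /etc/aide/aide.conf.d/ that drops the tmpfs marker from the database with a negative selection line and keeps the persistent clock file under a reduced rule that ignores timestamps and content, followed by the regenerate-and-check sequence. The file name 99_local_timesync, the AIDE_CONF_D override and the apply function are my choices; the rule syntax (!/regex for an exclusion, /regex group for a selection with an attribute group) is from man aide.conf, and --config-check (-D) is aide's parse-only command.

```shell
#!/bin/sh
# Added example, not from the original notes: suppress the two systemd-timesyncd
# files that legitimately change between runs, the Debian/Ubuntu way: drop a
# fragment into /etc/aide/aide.conf.d/ so update-aide.conf picks it up, then
# regenerate and re-check.  Assumptions: rule syntax from man aide.conf
# ('!/regex' excludes, '/regex group' selects with an attribute group), the
# Debian wrappers used above, and the fragment name 99_local_timesync (my choice).
set -eu

CONF_D=${AIDE_CONF_D:-/etc/aide/aide.conf.d}   # overridable for testing

# write_suppressions DIR -> writes the fragment into DIR and prints its path
write_suppressions() {
    dir=$1
    frag="$dir/99_local_timesync"
    cat >"$frag" <<'EOF'
# Local rules: systemd-timesyncd rewrites these on every clock sync.
# tmpfs marker, nothing of interest: drop it from the database entirely.
!/run/systemd/timesync/synchronized$
# persistent clock file: keep watching ownership and permissions, but ignore
# timestamps and content (p = perms, u = uid, g = gid, n = link count).
/var/lib/systemd/timesync/clock$ p+u+g+n
EOF
    printf '%s\n' "$frag"
}

# apply -> install the fragment, regenerate the config and re-run the check
apply() {
    mkdir -p "$CONF_D"
    write_suppressions "$CONF_D" >/dev/null
    update-aide.conf             # rebuilds /var/lib/aide/aide.conf.autogenerated
    aide.wrapper --config-check  # parse only; a bad rule fails here, not at 3am
    aide.wrapper                 # the two entries should no longer be reported
    # Only after every remaining entry has been explained, rebaseline:
    #   aideinit
}

if [ "${1:-}" = apply ]; then apply; fi
```

Run it as sh ./suppress.sh apply as root (or set AIDE_CONF_D to a scratch directory to inspect the fragment first). Keep such rules anchored with $ and as narrow as possible: every blanket exclusion is a place where changes go unseen. And since anyone who can write to /var/lib/aide/aide.db can rebaseline for you, keep a copy of the database and the generated config somewhere the host cannot modify and compare against that copy.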