Here is my version of an AIDE Cheat Sheet. I originally wrote this about a year ago, but it is still pretty much the same. This is not meant to be a perfect implementation guideline, just a cheat sheet to get you up and running quickly! There are more advanced features and security elements that I do not go into, that you should explore.<\/p>\n
BACKGROUND<\/em> GET UP AND RUNNING<\/em> Now, initialize the database for a baseline:<\/p>\n …this creates Next, copy it to the correct name so you can use it:<\/p>\n …this gives you a database to run your checks against. Make sure to keep a read-only copy of CHECKING \/ TESTING<\/em> So let’s run a check and see results (at the default verbose level 1 in …and here’s the result:<\/p>\n ON-GOING MAINTENANCE<\/em> …the update command also does the same thing as check, but it also creates a new database; by this I mean it creates a new “ When changes are found, and you don’t want to see those changes in future reports, you can simply reinitialize the static database ( If you wish to run a “ PERSONAL NOTES<\/em> Note that aide is a bit processor-intensive. On my systems it utilizes 20-60% of the processor for about 4-8 minutes. I suppose your experience would depend upon how fast your disk channel is. Also, depending on the size of your filesystem and the settings in SCRIPTS<\/em> Here’s a script that I run manually after I’ve seen all of the changes that may have occured and I don’t want to be notified about them anymore:<\/p>\n MORE INFORMATION<\/em> Here is my version of an AIDE Cheat Sheet. I originally wrote this about a year ago, but it is still pretty much the same. This is not meant to be a perfect implementation guideline, just a cheat sheet to…
\nDid you notice that Tripwire is no longer included in Suse Linux? What do you do? You use Aide. And here’s how, in very brief steps.<\/p>\n
\nFirst, install the aide package using Yast. Besides just the binaries, the package gives you a good baseline configuration file (\/etc\/aide.conf)<\/code>, and a good example script you can add to cron for regular checks:<\/p>\n(\/usr\/share\/doc\/packages\/aide\/examples\/etc\/cron.daily\/aide.sh)<\/font><\/pre>\n
aide
--<\/code>config=\/etc\/aide.conf --<\/code>init<\/font><\/pre>\n\/var\/lib\/aide\/aide.db.new<\/code>, a text-based database file that contains information about the filesystem, as instructed by \/etc\/aide.conf<\/code>.<\/p>\ncp \/var\/lib\/aide\/aide.db.new \/var\/lib\/aide\/aide.db<\/font><\/pre>\n
aide.db<\/code> off of the system for later comparisons for security validations!<\/p>\n
\n…I modified some files on my system so I could get a result. Otherwise, output is silent in the event of no detected changes.<\/p>\naide.conf<\/code>). It may take a loooooong time, so be patient…<\/p>\naide
--<\/code>config=\/etc\/aide.conf --<\/code>check<\/font><\/pre>\n\r\nAIDE found differences between database and filesystem!!\r\nSummary:\r\nTotal number of files: 215749\r\nAdded files: 1\r\nRemoved files: 1\r\nChanged files: 8\r\n<\/font><\/pre>\n
\nYou can tweak the aide.conf<\/code> to your taste. After that, you can do an update:<\/p>\naide
--<\/code>config=\/etc\/aide.conf --<\/code>update<\/font><\/pre>\naide.db.new<\/code>“, and during the update it is comparing it real-time with aide.db<\/code> (which does not change, which is why it should be read-only!).<\/p>\naide.db<\/code>). To do this, just re-run with --init<\/code>, then copy aide.db.new<\/code> to aide.db<\/code>, as described above. Again, make sure to keep a read-only copy of aide.db<\/code> off of the system for later comparisons for security validations!<\/p>\n--compare<\/code>” to compare your databases, you must add the following to your aide.conf<\/code> (if you don’t specify on the command line):
\ndatabase_new=file:\/var\/lib\/aide\/aide.db.new<\/code>
\n…note: the “--compare<\/code>” does not examine the filesystem, it only compares the two databases!<\/p>\n
\nPersonally, I run aide once each night with the --update<\/code> option. This way it makes a new aide.db.new<\/code>, and still tells me what changed (since it compares the filesystem with aide.db<\/code>. Then, I can manually copy over the aide.db<\/code> database as described above, and keep a copy offline.<\/p>\naide.conf<\/code>, the database files can be many tens of MBs.<\/p>\n
\nHere’s a script that I run each day from \/etc\/cron.daily<\/code>:<\/p>\n\r\n#!\/bin\/bash\r\naide
--<\/code>config=\/etc\/aide.conf --<\/code>update<\/font><\/pre>\n\r\n#!\/bin\/bash\r\ndate\r\necho \"Initialize the db...\"\r\naide
--<\/code>config=\/etc\/aide.conf --<\/code>init\r\necho \"Copy over the new db...\"\r\ncp \/var\/lib\/aide\/aide.db.new \/var\/lib\/aide\/aide.db\r\n# Replace this next line with a copy to offline storage!\r\n# cp \/var\/lib\/aide\/aide.db.new \/removableMedia\r\necho \"...Done! \"\r\ndate\r\n<\/font><\/pre>\n
\nFor more thorough documentation, here are some references:
\nman aide
\nman aide.conf<\/code>
\nhttp:\/\/www.cs.tut.fi\/~rammer\/aide\/manual.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Read more<\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[12,30],"tags":[],"class_list":["post-16","post","type-post","status-publish","format-standard","hentry","category-advanced","category-aide"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pnjn1-g","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts\/16","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16"}],"version-history":[{"count":0,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts\/16\/revisions"}],"wp:attachment":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}