Differences

This shows you the differences between two versions of the page.

--- aide [2025/10/22 15:39] – jianwu
+++ aide [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
@@ Line 1: / Line 1: @@
-[[https://pctresearch.com/|{{:banner_image.jpg?nolink&800|}}]]
-===== How to install and configure AIDE on Ubuntu =====
-<code Text>
-AIDE (Advanced Intrusion Detection Environment) is a host-based file integrity checker.
-It monitors your filesystem for unauthorized changes (such as tampering with binaries, configs, or permissions).
-</code>
-[[https://github.com/aide/aide|Repository: github.com/aide/aide]]
-==== Step 1. Install AIDE ====
-<code Bash>
-sudo apt update
-sudo apt install aide -y
-</code>
-This installs AIDE and creates a default configuration file at:
-<code Bash>
-/etc/aide/aide.conf
-</code>
-==== Step 2. Initialize the AIDE database ====
-AIDE uses a baseline database of file checksums, permissions, and other metadata.
-Initialize it with:
-<code Bash>
-sudo aideinit
-</code>
-This command:
-Scans your system according to the rules in /etc/aide/aide.conf.
-Creates a new database at:
-<code Bash>
-/var/lib/aide/aide.db.new
-</code>
-Then rename it to make it the active baseline:
-<code Bash>
-sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-</code>
-:!: Tip: Run this step only when the system is in a known good state (no malware, correct configs).
-==== Step 3. Run checks ====
-You can now manually check for changes anytime:
-<code Bash>
-sudo aide --check
-</code>
-If files have been added, removed, or modified, AIDE will print a detailed report.
-Typical output:
-<code Bash>
-AIDE found differences between database and filesystem!!
-Summary:
-  Total number of entries: 12345
-  Added entries: 2
-  Removed entries: 0
-  Changed entries: 1
-</code>
-To view details, scroll through the terminal or redirect output to a file:
-<code Bash>
-sudo aide --check | less
-</code>
-==== Step 4. Update the database after legitimate changes ====
-When you intentionally change system files (for example, after an update), rebuild the database:
-<code Bash>
-sudo aide --update
-sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-</code>
-This updates your baseline so AIDE won’t keep alerting you about legitimate changes.
-===== Step 5. Automate daily checks (optional but recommended) =====
-To automate AIDE checks, add a cron job:
-<code Bash>
-sudo nano /etc/cron.daily/aide
-</code>
-Paste this script:
-<code Bash>
-#!/bin/bash
-/usr/bin/aide --check | mail -s "AIDE Integrity Check Report - $(hostname)" root
-</code>
-Then make it executable:
-<code Bash>
-sudo chmod +x /etc/cron.daily/aide
-</code>
-You can configure email delivery by setting up a local mailer (e.g., postfix or ssmtp) or redirect the report to a log file.
-===== Step 6. (Optional) Customize configuration =====
-Edit /etc/aide/aide.conf to include or exclude directories.
-Examples:
-<code Bash>
-# Add custom directory
-/etc   p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
-# Exclude temporary directories
-!/tmp
-!/var/tmp
-!/run
-</code>
-Then reinitialize the database after saving changes:
-<code Bash>
-sudo aideinit
-sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-</code>
-==== Good practices ====
-<code Text>
-Keep the AIDE database secure — store a copy offline or on read-only media.
-If attackers can alter both your files and the AIDE database, they can hide their tracks.
-Run after updates — rebuild the database only after verifying legitimate updates.
-Integrate with monitoring — send reports to a centralized system (email, SIEM, or log server).
-</code>
-==== How to configure custom AIDE rules on Ubuntu ====
-AIDE’s power comes from its configuration file, usually located at:
-<code Bash>
-/etc/aide/aide.conf
-</code>
-This file defines:
-Which files/directories to monitor
-What attributes to check (permissions, owner, checksums, etc.)
-Which paths to ignore
-Below, I’ll show you how to:
-. Understand rule syntax
-. Define your own rules
-. Configure AIDE to monitor only what you need
-. Test your configuration safely
-==== Step 1. Understand AIDE rule syntax ====
-Each line in aide.conf has this general format:
-<code Bash>
-<path or pattern>  <rule or rule name>
-</code>
-Examples:
-<code Bash>
-/etc          NORMAL
-/usr/bin      NORMAL
-!/tmp
-</code>
-A line starting with ! means “exclude this path”.
-A rule like NORMAL refers to a rule definition (explained next).
-You can also directly specify what to check, like p+i+n+u+g+s+m+c+sha512.
-==== Step 2. Understand the rule components ====
-Each letter corresponds to an attribute to check.
-Here are the most useful ones:
-|Code^Meaning^Example^
-^p|Permissions|File mode changes|
-^i|Inode number|Detect moved/replaced files|
-^n|Number of links|Detect added hard links|
-^u|User (owner)|Owner changed|
-^g|Group|Group ownership changed|
-^s|Size|File grew/shrank|
-^m|Modification time|Changed content|
-^c|Change time (inode metadata)|Metadata change|
-^a|Access time|(Usually ignored; too frequent)|
-^sha512|Hash algorithm|Detects content tampering|
-Example combined rule:
-<code Bash>
-p+i+n+u+g+s+m+c+sha512
-</code>
-→ Checks almost everything important, using SHA-512 for content integrity.
-==== Step 3. Define your custom rules ====
-Open the configuration file:
-<code Bash>
-sudo nano /etc/aide/aide.conf
-</code>
-Scroll to the bottom (after the default rules) and add your own:
-<code Bash>
-# ===== Custom Rules =====
-# Define a strong rule for system configuration files
-CUSTOM = p+i+n+u+g+s+m+c+sha512
-# Directories to monitor
-/etc         CUSTOM
-/usr/bin     CUSTOM
-/usr/sbin    CUSTOM
-/var/www     CUSTOM
-# Exclude temporary and runtime directories
-!/tmp
-!/var/tmp
-!/run
-!/proc
-!/sys
-!/dev
-!/mnt
-!/media
-</code>
-=== Explanation: ===
-<code Bash>
-/etc — monitors configuration files.
-/usr/bin and /usr/sbin — monitors system executables.
-/var/www — monitors your web server files (if applicable).
-The excluded directories change too often or contain temporary data.
-</code>
-==== Step 4. Initialize AIDE again ====
-After editing the config, you must rebuild the database:
-<code Bash>
-sudo aideinit
-sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-</code>
-==== Step 5. Test your configuration ====
-Run a manual check:
-<code Bash>
-sudo aide --check
-</code>
-Change something intentionally (for testing):
-<code Bash>
-sudo touch /etc/testfile
-</code>
-Run the check again:
-<code Bash>
-sudo aide --check
-</code>
-You should see output like:
-<code Bash>
-AIDE found differences between database and filesystem!!
-Added entries: 1
-/etc/testfile
-</code>
-Then remove the test file and update your database if all is well:
-<code Bash>
-sudo rm /etc/testfile
-sudo aide --update
-sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-</code>
-==== Step 6. (Optional) Automate your custom checks ====
-If you want AIDE to run your custom configuration daily, ensure the cron job (from the previous setup) uses this command:
-<code Bash>
-/usr/bin/aide --config /etc/aide/aide.conf --check
-</code>
-==== Pro tips ====
-Use multiple rules for different sensitivity levels:
-<code Bash>
-SYSTEM = p+i+n+u+g+s+m+c+sha512
-LOGS   = p+u+g+s
-</code>
-Then apply them selectively:
-<code Bash>
-/etc        SYSTEM
-/var/log    LOGS
-</code>
-Protect your AIDE database:
-Store a copy offline or on read-only media (/root/aide-backups or USB).
-Example backup:
-<code Bash>
-sudo cp /var/lib/aide/aide.db /root/aide-backups/aide.db.$(date +%F)
-</code>
-Combine with systemd service (optional):
-You can create a systemd timer to run AIDE weekly instead of using cron.
-==== Summary ====
-|Step^Command^Description^
-^1|$ sudo nano /etc/aide/aide.conf|Edit configuration|
-^2|Add custom rules|Define CUSTOM = p+i+n+u+g+s+m+c+sha512|
-^3|Add directories & exclusions|/etc, /usr/bin, /var/www, etc.|
-^4|$ sudo aideinit|Rebuild baseline|
-^5|$ sudo aide --check|Verify changes|
-^6|(Optional) Automate|Cron or systemd timer|