How to use AIDE to monitor file integrity in Linux

Brief introduction

AIDE (Advanced Intrusion Detection Environment) is a file integrity checker and intrusion detection program.

Features


  • Its main purpose is to check the integrity of files: to audit which files on the machine have been changed.
  • The AIDE database is built according to the regular-expression rules found in the /etc/aide.conf configuration file. Once the database has been initialized, it can be used to verify the integrity of files and to check whether any of the usual file attributes are inconsistent. It can read, or update, an older version of the database. The database can store many attributes of a file, including: permissions, inode number, owning user, group, file size, last modification time (mtime), creation time (ctime), last access time (atime), growing size and number of links. AIDE can also use the following algorithms to build a checksum or hash for each file: sha1, md5, rmd160, tiger.
  • The database should not include files that change frequently, such as log files, mail spools, the /proc file system, user home directories and, in practice, temporary directories.

Background

When an intruder breaks into your system and plants their own programs on it, they will usually look for a way to conceal this (besides the hidden features of the programs themselves, they will try to obstruct the checks you run on the system). Intruders usually modify some files. For example, administrators often inspect running processes with ps aux, so the intruder is likely to replace the ps program on your system with their own modified ps, so that their running program cannot be found with the ps command. If the intruder notices the administrator running crontab jobs, they may replace the crontab program as well, and so on. Checking system files or other critical files is therefore essential. At present two tools are commonly used for system integrity checking: Tripwire and AIDE. The former is commercial software; the latter is free but still a very powerful tool.

Steps

Installation

[root@CentOS7 ~]# yum -y install aide

Modify the configuration file

Default paths:

/etc/aide.conf default configuration file
/usr/sbin/aide default binary
/var/lib/aide  default database directory
/var/log/aide  default log directory

Initialize the default database:

`which aide` --init

After this step, a database file named "aide.db.new.gz" is created in the default database directory /var/lib/aide; all the rules defined in /etc/aide.conf are written into this database file.

Check the generated database (it is recommended to store the initialized database in a safe place)

mv /var/lib/aide/aide.db{.new,}.gz

Because aide by default reads the rules defined in /etc/aide.conf from the aide.db.gz database file when checking file integrity, the initialized database file must be renamed.

Check

`which aide` --check

Update the database

`which aide` --update

After a check, the file database must be updated; otherwise the next check will still read the rules from the old database to check file integrity. The database file must also be renamed again afterwards.

AIDE default rules (attribute table from /etc/aide.conf)

#
#p:      permissions
#i:      inode:
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#acl:           Access Control Lists
#selinux        SELinux security context
#xattrs:        Extended file attributes
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256:        sha256 checksum
#sha512:        sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum

#haval:  haval checksum (MHASH only)
#gost:   gost checksum (MHASH only)
#crc32:  crc32 checksum (MHASH only)
#whirlpool:     whirlpool checksum (MHASH only)

AIDE rule definition and use

Rule definition format: rule_name = attributes
Example: TEST = a+m+c

Rule usage format: file/directory rule_name
Example: /dir1  TEST
Note: if a file or directory is prefixed with "!", it is excluded from checking.

AIDE rule validation

The following rules are defined in the /etc/aide.conf file; the /dir1 directory is empty at the start.

TEST = a+c+m
/dir1 TEST

Test 1:

Create a new file file1 in that directory and write "hello aide" into it:
[root@CentOS7 ~]# aide --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

[root@CentOS7 ~]# echo "hello aide" > /dir1/file1
[root@CentOS7 ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2019-11-10 19:12:57

Summary:
  Total number of files:    3
  Added files:          1
  Removed files:        0
  Changed files:        1

---------------------------------------------------
Added files:
---------------------------------------------------

added: /dir1/file1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /dir1

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /dir1
 Mtime    : 2019-11-10 19:12:00              , 2019-11-10 19:12:55
 Ctime    : 2019-11-10 19:12:00              , 2019-11-10 19:12:55

The output above shows that file1 was added under /dir1 and that the Ctime and Mtime attributes of the /dir1 directory were modified.

Test 2:

Change the content of /dir1/file1 from "hello aide" to "hello world":
[root@CentOS7 ~]# sed -i '/hello/c hello world' /dir1/file1 ; cat /dir1/file1
hello world
[root@CentOS7 ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2019-11-10 19:14:34

Summary:
  Total number of files:    3
  Added files:          1
  Removed files:        0
  Changed files:        1

---------------------------------------------------
Added files:
---------------------------------------------------

added: /dir1/file1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /dir1

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /dir1
 Atime    : 2019-11-10 19:12:02              , 2019-11-10 19:12:57
 Mtime    : 2019-11-10 19:12:00              , 2019-11-10 19:14:31
 Ctime    : 2019-11-10 19:12:00              , 2019-11-10 19:14:31

This time the Atime, Mtime and Ctime of the /dir1 directory were all modified. Note that file1 is still reported as an added file because the database was not updated (aide --update and rename) after Test 1.
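As an added example (not from the original post or from the AIDE project), the Python script below reproduces the mechanism in miniature: it parses the rule syntax shown above, snapshots the attributes named by the rule letters (a subset of the attribute table, with the same meanings), and diffs a later snapshot against the baseline the way aide --check does, replaying Test 1 and Test 2 on a temporary directory. compare() returns (added, removed, changed), where changed maps each path to {attribute: (old, new)}; the demo rule leaves out a because hashing a file reads it and thereby changes its own atime.

```python
import hashlib, os, pathlib, stat, tempfile, time
# Attribute letters from the page's rule table (a subset), each read from os.lstat
ATTRS = {"p": lambda st, p: stat.S_IMODE(st.st_mode), "u": lambda st, p: st.st_uid,
         "g": lambda st, p: st.st_gid, "s": lambda st, p: st.st_size,
         "m": lambda st, p: st.st_mtime_ns, "c": lambda st, p: st.st_ctime_ns,
         "sha256": lambda st, p: hashlib.sha256(pathlib.Path(p).read_bytes()).hexdigest()
                   if stat.S_ISREG(st.st_mode) else None}

def parse_conf(text):
    """Page syntax: 'NAME = a+c+m' defines a rule, '/path NAME' applies it, '!/path' ignores."""
    rules, selections, ignores = {}, [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("!"):
            ignores.append(line[1:].strip())
        elif line.startswith("/"):
            path, name = line.split()
            selections.append((path, rules[name]))   # KeyError for a typo such as '/dir1 TES'
        else:
            name, spec = (s.strip() for s in line.split("=", 1))
            rules[name] = spec.split("+")
    return selections, ignores

def snapshot(selections, ignores):                 # the database: attrs per directory and file
    db = {}
    for root, attrs in selections:
        for dirpath, _, files in os.walk(root):
            for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                if not any(p == ig or p.startswith(ig + os.sep) for ig in ignores):
                    st = os.lstat(p)
                    db[p] = {a: ATTRS[a](st, p) for a in attrs}
    return db

def compare(old, new):                             # like aide --check
    changed = {p: {a: (old[p][a], new[p][a]) for a in old[p] if old[p][a] != new[p][a]}
               for p in set(old) & set(new)}
    return (sorted(set(new) - set(old)), sorted(set(old) - set(new)),
            {p: d for p, d in changed.items() if d})

def demo():                                        # replay Test 1 and Test 2; returns (dir, t1, t2)
    d = tempfile.mkdtemp()                           # stands in for /dir1
    sel, ign = parse_conf(f"TEST = p+u+g+s+m+c+sha256\n{d} TEST\n!{d}/tmp\n")
    db = snapshot(sel, ign)                          # aide --init plus the rename step
    time.sleep(0.1)                                  # let coarse kernel timestamps advance
    f1 = pathlib.Path(d, "file1")
    f1.write_text("hello aide\n")
    test1 = compare(db, snapshot(sel, ign))          # Test 1: file1 added, dir mtime/ctime changed
    db = snapshot(sel, ign)                          # aide --update, then rename again
    f1.write_text("hello world\n")
    test2 = compare(db, snapshot(sel, ign))          # Test 2: file1 size and sha256 changed
    return d, test1, test2
```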


Source: blog.51cto.com/hexiaoshuai/2449268