Comments on How To Configure The AIDE (Advanced Intrusion Detection Environment) File Integrity Scanner For Your Website

How To Configure The AIDE (Advanced Intrusion Detection Environment) File Integrity Scanner For Your Website

A file integrity scanner is something you need to have. Imagine a hacker placing a backdoor on your web site, or changing your order form to email him a copy of everyone's credit card details while leaving it appearing to function normally. With daily reporting set up, you are notified within at most 24 hours of any file being changed, added, or removed. It also helps establish an audit trail in the event your site is compromised. These instructions are designed for an end user to implement without root access, and assume your server has the aide binary installed. Most hosts will have this installed already, or will install it for you upon request.

9 Comment(s)


Comments

By:

Is that link securehostingdirectory.com/aide.conf secure enough? Is that the best link to get this thing?


By: Aura23

This is the Sourceforge project link:

http://aide.sourceforge.net/

By: Aura23

... oh dear I'm so stupid. I thought you were talking about aide itself, not the config.

Well, the installation of aide will create a basic configuration itself, so if you like to tinker with it then you probably won't have to download the provided configuration.

By: Anonymous

Or, if your server has a CD drive, you can write the AIDE DB to a CD-R on another computer. That way it is read-only, no matter who hacks your server. Just a thought.

By: Anonymous

The link in this tutorial no longer works:

wget securehostingdirectory.com/aide.conf

By: Anonymous

Is there a way to configure AIDE to not send email if the body of the email reads:

"AIDE, version 0.14### All files match AIDE database. Looks okay!"? I want to only be emailed in the event of an issue.

By: Vitali

Here is what I did to send email only if there is a change:

1. When you run your aide command, write its output to a file, aide_output.txt.

2. Then test the file for the "all files match" line and only mail when it is absent:

if grep -qw -e 'All files match AIDE database' /aide/aide_output.txt; then
    :   # nothing to do, no changes were found
else
    mail -s 'AIDE found differences between database and filesystem on puniashdp200!!' [email protected] < /aide/aide_output.txt
fi

By: John Doe

Awesome HowTo! Thx a lot for this.

By: Jacob Amey

I ended up writing a script to do just this. It does not search for that text but instead uses exit codes. If the return code is zero, no change happened. A 1 or higher means a change or failure occurred, so it will notify with a generated report.

# Start of Script.
#!/bin/bash
#
# Variables
###########
#
AIDE=$(which aide)
DATE=$(date +%Y-%m-%d)
TIME=$(date +%r)
ORGANIZATION=DevOps
REPORT=/tmp/aide/aide-report-"$DATE".txt
EMAIL="[email protected],[email protected]"
SUBJECT="[ Security Check ] $ORGANIZATION Aide Report - $(hostname) - $DATE"
LOCKFILE=/tmp/aide-job.lck

#
# Functions
###########
#
aide_init () {
  echo "=========="
  echo "[AIDE] - Is performing an init of its DB for next run."
  echo "=========="
  rm /var/lib/aide/aide.db.gz
  $AIDE --init
  mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
}

aide_check () {
  echo "=========="
  echo "[AIDE] - Is performing an audit check..."
  echo "=========="
  if [[ -f /var/lib/aide/aide.db.gz ]]; then
    $AIDE --check
  else
    # No database yet: build one first, then check against it.
    $AIDE --init
    mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    $AIDE --check
  fi
}

aide_notify () {
  aide_message | mailx -a "$REPORT" -s "$SUBJECT" $EMAIL
}

aide_cleanup () {
  echo "=========="
  echo "[SYSTEM] - Is cleaning up lockfiles and old reports."
  echo "=========="
  rm -f "$LOCKFILE"
  find /tmp/aide/aide-report-* -mtime +10 -type f -delete
  echo "-------------------------------------"
  echo "AIDE process finished at $(date +%r)."
  exec 1>&3   # restore stdout so the report file is complete before it is mailed
}

aide_message () {
  echo -e "
The Advanced Intrusion Detection Environment (AIDE) has finished a system check on $DATE at $TIME.
Please review the attachment for $(hostname).

Regards,
The $ORGANIZATION Security Team
[Please do not reply to this message. This notification is an automatically generated email; we do not monitor this mailbox.]"
}

###########
# Ensure logfile exists.
#
mkdir -p /tmp/aide
touch "$REPORT"

###########
# Redirect output to the logfile (fd 3 keeps the original stdout).
#
exec 3>&1
exec 1>> "$REPORT"

###########
# AIDE Process Start
#
echo -e "
------------: AIDE CHECK :---------------
Hostname : $(hostname)
IP : $(hostname -i)
Date and Time : $(date)
-------------------------------------------
"
echo "aide check started at $(date +%r)."
echo "----------------------------------"

###########
# Create lock file.
#
if [ -f "$LOCKFILE" ]; then
  echo "A lock file already exists, we will not run an aide check since it's already running."
  echo "aide check stopped at $(date +%r)."
  exec 1>&3
  exit 0
else
  echo "There is no lock file; creating it and starting aide system check."
  touch "$LOCKFILE"
fi

###########
# run aide.
# send aide report.
# update aide for next run.
# cleanup.
#
if ! aide_check; then
  echo "AIDE detected changes, cleaning up and sending a notification."
  aide_init
  aide_cleanup
  aide_notify
  exit 0
else
  echo "AIDE detected no changes, cleaning up and exiting."
  aide_init
  aide_cleanup
  exit 0
fi

# End of script.
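Both approaches above decide whether to mail: Vitali's by grepping the report text, Jacob's by treating every non-zero status as a change. As an added example that is not part of either comment, here is a POSIX sh helper that uses the exit codes documented in aide(1) to separate "changes found" from "AIDE itself failed", and captures the status correctly under set -e; REPORT, aide_status_summary and run_check_and_classify are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the comment thread): classify an `aide --check`
# exit status instead of grepping the report or treating every non-zero
# status as "changes".  Exit codes are those documented in aide(1):
#   0      no changes
#   1,2,4  new / removed / changed files, OR-ed together (so 1..7)
#   14-19  AIDE itself failed (write, argument, config, I/O, version ...)
# REPORT, aide_status_summary and run_check_and_classify are names chosen
# for this example.

aide_status_summary() {
  rc=$1
  if [ "$rc" -eq 0 ]; then
    echo "ok: all files match the AIDE database"
  elif [ "$rc" -ge 1 ] && [ "$rc" -le 7 ]; then
    kinds=""
    [ $((rc & 1)) -ne 0 ] && kinds="$kinds new"
    [ $((rc & 2)) -ne 0 ] && kinds="$kinds removed"
    [ $((rc & 4)) -ne 0 ] && kinds="$kinds changed"
    echo "changes:$kinds"
  elif [ "$rc" -ge 14 ] && [ "$rc" -le 19 ]; then
    # Not a file change: the check did not complete, so the report says
    # nothing about the filesystem.  Alert on this separately.
    echo "error: aide exited with status $rc (see aide(1)); check not completed"
  else
    echo "error: unexpected aide exit status $rc"
  fi
}

# Run the check command given as arguments (normally: aide --check),
# appending its output to $REPORT, and capture the status in a way that
# works under `set -e` (a bare `$AIDE --check` would abort the script
# on any non-zero status before the mail is sent).
run_check_and_classify() {
  rc=0
  "$@" >>"${REPORT:-/dev/null}" 2>&1 || rc=$?
  aide_status_summary "$rc"
}

# Cron wrapper body using the helpers (REPORT is a constructed path):
#   REPORT=/tmp/aide/aide-report.txt
#   summary=$(run_check_and_classify aide --check)
#   case $summary in
#     ok:*)      ;;                                          # nothing to mail
#     changes:*) mail -s "AIDE: $summary on $(hostname)" admin < "$REPORT" ;;
#     error:*)   mail -s "AIDE FAILED: $summary" admin < "$REPORT" ;;
#   esac
```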