Advanced Intrusion Detection Environment

host-based intrusion detection system (HIDS) for checking the integrity of files

Advanced Intrusion Detection Environment (AIDE) is a host-based intrusion detection system (HIDS) for checking the integrity of files. It does this by creating a baseline database of files on an initial run, and then checks this database against the system on subsequent runs. File properties that can be checked against include inode, permissions, modification time, file contents, etc. (more on the ArchWiki: https://wiki.archlinux.org/index.php/AIDE)

How to install it?

# Check what repo will provide you aide tool.

yum whatprovides aide

# And then install it, if available.

yum install aide -y

Next step?

Let’s check the files unpacked from the aide package we just installed.

rpm -ql aide

# open the file with vim or your favourite text editor
vim /etc/aide.conf

# The file looked very huge so I checked its length.

wc /etc/aide.conf

# OUTPUT:
# 312 765 7333 /etc/aide.conf
man 5 aide.conf

The man page describes the kinds of lines found in aide.conf:
  • Selection lines indicate which files are added to the database.
  • Macro lines define or undefine variables within the config file.
  • Lines beginning with # are ignored as comments.

Enough for configuration… How to use it?

Go to the man page of aide.

# from terminal

man aide
Pay particular attention to the commands and diagnostics sections of the man page.

Time for some fun now!!

Create a test folder, then:
  • Configure AIDE to add that folder to the database.
  • Have fun with the folder and files and check the AIDE logs for reports.

# create the test folder
mkdir /fun-with-aide
# added to /etc/aide.conf: a group named myfilter that records a sha256 checksum, and a selection line applying it to the test folder
#-------------- My-Settings ---------------
myfilter = sha256

/fun-with-aide myfilter
# after aide --init has written /var/lib/aide/aide.db.new.gz, activate it as the baseline and run a check
  • cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  • aide --check

# then modify a file inside /fun-with-aide and run aide --check again to see the change reported
# SOURCE: https://wiki.archlinux.org/index.php/AIDE

#!/bin/bash -e

# these should be the same as what's defined in /etc/aide.conf
database=/var/lib/aide/aide.db.gz
database_out=/var/lib/aide/aide.db.new.gz

if [ ! -f "$database" ]; then
    echo "$database not found" >&2
    exit 1
fi

# aide -u exits non-zero when it finds changes; "|| true" keeps bash -e from aborting before the database is rotated
aide -u || true

# keep the previous baseline, then promote the freshly written database
mv "$database" "$database.back"
mv "$database_out" "$database"

Conclusion

In the end, let’s understand how AIDE does what it does.
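To make that concrete, here is an added, simplified model of the baseline-then-compare loop (written for this post, not AIDE's own code): it records the same sort of attributes a rule like myfilter = sha256 would, builds a baseline the way aide --init does, and diffs a fresh scan against it the way aide --check does. demo() constructs a temporary folder and repeats the tinkering from above: one file changed, one removed, one added.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

# Constructed, simplified model of AIDE's baseline-then-compare loop (not AIDE's own code):
# each record mirrors "myfilter = sha256" plus permissions, inode, mtime and size.
def file_record(path: Path) -> dict:
    st = path.lstat()
    rec = {"mode": stat.S_IMODE(st.st_mode), "inode": st.st_ino,
           "mtime": st.st_mtime_ns, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):  # only regular files get a checksum
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec

def build_database(root: str) -> dict:
    """Like 'aide --init' for one selection line: record every entry under root
    (keys are relative to root here; AIDE itself stores absolute paths)."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            db[str(p.relative_to(root))] = file_record(p)
    return db

def compare(baseline: dict, current: dict) -> dict:
    """Like 'aide --check': added, removed and changed entries, with the differing attributes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for p in sorted(set(baseline) & set(current)):
        diff = sorted(k for k in baseline[p] if baseline[p][k] != current[p].get(k))
        if diff:
            changed[p] = diff
    return {"added": added, "removed": removed, "changed": changed}

def demo() -> dict:
    """Constructed walkthrough: baseline a folder, tinker with it, then re-check."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "file1").write_text("hello\n")
        (Path(root) / "file2").write_text("bye\n")
        baseline = build_database(root)                         # aide --init
        (Path(root) / "file1").write_text("hello, tampered\n")  # content changed
        (Path(root) / "file2").unlink()                         # removed
        (Path(root) / "file3").write_text("new\n")              # added
        return compare(baseline, build_database(root))          # aide --check
```

The report names which attribute of file1 moved (its sha256 and size), which is exactly the kind of evidence a real aide --check prints for a tampered file.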


Connecting the dots, and the rest is magic. https://ayedaemon.github.io/