Intrusion Detection with AIDE

Contents

12.1. Why Use AIDE?
12.2. Setting Up an AIDE Database
12.3. Local AIDE Checks
12.4. System Independent Checking
12.5. For More Information

Abstract

Securing your systems is mandatory for any mission-critical deployment. However, regardless of how hard you try, it is impossible to guarantee that a system has not been compromised. When administering important servers (where the integrity and security of your data is critical), it is a good idea to run some extra checks regularly (for example with cron) to ensure that the system is still under the control of the administrator. This is where AIDE, the Advanced Intrusion Detection Environment, comes into play.

Why Use AIDE?

A simple check that often reveals unwanted changes can be done with RPM. The package manager has a built-in verify function that checks all files it manages for changes. To verify all files, run the command rpm -Va. However, this command also reports changes to configuration files, so you will have to filter its output to pick out the important changes.
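As an added example (not part of the SUSE manual), the following POSIX shell script shows the filtering step mentioned above: it drops config-file entries from rpm -Va output and keeps only files whose contents changed or that are missing. The rpm -Va output it processes is a constructed sample embedded in the script; on a real system you would pipe the command's output into the filters instead.

```shell
#!/bin/sh
# Pre-filter `rpm -Va` output so that only content changes to
# non-configuration files remain. Each rpm -V line looks like:
#   <9 attribute flags>  <type> <path>
# Flags are, in order: S M 5 D L U G T P ("5" = digest differs).
# The optional type flag is c (%config), d (%doc), g (%ghost),
# l (%license) or r (%readme). Missing files print as "missing".

# Drop %config entries: when a type flag is present it is field 2.
filter_nonconfig() {
    awk '$2 != "c" { print }'
}

# Keep entries whose content changed (digest flag "5", 3rd flag
# character) or whose file is missing; mtime/mode-only changes are dropped.
filter_content_changes() {
    awk 'substr($1, 3, 1) == "5" || $1 == "missing" { print }'
}

# Constructed sample of rpm -Va output (not from a real system).
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/packages/aide/README
S.5....T.    /usr/bin/ls
missing     /usr/sbin/aide
.M.......    /var/lib/nfs'

# Print the suspicious entries from the sample.
report_suspicious() {
    printf '%s\n' "$SAMPLE_RPM_VA" | filter_nonconfig | filter_content_changes
}

# Number of suspicious entries, handy for a cron job that mails when > 0.
count_suspicious() {
    report_suspicious | wc -l | tr -d ' '
}

if [ "${1:-}" = "--run" ]; then
    report_suspicious
fi
```

For the sample above only /usr/bin/ls (digest changed) and the missing /usr/sbin/aide survive the filters; the edited sshd_config is dropped as a config file.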

A further problem with the RPM method is that a skilled attacker will modify rpm itself to hide any changes made by a rootkit, which lets the attacker mask the intrusion and retain root privileges. To counter this, you should implement a secondary check that can also be run completely independently of the installed system.