Having anti-virus software and a rigorous firewall as your first line of defense is considered a bare necessity nowadays. But what happens when somehow the malicious code or intent somehow gets past your protection? That is where an Intrusion Detection System (IDS) comes into play.
AIDE is one such tool among others (like Tripwire) – it builds an initial local database of the files you specify it to monitor using the verification and checksum methods you set, after which if you run a check against this database AIDE will show you what files have been changed since the build of the database. Essentially, when you run it periodically you’ll be able to tell what, when and how has been changed since the last check had been run.
First, let’s install the base package:
apt-get install aide
Now using your editor of choice we should define some basic configuration for aide:
As per usual you should change everything to your liking, but now this – you can never be too paranoid and security always comes with a trade-off at comfort. For demonstrational purposes the checksums used here provide an acceptable ratio of calculation speed/efficiency, however, in a production environement a more robust checksum combination is preferred.
Example contents of aide.conf:
Checksums = sha512+crc32
database_attrs = Checksums
Finally, you can include the directories to be monitored at the end of this config file, so for instance should you only want to keep an eye on your www folder, then this is what you should put at the end of aide.conf:
Now we have to build the initial database by running:
Also don’t forget to set your email address over here:
After that we are good to go! To test it, create a file using for example, touch /var/www/test.txt and do a manual check by using:
aide -c /etc/aide/aide.conf --check
A cron job is added automagically to the cron.daily jobs.