openSUSE Leap 42: File integrity check with AIDE

This article describes AIDE, a file integrity checker.

1 Before installing AIDE

Install Postfix with this script.

2 Install AIDE

Install the aide package. The sed command sets verbose=5 in /etc/aide.conf.

> sudo zypper -n in aide
> sudo sed -e 's/^verbose=.*/verbose=5/g' -i /etc/aide.conf

3 Create database

Running "aide --init" creates aide.db.new, which you then need to copy to aide.db.

> sudo aide --init
> sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

4 File integrity check

"aide --check" checks file integrity. "aide --update" checks file integrity and also creates a new database, aide.db.new, which needs to be copied to aide.db.

> sudo aide --check
<snip>
> echo $?
0

If some file has been changed, aide returns a non-zero exit status.

> sudo mv /usr/sbin/ip /usr/sbin/ip.orig
> echo "modified" | sudo tee /usr/sbin/ip
> sudo aide --check
<snip>
> echo $?
4

5 Cron job which runs aide

You need to create a cron job. This article creates a daily cron job which runs "aide --update" and sends an e-mail.

> sudo zypper -n in mailx procmail
> cat <<EOF | sudo tee /etc/cron.daily/aide
#!/bin/sh

LOCK_FILE=/var/run/aide.lock
MAIL_ADDR=root@localhost

lockfile \${LOCK_FILE} || exit 1

TMP=\$(mktemp -t aide.XXXXXX)
trap "rm \$TMP* 2>/dev/null" 0

aide --update > \${TMP} 2>&1
ret=\$?
if [ \${ret} -eq 0 ]; then
  # Nothing is changed.
  cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
elif [ \${ret} -lt 8 ]; then
  # Some file is changed.
  cat \${TMP} | mail -s "AIDE detects changes" \${MAIL_ADDR}
  cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
else
  # Cannot update database.
  cat \${TMP} | mail -s "AIDE fatal error" \${MAIL_ADDR}
fi

rm -f \${LOCK_FILE}
EOF
> sudo chmod a+x /etc/cron.daily/aide
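The exit status checked in section 4 and branched on by the cron job above is more informative than "zero or not": the values 1 (new entries), 2 (removed entries) and 4 (changed entries) are combined bitwise, which is why the file replacement above yields 4, and error statuses start well above that range (aide(1) documents them from 14 upwards, so the script's "-lt 8" threshold is safe). The following shell snippet is an added example, not part of the original article, that decodes a status into a summary and builds a mail subject from it; the function names and message texts are this example's own choices, and the status values it is fed are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): decode an AIDE exit
# status into a short description. Numeric meanings are taken from aide(1):
#   0      no changes
#   1..7   bitmask: 1 = new entries, 2 = removed entries, 4 = changed entries
#   14+    errors (config, I/O, version mismatch, ...); the cron job above
#          treats anything >= 8 as fatal, and so does this example.
# Function names and message texts are this example's own choices.

# aide_describe STATUS
# Prints a one-line summary; returns 0 (clean), 1 (changes), 2 (error).
aide_describe() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$code" -ge 8 ]; then
        echo "aide error, status ${code}"
        return 2
    fi
    summary=""
    if [ $((code & 1)) -ne 0 ]; then summary="${summary}added,"; fi
    if [ $((code & 2)) -ne 0 ]; then summary="${summary}removed,"; fi
    if [ $((code & 4)) -ne 0 ]; then summary="${summary}changed,"; fi
    echo "${summary%,}"      # drop the trailing comma
    return 1
}

# aide_subject STATUS
# Builds the mail subject the cron job could use instead of a fixed string,
# so the report class is visible before the body is opened.
aide_subject() {
    rc=0
    desc=$(aide_describe "$1") || rc=$?
    case $rc in
        0) echo "AIDE: no changes" ;;
        1) echo "AIDE detects changes: ${desc}" ;;
        *) echo "AIDE fatal error: ${desc}" ;;
    esac
}

# Constructed sample: the status the article got after replacing /usr/sbin/ip.
aide_subject 4
# prints: AIDE detects changes: changed
```

Note that the cron job copies aide.db.new over aide.db in the "changes" branch as well, so a change reported today becomes the baseline tomorrow; the mailed report is the only record of what differed, which is a reason to keep the subject and body informative and the mail archived.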