LinuxMint 18: File integrity check with AIDE

Install Postfix with this script.

Install aide package.

$ sudo apt install -y -o 'apt::install-recommends=true' aide

Create database with aideinit which is wrapper script for "aide –init". The aideinit will create aide.db.new and copy to aide.db.

/var/lib/aide/aide.db.new
/var/lib/aide/aide.db

Unlike AIDE in other distribution, the configuration file is not /etc/aide.conf but the following file. Because it does not have /etc/aide.conf, running aide directly will cause error. /etc/aide/aide.conf.d/* are the configuration files for various packages.

/etc/aide/aide.conf
/etc/aide/aide.conf.d/*

aide.wrapper –check checks file integrity. aide.wrapper –update checks file integrity and create new database "aide.db.new". This needs to copy to aide.db.

$ sudo aide.wrapper --check
<snip>
$ echo $?
0

If some file is changed, aide.wrapper will return non zero value.

$ sudo mv /usr/sbin/ip /usr/sbin/ip.orig
$ echo "modified" | sudo tee /usr/sbin/ip
$ sudo aide.wrapper --check
<snip>
$ echo $?
4

Running cron job "/etc/cron.daily/aide" is better.

$ sudo /etc/cron.daily/aide

This cron job runs "aide.wrapper –update", copy created "aide.db.new" to aide.db and send email.

/etc/cron.daily/aide

The configuration file for this cron job is the following. The email address is ${MAILTO}@${FQDN}.

/etc/default/aide

If FQDN is not defined in /etc/default/aide, FQDN will be set to value of "hostname -f". This article will set FQDN to localhost. And default value of MAILTO is root.

$ sudo sed -e 's/^# FQDN=/FQDN=localhost/g' -i /etc/default/aide

After this, cron job will send to root@localhost 1 time in a day. You can send email to gmail with Postfix setting.