This article describes AIDE, a file integrity checker.
1 Before installing AIDE
Install Postfix with this script.
2 Install AIDE
Install the aide package.
$ sudo dnf install -y aide
3 Create database
Running "aide --init" creates aide.db.new.gz. You then need to copy it to aide.db.gz.
$ sudo aide --init
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
4 File integrity check
"aide --check" checks file integrity. "aide --update" checks file integrity and also creates a new database, aide.db.new.gz, which needs to be copied to aide.db.gz.
$ sudo aide --check
<snip>
$ echo $?
0
If a file has changed, aide returns a non-zero value.
$ sudo mv /usr/sbin/ip /usr/sbin/ip.orig
$ echo "modified" | sudo tee /usr/sbin/ip
$ sudo aide --check
<snip>
$ echo $?
4
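The exit value 4 above is one bit of a bitmask, which is also why the daily cron job in section 5 treats any value below 8 as "changes found". The following is an added example, not part of the original article: a helper (the name aide_describe is hypothetical) that decodes the status of "aide --check" or "aide --update", using the values documented in the aide(1) man page.

```shell
#!/bin/sh
# Added example: decode an AIDE --check/--update exit status.
# Per aide(1): 1 = new files, 2 = removed files, 4 = changed files
# (summed), and 14-19 are generic error conditions.

aide_describe() {
    st=$1
    # Reject anything that is not a plain non-negative integer.
    case "$st" in
        ''|*[!0-9]*) echo "invalid status"; return 2 ;;
    esac
    if [ "$st" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$st" -lt 8 ]; then
        out=""
        if [ $(( $st & 1 )) -ne 0 ]; then out="${out}added "; fi
        if [ $(( $st & 2 )) -ne 0 ]; then out="${out}removed "; fi
        if [ $(( $st & 4 )) -ne 0 ]; then out="${out}changed "; fi
        echo "${out% }"    # strip the trailing space
        return 0
    fi
    case "$st" in
        14) echo "error: write error" ;;
        15) echo "error: invalid argument" ;;
        16) echo "error: unimplemented function" ;;
        17) echo "error: invalid configuration line" ;;
        18) echo "error: I/O error" ;;
        19) echo "error: version mismatch" ;;
        *)  echo "error: unknown status $st" ;;
    esac
    return 1
}

# Constructed sample statuses, not output from a real run.
for s in 0 4 5 17; do
    printf '%s -> %s\n' "$s" "$(aide_describe "$s")"
done
```

In a cron script the result can go straight into the mail subject, for example "AIDE: $(aide_describe $ret)".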
5 Cron job which runs aide
You need to create a cron job. This article creates a daily cron job which runs "aide --update" and sends email.
$ sudo dnf install -y mailx liblockfile
$ cat <<EOF | sudo tee /etc/cron.daily/aide
#!/bin/sh
LOCK_FILE=/var/run/aide.lock
MAIL_ADDR=root@localhost
dotlockfile -p \${LOCK_FILE} || exit 1
TMP=\$(mktemp -t aide.XXXXXX)
trap "rm \$TMP* 2>/dev/null" 0
aide --update > \${TMP} 2>&1
ret=\$?
if [ \${ret} -eq 0 ]; then
  # Nothing has changed.
  cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
elif [ \${ret} -lt 8 ]; then
  # Some file has changed: mail the report, then accept the new
  # database as the baseline.
  cat \${TMP} | mail -s "AIDE detects changes" \${MAIL_ADDR}
  cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
else
  # AIDE failed; the database cannot be updated.
  cat \${TMP} | mail -s "AIDE fatal error" \${MAIL_ADDR}
fi
dotlockfile -u \${LOCK_FILE}
EOF
$ sudo chmod a+x /etc/cron.daily/aide