Verificar la Integridad con AIDE

Héctor Louzao, Equipo de Documentación de Fedora Version F38 Last review: 2023-08-09
Advanced Intrusion Detection Environment (Entorno Avanzado de Detección de Intrusión) (AIDE) es una utilidad que crea una base de datos de archivos en el sistema y después utiliza esta base de datos para asegurar la integridad de los archivos y detectar intrusiones en el sistema.

Installing AIDE

  1. To install the aide package:

    $ sudo dnf install aide
  2. To generate an initial database:

    $ sudo aide --init
    Start timestamp: 2018-07-11 12:35:47 +0200 (AIDE 0.16)
    AIDE initialized database at /var/lib/aide/aide.db.new.gz
    
    Number of entries:	150666
    
     ---------------------------------------------------
     The attributes of the (uncompressed) database(s):
     ---------------------------------------------------
    
    /var/lib/aide/aide.db.new.gz
      MD5      : 0isjEPsCORFk7laoGGz8tQ==
      SHA1     : j0aPLakWChM+TAuxfVIpy9nqBOE=
      RMD160   : nYyyx0AGZj4e5rwcz77afasXFrw=
      TIGER    : IBVo5A2A4En1kM6zDjD/MnlkN4QWeSOw
      SHA256   : YveypaI9c5PJNvPSZf8YFfjCMWfGUA8q
                 vyqLpLJWY0E=
      SHA512   : TiUYmHYflS3A+j17qw5mW78Fn2yXLpCF
                 1LE1/RhiqqtMn1MjkKDrr+3TE+/vWfa4
                 7253cDhNmC6hoFndkS67Xw==
    
    
    End timestamp: 2018-07-11 12:37:35 +0200 (run time: 1m 48s)
In the default configuration, the aide --init command checks just a set of directories and files defined in the /etc/aide.conf file. To include additional directories or files in the AIDE database, and to change their watched parameters, edit /etc/aide.conf accordingly.
  1. To start using the database, remove the .new substring from the initial database file name:

    $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  2. To change the location of the AIDE database, edit the /etc/aide.conf file and modify the DBDIR value. For additional security, store the database, configuration, and the /usr/sbin/aide binary file in a secure location such as a read-only media.

    To avoid SELinux denials after the AIDE database location change, update your SELinux policy accordingly. See the Changing SELinux states and modes guide for more information.

Performing Integrity Checks

To initiate a manual check:

$ sudo aide --check
Start timestamp: 2018-07-11 12:41:20 +0200 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	150667
  Added entries:		1
  Removed entries:		0
  Changed entries:		2

 ---------------------------------------------------
 Added entries:
 ---------------------------------------------------

f++++++++++++++++: /etc/cups/subscriptions.conf.O
...
[output truncated]

At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run daily. For example, to schedule a daily execution of AIDE at 04:05 a.m. use the cron command.

Add the following line to the /etc/crontab file:

 05 4 * * * root /usr/sbin/aide --check

Updating an AIDE Database

After verifying the changes of your system such as, package updates or configuration files adjustments, update your baseline AIDE database:

$ sudo aide --update

The aide --update command creates the /var/lib/aide/aide.db.new.gz database file. To start using it for integrity checks, remove the .new substring from the file name.

Recursos Adicionales

For additional information on AIDE, see the following documentation: