IDS - AIDE

We use AIDE (Advanced Intrusion Detection Environment) for our IDS (Intrusion Detection System).

Here are a few notes on how to set it up.

yum install aide

aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide --check

aide --update

--init walks the filesystem according to /etc/aide.conf and writes the baseline to aide.db.new.gz; AIDE only ever reads aide.db.gz, so the mv is what makes the baseline live. --check compares the current filesystem against that baseline and reports anything added, removed or changed. --update does the same check but also writes a fresh aide.db.new.gz; move it over aide.db.gz (as above) only once you are satisfied the reported changes are legitimate, otherwise you have just baselined an intrusion. It is also worth keeping a copy of aide.db.gz, aide.conf and the aide binary somewhere an attacker on the box cannot rewrite them (read-only media or another host), since a database that lives only on the monitored system can be regenerated by whoever has root.

If you want it to monitor your website, you'll need to add a rule to /etc/aide.conf, something like:

/var/www/html/ CONTENT_EX

CONTENT_EX is one of the rule groups defined near the top of the stock aide.conf (a checksum plus permissions, owner, group and, on RHEL/CentOS, ACLs, SELinux context and xattrs); check which groups your config actually defines, or define your own. Anything under /var/www/html that the site writes to at runtime (upload or cache directories) will show up on every run, so either exclude those with a line starting with ! (e.g. !/var/www/html/uploads) or expect the noise.

Create a shell script to run it and e-mail over the results. Two things to be aware of: the script as written re-baselines the database as soon as it has mailed the report, so whatever changed becomes the new "known good" state without anyone confirming it was legitimate (drop the two update lines if you would rather do that by hand after reading the mail), and the working files go in a private mktemp directory rather than under fixed names in world-writable /tmp, where any local user could pre-create or symlink them.

cat > /var/log/aide/aidechk.sh
#!/bin/sh
# Daily AIDE check: mail the full report if anything differs from the baseline
DATE=`date +%Y-%m-%d`
REPORT="Aide-"$DATE.txt
WORKDIR=`mktemp -d` || exit 1
trap 'rm -rf "$WORKDIR"' EXIT

/usr/sbin/aide --check > $WORKDIR/aidecheck.txt 2>&1

/bin/grep "found differences" $WORKDIR/aidecheck.txt > $WORKDIR/$REPORT

if [ -s $WORKDIR/$REPORT ]
then

    mail -s "$REPORT `date` `hostname`" adam@adsar.co.uk < $WORKDIR/aidecheck.txt

    # accept the current state as the new baseline (see note above)
    /usr/sbin/aide --update
    mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

fi

Set permissions to execute

chmod +x /var/log/aide/aidechk.sh

And add it to your crontab

00 01 * * 0-6 /var/log/aide/aidechk.sh
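As an added example (this is not the script from the page), here is a variant of the same cron job that keys on AIDE's exit status and the counts in the report's Summary block instead of a single grep, and that deliberately never touches the database: re-baselining stays a manual step after someone has read the mail. The parsing is split into functions so it can be exercised against a constructed sample report without AIDE installed. Assumptions: an AIDE 0.16-style report layout, /usr/sbin/aide as the binary, and the usual mail(1) "-s subject recipient" interface; the sample report text and the file paths in it are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not the page's script. Functions first, real work only when
# invoked as "aidechk.sh run <address>" so the file can also be sourced.

# Constructed sample report (not real output from any host), in the shape
# AIDE prints when the filesystem has drifted from the database.
sample_report() {
    cat <<'EOF'
AIDE 0.16 found differences between database and filesystem!!
Start timestamp: 2021-05-02 01:00:01 +0100 (AIDE 0.16)

Summary:
  Total number of entries:      23841
  Added entries:                1
  Removed entries:              0
  Changed entries:              2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++++: /var/www/html/uploads/x.php

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...    .C... : /etc/passwd
f   ...    .C... : /var/www/html/index.php
EOF
}

# 0 if the report says the filesystem no longer matches the database.
aide_has_differences() {
    grep -q "found differences" "$1"
}

# Print "added removed changed" taken from the Summary block. The section
# headers further down ("Added entries:" with no number) do not match.
aide_counts() {
    awk '
        /^[[:space:]]*Added entries:[[:space:]]*[0-9]+/   { a = $NF }
        /^[[:space:]]*Removed entries:[[:space:]]*[0-9]+/ { r = $NF }
        /^[[:space:]]*Changed entries:[[:space:]]*[0-9]+/ { c = $NF }
        END { printf "%d %d %d\n", a, r, c }
    ' "$1"
}

# AIDE exits 0 when nothing changed, 1-7 (bit 1 added, 2 removed, 4 changed)
# when it found differences, and 14 or above on an error such as a missing
# or unreadable database. Returns 0 if a human needs to look at this run.
aide_needs_attention() {
    [ "$1" -ne 0 ] || aide_has_differences "$2"
}

# Subject line for the mail: counts from the report plus the host name,
# or an explicit error marker so a broken AIDE is not mistaken for "no changes".
aide_subject() {
    report="$1"; host="$2"; status="$3"
    if [ "$status" -ge 14 ]; then
        printf 'AIDE ERROR (exit %s) on %s\n' "$status" "$host"
        return
    fi
    set -- $(aide_counts "$report")
    printf 'AIDE: %s added, %s removed, %s changed on %s\n' "$1" "$2" "$3" "$host"
}

# The cron job proper: run the check, mail when warranted, leave the database
# alone. To accept changes, run "aide --update" and move aide.db.new.gz into
# place by hand after reading the report.
run_check() {
    mailto="$1"
    workdir=$(mktemp -d) || return 1
    trap 'rm -rf "$workdir"' EXIT
    report="$workdir/aide-$(date +%Y-%m-%d).txt"
    /usr/sbin/aide --check >"$report" 2>&1
    status=$?
    if aide_needs_attention "$status" "$report"; then
        mail -s "$(aide_subject "$report" "$(hostname)" "$status")" "$mailto" <"$report"
    fi
    return "$status"
}

if [ "${1:-}" = "run" ]; then
    run_check "${2:-root}"
fi
```

From cron this would be called as /var/log/aide/aidechk.sh run you@example.com (address hypothetical); because run_check returns AIDE's own exit status, cron's mail-on-nonzero behaviour gives you a second, independent signal if the mail command itself fails.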
