Debian 9: File integrity check with AIDE

This article describes AIDE, a file integrity checker.

1 Before installing AIDE

Install Postfix with this script.

2 Install AIDE

Install the aide package.

$ sudo apt install -y aide

3 Create database

Create the database with aideinit, which is a wrapper script for "aide --init". aideinit creates aide.db.new and copies it to aide.db.

/var/lib/aide/aide.db.new
/var/lib/aide/aide.db

Unlike AIDE in other distributions, the configuration file is not /etc/aide.conf but the following files. Because /etc/aide.conf does not exist, running aide directly will cause an error. The files under /etc/aide/aide.conf.d/ are the configuration files for various packages.

/etc/aide/aide.conf
/etc/aide/aide.conf.d/*

4 File integrity check

aide.wrapper --check checks file integrity. aide.wrapper --update checks file integrity and creates a new database, "aide.db.new", which needs to be copied to aide.db.

$ sudo aide.wrapper --check
<snip>
$ echo $?
0

If a file has changed, aide.wrapper returns a non-zero value.

$ sudo mv /usr/sbin/ip /usr/sbin/ip.orig
$ echo "modified" | sudo tee /usr/sbin/ip
$ sudo aide.wrapper --check
<snip>
$ echo $?
4
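The exit status is a bitmask, so the 4 above means changed files only. The following shell functions decode it; they are an added example, not part of the original article. The function names are hypothetical, and the status meanings are taken from the aide(1) manual.

```shell
#!/bin/sh
# Added example: decode the exit status of "aide.wrapper --check".
# Per the aide(1) manual, 1-7 is a bitmask:
#   1 = new files, 2 = removed files, 4 = changed files.
# 14-19 are AIDE errors (I/O error, invalid config line, ...),
# meaning the check itself did not complete.

# Hypothetical helper: print a short description of a status code.
aide_decode_status() {
    status=$1
    case "$status" in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;   # not a number
    esac
    if [ "$status" -eq 0 ]; then
        echo "clean"
    elif [ "$status" -le 7 ]; then
        out=""
        if [ $(( status & 1 )) -ne 0 ]; then out="${out}new "; fi
        if [ $(( status & 2 )) -ne 0 ]; then out="${out}removed "; fi
        if [ $(( status & 4 )) -ne 0 ]; then out="${out}changed "; fi
        echo "${out% }"                            # strip trailing space
    elif [ "$status" -ge 14 ] && [ "$status" -le 19 ]; then
        echo "error"
    else
        echo "unknown"
    fi
}

# Hypothetical helper: succeed when the status needs a human to look.
# A failed check is not a clean check, so errors count as well.
aide_needs_attention() {
    [ "$(aide_decode_status "$1")" != "clean" ]
}

# Constructed sample statuses; 0 and 4 are the two shown in this article.
for s in 0 4 5 17; do
    printf '%s -> %s\n' "$s" "$(aide_decode_status "$s")"
done

# Real use, right after the check:
#   sudo aide.wrapper --check; aide_decode_status $?
```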

Running the cron job "/etc/cron.daily/aide" is better.

$ sudo /etc/cron.daily/aide

5 Cron job which runs aide

This cron job runs "aide.wrapper --update", copies the created "aide.db.new" to aide.db and sends an email.

/etc/cron.daily/aide

The configuration file for this cron job is the following. The email address is ${MAILTO}@${FQDN}.

/etc/default/aide

If FQDN is not defined in /etc/default/aide, FQDN is set to the value of "hostname -f". This article sets FQDN to localhost. The default value of MAILTO is root.

$ sudo sed -e 's/^# FQDN=/FQDN=localhost/g' -i /etc/default/aide

After this, the cron job will send email to root@localhost once a day. You can send the email to Gmail with a Postfix setting.