First Aide for Intrusion Detection

I was considering installing tripwire on a CentOS 5.1 install but I happened upon an article about 'aide' which also notifies the system admin about changes to core files (and thus possible intrusions) Of course any genuine newly installed software may also trigger differences in the aide database.

yum install aide

If not using SELinux then replace /etc/aide.conf with this conf file.
/usr/sbin/aide –init
### AIDE database at /var/lib/aide/ initialized.
cp /var/lib/aide/ /var/lib/aide/aide.db.gz
/usr/sbin/aide –check
Create a cron job:
vi /etc/cron.weekly/

/usr/sbin/aide –check | /bin/mail -s "Hostname Weekly Aide Data"

I got this info from this article.

If you get error messages such as:

File /usr/sbin/filename in databases has different attributes, 300000bbf,200000bbf

Check that you have the the correct aide.conf file and if you have run aide –init against that aide.conf that you have copied the to aide.db.gz.

Leave a Reply

  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>