Detect Intrusion and Check Linux File System Integrity with AIDE

Nov 11, 2015 Linux, Security

If you suspect that your system was compromised and that files or their permissions were modified by the intruder, you can use AIDE to check the file system for such modifications.

AIDE (Advanced Intrusion Detection Environment) is a file integrity checker and host-based intrusion detection tool. AIDE scans the system while it is in a known good state, collects the attributes of the files it is configured to watch (permissions, ownership, size, timestamps, inode number, checksums and so on) and writes them to a database. Once the database has been initialized it can be used to verify the integrity of those files whenever a compromise is suspected: any attribute that differs from the recorded value is reported.

In this tutorial we show how to install and deploy AIDE on CentOS/Fedora/Red Hat.

Steps:

1. Install AIDE

[root@tuxfixer ~]# yum install aide

2. Edit the config file (optional)

[root@tuxfixer ~]# vim /etc/aide.conf

Note: in this tutorial we use the default values.

3. Build the initial database of the file system

[root@tuxfixer ~]# aide -i

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

Note: this can take a while

4. Store the initial database in a safe place
Copy the initial database file (and, ideally, /etc/aide.conf and the aide binary itself) to a location the intruder cannot write to: read-only media, a backup disk, a remote host, etc. A database that stays only on the compromised host can simply be regenerated by the intruder once they are done, in which case AIDE will report nothing.

5. Copy the initial database file to its expected name

[root@tuxfixer ~]# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Note: during the integrity check AIDE reads /var/lib/aide/aide.db.gz (the database= entry in /etc/aide.conf), while aide -i writes to /var/lib/aide/aide.db.new.gz (the database_out= entry). The two names differ on purpose, so that a check never silently runs against a freshly generated database; copying the file into place is a deliberate act.

6. Verify file system integrity with AIDE

[root@tuxfixer ~]# aide -C
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2015-11-11 17:02:06

Summary:
  Total number of files:	233470
  Added files:			0
  Removed files:		0
  Changed files:		1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /opt/teamviewer/logfiles/TeamViewer10_Logfile.log

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /opt/teamviewer/logfiles/TeamViewer10_Logfile.log
 Size     : 234313                           , 234951
 Mtime    : 2015-11-11 15:01:01              , 2015-11-11 17:01:02
 Ctime    : 2015-11-11 15:01:01              , 2015-11-11 17:01:02
 SHA256   : tzKFXGZuwCOPQmTC5xVp2kUN0phQ78t3 , bx5f9mkZIv4ZQrEkVB3uxHqXQf6IX9zc
 SHA512   : lu3Iavm/Jbx1hY2safy7ws1eIRzLi8Ug , eyV/xlwVlUD/Ttssn4XPQO5fNqL84ngP

Note: verification can take a while. After almost every check AIDE detects some differences against the initial database. That is normal, because some files on the system (e.g. log files) are modified constantly; pay attention instead to differences in important/critical files (e.g. files under /etc, /root, /boot, /usr/bin and /usr/sbin). Once you have reviewed the changes and are sure they are legitimate (a package update, for instance), refresh the baseline with aide -u, which writes a new /var/lib/aide/aide.db.new.gz; then copy it to /var/lib/aide/aide.db.gz and to your safe location exactly as in steps 4 and 5.

Results are also written to /var/log/aide/aide.log (the report_url= entries in /etc/aide.conf control where the report goes).

[root@tuxfixer ~]# tail -f /var/log/aide/aide.log
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2015-11-11 17:02:06

Summary:
  Total number of files:	233470
  Added files:			0
  Removed files:		0
  Changed files:		1
...
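The whole procedure from steps 3 to 6, together with the advice in the note about ignoring log churn and refreshing the baseline, as one script. This is an added example written for this page, not code from the AIDE project or the original post. SAFE_DIR, CRITICAL_DIRS and the report file names are assumptions; the report parser expects the AIDE 0.15-style "changed: /path" lines shown in step 6 (the line format changed in AIDE 0.16), and the sample report at the bottom is constructed so the filter can be exercised without running aide.

```shell
#!/bin/sh
# Added example (not part of the original post): a small wrapper around the
# AIDE workflow from steps 3-6. Database paths follow the CentOS defaults;
# SAFE_DIR and CRITICAL_DIRS are assumptions you should adjust.

AIDE_DB=/var/lib/aide/aide.db.gz          # database=     in /etc/aide.conf
AIDE_DB_NEW=/var/lib/aide/aide.db.new.gz  # database_out= in /etc/aide.conf
SAFE_DIR=${SAFE_DIR:-/mnt/backup/aide}    # assumed: read-only or remote mount
CRITICAL_DIRS="/etc /root /boot /usr/bin /usr/sbin /usr/lib64"

# Steps 3-5: build the baseline, install it as aide.db.gz, and keep a copy plus
# SHA-256 sums of the database, the config and the aide binary somewhere the
# intruder cannot write. Whoever can rewrite aide.db.gz, aide.conf or
# /usr/sbin/aide can make every later check pass.
aide_init() {
    aide -i && cp "$AIDE_DB_NEW" "$AIDE_DB" || return 1
    mkdir -p "$SAFE_DIR" || return 1
    cp "$AIDE_DB" "$SAFE_DIR/aide.db.gz"
    sha256sum "$AIDE_DB" /etc/aide.conf /usr/sbin/aide > "$SAFE_DIR/aide.sha256"
}

# Check the on-host database, config and binary against the stored sums
# before trusting any report they produce.
aide_verify_trust() {
    sha256sum -c --quiet "$SAFE_DIR/aide.sha256"
}

# Filter an AIDE 0.15-style report ("added: /path", "removed: /path",
# "changed: /path") down to entries under CRITICAL_DIRS. Prints the matching
# lines; returns 0 if there were any, 1 if not (the same convention as grep).
critical_changes() {
    awk -v dirs="$CRITICAL_DIRS" '
        BEGIN { n = split(dirs, d, " ") }
        /^(added|removed|changed): / {
            for (i = 1; i <= n; i++)
                if ($2 == d[i] || index($2, d[i] "/") == 1) { print; hit = 1; break }
        }
        END { exit (hit ? 0 : 1) }
    ' "$1"
}

# Step 6: run the check, save the full report, and escalate only when a
# critical path changed. AIDE exits with a bitmask (1 added, 2 removed,
# 4 changed) when it finds differences, so a non-zero status alone is noise.
aide_check() {
    report=$(mktemp /tmp/aide-report.XXXXXX) || return 2
    if ! aide_verify_trust; then
        echo "aide database/config/binary do not match $SAFE_DIR/aide.sha256" >&2
        return 2
    fi
    status=0
    aide -C > "$report" || status=$?
    if critical_changes "$report"; then
        echo "ALERT: changes under critical paths, full report in $report" >&2
        return 1
    fi
    echo "no changes under critical paths (aide status $status, report in $report)"
    return 0
}

# After reviewing legitimate changes (a package update, say): refresh the
# baseline and redo the bookkeeping from aide_init on the new database.
aide_update() {
    aide -u        # writes a fresh aide.db.new.gz from the current file system
    cp "$AIDE_DB_NEW" "$AIDE_DB" || return 1
    cp "$AIDE_DB" "$SAFE_DIR/aide.db.gz"
    sha256sum "$AIDE_DB" /etc/aide.conf /usr/sbin/aide > "$SAFE_DIR/aide.sha256"
}

# Constructed sample report in the format shown in step 6, used to exercise
# critical_changes without running aide: one noisy log entry and two hits.
sample_report() {
    cat <<'EOF'
AIDE 0.15.1 found differences between database and filesystem!!
changed: /opt/teamviewer/logfiles/TeamViewer10_Logfile.log
changed: /etc/passwd
added: /root/.ssh/authorized_keys
EOF
}

# Usage: ./aide-wrap.sh init | check | update, or "demo" to filter the sample.
case "${1:-}" in
    init)   aide_init ;;
    check)  aide_check ;;
    update) aide_update ;;
    demo)   sample_report > /tmp/aide-sample.txt && critical_changes /tmp/aide-sample.txt ;;
esac
```

Run "check" from cron and alert on exit status 1 or 2: status 1 means something under a critical path changed, status 2 means the database, config or binary on the host no longer matches the copy in SAFE_DIR, which is the more alarming of the two because it is exactly what an intruder who knows about AIDE would tamper with first.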
