AIDE (Advanced Intrusion Detection Environment) helps track file integrity by comparing a 'snapshot' of the system's files taken before a suspected incident with the state of the files afterwards. It is a free, open-source alternative to Tripwire. AIDE stores in a database a set of attributes for each monitored file, such as permissions, owner, size, inode number, mtime, ctime, and number of links. The database must be built before two things occur:
- before the system is placed on a network; and,
- before the system is compromised.
A baseline built after either of these records whatever an intruder has already changed as "normal", so it cannot be trusted to show what the intruder did.
For stronger detection, AIDE can also record a checksum of each file's contents, with a choice of several hash algorithms; prefer sha256 or sha512 over md5 or sha1. Attributes like mtime and size can be restored by an attacker after a file is altered (for example with touch), but a content hash will still show the change.
The idea behind AIDE and other host-based IDSs is for the snapshot to be taken and then periodically updated as the system is updated. Patches, hardware and other software installs tend to change the size and nature of files, so it is always a good idea to re-run AIDE after making changes and refresh the baseline once the changes have been reviewed. If the administrator then suspects that a system has been compromised, running AIDE and comparing the current state against the baseline will help the admin home in on what happened. Doing so without the original snapshot is difficult at best. Because an intruder with root on the host can alter the database, the aide binary and its configuration just as easily as any other file, keep a copy of all three on read-only media or on another host and compare against that copy when investigating.
AIDE is packaged by most Linux distributions. To begin using it, review /etc/aide.conf (the path varies by distribution) and make sure the database locations and the list of directories and attributes to monitor are right for your environment. Then initialize the database with the command
aide --init
(the short form is aide -i). AIDE writes the new database to the path given by the output-database directive in aide.conf, typically /var/lib/aide/aide.db.new.gz. AIDE does not install it for you: copy or rename it to the input-database path (typically /var/lib/aide/aide.db.gz) before running a check, or the check will fail for lack of a baseline.
Once the database is in place, run a comparison using the --check switch. I set this up as a cron job to run daily (you can run it more or less often as you feel necessary). The command is
aide --check >/tmp/aide.log
Then I have aide.log mailed to me for review. If nothing has changed, the report is short and the comparison is simple to read. Over time the system will have changes made, and you can use this log file to review changes as they occur. Note that /tmp is world-writable, so a production job should write the report somewhere only root can read, such as /var/log/aide/. The exit status of aide --check is non-zero whenever a difference is found, which makes it easy for the cron job to flag the report. Periodically, as the volume of change from the initial snapshot grows, update your snapshot using the following command
aide --update
(the short form is aide -u). This runs a check and writes a fresh database to the output path; promote it to the input path the same way as after --init, once you have reviewed the report and confirmed the changes are yours.
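As an added example (not from the original page and not part of AIDE itself), here is a small POSIX sh wrapper that turns the steps above into a cron-ready job: it runs the daily check, summarizes the result in the mail subject, and promotes a freshly built database after --init or --update while keeping the previous baseline as a dated backup. It assumes Debian-style database paths under /var/lib/aide (override with AIDE_DB and AIDE_DB_NEW), a mail command that accepts -s, and AIDE's documented exit status (0 for no changes; bits 1, 2 and 4 for new, removed and changed files; 14 and above for errors). The function and variable names are my own.

```shell
#!/bin/sh
# Added example: daily AIDE check wrapper and baseline promotion.
# Assumed paths and names; adjust to match your aide.conf.
AIDE_DB=${AIDE_DB:-/var/lib/aide/aide.db.gz}              # input database in aide.conf
AIDE_DB_NEW=${AIDE_DB_NEW:-/var/lib/aide/aide.db.new.gz}  # output database in aide.conf
AIDE_LOG=${AIDE_LOG:-/var/log/aide/aide-$(date +%F).log}  # root-only, not /tmp
MAILTO=${MAILTO:-root}

# Translate AIDE's exit status into words. The low three bits are flags and
# may be combined (for example 5 = new files and changed files); anything
# above 7 is an error, not a finding.
classify_aide_status() {
    st=$1
    if [ "$st" -eq 0 ]; then echo "no changes"; return 0; fi
    if [ "$st" -gt 7 ]; then echo "error (exit $st)"; return 1; fi
    out=""
    [ $((st & 1)) -ne 0 ] && out="${out}new files; "
    [ $((st & 2)) -ne 0 ] && out="${out}removed files; "
    [ $((st & 4)) -ne 0 ] && out="${out}changed files; "
    echo "${out%; }"
    return 0
}

# After `aide --init` or `aide --update` the new baseline sits at the output
# path; AIDE does not replace the input database for you. Keep the previous
# baseline as a dated backup so a mistaken update can be rolled back, then
# move the new one into place readable by root only.
promote_database() {
    new=${1:-$AIDE_DB_NEW}
    cur=${2:-$AIDE_DB}
    [ -f "$new" ] || { echo "no new database at $new" >&2; return 1; }
    if [ -f "$cur" ]; then
        mv "$cur" "$cur.$(date +%Y%m%d%H%M%S).bak" || return 1
    fi
    mv "$new" "$cur" && chmod 0600 "$cur"
}

# Run the daily comparison, keep the report, and mail it with a one-line
# verdict in the subject so unchanged days are easy to skim past. The exit
# status of aide is returned so cron can see the non-zero result as well.
run_daily_check() {
    mkdir -p "$(dirname "$AIDE_LOG")"
    aide --check >"$AIDE_LOG" 2>&1
    st=$?
    verdict=$(classify_aide_status "$st")
    mail -s "AIDE $(uname -n): $verdict" "$MAILTO" <"$AIDE_LOG"
    return "$st"
}

# Usage: aide-job.sh check    (from cron, e.g. daily)
#        aide-job.sh promote  (after reviewing an --init or --update run)
case "${1:-}" in
    check)   run_daily_check ;;
    promote) promote_database ;;
esac
```

Run promote only after you have read the report from --update and are satisfied that every listed change is one you made; promoting blindly turns an intruder's edits into the new baseline.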