# Aide Notes

https://www.tecmint.com/check-integrity-of-file-and-directory-using-aide-in-linux/

AIDE is used to check hashes on files.

# Basic Usage

Initialize the very first DB at /var/lib/aide/aide.db.new.gz

`aide --init`

Check the current file system against the DB

`aide --check`

Update the DB based on the file system

`aide --update`

Show extra debugging

`aide --verbose=255`

# Best Practices

1. Create a database against which future checks are performed: `aide --init`
2. Move the database to read-only media. The config file and the AIDE binary should also be moved to read-only media. This read-only media should only be accessible during the scan.
3. Check the current files against the read-only init DB: `aide --check`
4. Make adjustments to the conf file if needed and update the AIDE DB with `aide --update`. This creates a new DB, which should be placed on the read-only media along with the new config file.

# Splunk

https://community.splunk.com/t5/Getting-Data-In/Splunk-and-AIDE-How-do-I-ignore-the-first-line-of-an-AIDE-log/m-p/307082

## Add context to the log file

https://www.oldlogsnewtricks.com/post/best-practice-enriched-log-paths

Cron entry that encodes the AIDE package version, the config file hash and the run date in the log file name (the md5sum output is cut to the hash alone so the file name does not pick up the config path, and `%` is escaped because cron treats a bare `%` as a newline):

```
14 * * * * /sbin/aide --check >> "/var/log/aide_$(rpm -qa aide)_$(md5sum /etc/aide.conf | cut -d' ' -f1)_aide-$(date +\%F).log"
```

Or, more simply, with an epoch timestamp in the file name:

```
aide --check >> /var/log/aide/aide-$(date +%s).log
```

## Prep Aide logs for Splunk

https://github.com/jls3tech/AIDE-Handler/blob/master/aide_Runv3.sh

Keep only the `changed`/`added`/`removed` lines, drop the colons and turn spaces into commas so Splunk gets a comma-separated line per file:

```
grep -E 'changed|added|removed' /var/log/aide/aide-1600126273.log | sed -r 's/://g; s/ /,/g' >> /var/log/aide/splunk-log
```

## Splunk Search

`index=os sourcetype=aide`
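As an added example, not taken from these notes or from the AIDE-Handler script, the following shell function goes one step beyond the grep/sed one-liner: it turns an AIDE report into CSV rows that carry the run timestamp and the section (added/removed/changed) on every row, and it skips the "Detailed information about changes:" block whose `File: /path` lines would otherwise be counted twice. It assumes the AIDE 0.16-style report layout shown in the constructed sample.

```shell
#!/bin/sh
# Added example: convert an AIDE --check report into CSV rows
# (timestamp,section,flags,path) for Splunk field extraction.
# Assumes the AIDE 0.16-style layout: section headers on their own line
# and a "Detailed information about changes:" block at the end.

aide_report_to_csv() {
    awk '
        /^Start timestamp: / { ts = substr($0, 18); next }
        /^Added entries:$/   { sec = "added";   next }
        /^Removed entries:$/ { sec = "removed"; next }
        /^Changed entries:$/ { sec = "changed"; next }
        # "File: /path" lines in the detailed block must not be re-emitted.
        /^Detailed information/ { sec = ""; next }
        # Entry lines: a type letter plus attribute flags, then ": /path".
        sec != "" && /^[A-Za-z].*: \// {
            i = index($0, ": /")
            flags = substr($0, 1, i - 1); gsub(/[ \t]+$/, "", flags)
            path = substr($0, i + 2);     gsub(/"/, "\"\"", path)
            printf "%s,%s,%s,\"%s\"\n", ts, sec, flags, path
        }' "$@"
}

# Constructed sample report, so the function runs without an aide binary.
SAMPLE_REPORT='AIDE 0.16 found differences between database and filesystem!!
Start timestamp: 2020-09-15 00:11:13
Summary:
  Added entries:                1
  Removed entries:              1
  Changed entries:              2
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /etc/cron.d/new-job
---------------------------------------------------
Removed entries:
---------------------------------------------------
f----------------: /usr/bin/old-tool
---------------------------------------------------
Changed entries:
---------------------------------------------------
f   ...    .C... : /etc/passwd
f   ...    .C... : /usr/bin/ssh
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/passwd
  SHA256   : 000000000000000000000000000000000000 | 111111111111111111111111111111111111'

printf '%s\n' "$SAMPLE_REPORT" | aide_report_to_csv
```

Feed real reports with `aide_report_to_csv /var/log/aide/aide-*.log >> /var/log/aide/splunk-log`; the four fields can then be named in a Splunk field extraction for the `aide` sourcetype.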