
Aide Notes

Check Integrity of File and Directory Using “AIDE” in Linux

AIDE (Advanced Intrusion Detection Environment) is a host-based file integrity checker: it records hashes and attributes of files in a database and reports which files were added, removed, or changed when the live file system is compared against that database.

Basic Usage

# Initialize the very first DB at `/var/lib/aide/aide.db.new.gz`
aide --init

# Check the current file system against the DB
aide --check

# Update the DB based on the file system (writes a new DB, does not overwrite the current one)
aide --update

# Show extra debugging
aide --verbose=255

Best Practices

  1. Create a database against which future checks are performed: aide --init
  2. Move the database to read-only media. The config file and the AIDE binary should also be moved to read-only media. This read-only media should only be accessible during the scan.
  3. Check the current files against the read-only init DB: aide --check
  4. Make adjustments to the conf file if needed and update the AIDE DB with aide --update. This will create a new DB. This new DB should be placed on the read-only media along with the new config file.

Splunk

Splunk and AIDE -- How do I ignore the first line of an AIDE log file?

Add context to the log file

Splunk: Best Practice - Enriched log paths

# Hourly check; the log name records the AIDE package version, the config hash and the run time.
# Only the hash field of md5sum is kept (its raw output contains a space and the file path),
# the date is an epoch value, and % is escaped because cron treats an unescaped % as a newline.
14 * * * * /sbin/aide --check >> /var/log/aide_$(rpm -qa aide)_$(md5sum /etc/aide.conf | cut -d' ' -f1)_aide-$(date +\%s).log

# Simpler variant run from a shell rather than cron
aide --check >> /var/log/aide/aide-$(date +%s).log

Prep Aide logs for Splunk

AIDE-Handler aide_Runv3

grep -E 'changed|added|removed' /var/log/aide/aide-1600126273.log | sed 's/://g; s/ /,/g' >> /var/log/aide/splunk-log
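The grep/sed pipeline above strips every colon and turns every space into a comma, so a path such as `/usr/local/bin/new tool` is broken across fields. The following added example (not part of the original notes) parses the same `action: path` report lines into JSON events that keep the path intact and carry the host and config-hash context the cron log name above encodes; the report text and the host name are constructed for illustration.

```python
import json
import re

# Constructed sample of an AIDE --check report in the "action: path" line style
# that the grep pipeline above expects; it is not output from a real run.
SAMPLE_REPORT = """\
AIDE found differences between database and filesystem!!
Start timestamp: 2020-09-14 23:31:13

Summary:
  Total number of files:    4213
  Added files:              1
  Removed files:            1
  Changed files:            2

Added files:
added: /usr/local/bin/new tool

Removed files:
removed: /etc/cron.d/old-job

Changed files:
changed: /etc/passwd
changed: /etc/ssh/sshd_config
"""

# Only lines of the form "<action>: <path>" are change records; summary and
# section headers are capitalised, so the anchored case-sensitive match skips them.
CHANGE_LINE = re.compile(r"^(added|removed|changed): (.+)$")

def parse_aide_report(text):
    """Return one {'action', 'path'} dict per change line. Paths keep their
    spaces and colons, which the sed 's/://g; s/ /,/g' pipeline would mangle."""
    return [{"action": m.group(1), "path": m.group(2)}
            for m in map(CHANGE_LINE.match, text.splitlines()) if m]

def summarize(events):
    """Count events per action; a clean check yields all zeros."""
    counts = {"added": 0, "removed": 0, "changed": 0}
    for event in events:
        counts[event["action"]] += 1
    return counts

def to_splunk_lines(events, host, aide_conf_md5):
    """Emit one JSON object per line with host and config hash as fields,
    the context the cron log file name above tries to encode in its path."""
    return [json.dumps({"host": host, "aide_conf_md5": aide_conf_md5, **event},
                       sort_keys=True) for event in events]
```

Appending these lines to the Splunk-bound log lets the `index=os sourcetype=aide` search below filter on `action`, `path` and `aide_conf_md5` as extracted JSON fields.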

Splunk Search

index=os sourcetype=aide