
Aide Notes

https://www.tecmint.com/check-integrity-of-file-and-directory-using-aide-in-linux/

AIDE (Advanced Intrusion Detection Environment) is a host-based file integrity checker: it records hashes and attributes of files in a database and reports any file that has changed, been added, or been removed since that database was built.

Basic Usage

Initialize the very first DB at /var/lib/aide/aide.db.new.gz

aide --init

Check the current file system against the DB

aide --check

Update the DB based on the file system

aide --update

Show extra debugging

aide --verbose=255

Best Practices

  1. Create a database against which future checks are performed: aide --init
  2. Move the database to read-only media. The config file and the AIDE binary should also be stored on read-only media. This read-only media should only be accessible during the scan.
  3. Check the current files against the read-only init DB: aide --check
  4. Make adjustments to the config file if needed and update the AIDE DB with aide --update. This creates a new DB, which should be placed on the read-only media along with the new config file.

Splunk

https://community.splunk.com/t5/Getting-Data-In/Splunk-and-AIDE-How-do-I-ignore-the-first-line-of-an-AIDE-log/m-p/307082

Add context to the log file

https://www.oldlogsnewtricks.com/post/best-practice-enriched-log-paths

# only the hash field of md5sum is used and the date is ISO formatted, so the path has no spaces or slashes; % must be escaped in crontab
14 * * * * /sbin/aide --check >> "/var/log/aide_$(rpm -qa aide)_$(md5sum /etc/aide.conf | cut -d' ' -f1)_aide-$(date +\%F).log"

aide --check >> /var/log/aide/aide-$(date +%s).log

Prep Aide logs for Splunk

https://github.com/jls3tech/AIDE-Handler/blob/master/aide_Runv3.sh

grep -E 'changed|added|removed' /var/log/aide/aide-1600126273.log | sed -E 's/://g; s/ /,/g' >> /var/log/aide/splunk-log
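The enriched log path and the Splunk CSV prep above, put together as an added example (my own script, not from the linked sources). It assumes the non-summarised AIDE report format (summarize_changes=no), where each finding is printed as "changed: /path", "added: /path" or "removed: /path"; the sample report and config are constructed inline so it runs without AIDE installed.

```shell
#!/bin/sh
# Added example: enriched AIDE log path plus CSV extraction for Splunk.
# Function names are this example's own, not part of AIDE.

# Build the enriched log file name: package version, md5 of the config
# that produced the run, and the run date. Only the hash field of md5sum
# is kept and the date is ISO formatted, so the path contains no spaces.
aide_log_path() {
    conf="$1"; version="$2"; day="$3"
    conf_md5=$(md5sum "$conf" | cut -d' ' -f1)
    printf '/var/log/aide_%s_%s_aide-%s.log\n' "$version" "$conf_md5" "$day"
}

# Turn an AIDE report into "status,path" CSV lines. grep -E is required:
# with a basic regex '|' is a literal character and nothing matches.
# Anchoring on the lowercase status keeps the "Changed entries:" summary
# lines out of the CSV.
aide_report_to_csv() {
    grep -E '^(changed|added|removed): ' "$1" \
        | sed -E 's/^([a-z]+): +(.*)$/\1,\2/'
}

# Constructed sample report and config (not output from any real host).
tmp=$(mktemp -d)
cat > "$tmp/aide-1600126273.log" <<'EOF'
AIDE found differences between database and filesystem!!
Start timestamp: 2020-09-14 22:31:13
Summary:
  Total number of entries:      1234
  Added entries:                1
  Removed entries:              1
  Changed entries:              2

added: /etc/cron.d/nightly
removed: /usr/local/bin/old-tool
changed: /etc/passwd
changed: /usr/bin/ssh
EOF
printf 'database=file:/var/lib/aide/aide.db.gz\n' > "$tmp/aide.conf"

aide_log_path "$tmp/aide.conf" "aide-0.16" "2020-09-14"
aide_report_to_csv "$tmp/aide-1600126273.log"
```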

Splunk Search

index=os sourcetype=aide