
AIDE Configuration and Logger Report

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 4 min read

Summary:

This post summarizes a guide to setting up AIDE, an open-source file integrity checker, on a Linux server and to reporting on its scans. It covers installation, narrowing `/etc/aide.conf` to the files and directories that matter, creating a baseline with `aide --init`, running periodic `aide --check` runs against that baseline, and a methodical way to promote a new baseline. The logger report section walks through a sample report in which changes under root's home directory (`/root`) were detected: modified timestamps (Mtime and Ctime), checksums, sizes, link counts and inode numbers, consistent with routine activity in root's environment. The source document advises against reading the AIDE log with ArcSight's File Transfer receiver because of its format and instead uses a syslog file reader connector. The report identifies added, changed and removed files without any analysis of file contents. Entries include the time of the check, the number of files checked and the counts of added, changed and removed files; file names are not consistently reported. The connector maps the log onto the fields `deviceVendor`, `deviceProduct`, `name` (the kind of change) and `filename`. This is enough to see which system objects AIDE flagged, though not why they changed.

Details:

The document provides a guide on how to configure and run AIDE (Advanced Intrusion Detection Environment), an open-source file and directory integrity checker, on a Linux server. Here's a summarized breakdown of its contents:

### UseCase

**Objective:** Configure AIDE and report on the output of the AIDE system scans.

### Setup and Run AIDE

1. **Installation:**

  • Install AIDE with yum (`yum install aide` on Red Hat-based systems) or download the source and build it on the Linux server.

2. **Configuration File:**

  • The packaged `/etc/aide.conf` covers most of the filesystem. Narrow its selection lines to the files and directories that actually need monitoring; this keeps both the scan time and the report short, and it is the reason the sample report later in the document is so small.

3. **Initialization and Checking:**

  • Initialize AIDE with `aide --init` to create a baseline database of the configured files.

  • Run integrity checks against the baseline with `aide --check`; the report goes to the `report_url` destination in the configuration, `/var/log/aide/aide.log` on this system.

4. **Updating Baseline (Alternative Method):**

  • `aide --init` writes the new database to `/var/lib/aide/aide.db.new.gz`, while `aide --check` reads `/var/lib/aide/aide.db.gz`. To accept the current filesystem state as the new baseline, run `aide --init` again and copy the new database over the old one with `cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz`. `aide --update` can do the check and write a new database in one step (see the man page), but the document recommends the two-step approach because the explicit copy makes the promotion of a new baseline a deliberate act.
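
The four steps above as one runnable script. This is an added example, not code from the original document: it assumes the Red Hat layout the document implies (`/etc/aide.conf`, `/var/lib/aide/aide.db.gz`, `/var/log/aide/aide.log`), and the `SCOPED` rule together with the choice of `/etc` and `/root` as the monitored trees is an illustrative assumption. It goes slightly beyond the text by keeping a dated copy of the old baseline before a new one is promoted and by decoding AIDE's exit status.

```shell
#!/bin/sh
# Added example (not from the original document): the configure / init /
# promote / check cycle wrapped in functions so it can be run from cron.
# Paths are the Red Hat layout (/etc/aide.conf, /var/lib/aide, /var/log/aide);
# the rule set written by aide_write_scoped_conf is an illustrative assumption.
set -u

AIDE_DB_DIR="${AIDE_DB_DIR:-/var/lib/aide}"

# Configuration step: write a scoped aide.conf so only /etc and /root are
# recorded. Takes the output path as an argument so the file can be reviewed
# before it replaces /etc/aide.conf. Recent AIDE releases spell "database="
# as "database_in="; both name the database that --check reads.
aide_write_scoped_conf() {
    cat > "$1" <<'EOF'
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
gzip_dbout=yes
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout

# p=permissions i=inode n=link count u/g=owner/group s=size m=mtime c=ctime
SCOPED = p+i+n+u+g+s+m+c+md5+rmd160+sha256

# Selection lines: only these trees are walked by --init and --check
/etc  SCOPED
/root SCOPED
!/root/\.cache
EOF
}

# Initialization step: aide --init writes aide.db.new.gz, never aide.db.gz,
# so the new database must be promoted before --check will use it.
aide_init_baseline() {
    aide --init
}

# Baseline update step: promote the new database, keeping a dated copy of the
# previous baseline so a re-init run after a compromise cannot silently
# erase the only known-good state.
aide_promote_baseline() {
    db_dir="${1:-$AIDE_DB_DIR}"
    new="$db_dir/aide.db.new.gz"
    cur="$db_dir/aide.db.gz"
    [ -f "$new" ] || { echo "no $new; run aide --init first" >&2; return 1; }
    [ -f "$cur" ] && cp -p "$cur" "$cur.$(date +%Y%m%d%H%M%S)"
    cp -p "$new" "$cur"
}

# AIDE encodes its findings in the exit status: 1 = added, 2 = removed,
# 4 = changed files, combined bitwise (5 = added and changed); values above 7
# are errors (configuration, I/O, database version), not findings.
aide_describe_rc() {
    rc="$1"
    if [ "$rc" -eq 0 ]; then echo "no differences"; return 0; fi
    if [ "$rc" -gt 7 ]; then echo "error (exit $rc)"; return 0; fi
    out=""
    [ $((rc & 1)) -ne 0 ] && out="$out added"
    [ $((rc & 2)) -ne 0 ] && out="$out removed"
    [ $((rc & 4)) -ne 0 ] && out="$out changed"
    echo "${out# }"
}

# Checking step: run against the current baseline and summarise the result.
aide_check() {
    aide --check
    rc=$?
    echo "aide --check finished: $(aide_describe_rc "$rc")" >&2
    return "$rc"
}

# Usage: sh aide_cycle.sh init   (first run: build and promote a baseline)
#        sh aide_cycle.sh check  (from cron: verify against the baseline)
case "${1:-}" in
    init)  aide_init_baseline && aide_promote_baseline ;;
    check) aide_check ;;
esac
```

The script deliberately never calls `aide --update`: with the two-step flow, a check that reports findings leaves the old baseline untouched until someone runs `init` again, so an attacker's changes cannot become the new reference simply because a scheduled job ran.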

### Logger Report

1. **Sample Log File:**

  • When AIDE is configured to monitor a limited set of files and directories, the report is short. In this sample it lists only added and changed files; no removed files were reported.

2. **Content Example (from `/var/log/aide/aide.log`):**

  • The report opens by stating that differences were found between the database and the filesystem.

  • Provides timestamps for when the check started.

  • Summarizes the number of files added, removed, and changed:

    • Total files: 96314

    • Added files: 3 (`/root/sqlnet.log`, `/root/testfile`, `/root/testdir`)

    • Changed files: 6

  • Lists the specific paths of added and changed files.

This document serves as a user manual for setting up and interpreting AIDE scans, which is crucial for maintaining system integrity and detecting unauthorized modifications or intrusions. The detailed section of the report concerns changes to files and directories under root's home directory, `/root` (not the filesystem root `/`). Here's a summary of what changed:

1. **Directories and Files Affected:**

  • **/root**: The directory's modification time (Mtime) and inode change time (Ctime) were updated several times, and its link count rose from 20 to 21, consistent with the creation of the subdirectory `/root/testdir` listed among the added files. Note that Ctime is not a creation time: it is bumped whenever the inode's metadata (permissions, ownership, link count) or content changes, which is why it shows up on entries whose content did not change.

  • **/root/.gnome2_private**: Only the inode change time (Ctime) was modified, at two different points in time; no size or content change was reported.

  • **/root/.viminfo**: The file's size and modification time changed, along with its inode number and its MD5 and RMD160 checksums. A new inode number means the file was replaced rather than edited in place, which is what happens when a program writes a new file and renames it over the old one.

  • **/root/.rhn-applet.conf**: Only the modification time (Mtime) changed; this is the configuration file of the Red Hat Network applet.

  • **/root/.gconfd** and **/root/.gconfd/saved_state**: Both had their modification and inode change times updated, and the MD5 and RMD160 checksums of the `saved_state` file changed.

2. **File Details:**

  • **/root/.viminfo**: The size changed from 4684 bytes to a new value, and the MD5 and SHA-256 checksums changed accordingly.

  • **/root/.rhn-applet.conf**: The modification time was updated; the report carries no information about what in the content changed, because AIDE records metadata and checksums, not content.

  • **/root/.gconfd/saved_state**: Its modification and inode change times changed more than once, and its MD5, RMD160 and SHA-256 checksums changed.

3. **Additional Information:**

  • A syslog file reader connector for AIDE was installed from a URL given in the document, using the properties listed on that page (the URL is not reproduced here).

Taken together, these changes look like routine updates to root's environment, made by automated scripts or by manual work in root's shell. The report alone cannot tell the two apart, nor distinguish them from an intrusion; that is why the changed paths are listed for an analyst to review rather than judged by the tool. The second part describes the content and limitations of the AIDE log as seen by the connector, following the `ck.arcsight.com/docs/DOC-2151` documentation, with the connector's properties file placed in the `user/agent/flexagent/syslog` directory. It advises against reading this log with the File Transfer receiver because the log's format is inconsistent. The useful information in the log is:

1. Time of the check
2. Number of files checked, with the counts of files added, changed, or removed
3. The file or directory name (not consistently reported)

The fields in the log file are as follows:

  • `deviceVendor`: AIDE

  • `deviceProduct`: AIDE

  • `name`: the kind of entry; "added", "changed" or "removed" for the file lists, and "Total", "Added", "Changed", "Removed" or "Start timestamp" for the summary lines.

  • `filename`: the full path of the file or directory, where the log line carries one.
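
The log layout described above and the `deviceVendor`/`deviceProduct`/`name`/`filename` mapping, as an added example that is not part of the original document or of the ArcSight connector: a POSIX shell function that turns an AIDE report into one pipe-separated record per event, run here over a constructed sample report modelled on the counts and paths quoted earlier (the checksum values are placeholders). The record layout, the use of the fourth column for counts and the timestamp on summary lines, and the use of attribute names from the detailed section as extra `name` values are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original document or the ArcSight connector):
# map an AIDE report onto the four fields the page lists,
#   deviceVendor|deviceProduct|name|filename
# so the mapping can be checked against real reports before a FlexConnector
# parser is written. SAMPLE_REPORT is a constructed report in AIDE 0.15 layout;
# its checksum values are placeholders.
set -u

SAMPLE_REPORT=$(cat <<'EOF'
AIDE found differences between database and filesystem!!
Start timestamp: 2025-04-08 10:15:32

Summary:
  Total number of files:        96314
  Added files:                  3
  Removed files:                0
  Changed files:                6

---------------------------------------------------
Added files:
---------------------------------------------------

added: /root/sqlnet.log
added: /root/testfile
added: /root/testdir

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root
changed: /root/.viminfo

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /root
  Mtime    : 2025-04-07 11:20:01              , 2025-04-08 10:10:44
  Ctime    : 2025-04-07 11:20:01              , 2025-04-08 10:10:44
  Linkcount: 20                               , 21

File: /root/.viminfo
  Size     : 4684                             , 4712
  Mtime    : 2025-04-07 11:19:58              , 2025-04-08 10:10:44
  Inode    : 393251                           , 393260
  MD5      : OLDMD5PLACEHOLDER==              , NEWMD5PLACEHOLDER==
EOF
)

# Read a report on stdin (or from the files given) and print one record per
# event. name is "added"/"changed"/"removed" for the file lists, "Total"/
# "Added"/"Removed"/"Changed"/"Start timestamp" for the summary (fourth column
# then holds the count or timestamp), and the attribute name (Mtime, Ctime,
# Size, ...) for each line of the detailed section, where the fourth column is
# the entry the attribute belongs to. Section banners and bare "Added files:"
# headers without a count produce nothing.
aide_to_events() {
    awk '
        function emit(name, value) { print "AIDE|AIDE|" name "|" value }
        BEGIN { entry = "" }
        /^Start timestamp:/ { sub(/^Start timestamp:[ \t]*/, ""); emit("Start timestamp", $0); next }
        /^[ \t]*Total number of files:[ \t]*[0-9]+$/ { emit("Total", $NF); next }
        /^[ \t]*Added files:[ \t]*[0-9]+$/           { emit("Added", $NF); next }
        /^[ \t]*Removed files:[ \t]*[0-9]+$/         { emit("Removed", $NF); next }
        /^[ \t]*Changed files:[ \t]*[0-9]+$/         { emit("Changed", $NF); next }
        # Entries in the Added/Removed/Changed lists: "kind: /path"
        /^(added|changed|removed): / {
            kind = $1; sub(/:$/, "", kind)
            path = $0; sub(/^[a-z]+: /, "", path)
            emit(kind, path); next
        }
        # Detailed section: remember the current entry, then one record per attribute
        /^(File|Directory): / { entry = $0; sub(/^(File|Directory): /, "", entry); next }
        /^[ \t]+[A-Za-z0-9]+[ \t]*: .* , / && entry != "" {
            attr = $1; sub(/:$/, "", attr)
            emit(attr, entry); next
        }
    ' "$@"
}

# Stand-alone run: print the records for the constructed sample.
printf '%s\n' "$SAMPLE_REPORT" | aide_to_events
```

Feeding a real `/var/log/aide/aide.log` through `aide_to_events` shows at a glance which lines the connector will and will not get a path from: the summary records carry counts, the list records carry paths, and the attribute records show which metadata moved, which is the most the log can say about a change without content analysis.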

The report's query (not reproduced in the document) filters events on the AIDE-specific conditions: the type of change (added, changed, removed) and the other terms found in the log entries. The resulting report shows the records of changes detected by AIDE that match those criteria.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
