Install the AIDE service to audit a Linux OS.

Source: Internet
Author: User
Tags: md5

1. Install the aide package.
# yum install aide -y

2. Edit the AIDE configuration file (/etc/aide.conf).
Basic configuration (the packaged aide.conf keeps its own rules for /etc, /var/log and other paths, which is why those also show up in the report below):
# Define DB/log location.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide

# Define DB location and name. AIDE reads the baseline from "database"
# and writes a freshly generated one to "database_out".
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz

# Compress the AIDE DB.
gzip_dbout=yes

verbose=5

# Write the report to the log file and also print it on screen.
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout

# Define the directories to audit. NORMAL is a rule group from the packaged
# config: permissions, inode, owner/group, size, mtime/ctime plus the
# md5, rmd160 and sha256 digests seen in the report below.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
#/lib NORMAL
#/lib64 NORMAL
#/opt NORMAL
#/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp

3. After configuring AIDE, generate the baseline DB.
# aide -i

AIDE, version 0.14

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

4. Rename the new DB to /var/lib/aide/aide.db.gz so that later checks use it as the baseline.
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Keep a copy of this baseline somewhere the host itself cannot rewrite (read-only media or another machine): an attacker who gains root can otherwise just rerun aide -i and the check will report nothing.

5. Generate a report against the existing DB and check it. Check mode is the capital -C; lowercase -c is the option that names an alternative config file.

# aide -C

AIDE, version 0.14

### All files match AIDE database. Looks okay!

6. Change something to verify the check.
A. Add user user2.
# useradd -u 10004 -s /sbin/nologin user2

B. Check for changes.
# aide -C
AIDE found differences between database and filesystem!!
Start timestamp: 2015-04-17 04:16:51

Summary:
Total number of files: 1815
Added files: 1
Removed files: 0
Changed files: 11


---------------------------------------------------
Added files:
---------------------------------------------------

Added: /var/log/httpd/access_log-20150417

---------------------------------------------------
Changed files:
---------------------------------------------------

Changed: /etc/passwd
Changed: /etc/passwd-
Changed: /etc/gshadow
Changed: /etc/gshadow-
Changed: /etc/group-
Changed: /etc/shadow-
Changed: /etc/shadow
Changed: /etc/group
Changed: /var/log/httpd/access_log
Changed: /root
Changed: /root/.viminfo

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/passwd
  size   : 1339, 1386
  mtime  : 2015-04-17 02:09:33, 2015-04-17 04:16:22
  ctime  : 2015-04-17 02:09:33, 2015-04-17 04:16:22
  inode  : 25609, 25599
  md5    : d+fkjnpvoooblrwioqvhnq==, mvdgwk3/grl50jgog6eacq==
  rmd160 : 8yg5pf836arlzv21ltv+yqy2168=, vsnqhtinle/sr8uxayya0or+fss=
  sha256 : INJOLL/4RMFWESOYTOLMENBJ8L/MFUXQ, tcoa5ldpbxftfdcmbc8sbqkdcjcbfg1w

File: /etc/passwd-
  size   : 1294, 1339
  mtime  : 2015-04-03 02:27:33, 2015-04-17 02:09:33
  ctime  : 2015-04-17 02:09:33, 2015-04-17 04:16:22
  md5    : /00yqcuwzu/+80x3voaujg==, d+fkjnpvoooblrwioqvhnq==
  rmd160 : rzode9edman8u2zqgwimvk2blvw=, 8yg5pf836arlzv21ltv+yqy2168=
  sha256 : 7IVCTSIG7QW5ZYAVDOLFQATDJRDGNKLQ, INJOLL/4RMFWESOYTOLMENBJ8L/MFUXQ

File: /etc/gshadow
  size   : 498, 508
  mtime  : 2015-04-17 02:09:33, 2015-04-17 04:16:22
  ctime  : 2015-04-17 02:09:33, 2015-04-17 04:16:22
  inode  : 25534, 25311
  md5    : l6+t3nkffkabarfcq2c4cq==, t1tjbylw6bofdxrmlga6gg==
  rmd160 : dpgu5ythe0x5w7okjgwxuwhqzxa=, ibpe8mr6mv+8w7voifbo4bzbxr8=
  sha256 : mt0lkr8rev7aevcdmx8ejifrppynmxzd, ZLBRYJEJ+LFUR7ZVKCPBBGPV2GS6S/W6

File: /etc/gshadow-
  size   : 488, 498
  mtime  : 2015-04-03 02:27:33, 2015-04-17 02:09:33
  ctime  : 2015-04-17 02:09:33, 2015-04-17 04:16:22
  md5    : 6jpje5dvxh/qyhmmkgptfq==, l6+t3nkffkabarfcq2c4cq==
  rmd160 : bn7h6wdeg9xyj07tjoinzuqt6+w=, dpgu5ythe0x5w7okjgwxuwhqzxa=
  sha256 : M1ADYYIJKDEBD7JLHGZQHP6MD+53IGMG, Mt0lkr8rev7aevcdmx8ejifrppynmxzd

File: /etc/group-
  size   : 594, 608
  mtime  : 2015-04-03 02:27:33, 2015-04-17 02:09:33
  ctime  : 2015-04-17 02:09:33, 2015-04-17 04:16:22
  md5    : wrpaj/80hagvrgrpk6bdxg==, xhf8m1fnvxqv01xwfqvtza==
  rmd160 : mbjff/xi0fn2bmekhpuz9gjoitg=, jwbfvvu6vslosv7ed7kh0cdm6wg=
  sha256 : qflmvknlkoebimyxvlwgqbridxkwzal4, S/36GKNID/MHDJANGXX5V2H82/XS17/C

File: /etc/shadow-
  size   : 723, 751
  mtime  : 2015-04-03 02:27:33, 2015-04-17 02:09:33
  ctime  : 2015-04-17 02:09:33, 2015-04-17 04:16:22
  md5    : a8zb/ckbshbtsk8mq76zxq==, 3auqza/rm4m2dm2ocuki8w==
  rmd160 : zlrktm5d1fapq0jzxomzjaj8f/y=, 9plx0kdq2xuxhoyna9dl5dfmaem=
  sha256 : IIOHA9TMTQ486NMVSKVFO0QLURKANILR, 3ketpurrzpbfambqey8iedscepl9x9fu

File: /etc/shadow
  size   : 751, 779
  mtime  : 2015-04-17 02:09:33, 2015-04-17 04:16:22
  ctime  : 2015-04-17 02:09:33, 2015-04-17 04:16:22
  inode  : 25536, 25602
  md5    : 3auqza/rm4m2dm2ocuki8w==, 4sl4otmzduxlfy8f5o1miq==
  rmd160 : 9plx0kdq2xuxhoyna9dl5dfmaem=, mrogj9i5zr2adgqfxhnvsnszqrg=
  sha256 : 3ketpurrzpbfambqey8iedscepl9x9fu, UF0SXCIWL16VT0PLQEWLS8KLTD93F64T

File: /etc/group
  size   : 608, 623
  mtime  : 2015-04-17 02:09:33, 2015-04-17 04:16:22
  ctime  : 2015-04-17 02:09:33, 2015-04-17 04:16:22
  inode  : 25311, 25536
  md5    : xhf8m1fnvxqv01xwfqvtza==, jlmjugofdqrdiiqfvuusbg==
  rmd160 : jwbfvvu6vslosv7ed7kh0cdm6wg=, my2+zs+5bsfxkoddhkdbxanluny=
  sha256 : S/36GKNID/MHDJANGXX5V2H82/XS17/C, NJUENRSRDD7BG31IREX1ME7YWZHIDVPK

File: /var/log/httpd/access_log
  size   : 730, 0
  inode  : 266417, 266453

Directory: /root
  mtime  : 2015-04-17 04:05:56, 2015-04-17 04:15:20
  ctime  : 2015-04-17 04:05:56, 2015-04-17 04:15:20

File: /root/.viminfo
  inode  : 25306, 25269
#

Reading the report: the entries for passwd, shadow, group and gshadow, together with their "-" backup copies (which useradd rewrites), are what the new user produced, and the new inode numbers show the files were replaced rather than edited in place. The rotated httpd access_log and /root/.viminfo are unrelated noise that will appear on every run of this kind; either tighten the rules for those paths or expect them. Once the changes have been confirmed as legitimate, refresh the baseline with aide -u (which writes to database_out) and move the new file over aide.db.gz as in step 4, otherwise every later check keeps reporting the same differences.
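To make concrete what the aide -i and aide -C steps above actually do, here is an added example, written for this page and not taken from AIDE or from the original post: a minimal AIDE-style baseline in bash that records a subset of the NORMAL attributes (size, mtime, owner, group, mode, sha256) per file, then classifies a fresh snapshot against the saved baseline as added, removed or changed and prints the old and new value of each differing attribute, the same shape as the report in step 6. It assumes GNU coreutils (find, stat -c, sha256sum), bash, and paths containing neither "|" nor newlines; the directory and files it is run against are whatever you pass it, and the usage at the bottom of the block builds a throwaway tree for that purpose.

```bash
#!/bin/bash
# Added example (not AIDE's code): AIDE-style integrity baseline in bash.
# Assumes GNU coreutils and paths without '|' or newline characters.
set -u

# Database line layout: path|size|mtime|uid|gid|mode|sha256
# (a subset of what AIDE's NORMAL rule records; ctime and the md5/rmd160
# digests are left out to keep the demo short.)
snapshot() {                      # snapshot DIR  -> sorted database lines on stdout
    local dir=$1 f
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s|%s|%s\n' "$f" \
            "$(stat -c '%s|%Y|%u|%g|%a' "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)"
    done
}

baseline_init() {                 # baseline_init DIR DBFILE   (the aide -i step)
    snapshot "$1" > "$2"
}

# baseline_check DIR DBFILE       (the aide -C step)
# Prints an AIDE-like summary plus one entry per difference, listing the old
# and new value of every attribute that changed. Returns 0 when everything
# matches and 1 when anything was added, removed or changed, so a cron job
# can use the exit status to raise an alert.
baseline_check() {
    local dir=$1 db=$2 cur rc
    cur=$(mktemp)
    snapshot "$dir" > "$cur"
    awk -F'|' '
        BEGIN { split("size mtime uid gid mode sha256", name, " ") }
        FILENAME == ARGV[1] { base[$1] = $0; next }   # first file: baseline lines
        !($1 in base) { added[++a] = $1; next }       # on disk now, not in baseline
        base[$1] != $0 {                              # in both, but attributes differ
            split(base[$1], ob, "|"); detail = ""
            for (i = 2; i <= NF; i++)
                if (ob[i] != $i)
                    detail = detail sprintf("\n  %-7s: %s, %s", name[i-1], ob[i], $i)
            changed[++c] = $1 detail
        }
        { delete base[$1] }                           # whatever is left was removed
        END {
            for (p in base) removed[++r] = p
            printf "Added files: %d\nRemoved files: %d\nChanged files: %d\n", a, r, c
            for (i = 1; i <= a; i++) print "Added: " added[i]
            for (i = 1; i <= r; i++) print "Removed: " removed[i]
            for (i = 1; i <= c; i++) print "Changed: " changed[i]
            exit (a + r + c > 0)
        }' "$db" "$cur"
    rc=$?
    rm -f "$cur"
    return "$rc"
}

# Usage on a constructed tree (mirrors the useradd test from step 6):
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    demo=$(mktemp -d); demodb=$(mktemp)           # keep the DB outside the tree
    mkdir -p "$demo/etc"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo/etc/passwd"
    baseline_init "$demo" "$demodb"
    printf 'user2:x:10004:10004::/home/user2:/sbin/nologin\n' >> "$demo/etc/passwd"
    baseline_check "$demo" "$demodb"              # reports /etc/passwd as changed
    rm -rf "$demo" "$demodb"
fi
```

The baseline file lives outside the tree it describes for the same reason step 4 tells you to keep a copy of aide.db.gz off the host: if the database is writable by whoever can tamper with the files, the check proves nothing.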
