Linux Ultra-practical aide (advanced intrusion detection system)

Source: Internet
Author: User
Tags crc32 crc32 checksum md5 sha1

Niche Blog:

Niche Q q:1770058260

-------Thank you for your reference, if you have any questions, please contact

I. Introduction of Aide

1. Role

2. Principle

3. Installation

Ii. introduction of aide Documents

Three, aide operation process

I. introduction of AIDE

1. Role

AIDE(advanced intrusion Detection Environment, high-level intrusion detection environment), mainly used to detect file integrity.

2. Principle

to generate the initial checksum (document database) for the system files, and then each time the check command is executed,aide will compare the checksum of the previous generation with the checksum of the current file, and output the report, mainly checking the class three files (modified, newly added, deleted)

3. Installation

Install aide directly using yum (yum–y installed aide)

Ii. introduction of AIDE documents

default configuration file:/etc/aide.conf

Default Document database file storage location:/var/lib/aide/

default intrusion Detection report storage location:/var/log/aide/

1./etc/aide.conf Master Profile instance,aide checks almost all directories and their files by default, here is a aide Master profile that I have removed configuration information from

# Example configuration file for AIDE.

@ @define dbdir/var/lib/aide // Defining Variables Dbdir

@ @define logdir/var/log/aide // Defining Variables LogDir

# The location of the database is read.

database=file:@@{dbdir}/aide.db.gz //aide The storage path of the file database (signature file) read when performing the check and its file name

# The location of the database is written.

#database_out =sql:host:port:database:login_name:passwd:table


database_out=file:@@{dbdir}/ // the storage path after the file database (signature file) is generated and its file name

# Whether to gzip the output to database.


# Default.


report_url=file:@@{logdir}/aide.log // log file path

report_url=stdout // The comparison results are standard output to the screen

#report_url =stderr

#NOT implemented Report_url=mailto:[email protected]

#NOT implemented Report_url=syslog:log_auth

# These is the default rules.


#p: Permissions // specifies that the letter P represents the permission

#i: inode: // Specifies that the letter I represents the index node

#n: Number of links // specifies that the letter n represents the number of links

#u: User // specifies that the letter U represents the user

#g: Group // Specify the letter G for the group

#s: Size // specifies that the letter s represents the size

#b: Block count // Specify the letter B to represent the number of blocks

#m: Mtime // Specifies that m represents the content modification time

#a: Atime // Specifies that a represents the last access time

#c: CTime // Specifies that C represents a change in the properties or permissions of the file, and the time of the update

#S: Check for growing size

#acl: Access Control Lists

#selinux SELinux Security Context

#xattrs: Extended file attributes

#md5: MD5 Checksum

#sha1: SHA1 Checksum

#sha256: sha256 Checksum

#sha512: sha512 Checksum

#rmd160: rmd160 Checksum

#tiger: Tiger Checksum

#haval: Haval checksum (Mhash only)

#gost: Gost checksum (Mhash only)

#crc32: CRC32 checksum (Mhash only)

#whirlpool: Whirlpool Checksum (Mhash only)

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256


#L: P+i+n+u+g+acl+selinux+xattrs

#E: Empty Group

#>: Growing logfile P+u+g+i+n+s+acl+selinux+xattrs

# You can create a custom rules like this.

# with Mhash ...

# allxtrahashes = Sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32

Allxtrahashes = Sha1+rmd160+sha256+sha512+tiger

# Everything but access time (Ie. All changes)

everything = R+allxtrahashes

# Sane, with one good hash.

# NORMAL = sha256

NORMAL = sha256

/usr/local/mysql/normal // define the directory to be detected and what information is detected, normal is defined above


!/usr/local/mysql/tttt.txt // exclamation point indicates what is not detected

Third, the general aide operation Process

1. Initialize the file database first (generate a checksum for the files that need to be monitored)

   aide  --init

at this time in the directory of the file database to produce a name: " " aide

MV aide.db.gz

2. Check System files


--report: Specify output Check report to a file or not, check report standard output to screen

3. The file database needs to be updated after the check, otherwise the next comparison of the file database is the old file database


MV aide.db.gz

This article is from the "Niche blog" blog, please be sure to keep this source

Linux Ultra-practical aide (advanced intrusion detection system)

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.