KaliLinux 2017.1: File integrity check with AIDE


1 Before installing AIDE

Install Postfix with this script.

2 Install AIDE

Install the aide package.

$ sudo apt install -y aide

3 Fix /etc/aide/aide.conf.d/10_aide_distribution

On a fresh install, running aideinit fails with the following configuration error (return code 17 is AIDE's configuration error status):

$ sudo aideinit
Running aide --init...
77:syntax error:Rolling
77:Error while reading configuration:Rolling
Configuration error
AIDE --init return code 17

The cause is that 10_aide_distribution embeds the first line of /etc/debian_version in the configuration, and on Kali that line contains a space, so the second word ("Rolling") is read as a stray configuration token. Fix /etc/aide/aide.conf.d/10_aide_distribution by replacing the whitespace with underscores, as below.

$ sudo sed -e "s;head -n 1 /etc/debian_version;head -n 1 /etc/debian_version | sed 's/[[:space:]]\+/_/g';g" -i /etc/aide/aide.conf.d/10_aide_distribution

4 Create database

Create the database with aideinit, which is a wrapper script for "aide --init". aideinit creates aide.db.new and then copies it to aide.db:

/var/lib/aide/aide.db.new
/var/lib/aide/aide.db

Unlike AIDE on other distributions, the configuration file is not /etc/aide.conf but /etc/aide/aide.conf. Because /etc/aide.conf does not exist, running aide directly (instead of through aideinit or aide.wrapper) fails with a configuration error. The files under /etc/aide/aide.conf.d/ are the configuration fragments for the various packages.

/etc/aide/aide.conf
/etc/aide/aide.conf.d/*

5 File integrity check

aide.wrapper --check checks file integrity against aide.db. aide.wrapper --update runs the same check and additionally writes a new database, "aide.db.new", which must then be copied over aide.db to become the new baseline.

$ sudo aide.wrapper --check
<snip>
$ echo $?
0

If any monitored file has changed, aide.wrapper returns a non-zero exit status. AIDE's exit status is a bitmask: 1 for new entries, 2 for removed entries and 4 for changed entries, ORed together (14 and above indicate errors), so the 4 below means changed files only.

$ sudo mv /usr/sbin/ip /usr/sbin/ip.orig
$ echo "modified" | sudo tee /usr/sbin/ip
$ sudo aide.wrapper --check
<snip>
$ echo $?
4

Running the cron job script "/etc/cron.daily/aide" by hand is the better way to run the check, since it also handles the database rotation and the report mail.

$ sudo /etc/cron.daily/aide
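As an added example (not from the original article), the following POSIX shell script decodes the AIDE exit status shown above and copies aide.db.new over aide.db only when the run was clean or the report has been reviewed; the report path and the "approved" flag are this script's own assumptions, the paths and aide.wrapper are the Debian/Kali ones used in this article.

```shell
#!/bin/sh
# Added example, not from the original article. Decodes AIDE's exit status and
# promotes aide.db.new to aide.db only after a clean run or an approved review.
# aide(1) exit status: 0 = no differences; bits 1 = new, 2 = removed and
# 4 = changed entries (ORed together); 14 and above are errors (17 = config).

DB=/var/lib/aide/aide.db
DB_NEW=/var/lib/aide/aide.db.new
REPORT="${REPORT:-$HOME/aide-report.txt}"   # assumed location for the saved report

# Turn a status number into a readable summary, e.g. 4 -> "changed".
aide_status_text() {
    rc="$1"
    if [ "$rc" -eq 0 ]; then echo "no changes"; return 0; fi
    if [ "$rc" -ge 14 ]; then echo "error ($rc)"; return 0; fi
    out=""
    [ $((rc & 1)) -ne 0 ] && out="${out}new "
    [ $((rc & 2)) -ne 0 ] && out="${out}removed "
    [ $((rc & 4)) -ne 0 ] && out="${out}changed "
    echo "${out% }"
}

# Return 0 only if aide.db.new may replace aide.db: never after an error,
# always after a clean run, and after reported changes only with approval.
should_rotate_db() {
    rc="$1"; approved="$2"
    [ "$rc" -lt 14 ] || return 1
    [ "$rc" -eq 0 ] && return 0
    [ "$approved" = "yes" ]
}

# Run the check (producing aide.db.new), then rotate the baseline if allowed.
# Usage: aide_check_and_rotate [yes]   ("yes" = the saved report was reviewed)
aide_check_and_rotate() {
    approved="${1:-no}"
    rc=0
    sudo aide.wrapper --update > "$REPORT" 2>&1 || rc=$?
    echo "AIDE: $(aide_status_text "$rc") (exit $rc); report saved to $REPORT"
    if should_rotate_db "$rc" "$approved"; then
        sudo cp "$DB_NEW" "$DB" && echo "baseline updated"
    else
        echo "baseline NOT updated; review $REPORT and re-run with 'yes'"
        return "$rc"
    fi
}
```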

6 Cron job that runs aide

This cron job runs "aide.wrapper --update", copies the newly created "aide.db.new" over aide.db, and sends the report by email. Because the new database becomes the baseline, any change reported that day is accepted from then on, so the daily report must actually be read.

/etc/cron.daily/aide

The configuration file for this cron job is the following; the report is mailed to ${MAILTO}@${FQDN}.

/etc/default/aide

If FQDN is not defined in /etc/default/aide, it is set to the output of "hostname -f". This article sets FQDN to localhost. The default value of MAILTO is root.

$ sudo sed -e 's/^# FQDN=/FQDN=localhost/g' -e 's/^MAILTO=root/MAILTO=root@${FQDN}/g' -i /etc/default/aide

After this, the cron job sends the report to root@localhost once a day. With the appropriate Postfix configuration, the report can be relayed on to a Gmail address.

Android | Linux | SDL - Narrow Escape