OS anomaly detection with AIDE
Advanced Intrusion Detection Environment (AIDE) is a Linux tool for detecting changes in system state; it can be classified as File Integrity Monitoring (FIM) software. It builds a database describing the current contents and attributes of monitored files, which is later used as a baseline for comparison to detect any changes to the system. AIDE uses checksums to perform integrity checks; it supports algorithms such as sha1, rmd160, tiger, crc32, sha256, sha512 and whirlpool, plus a few more through optional integrations. The available rules and hashing algorithms are listed in /etc/aide.conf and in the man pages.

Installation

sudo yum -y install aide

In this case I am using Red Hat 8 and yum.

Set up monitoring

/var/log/secure$ p+u+g+n+S+acl+selinux+xattrs

Add this line to /etc/aide.conf to monitor changes to /var/log/secure.

Initialize database

sudo aide --init

Once this is completed, you need to move the new database into place as the AIDE master database:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Perfo
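As an added illustration (not AIDE's own code), the Python sketch below shows the baseline-then-compare idea behind a rule such as p+u+g+n+S: it records permissions, owner, group, link count and size (plus an optional sha256, left out for a log that legitimately grows) and, on comparison, reports a size change only when the file shrank, which is what AIDE's S (growing size) check is for. The acl, selinux and xattrs attributes are not modelled, and the log line and temporary file are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(paths, checksum=True) -> dict:
    """Record per-file attributes: p (perms), u, g, n (link count), S (size), optional sha256."""
    db = {}
    for p in paths:
        st = os.lstat(p)
        db[p] = {"perm": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
                 "nlink": st.st_nlink, "size": st.st_size}
        if checksum and stat.S_ISREG(st.st_mode):
            with open(p, "rb") as f:
                db[p]["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return db

def compare(baseline: dict, current: dict) -> dict:
    """Return {path: [changed attributes]}; like AIDE's S flag, size only counts if it shrank."""
    findings = {}
    for p in sorted(set(baseline) | set(current)):
        if p not in current or p not in baseline:
            findings[p] = ["removed" if p not in current else "added"]
            continue
        old, new = baseline[p], current[p]
        changed = [k for k in old if k != "size" and old[k] != new.get(k)]
        if new["size"] < old["size"]:  # a log may grow; shrinking is what we want to see
            changed.append("size")
        if changed:
            findings[p] = changed
    return findings

def demo() -> tuple:
    """Constructed run: baseline a fake auth log, append to it, then truncate and chmod it."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "secure")
        with open(log, "w") as f:  # constructed sample line, not a real log entry
            f.write("Jan  1 00:00:00 host sshd[1]: Accepted publickey for alice\n")
        os.chmod(log, 0o600)
        base = snapshot([log], checksum=False)  # no hash: the rule on the page omits one
        with open(log, "a") as f:
            f.write("Jan  1 00:00:01 host sshd[1]: session opened for user alice\n")
        grown = compare(base, snapshot([log], checksum=False))  # growth: nothing reported
        with open(log, "w"):
            pass  # log truncated to zero bytes
        os.chmod(log, 0o644)
        wiped = compare(base, snapshot([log], checksum=False))  # perm and size reported
    return grown, wiped[log]
```

Running demo() returns an empty finding set for the appended log and ["perm", "size"] for the truncated, re-permissioned one.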