AIDE - Advanced Intrusion Detection Environment

I've been testing my new Oracle Linux stack based on RHEL 5.3. We have a lot of problems with sysops and admins editing files on servers to fix problems. Only recently did we start using Subversion for release management, so that we can check for specific versions and verify the integrity of (unmodified) files. Subversion also lets those sysops and admins commit their changes back, so changes get documented, verified, discussed and distributed through bug fix releases.

However, OEL/RHEL 5 comes bundled with AIDE - Advanced Intrusion Detection Environment and I've started running tests on my test servers.

When you initialize the AIDE database as part of the final post-installation steps, you run aide -i. This creates the base reference database (a snapshot) of all files, which later checks are compared against to spot modifications. Using aide -u you update that database.

One small problem is that you may get a lot of "lgetfilecon_raw failed" errors. In my case, this had to do with SELinux being disabled while AIDE was still trying to read SELinux file contexts. Editing /etc/aide.conf, removing all references to selinux there, and then reinitializing the database fixed that. Don't forget to copy the newly initialized db into place!
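The config edit and database refresh described above, as an added shell example (not code from the original post or from the AIDE project). It assumes the RHEL 5 default layout: rule definitions in /etc/aide.conf that carry the attribute token "selinux" (as "+selinux", "selinux+" or on its own), the reference database at /var/lib/aide/aide.db.gz, and aide -i writing /var/lib/aide/aide.db.new.gz. The sample config it runs on is constructed for the demo, so the strip step can be tried without aide installed; the refresh step needs root and a real install.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumed: the RHEL 5 default /etc/aide.conf, with the reference db at
# /var/lib/aide/aide.db.gz and aide -i writing /var/lib/aide/aide.db.new.gz.
set -e

# Remove the 'selinux' attribute from every rule and group definition in
# config $1, writing the cleaned file to $2.  Comment lines are left alone.
# Handles "+selinux", "selinux+", and a definition that is selinux alone
# (that whole line is dropped, since an empty rule would be a syntax error).
strip_selinux_attr() {
    sed -e '/^[^#]*=[[:space:]]*selinux[[:space:]]*$/d' \
        -e '/^#/!s/+selinux//g' \
        -e '/^#/!s/selinux+//g' "$1" > "$2"
}

# Number of non-comment lines in $1 that still mention selinux; 0 means clean.
count_selinux_refs() {
    grep -v '^#' "$1" | grep -c 'selinux' || true
}

# Write a constructed sample config (modelled on the RHEL 5 layout) to $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample: selinux appears in rules and in this comment
database=file:/var/lib/aide/aide.db.gz
database_out=file:/var/lib/aide/aide.db.new.gz
NORMAL = R+rmd160+sha256+selinux
DIR = p+i+n+u+g+acl+selinux+xattrs
CONTEXT = selinux
/boot   NORMAL
/bin    NORMAL
/etc    DIR
EOF
}

# Rebuild the reference db after the config change and move the new snapshot
# into place; without the cp, later checks keep comparing against the old db.
# Paths are the assumed defaults above.  Needs root and a real aide install.
aide_refresh_db() {
    aide -i
    cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
}

# Demo on the sample config in a scratch directory (no aide needed).
demo() {
    d=$(mktemp -d)
    make_sample_conf "$d/aide.conf"
    strip_selinux_attr "$d/aide.conf" "$d/aide.conf.noselinux"
    echo "selinux references left in rules: $(count_selinux_refs "$d/aide.conf.noselinux")"
    cat "$d/aide.conf.noselinux"
    rm -rf "$d"
}

if [ "${1:-}" = refresh ]; then
    aide_refresh_db
else
    demo
fi
```

Run it with no arguments to see the cleaned sample config; on a real host, apply strip_selinux_attr to a copy of /etc/aide.conf, review the diff, put it in place, and then run the script with "refresh" so the new snapshot replaces the old one.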
