AIDE is one simple piece of the puzzle for detecting file modifications during an intrusion. It has its limitations (a rootkit that hides files from the kernel will hide them from AIDE too, for example). Another limitation, if I understand it correctly, is that if you want to use key signing of the database you have to compile it yourself. It is also recommended that the database be stored on read-only media. Since I back my system up fairly regularly, I don't worry so much about an intruder deleting the database as I do about them modifying the plain-text (ASCII) database so that the next check reports nothing. Encrypting it under a passphrase addresses exactly that: without the passphrase an intruder cannot produce a file that gpg2 will decrypt, so the check script must treat a failed decryption as an alarm rather than silently running AIDE against an empty file.
The limitation of my scripts is that the tasks cannot be scheduled; they prompt for the passphrase, so they must be run interactively. There are other good solutions for running interactive tasks across multiple systems, and I will leave that for another time.
Here are my scripts for protecting the database. I'm sure others can write better bash scripts.
aide-init.sh
#!/bin/bash
# Initializes/re-creates the aide database
# This should be run any time changes have been made to the system
cd /var/lib/aide || exit 1
# Backup your old aide encrypted database
if [ -f aide.db.aes ]
then
  mv aide.db.aes aide.db.aes-$(date +%F-%H-%M-%S)
fi
# Housekeeping: This file should not exist, but remove it if it does
if [ -f aide.db ]
then
  shred -z -n 7 -u aide.db
fi
# Housekeeping: This file should not exist, but remove it if it does
if [ -f aide.db.new ]
then
  shred -z -n 7 -u aide.db.new
fi
# Create a new aide.db.new file
aide --init
# Prompt for a password and store it in "$pwd" (-r keeps backslashes literal)
IFS= read -r -s -p "Password: " pwd
# Give the user a newline after they hit enter
echo
# Store the password in a temporary file readable only by root
umask 077
tmp=$(mktemp /var/lib/aide/pw.XXXXXX)
echo -n "$pwd" >"$tmp"
unset pwd
# Encrypt your new aide database
# (GnuPG 2.1 and later also need --pinentry-mode loopback for --passphrase-file
# to be honoured in --batch mode)
if ! gpg2 --batch --passphrase-file "$tmp" -c --cipher-algo aes256 -o aide.db.aes aide.db.new
then
  echo "ERROR: Encryption failed; aide.db.new was left in place so you can retry" >&2
  shred -z -n 7 -u "$tmp"
  exit 1
fi
# Make the aide.db.new and temporary password file non-recoverable
shred -z -n 7 -u aide.db.new "$tmp"
aide-check.sh
#!/bin/bash
# Compares the aide database against the current system
cd /var/lib/aide || exit 1
# Housekeeping: This file should not exist, but remove it if it does
if [ -f aide.db ]
then
  shred -z -n 7 -u aide.db
fi
# Housekeeping: This file should not exist, but remove it if it does
if [ -f aide.db.new ]
then
  shred -z -n 7 -u aide.db.new
fi
# Make sure the encrypted database exists
if [ -f aide.db.aes ]
then
  # Prompt for a password and store it in "$pwd"
  IFS= read -r -s -p "Password: " pwd
  # Give the user a newline after they hit enter
  echo
  # Store the password in a temporary file readable only by root
  umask 077
  tmp=$(mktemp /var/lib/aide/pw.XXXXXX)
  echo -n "$pwd" >"$tmp"
  unset pwd
  # Decrypt the database. A failure (wrong passphrase, or an aide.db.aes that
  # has been tampered with) must abort the run: otherwise aide would be compared
  # against an empty aide.db and the report would be meaningless.
  # (GnuPG 2.1 and later also need --pinentry-mode loopback here)
  if ! gpg2 --batch --passphrase-file "$tmp" -d aide.db.aes >aide.db 2>/dev/null
  then
    echo "ERROR: Could not decrypt aide.db.aes (bad passphrase or modified file)" >&2
    shred -z -n 7 -u aide.db "$tmp"
    exit 1
  fi
else
  echo "ERROR: There is no encrypted database!" >&2
  exit 1
fi
# Make sure the directory exists where the report will be stored
if [ ! -d /root/aide ]
then
  mkdir -m 700 /root/aide
fi
# Check for changes to the filesystem and generate a report
aide -CV >/root/aide/aide_$(date +%F-%H-%M-%S).txt
# Make the aide.db and temporary password file non-recoverable
shred -z -n 7 -u aide.db "$tmp"
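The worry stated at the top of the post is an intruder editing the plain-text database, not deleting it. The property the two scripts get from gpg2 -c is that nobody without the passphrase can hand the check script a database it will accept. The following is an added example, not code from the post, showing that property in isolation with only the Python standard library: the database is sealed with a keyed HMAC-SHA256 tag (key derived from the passphrase with PBKDF2), and open_sealed returns the database only if the tag verifies. Unlike gpg2 -c this protects integrity only (the database stays readable); the salt||tag||db layout, the round count and the sample database are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Layout of the sealed file (assumption of this example): salt || tag || db
SALT_LEN = 16
TAG_LEN = 32            # HMAC-SHA256 output
PBKDF2_ROUNDS = 200_000  # raise for production; kept modest so the demo is quick


def _key(passphrase: str, salt: bytes) -> bytes:
    """Derive the HMAC key from the passphrase; the salt makes the key unique per sealing."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def seal(db: bytes, passphrase: str) -> bytes:
    """Return salt || HMAC-SHA256(key, db) || db. The db is not hidden, only authenticated."""
    salt = secrets.token_bytes(SALT_LEN)
    tag = hmac.new(_key(passphrase, salt), db, hashlib.sha256).digest()
    return salt + tag + db


def open_sealed(blob: bytes, passphrase: str) -> bytes:
    """Verify the tag and return the database, or raise ValueError.

    The database is never returned on failure, so a caller cannot accidentally
    run aide against a modified, truncated or wrongly decrypted database.
    """
    if len(blob) < SALT_LEN + TAG_LEN:
        raise ValueError("sealed database is truncated")
    salt = blob[:SALT_LEN]
    tag = blob[SALT_LEN:SALT_LEN + TAG_LEN]
    db = blob[SALT_LEN + TAG_LEN:]
    expected = hmac.new(_key(passphrase, salt), db, hashlib.sha256).digest()
    # constant-time comparison: a byte-by-byte == would leak how many tag bytes matched
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong passphrase or modified database")
    return db


def tamper_detected(blob: bytes, passphrase: str) -> bool:
    """True if open_sealed refuses the blob (what a check script should treat as an alarm)."""
    try:
        open_sealed(blob, passphrase)
        return False
    except ValueError:
        return True


# Constructed sample standing in for /var/lib/aide/aide.db; not a real system's database.
SAMPLE_DB = (
    b"@@begin_db\n"
    b"# constructed sample AIDE database\n"
    b"/etc/passwd 0 1 root root 644 1234\n"
    b"/bin/ls 0 1 root root 755 5678\n"
    b"@@end_db\n"
)


def demo() -> dict:
    """Seal the sample, then try the edits an intruder might make; returns what was detected."""
    passphrase = "correct horse battery staple"
    blob = seal(SAMPLE_DB, passphrase)
    # an intruder rewriting the entry for /bin/ls to hide a trojaned binary
    edited = blob.replace(b"/bin/ls 0 1 root root 755 5678", b"/bin/ls 0 1 root root 755 9999")
    return {
        "round_trip_ok": open_sealed(blob, passphrase) == SAMPLE_DB,
        "edited_entry_detected": tamper_detected(edited, passphrase),
        "truncation_detected": tamper_detected(blob[:-3], passphrase),
        "wrong_passphrase_detected": tamper_detected(blob, "hunter2"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point carried over to the shell scripts above: the decision to run aide must sit behind the verification step, never after a redirect whose failure is discarded.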