The only wrinkle is that it requires you to actually move the database after you create it: aide -i writes a new database file, and you have to rename it over the stored one before aide -C will use it. From the command line that is a bit cumbersome because you need to figure out where things go.
I have a couple of little scripts that simplify using the aide program: aide-init and aide-check. You can install these into /root/bin for ease of use. This is aide-init:
#!/bin/sh
# Wipe any previous database (and any leftover aide.db.new.gz) so the
# baseline reflects the system exactly as it is right now.
echo "Creating temp copy of aide database"
rm -f /var/lib/aide/*
# aide -i builds a fresh database as /var/lib/aide/aide.db.new.gz
aide -i
# aide -C only reads aide.db.gz, so the new file must be renamed over it.
echo "Overwriting stored aide database."
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
echo "Aide is ready for use."
and aide-check:
#!/bin/sh
aide -C
The only reason I have aide-check is just for symmetry. If you have an init, you should have a check.
So, the way to use these is to run aide-init to establish a baseline. Then, the next time you log in, run aide-check to see if anything has changed. If so, investigate. If you are satisfied that all changes are explained, run aide-init again. Also, if you see an update that needs to be installed, do an aide-init immediately after the update so that all of its changes are rolled up into the database.
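As an added example (not the author's scripts), here is one way to fold both helpers into a single wrapper that is friendlier to unattended use: it keeps the previous baseline as aide.db.prev.gz instead of deleting everything, refuses to overwrite the baseline if aide -i produced no database, and turns aide's exit status into a one-line summary. The paths are the Debian-style ones used in the post; AIDE_DIR and AIDE_BIN are assumed override points so the decoding logic can be exercised without aide installed.

```shell
#!/bin/sh
# Added example, not the original aide-init/aide-check. Assumes the database
# lives in $AIDE_DIR as aide.db.gz / aide.db.new.gz (as in the post) and that
# "aide" is on PATH; both can be overridden through the environment.

AIDE_DIR="${AIDE_DIR:-/var/lib/aide}"
AIDE_BIN="${AIDE_BIN:-aide}"

# Translate an aide exit status into a short summary. aide documents
# 0 = no differences, and the bit flags 1 = new files, 2 = removed files,
# 4 = changed files (summed when several apply); 14 and above are errors
# (configuration, I/O, version mismatch), not findings.
decode_aide_status() {
    rc="$1"
    if [ "$rc" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$rc" -ge 14 ]; then
        echo "aide error (exit $rc)"
        return 0
    fi
    summary=""
    if [ $((rc & 1)) -ne 0 ]; then summary="${summary:+$summary, }new"; fi
    if [ $((rc & 2)) -ne 0 ]; then summary="${summary:+$summary, }removed"; fi
    if [ $((rc & 4)) -ne 0 ]; then summary="${summary:+$summary, }changed"; fi
    if [ -z "$summary" ]; then
        echo "unknown status ($rc)"
        return 0
    fi
    echo "$summary files"
}

# Rebuild the baseline, but keep the old one until the new one is known good.
aide_init_safe() {
    if [ -f "$AIDE_DIR/aide.db.gz" ]; then
        cp -p "$AIDE_DIR/aide.db.gz" "$AIDE_DIR/aide.db.prev.gz"
    fi
    rm -f "$AIDE_DIR/aide.db.new.gz"
    "$AIDE_BIN" -i
    if [ ! -s "$AIDE_DIR/aide.db.new.gz" ]; then
        echo "aide -i produced no database; baseline left unchanged" >&2
        return 1
    fi
    mv "$AIDE_DIR/aide.db.new.gz" "$AIDE_DIR/aide.db.gz"
    echo "Baseline updated (previous copy in aide.db.prev.gz)."
}

# Run the check, print the decoded status, and pass aide's status through
# so cron or a monitoring agent can alert on it.
aide_check_report() {
    rc=0
    "$AIDE_BIN" -C || rc=$?
    echo "aide-check: $(decode_aide_status "$rc")"
    return "$rc"
}

case "${1:-}" in
    init)  aide_init_safe ;;
    check) aide_check_report ;;
    *)     echo "usage: $0 init|check" >&2 ;;
esac
```

Install it as /root/bin/aide-wrap and call `aide-wrap init` and `aide-wrap check` in place of the two scripts. Keeping aide.db.prev.gz means that after an unexpected finding you can still compare against the last accepted baseline even if someone re-ran init in the meantime; it does not protect the database from a root-level attacker on the same host, for which the usual advice is to store a copy of aide.db.gz off the machine or on read-only media.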
I have one interesting side note on this. I am leasing a VPS system for security research. A VPS system is a Virtual Private Server, which is based on container technology. The interesting thing is that I can see when the host updates under me (since I share the base image with other servers).
Anyways... just thought I'd pass this along in case anyone finds this useful.