{"id":8824,"date":"2021-05-13T22:42:39","date_gmt":"2021-05-13T19:42:39","guid":{"rendered":"https:\/\/kifarunix.com\/?p=8824"},"modified":"2024-03-18T22:31:27","modified_gmt":"2024-03-18T19:31:27","slug":"install-and-configure-aide-on-debian-10","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-aide-on-debian-10\/","title":{"rendered":"Install and Configure AIDE on Debian 10"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to install and configure AIDE on Debian 10.&nbsp;<a href=\"http:\/\/aide.sourceforge.net\/stable\/manual.html\" target=\"_blank\" rel=\"noreferrer noopener\">AIDE<\/a>&nbsp;stands for&nbsp;<strong>A<\/strong>dvanced&nbsp;<strong>I<\/strong>ntrusion<strong>&nbsp;D<\/strong>etection<strong>&nbsp;E<\/strong>nvironment.<\/p>\n\n\n\n<p>AIDE is an intrusion detection system that detects changes to files on the local system. It creates a database from the regular expression rules that it finds from the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of the file. More algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies. 
Some of the file properties that AIDE can check include file permissions, inodes, modification time, file contents, user, group, file size\u2026<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing AIDE on Debian 10<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Run System Update<\/h3>\n\n\n\n<p>Before you begin installing AIDE, update your system package cache:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Install AIDE on Debian 10<\/h3>\n\n\n\n<p>AIDE is available in the default Debian repositories.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt-cache policy aide<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>aide:\n  Installed: (none)\n  Candidate: 0.16.1-1\n  Version table:\n     0.16.1-1 500\n        500 http:\/\/deb.debian.org\/debian buster\/main amd64 Packages<\/code><\/pre>\n\n\n\n<p>However, as of this writing, <a aria-label=\"the current stable release (opens in a new tab)\" href=\"https:\/\/github.com\/aide\/aide\/releases\" target=\"_blank\" rel=\"noreferrer noopener nofollow\" class=\"rank-math-link\">the current release<\/a> version of AIDE is <strong>0.17.3<\/strong>.<\/p>\n\n\n\n<p>Unfortunately, the Debian repos do not provide this latest release version of AIDE as it is still under testing. 
In that case, we will install the current stable release version available in the default repos, which is <strong>AIDE v0.16.1-1<\/strong>.<\/p>\n\n\n\n<p>Execute the command below to install the stable release version of AIDE on Debian 10;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install aide<\/code><\/pre>\n\n\n\n<p>Once AIDE has been successfully installed, you can verify the installed version by executing;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>aide -v<\/code><\/pre>\n\n\n\n<p>The command shows the currently installed version of AIDE as well as the options it was compiled with.<\/p>\n\n\n\n<pre class=\"scrollbox\"><code>Aide 0.16.1\n\nCompiled with the following options:\n\nWITH_MMAP\nWITH_PCRE\nWITH_POSIX_ACL\nWITH_SELINUX\nWITH_XATTR\nWITH_E2FSATTRS\nWITH_LSTAT64\nWITH_READDIR64\nWITH_ZLIB\nWITH_MHASH\nWITH_AUDIT\nCONFIG_FILE = \"\/dev\/null\"\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring AIDE on Debian 10<\/h3>\n\n\n\n<p>The general configuration file for AIDE is located under&nbsp;<code><strong>\/etc\/default\/aide<\/strong><\/code>.<\/p>\n\n\n\n<p>The rules and other configurations reside under&nbsp;<code><strong>\/etc\/aide\/<\/strong><\/code>.<\/p>\n\n\n\n<p>The AIDE database is located under&nbsp;<code><strong>\/var\/lib\/aide\/<\/strong><\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Initialize AIDE Database on Debian 10<\/h4>\n\n\n\n<p>Create a new AIDE database. 
<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>aideinit<\/code><\/pre>\n\n\n\n<p>The&nbsp;<code>aideinit<\/code>&nbsp;command creates a new baseline database,&nbsp;<code>\/var\/lib\/aide\/aide.db.new<\/code>.<\/p>\n\n\n\n<p>The command might take a few minutes to complete.<\/p>\n\n\n\n<pre class=\"scrollbox\"><code>Running aide --init...\nStart timestamp: 2021-05-13 14:06:27 -0400 (AIDE 0.16.1)\nAIDE initialized database at \/var\/lib\/aide\/aide.db.new\nVerbose level: 6\n\nNumber of entries:\t205656\n\n---------------------------------------------------\nThe attributes of the (uncompressed) database(s):\n---------------------------------------------------\n\n\/var\/lib\/aide\/aide.db.new\n  RMD160   : 7x5\/c1dpNifnCqEfbegXkgeUYZ8=\n  TIGER    : \/TaHlucsBgKis1UAWqApNi05\/irDr\/EK\n  SHA256   : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO\n             ZgZLEM5aZRo=\n  SHA512   : VwkOKebuBWzrAAhNdeyI\/KlgrJGp+Cx7\n             E\/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb\n             8rx7wQ2VMcn1aDfA8aXtNQ==\n  CRC32    : ibeVcw==\n  HAVAL    : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1\n             7TtzPAdV9Nk=\n  GOST     : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F\n             8vsT+WVZAjQ=\n\n\nEnd timestamp: 2021-05-13 14:13:05 -0400 (run time: 6m 38s)\n<\/code><\/pre>\n\n\n\n<p>As you can see, a new baseline AIDE database has been created,&nbsp;<code><strong>\/var\/lib\/aide\/aide.db.new<\/strong><\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Install New AIDE Database<\/h4>\n\n\n\n<p>To install the newly created AIDE database, copy it into place as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp \/var\/lib\/aide\/aide.db{.new,}<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Rebuild AIDE Configuration<\/h4>\n\n\n\n<p>To update the AIDE runtime configuration,&nbsp;<code><strong>\/etc\/aide\/aide.conf<\/strong><\/code>, execute the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>update-aide.conf<\/code><\/pre>\n\n\n\n<p>The command generates 
a new configuration file,&nbsp;<code><strong>\/var\/lib\/aide\/aide.conf.autogenerated<\/strong><\/code>. Copy the new configuration file to the default AIDE configs directory and overwrite the existing one;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp \/var\/lib\/aide\/aide.conf.autogenerated \/etc\/aide\/aide.conf<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Check AIDE Database for any Inconsistencies<\/h4>\n\n\n\n<p>Once the new configuration is generated, run a manual database check against the new configuration by executing the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>aide -c \/etc\/aide\/aide.conf -C<\/code><\/pre>\n\n\n\n<p>The command checks for deviations between the AIDE database and the filesystem. See the example output below;<\/p>\n\n\n\n<pre class=\"scrollbox\"><code>Start timestamp: 2021-05-13 14:59:37 -0400 (AIDE 0.16.1)\nAIDE found differences between database and filesystem!!\nVerbose level: 6\n\nSummary:\n  Total number of entries:\t205656\n  Added entries:\t\t1\n  Removed entries:\t\t1\n  Changed entries:\t\t23\n\n---------------------------------------------------\nAdded entries:\n---------------------------------------------------\n\nf++++++++++++++++: \/var\/lib\/aide\/aide.db\n\n---------------------------------------------------\nRemoved entries:\n---------------------------------------------------\n\nl----------------: \/run\/systemd\/units\/invocation:session-3.scope\n\n---------------------------------------------------\nChanged entries:\n---------------------------------------------------\n\nf &gt;b... mc..C.. .: \/etc\/aide\/aide.conf\nf &gt;.... mc..C.. .: \/root\/.bash_history\nf =.... mc.....  : \/run\/systemd\/timesync\/synchronized\nd &lt;.... mc.. ..  : \/run\/systemd\/units\nf &lt;b... mc..C.. .: \/var\/lib\/dhcp\/dhclient.leases\nf =.... mc..... .: \/var\/lib\/systemd\/timers\/stamp-anacron.timer\nf =.... mc..... .: \/var\/lib\/systemd\/timesync\/clock\nd =.... 
mc.. .. .: \/var\/ossec\/etc\/shared\/default\nf =.... mc..... .: \/var\/ossec\/etc\/shared\/default\/merged.mg\nf &gt;b... mc..C.. .: \/var\/ossec\/logs\/alerts\/2021\/May\/ossec-alerts-13.json\nf &gt;b... mc..C.. .: \/var\/ossec\/logs\/alerts\/2021\/May\/ossec-alerts-13.log\nf &gt;b... mc..C.. .: \/var\/ossec\/logs\/alerts\/alerts.json\nf &gt;b... mc..C.. .: \/var\/ossec\/logs\/alerts\/alerts.log\nf &gt;.... mc..C.. .: \/var\/ossec\/logs\/ossec.log\nd =.... mc.. .. .: \/var\/ossec\/queue\/db\nf &gt;b... mc..C.. .: \/var\/ossec\/queue\/db\/000.db\nf &lt;.... mc..C.. .: \/var\/ossec\/queue\/diff\/debian\/535\/last-entry\nf &gt;.... mc..C.. .: \/var\/ossec\/stats\/totals\/2021\/May\/ossec-totals-13.log\nd =.... mc.. .. .: \/var\/ossec\/var\/run\nf =.... mci.... .: \/var\/ossec\/var\/run\/ossec-analysisd.state\nf =.... mci.... .: \/var\/ossec\/var\/run\/ossec-remoted.state\nf =.... mc..C.. .: \/var\/ossec\/var\/wodles\/syscollector\nf =.... mc..C.. .: \/var\/webmin\/miniserv.lastcrons\n\n---------------------------------------------------\nDetailed information about changes:\n---------------------------------------------------\n\nFile: \/etc\/aide\/aide.conf\n  Size     : 6598                             | 46195\n  Bcount   : 16                               | 96\n  Mtime    : 2016-04-16 13:57:29 -0400        | 2021-05-13 14:52:51 -0400\n  Ctime    : 2021-05-13 05:34:15 -0400        | 2021-05-13 14:52:51 -0400\n  RMD160   : kHZi6LuS1X5nlHkrtCLV9UdgDxo=     | 8wjI15r0D6K1MUVoiyjJPOlGv18=\n  TIGER    : 4Xz+mZRAxr2kNIGOmTNJa\/7Ftv+VpV37 | 5D516C4863lj53Gcsjw6criLTX43JoSL\n  SHA256   : RN1UT38\/wRA8N5o4M4MHU8N+G49sK9nB | awEfe2H7plz+FstE6NEEHwBsthaweMji\n             0B5VVewz3h8=                     | WcEO1u90BTg=\n  SHA512   : o4LOstw3erheco5dpKcKLadGav29Ud9E | DeNIyQrjM8tDAfJdjLTYMTgDPvft\/kjH\n             ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | 9GJbw\/K4u+WwMMUeg8iKdNkCL6YPc49X\n             yKP7Fvoitf+jHcriq57Pgg==         | xEkz4dL2MjSFBj0i+zQW1g==\n  CRC32    : 
S3Rhfg==                         | XsRmRw==\n  HAVAL    : +O7017egNOm+\/TJW\/3HxeQcxmz55pDM7 | 2nb6INYq7XrgjDfncGvqSEz+UwXIYtSB\n             S+TXtMWVN\/E=                     | 4YrUy9kI6IU=\n  GOST     : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | omvkgMtCPG2xKS2Sbe3PVUKg8+ZNve9j\n             NhV8dix9LIw=                     | Zf744WY7Flk=\n\nFile: \/root\/.bash_history\n  Size     : 5796                             | 8040\n  Mtime    : 2021-05-11 10:25:18 -0400        | 2021-05-13 14:27:45 -0400\n  Ctime    : 2021-05-13 05:14:51 -0400        | 2021-05-13 14:27:45 -0400\n  RMD160   : r8qlsnSTkGosX0fsArK8zsWqTXU=     | 1upKL9INTLUGKEWMIxLmc8CRxJ4=\n  TIGER    : 2uPjP9oFh0nVhGjPQqJti44Q3bF4KHNq | +pJmPgLgd3blY4u+BA6AZiwto8VS5Cvl\n  SHA256   : dCwQv9ucRkmGT0fl5ucRdu+mP9xzM2pF | x2EA+tw6mqkGRq33h7dLOr\/t0pX3HR61\n             w26HE7Pws5Y=                     | vQDZsEhmJD8=\n  SHA512   : \/W3bSTf1qOpkav1Gucjv0iCcGn0Z7G6U | kxOIprR2dkw\/LCCZg61E5kBGSpi4ZGA3\n             rUh3loPZBEQDvGrMc+9zw5FZKko4tfOM | 6T3UZ0Cr22B5CWWkoObGZQ24e3NvmTH5\n             1v\/0FqiB4MhBvZkGU5l0cA==         | pcAhiv4GdP83jO5+Hm2kpA==\n  CRC32    : KkRAtg==                         | SUGh1Q==\n  HAVAL    : JBPLwPshi3ls05OEx2RA4yCYLt7m8+wS | Jb1L2\/dFG0A8ghyV1txmjwlgsZ1wb8f0\n             a3UmYwGZDJo=                     | MOpMWDzQHAs=\n  GOST     : NK8Tmk801XGP72lQktmnfPJ34DFQOuYs | FBMm5BduPdQ2EIw3bYLAS+0uhvdXKSa9\n             OFvxMiIcmXI=                     | 11y3Y1oUsyg=\n\nFile: \/run\/systemd\/timesync\/synchronized\n  Mtime    : 2021-05-13 14:05:09 -0400        | 2021-05-13 14:30:46 -0400\n  Ctime    : 2021-05-13 14:05:09 -0400        | 2021-05-13 14:30:46 -0400\n\nDirectory: \/run\/systemd\/units\n  Size     : 940                              | 920\n  Mtime    : 2021-05-13 14:01:15 -0400        | 2021-05-13 14:31:33 -0400\n  Ctime    : 2021-05-13 14:01:15 -0400        | 2021-05-13 14:31:33 -0400\n\nFile: \/var\/lib\/dhcp\/dhclient.leases\n  Size     : 5344                             | 2222\n  
Bcount   : 16                               | 8\n  Mtime    : 2021-05-13 14:08:06 -0400        | 2021-05-13 15:01:44 -0400\n  Ctime    : 2021-05-13 14:08:06 -0400        | 2021-05-13 15:01:44 -0400\n  RMD160   : x6g8TEahygu\/Y6vTVmTHz+jG7\/g=     | A8i8GUKMIZPvQ67ncZ3vaCulf24=\n  TIGER    : vopFlCGZMR5fD59z2IyqwGTPB4vaPLL7 | ZTotg1uJnCtyljIMyukQsXdIcRxRMBpb\n  SHA256   : 4aB4sFExXuQgHU36\/U4Gpllva+ew5BwK | rPPBKCIrTIK3E4l8g1kcMDEYIWsBAK7g\n             K6IzFjbxGtI=                     | XeH+hNDUQVg=\n  SHA512   : oauEMDY2HKK4cNHJyaE9zL9jeIZomb+B | oL4A\/nW81CzmU+wLwL2gj4o5i+RSFuDr\n             Qr66zW+FblCBjpX9+hPP+C3GWkuhooVO | dMRE57iAr5zpQIaNrsULOBcjf+xVl9\/x\n             DFLNYa2uAy7M+IZsAoXD1w==         | jWyRn+SAWeFgCbrQ1wVNuA==\n  CRC32    : vKR\/CQ==                         | iP46NQ==\n  HAVAL    : 52H8l2m8tGeeGGb7gC3N3bHcid1pvWDB | pcYoOf6Vk2JyMWqP7qOh+URg9Gz0Cabx\n             DZLJ7dflako=                     | kht7TRr3I0A=\n  GOST     : 4YlQabl31XCpQCioZVXpyR+cDcW4po24 | RUA3L4LrEvpAz3LYTDG+38Qz4Aco1HKz\n             81HDK676bSU=                     | gGtZSrw6AlE=\n\nFile: \/var\/lib\/systemd\/timers\/stamp-anacron.timer\n  Mtime    : 2021-05-13 13:57:07 -0400        | 2021-05-13 14:31:33 -0400\n  Ctime    : 2021-05-13 13:57:07 -0400        | 2021-05-13 14:31:33 -0400\n\nFile: \/var\/lib\/systemd\/timesync\/clock\n  Mtime    : 2021-05-13 14:05:09 -0400        | 2021-05-13 14:30:46 -0400\n  Ctime    : 2021-05-13 14:05:09 -0400        | 2021-05-13 14:30:46 -0400\n\nDirectory: \/var\/ossec\/etc\/shared\/default\n  Mtime    : 2021-05-13 14:12:09 -0400        | 2021-05-13 15:01:44 -0400\n  Ctime    : 2021-05-13 14:12:09 -0400        | 2021-05-13 15:01:44 -0400\n\nFile: \/var\/ossec\/etc\/shared\/default\/merged.mg\n  Mtime    : 2021-05-13 14:12:09 -0400        | 2021-05-13 15:01:44 -0400\n  Ctime    : 2021-05-13 14:12:09 -0400        | 2021-05-13 15:01:44 -0400\n\nFile: \/var\/ossec\/logs\/alerts\/2021\/May\/ossec-alerts-13.json\n  Size     : 303004           
                | 303699\n  Bcount   : 600                              | 608\n  Mtime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400\n  Ctime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400\n  RMD160   : HI8kVRJVmBHQ12uM4mgjgC8tG7c=     | rXlxkYtULGVhokQ2Plf1gsRwfeU=\n  TIGER    : fYh0uHAKUPT1rbJ\/b\/e\/PcFOCIAqIGfn | 5mbOOvGc9vIdu\/fu1HhzjYtSCNaMSA+W\n  SHA256   : xRC0btISZjbwp3HJ6YWTx8qVl\/byyU79 | Oal9QcowgkTnOMChs3MoOgTOo0t8xLlu\n             +GDwaFVbOiM=                     | 2B3mpC3PNrk=\n  SHA512   : GYVO1j\/fNYVxIe9mlKJRyUgPb3iOjxDZ | w+npPKwSPtMFmu+8+3bJD9tki9aZIvTi\n             aFCLLqCPpZJZn632rwM7nCTOI41CRQV+ | Ev1ry6SsWUMQ0\/pH\/SCacBUILfKQVBbU\n             Jisfz69u8Fc3WEhGfvN4hQ==         | nEBwUdlorF+p3oPQ4lpipg==\n  CRC32    : mIJZOg==                         | EaLg9w==\n  HAVAL    : Jt9WwS1ZnQ\/u1wp8631+MNPgdgDhWD4Q | LrNLJfJrkK3jibcN\/6wrrOtC+4K3BIpO\n             OJBxqeEjgtA=                     | Sxlq8e5pWqc=\n  GOST     : J9yWuApsLcPuqDbmgp2CKup0spB6MrBS | d2HTAxbMxv7MPiI8lLanW+lSyGM7DvOq\n             76dAVlPr8QU=                     | JyOluc+3ikE=\n\nFile: \/var\/ossec\/logs\/alerts\/2021\/May\/ossec-alerts-13.log\n  Size     : 196342                           | 196713\n  Bcount   : 392                              | 400\n  Mtime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400\n  Ctime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400\n  RMD160   : \/5NDXAKCiQxSuPHVbhi9VQOLLak=     | IDKuML9GS4sQO8oF6Cxz\/vupSJs=\n  TIGER    : 6bAnpVoBW5vDbFQGZtpYFXr9uUYwGrXh | xzLHbWTZVWo7WpTHKvGI8PayW95HaWeU\n  SHA256   : YgaEZgwSrKxirB8bzvxjIzz9ldKkXhpN | IsVan5sOqYUJrPcz+l6bI3yVlCWlHzCb\n             f1I4fTI8FOg=                     | \/dHjbIBnNS4=\n  SHA512   : N9PN7Zm2+6zqZEP\/2O4EBU0wGfV+q\/ap | ZTb1mxGjv2n\/vnwq58\/rTUQIdW0o\/fxa\n             E\/qqtliCxOdacC+jPmF43otCZE34qfd6 | aHoo4c989CS5SN8wO7ZO+ZyK7LikZPe6\n             A5wLwkdp9CRzuqNIAS\/WMg==         | 
dpg9q4ewGLAmwHYMPBbgMg==\n  CRC32    : aTphhA==                         | LFRiBQ==\n  HAVAL    : OOqQLrhUONV5Zm6pimcMyDbX0GsFh81n | CS+LNyUR3QflgCfT0e7pW3FSYzXMZKQB\n             s78\/EtSkPEc=                     | S0VrHY0GV08=\n  GOST     : pI74rIIHDI7TDrCA+Sx\/osECG3JGljMk | 05z1Do1bUHdp8pMMcU5LpbBftPvSV824\n             NX+WsahkgQI=                     | Qv+qrf4TU6U=\n\nFile: \/var\/ossec\/logs\/alerts\/alerts.json\n  Size     : 303004                           | 303699\n  Bcount   : 600                              | 608\n  Mtime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400\n  Ctime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400\n  RMD160   : HI8kVRJVmBHQ12uM4mgjgC8tG7c=     | rXlxkYtULGVhokQ2Plf1gsRwfeU=\n  TIGER    : fYh0uHAKUPT1rbJ\/b\/e\/PcFOCIAqIGfn | 5mbOOvGc9vIdu\/fu1HhzjYtSCNaMSA+W\n  SHA256   : xRC0btISZjbwp3HJ6YWTx8qVl\/byyU79 | Oal9QcowgkTnOMChs3MoOgTOo0t8xLlu\n             +GDwaFVbOiM=                     | 2B3mpC3PNrk=\n  SHA512   : GYVO1j\/fNYVxIe9mlKJRyUgPb3iOjxDZ | w+npPKwSPtMFmu+8+3bJD9tki9aZIvTi\n             aFCLLqCPpZJZn632rwM7nCTOI41CRQV+ | Ev1ry6SsWUMQ0\/pH\/SCacBUILfKQVBbU\n             Jisfz69u8Fc3WEhGfvN4hQ==         | nEBwUdlorF+p3oPQ4lpipg==\n  CRC32    : mIJZOg==                         | EaLg9w==\n  HAVAL    : Jt9WwS1ZnQ\/u1wp8631+MNPgdgDhWD4Q | LrNLJfJrkK3jibcN\/6wrrOtC+4K3BIpO\n             OJBxqeEjgtA=                     | Sxlq8e5pWqc=\n  GOST     : J9yWuApsLcPuqDbmgp2CKup0spB6MrBS | d2HTAxbMxv7MPiI8lLanW+lSyGM7DvOq\n             76dAVlPr8QU=                     | JyOluc+3ikE=\n\nFile: \/var\/ossec\/logs\/alerts\/alerts.log\n  Size     : 196342                           | 196713\n  Bcount   : 392                              | 400\n  Mtime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400\n  Ctime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400\n  RMD160   : \/5NDXAKCiQxSuPHVbhi9VQOLLak=     | IDKuML9GS4sQO8oF6Cxz\/vupSJs=\n  TIGER    : 
6bAnpVoBW5vDbFQGZtpYFXr9uUYwGrXh | xzLHbWTZVWo7WpTHKvGI8PayW95HaWeU\n  SHA256   : YgaEZgwSrKxirB8bzvxjIzz9ldKkXhpN | IsVan5sOqYUJrPcz+l6bI3yVlCWlHzCb\n             f1I4fTI8FOg=                     | \/dHjbIBnNS4=\n  SHA512   : N9PN7Zm2+6zqZEP\/2O4EBU0wGfV+q\/ap | ZTb1mxGjv2n\/vnwq58\/rTUQIdW0o\/fxa\n             E\/qqtliCxOdacC+jPmF43otCZE34qfd6 | aHoo4c989CS5SN8wO7ZO+ZyK7LikZPe6\n             A5wLwkdp9CRzuqNIAS\/WMg==         | dpg9q4ewGLAmwHYMPBbgMg==\n  CRC32    : aTphhA==                         | LFRiBQ==\n  HAVAL    : OOqQLrhUONV5Zm6pimcMyDbX0GsFh81n | CS+LNyUR3QflgCfT0e7pW3FSYzXMZKQB\n             s78\/EtSkPEc=                     | S0VrHY0GV08=\n  GOST     : pI74rIIHDI7TDrCA+Sx\/osECG3JGljMk | 05z1Do1bUHdp8pMMcU5LpbBftPvSV824\n             NX+WsahkgQI=                     | Qv+qrf4TU6U=\n\nFile: \/var\/ossec\/logs\/ossec.log\n  Size     : 11605                            | 11757\n  Mtime    : 2021-05-13 13:57:32 -0400        | 2021-05-13 14:25:18 -0400\n  Ctime    : 2021-05-13 13:57:32 -0400        | 2021-05-13 14:25:18 -0400\n  RMD160   : UrndE9lRw2gEB6OGZuQ\/mnGRc7U=     | rMF+\/kDPzTEQp4+fG4nWvCrRdfk=\n  TIGER    : j4s+XmwXPueAQuAciYwhO7X455MBGq4r | x61JVqPEUAm6ZSQ0S37CA+stHjQyh2KV\n  SHA256   : 9kdSlM2EjZKe451VHXo+BXd3fAtVsRt8 | qktJymmvRRyM1jjuLlvVscpDMBfs\/eds\n             CcloQ1jNTzo=                     | EQ5zKH61\/2o=\n  SHA512   : pTDO+6p6JzruJ+AMsZ4LCIqQsKCeagOj | Ga+4TvLk90Q5lTMK1iO\/2Zw4Ic0eCLt4\n             4OeJYhAdNRJ+1QSFabUatNuwltW0uIs+ | 5X0c7AH5GvbUCs5Cw4y9RUHQlGF7BLVA\n             Sj6ab2HDu0RJEmy\/EQVAOA==         | cLxxRzeSvk6MKK00DtwotQ==\n  CRC32    : Xq9wkw==                         | qoNgtQ==\n  HAVAL    : fMCtlMz5vBfRN\/UZm+nigxdn\/lphzAag | J6sZyDnrOV+vT07OER46CGex4nUPjNAU\n             EVwoljewwnk=                     | hZRJBEQuXvQ=\n  GOST     : vG3FbAnnsorn5Wa69JWn+rVBLNSWOy0o | mi1diJV7nKcX4li9XFdcYs1rA4rLzcSI\n             TvuIiF4Ohzo=                     | r+Y1bqomAjg=\n\nDirectory: \/var\/ossec\/queue\/db\n  Mtime    : 
2021-05-13 13:57:33 -0400        | 2021-05-13 14:25:29 -0400\n  Ctime    : 2021-05-13 13:57:33 -0400        | 2021-05-13 14:25:29 -0400\n\nFile: \/var\/ossec\/queue\/db\/000.db\n  Size     : 2113536                          | 2228224\n  Bcount   : 4128                             | 4328\n  Mtime    : 2021-05-13 13:57:33 -0400        | 2021-05-13 14:25:29 -0400\n  Ctime    : 2021-05-13 13:57:33 -0400        | 2021-05-13 14:25:29 -0400\n  RMD160   : h9D0qcSXGbRqsZGJV5wNywYfO30=     | OSPi2pAhW\/rVJrwB2NL\/NGlcc9U=\n  TIGER    : MFWistAyOA7gy+T4ZtmuwmCBghe8ndnN | V00qPUeAtE5+i\/uMTSbfidq3Q3dIFxj\/\n  SHA256   : JMeairDZxZUWoA2Rcpw0CoLxUllolk3l | T0UJvOvhurdsnLokgrBqmIUDLVdJ4HI5\n             j79VsRy1d\/E=                     | 3IPq7G21RZY=\n  SHA512   : sbtVw881IhIicV5UfsWvpbdOOHzb8aVw | XBE7eta1oMwAsG4kOcj793f16ZqMeGh+\n             Fy7jrUgDkQSfnMYiNnD329pRbw61OxY8 | k4kw4Q7+lzJYrILo8a5\/Ea7cCShz2cnv\n             j\/dO5nqq7H3tHhzou+bf0A==         | UU6gNnzyT3HslSTfXm2upQ==\n  CRC32    : RqsdGg==                         | LD0Qpw==\n  HAVAL    : vSCMk\/LypxzM\/KT0mX\/xAZkIMZNt8Qeq | 6vHfo9hW75oG2PksEcaE0IPYLlMxukZU\n             RqMoxzLqfcc=                     | eIAcYWyfr6w=\n  GOST     : GTCGuUTPs0BM2pSO4\/PgO\/HXI8P0tgid | Ec053qs2D5hjYO8IxHmW6g6UhW0tK4aE\n             mYVX1XfJHM8=                     | vypwpBv5bb8=\n\nFile: \/var\/ossec\/queue\/diff\/debian\/535\/last-entry\n  Size     : 1024                             | 1021\n  Mtime    : 2021-05-13 13:57:08 -0400        | 2021-05-13 14:33:10 -0400\n  Ctime    : 2021-05-13 13:57:08 -0400        | 2021-05-13 14:33:10 -0400\n  RMD160   : qHsDObPkZuJcZNKKxWUlkN1TmdI=     | j2zl43WJTJelXeuFTkIVH8uCW9A=\n  TIGER    : Q8rEdFootqfUPYX6I5u7UC+IBXt1EtQ4 | XPAYBNVvJ+mtPHWOemVeZ7xjls5bE9kQ\n  SHA256   : tkk1KU58wTyYjwdmyF4aFWWBttu2gnua | 09g04YBhFqG1lbLtHvyxvBcUbNYwnv7p\n             7eqkATbNMy4=                     | LfG5wba7E2Q=\n  SHA512   : sKOr9fAXVeaAfmNGTQrJfAeG4nghNw17 | dE7AD9uML4iQcMmH1W38MJu5ngzLxyvZ\n           
  FIjGsgxU3erZS0iIEncQL7XgMBeC9Jts | +e22ULMcqxJC+7GunqeNMn6ADesqjZN1\n             bllmBgLe\/elsofeGAXfRvQ==         | Tj6RdqgqnxDEmIPnf1tJKg==\n  CRC32    : Q0OBsA==                         | CIXH\/Q==\n  HAVAL    : PFRZcbTmd11VMc9WDRKR5nMvyVVbTwU7 | LY0Eu6iQTPTOTyp2TqXW2\/IPvBK5dsn3\n             vnQHgGKEN\/Y=                     | GOFLTBzoCvE=\n  GOST     : 11cAAblplJja5\/rktHJDKzFraTKbaqz5 | leGBDPnpRhyRLTGo8QMaMkYHjOSkdqa+\n             By98fbs8dTw=                     | +6QrJ4E5rQs=\n\nFile: \/var\/ossec\/stats\/totals\/2021\/May\/ossec-totals-13.log\n  Size     : 894                              | 999\n  Mtime    : 2021-05-13 14:01:16 -0400        | 2021-05-13 15:01:46 -0400\n  Ctime    : 2021-05-13 14:01:16 -0400        | 2021-05-13 15:01:46 -0400\n  RMD160   : zJ8At9unwQxEzSe9J4GrzbqTMz8=     | COrlpQLyTK+TCf8KkThMAyvseig=\n  TIGER    : gs7ydELV5qsqM6gqkk3VubEx9WZvybNH | nNzaNRkTekRV\/eE7mrzj8wypqqQ3X02M\n  SHA256   : OrAiYG8X0UfOSTWwfcFs1gl0CkAwC7aR | 9OjAmTYpHgKyhQ2aXWzbRoTIRjDDpGlk\n             52uZF3374G8=                     | SzQNk0h7bHk=\n  SHA512   : atNLeqF+T7DoIyN5XBh9Z7Lxvtxv88kv | FOxCmlwtkJ2\/ej5BM6HX13p9UpiP+9mV\n             u+XHdKFZIr6UMf7UTycb\/+qso33BlVfH | CtmkyaWXNcOhw1moeRUGHKdkRUdWh06a\n             Mn8sGcjy4DuchZpZeggdyA==         | TpH4CYF4P6uMH4VMfhUwDg==\n  CRC32    : f5dIXg==                         | lVKiZg==\n  HAVAL    : PO\/8wHY4EFaVnO\/yUEIPCr9UmrujdHoH | HZF3AmNvk8PNec0OcUHsNWs8TeIJ7Bm\/\n             baDhTTJixt0=                     | GhgPEEhrtYc=\n  GOST     : SDdETY0dZJHWCQGIl4cggiwFBQwp\/Ely | lm4MpfRUd+5kF8PkFi066ESY\/4ISLjhy\n             HVZbNI4G\/LM=                     | \/w68fjIDHL4=\n\nDirectory: \/var\/ossec\/var\/run\n  Mtime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400\n  Ctime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400\n\nFile: \/var\/ossec\/var\/run\/ossec-analysisd.state\n  Mtime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400\n  Ctime    : 
2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400\n  Inode    : 291862                           | 304591\n\nFile: \/var\/ossec\/var\/run\/ossec-remoted.state\n  Mtime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400\n  Ctime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400\n  Inode    : 304591                           | 307354\n\nFile: \/var\/ossec\/var\/wodles\/syscollector\n  Mtime    : 2021-05-13 05:03:42 -0400        | 2021-05-13 14:25:18 -0400\n  Ctime    : 2021-05-13 05:03:42 -0400        | 2021-05-13 14:25:18 -0400\n  RMD160   : t2dgf7PI+qjCpifY2lsAcxDF9Fk=     | cntjaDX\/DCNzvCfiCA1kXl7KCCM=\n  TIGER    : +Gq9NCskrl71MYuh9vQY\/9SKFmdwV2WC | w2KPhzO5tiv\/GcsGpi6kfqs8JPsH4h2J\n  SHA256   : YWnwELAriPpKVUvzp48A36IsQiLiDrPa | 5AwQ6d972QnzU6DymNjanYsORD2V5TIQ\n             +xaI8POCyBo=                     | yPakdvhIjIQ=\n  SHA512   : TmNSY5LxyrRar\/OWhzGR\/IzBw33HSywQ | adcpxpI3Q9psuemsly3IVcpaXJUKt88W\n             eQb39k+4WJOY1Dag638EQj0PQDFTJTyo | zbzT2XtMHO8lWny35\/AdVVOYvW56aD6K\n             IfHuoARl+hAG\/NeGUrb\/Nw==         | D0jnB0YUWop4oQI2Exhsgw==\n  CRC32    : YrOyVA==                         | Jcfn4Q==\n  HAVAL    : kZ1+RJgVhR5Ye4SBgUA++Opyag\/JQw5X | JnJ1PH1Qst5GxeaKBT\/G9vvBrJJ1v+iO\n             7f0i\/Y4BMZc=                     | sGj6SbculZI=\n  GOST     : c56J+RwvEsiWC3j3TwCigV9ip7G26cc4 | iUktb3cvt2mwTIbtf5pD5y2RBq4c0f\/1\n             RjAfGj8Yklg=                     | 792rogTuXMw=\n\nFile: \/var\/webmin\/miniserv.lastcrons\n  Mtime    : 2021-05-13 13:57:08 -0400        | 2021-05-13 14:57:09 -0400\n  Ctime    : 2021-05-13 13:57:08 -0400        | 2021-05-13 14:57:09 -0400\n  RMD160   : l4hocPE\/SHW9NhN2NCF2nQX+fbU=     | pm7WC+m645+3fPpMGPfMIbZML1c=\n  TIGER    : AZZbVVUb9d9+o+IPaFHr\/1JTepGY0skV | QG8yw6Ma8zTNORA5mvFJgZvdZVRRqarp\n  SHA256   : OZbnUDEbF2h8\/h3wEy+xQ0+qQ+X1IdED | ZmH3hXZrdFopMfPquWUplysApSgaCLbN\n             tW0z\/XmwFgE=                     | woeJMG74uoY=\n  SHA512   : 
ebuDdi38UvLbg7hE5b90rU01dTNsH8PT | pcFF4JY4+w\/OL9gujrtJ1OqWyDyQabrM\n             Vyn01yobjF9ieXuIVgtohQFhfj4V\/ciG | VLmyprO+sEYWvkCWE028s350NM1ZOIzI\n             jH49Npaj0MOT418Lj7sbBw==         | feXBta\/T\/EvgzOi5Uz\/oCQ==\n  CRC32    : \/ZYiew==                         | 8UcOAw==\n  HAVAL    : K2mLlgdjxme5iRQ8+GS1fbIa0wkKR4Q2 | nMGCLXkIIls7X6YraMeRbq3+mnboYOe8\n             fUXtscLxzYw=                     | pidvAJg7Q0M=\n  GOST     : eMerS2vevb7fswadmjiZLo0ImDxQ2uo\/ | 5rwUUkXBg6z9QsYhGJ7pOVkwaeZfHt5X\n             fRjhDng5dWg=                     | c1AvM7h2otw=\n\n\n---------------------------------------------------\nThe attributes of the (uncompressed) database(s):\n---------------------------------------------------\n\n\/var\/lib\/aide\/aide.db\n  RMD160   : 7x5\/c1dpNifnCqEfbegXkgeUYZ8=\n  TIGER    : \/TaHlucsBgKis1UAWqApNi05\/irDr\/EK\n  SHA256   : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO\n             ZgZLEM5aZRo=\n  SHA512   : VwkOKebuBWzrAAhNdeyI\/KlgrJGp+Cx7\n             E\/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb\n             8rx7wQ2VMcn1aDfA8aXtNQ==\n  CRC32    : ibeVcw==\n  HAVAL    : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1\n             7TtzPAdV9Nk=\n  GOST     : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F\n             8vsT+WVZAjQ=\n\n\nEnd timestamp: 2021-05-13 15:02:37 -0400 (run time: 3m 0s)\n<\/code><\/pre>\n\n\n\n<p>From the output above, AIDE found a number of file system changes. 
Check the report.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Testing AIDE on Debian 10<\/h4>\n\n\n\n<p>You can now create, edit, and delete some files, then re-run the AIDE check to see how AIDE detects all these changes.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"1.2.3.4 test.kifarunix-demo.com\" &gt;&gt; \/etc\/hosts<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>touch \/etc\/newfile<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>rm -rf \/etc\/issue<\/code><\/pre>\n\n\n\n<p>After all those changes, re-run the AIDE database check against the filesystem.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>aide -c \/etc\/aide\/aide.conf -C<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scrollbox\"><code>Start timestamp: 2021-05-13 15:08:24 -0400 (AIDE 0.16.1)\nAIDE found differences between database and filesystem!!\nVerbose level: 6\n\nSummary:\n  Total number of entries:\t205656\n  Added entries:\t\t2\n  Removed entries:\t\t2\n  Changed entries:\t\t24\n\n---------------------------------------------------\nAdded entries:\n---------------------------------------------------\n\nf++++++++++++++++: \/etc\/newfile\nf++++++++++++++++: \/var\/lib\/aide\/aide.db\n\n---------------------------------------------------\nRemoved entries:\n---------------------------------------------------\n\nf----------------: \/etc\/issue\nl----------------: \/run\/systemd\/units\/invocation:session-3.scope\n\n---------------------------------------------------\nChanged entries:\n---------------------------------------------------\n\nf &gt;b... mc..C.. .: \/etc\/aide\/aide.conf\nf &gt;.... mc..C.. 
.: \/etc\/hosts\n...\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Limiting AIDE Integrity Checks to Specific Files\/Directories<\/h4>\n\n\n\n<p>To limit the integrity checks to specific entries, for example <code><strong>\/etc<\/strong><\/code>, pass the&nbsp;<code><strong>--limit REGEX<\/strong><\/code>&nbsp;option to the AIDE check command, where REGEX is a regular expression matching the entries to check.<\/p>\n\n\n\n<p>For example, to check and update the database entries matching&nbsp;<code>\/etc<\/code>, you would run the aide command as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>aide -c \/etc\/aide\/aide.conf --limit \/etc --check<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scrollbox\"><code>Start timestamp: 2021-05-13 15:13:34 -0400 (AIDE 0.16.1)\nAIDE found differences between database and filesystem!!\nLimit: \/etc | Verbose level: 6\n\nSummary:\n  Total number of entries:\t205656\n  Added entries:\t\t1\n  Removed entries:\t\t1\n  Changed entries:\t\t2\n\n---------------------------------------------------\nAdded entries:\n---------------------------------------------------\n\nf++++++++++++++++: \/etc\/newfile\n\n---------------------------------------------------\nRemoved entries:\n---------------------------------------------------\n\nf----------------: \/etc\/issue\n\n---------------------------------------------------\nChanged entries:\n---------------------------------------------------\n\nf &gt;b... mc..C.. .: \/etc\/aide\/aide.conf\nf &gt;.... mc..C.. 
.: \/etc\/hosts\n\n---------------------------------------------------\nDetailed information about changes:\n---------------------------------------------------\n\nFile: \/etc\/aide\/aide.conf\n  Size     : 6598                             | 46195\n  Bcount   : 16                               | 96\n  Mtime    : 2016-04-16 13:57:29 -0400        | 2021-05-13 14:52:51 -0400\n  Ctime    : 2021-05-13 05:34:15 -0400        | 2021-05-13 14:52:51 -0400\n  RMD160   : kHZi6LuS1X5nlHkrtCLV9UdgDxo=     | 8wjI15r0D6K1MUVoiyjJPOlGv18=\n  TIGER    : 4Xz+mZRAxr2kNIGOmTNJa\/7Ftv+VpV37 | 5D516C4863lj53Gcsjw6criLTX43JoSL\n  SHA256   : RN1UT38\/wRA8N5o4M4MHU8N+G49sK9nB | awEfe2H7plz+FstE6NEEHwBsthaweMji\n             0B5VVewz3h8=                     | WcEO1u90BTg=\n  SHA512   : o4LOstw3erheco5dpKcKLadGav29Ud9E | DeNIyQrjM8tDAfJdjLTYMTgDPvft\/kjH\n             ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | 9GJbw\/K4u+WwMMUeg8iKdNkCL6YPc49X\n             yKP7Fvoitf+jHcriq57Pgg==         | xEkz4dL2MjSFBj0i+zQW1g==\n  CRC32    : S3Rhfg==                         | XsRmRw==\n  HAVAL    : +O7017egNOm+\/TJW\/3HxeQcxmz55pDM7 | 2nb6INYq7XrgjDfncGvqSEz+UwXIYtSB\n             S+TXtMWVN\/E=                     | 4YrUy9kI6IU=\n  GOST     : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | omvkgMtCPG2xKS2Sbe3PVUKg8+ZNve9j\n             NhV8dix9LIw=                     | Zf744WY7Flk=\n\nFile: \/etc\/hosts\n  Size     : 186                              | 218\n  Mtime    : 2021-01-29 14:23:36 -0500        | 2021-05-13 15:07:59 -0400\n  Ctime    : 2021-01-29 14:23:36 -0500        | 2021-05-13 15:07:59 -0400\n  RMD160   : pgg6hjBhDjMlk+l8yu0LB1SL7o8=     | sUqfThZK2gYBG5rgKCY0882JsFE=\n  TIGER    : 6rCGqnmCVSK81X5SatwKyW6Cybt1B9yP | 04im6NfESOdCKzANx6VA3ehjZ0skylIh\n  SHA256   : XJiphdFN5h4JGKNCqvrG71xF+FyFEi5E | rjTkky\/c4992255kH3yXciO+SHZa8wlA\n             SvfqvfKxUng=                     | 9brQo29MU+o=\n  SHA512   : Frpi7XYfQq7SA8HSImzFystaarku\/1Cs | jqUFxAQYoNlj5LXVZxn6kJGwQLePCWcs\n             
Ba7vka2boOYZsqzVoXq0c6zlxb5AVX7J | Ay3i8i8bAv59cfjRpxQpTj3rNdeS70pp\n             Yl+VEG\/SZpPvca+6xn4P8Q==         | xj1P9YWWTtn6unB6ZON2pg==\n  CRC32    : xZ01PQ==                         | 9LtLwA==\n  HAVAL    : 17oJH6iVQGXq3ge2uXnwumq0xCLaF+fS | Qty\/rrMbvG1RTmj6+PvPUtB6zAk6x\/na\n             Goy5GCiijPI=                     | oiBWgvPWsmY=\n  GOST     : X8Mnh75FrKoDQl88Ez1l0hRH4pR9lOon | zjAjM0BCHajG4Xb1AIZGOXOzjOtRQ7lZ\n             jkxNlJeC1fA=                     | EzBfUnAXze0=\n\n\n---------------------------------------------------\nThe attributes of the (uncompressed) database(s):\n---------------------------------------------------\n\n\/var\/lib\/aide\/aide.db\n  RMD160   : 7x5\/c1dpNifnCqEfbegXkgeUYZ8=\n  TIGER    : \/TaHlucsBgKis1UAWqApNi05\/irDr\/EK\n  SHA256   : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO\n             ZgZLEM5aZRo=\n  SHA512   : VwkOKebuBWzrAAhNdeyI\/KlgrJGp+Cx7\n             E\/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb\n             8rx7wQ2VMcn1aDfA8aXtNQ==\n  CRC32    : ibeVcw==\n  HAVAL    : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1\n             7TtzPAdV9Nk=\n  GOST     : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F\n             8vsT+WVZAjQ=\n\n\nEnd timestamp: 2021-05-13 15:14:04 -0400 (run time: 0m 30s)\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Exclude Specific Directories from AIDE Checks<\/h4>\n\n\n\n<p>To exclude some directories, edit the configuration file,&nbsp;<code>\/etc\/aide\/aide.conf<\/code>, and add the directories to ignore to the end of the file in the format;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>!\/home\/\n!\/var\/lib\/\n!\/proc<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Using Custom AIDE Configuration<\/h4>\n\n\n\n<p>You can also create your own configuration and define what needs to be checked and what not.<\/p>\n\n\n\n<p>See example configuration below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>mkdir \/home\/koromicha\/aide<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim 
\/home\/koromicha\/aide\/aide.conf<\/code><\/pre>\n\n\n\n<pre class=\"scrollbox\"><code># Path for creating the databases\ndatabase=file:\/home\/koromicha\/aide\/aide.db\ndatabase_out=file:\/home\/koromicha\/aide\/aide.db.new\ndatabase_new=file:\/home\/koromicha\/aide\/aide.db.new\n\n# Set your own AIDE rule.\nMYRULE=p+n+u+g+s+m+c+xattrs+md5+sha512\n\n# Directories\/files to be monitored and rule to apply\n#\/etc MYRULE\n#\/bin MYRULE\n#\/usr\/bin MYRULE\n\/home MYRULE\n\n# Directories to ignore\n!\/proc\n<\/code><\/pre>\n\n\n\n<p>Basically, the rule set above checks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>p<\/strong>ermissions,<\/li>\n\n\n\n<li><strong>n<\/strong>umber of links,<\/li>\n\n\n\n<li><strong>u<\/strong>ser,<\/li>\n\n\n\n<li><strong>g<\/strong>roup,<\/li>\n\n\n\n<li><strong>s<\/strong>ize,<\/li>\n\n\n\n<li><strong>m<\/strong>odification time,<\/li>\n\n\n\n<li>inode\/file&nbsp;<strong>c<\/strong>hange time,<\/li>\n\n\n\n<li>e<strong>x<\/strong>tended file&nbsp;<strong>attr<\/strong>ibute<strong>s<\/strong>,<\/li>\n\n\n\n<li><strong>MD5<\/strong>&nbsp;checksum,<\/li>\n\n\n\n<li><strong>SHA512<\/strong>&nbsp;checksum.<\/li>\n<\/ul>\n\n\n\n<p>Initialize the database with the new configuration;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>aide -c \/home\/koromicha\/aide\/aide.conf -i<\/code><\/pre>\n\n\n\n<p>Copy the database in place;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp \/home\/koromicha\/aide\/aide.db{.new,}<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">AIDE Diagnostics<\/h4>\n\n\n\n<p>Check the configuration file for errors by running the command below;<\/p>\n\n\n\n<pre id=\"crayon-5c533ea7442e2891618126-2\" class=\"wp-block-preformatted\"><code>aide -c \/home\/koromicha\/aide\/aide.conf --config-check<\/code><\/pre>\n\n\n\n<p>Check the command exit status.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo $?<\/code><\/pre>\n\n\n\n<p>According to the AIDE man page, AIDE\u2019s exit status is normally 0 if no errors occurred. 
The exception is when the <code>--check<\/code>, <code>--compare<\/code> or <code>--update<\/code> command was requested, in which case the exit status is defined as:<\/p>\n\n\n\n<pre class=\"scrollbox\"><code>   1 * (new files detected?)     +\n\n   2 * (removed files detected?) +\n\n   4 * (changed files detected?)\n\n   Since  those three cases can occur together, the respective error codes are added. For example, if there are new files and removed files detected, the exit status will be 1 + 2 = 3.\n\n   Additionally, the following exit codes are defined for generic error conditions:\n\n   14 Error writing error\n\n   15 Invalid argument error\n\n   16 Unimplemented function error\n\n   17 Invalid configureline error\n\n   18 IO error\n\n   19 Version mismatch error\n<\/code><\/pre>\n\n\n\n<p>NOTE: Whenever you make any AIDE configuration changes, remember to initialize the database again to create a new baseline.<\/p>\n\n\n\n<p>Make some changes, such as removing a file and creating a new directory and a new file;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>rm -rf \/home\/koromicha\/aide\/aide.db.new\nmkdir \/home\/koromicha\/test-dir\ntouch \/home\/koromicha\/test-file<\/code><\/pre>\n\n\n\n<p>You can then run AIDE against your custom configuration.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>aide -c \/home\/koromicha\/aide\/aide.conf -C<\/code><\/pre>\n\n\n\n<pre class=\"scrollbox\"><code>Start timestamp: 2021-05-13 15:20:06 -0400 (AIDE 0.16.1)\nAIDE found differences between database and filesystem!!\n\nSummary:\n  Total number of entries:\t10\n  Added entries:\t\t3\n  Removed entries:\t\t1\n  Changed entries:\t\t2\n\n---------------------------------------------------\nAdded entries:\n---------------------------------------------------\n\nf++++++++++++++++: \/home\/koromicha\/aide\/aide.db\nd++++++++++++++++: \/home\/koromicha\/test-dir\nf++++++++++++++++: \/home\/koromicha\/test-file\n\n---------------------------------------------------\nRemoved 
entries:\n---------------------------------------------------\n\nf----------------: \/home\/koromicha\/aide\/aide.db.new\n\n---------------------------------------------------\nChanged entries:\n---------------------------------------------------\n\nd = ... mc n  .  : \/home\/koromicha\nd = ... mc .  .  : \/home\/koromicha\/aide\n\n---------------------------------------------------\nDetailed information about changes:\n---------------------------------------------------\n\nDirectory: \/home\/koromicha\n  Mtime    : 2021-05-13 15:17:02 -0400        | 2021-05-13 15:19:59 -0400\n  Ctime    : 2021-05-13 15:17:02 -0400        | 2021-05-13 15:19:59 -0400\n  Linkcount: 3                                | 4\n\nDirectory: \/home\/koromicha\/aide\n  Mtime    : 2021-05-13 15:18:19 -0400        | 2021-05-13 15:19:59 -0400\n  Ctime    : 2021-05-13 15:18:19 -0400        | 2021-05-13 15:19:59 -0400\n\n\n---------------------------------------------------\nThe attributes of the (uncompressed) database(s):\n---------------------------------------------------\n\n\/home\/koromicha\/aide\/aide.db\n  MD5      : f0gmAXaAnpmsLpcqEB2yaw==\n  SHA1     : HjZ96ZFaLaGXT7oLQHetDByRcfg=\n  RMD160   : ND0cqBPVsKaZw6peqJq81oAckx8=\n  TIGER    : GsNazCXJu\/wNbSTKyXUSPXgGImsKYZSj\n  SHA256   : yz0xi62lx4v4yxwvcVG4DcrEpaszxCFi\n             M5SFuRB7rFc=\n  SHA512   : bMqIRxmfMz\/Id1aKhKNUfZbG6I\/Jn5UD\n             6+G7x0oTFwf\/GxUn8AVbhDyitO4bDjE\/\n             6yw2N+Ea4b69UgYkt8v6xQ==\n  CRC32    : amnOHQ==\n  HAVAL    : lKVe1OAZ\/RHx8vq3AH1td++qnLZhomN\/\n             8VWvgolh12Y=\n  GOST     : WzrpoPdX5kbKV9+XXKO2B6mWdyPq2m17\n             u3querF\/YTk=\n  WHIRLPOOL: gsUPlPVbwDJYOXOWi30\/1PXONnTZqMGM\n             fQOCS8VsEpV9tYUuM2Yrb78hCjfjACla\n             SdxnhuyiM3DPwIVS9c1x9Q==\n\n\nEnd timestamp: 2021-05-13 15:20:06 -0400 (run time: 0m 0s)\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Sending AIDE Report via Mail<\/h4>\n\n\n\n<p>By default, AIDE sets itself up with a daily execution 
script,&nbsp;<code>\/etc\/cron.daily\/aide<\/code>, upon installation.<\/p>\n\n\n\n<p>The output of the checks is mailed to the user specified in the&nbsp;<code><strong>MAILTO=<\/strong><\/code>&nbsp;directive of the&nbsp;<code><strong>\/etc\/default\/aide<\/strong><\/code>&nbsp;configuration file as detailed above.<\/p>\n\n\n\n<p>To send the AIDE report via mail, you need to edit the file,&nbsp;<code>\/etc\/default\/aide<\/code>,&nbsp;and set the value of the&nbsp;<code>MAILTO<\/code>&nbsp;directive to your email ID such that it looks like below. The default recipient is&nbsp;<code>root<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/default\/aide<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>...\n#MAILTO=root\nMAILTO=analyst@kifarunix-demo.com<\/code><\/pre>\n\n\n\n<p>Most of the AIDE default parameter settings are defined in this file. It is heavily commented for easy understanding, so go through this file to see what other options to enable or disable.<\/p>\n\n\n\n<p>The email delivery can only work if you have configured your MTA for email transfer. 
Follow the links below to learn how to configure Postfix to use Gmail SMTP for relay;<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/configure-postfix-to-use-gmail-smtp-on-ubuntu-20-04\/\" target=\"_blank\" class=\"rank-math-link\">Configure Postfix to Use Gmail SMTP<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" class=\"rank-math-link\" href=\"https:\/\/kifarunix.com\/configure-postfix-to-use-gmail-smtp-on-ubuntu-18-04\/\" target=\"_blank\">Configure Postfix to Use Gmail SMTP on Ubuntu 18.04<\/a><\/p>\n\n\n\n<p>Instead of using the cron mail recipient address above, you can edit the Postfix mail aliases and set an alias for root to the email address you want to receive the AIDE report on;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/aliases<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>postmaster:    root\nroot:   analyst@kifarunix-demo.com<\/code><\/pre>\n\n\n\n<p>Ensure you update aliases;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>newaliases<\/code><\/pre>\n\n\n\n<p>You can as well install a cron job to execute AIDE at specific time intervals;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo crontab -e<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>*\/10 * * * * aide -c \/home\/koromicha\/aide\/aide.conf -u &amp;&amp; cp \/home\/koromicha\/aide\/aide.db.new \/home\/koromicha\/aide\/aide.db<\/code><\/pre>\n\n\n\n<p>This will execute the AIDE system check every 10 minutes and email the report to&nbsp;<code><strong>analyst@kifarunix-demo.com<\/strong><\/code>&nbsp;as per my setup. Note that <code>aide -u<\/code> exits with a non-zero status whenever it detects added, removed or changed files (see the exit codes above), so the <code>cp<\/code> after <code>&amp;&amp;<\/code> runs only when nothing has changed.<\/p>\n\n\n\n<p>It is also good to note that AIDE checks might be resource intensive and may cause a performance issue on your system during integrity checks. 
If you are scanning system wide, be sure to provide &#8220;enough&#8221; resources.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to install and configure AIDE on Debian 10.&nbsp;AIDE&nbsp;stands for&nbsp;Advanced&nbsp;Intrusion&nbsp;Detection&nbsp;Environment. 
AIDE is an intrusion detection system that detects changes<\/p>\n","protected":false},"author":1,"featured_media":8828,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121],"tags":[311,3527,997,3526,3528,3525],"class_list":["post-8824","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","tag-aide","tag-aide-install-debian-10","tag-debian-10","tag-debian-10-install-aide","tag-install-aide","tag-install-aide-debian-10","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8824"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=8824"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8824\/revisions"}],"predecessor-version":[{"id":21820,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8824\/revisions\/21820"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/8828"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=8824"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=8824"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=8824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}