cfbs add install-aide
The AIDE (Advanced Intrusion Detection Environment) software enables integrity checking of installed software. It works by taking a snapshot of files, storing metadata about them (including hashes), and then comparing with the know values later, when you perform a “check”. When software / files change unexpectedly, this can indicate an attacker is making changes to the system (Intrusion Detection).
Recommendation: Install and use AIDE to detect changes to installed software, potentially from attackers. Run the check at least once per week, and set it up to alert you (via email) when there are changes.
Note: AIDE is a bit involved, and you have to make mulitple choices along the way, so this module only helps you with the first step - installing AIDE. Keep in mind that what AIDE does is quite extensive, it reads many files and performs a lot of logic, so it can be slow. The commands for initializing a database and performing a check can take several minutes. Because of this, performing a check every minute or every 5 minutes may be unrealistic.
In order to get started with AIDE, you essentially need to perform 4 steps:
sudo yum install aide / sudo apt install aidesudo aideinitsudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.dbsudo /usr/bin/aide.wrapper --config /etc/aide/aide.conf --checkBefore initializing the database (step 2), you should consider whether this machine is already in a good state - AIDE cannot detect any software that was changed before you initialized it. As the commands are quite slow, you should decide how often you want to run the check. Finally, you need to handle updates - after you upgrade packages on the system, AIDE will detect a lot of changes in those packages. Those changes are of course intentional, and not harmful, but you will have to update (or reinitialize) the database afterwards.
See appropriate man page for more information on AIDE.
This module has no dependencies