AIDE for TufinOS 4

Overview

Advanced Intrusion Detection Environment (AIDE) is an open-source utility that creates a database of files on the system and uses that database to ensure file integrity and detect system intrusions.

This procedure describes configuring periodic checking of the file system integrity to detect changes. Periodic file checking allows the system administrator to determine if there are unauthorized changes to critical files.

AIDE is supported in TufinOS 4 from TufinOS 4.30.

Prerequisites

Before proceeding, log in as a root user with the root user environment variables. If you logged in as a regular user, you can become a root user, including the root user environment variables, by using the sudo su - command. If the sudo command is not configured, you can use the su - command.

Check AIDE Configuration

Run the commands below. If the output of one or more of these commands is not as expected, follow the steps in Configure and Schedule the AIDE Check.

  1. The expected output for this command is static:

    systemctl is-enabled aidecheck.service
  2. The expected output for this command is enabled:

    systemctl is-enabled aidecheck.timer
  3. The expected output for this command is active:

    systemctl is-active aidecheck.timer
  4. The expected output for this command is CONTENT_EX:

    grep "^[#]*/root[\t ]\+CONTENT_EX" /etc/aide.conf

Configure and Schedule the AIDE Check

Perform this procedure if the output of one or more of the commands in Check AIDE Configuration is not as expected.

  1. Disable the AIDE extended content (CONTENT_EX) check for the /root directory by commenting out its rule in /etc/aide.conf:

    sed -i 's/\(^\/root[/]*[\t ]\+CONTENT_EX[\t]*$\)/#\1/' /etc/aide.conf
  2. Verify that the AIDE configuration has been changed as expected:

    grep "^[#]*/root[\t ]\+CONTENT_EX" /etc/aide.conf

    This command should return the commented-out line containing CONTENT_EX.

  3. Remove existing AIDE databases:

    rm -f /var/lib/aide/aide.db*.gz
  4. Initialize the AIDE database. This process might take a while.

    aide --init

    The AIDE database is initialized.

  5. Rename the new AIDE database:

    mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  6. Create a service file /etc/systemd/system/aidecheck.service to run the AIDE check. Copy/paste the following content to the file:

    [Unit]
    Description=Aide Check

    [Service]
    Type=simple
    ExecStart=/usr/sbin/aide --check --config /etc/aide.conf
  7. Save the service file.

  8. Create a timer file /etc/systemd/system/aidecheck.timer to schedule the AIDE check. Copy/paste the following content to the file. If required, you can change the scheduled run time from 02:00 AM to a different value.

    [Unit]
    Description=Aide check every day at 02:00 AM

    [Timer]
    OnCalendar=*-*-* 02:00:00
    Unit=aidecheck.service

    [Install]
    WantedBy=multi-user.target
  9. Change permissions and ownership of the service and timer:

    chmod 0640 /etc/systemd/system/aidecheck.*
    chown root:root /etc/systemd/system/aidecheck.*
  10. Reload the systemd daemon:

    systemctl daemon-reload
  11. Verify that the files you created do not contain any errors:

    systemd-analyze verify /etc/systemd/system/aidecheck.*

    If the command returns no output, the files passed the verification successfully.

  12. Enable and start the AIDE check timer:

    systemctl --now enable aidecheck.timer
  13. Verify the AIDE check timer status:

    systemctl status aidecheck.timer

    The AIDE timer details appear in the output.

  14. Verify that the AIDE check timer is in the timers list:

    systemctl list-timers --all aidecheck.timer

Run the AIDE Check Manually

Start the AIDE service:

systemctl start aidecheck.service

Run the journalctl command:

journalctl -u aidecheck.service

If there are differences between the AIDE database and the file system, they will appear in the log results.

If there are no differences, the log message "AIDE found NO differences between database and filesystem. Looks okay!!" will appear.
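The following script is an added example, not part of the Tufin procedure: it reads the journalctl output of aidecheck.service, extracts the verdict line quoted above together with the AIDE summary counts and affected paths, and maps the result to an exit status that a monitoring job can alert on. It assumes the journal puts an "aide[PID]: " prefix in front of every AIDE line; the sample log is constructed.

```shell
#!/bin/sh
# Added example (not from the Tufin page): summarise an AIDE check report as
# captured by `journalctl -u aidecheck.service`. Exit status: 0 = no
# differences, 2 = differences found, 1 = no AIDE verdict line in the log.
# Assumes the journal prefix "... aide[PID]: " before every AIDE line.

# Constructed sample journal output (not captured from a real system).
SAMPLE_LOG='Jan 01 02:00:01 tufinos aide[1234]: AIDE found differences between database and filesystem!!
Jan 01 02:00:01 tufinos aide[1234]:   Total number of entries:  4321
Jan 01 02:00:01 tufinos aide[1234]:   Added entries:            1
Jan 01 02:00:01 tufinos aide[1234]:   Removed entries:          0
Jan 01 02:00:01 tufinos aide[1234]:   Changed entries:          2
Jan 01 02:00:01 tufinos aide[1234]: ---------------------------------------------------
Jan 01 02:00:01 tufinos aide[1234]: Added entries:
Jan 01 02:00:01 tufinos aide[1234]: f++++++++++++++++: /usr/local/bin/unexpected
Jan 01 02:00:01 tufinos aide[1234]: ---------------------------------------------------
Jan 01 02:00:01 tufinos aide[1234]: Changed entries:
Jan 01 02:00:01 tufinos aide[1234]: f   ...    .C... : /etc/passwd
Jan 01 02:00:01 tufinos aide[1234]: f   ...    .C... : /etc/aide.conf'

sample_log_file() { f=$(mktemp); printf '%s\n' "$SAMPLE_LOG" >"$f"; echo "$f"; }

# aide_verdict LOG: prints ok|diff|unknown; returns 0, 2 or 1 accordingly
aide_verdict() {
  if grep -q 'AIDE found NO differences between database and filesystem' "$1"; then
    echo ok; return 0
  elif grep -q 'AIDE found differences between database and filesystem' "$1"; then
    echo diff; return 2
  fi
  echo unknown; return 1
}

# aide_count LOG KIND: the number on the "KIND entries: N" summary line (Added|Removed|Changed)
aide_count() {
  sed -n "s/.*  $2 entries:[[:space:]]*\([0-9][0-9]*\)\$/\1/p" "$1" | head -n 1
}

# aide_paths LOG: paths from entry lines such as "f   ...    .C... : /etc/passwd"
aide_paths() {
  sed -n 's/.*aide\[[0-9]*\]: [a-z][^:]*: \(\/.*\)$/\1/p' "$1"
}

# aide_report LOG: one summary line plus affected paths; exit status from aide_verdict
aide_report() {
  verdict=$(aide_verdict "$1"); rc=$?
  echo "verdict=$verdict added=$(aide_count "$1" Added) removed=$(aide_count "$1" Removed) changed=$(aide_count "$1" Changed)"
  [ "$verdict" = diff ] && aide_paths "$1" | sed 's/^/  affected: /'
  return $rc
}

# Demo on the constructed sample; on a host use: journalctl -u aidecheck.service > /tmp/aide.log
aide_report "$(sample_log_file)"
```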