AIDE is a file and directory integrity checker.
The FreeBSD port of security/aide does not provide a mechanism for periodically monitoring the integrity of the file system.
Here is one way to do it. The run-aide daily script sends a notification only if something has changed. Additionally, you can use the check_file_age2.pl Nagios plugin to verify that the AIDE database is not empty and that it's sufficiently recent.
Another version of a reporting script can be found in the following thread.
Install the software
# cd /usr/ports/ports-mgmt/portmaster
# make clean all install
# make clean
# rehash
# portmaster -d security/aide
# mkdir /var/db/aide/reports
# aide --config=/usr/local/etc/aide.conf --init
# mv /var/db/aide/databases/aide.db.new /var/db/aide/databases/aide.db
Create the daily verification script
# vi /var/db/aide/run-aide
------------------------------ cut here ------------------------------
#!/bin/csh -f
set FQDN=`hostname -f`
set MAILSUBJ="Daily AIDE report for $FQDN"
set path=(/sbin /usr/sbin /bin /usr/bin /usr/local/sbin /usr/local/bin)
date >& /var/db/aide/reports/aide.out
set date=`date +%Y%m%d-%H%M`
# Check the file system against the current database; keep a dated report.
aide --config=/usr/local/etc/aide.conf --check >& /var/db/aide/reports/report-$date
# Mail root only when the report does not contain the "all clear" line.
grep -q 'All files match AIDE database. Looks okay' /var/db/aide/reports/report-$date
if ($status) then
    cat /var/db/aide/reports/report-$date | /usr/bin/mailx -s "$MAILSUBJ" root
endif
# Rebuild the database so the next run compares against today's state.
date >>& /var/db/aide/reports/aide.out
aide --config=/usr/local/etc/aide.conf --init >>& /var/db/aide/reports/aide.out
date >>& /var/db/aide/reports/aide.out
mv /var/db/aide/databases/aide.db.new /var/db/aide/databases/aide.db >>& /var/db/aide/reports/aide.out
------------------------------ cut here ------------------------------
# chmod 755 /var/db/aide/run-aide
# vi /etc/daily.local
------------------------------ cut here ------------------------------
#!/bin/sh
/var/db/aide/run-aide 2>&1
------------------------------ cut here ------------------------------
# chmod 700 /etc/daily.local
Install NRPE
# portmaster -d net-mgmt/nrpe2
Install the check_file_age2.pl Nagios plugin
# fetch -o /usr/local/libexec/nagios/check_file_age2.pl http://vsen.dk/files/check_file_age2.pl
# chmod 755 /usr/local/libexec/nagios/check_file_age2.pl
# portmaster -d misc/rpl
# rehash
# rpl /usr/bin/perl /usr/local/bin/perl /usr/local/libexec/nagios/check_file_age2.pl
# rpl /usr/lib/nagios/plugins /usr/local/libexec/nagios /usr/local/libexec/nagios/check_file_age2.pl
Add the check_aide command to the nrpe configuration file
# vi /usr/local/etc/nrpe.cfg
-------------------------- cut here --------------------------
command[check_aide]=/usr/local/bin/sudo /usr/local/libexec/nagios/check_file_age2.pl -w 86400 -c 216000 -n 1 -f /var/db/aide/databases/aide.db
-------------------------- cut here --------------------------
Add nagios to sudoers
# visudo
------------------------------ cut here ------------------------------
nagios ALL=(ALL) NOPASSWD: /usr/local/libexec/nagios/check_file_age2.pl
------------------------------ cut here ------------------------------
Start nrpe
# sh /usr/local/etc/rc.d/nrpe2 restart
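The setup above makes two decisions: run-aide mails root only when the AIDE report lacks the "all clear" line, and the NRPE check flags a database that is empty or older than the -w/-c thresholds. The following is an added example, not code from the page, from AIDE or from the check_file_age2.pl plugin: both decisions written as POSIX sh functions that can be exercised on constructed files, with the age check mapped to the usual Nagios exit codes (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). The file names, the constructed report text and the function names are assumptions for the demo; the "all clear" string and the 86400/216000 thresholds are the ones the page uses.

```shell
#!/bin/sh
# Added example (not code from the page, AIDE or Nagios): the notification test
# from run-aide and a freshness/non-empty check of the kind the page delegates
# to check_file_age2.pl, as POSIX sh functions runnable on constructed files.

# Epoch mtime of a file: GNU stat form first, then the BSD form used on FreeBSD.
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# report_needs_mail REPORT
# True (0) when the report does not contain the "all clear" line that
# run-aide greps for, i.e. when the report should be mailed to root.
report_needs_mail() {
    if grep -q 'All files match AIDE database. Looks okay' "$1"; then
        return 1
    fi
    return 0
}

# db_age_status DB WARN_SECS CRIT_SECS [NOW_EPOCH]
# Prints a Nagios-style status line and returns 0 OK, 1 WARNING, 2 CRITICAL,
# 3 UNKNOWN. NOW_EPOCH defaults to the current time; passing it explicitly
# makes the thresholds testable without waiting.
db_age_status() {
    db=$1 warn=$2 crit=$3
    now=${4:-$(date +%s)}
    if [ ! -f "$db" ]; then
        echo "UNKNOWN - $db does not exist"
        return 3
    fi
    if [ ! -s "$db" ]; then
        echo "CRITICAL - $db is empty"
        return 2
    fi
    age=$(( now - $(file_mtime "$db") ))
    if [ "$age" -ge "$crit" ]; then
        echo "CRITICAL - $db is ${age}s old (limit ${crit}s)"
        return 2
    elif [ "$age" -ge "$warn" ]; then
        echo "WARNING - $db is ${age}s old (limit ${warn}s)"
        return 1
    fi
    echo "OK - $db is ${age}s old"
    return 0
}

# Demo on constructed inputs (run as: sh thisfile demo).
demo() {
    d=$(mktemp -d)
    printf 'All files match AIDE database. Looks okay!!\n' > "$d/clean"
    printf 'AIDE found differences between database and filesystem!!\n' > "$d/changed"
    for r in clean changed; do
        if report_needs_mail "$d/$r"; then echo "$r: mail root"; else echo "$r: quiet"; fi
    done
    printf 'constructed database contents\n' > "$d/aide.db"
    : > "$d/empty.db"
    m=$(file_mtime "$d/aide.db")
    db_age_status "$d/aide.db" 86400 216000 || true                    # OK
    db_age_status "$d/aide.db" 86400 216000 "$(( m + 100000 ))" || true  # WARNING
    db_age_status "$d/aide.db" 86400 216000 "$(( m + 300000 ))" || true  # CRITICAL
    db_age_status "$d/empty.db" 86400 216000 || true                   # CRITICAL
    rm -r "$d"
}
if [ "${1-}" = demo ]; then demo; fi
```

One point worth keeping in mind when reading the report mails: because run-aide re-initialises the database after every check, a reported change becomes part of the next day's baseline, so the dated files under /var/db/aide/reports are the only lasting record of what differed.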