AIDE is a file and directory integrity checker.

The FreeBSD port of security/aide does not provide a mechanism for periodically monitoring the integrity of the file system.

Here is one way to do it. The run-aide daily script will send a notification only if something has changed. Additionally, you can use the check_file_age2.pl Nagios plugin to verify that the AIDE database is not empty and that it’s sufficiently recent.

Another version of a reporting script can be found in the following thread.

Install the software

# cd /usr/ports/ports-mgmt/portmaster
# make clean all install
# make clean
# rehash
# portmaster -d security/aide
# mkdir /var/db/aide/reports
# aide --config=/usr/local/etc/aide.conf --init
# mv /var/db/aide/databases/aide.db.new /var/db/aide/databases/aide.db

Create the daily verification script

# vi /var/db/aide/run-aide
------------------------------ cut here ------------------------------
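#!/bin/csh -f
#
# run-aide: daily AIDE integrity check for the FreeBSD security/aide port.
#
# Runs "aide --check" against the current baseline, mails the full report to
# root when the check did not come back clean, then rebuilds the baseline so
# that the next run only reports changes made since this one.
#
# Caveat: because the baseline is refreshed after every run, each change is
# reported exactly once and is then accepted as the new normal.  The dated
# report files under /var/db/aide/reports are therefore the only lasting
# record of what changed; retain them (or copy them off the host) rather than
# relying on the mail alone.
#
# Outputs: /var/db/aide/reports/report-YYYYMMDD-HHMM  (result of --check)
#          /var/db/aide/reports/aide.out               (timestamps, --init and mv output)

set FQDN=`hostname -f`
set MAILSUBJ="Daily AIDE report for $FQDN"

# Explicit search path: the periodic(8) environment is minimal.
set path=(/sbin /usr/sbin /bin /usr/bin /usr/local/sbin /usr/local/bin)

set AIDECONF=/usr/local/etc/aide.conf
set REPORTS=/var/db/aide/reports
set DBDIR=/var/db/aide/databases

# Start a fresh log for this run and name today's report.
date >& $REPORTS/aide.out
set stamp=`date +%Y%m%d-%H%M`
set REPORT=$REPORTS/report-$stamp

aide --config=$AIDECONF --check >& $REPORT

# Mail the report only when aide did not declare the tree unchanged.
grep -q 'All files match AIDE database. Looks okay' $REPORT
if ($status) then
  /usr/bin/mailx -s "$MAILSUBJ" root < $REPORT
endif

# Rebuild the baseline.  Only promote aide.db.new when --init exited 0, so a
# failed or interrupted rebuild cannot replace a good database with a
# partial one.
date >>& $REPORTS/aide.out
aide --config=$AIDECONF --init >>& $REPORTS/aide.out
set rc=$status
if ($rc == 0) then
  date >>& $REPORTS/aide.out
  mv $DBDIR/aide.db.new $DBDIR/aide.db >>& $REPORTS/aide.out
else
  echo "aide --init exited with status $rc; baseline left unchanged" >>& $REPORTS/aide.out
endif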
------------------------------ cut here ------------------------------

# chmod 755 /var/db/aide/run-aide

# vi /etc/daily.local
------------------------------ cut here ------------------------------
#!/bin/sh
# /etc/daily.local is executed by periodic(8) as part of the daily run.
# It hands off to the AIDE wrapper script; stderr is folded into stdout so
# that any diagnostics end up in the daily periodic output rather than
# being lost.

/var/db/aide/run-aide 2>&1
------------------------------ cut here ------------------------------

# chmod 700 /etc/daily.local

Install NRPE

# portmaster -d net-mgmt/nrpe2

Install the check_file_age2.pl Nagios plugin. Note that the script is fetched over plain HTTP and, per the sudoers entry below, will be run as root, so review its contents before installing it.

# fetch -o /usr/local/libexec/nagios/check_file_age2.pl http://vsen.dk/files/check_file_age2.pl
# chmod 755 /usr/local/libexec/nagios/check_file_age2.pl
# portmaster -d misc/rpl
# rehash
# rpl /usr/bin/perl /usr/local/bin/perl /usr/local/libexec/nagios/check_file_age2.pl
# rpl /usr/lib/nagios/plugins /usr/local/libexec/nagios /usr/local/libexec/nagios/check_file_age2.pl

Add the check_aide command to the nrpe configuration file

# vi /usr/local/etc/nrpe.cfg
-------------------------- cut here --------------------------
command[check_aide]=/usr/local/bin/sudo /usr/local/libexec/nagios/check_file_age2.pl -w 86400 -c 216000 -n 1 -f /var/db/aide/databases/aide.db
-------------------------- cut here --------------------------

Allow the nagios user to run the plugin as root without a password via sudoers

# visudo
------------------------------ cut here ------------------------------
nagios ALL=(ALL) NOPASSWD: /usr/local/libexec/nagios/check_file_age2.pl
------------------------------ cut here ------------------------------

Start nrpe

# sh /usr/local/etc/rc.d/nrpe2 restart