Build and Test AIDE Database
Description
Run the following command to generate a new database:
By default, the database will be written to the file /var/lib/aide/aide.db.new.
Storing the database, the configuration file /etc/aide.conf, and the binary /usr/bin/aide.wrapper (or hashes of these files) in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
To initiate a manual check, run the following command:
$ sudo /usr/bin/aide.wrapper --check
If this check produces any unexpected output, investigate.
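As an added example that is not part of this rule's own remediation content, the following POSIX shell script pins SHA-256 hashes of the database, configuration file and wrapper binary named above, refuses to run a check when the pinned hashes no longer match, and decodes the exit status of aide --check (bit 1 new files, bit 2 removed files, bit 4 changed files, 14 and above an AIDE error, as documented in the aide manual). The pin-file location /media/readonly/aide.sha256 is an assumption; the other paths are the ones given in the description.

```shell
#!/bin/sh
# Added example: pin and verify AIDE artefacts, then interpret a check result.
AIDE_DB=/var/lib/aide/aide.db
AIDE_CONF=/etc/aide.conf
AIDE_BIN=/usr/bin/aide.wrapper
AIDE_PIN_FILE=/media/readonly/aide.sha256   # assumed: kept on read-only media

# Record SHA-256 hashes of the given files. Run once after installing a
# freshly built database, then move the pin file to read-only media.
pin_aide_files() {
  sha256sum "$@" > "$AIDE_PIN_FILE"
}

# Recompute the hashes and compare with the pinned ones; non-zero on mismatch.
verify_aide_pins() {
  sha256sum -c --quiet "$AIDE_PIN_FILE"
}

# Translate an aide exit status into words.
# Returns 0 for no changes, 1 when differences were reported, 2 on an AIDE error.
describe_aide_status() {
  rc=$1
  if [ "$rc" -eq 0 ]; then echo "no changes"; return 0; fi
  if [ "$rc" -ge 14 ]; then echo "aide error (exit $rc)"; return 2; fi
  out=""
  [ $((rc & 1)) -ne 0 ] && out="${out}new "
  [ $((rc & 2)) -ne 0 ] && out="${out}removed "
  [ $((rc & 4)) -ne 0 ] && out="${out}changed "
  echo "${out% } files detected"
  return 1
}

# Only trust a check when the database, config and binary are still the pinned ones.
run_aide_check() {
  verify_aide_pins || {
    echo "pinned hashes differ for $AIDE_DB, $AIDE_CONF or $AIDE_BIN; not running check" >&2
    return 2
  }
  rc=0
  sudo "$AIDE_BIN" --check || rc=$?
  describe_aide_status "$rc"
}
```

Initial pinning is done with: pin_aide_files "$AIDE_DB" "$AIDE_CONF" "$AIDE_BIN", after which run_aide_check can be scheduled in place of the bare --check invocation.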
Rationale
For AIDE to be effective, an initial database of "known-good" information about files must be captured, and it must be possible to verify the installed files against it.
Shell script
The following script can be run on the host to remediate the issue.
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

    DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"

    AIDE_CONFIG=/etc/aide/aide.conf
    DEFAULT_DB_PATH=/var/lib/aide/aide.db

    # Fix db path in the config file, if necessary
    if ! grep -q '^database=file:' ${AIDE_CONFIG}; then
        # replace_or_append gets confused by 'database=file' as a key, so should not be used.
        #replace_or_append "${AIDE_CONFIG}" '^database=file' "${DEFAULT_DB_PATH}" '@CCENUM@' '%s:%s'
        echo "database=file:${DEFAULT_DB_PATH}" >> ${AIDE_CONFIG}
    fi

    # Fix db out path in the config file, if necessary
    if ! grep -q '^database_out=file:' ${AIDE_CONFIG}; then
        echo "database_out=file:${DEFAULT_DB_PATH}.new" >> ${AIDE_CONFIG}
    fi

    /usr/sbin/aideinit -y -f

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Ensure AIDE is installed
  package:
    name: '{{ item }}'
    state: present
  with_items:
    - aide
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.10.1.3
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_build_database
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Build and Test AIDE Database
  command: /usr/sbin/aideinit -y -f
  changed_when: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.10.1.3
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_build_database
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Check whether the stock AIDE Database exists
  stat:
    path: /var/lib/aide/aide.db.new.gz
  register: aide_database_stat
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.10.1.3
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_build_database
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Stage AIDE Database
  copy:
    src: /var/lib/aide/aide.db.new
    dest: /var/lib/aide/aide.db
    backup: true
    remote_src: true
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists)
  tags:
    - CJIS-5.10.1.3
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_build_database
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy