Build and Test AIDE Database

Classification:

compliance

Description

Run the following command to generate a new database:

$ sudo aideinit

By default, the database will be written to the file /var/lib/aide/aide.db.new.

Storing the database, the configuration file /etc/aide.conf, and the binary /usr/bin/aide.wrapper (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:

$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

To initiate a manual check, run the following command:

$ sudo /usr/bin/aide.wrapper --check

If this check produces any unexpected output, investigate.
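The description above recommends keeping hashes of the database, the configuration file and the wrapper binary in a secure location. The following script is an added example (not part of this rule or of the AIDE project) that records SHA-256 hashes of those three files into a reference file that can be copied to read-only media, and later verifies the live copies against it before an AIDE check is trusted. The file list and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: record and verify SHA-256 hashes of the AIDE trust anchors.
# Default file set taken from the rule description; pass explicit paths
# to record_hashes to override it.
AIDE_REF_FILES="/var/lib/aide/aide.db /etc/aide.conf /usr/bin/aide.wrapper"

# record_hashes REF_FILE [FILE...]
# Writes one "sha256  path" line per FILE into REF_FILE (created/truncated).
record_hashes() {
    ref="$1"; shift
    [ $# -gt 0 ] || set -- $AIDE_REF_FILES
    : > "$ref" || return 1
    for f in "$@"; do
        sha256sum "$f" >> "$ref" || return 1
    done
}

# verify_hashes REF_FILE
# Recomputes every hash listed in REF_FILE. Returns 0 only if every listed
# file still exists and matches; each problem is reported on stderr.
verify_hashes() {
    ref="$1"
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING:  $path" >&2; status=1; continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH: $path" >&2; status=1
        fi
    done < "$ref"
    return $status
}

# Usage (as root), with the reference file kept on read-only media:
#   record_hashes /mnt/ro/aide.sha256
#   verify_hashes /mnt/ro/aide.sha256 && /usr/bin/aide.wrapper --check
```

Because the reference file is consulted before `aide.wrapper --check` runs, a tampered database or binary is caught rather than silently reporting a clean system.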

Rationale

For AIDE to be effective, an initial database of "known-good" information about files must be captured, and it must be possible to verify the installed files against that database.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

DEBIAN_FRONTEND=noninteractive apt-get install -y "aide"

AIDE_CONFIG=/etc/aide/aide.conf
DEFAULT_DB_PATH=/var/lib/aide/aide.db

# Fix db path in the config file, if necessary
if ! grep -q '^database=file:' ${AIDE_CONFIG}; then
    # replace_or_append gets confused by 'database=file' as a key, so should not be used.
    #replace_or_append "${AIDE_CONFIG}" '^database=file' "${DEFAULT_DB_PATH}" '@CCENUM@' '%s:%s'
    echo "database=file:${DEFAULT_DB_PATH}" >> ${AIDE_CONFIG}
fi

# Fix db out path in the config file, if necessary
if ! grep -q '^database_out=file:' ${AIDE_CONFIG}; then
    echo "database_out=file:${DEFAULT_DB_PATH}.new" >> ${AIDE_CONFIG}
fi

/usr/sbin/aideinit -y -f

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure AIDE is installed
  package:
    name: '{{ item }}'
    state: present
  with_items:
    - aide
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.10.1.3
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_build_database
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Build and Test AIDE Database
  command: /usr/sbin/aideinit -y -f
  changed_when: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.10.1.3
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_build_database
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Check whether the stock AIDE Database exists
  stat:
    path: /var/lib/aide/aide.db.new.gz
  register: aide_database_stat
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CJIS-5.10.1.3
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_build_database
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Stage AIDE Database
  copy:
    src: /var/lib/aide/aide.db.new
    dest: /var/lib/aide/aide.db
    backup: true
    remote_src: true
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists)
  tags:
    - CJIS-5.10.1.3
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-11.5
    - PCI-DSSv4-11.5.2
    - aide_build_database
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy