Cleaning Up the AIDE Database

Over time, you'll notice that AIDE check reports become longer and longer. This is usually the result of normal activity on the server, such as adding and deleting users, updating software, and changing settings in configuration files. You should regularly update the AIDE database not only to shorten reports but also to better track when unexpected changes occur. If you don't regularly update the AIDE database, you might miss a change that resulted from an attack.

You may be asking, "How often should I update the AIDE database?" The answer depends largely on your needs and your security policy. When you first start to use AIDE, I expect that you should be updating the database at least for the first few runs (again, depending on your security policy) and, more important, refining the configuration file. You'll find that certain files change so often that you need to either exclude them entirely or change the types of checks that occur on those files.

It is much better to change the types of checks than to simply skip the files altogether. Some file attributes that AIDE can check will not change often or at all for the same file. Attributes such as inode and Ctime shouldn't change. Therefore, if you notice certain files that keep showing up in the AIDE report and you've ruled out nefarious activity, you should change the type of check that occurs on that file within the AIDE configuration file.

A file that regularly changes on some systems is the Samba password file, /etc/samba/smbpasswd. On such systems, the file regularly shows up in the report where everything in the /etc/ directory is examined using the R check (refer to Table 12.1 for a refresher). A more appropriate check type for this file might include things that don't change often such as inode and Ctime. Such a check would appear like this in the AIDE configuration file:

 /etc/samba/smbpasswd$ c+i 

Note the use of the $ at the end of the filename in the example to indicate the end of line.

As the AIDE report runs, you'll be able to use more granularity to refine the files that are checked and the checks themselves. After you update the AIDE configuration file, you'll need to update the database so that the changes take effect. This process is accomplished by running this command:

 /usr/local/bin/aide --update 

After the update is complete, you'll have a new database file, /usr/local/etc/aide.db.new by default. This file should be moved to overwrite the existing database:

 mv /usr/local/etc/aide.db.new /usr/local/etc/aide.db 

Now running aide --check will give a clean result:

 AIDE, version 0.10 ### All files match AIDE database. Looks okay! 

After you update the database, you should copy the file to secure media or to another computer to ensure the integrity of the database.

With the AIDE configuration file and database updated and AIDE scheduled to run nightly, you now have an infrastructure in place to verify the integrity of your filesystem. From here you can read on to find out about more advanced configurations for AIDE, or you can jump ahead to the next part of the chapter to find out about the rootkit checking tool called Chkrootkit.