Profile Applicability:
Level 1

Description:
 AIDE is a host-based intrusion detection system that verifies filesystem integrity by comparing the current state of files against a known baseline. Installing AIDE is essential for monitoring unauthorized changes to system files.

Rationale:
 Having AIDE installed allows continuous monitoring of filesystem integrity, helping detect unauthorized modifications or tampering early.

Impact:
 Pros:

  • Provides automated integrity checks for system files.

  • Enhances security monitoring and incident detection.

 Cons:

  • Requires configuration and maintenance.

  • May consume system resources during scans.

Default Value:
 AIDE may not be installed by default on many Linux distributions.

Pre-requisites:

  • Root or sudo privileges to install software packages.

Remediation:

Test Plan:

Using Linux command line:

  1. Check if AIDE is installed:

RPM-based systems:

rpm -q aide

Debian-based systems:

dpkg -l | grep aide

  2. Confirm the AIDE package is present.

Implementation Plan:

Using Linux command line:

  1. Install AIDE if not present:

RPM-based:

yum install aide -y

Debian-based:

apt install aide -y

  2. Initialize the AIDE database and move the newly generated database into place as the active baseline:

aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

  3. Configure regular AIDE checks via cron or systemd timers.
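The test plan and implementation plan above, collected into one audit/remediation script. This is an added example, not part of the benchmark or of AIDE itself; it assumes an RPM-based (rpm/yum) or Debian-based (dpkg/apt-get) host, the database paths given above, and an assumed /etc/cron.d/aide-check entry as the scheduled check. It uses dpkg-query rather than "dpkg -l | grep aide" so that a package that merely mentions "aide" in its description cannot produce a false PASS.

```shell
#!/usr/bin/env bash
# Added example, not from the benchmark: audit and remediate "AIDE is installed".
# Assumes rpm/yum or dpkg/apt-get; database paths as in the implementation plan.
AIDE_DB_NEW=/var/lib/aide/aide.db.new.gz
AIDE_DB=/var/lib/aide/aide.db.gz

# Print which package manager this host uses: rpm, dpkg or unknown.
detect_pkg_mgr() {
  if command -v rpm >/dev/null 2>&1; then echo rpm
  elif command -v dpkg-query >/dev/null 2>&1; then echo dpkg
  else echo unknown; fi
}

# True only for a fully installed dpkg status ("install ok installed");
# "deinstall ok config-files" or "install ok half-installed" are not a pass.
dpkg_status_installed() {
  case "$1" in *" installed") return 0 ;; *) return 1 ;; esac
}

# 0 if the package is installed, 1 if not, 2 if undeterminable. dpkg-query is
# used rather than "dpkg -l | grep" so a package that merely mentions "aide"
# in its description cannot produce a false PASS.
pkg_installed() {
  case "$(detect_pkg_mgr)" in
    rpm)  rpm -q "$1" >/dev/null 2>&1 ;;
    dpkg) dpkg_status_installed "$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null)" ;;
    *)    return 2 ;;
  esac
}

# Test plan: report PASS/FAIL for the aide package.
audit_aide() {
  if pkg_installed aide; then echo "PASS: aide installed"; return 0; fi
  echo "FAIL: aide not installed"; return 1
}

# Implementation plan: install, build the baseline, schedule a daily check.
remediate_aide() {
  case "$(detect_pkg_mgr)" in
    rpm)  yum install -y aide ;;
    dpkg) apt-get install -y aide ;;
    *)    echo "unsupported package manager" >&2; return 2 ;;
  esac
  aide --init && mv "$AIDE_DB_NEW" "$AIDE_DB"
  # Daily check at 05:00 as root. cron's PATH may lack /usr/sbin, so the
  # resolved binary path is written into the (assumed) /etc/cron.d entry.
  printf '0 5 * * * root %s --check\n' "$(command -v aide)" > /etc/cron.d/aide-check
  chmod 644 /etc/cron.d/aide-check
}
case "${1:-}" in audit) audit_aide ;; remediate) remediate_aide ;; esac
```

Run as root with "audit" to get the PASS/FAIL verdict, or "remediate" to install AIDE, build the baseline and schedule the daily check.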

Backout Plan:

Using Linux command line:

  1. Remove or disable AIDE if necessary:

    yum remove aide
    # or
    apt remove aide

  2. Clean up related configuration files if needed.

References:

  • CIS Amazon Linux 2 Benchmark v3.0.0

  • AIDE Official Documentation