Introduction
Detecting a breach early is critical. AIDE (file-integrity checking) and RKHunter (rootkit detection) provide two complementary layers of host-based intrusion detection.
1. Install AIDE
sudo apt install aide. Initialize the database with sudo aideinit. On Debian/Ubuntu this writes the new baseline to /var/lib/aide/aide.db.new; make sure it ends up as /var/lib/aide/aide.db (copy it there if aideinit did not), otherwise aide --check has nothing to compare against.
2. Configure AIDE Rules
Edit /etc/aide/aide.conf (on Debian/Ubuntu also the snippets under /etc/aide/aide.conf.d/) to define what to monitor. Each rule pairs a path with a rule group defined earlier in aide.conf, e.g. /etc CONTENT_EX.
3. Schedule AIDE Scans
Cron job: 0 2 * * * aide --check | mail -s "AIDE Report" .... Because aide --check exits non-zero whenever it finds differences, the job can be written so that mail goes out only when there is something to report.
4. Handling Updates
After software updates, first review the aide --check report for changes the update does not explain, then run sudo aide --update to refresh the database. Like aideinit, this writes aide.db.new, which must replace aide.db; updating without reviewing first would bake an attacker's modifications into the new baseline.
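Steps 1 to 4 fit together as one small script. The following is an added example, not code from the original article or from the AIDE project: it decodes aide --check's exit status (a bitmask: 1 new, 2 removed, 4 changed files; 14 and above are AIDE errors), mails the report only when there is something to report, and moves aide.db.new into place only when an operator asks for it, keeping a timestamped copy of the old baseline. The paths are the Debian/Ubuntu defaults and can be overridden through the environment variables at the top.

```shell
#!/bin/sh
# Added example, not from the original article: a wrapper around AIDE's
# check/update cycle. Paths are the Debian/Ubuntu defaults (assumption);
# override them through the environment variables below if yours differ.
set -u

AIDE_BIN=${AIDE_BIN:-/usr/bin/aide}
AIDE_DB=${AIDE_DB:-/var/lib/aide/aide.db}
AIDE_DB_NEW=${AIDE_DB_NEW:-/var/lib/aide/aide.db.new}
AIDE_MAILTO=${AIDE_MAILTO:-root}

# aide --check exits 0 when nothing changed and otherwise returns a bitmask:
# 1 = new files, 2 = removed files, 4 = changed files. Values of 14 and
# above mean AIDE itself failed (bad config, I/O error, database version
# mismatch), which must be alerted on as well, not silently ignored.
aide_status_summary() {
    code=$1
    summary=""
    if [ "$code" -eq 0 ]; then
        summary="clean"
    elif [ "$code" -ge 14 ]; then
        summary="error"
    else
        [ $((code & 1)) -ne 0 ] && summary="${summary}added "
        [ $((code & 2)) -ne 0 ] && summary="${summary}removed "
        [ $((code & 4)) -ne 0 ] && summary="${summary}changed "
        summary=${summary% }
    fi
    echo "$summary"
}

# Step 3: run the check from cron and mail the report only when there is
# something to report, with the kind of change in the subject line.
aide_check_and_mail() {
    report=$("$AIDE_BIN" --check 2>&1)
    status=$?
    if [ "$status" -ne 0 ]; then
        printf '%s\n' "$report" |
            mail -s "AIDE: $(aide_status_summary "$status") on $(hostname)" "$AIDE_MAILTO"
    fi
    return "$status"
}

# Steps 1 and 4: aideinit and aide --update both write aide.db.new rather than
# touching the live database. Put it in place only after the report has been
# reviewed, keeping a timestamped copy of the old baseline for rollback.
aide_accept_new_db() {
    new=${1:-$AIDE_DB_NEW}
    db=${2:-$AIDE_DB}
    [ -f "$new" ] || { echo "no new database at $new" >&2; return 1; }
    if [ -f "$db" ]; then
        cp -p "$db" "$db.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    mv "$new" "$db"
}

case "${1:-}" in
    check)  aide_check_and_mail ;;
    accept) aide_accept_new_db ;;
esac
```

Install it as /usr/local/sbin/aide-check.sh and schedule it from /etc/cron.d (which needs the user field): 0 2 * * * root /usr/local/sbin/aide-check.sh check. After reviewing an update's report and running aide --update, run aide-check.sh accept to make the new database the baseline.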
5. Install RKHunter
sudo apt install rkhunter. Update its signatures: sudo rkhunter --update.
6. Run Initial Scan
sudo rkhunter --check --skip-keypress. Review the warnings (also recorded in /var/log/rkhunter.log); on a fresh install many of them are false positives.
7. Whitelist False Positives
Edit /etc/rkhunter.conf: add a SCRIPTWHITELIST entry for each legitimate script that has replaced a binary (rkhunter reports these as "replaced by a script"), or disable specific tests with DISABLE_TESTS.
8. Schedule RKHunter
Cron: 0 3 * * * rkhunter --check --cronjob --report-warnings-only. The --cronjob flag runs non-interactively (no colours, no keypress prompts), and --report-warnings-only keeps the output, and therefore the mail, empty on a clean run.
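Steps 6 to 8 as one script. This is an added example, not code from the original article or from the rkhunter project: it extracts the distinct warnings from a scan log, adds a SCRIPTWHITELIST entry only for files that really are scripts and only once, and provides the cron entry point. It assumes the Debian/Ubuntu paths and that rkhunter's log lines look like "[HH:MM:SS] Warning: ..."; the log excerpt used in testing is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: helpers around rkhunter's
# daily run. Assumptions: Debian/Ubuntu paths, and rkhunter log lines of the
# form "[HH:MM:SS] Warning: ..." (set RKH_LOG/RKH_CONF/RKH_BIN to override).
set -u

RKH_BIN=${RKH_BIN:-/usr/bin/rkhunter}
RKH_CONF=${RKH_CONF:-/etc/rkhunter.conf}
RKH_LOG=${RKH_LOG:-/var/log/rkhunter.log}
RKH_MAILTO=${RKH_MAILTO:-root}

# Step 6: list the distinct warnings from a scan log, so the daily review
# sees each finding once rather than the full transcript.
rkhunter_warnings() {
    log=${1:-$RKH_LOG}
    sed -n 's/^\[[0-9:]*\][[:space:]]*Warning:[[:space:]]*//p' "$log" | sort -u
}

# Step 7: whitelist a script that legitimately replaces a binary. Refuses
# files that are not scripts (no "#!" header) so a binary is never added by
# mistake, and is idempotent so it can be re-run from configuration management.
rkhunter_whitelist_script() {
    conf=$1
    path=$2
    [ -f "$path" ] || { echo "$path does not exist" >&2; return 1; }
    [ "$(head -c 2 "$path")" = "#!" ] || {
        echo "$path is not a script; investigate it before whitelisting anything" >&2
        return 1
    }
    grep -qx "SCRIPTWHITELIST=$path" "$conf" && return 0
    echo "SCRIPTWHITELIST=$path" >> "$conf"
}

# Step 8: the cron entry point. --cronjob runs without colours or keypress
# prompts; --report-warnings-only keeps stdout empty on a clean run, so mail
# goes out only when there is a warning or the scan itself failed.
rkhunter_cron_run() {
    "$RKH_BIN" --update >/dev/null 2>&1 || :   # a failed data refresh should not block the scan
    out=$("$RKH_BIN" --check --cronjob --report-warnings-only 2>&1)
    status=$?
    if [ "$status" -ne 0 ] || [ -n "$out" ]; then
        printf '%s\n' "$out" | mail -s "rkhunter warnings on $(hostname)" "$RKH_MAILTO"
    fi
    return "$status"
}

case "${1:-}" in
    cron)      rkhunter_cron_run ;;
    warnings)  rkhunter_warnings ;;
    whitelist) rkhunter_whitelist_script "$RKH_CONF" "${2:?path required}" ;;
esac
```

Schedule it from /etc/cron.d as 0 3 * * * root /usr/local/sbin/rkhunter-run.sh cron; after a scan, rkhunter-run.sh warnings prints the distinct findings to review, and rkhunter-run.sh whitelist /usr/bin/some-script records a confirmed false positive.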
9. Combine with Logwatch
Install logwatch to consolidate daily security alerts.
10. Investigate Changes
If AIDE reports unexpected file modifications, immediately check logs and consider compromise.
11. Off-site AIDE Database
Store a copy of the AIDE database (and ideally the aide binary and its config) on a separate management server, so that an intruder who gains root on the VPS cannot rewrite the baseline to hide their changes.
12. RKHunter Propupd
After package updates, run sudo rkhunter --propupd to refresh the file-properties database; otherwise every upgraded binary shows up as a changed-file warning. As with AIDE, do this only after confirming the changes came from the update.
13. OSSEC for Advanced HIDS
For multi-server environments, consider OSSEC or Wazuh.
14. Integrity Monitoring for Docker
Use Docker Bench Security and audit container images separately.
15. Performance Impact
AIDE and RKHunter scans take a few minutes; schedule during low traffic.
16. Alert Integration
Send AIDE/RKHunter alerts to Slack or PagerDuty via custom scripts.
17. Regular False-Positive Review
Review and tune exclusions monthly to keep alerts actionable.
18. Incident Response Preparation
Have a runbook ready for when AIDE or RKHunter triggers a real alert.
19. Combine with Auditd
For real-time file access monitoring, add auditd rules that watch the files you care about, including the AIDE and RKHunter configuration and databases themselves.
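An added example of such rules, not from the original article or from the audit project: a script that writes an auditctl rules file watching the AIDE and rkhunter configuration and database directories for writes and attribute changes, so tampering with the integrity tooling itself is logged as it happens. The paths are the Debian/Ubuntu defaults and the key names are my own choice.

```shell
#!/bin/sh
# Added example, not from the original article: write audit rules that watch
# the AIDE and rkhunter configuration and databases. Rule syntax is
# auditctl's (-w path, -p perms where w = write and a = attribute change,
# -k key); the paths are Debian/Ubuntu defaults and the keys are assumptions.
set -u

write_integrity_audit_rules() {
    out=${1:-/etc/audit/rules.d/integrity-tools.rules}
    cat > "$out" <<'EOF'
## Watch the integrity tooling itself; search later with: ausearch -k <key>
-w /etc/aide/aide.conf -p wa -k aide_config
-w /etc/aide/aide.conf.d/ -p wa -k aide_config
-w /var/lib/aide/ -p wa -k aide_db
-w /etc/rkhunter.conf -p wa -k rkhunter_config
-w /var/lib/rkhunter/ -p wa -k rkhunter_db
EOF
}

# Number of active rules in a file (comments and blank lines ignored); a cheap
# sanity check before loading the file into the kernel.
count_audit_rules() {
    grep -c '^-' "$1"
}

case "${1:-}" in
    install)
        write_integrity_audit_rules
        augenrules --load
        ;;
    search)
        ausearch -k "${2:?key required}"
        ;;
esac
```

Run it as audit-rules.sh install on the host; afterwards audit-rules.sh search aide_db shows every write to the AIDE database directory, which should coincide only with your own aideinit or aide --update runs.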
20. Centralized Logging
Send all security logs to a remote syslog server, so that an intruder on the VPS cannot delete or alter the evidence locally.
Conclusion
Install AIDE and RKHunter on every VPS. Tune them to minimise false positives, and review alerts daily.