
Is there any point in installing Aide on a long-installed machine? Or is it only trustworthy if installed immediately after a fresh install or run from a thumb drive?

Background:

A non-techy friend has a laptop that I help him stay in business with. It was originally installed with 14.04 LTS and upgraded to 16.04 LTS. He has only a user password, no root password, nor is he in the sudo group. I've told him many times not to click unknown attachments, but I know that once in a while he still tries to open stuff, e.g. video attachments, from friends who may have been hacked, have viruses, etc.

Lately the laptop has been "getting slow" and I don't see a good reason in terms of the fairly basic things I know how to check (disk is not full, it is not swapping, top shows 2-5 items at various times, each using < 2-5%, etc). Maybe I should check more of this basic stuff first but I'm feeling a little paranoid that it is hacked or rootkitted.

I used to use Tripwire on all my servers so I am familiar with how that builds a database and then monitors changes compared to that. If the laptop's files are already hacked, and Aide works the same way, then this is not helpful. But if Aide has some secure way to check against the repository versions of binaries then I suppose it could tell me if I'm safe without requiring a fresh install.

Obviously a fresh install would be the most certain way to be safe, but he is 400 km away and on slooow satellite internet so fresh install takes a ton of effort.

  • The issue with Linux is that malware can hide itself perfectly against any tool if it hooks into the kernel. In theory, it could even be done in such a way that digital signature enforcement (or hash enforcement) would be inaccurate. Malware on Linux usually tends to be game over, especially if it gets root or kernel access. Before going down the malware route, check installed services, htop, memory allocation, SMART state (drive could just be slowing down), syslogs, drive utilization, etc. – Kaz Wolfe Jul 18 '17 at 20:12
  • Okay, good tips, thanks. I'm leaning towards suspecting Thunderbird pre-made-reply plugins, although they do not show as hogging CPU in top. I will try disabling these next time I can access his laptop and see if that helps. Meanwhile I'm still curious for future usage whether Aide compares against the repo or against one's own files. – Martin Moops Jul 21 '17 at 17:02

1 Answer


Aide compares against your own files.

From man aide (http://manpages.ubuntu.com/manpages/trusty/man1/aide.1.html) and the Aide manual (http://www.cs.tut.fi/~rammer/aide/manual.html):

"--init, -i Initialize the database. You must initialize a database and move it to the appropriate place before you can use the --check command."

and

"Typically, a system administrator will create an AIDE database on a new system before it is brought onto the network. This first AIDE database is a snapshot of the system in it's normal state and the yardstick by which all subsequent updates and changes will be measured."
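To make the init/check model concrete, here is a small Python sketch of the same idea (an added illustration, not AIDE's own code or database format): `init_db` plays the role of `aide --init`, `check` the role of `aide --check`, and the constructed `demo()` shows both the detection you get when the baseline predates a change and the blind spot you get when the baseline is built after it, which is exactly the concern in the question.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Attributes recorded per file; AIDE records more, this is a subset."""
    st = path.lstat()
    digest = None
    if stat.S_ISREG(st.st_mode):  # hash regular files only, not symlinks/devices
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"sha256": digest, "mode": oct(st.st_mode),
            "size": st.st_size, "uid": st.st_uid}


def init_db(root: Path) -> dict:
    """Like `aide --init`: snapshot every non-directory under root as the baseline."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if not p.is_dir()}


def check(root: Path, db: dict) -> dict:
    """Like `aide --check`: report what differs from the stored baseline."""
    now = init_db(root)
    return {"added": sorted(set(now) - set(db)),
            "removed": sorted(set(db) - set(now)),
            "changed": sorted(k for k in db.keys() & now.keys() if db[k] != now[k])}


def demo() -> tuple:
    """Constructed mini filesystem: baseline before vs. after a modification."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        db = init_db(root)                      # baseline taken on the clean tree
        clean = check(root, db)                 # nothing has changed yet
        # Constructed change: one "binary" rewritten and one unexpected file added.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\n# altered\nexec /bin/ls \"$@\"\n")
        (root / "bin" / ".hidden").write_bytes(b"\x00")
        detected = check(root, db)              # baseline predates the change: flagged
        late_db = init_db(root)                 # baseline taken only now
        blind = check(root, late_db)            # the change is part of the baseline
        return clean, detected, blind
```

Note that the baseline is only as trustworthy as the system it was built on and the place it is stored; AIDE's manual recommends building it before the machine goes on the network and keeping the database where the host cannot rewrite it.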