Overview

Advanced Intrusion Detection Environment (AIDE) is a secure open source file and directory integrity checker to help monitor select files that are recently changed or modified. AIDE uses predefined rules to check the integrity of files and directories in the Linux operating system. AIDE helps monitor those files that are recently changed or modified. This allows you to keep track of files or directories when someone tries to modify or change them. AIDE tracks file properties, such as inode, permissions, modification time, file contents, etc.

You can activate AIDE on the SBC using the System Admin "Intrusion Detection" configurable object. Once "Intrusion Detection" is enabled, AIDE runs daily, and starts again after a reboot.  

The following AIDE logs are stored in the/var/log/sonus/hids directory:

  • aide_init.log: Logs generated by AIDEINIT.
  • aide.log: Logs generated by aide.sh while surveilling.
  • configureAIDE.log: Logs generated by configureAIDE.py.

Potential file integrity issues are reported with the sonusSystemSecurityReportNotification trap. 

Use the System Admin object "Intrusion Detection" to enable/disable the intrusion detection system (AIDE) tool, plus add/delete tokens (case-sensitive) in the exceptions list (used to specify which tokens to not report in the sonusSystemSecurityReportNotification trap.

Tokens are file paths, for example:

  • /opt/sonus/sbx/tailf/confd.conf
  • /opt/sonus/cnxipm/conf
  • /opt/sonus/cnxipm/conf/pmTimeout.conf
  • /opt/sonus/cnxipm/conf/pmLog.conf
  • /opt/sonus/bin/np/swe/out_speech

Command Syntax

% set system admin <system name> intrusionDetection 
	exceptionList <token | list>
	intrusionDetectionState <disabled | enabled>
% delete system admin <system name> intrusionDetection <token | [leave empty to delete list]>

Command Parameters

ParameterLength/RangeDescriptionM/O

intrusionDetection

N/A

Use this object to enable the Advanced Intrusion Detection Environment (AIDE) tool on the SBC and specify the exception list sent to the sonusSystemSecurityReportNotification trap.

AIDE is a file and directory integrity checker that helps in keeping track of file properties, such as inode, permissions, modification time, file contents, etc.

O

intrusionDetectionState

N/A

Use this flag to enable/disable AIDE on the SBC. 

  • disabled (default) 
  • enabled – Once AIDE is enabled, the tool runs on a daily basis, and after every reboot.
O

exceptionList

0-1024 characters

Pattern: (((.)){0,1024})

Use this parameter to specify one or more tokens to exclude from the sonusSystemSecurityReportNotification trap report.

Options (entries are case-sensitive):

  • [ token1 token2 ] – Creates an exception list or overwrites existing list.
  • token3 – Appends a token to the existing list.
O


Configuration Examples


  • To create a new exception list:

    This deletes the existing exception list.

    CREATE list
    %  set system admin <SYSTEM NAME> intrusionDetection exceptionList [ token1 token2 ]

  • To append token3 to the exception list:

    APPEND token
    %  set system admin <SYSTEM NAME> intrusionDetection exceptionList token3

  • To delete one token (token1) from the exception list:

    DELETE token
    %  delete system admin <SYSTEM NAME> intrusionDetection exceptionList token1

  • To delete all tokens (the entire exception list):

    DELETE list
    %  delete system admin <SYSTEM NAME> intrusionDetection exceptionList [leave empty]