AIDE: Advanced Intrusion Detection Environment

With the release of Exadata system software 19.1.0, Oracle added a number of security improvements to Exadata. AIDE is one such new feature. It is enabled by default at installation time. The utility used to manage AIDE is called “exadataAIDE” and is installed under /opt/oracle.SupportTools.

What is the need?

Exadata is an engineered system purpose-built to run Oracle databases with critical, performance-intensive workloads. Once a system is promoted to production, changes such as modifications to the filesystem or software installations are usually uncommon, so any such modification is a potential sign of intrusion.

How does it work?

During installation of the Exadata system software, AIDE creates a database by taking a snapshot of the state of the system: for each file it records data such as the hash, the modification timestamp and so on. This database is then saved as the primary reference point. Which files or folders are audited and which are excluded is governed by the settings in the configuration file /etc/aide.conf.

A daily cron job takes another snapshot of the system and compares it with the previous snapshot. If any discrepancies are found, such as a newly created file or a changed hash value, AIDE logs the findings in /var/log/aide/aide.log and sends an e-mail alert to the DBAs.

The onus is then on the administrators to review the logs and decide whether the findings are legitimate and need to be actioned, or whether the changes were expected and can safely be ignored.

Sounds good but…

If all of that sounds good, what is the “but” about?

The scan definition in the AIDE configuration file is fairly extensive; however, you can end up with a lot of false-positive alerts from planned activities, for example when a monitoring agent is installed or when a backup agent creates log files each time a backup runs. With a lot of false positives, making sure a real threat or intrusion attempt is not ignored can become synonymous with finding a needle in a haystack.

Stop false positives

Fortunately, it is fairly easy to stop false-positive alerts so that real alerts and intrusion attempts are not ignored. All you need to ensure is that, for a planned activity, either AIDE is disabled beforehand and re-enabled after the activity is complete, or the AIDE database is updated once the alerts have been received and the planned activity is complete.

If you are getting false positives from legitimate log files and the like, make sure that /etc/aide.conf is updated with an exception for the folder or file in question and that the database is updated to take the change into account.

Command Reference

Log in to each Exadata database node as root and use the /opt/oracle.SupportTools/exadataAIDE utility.

Check AIDE status:
[root@exa01 ~]# /opt/oracle.SupportTools/exadataAIDE -s
AIDE: daily cron is currently enabled.

Disable AIDE:
[root@exa01 ~]# /opt/oracle.SupportTools/exadataAIDE -d
AIDE: daily cron is currently disabled.

Enable AIDE:
[root@exa01 ~]# /opt/oracle.SupportTools/exadataAIDE -e
AIDE: daily cron is currently enabled.

Add exception in AIDE configuration file:
[root@exa01 ~]# vi /etc/aide.conf

AIDE uses a first-match system, so it is important to put file-specific entries before generic matches. For example, if you wanted to exclude a file named warning.log under /opt/demo/agent/log/folder2 (and the whole /opt/demo/agent/log/folder1 folder) while still monitoring everything else under /opt/demo/agent, the settings would look like this:

!/opt/demo/agent/log/folder2/warning.log
!/opt/demo/agent/log/folder1
/opt/demo/agent
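The first-match behaviour is easy to get wrong, so here is a small Python model of it (an added example, not Exadata's or AIDE's own code; it treats each selection line as a path prefix and stops at the first match, whereas real AIDE selection lines are regular expressions with attribute rules, which this model ignores). It checks the three-line configuration above against the same lines in the wrong order:

```python
from typing import Iterable, List, Optional, Tuple

Rule = Tuple[bool, str]  # (is_exclusion, path_prefix)

def parse_rules(conf_text: str) -> List[Rule]:
    """Parse selection lines from aide.conf-style text, in file order.

    Lines starting with '!' are exclusions; blank lines and '#' comments are
    skipped. A trailing attribute group (e.g. '/etc R') is ignored by this model.
    """
    rules: List[Rule] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        is_exclusion = line.startswith("!")
        path = line.lstrip("!").split()[0]
        rules.append((is_exclusion, path.rstrip("/") or "/"))
    return rules

def _covers(prefix: str, path: str) -> bool:
    """True when path is the prefix itself or lies beneath it."""
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

def is_monitored(path: str, rules: Iterable[Rule]) -> Optional[bool]:
    """First matching rule wins: True = monitored, False = excluded,
    None = no rule covers the path at all (simplified model, see lead-in)."""
    for is_exclusion, prefix in rules:
        if _covers(prefix, path):
            return not is_exclusion
    return None

# Constructed sample: the ordering recommended above, specific lines first.
CORRECT_CONF = """
!/opt/demo/agent/log/folder2/warning.log
!/opt/demo/agent/log/folder1
/opt/demo/agent
"""

# Constructed counter-example: the generic line comes first, so the
# exceptions below it are never reached and warning.log stays monitored.
WRONG_CONF = """
/opt/demo/agent
!/opt/demo/agent/log/folder2/warning.log
!/opt/demo/agent/log/folder1
"""
```

Running is_monitored over a few sample paths with both configurations shows that only the first ordering actually suppresses the warning.log and folder1 alerts.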

Update AIDE database and suppress previous alerts:

Update AIDE database:
[root@exa01 ~]# /opt/oracle.SupportTools/exadataAIDE -u
AIDE: database update request accepted.

[root@exa01 ~]# dbmcli
DBMCLI: Release  - Production on Tue May 02 09:03:22 CDT 2021
DBMCLI> list alerthistory
DBMCLI> drop alerthistory 15_1, 15_2, 15_3, 15_4
Alert 15_1 successfully dropped
Alert 15_2 successfully dropped
Alert 15_3 successfully dropped
Alert 15_4 successfully dropped