Exadata – Advanced Intrusion Detection Environment (AIDE)

A few days ago, we upgraded one Exadata environment to the 19c version. One of the new features introduced in this release of the Exadata software is AIDE (Advanced Intrusion Detection Environment), and it comes pre-configured. This feature is really awesome and caught my attention, because it tracks whether system files were modified and so helps the DMA (Database Machine Administrator) find issues and security breaches in their environments. AIDE runs a daily cron job that monitors whether files in specific directories have changed. If some files changed, it raises an alert and writes a log to /var/log/aide/aide.log.


From the Oracle documentation:

exadataAIDE Syntax

The utility is located at /opt/oracle.SupportTools/exadataAIDE.

exadataAIDE [-s|-status] [-e|enable] [-d|disable] [-u|-update] [-h|help]

Description of syntax options:
  • -s[tatus] : Print the current status of the AIDE daily cron job
  • -e[nable] : Enable the AIDE daily cron job
  • -d[isable] : Disable the AIDE daily cron job
  • -u[pdate] : Update the AIDE database metadata and run the daily scan
  • -h[elp] : Print the command syntax and help information

Examples:
  • Get the current status of the AIDE cron job:
    exadataAIDE -status
  • Disable the daily AIDE scan:
    exadataAIDE -disable
  • Enable the daily AIDE scan:
    exadataAIDE -enable
  • Update the AIDE database after making changes to the system:
    exadataAIDE -update
Let’s take a look at the “warning file” generated by AIDE:
 [root@myexa01 ~]# cat /var/log/aide/aide.log
 AIDE 0.15.1 found differences between database and filesystem!!
 Start timestamp: 2019-07-21 19:57:20
 Summary:
   Total number of files:        55788
   Added files:                  0
   Removed files:                0
   Changed files:                2
 
 Changed files:
 changed: /home/oracle/monitor/check_compliance
 changed: /home/oracle/monitor/check_oracle
 
 Detailed information about changes:
 File: /home/oracle/monitor/check_listener
  SHA256   : AnuG4ldrP0yB15r/3nOGN+nrnW18391+ , wqPj5hnOIl1HGK7f85/E+0tWGYvEKbH5
 File: /home/oracle/monitor/check_oracle
  SHA256   : t6zk+jufuBfia/YCNHS1WqJt/GPW8xSX , Xk3ZkzP/YpT2jbKvjORsRF3TfoCteY8Z 
After that alert, for our environment we need to add an exception for a specific directory at the end of the file:
[root@myexa01 ~]# vi /etc/aide.conf

#Add one Exception for monitoring directory
!/home/oracle/monitor/
Then we need to rebuild the AIDE database, which is located at /var/lib/aide/aide.db.gz:
[root@myexa01 ~]# /opt/oracle.SupportTools/exadataAIDE -u
 AIDE: database update request accepted.
Then we need to clean up the alerts that were raised. To do that we use the dbmcli utility:
[root@myexa01 ~]# dbmcli
 DBMCLI> LIST ALERTHISTORY
          1_1     2019-07-20T18:24:29+02:00       warning         "Advanced Intrusion Detection Environment (AIDE) detected potential changes to software on this system. The changes are in /var/log/aide/aide.log "
          1_2     2019-07-22T09:14:55+02:00       clear           "Advanced Intrusion Detection Environment (AIDE) violation has been cleared."
 
DBMCLI> drop alerthistory 1_1, 1_2
 Alert 1_1 successfully dropped
 Alert 1_2 successfully dropped
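A small helper for triaging a report like the one above before deciding on an exception. This is an added example written for this post, not part of Exadata or of the exadataAIDE tool. It parses the aide.log layout shown earlier (the Summary counts and the added/removed/changed path lines) and checks each reported path against the "!" exclusion rules of an aide.conf, so you can see which of the reported changes an exception such as !/home/oracle/monitor/ would silence and which would still be flagged. The log and the aide.conf fragment below are constructed sample data embedded inline (the /usr/local/bin/new_tool path is made up), so the script runs offline.

```sh
#!/bin/sh
# Added example for triaging an AIDE report; not part of Exadata or exadataAIDE.
# Parses the aide.log layout from the post and matches reported paths against
# the "!" exclusion rules of an aide.conf. All input is constructed sample data.

# Constructed aide.log, in the same layout as the real report above.
SAMPLE_LOG='AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2019-07-21 19:57:20
Summary:
  Total number of files:        55788
  Added files:                  1
  Removed files:                0
  Changed files:                2

Added files:
added: /usr/local/bin/new_tool

Changed files:
changed: /home/oracle/monitor/check_compliance
changed: /home/oracle/monitor/check_oracle
'

# Constructed aide.conf fragment: one monitored tree plus the exception from
# the post. AIDE rules are regexes anchored at the start of the path, and a
# leading "!" excludes whatever the regex matches.
SAMPLE_CONF='/bin    p+i+n+u+g+s+m+c+sha256
!/home/oracle/monitor/
'

# aide_count KIND LOG: the number on the Summary line "KIND files:", where
# KIND is Added, Removed or Changed. The later heading "Changed files:" that
# introduces the path list carries no trailing number and is skipped.
aide_count() {
    printf '%s\n' "$2" |
        awk -v key="$1 files:" 'index($0, key) && /[0-9]+$/ { print $NF; exit }'
}

# aide_paths LOG: every reported path as "<kind> <path>", where kind is
# added, removed or changed.
aide_paths() {
    printf '%s\n' "$1" |
        awk '/^(added|removed|changed): / { sub(":", "", $1); print $1, $2 }'
}

# aide_excluded PATH CONF: returns 0 when some "!" rule in CONF matches PATH,
# 1 otherwise. Each rule is applied as an extended regex anchored with "^",
# mirroring how AIDE anchors its rules.
aide_excluded() {
    ex_path=$1
    ex_conf=$2
    printf '%s\n' "$ex_conf" | grep '^!' | sed 's/^!//' | {
        while IFS= read -r rule; do
            if printf '%s\n' "$ex_path" | grep -Eq "^$rule"; then
                exit 0
            fi
        done
        exit 1
    }
}

# aide_unexcluded LOG CONF: the reported paths that no exclusion covers,
# i.e. the changes that still need to be explained after the exception.
aide_unexcluded() {
    aide_paths "$1" | while read -r kind path; do
        if ! aide_excluded "$path" "$2"; then
            printf '%s %s\n' "$kind" "$path"
        fi
    done
}

# Demo run on the constructed data.
echo "added=$(aide_count Added "$SAMPLE_LOG") removed=$(aide_count Removed "$SAMPLE_LOG") changed=$(aide_count Changed "$SAMPLE_LOG")"
echo "still flagged after applying the aide.conf exclusions:"
aide_unexcluded "$SAMPLE_LOG" "$SAMPLE_CONF"
```

On the sample data the two /home/oracle/monitor/ changes are covered by the exception, while the added /usr/local/bin/new_tool is not and would keep raising the alert. Because exadataAIDE -u re-baselines the database to the current filesystem, it is worth running a check like this and confirming that every remaining path is an expected change before updating, otherwise an unexpected modification becomes part of the trusted baseline.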
For more on this security framework on Exadata, please refer to:
https://docs.oracle.com/en/engineered-systems/exadata-database-machine/dbmsq/exadata-security-practices.html#GUID-74FF1D0C-59F2-4F02-B648-34048AC02C31

All the Best,
Rodrigo Mufalani


Disclaimer: “The postings on this site are my own and don’t necessarily represent my actual employer's positions, strategies or opinions. The information here was edited to be useful for general purposes; specific data and identifications were removed to reach a generic audience and to be useful.”