Exadata – Advanced Intrusion Detection Environment (AIDE)
A few days ago we upgraded one Exadata environment to the 19c version. One of the new features introduced with this release of the Exadata software is AIDE (Advanced Intrusion Detection Environment), and it comes pre-configured. This feature is really useful and caught my attention, because it tracks whether system files have been modified and so helps the DMA (Database Machine Administrator) find issues and security breaches in their environments. AIDE runs as a daily crontab job and compares the files in specific directories against a baseline database of their attributes and checksums. If any file has changed, it raises an alert and writes a report to /var/log/aide/aide.log.
From the Oracle documentation:
exadataAIDE Syntax
The utility is located at /opt/oracle.SupportTools/exadataAIDE
Description of syntax options:
-s[tatus]  : Print the current status of the AIDE daily cron job
-e[nable]  : Enable the AIDE daily cron job
-d[isable] : Disable the AIDE daily cron job
-u[pdate]  : Update the AIDE database metadata and run the daily scan
-h[elp]    : Print the command syntax and help information
Get the current status of the AIDE cron job:
exadataAIDE --status
Disable the daily AIDE scan:
exadataAIDE --disable
Enable the daily AIDE scan:
exadataAIDE --enable
Update the AIDE database after making changes to the system:
exadataAIDE --update
Let's take a look at the "warning file" generated by AIDE:
[root@myexa01 ~]# cat /var/log/aide/aide.log
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2019-07-21 19:57:20

Summary:
  Total number of files:  55788
  Added files:            0
  Removed files:          0
  Changed files:          2

Changed files:
changed: /home/oracle/monitor/check_compliance
changed: /home/oracle/monitor/check_oracle

Detailed information about changes:
File: /home/oracle/monitor/check_listener
  SHA256 : AnuG4ldrP0yB15r/3nOGN+nrnW18391+ , wqPj5hnOIl1HGK7f85/E+0tWGYvEKbH5
File: /home/oracle/monitor/check_oracle
  SHA256 : t6zk+jufuBfia/YCNHS1WqJt/GPW8xSX , Xk3ZkzP/YpT2jbKvjORsRF3TfoCteY8Z
After that alert, for our environment we added an exception for that specific directory at the end of the file. Keep in mind that a "!" rule tells AIDE to ignore every path matching it, so changes under that directory will never be reported again: only exclude paths whose changes you deliberately do not want tracked, and for a one-off legitimate change prefer to just re-baseline with exadataAIDE -u instead.
[root@myexa01 ~]# vi /etc/aide.conf
# Add one exception for the monitoring directory
!/home/oracle/monitor/
Then we need to rebuild the AIDE database, which is stored at /var/lib/aide/aide.db.gz:
[root@myexa01 ~]# /opt/oracle.SupportTools/exadataAIDE -u
AIDE: database update request accepted.
Then we need to clear the alerts that were raised. To clean them up we use the dbmcli utility:
[root@myexa01 ~]# dbmcli
DBMCLI> LIST ALERTHISTORY
         1_1     2019-07-20T18:24:29+02:00  warning  "Advanced Intrusion Detection Environment (AIDE) detected potential changes to software on this system. The changes are in /var/log/aide/aide.log "
         1_2     2019-07-22T09:14:55+02:00  clear    "Advanced Intrusion Detection Environment (AIDE) violation has been cleared."
DBMCLI> drop alerthistory 1_1, 1_2
Alert 1_1 successfully dropped
Alert 1_2 successfully dropped
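Reading the report by eye is fine for two files, but when a scan flags dozens of paths it helps to separate the changes you expect (your own scripts under a directory such as /home/oracle/monitor/) from everything else before deciding whether to exclude a path or simply re-baseline with exadataAIDE -u. The script below is an added example written for this post; it is not part of the original post and not an Oracle or AIDE tool. It parses a constructed aide.log sample that mirrors the report format shown above, and the "expected" path prefix, the added /usr/local/bin/helper and the changed /usr/bin/sudo in the sample are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post, not an Oracle tool): triage an
# AIDE report of the kind written to /var/log/aide/aide.log. The sample log
# below is constructed to mirror that format; the "expected" prefix and the
# paths in it are assumptions for the demonstration.

SAMPLE_LOG='AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2019-07-21 19:57:20

Summary:
  Total number of files:  55788
  Added files:            1
  Removed files:          0
  Changed files:          2

---------------------------------------------------
Added files:
---------------------------------------------------

added: /usr/local/bin/helper

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /home/oracle/monitor/check_compliance
changed: /usr/bin/sudo
'

# Print the Summary counters as "added removed changed". Only lines whose
# third field is a number match, so the section headers of the same name
# ("Added files:" with no count) are ignored.
aide_counts() {
    printf '%s\n' "$1" | awk '
        $1 == "Added"   && $2 == "files:" && $3 ~ /^[0-9]+$/ { a = $3 }
        $1 == "Removed" && $2 == "files:" && $3 ~ /^[0-9]+$/ { r = $3 }
        $1 == "Changed" && $2 == "files:" && $3 ~ /^[0-9]+$/ { c = $3 }
        END { print a + 0, r + 0, c + 0 }'
}

# Print one "kind path" line per reported file (kind: added|removed|changed).
# The path is everything after "kind: ", so file names with spaces survive.
aide_entries() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(added|removed|changed):$/ {
            print substr($1, 1, length($1) - 1), substr($0, index($0, ": ") + 2)
        }'
}

# Classify every reported path: under the expected prefix it is "expected",
# anything else is "INVESTIGATE". Returns status 1 when something needs
# investigation, so a wrapper can refuse to run "exadataAIDE -u" blindly.
aide_triage() {
    expected_prefix=${2:?usage: aide_triage LOG_TEXT EXPECTED_PREFIX}
    aide_entries "$1" | {
        n=0
        while read -r kind path; do
            case "$path" in
                "$expected_prefix"*) printf 'expected    %-8s %s\n' "$kind" "$path" ;;
                *)                    printf 'INVESTIGATE %-8s %s\n' "$kind" "$path"
                                      n=$((n + 1)) ;;
            esac
        done
        [ "$n" -eq 0 ]
    }
}

# Stand-alone run on the constructed sample. On a real system pass
# "$(cat /var/log/aide/aide.log)" instead of "$SAMPLE_LOG".
aide_counts "$SAMPLE_LOG"
aide_triage "$SAMPLE_LOG" /home/oracle/monitor/ ||
    echo "Unexpected changes found: review them before running exadataAIDE -u"
```

The expected prefix is deliberately a plain string prefix rather than a regex, so a typo cannot silently widen it the way an over-broad "!" rule in /etc/aide.conf would; anything flagged INVESTIGATE should be checked (for example against the RPM that owns the file) before the baseline is updated.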
To learn more about this security framework on Exadata, please refer to:
https://docs.oracle.com/en/engineered-systems/exadata-database-machine/dbmsq/exadata-security-practices.html#GUID-74FF1D0C-59F2-4F02-B648-34048AC02C31
All the Best,
Rodrigo Mufalani
Disclaimer: "The postings on this site are my own and don't necessarily represent my actual employer's positions, strategies or opinions. The information here was edited to be useful for general purposes; specific data and identifiers were removed to reach a generic audience and to be useful."