How to Install and Configure AIDE on Ubuntu Linux



Synopsis

AIDE, also known as Advanced Intrusion Detection Environment, is an open source host-based file and directory integrity checker. It is a replacement for the well-known Tripwire integrity checker and can be used to monitor a filesystem for unauthorized changes. It is very useful when someone places a backdoor on your web site and makes changes that may take your system down completely. AIDE creates a database from your filesystem and stores various file attributes such as permissions, inode number, user, group, file size, mtime, ctime, atime, growing size, number of links and link name. When someone makes changes in the filesystem, AIDE compares the database against the real state of the system and reports the differences to you. AIDE supports many distributions such as Debian, Ubuntu, Gentoo, FreeBSD, Red Hat, openSUSE, CentOS and Fedora.

In this tutorial, we will go through step-by-step instructions on how to install and use AIDE on Ubuntu.

System Requirements

  • Newly deployed Ubuntu 16.04 server.
  • A static IP address 192.168.1.10 is configured on your server.

Update the System

Before starting, it is recommended to update your system to the latest stable packages with the following commands:

apt-get update -y
apt-get upgrade -y

Once your system is updated, restart it and log in as the root user.

Install AIDE

By default, Aide is available in the Ubuntu 16.04 repository. You can install it by running the following command:

apt-get install aide -y

Once Aide is installed, you can verify the version of Aide with the following command:

aide -v

You should see the following output:

Aide 0.16a2-19-g16ed855

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
WITH_AUDIT
CONFIG_FILE = "/dev/null"

Configure Aide

Aide has its configuration file located inside the /etc/aide directory and its database located inside the /var/lib/aide/ directory. First, you will need to create a database on a new server before it is set up for the production environment.

You can create a new database using the aideinit command as below:

aideinit

You should see the following output:

Running aide --init...
AIDE 0.16a2-19-g16ed855 initialized AIDE database at /var/lib/aide/aide.db.new
Start timestamp: 2017-06-15 20:32:27 +0530
Verbose level: 6

Number of entries:	113609

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new
  RMD160   : X2BM4AC5y+tz4+mP1XjJQnuDTfk=
  TIGER    : gxn1Y0Gr4cSbgr9QrfVijH/OgYRUKsQD
  SHA256   : 632IMHGHl/oVWno061cTCBbf6toTnot7
             xd57VuhUA7o=
  SHA512   : r/Iim34893tRd5AkSvbf0IeBvu4ephrU
             W3cV2Snbdz7QdTQ2mThzJ/h1QuvZ5zxg
             52n8Q4nobU/UZa81TJP3xA==
  CRC32    : hHiUxQ==
  HAVAL    : FCwWSKr07Wv5afjCZPGsEOri6zyjmr+J
             blByLIOF++I=
  GOST     : 9me+tSjSZHHMCrlm5z9n1Lovkh16vB42
             0jtNLKxqfxo=


End timestamp: 2017-06-15 20:45:12 +0530 (run time: 12m 45s)

The above command generates a new database at /var/lib/aide/aide.db.new.
Next, install the newly generated database with the following command:

cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Next, you will need to build a new Aide config file. You can do this with the following command:

update-aide.conf

Next, copy the newly generated config file to the /etc/aide directory:

cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf

Test Aide

Once everything is configured properly, let's test whether Aide is functioning or not.

First, create a directory and some files with the following commands:

mkdir /root/aide-test
touch /root/aide-test/test1
touch /root/aide-test/test2

Now, run an Aide check to detect the new files and directory with the following command:

aide -c /etc/aide/aide.conf --check

You should see the changes detected by the Aide check in the following output:

AIDE 0.16a2-19-g16ed855 found differences between database and filesystem!!
Start timestamp: 2017-06-15 21:04:32 +0530
Verbose level: 6

Summary:
  Total number of entries:	113613
  Added entries:		4
  Removed entries:		0
  Changed entries:		8

---------------------------------------------------
Added entries:
---------------------------------------------------

d++++++++++++++++: /root/aide-test
f++++++++++++++++: /root/aide-test/test1
f++++++++++++++++: /root/aide-test/test2
f++++++++++++++++: /var/lib/aide/aide.db

You can verify the newly created files from the above Aide check report. It is recommended to update the Aide database so that they are not reported again on the next AIDE check. Also, you must keep a backup of the old Aide database and rename the updated database on a daily basis to keep track of changes.
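The check-then-update routine described above, written out as a small daily wrapper. This is an added example, not part of the tutorial or of the AIDE project: it parses the Summary block of an AIDE report, keeps a dated copy of the old database before promoting aide.db.new, and refuses to accept a new baseline until an operator has reviewed the report. The archive directory, report path and AIDE_ACCEPT variable are assumptions; the database paths and the aide.db.new output of aide --update follow the Debian/Ubuntu defaults used in the tutorial.

```shell
#!/bin/sh
# Added example, not from the tutorial: a daily AIDE wrapper that archives the
# old baseline before accepting a new one. Archive/report paths are assumptions.
# Constructed sample of the Summary block printed by "aide --check" above.
SAMPLE_REPORT='Summary:
  Added entries:    4
  Removed entries:  0
  Changed entries:  8'

# Read an AIDE report on stdin and print "added removed changed".
# Exit 0 when nothing differs, 1 when something does, 2 if no summary found.
aide_summary_counts() {
    awk '
        /^ *Added entries:[ \t]+[0-9]+$/   { a = $NF; found = 1 }
        /^ *Removed entries:[ \t]+[0-9]+$/ { r = $NF; found = 1 }
        /^ *Changed entries:[ \t]+[0-9]+$/ { c = $NF; found = 1 }
        END {
            if (!found) { print "no Summary block in report" > "/dev/stderr"; exit 2 }
            printf "%d %d %d\n", a, r, c; exit (a + r + c > 0)
        }'
}

# Keep a dated copy of the current aide.db, then promote aide.db.new
# (written by aideinit or "aide --update") to aide.db.
rotate_aide_db() {
    db_dir=${AIDE_DB_DIR:-/var/lib/aide}
    archive=${ARCHIVE_DIR:-$db_dir/archive}   # assumed location
    [ -f "$db_dir/aide.db.new" ] || { echo "no aide.db.new to install" >&2; return 1; }
    mkdir -p "$archive"
    [ -f "$db_dir/aide.db" ] && cp -p "$db_dir/aide.db" "$archive/aide.db.$(date +%Y%m%d-%H%M%S)"
    mv "$db_dir/aide.db.new" "$db_dir/aide.db"
}

# Daily job: --update checks and writes aide.db.new in one pass; promote it
# only after an operator has reviewed the report (AIDE_ACCEPT=1).
daily_aide() {
    conf=${AIDE_CONF:-/etc/aide/aide.conf}
    report=${AIDE_REPORT:-/var/log/aide/aide-$(date +%Y%m%d).log}   # assumed path
    mkdir -p "$(dirname "$report")"
    aide -c "$conf" --update > "$report" 2>&1 || true   # non-zero just means differences
    counts=$(aide_summary_counts < "$report") && rc=0 || rc=$?
    case $rc in
        0) echo "no changes ($counts); baseline kept" ;;
        1) if [ "${AIDE_ACCEPT:-0}" = 1 ]; then rotate_aide_db; else
               echo "changes ($counts): review $report, rerun with AIDE_ACCEPT=1" >&2; return 1; fi ;;
        *) echo "no summary in $report; aide failed?" >&2; return 2 ;;
    esac
}
if [ "${1:-}" = run ]; then daily_aide; fi
```

Run it as root from a daily cron job with the argument run; on a clean day it keeps the existing baseline, and on a day with differences it leaves the report for review instead of silently accepting the new state.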
