Advanced Intrusion Detection Environment (AIDE) is an open-source utility designed to monitor and protect the integrity of files on a Linux system. AIDE creates a database of file attributes and uses it to perform regular checks for changes, additions, or deletions in system files, alerting you to potential security breaches. When properly used AIDE helps to protect the system internally, by providing a layer of protection against viruses, rootkits, malware, and detection of unauthorized activities.
Why Use AIDE?
- Detect Unauthorized Changes: AIDE can identify unauthorized changes to critical system files, helping you catch intrusion attempts promptly.
- File Integrity Monitoring: It offers continuous file integrity monitoring, making it ideal for ensuring the stability and security of your server.
- Customizable Rules: AIDE allows you to define specific rules for monitoring, tailoring its functionality to your unique server environment.
- Alerts and Reports: It generates detailed reports and alerts when changes are detected, making it easier to respond to security incidents.
Install AIDE
AIDE is readily available in all the operating system software repositories.
# yum install aide
Initilize AIDE
Check if the AIDE database is created and initialized using:
# aide --check
You might end up with the below error, its because the AIDE database has not been created and initialized.
[root@delme ~]# aide --check
Couldn't open file /var/lib/aide/aide.db.gz for reading
Create and Initialize AIDE Database using:
# aide --init
Initializing the AIDE database will take some time as its building a database with entries of the files in the server for integrity checks.
As you can see from the logs, the new AIDE DB has been created at ‘/var/lib/aide/aide.db.new.gz’.
[root@delme ~]# aide --init
Start timestamp: 2023-10-17 17:19:48 +0000 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz
Running the AIDE check now will again error out because the AIDE is still not in the location AIDE needs it to be.
[root@delme ~]# aide --check
Couldn't open file /var/lib/aide/aide.db.gz for reading
We need to rename the AIDE created in the initialization step as follows:
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Running an AIDE check should complete successfully.
[root@delme ~]# aide --check
Start timestamp: 2023-10-18 09:34:17 +0000 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 152841
Added entries: 0
Removed entries: 0
Changed entries: 2
---------------------------------------------------
Changed entries:
---------------------------------------------------
f ... .C... : /root/dead.letter
f C : /var/spool/anacron/cron.daily
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /root/dead.letter
SHA512 : jdMY+0A4RF8MDhMhdE1GvbQbxo695cYf | Q9XC53FBoeyLpzXe7bcUvEex0C/EwNZq
KoS4la95t3np7LxoeMmH943uDFipAq8d | v1BNdB8ZlDwIgMTemCoUSeOWtz1CowZ3
Q3VgvcerraMGjo6TVP1FHg== | G/nTFnnCNr9ihxO/NGeTtg==
File: /var/spool/anacron/cron.daily
SHA512 : MAp+To9ckjKmE7nZl5/J5M9EXxsgks8O | BsPYbhD/SXkrAdJ4Z4V6ng7BhrFJmqeZ
wv/5ABt5bMMxWkrjOci3mQhRKfOoNV/h | IJ87kg0X3xVlJYrXV9MR7+0BJ90/0wg2
eQBfHpitQxsAY2867cU2FQ== | TI+f0QyA7lChmEYPer2QxQ==
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz
MD5 : fkL+BqnpQdU/i6i3Y3kYqg==
SHA1 : soqet8oNzHlY9RyDvmHxkqqHY50=
RMD160 : yIFtCdBrYrt8XY0YipYaMMLP6N0=
TIGER : Cbz88BLcGNlurtyIUeizs8KOjof0vc97
SHA256 : mZK5eTK5nHYDxp/Q7bpCjBtZXa8o8jTx
INo+S3qXTVE=
SHA512 : ASgbZO1egNtthUi4TkMqDuQFpKwUr7bh
SHkdcSscF6rN2p0EKqdd27qmjDf3cr7X
nCuHDXZrTfYwPSy46KGfdQ==
End timestamp: 2023-10-18 09:34:49 +0000 (run time: 0m 32s)
[root@delme ~]#
As you can see AIDE has detected 2 changes in the system since the DB is initialized/updated. Review those changes and make sure everything is fine.
Once verified, you should update the AIDE DB to include the known changes using the --update command option.
However, if there are changes in the filesystem, which is usually the case when you update the DB, AIDE will create a new DB as follows. You need to back up the old and rename the newly generated one to be the main db.
[root@delme ~]# aide --update
Start timestamp: 2023-10-18 09:44:02 +0000 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz
Summary:
Total number of entries: 152841
Added entries: 0
Removed entries: 0
Changed entries: 2
Rename the AIDE Db to include newly modified/added files:
# mv /var/lib/aide/aide.db.gz /var/lib/aide/aide.db.$(date +%d%m%y%H%M).gz
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Running a check again should give you a clean summary provided there are no further changes in the system.
AIDE configuration
AIDE’s configuration
file is /etc/aide.conf file.
You can customize the rules for file monitoring based on your needs. For
example, you can add or exclude specific directories or files from monitoring.
The AIDE confirmation file contains the directives that defines the database location, where the new database be created when running an update, default rules, files and directories to be included in the database for monitoring and so on.
The following are the default rules, that can be applied to the files and directories to be added to the DB.
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
You can create custom rules of your choice using the above default rules.
There are few custom rules already in the configuration file as follows.
# NORMAL = R+sha512
NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
# Access control only
PERMS = p+u+g+acl+selinux+xattrs
# Logfile are special, in that they often change
LOG = p+u+g+n+S+acl+selinux+xattrs
# Content + file type.
CONTENT = sha512+ftype
# Extended content + file type + access.
CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512
You may define rules to watch files and directories. The configuration file contains several default rules that does a job of monitoring files, but you are free to tweak.
An example rule set:
Check everything for all files under the /root directory with the exception of checking for permissions only for the hidden files under /root.
/root/\..* PERMS
/root CONTENT_EX
Use the following to help you detect any changes in data inside all files/directory under /etc/.
/etc/ DATAONLY
You may specify to ignore files and directories using “!” as follows:
# Files under there directores are too volatile, hence do not include in the AIDE database
!/usr/src
!/usr/tmp
Some thoughts on setting up the AIDE rules
There are currently thirteen attributes that AIDE can log including permissions, owner, group, size, all three timestamps (atime, ctime, and mtime), plus lower-level stuff like inode, block count and number of links .
You need to review the rules in the AIDE configuration file and set proper regular expression matching the files you need to monitor is key to effective use of AIDE. If you are monitoring too many file and directories you might end up with extremely long logs to go through. On the other hand a narrow set of rules could risk missing an important change on your system.
Run System Integrity Checks Frequently
AT the very minimum AIDE should be configured to run every week or ideally everyday. You could setup a cornjob as follows.
0 0 * * * /usr/sbin/aide --check
No comments:
Post a Comment