How to install and use AIDE (Advanced Intrusion Detection Environment) in CentOS 8

In anticipation of the start of the Linux Administrator course, we have prepared a translation of some interesting material.




AIDE stands for "Advanced Intrusion Detection Environment" and is one of the most popular file integrity monitors for Linux-based systems. It does not block anything; it detects changes after the fact. AIDE records the attributes and hashes of selected files in a database and later compares the current state of the system with that baseline, so that malware, rootkits and unauthorized changes show up as added, removed or modified entries. This shortens incident investigation by pointing straight at the files that changed.

AIDE features:

  • Support for various file attributes, including file type, inode, uid, gid, permissions, number of links, size, mtime, ctime and atime.
  • Support for gzip-compressed databases, SELinux contexts, extended attributes (xattrs), POSIX ACLs and ext2/3/4 file system attributes.
  • Support for various hash algorithms, including md5, sha1, sha256, sha512, rmd160, tiger and crc32 (prefer sha256 or sha512; md5, sha1 and crc32 no longer resist an attacker who crafts a replacement file with the same checksum).
  • Reports written to stdout, a file or syslog, which cron can deliver by email.

In this article, we will look at how to install and use AIDE to detect intrusions in CentOS 8.

Prerequisites


  • A server running CentOS 8 with at least 2 GB of RAM.
  • root access

Getting started


We recommend that you upgrade your system first. To do this, run the following command.

dnf update -y

After the upgrade, restart the system for the changes to take effect.

Install AIDE


AIDE is available in the default CentOS 8 repository. You can easily install it by running the following command:

dnf install aide -y

After installation is complete, you can view the AIDE version using the following command:

aide --version

You should see the following:

Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

The available aide options can be listed as follows:

aide --help



Creating and initializing a database


The first thing you need to do after installing AIDE is to initialize it. Initialization creates a database (a snapshot) of the attributes and hashes of every file and directory selected by the rules in /etc/aide.conf.

To initialize the database, run the following command:

aide --init

You should see the following:

Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==


End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)

The above command writes a new database, aide.db.new.gz, to the directory /var/lib/aide. You can see it with the following command:

ls -l /var/lib/aide

Result:

total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz

AIDE will not use this new database until it is renamed to aide.db.gz: the stock configuration reads from database=file:@@{DBDIR}/aide.db.gz and writes to database_out=file:@@{DBDIR}/aide.db.new.gz, so a run never overwrites the baseline it compares against. Move the new database into place:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

The baseline is only as trustworthy as the system it was taken from. Initialize it on a freshly installed, fully patched host before it is exposed to untrusted traffic, and keep a copy of the database (together with the hashes that aide --init prints) somewhere the host cannot rewrite, because an attacker with root can simply re-initialize the database to hide changes. Refresh the database after each deliberate change (patching, deployments), not on a blind schedule, so that the baseline always describes a state you have reviewed.

The database location can be changed through the DBDIR parameter (@@define DBDIR) in /etc/aide.conf.

Run check


AIDE is now ready to use the new database. Run the first AIDE check without making any changes:

aide --check

The execution of this command will take some time depending on the size of your file system and the amount of RAM on your server. After the check is complete, you should see the following:

Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

The above output says that all files and directories correspond to the AIDE database.

Testing AIDE


By default, AIDE does not track the Apache document root /var/www/html. Let's configure AIDE to watch it. To do this, edit /etc/aide.conf:

nano /etc/aide.conf

Add the following line above the line /root/ CONTENT_EX:

/var/www/html/ CONTENT_EX
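As an added example of the rule syntax (not part of the original article), here is a fuller set of lines for a web root, using the groups defined in the stock CentOS 8 aide.conf. The uploads and cache directories are assumptions; adjust them to the real layout.

```conf
# Whole document root: content hash plus type, ownership, permissions, link count,
# ACLs, SELinux context and xattrs. In the stock configuration
# CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs
/var/www/html/ CONTENT_EX

# Directories that change during normal operation would flood every report with noise.
# A leading ! excludes a path and everything below it (assumed directories):
!/var/www/html/uploads/
!/var/www/html/cache/

# Selection lines are regular expressions matched from the start of the path, so
# !/var/www/html/cache on its own would also silence /var/www/html/cache-old and
# /var/www/html/cache.php. The trailing / above limits the exclusion to that directory.
```

Every path you exclude is a place an intruder can drop files unnoticed, so keep the exclusion list short and review it together with the report.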

Next, create a file aide.txt in the directory /var/www/html/ using the following command:

echo "Test AIDE" > /var/www/html/aide.txt

Now run the AIDE check and make sure that the created file is detected.

aide --check

You should see the following:

Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The summary line shows the added file aide.txt: the leading f marks a regular file, and every following + marks an attribute that exists in the file system but not in the database. After reviewing the reported changes and confirming they are legitimate, update the AIDE database:

aide --update

--update performs the same comparison as --check and additionally writes a new database. You will see the following:

Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The above command writes the new database, aide.db.new.gz, to the directory /var/lib/aide/, leaving the current aide.db.gz untouched.

You can see it with the following command:

ls -l /var/lib/aide/

Result:

total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz

Now rename the new database again so that AIDE uses the new database to track further changes. Rename as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run the check again to verify that AIDE is using the new database:

aide --check

You should see the following:

Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Automate verification


It is good practice to run an AIDE check every day and have the report mailed to you. cron can do this.

nano /etc/crontab

To start the AIDE check every day at 10:15, add the line at the end of the file:

15 10 * * * root /usr/sbin/aide --check

cron mails the command's output to the root account (provided a local mail transfer agent is installed), so the report lands in root's mailbox. You can read it with the following command:

tail -f /var/mail/root

AIDE also appends each report to its log file (report_url=file:@@{LOGDIR}/aide.log in the stock configuration), which can be followed with:

tail -f /var/log/aide/aide.log
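The cron line above runs aide --check and relies on cron to mail whatever it prints. The following wrapper is an added example, not part of AIDE or of the original article. It first checks that aide.db.gz still matches a checksum recorded when the database was last reviewed (the advice from the initialization section, since a root-level intruder can re-initialize or edit the baseline), then runs the check and decodes AIDE's exit status, which per aide(1) is a bit mask (1 new files, 2 removed, 4 changed, 14 and above errors) rather than a plain pass/fail. The script name, the AIDE_DB_SUM path and the wrapper's own exit code 20 are assumptions for the example.

```shell
#!/bin/sh
# aide-run.sh: an added wrapper (not part of AIDE or the original article).
# Assumes the CentOS 8 default database path; AIDE_DB_SUM is an assumed location
# for an out-of-band copy of the database checksum (ideally read-only or off-host).

AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db.gz}"
AIDE_DB_SUM="${AIDE_DB_SUM:-/root/aide.db.gz.sha256}"

# SHA-256 of a file as a bare hex string (coreutils sha256sum, or shasum fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Record the checksum of the database you have just reviewed and moved into place.
# Run this once after every accepted aide --init / aide --update.
record_db_sum() {
    sha256_of "$1" > "$2"
}

# Succeed only if the database on disk still matches the recorded checksum.
# Returns 2 when no checksum has been recorded yet.
verify_db_sum() {
    [ -r "$2" ] || return 2
    [ "$(cat "$2")" = "$(sha256_of "$1")" ]
}

# Turn the exit status of aide --check into words. Per aide(1) the status is a
# bit mask: 1 = new files, 2 = removed files, 4 = changed files (summed when
# several apply); 14 and above are configuration, I/O or version errors.
decode_aide_status() {
    rc="$1"
    if [ "$rc" -eq 0 ]; then
        echo "clean"
    elif [ "$rc" -ge 14 ]; then
        echo "error($rc)"
    elif [ "$rc" -gt 7 ]; then
        echo "unknown($rc)"
    else
        out=""
        [ $((rc & 1)) -ne 0 ] && out="${out}${out:+ }added"
        [ $((rc & 2)) -ne 0 ] && out="${out}${out:+ }removed"
        [ $((rc & 4)) -ne 0 ] && out="${out}${out:+ }changed"
        echo "$out"
    fi
}

# Refuse to run against a database that no longer matches what was recorded:
# a changed baseline is itself a finding, and an unrecorded one cannot be trusted.
run_check() {
    if ! verify_db_sum "$AIDE_DB" "$AIDE_DB_SUM"; then
        echo "aide-run: $AIDE_DB does not match the checksum in $AIDE_DB_SUM" >&2
        return 20  # wrapper-specific code, chosen to stay clear of aide's own
    fi
    rc=0
    aide --check || rc=$?
    echo "aide --check finished: $(decode_aide_status "$rc")"
    return "$rc"
}

case "${1:-}" in
    record) record_db_sum "$AIDE_DB" "$AIDE_DB_SUM" ;;
    check)  run_check ;;
esac
```

Call it with record right after moving a reviewed database into place, and point the cron entry at /usr/local/sbin/aide-run.sh check (assumed install path) instead of the bare aide --check. The default checksum location under /root is only a placeholder: store the file on read-only media or on another system, otherwise root on the monitored host can rewrite it along with the database. The exit status is passed through, so a cron job or a monitoring agent can alert on anything other than 0.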

Conclusion


In this article, you learned how to use AIDE to detect file changes and spot unauthorized activity on the server. For additional settings, you can modify the configuration file /etc/aide.conf. Keep in mind that an intruder with root can alter the database, the configuration and the aide binary itself, so it is recommended that you store the database and configuration file on read-only media and compare the database against a copy kept off the host. For more information, see the AIDE documentation.
