Last updated at Thu, 10 Aug 2023 21:48:55 GMT

Synopsis

Aide, also known as Advanced Intrusion Detection Environment, is an open source host-based file and directory integrity checker. It is a replacement for the well-known Tripwire integrity checker and can be used to monitor a filesystem for unauthorized changes. It is very useful when someone places a backdoor on your web site and makes changes that may take your system down completely. Aide creates a database from your filesystem and stores various file attributes such as permissions, inode number, user, group, file size, mtime, ctime, atime, growing size, number of links and link name. When someone makes changes to the filesystem, Aide compares the database against the real state of the system and reports the differences to you. AIDE supports many distributions such as Debian, Ubuntu, Gentoo, FreeBSD, Red Hat, OpenSUSE, CentOS and Fedora.

In this tutorial, we will go through step-by-step instructions on how to install and use AIDE on Ubuntu.

System Requirements

  • Newly deployed Ubuntu 16.04 server.
  • A static IP address 192.168.1.10 is configured on your server.

Update the System

Before starting, it is recommended to update your system to the latest stable packages with the following commands:

apt-get update -y
apt-get upgrade -y

Once your system is updated, restart it and log in as the root user.

Install AIDE

By default, Aide is available in the Ubuntu 16.04 repository. You can install it by running the following command:

apt-get install aide -y

Once Aide is installed, you can verify the Aide version with the following command:

aide -v

You should see the following output:

 Aide 0.16a2-19-g16ed855
 
 Compiled with the following options: 
 WITH_MMAP 
 WITH_POSIX_ACL 
 WITH_SELINUX 
 WITH_XATTR 
 WITH_E2FSATTRS 
 WITH_LSTAT64 
 WITH_READDIR64 
 WITH_ZLIB 
 WITH_MHASH 
 WITH_AUDIT 
 CONFIG_FILE = "/dev/null"

Configure Aide

Aide's configuration file is located in the /etc/aide directory and its database in the /var/lib/aide/ directory. First, you will need to create a database on a new server before it is set up for the production environment.

You can create a new database using the aideinit command as below:

aideinit

You should see the following output:

 Running aide --init... 
 AIDE 0.16a2-19-g16ed855 initialized AIDE database at /var/lib/aide/aide.db.new 
 Start timestamp: 2017-06-15 20:32:27 +0530 
 Verbose level: 6
 
 Number of entries: 113609
 
 ---------------------------------------------------
 
 The attributes of the (uncompressed) database(s):
 
 ---------------------------------------------------
 
 /var/lib/aide/aide.db.new 
     RMD160 : X2BM4AC5y+tz4+mP1XjJQnuDTfk= 
     TIGER : gxn1Y0Gr4cSbgr9QrfVijH/OgYRUKsQD 
     SHA256 : 632IMHGHl/oVWno061cTCBbf6toTnot7 
         xd57VuhUA7o= 
     SHA512 : r/Iim34893tRd5AkSvbf0IeBvu4ephrU 
         W3cV2Snbdz7QdTQ2mThzJ/h1QuvZ5zxg 
         52n8Q4nobU/UZa81TJP3xA== 
     CRC32 : hHiUxQ== 
     HAVAL : FCwWSKr07Wv5afjCZPGsEOri6zyjmr+J 
         blByLIOF++I= 
     GOST : 9me+tSjSZHHMCrlm5z9n1Lovkh16vB42 
         0jtNLKxqfxo=
     
 End timestamp: 2017-06-15 20:45:12 +0530 (run time: 12m 45s)

The above command generates a new database in /var/lib/aide/aide.db.new.
Next, install the newly-generated database with the following command:

cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Next, you will need to build a new Aide config file. You can do this with the following command:

update-aide.conf

Next, copy the newly generated config file to the /etc/aide directory:

cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
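The tutorial does not show what goes into the config file itself. The fragment below is an added example, not part of the original tutorial or of the Debian package: a local rule set that watches a web root for the attributes listed in the synopsis (permissions, inode, link count, owner, group, size, mtime, ctime, content hashes) while treating log files as growing-only. On Debian and Ubuntu, update-aide.conf merges files from /etc/aide/aide.conf.d/ into the generated config, so the file name under that directory and the /var/www and /var/log/apache2 paths are assumptions for illustration.

```conf
# /etc/aide/aide.conf.d/99_local_webroot   (constructed example; file name is an assumption)

# Attribute letters: p=permissions i=inode n=link count u=owner g=group
# s=size m=mtime c=ctime S=growing size; sha256/sha512 = content hashes
WebCode = p+i+n+u+g+s+m+c+sha256+sha512
# For logs only check ownership/permissions and that the size never shrinks;
# a content hash would change on every write and only produce noise.
GrowLog = p+u+g+S

# Selection lines are regular expressions matched against the path prefix.
/var/www/html        WebCode
# Uploaded content changes legitimately; the trailing slash excludes the
# directory's children while the directory entry itself stays under WebCode.
!/var/www/html/uploads/
/var/log/apache2     GrowLog
```

After adding the fragment, re-run update-aide.conf, copy the regenerated file into place as above, and rebuild the database with aideinit so the new rules have a baseline to compare against.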

Test Aide

Once everything is configured properly, let's test whether Aide is functioning or not.

First, create a directory and some files with the following commands:

mkdir /root/aide-test
touch /root/aide-test/test1
touch /root/aide-test/test2

Now, run an Aide check to detect the new files and directory with the following command:

aide -c /etc/aide/aide.conf --check

You should see the changes detected by the Aide check in the following output:

 AIDE 0.16a2-19-g16ed855 found differences between database and filesystem!! 
 Start timestamp: 2017-06-15 21:04:32 +0530 
 Verbose level: 6
 
 Summary: 
     Total number of entries: 113613 
     Added entries: 4 
     Removed entries: 0 
     Changed entries: 8
 
 --------------------------------------------------- 
 Added entries: 
 ---------------------------------------------------
 
 d++++++++++++++++: /root/aide-test
 
 f++++++++++++++++: /root/aide-test/test1
 
 f++++++++++++++++: /root/aide-test/test2
 
 f++++++++++++++++: /var/lib/aide/aide.db

You can verify the newly created files in the above Aide check report. It is recommended to update the Aide database so that they are not reported again on the next Aide check. You must also keep a backup of the old Aide database and rotate in the updated database on a daily basis to keep track of changes.
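The check-review-rotate cycle described in this section as one script, added here as an example that is not part of the original tutorial. It assumes the Debian paths used above (/etc/aide/aide.conf, /var/lib/aide/aide.db and aide.db.new), and the exit-status bits documented in aide(1) for 0.16 and later (1 = new files, 2 = removed files, 4 = changed files, 14 and above are errors). The function names are my own, and the report text used to exercise the parser is constructed from the sample output above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): cron-friendly AIDE wrapper.
# Assumed paths follow the tutorial; override via environment if yours differ.
AIDE_CONF="${AIDE_CONF:-/etc/aide/aide.conf}"
AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db}"
AIDE_DB_NEW="${AIDE_DB_NEW:-/var/lib/aide/aide.db.new}"

# Print "added removed changed" from the Summary block of a saved report.
# Only lines that end in a number are used, so the "Added entries:" section
# header further down the report does not overwrite the count.
parse_summary() {
    awk '
        /Added entries:[[:space:]]*[0-9]+[[:space:]]*$/   { a = $NF }
        /Removed entries:[[:space:]]*[0-9]+[[:space:]]*$/ { r = $NF }
        /Changed entries:[[:space:]]*[0-9]+[[:space:]]*$/ { c = $NF }
        END { printf "%d %d %d\n", a, r, c }
    ' "$1"
}

# Return 0 (true) when the report shows any difference, 1 when it is clean.
report_has_changes() {
    set -- $(parse_summary "$1")
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -eq 0 ] && return 1
    return 0
}

# Decode the aide(1) exit status bitmask into a short human-readable string.
decode_exit() {
    code="$1"
    if [ "$code" -eq 0 ]; then echo "no differences"; return 0; fi
    if [ "$code" -ge 14 ]; then echo "error (exit $code)"; return 2; fi
    msg=""
    [ $((code & 1)) -ne 0 ] && msg="$msg new-files"
    [ $((code & 2)) -ne 0 ] && msg="$msg removed-files"
    [ $((code & 4)) -ne 0 ] && msg="$msg changed-files"
    echo "differences:$msg"
    return 1
}

# Accept the current filesystem state as the new baseline: keep a dated,
# root-only copy of the old database, then move the new one into place.
# Arguments: current db, freshly generated db, backup directory.
rotate_db() {
    db="$1"; new="$2"; bak="$3"
    [ -s "$new" ] || { echo "no new database at $new" >&2; return 1; }
    mkdir -p "$bak"
    stamp=$(date +%Y%m%d-%H%M%S)
    if [ -f "$db" ]; then
        cp -p "$db" "$bak/aide.db.$stamp" || return 1
        chmod 0600 "$bak/aide.db.$stamp"
    fi
    mv "$new" "$db" && chmod 0600 "$db"
}

# Run the live check, keep the full report for review, and summarise it.
# --update behaves like --check but also writes the candidate database
# (aide.db.new on Debian), which rotate_db can install once reviewed.
run_check() {
    report="${1:-/var/log/aide/aide-$(date +%Y%m%d).log}"
    mkdir -p "$(dirname "$report")"
    rc=0
    aide -c "$AIDE_CONF" --update > "$report" 2>&1 || rc=$?
    echo "aide: $(decode_exit "$rc")"
    echo "summary (added removed changed): $(parse_summary "$report")"
    return "$rc"
}

# Only touch the live system when invoked explicitly, e.g. from cron:
#   aide-wrapper.sh check            (run and summarise)
#   aide-wrapper.sh rotate           (install reviewed aide.db.new, keep backup)
case "${1:-}" in
    check)  run_check "${2:-}" ;;
    rotate) rotate_db "$AIDE_DB" "$AIDE_DB_NEW" "${2:-/var/lib/aide/backup}" ;;
esac
```

Run the `check` action from cron and have its non-zero exit or the printed summary feed your alerting; only run `rotate` after a person has read the saved report and confirmed the changes are expected, otherwise an attacker's modifications become the new baseline. Note that in the sample report above /var/lib/aide/aide.db itself appears as an added entry because the database was copied into place after the baseline was built; one rotation followed by a fresh check clears that.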
