How to install and use AIDE (Advanced Intrusion Detection Environment) in CentOS 8



In anticipation of the start of the Linux Developer course, we have prepared a translation of an article on AIDE.


AIDE (Advanced Intrusion Detection Environment) is one of the most widely used file-integrity monitors for Linux. It does not block malware or attackers; it detects the traces they leave behind, such as modified binaries, altered configuration files, new SUID programs or rootkit components. To do that, AIDE takes a snapshot (a database) of file metadata and checksums and later compares the current state of the system against it. During an incident this narrows the investigation to the files that actually changed.

AIDE features:

  • Tracks many file attributes, including file type, inode, uid, gid, permissions, number of links, mtime, ctime and atime.
  • Supports gzip-compressed databases, and records SELinux contexts, extended attributes (xattrs), POSIX ACLs and ext2/3/4 file-system attributes.
  • Supports several checksum algorithms, including md5, sha1, sha256, sha512, rmd160 and crc32. Prefer sha256 or sha512 in your rules: md5, sha1 and crc32 no longer offer meaningful collision resistance.
  • Reports can be mailed, for example by cron when the check is scheduled.

In this article, we will look at how to install and use AIDE to detect intrusions in CentOS 8.

Prerequisites

  • A server running CentOS 8 with at least 2 GB of RAM.
  • root access

Begin

It is recommended that you upgrade your system first. To do this, run the following command.

dnf update -y

After the upgrade, reboot the system so that the updates (a new kernel in particular) take effect.

Install AIDE

AIDE is available in the default CentOS 8 repository. You can easily install it by running the following command:

dnf install aide -y

After installation is complete, you can view the AIDE version using the following command:

aide --version

You should see the following:

Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

The available options can be listed with:

aide --help

Creating and initializing a database

The first thing to do after installing AIDE is to initialize it: AIDE reads the rules in /etc/aide.conf and creates a database (snapshot) of the files and directories those rules select. Do this on a known-good system, ideally right after installation and before the server is exposed to the network, because every later check is only as trustworthy as this baseline.

To initialize the database, run the following command:

aide --init

You should see the following:

Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==


End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)

The command writes a new database, aide.db.new.gz, to the directory /var/lib/aide. You can see it with the following command:

ls -l /var/lib/aide

Result:

total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz

AIDE does not use this new database until it is renamed to aide.db.gz, the path given by the database line in /etc/aide.conf (aide --init writes to the database_out path instead). Rename it as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Update this database whenever you make authorized changes to the system (for example after a dnf update); otherwise every subsequent check keeps reporting those changes and real ones get lost in the noise. Never regenerate it without reviewing the reported differences first, and keep a copy of aide.db.gz, or at least its checksum, off the host: an attacker with root can simply run aide --init again, after which the next check looks clean.

You can change the location of the database by editing the DBDIR definition in /etc/aide.conf, which the database and database_out lines refer to.
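The following script is an added example; it is not part of the original article or of the AIDE project. It wraps the initialization steps above and pins aide.db.gz and /etc/aide.conf with a SHA-256 manifest that you copy off the host, so that a later check can first confirm that nobody has rebuilt the baseline. The database and configuration paths are the CentOS 8 package defaults; the manifest location /root/aide-manifest.sha256 and the script name aide-baseline.sh are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the original article or from the AIDE project.
# Initialise the AIDE baseline and pin it with a SHA-256 manifest that is
# meant to be copied off the host. Paths for the database and configuration
# are the CentOS 8 package defaults; MANIFEST is an assumption of this example.
set -u

AIDE_DB_DIR="${AIDE_DB_DIR:-/var/lib/aide}"
AIDE_CONF="${AIDE_CONF:-/etc/aide.conf}"
MANIFEST="${MANIFEST:-/root/aide-manifest.sha256}"

# Write one "hash  path" line per file, in the format sha256sum -c reads.
record_manifest() {
    local manifest="$1"
    shift
    : > "$manifest"
    local f
    for f in "$@"; do
        sha256sum "$f" >> "$manifest"
    done
    chmod 0400 "$manifest"
}

# Succeed only if every file in the manifest still has its recorded hash.
# An attacker with root can re-run "aide --init" to hide their changes, so
# compare the baseline against the off-host copy before trusting a report.
verify_manifest() {
    sha256sum --quiet -c "$1" >/dev/null 2>&1
}

# Create the first baseline. --init writes to database_out (aide.db.new.gz);
# --check reads the "database" path, so the file has to be moved.
init_baseline() {
    aide --config="$AIDE_CONF" --init || return $?
    mv "$AIDE_DB_DIR/aide.db.new.gz" "$AIDE_DB_DIR/aide.db.gz" || return $?
    record_manifest "$MANIFEST" "$AIDE_DB_DIR/aide.db.gz" "$AIDE_CONF"
    echo "baseline pinned in $MANIFEST; copy it off this host now"
}

# Refuse to run a check against a baseline that no longer matches the manifest.
checked_run() {
    if ! verify_manifest "$MANIFEST"; then
        echo "REFUSING to run: AIDE database or config differs from $MANIFEST" >&2
        return 2
    fi
    aide --config="$AIDE_CONF" --check
}

# Only touch AIDE when an action is given, so the functions can be sourced
# (or the file tested) without running aide at all.
case "${1:-}" in
    init)  init_baseline ;;
    check) checked_run ;;
esac
```

Run `aide-baseline.sh init` once on the clean system, copy the manifest somewhere the server cannot write to, and use `aide-baseline.sh check` (with the manifest copied back, or compared by hand) instead of a bare aide --check. After every legitimate aide --update, re-run record_manifest on the new database and refresh the off-host copy.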

Run check

AIDE is now ready to use the new database. Run the first AIDE check without making any changes:

aide --check

This command will take some time depending on the size of your file system and the amount of RAM on your server. After the check is complete, you should see the following:

Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

This output means that every file and directory covered by the rules matches the AIDE database.

Testing AIDE

The default rules in /etc/aide.conf do not cover Apache's document root, /var/www/html. Let's add it so that AIDE monitors it. Open the configuration file:

nano /etc/aide.conf

Add the following line above the existing line /root/ CONTENT_EX (CONTENT_EX is one of the rule groups defined earlier in the same file; it records a content checksum together with file type, ownership and permissions):

/var/www/html/ CONTENT_EX

Next, create a file aide.txt in the directory /var/www/html using the following command:

echo "Test AIDE" > /var/www/html/aide.txt

Now run the AIDE check and make sure that the created file is detected.

aide --check

You should see the following:

Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The new file aide.txt is reported as added: the line starts with f for a regular file, and every attribute column shows + because there was nothing in the database to compare against.
Once you have confirmed that the reported changes are legitimate, update the AIDE database so that they become part of the baseline:

aide --update

After the update, you will see the following:

Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The above command writes a new database, aide.db.new.gz, to the directory /var/lib/aide/.

You can see it with the following command:

ls -l /var/lib/aide/

Result:

total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz

Now rename the new database so that AIDE uses it for subsequent checks:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run the check again to verify that AIDE is using the new database:

aide --check

You should see the following:

Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Automate verification

It is good practice to run the AIDE check every day and have the report mailed. This can be automated with cron.

nano /etc/crontab

To start the AIDE check every day at 10:15, add this line at the end of the file (the sixth field of /etc/crontab is the user the job runs as):

15 10 * * * root /usr/sbin/aide --check

cron mails everything the job prints to the MAILTO address of /etc/crontab (root by default), so you receive the report by mail, provided a local MTA such as postfix is installed and running. aide --check also returns a non-zero exit status whenever it finds differences, which a wrapper script can use to decide whether to alert. You can read root's mailbox with:

tail -f /var/mail/root

AIDE also writes the report to its log file (the report_url lines in /etc/aide.conf send it both to stdout and to this file):

tail -f /var/log/aide/aide.log
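The following wrapper is an added example and not part of the original article or of the AIDE project. It covers the cron job above and the report layout shown in the test section: it decodes the exit status of aide --check, logs a one-line verdict plus every reported path to syslog (where a log collector can pick them up), and prints the full report, which cron then mails, only when something differs, so a clean run produces no mail. The exit-status bits (1 added, 2 removed, 4 changed, 14 to 19 errors) and the report sections are AIDE's own; the script path /usr/local/sbin/aide-cron.sh and the embedded sample report are assumptions constructed for this example.

```shell
#!/bin/bash
# Added example, not from the original article or from the AIDE project.
# Cron wrapper: decode AIDE's exit status, log a verdict and the reported
# paths to syslog, and print the report (which cron then mails) only when
# something differs. The script path used in the crontab line is an
# assumption; the exit-status bits and the report layout are AIDE's own.
set -u

# "aide --check" exits with a bitmask: 1 = new files, 2 = removed files,
# 4 = changed files (so 5 means added and changed). 14-19 are errors.
decode_aide_status() {
    local rc="$1" words=""
    case "$rc" in
        0)  echo "no differences"; return 0 ;;
        14) echo "error: writing error"; return 0 ;;
        15) echo "error: invalid argument"; return 0 ;;
        16) echo "error: unimplemented function"; return 0 ;;
        17) echo "error: configuration error"; return 0 ;;
        18) echo "error: IO error"; return 0 ;;
        19) echo "error: version mismatch"; return 0 ;;
    esac
    if [ "$rc" -gt 7 ]; then
        echo "error: unexpected status $rc"
        return 0
    fi
    if [ $((rc & 1)) -ne 0 ]; then words="$words added"; fi
    if [ $((rc & 2)) -ne 0 ]; then words="$words removed"; fi
    if [ $((rc & 4)) -ne 0 ]; then words="$words changed"; fi
    echo "${words# }"
}

# Print the paths listed under one report section ("Added entries",
# "Removed entries" or "Changed entries") read from stdin. Summary lines are
# indented and carry a count, so only the bare section headers switch
# sections; the detailed per-file block at the end of the report is skipped.
report_section() {
    awk -v want="$1:" '
        /^(Added|Removed|Changed) entries:$/ { insec = ($0 == want); next }
        /^Detailed information about changes:/ { insec = 0 }
        insec { i = index($0, ": /"); if (i > 0) print substr($0, i + 2) }
    '
}

# A constructed report in the layout shown in the article, for exercising
# the parser offline; the paths and hashes in it are made up.
sample_report() {
    cat <<'EOF'
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      49475
  Added entries:                1
  Removed entries:              1
  Changed entries:              1

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /usr/local/sbin/oldtool

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...    . C... : /etc/passwd

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/passwd
  SHA256   : constructed-old-hash | constructed-new-hash
EOF
}

# Cron entry point: run the check, log the verdict and each path, and print
# the report only when there are findings (cron mails whatever is printed).
run_cron_check() {
    local report rc verdict section
    report=$(aide --check 2>&1)
    rc=$?
    verdict=$(decode_aide_status "$rc")
    logger -t aide "check finished: $verdict (exit $rc)"
    if [ "$rc" -ne 0 ]; then
        for section in "Added entries" "Removed entries" "Changed entries"; do
            printf '%s\n' "$report" | report_section "$section" |
                while IFS= read -r path; do
                    logger -t aide "${section%% *}: $path"
                done
        done
        printf '%s\n' "$report"
    fi
    return "$rc"
}

# Only run AIDE when invoked as the cron job; sourcing the file for its
# functions, or running it without an argument, does nothing.
if [ "${1:-}" = "cron" ]; then
    run_cron_check
fi
```

With this wrapper the crontab line becomes `15 10 * * * root /usr/local/sbin/aide-cron.sh cron` (with `MAILTO=root` set near the top of /etc/crontab), and the verdict lines can be found with `journalctl -t aide`.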

Conclusion

In this article, you learned how to use AIDE to detect changes to files on a server and so to spot the traces of unauthorized access. Further rules and options live in /etc/aide.conf. For security reasons, store the database and the configuration file on read-only media or off the host, and compare their checksums before trusting a check, because anyone with root on a compromised machine can rebuild the database. For more information, see the AIDE documentation.




