Skip to main content

Setup AIDE on Rocky

·3 mins

Advanced Intrusion Detection Environment(AIDE) is a host-based instrusion detection system(HIDS) for checking the integrity of files. Upon initialization, AIDE will create a database in /var/lib/aide based on files specified in /etc/aide.conf.

Install AIDE #

yum install aide -y

Initialize the Database #

[root@rockylab ~]# aide --init
Start timestamp: 2022-01-03 10:20:41 +0400 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	62898

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : dJYY/FcIsWU4w1MEPC5oMw==
  SHA1     : rBAxvq0PjaPVCLKM9EDvl3K0ONQ=
  RMD160   : zR4K2EN1V09rsqpAI3I0EFE5JlY=
  TIGER    : PeS4nVVTi5KtjiK6eBbvgnBZDHL4Ntxi
  SHA256   : wbqqP/CaF/Z3cwmFGLLmJY+l29bYIT91
             lF8txR1dU2c=
  SHA512   : /nc1hv+paly2bLzlhT0W6py9Ra+HX8tc
             RAk/x0kSfFDOlBqDd59717fZ3ryFef/d
             aTBkV8zP1ixnn/lKonk9LA==


End timestamp: 2022-01-03 10:22:21 +0400 (run time: 1m 40s)
[root@rockylab ~]# 
[root@rockylab ~]# ls -lh /var/lib/aide/aide.db.new.gz
-rw-------. 1 root root 3.6M Jan  3 10:22 /var/lib/aide/aide.db.new.gz

Rename the database #

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Create a new file and run a check on the database #

Create an empty file in /usr/bin and run a check:

[root@rockylab ~]# touch /usr/bin/testbin

[root@rockylab ~]# aide --check
Start timestamp: 2022-01-03 10:31:42 +0400 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	62899
  Added entries:		1
  Removed entries:		0
  Changed entries:		1

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /usr/bin/testbin

----REDACTED---

The f+++... below Added entries is telling you that the change is a file. Aide is detecting the change because /usr has a rule in the configuration file:

/boot       CONTENT_EX
/opt        CONTENT
/root/\..* PERMS
/root   CONTENT_EX
/usr    CONTENT_EX

---REDACTED---

Update the database #

If you’re aware of the changes, update the database:

[root@rockylab ~]# aide --update
Start timestamp: 2022-01-03 10:39:13 +0400 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:	62899
  Added entries:		1
  Removed entries:		0
  Changed entries:		1

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /usr/bin/testbin

----REDACTED---

Once the database is updated, a new one is created with the new changes. You can keep the old one for comparison or just remove it and use the new one:

[root@rockylab aide]# ls
aide.db.gz  aide.db.new.gz
[root@rockylab aide]# rm -f aide.db.gz
[root@rockylab aide]# mv aide.db.new.gz aide.db.gz

Changing permission #

Allow everyone to execute /usr/bin/testbin:

[root@rockylab ~]# chmod a=x /usr/bin/testbin

After a check, you’ll notice f p.. ..A.. below Changed entries. Which tells you that a file’s permissions and ACL were modified, including the actual permissions flag and which permission flag were enabled:

[root@rockylab aide]# aide --check
Start timestamp: 2022-01-13 09:10:52 +0400 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:  62902
  Added entries:    0
  Removed entries:    0
  Changed entries:    2

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   p..    ..A.. : /usr/bin/testbin
f           C    : /var/spool/anacron/cron.daily

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /usr/bin/testbin
  Perm     : -rwxr-xr-x                       | ---x--x--x
  ACL      : A: user::rwx                     | A: user::--x
             A: group::r-x                    | A: group::--x
             A: other::r-x                    | A: other::--x

Useful Commands and tips #

  • Each time you update the database you have to rename it. Write a script to do it.
  • Database comparison with --compare. Both databases should be defined in the configuration file.
  • Create a report with --report. E.g aide --report=report-dd-mm-yy.

β€œAn arrogant rich and a humble poor both need help! The former needs help to be human; the latter needs help to live humanely!” ― Mehmet Murat ildan