AIDE Ubuntu Installation
Introduction
AIDE is an open-source tool that allows administrators to monitor for any changes made to files and directories on a system. In this guide, we’ll be going over how to set it up and test it on Ubuntu 18.04 or 16.04.
Prerequisites
Before you can follow the guide below, you're going to need either Ubuntu 18.04 or 16.04 running on a compatible server, and of course AIDE itself ready to install.
Installing AIDE Package
Update package repositories before continuing:
apt update -y
Install the AIDE package using the apt command:
apt install aide -y
Updating AIDE Configuration
/etc/default/aide
^ This is where you set up mailed reports and cron-job-specific configuration options.
/etc/aide/aide.conf
^ This is where you set the directories and files that AIDE will monitor.
We'll be editing /etc/aide/aide.conf for now, but feel free to look around in /etc/default/aide if you're interested in configuring any of the things listed in that file.
AIDE Definitions
The /etc/aide/aide.conf file includes all the definitions and rules (in that order) that are in each of the files in the /etc/aide/aide.conf.d/ directory.
By default, the file contains only the definitions, which are used later when stating how files and directories should be watched.
An example definition looks like this:
OwnerMode = p+u+g+ftype
This specific definition would monitor the files to see if there are any changes in the permissions, the owner/group of the file, and the file type. You can see what each of the letters in this definition does by looking at the man page for AIDE: http://manpages.ubuntu.com/manpages/bionic/man5/aide.conf.5.html#default%20groups
You can also combine multiple definitions into one single definition. This is one of the ones that I made:
OwnerSize = OwnerMode+s+b
With this definition, AIDE would monitor for all changes that the OwnerMode definition is already looking out for, along with changes in the file size (s) and block count (b). Since this group definition is custom-made, you can do the same and make whatever definition or group definition fulfills your needs!
Now, these definitions won't be of any use until we tell AIDE to use them when monitoring files and directories.
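Once a custom group references other groups, it is easy to lose track of what it actually checks. The following POSIX sh resolver is an added example (not part of this guide or of the AIDE package): it reads definition lines of the form Name = a+b+Other, follows references recursively, and prints the primitive attributes. It only handles the + operator shown above, and the two definitions are a constructed sample.

```shell
# Constructed sample: the two definitions discussed above.
SAMPLE_DEFS='OwnerMode = p+u+g+ftype
OwnerSize = OwnerMode+s+b'

# expand_aide_group NAME: reads "Name = a+b+Other" definition lines from stdin
# and prints NAME flattened to primitive attributes (a primitive is printed
# unchanged). Only the "+" operator is handled; a definition loop is an error.
expand_aide_group() {
    awk -v want="$1" '
        # Extra parameters after the real ones are awk-local variables.
        function expand(n, depth,    count, parts, i, out, p) {
            if (!(n in defs)) return n          # primitive attribute
            if (depth > 20) {
                print "error: definition loop at " n > "/dev/stderr"
                exit 2
            }
            count = split(defs[n], parts, "+")
            out = ""
            for (i = 1; i <= count; i++) {
                p = expand(parts[i], depth + 1)
                if (out != "") out = out "+"
                out = out p
            }
            return out
        }
        # Collect definition lines; rule lines start with "/" or "@@" and are skipped.
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            name = $0; sub(/[ \t]*=.*$/, "", name)
            val = $0;  sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            defs[name] = val
        }
        END { print expand(want, 0) }'
}

# What does the custom OwnerSize group really check? Prints p+u+g+ftype+s+b
printf '%s\n' "$SAMPLE_DEFS" | expand_aide_group OwnerSize
```

Pointing it at /etc/aide/aide.conf instead of the sample shows the same expansion for any group you define there.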
AIDE Rules
As I mentioned before, all of the rules by default will be in each of the files in the /etc/aide/aide.conf.d/ directory.
The rules listed in these files won't show up in /etc/aide/aide.conf until you run the update-aide.conf command.
So before we run that command, we'll want to pick and choose whichever rules we want to apply to our system.
As an example, we'll set up AIDE to monitor the directories that the web service Apache2 installs on the system.
Under the /etc/aide/aide.conf.d/ directory, we have a few files that match this description:
/etc/aide/aide.conf.d/31_aide_libapache2-mod-fastcgi
/etc/aide/aide.conf.d/31_aide_apache2
/etc/aide/aide.conf.d/30_aide_apache2
The 31_aide_apache2 file contains a few rules covering the log files that Apache2 creates. However, for our example, we'll also want AIDE to watch the configuration directories to make sure nobody is changing the files on the system.
Before we configure the Apache2 files directly, let's move the rest of the files out of the way so AIDE will only add rules that fulfill our needs:
mkdir /etc/aide/unused-config-files
for FILE in /etc/aide/aide.conf.d/*; do
    basename "$FILE" | grep -qiE "apache2|aide$" || mv "$FILE" /etc/aide/unused-config-files/
done
With these commands, we create a directory and move into it every file whose name does not reference the Apache2 service or end in aide.
Now onto editing the contents of the Apache2 files. Within /etc/aide/aide.conf.d/31_aide_apache2 we can find:
@@ifdef APACHE2_SUEXEC
@@define APACHE2_LOGS (access|error|suexec)
@@else
@@define APACHE2_LOGS (access|error)
@@endif
/var/log/apache2/@@{APACHE2_LOGS}\.log$ Log
/var/log/apache2/@@{APACHE2_LOGS}\.log\.1$ LowLog
/var/log/apache2/@@{APACHE2_LOGS}\.log\.2\.gz$ LoSerMemberLog
/var/log/apache2/@@{APACHE2_LOGS}\.log\.([3-9]|[1-4][0-9]|5[0-1])\.gz$ SerMemberLog
/var/log/apache2/@@{APACHE2_LOGS}\.log\.52\.gz$ HiSerMemberLog
/@@{RUN}/apache2\.pid$ VarFile
/@@{RUN}/apache2/ssl_scache$ VarFile
/var/log/apache2$ VarDir
/@@{RUN}/apache2$ VarDirInode
So let's break down this file first before we add our own rule to it.
The first 5 lines of the file use the @@ symbols and go over setting a variable that can be used within all other AIDE configuration files. You can view the documentation for these specific macros (as they are called) here:
http://manpages.ubuntu.com/manpages/bionic/man5/aide.conf.5.html#macro%20lines
We can see that the if/else condition first checks whether the APACHE2_SUEXEC variable is set, which is all the 30_aide_apache2 file does. So, as long as that file stays enabled, the file we're editing will not have any problems.
You'll see within the if/else statements the use of define, which is how you set the variables. Within the file, it sets the variable APACHE2_LOGS to match both access and error whenever it is referenced.
So applying what we know, this variable is used to have AIDE look at both the /var/log/apache2/error.log and /var/log/apache2/access.log files with the log-specific definitions, which can be found in /etc/aide/aide.conf.
A few of the lines after those use @@{RUN}, which is created by the 10-aide-run config file and simply translates to run.
So with all of the contents of the file explained, let's add our own rule at the bottom of the file:
@@define SITES (sites-available|sites-enabled)
/etc/apache2/@@{SITES} Checksums
First, we define SITES to resolve to both sites-available and sites-enabled. Both of these values come from the directories that Apache2 creates to sort out which configuration files are enabled or are simply available.
Then, we use this newly-created variable when specifying the Apache2 configuration directory so that AIDE knows where to look. If we wanted to exclude the directory instead, we would put ! in front of the path and leave out the group definition, like this:
!/etc/apache2/@@{SITES}
Since we want to monitor the directory for changes within the files, we add the Checksums definition onto the end.
Now that we've created our rules, we can move on to initializing the database.
For these rules files, you can just create a file, place the rules in it, and name it whatever you want, as long as the file is within the /etc/aide/aide.conf.d/ directory. You can also add the rules directly to the /etc/aide/aide.conf file, but only use this for testing, as all changes to it get overwritten when you run the update-aide.conf command.
Initializing the Database
Now that we have the rules that we want AIDE to use, we can initialize the database:
aideinit
Applying changes
Update AIDE configuration by running this command:
update-aide.conf
Now update the default configuration file with the one that we just generated by running this command:
cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
Now we should be able to see the rules we added in the Apache2 AIDE config file in /etc/aide/aide.conf!
If you want to make any changes to the configuration after you've set up everything, you can just add the rules wherever you think is best and then re-initialize the database to overwrite the baseline configuration.
Testing AIDE
Now that we have the database set up and the rules monitoring the files that we want to be checking, we can test AIDE by making changes to the Apache2 directories.
touch /etc/apache2/sites-enabled/aide.conf
Now run the aide.wrapper command with the -C option to see that AIDE noticed us creating this new file!
root@aide-test:/etc/aide/aide.conf.d# aide.wrapper -C
Start timestamp: 2021-01-25 22:05:22 +0000 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Verbose level: 6
Summary:
Total number of entries: 156
Added entries: 1
Removed entries: 0
Changed entries: 0
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /etc/apache2/sites-enabled/aide.conf
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db
RMD160 : uu/nZvqD/lwLoqIBU+Q5NkfBs2E=
TIGER : JSCDwIVW1kXJYzuAJQc52juwAzEu1HyK
SHA256 : riBO2TjNW41EnuJ3iTXBFlGWzEcNA2k/
xbxmZAIUofw=
SHA512 : PWjqwCgvzSEXSuXeMwYaAM5oEEaN8vTx
TXr4O38WUXoZHrqKkhjvln5CasNP83Dv
ovdqe4CNqzTbGQoHFWwkng==
CRC32 : Q8gEfQ==
HAVAL : OrNFTv7qMAdtGS+1zDc0InnK8tVv4kg3
kqAZUK54p68=
GOST : Cg8R3BLhocvxsvweTBTdR6wHy9L07Jxd
PqTUc3/uZ34=
End timestamp: 2021-01-25 22:05:22 +0000 (run time: 0m 0s)
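When aide.wrapper -C runs from cron, someone has to read the report. The following POSIX sh script is an added example, not part of this guide or of the AIDE package: it parses a report in the format shown above (a constructed copy of it is embedded), extracts the added/removed/changed counts and the flagged paths, and returns a non-zero status whenever anything differs, so a scheduler or monitoring job can alert on it.

```shell
# Constructed sample report, modelled on the aide.wrapper -C output above.
SAMPLE_REPORT=$(cat <<'EOF'
Start timestamp: 2021-01-25 22:05:22 +0000 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 156
Added entries: 1
Removed entries: 0
Changed entries: 0
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /etc/apache2/sites-enabled/aide.conf
---------------------------------------------------
The attributes of the (uncompressed) database(s):
End timestamp: 2021-01-25 22:05:22 +0000 (run time: 0m 0s)
EOF
)
# aide_counts: report on stdin -> "ADDED REMOVED CHANGED" (numeric summary lines only).
aide_counts() {
    awk '/^Added entries:[ \t]*[0-9]+$/   { a = $3 }
         /^Removed entries:[ \t]*[0-9]+$/ { r = $3 }
         /^Changed entries:[ \t]*[0-9]+$/ { c = $3 }
         END { print a + 0, r + 0, c + 0 }'
}

# aide_paths: report on stdin -> one flagged path per line. Entry lines look like
# "f++++++++++++++++: /path"; parsing stops at the database-attributes trailer
# so a hash value that happens to start with "/" is never taken for an entry.
aide_paths() {
    awk '/^The attributes of the/ { exit }
         /^[a-zA-Z][^:]*: \// { sub(/^[^:]*: /, ""); print }'
}

# aide_needs_attention REPORT_TEXT: return 0 when nothing changed, 1 otherwise.
# An empty report (e.g. aide.wrapper failed to run) also needs attention.
aide_needs_attention() {
    report=$1
    [ -n "$report" ] || { echo "ALERT: empty report"; return 1; }
    set -- $(printf '%s\n' "$report" | aide_counts)
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -eq 0 ]; then
        echo "OK: database matches filesystem"; return 0
    fi
    echo "ALERT: added=$1 removed=$2 changed=$3"
    printf '%s\n' "$report" | aide_paths | sed 's/^/  /'
    return 1
}

aide_needs_attention "$SAMPLE_REPORT" || echo "(a cron job would notify an operator here)"
```

In practice you would feed it the real output, for example aide_needs_attention "$(aide.wrapper -C 2>&1)", and act on the exit status.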
Now, we can use AIDE to monitor any files or directories we want!
Conclusion
AIDE can be used for a variety of purposes, including monitoring configuration file changes, filesystem changes, and more. It can even serve as a safeguard against attackers modifying the system in any way, and if they do, it's easy to identify which files they altered and how.
Overall, AIDE is a great tool to use for general admin integrations for your systems! If you run into any trouble though, don’t hesitate to reach out to the Awnix team for help!