Advanced Intrusion Detection Environment (AIDE) Installation on Ubuntu 16.04

Overview

Anyone who manages a production platform understands the importance of tracking file changes. AIDE detects changes to files and directories, and it includes a variety of options that help users figure out specifically what has been altered. This guide covers setting up AIDE and how to use it.

Setting up AIDE

  1. Install the AIDE package:
    sudo apt install aide
  2. Make sure /etc/aide/aide.conf has the appropriate configuration for your environment (See below for a sample aide.conf).
  3. Initialize AIDE so that it has a baseline:
    aide.wrapper --init
    (I used the .wrapper because that seems to work more often than just the regular aide --init)
    If you make any changes to the configuration file after the first initialization, just go through steps 3-4 again.
  4. Overwrite the previous database file to set the baseline to the one you just initialized:
    mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Configuration

AIDE.conf file

There are plenty of options you can use within the conf file to have AIDE examine many different properties of the selected file or directory.

If you want to add another directory or file for AIDE to monitor, first put the path to the file/directory and then tell it what type of check to do.

In our example, I set up a check over the /home/ubuntu/AIDEHOME/ directory and told it to do a Full check every time aide.wrapper --check runs.

/home/ubuntu/AIDEHOME/ Full

If you do not want to use aliases then you can just put the specific attribute after the directory/file name like this:

/etc/aide/aide.conf p

This would check the permissions on the file every time aide checks it.

Look at this man page for the available attributes and configuration options: https://linux.die.net/man/5/aide.conf

Throughout the aide.conf file there are templates/aliases that combine the desired attributes, such as OwnerMode = p+u+g+ftype and VarFile = OwnerMode+n+l+X.

As you can see, some templates/aliases reference another template/alias, so you can nest templates/aliases as deeply as you want.

Modifying AIDE.conf

In my setup, I am just trying to look at the /home/ubuntu/AIDEHOME directory and nothing else. The Full attribute is telling it to check if anything has happened to the file at all. Limiting the directories that it looks at decreases the output of the aide.wrapper --check command. Limiting the directories also decreases the time it takes to search for changes.

# Check everything: group aliases, each built from attribute letters or from
# other groups (Checksums is defined before StaticFile references it)
OwnerMode = p+u+g+ftype
Size = s+b
InodeData = OwnerMode+n+i+Size+l+X
Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger
StaticFile = m+c+Checksums
Full = InodeData+StaticFile

# The one directory to monitor, with every attribute in Full compared
/home/ubuntu/AIDEHOME Full

# Everything else is excluded: a leading ! means "do not check paths matching this"
!/var/backups/*
!/var/cache/*
!/var/crash/*
!/var/local/*
!/var/lock/*
!/var/log/*
!/var/mail/*
!/var/opt/*
!/var/run/*
!/var/snap/*
!/var/spool/*
!/var/tmp/*
!/usr/*
!/home/*
!/bin/*
!/etc/*
!/initrd.img.old/*
!/lost+found/*
!/opt/*
!/run/*
!/srv/*
!/vmlinuz.old/*
!/boot/*
!/lib/*
!/media/*
!/proc/*
!/sbin/*
!/sys/*
!/dev/*
!/initrd.img/*
!/lib64/*
!/mnt/*
!/root/*
!/snap/*
!/tmp/*
!/vmlinuz/*
!/var/lib/*

Testing AIDE

The only way to test whether AIDE is working is to change some of the files or directories it is monitoring.

For the test, I deleted a file in the directory called NewFile.txt and changed the permissions on a file called AIDEFileTest.txt.

To activate the AIDE check, run:

aide.wrapper --check

This is the condensed result I got after making the changes above:

AIDE 0.16a2-19-g16ed855 found differences between database and filesystem!!

Summary:
  Total number of entries:    15138
  Removed entries:        1
  Changed entries:        2

Removed entries:
---------------------------------------------------
f----------------: /home/ubuntu/AIDEHOME/NewFile.txt
---------------------------------------------------
Changed entries:
---------------------------------------------------
d =.... mc.. .. .: /home/ubuntu/AIDEHOME
f =.p.. .c...A. .: /home/ubuntu/AIDEHOME/AIDEFileTest.txt

Conclusion

AIDE (Advanced Intrusion Detection Environment) can be used in a variety of circumstances to keep track of file changes. In this usage, it was used to check if a file was deleted, if a file was added, and if a file was edited.

If you liked this tutorial, please leave a comment below telling us what you thought and take a look at our other tutorials.

If you have any suggestions for other tutorials, please contact us via the Contact Us page.