In this tutorial, you will learn how to install and configure AIDE on Debian 10. AIDE stands for Advanced Intrusion Detection Environment.
AIDE is an intrusion detection system that detects changes to files on the local system. It builds a database of file attributes from the regular-expression rules in its configuration file. Once this database is initialized, it can be used to verify the integrity of the files. It supports several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) for checking file contents, and more can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies, including file permissions, inodes, modification time, file contents, user, group and file size.
Installing AIDE on Debian 10
Run System Update
Before you can begin to install AIDE, update your system package index;
apt update
Install AIDE on Debian 10
AIDE is available on the default Debian repositories.
apt-cache policy aide
aide:
Installed: (none)
Candidate: 0.16.1-1
Version table:
0.16.1-1 500
500 http://deb.debian.org/debian buster/main amd64 Packages
However, as of this writing, the current release version of AIDE is 0.17.3.
Unfortunately, the Debian repos do not yet provide this latest release, as it is still in testing. We will therefore install the stable release version available on the default repos, which is AIDE v0.16.1-1.
Execute the command below to install the stable release version of AIDE on Debian 10;
apt install aide
Once AIDE has been successfully installed, you can verify the installed version by executing;
aide -v
The command shows the installed version of AIDE as well as the options it was compiled with.
Aide 0.16.1
Compiled with the following options:
WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
WITH_AUDIT
CONFIG_FILE = "/dev/null"
Configuring AIDE on Debian 10
The general configuration file for AIDE is located under /etc/default/aide.
The rules and other configuration reside under /etc/aide/.
The AIDE database is located under /var/lib/aide/.
Initialize AIDE Database on Debian 10
Create a new AIDE database;
aideinit
The aideinit command creates a new baseline database, /var/lib/aide/aide.db.new. The command might take a few minutes to complete.
Running aide --init...
Start timestamp: 2021-05-13 14:06:27 -0400 (AIDE 0.16.1)
AIDE initialized database at /var/lib/aide/aide.db.new
Verbose level: 6
Number of entries: 205656
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new
RMD160 : 7x5/c1dpNifnCqEfbegXkgeUYZ8=
TIGER : /TaHlucsBgKis1UAWqApNi05/irDr/EK
SHA256 : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO
ZgZLEM5aZRo=
SHA512 : VwkOKebuBWzrAAhNdeyI/KlgrJGp+Cx7
E/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb
8rx7wQ2VMcn1aDfA8aXtNQ==
CRC32 : ibeVcw==
HAVAL : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1
7TtzPAdV9Nk=
GOST : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F
8vsT+WVZAjQ=
End timestamp: 2021-05-13 14:13:05 -0400 (run time: 6m 38s)
As you can see, a new baseline AIDE database has been created at /var/lib/aide/aide.db.new.
Install New AIDE Database
To install the newly created AIDE database, copy it into place as follows;
cp /var/lib/aide/aide.db{.new,}
Rebuild AIDE Configuration
To update the AIDE runtime configuration, /etc/aide/aide.conf, execute the command below;
update-aide.conf
The command generates a new configuration file, /var/lib/aide/aide.conf.autogenerated. Copy the new configuration file to the default AIDE configs directory, overwriting the existing one;
cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
Check AIDE Database for any Inconsistencies
Once the new configuration is generated, run the manual database check against the new configuration by executing the command below;
aide -c /etc/aide/aide.conf -C
The command compares the filesystem against the AIDE database and reports every deviation it finds. See the example output below;
Start timestamp: 2021-05-13 14:59:37 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Verbose level: 6
Summary:
Total number of entries: 205656
Added entries: 1
Removed entries: 1
Changed entries: 23
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /var/lib/aide/aide.db
---------------------------------------------------
Removed entries:
---------------------------------------------------
l----------------: /run/systemd/units/invocation:session-3.scope
---------------------------------------------------
Changed entries:
---------------------------------------------------
f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /root/.bash_history
f =.... mc..... : /run/systemd/timesync/synchronized
d <.... mc.. .. : /run/systemd/units
f <b... mc..C.. .: /var/lib/dhcp/dhclient.leases
f =.... mc..... .: /var/lib/systemd/timers/stamp-anacron.timer
f =.... mc..... .: /var/lib/systemd/timesync/clock
d =.... mc.. .. .: /var/ossec/etc/shared/default
f =.... mc..... .: /var/ossec/etc/shared/default/merged.mg
f >b... mc..C.. .: /var/ossec/logs/alerts/2021/May/ossec-alerts-13.json
f >b... mc..C.. .: /var/ossec/logs/alerts/2021/May/ossec-alerts-13.log
f >b... mc..C.. .: /var/ossec/logs/alerts/alerts.json
f >b... mc..C.. .: /var/ossec/logs/alerts/alerts.log
f >.... mc..C.. .: /var/ossec/logs/ossec.log
d =.... mc.. .. .: /var/ossec/queue/db
f >b... mc..C.. .: /var/ossec/queue/db/000.db
f <.... mc..C.. .: /var/ossec/queue/diff/debian/535/last-entry
f >.... mc..C.. .: /var/ossec/stats/totals/2021/May/ossec-totals-13.log
d =.... mc.. .. .: /var/ossec/var/run
f =.... mci.... .: /var/ossec/var/run/ossec-analysisd.state
f =.... mci.... .: /var/ossec/var/run/ossec-remoted.state
f =.... mc..C.. .: /var/ossec/var/wodles/syscollector
f =.... mc..C.. .: /var/webmin/miniserv.lastcrons
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/aide/aide.conf
Size : 6598 | 46195
Bcount : 16 | 96
Mtime : 2016-04-16 13:57:29 -0400 | 2021-05-13 14:52:51 -0400
Ctime : 2021-05-13 05:34:15 -0400 | 2021-05-13 14:52:51 -0400
RMD160 : kHZi6LuS1X5nlHkrtCLV9UdgDxo= | 8wjI15r0D6K1MUVoiyjJPOlGv18=
TIGER : 4Xz+mZRAxr2kNIGOmTNJa/7Ftv+VpV37 | 5D516C4863lj53Gcsjw6criLTX43JoSL
SHA256 : RN1UT38/wRA8N5o4M4MHU8N+G49sK9nB | awEfe2H7plz+FstE6NEEHwBsthaweMji
0B5VVewz3h8= | WcEO1u90BTg=
SHA512 : o4LOstw3erheco5dpKcKLadGav29Ud9E | DeNIyQrjM8tDAfJdjLTYMTgDPvft/kjH
ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | 9GJbw/K4u+WwMMUeg8iKdNkCL6YPc49X
yKP7Fvoitf+jHcriq57Pgg== | xEkz4dL2MjSFBj0i+zQW1g==
CRC32 : S3Rhfg== | XsRmRw==
HAVAL : +O7017egNOm+/TJW/3HxeQcxmz55pDM7 | 2nb6INYq7XrgjDfncGvqSEz+UwXIYtSB
S+TXtMWVN/E= | 4YrUy9kI6IU=
GOST : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | omvkgMtCPG2xKS2Sbe3PVUKg8+ZNve9j
NhV8dix9LIw= | Zf744WY7Flk=
File: /root/.bash_history
Size : 5796 | 8040
Mtime : 2021-05-11 10:25:18 -0400 | 2021-05-13 14:27:45 -0400
Ctime : 2021-05-13 05:14:51 -0400 | 2021-05-13 14:27:45 -0400
RMD160 : r8qlsnSTkGosX0fsArK8zsWqTXU= | 1upKL9INTLUGKEWMIxLmc8CRxJ4=
TIGER : 2uPjP9oFh0nVhGjPQqJti44Q3bF4KHNq | +pJmPgLgd3blY4u+BA6AZiwto8VS5Cvl
SHA256 : dCwQv9ucRkmGT0fl5ucRdu+mP9xzM2pF | x2EA+tw6mqkGRq33h7dLOr/t0pX3HR61
w26HE7Pws5Y= | vQDZsEhmJD8=
SHA512 : /W3bSTf1qOpkav1Gucjv0iCcGn0Z7G6U | kxOIprR2dkw/LCCZg61E5kBGSpi4ZGA3
rUh3loPZBEQDvGrMc+9zw5FZKko4tfOM | 6T3UZ0Cr22B5CWWkoObGZQ24e3NvmTH5
1v/0FqiB4MhBvZkGU5l0cA== | pcAhiv4GdP83jO5+Hm2kpA==
CRC32 : KkRAtg== | SUGh1Q==
HAVAL : JBPLwPshi3ls05OEx2RA4yCYLt7m8+wS | Jb1L2/dFG0A8ghyV1txmjwlgsZ1wb8f0
a3UmYwGZDJo= | MOpMWDzQHAs=
GOST : NK8Tmk801XGP72lQktmnfPJ34DFQOuYs | FBMm5BduPdQ2EIw3bYLAS+0uhvdXKSa9
OFvxMiIcmXI= | 11y3Y1oUsyg=
File: /run/systemd/timesync/synchronized
Mtime : 2021-05-13 14:05:09 -0400 | 2021-05-13 14:30:46 -0400
Ctime : 2021-05-13 14:05:09 -0400 | 2021-05-13 14:30:46 -0400
Directory: /run/systemd/units
Size : 940 | 920
Mtime : 2021-05-13 14:01:15 -0400 | 2021-05-13 14:31:33 -0400
Ctime : 2021-05-13 14:01:15 -0400 | 2021-05-13 14:31:33 -0400
File: /var/lib/dhcp/dhclient.leases
Size : 5344 | 2222
Bcount : 16 | 8
Mtime : 2021-05-13 14:08:06 -0400 | 2021-05-13 15:01:44 -0400
Ctime : 2021-05-13 14:08:06 -0400 | 2021-05-13 15:01:44 -0400
RMD160 : x6g8TEahygu/Y6vTVmTHz+jG7/g= | A8i8GUKMIZPvQ67ncZ3vaCulf24=
TIGER : vopFlCGZMR5fD59z2IyqwGTPB4vaPLL7 | ZTotg1uJnCtyljIMyukQsXdIcRxRMBpb
SHA256 : 4aB4sFExXuQgHU36/U4Gpllva+ew5BwK | rPPBKCIrTIK3E4l8g1kcMDEYIWsBAK7g
K6IzFjbxGtI= | XeH+hNDUQVg=
SHA512 : oauEMDY2HKK4cNHJyaE9zL9jeIZomb+B | oL4A/nW81CzmU+wLwL2gj4o5i+RSFuDr
Qr66zW+FblCBjpX9+hPP+C3GWkuhooVO | dMRE57iAr5zpQIaNrsULOBcjf+xVl9/x
DFLNYa2uAy7M+IZsAoXD1w== | jWyRn+SAWeFgCbrQ1wVNuA==
CRC32 : vKR/CQ== | iP46NQ==
HAVAL : 52H8l2m8tGeeGGb7gC3N3bHcid1pvWDB | pcYoOf6Vk2JyMWqP7qOh+URg9Gz0Cabx
DZLJ7dflako= | kht7TRr3I0A=
GOST : 4YlQabl31XCpQCioZVXpyR+cDcW4po24 | RUA3L4LrEvpAz3LYTDG+38Qz4Aco1HKz
81HDK676bSU= | gGtZSrw6AlE=
File: /var/lib/systemd/timers/stamp-anacron.timer
Mtime : 2021-05-13 13:57:07 -0400 | 2021-05-13 14:31:33 -0400
Ctime : 2021-05-13 13:57:07 -0400 | 2021-05-13 14:31:33 -0400
File: /var/lib/systemd/timesync/clock
Mtime : 2021-05-13 14:05:09 -0400 | 2021-05-13 14:30:46 -0400
Ctime : 2021-05-13 14:05:09 -0400 | 2021-05-13 14:30:46 -0400
Directory: /var/ossec/etc/shared/default
Mtime : 2021-05-13 14:12:09 -0400 | 2021-05-13 15:01:44 -0400
Ctime : 2021-05-13 14:12:09 -0400 | 2021-05-13 15:01:44 -0400
File: /var/ossec/etc/shared/default/merged.mg
Mtime : 2021-05-13 14:12:09 -0400 | 2021-05-13 15:01:44 -0400
Ctime : 2021-05-13 14:12:09 -0400 | 2021-05-13 15:01:44 -0400
File: /var/ossec/logs/alerts/2021/May/ossec-alerts-13.json
Size : 303004 | 303699
Bcount : 600 | 608
Mtime : 2021-05-13 13:57:12 -0400 | 2021-05-13 14:27:45 -0400
Ctime : 2021-05-13 13:57:12 -0400 | 2021-05-13 14:27:45 -0400
RMD160 : HI8kVRJVmBHQ12uM4mgjgC8tG7c= | rXlxkYtULGVhokQ2Plf1gsRwfeU=
TIGER : fYh0uHAKUPT1rbJ/b/e/PcFOCIAqIGfn | 5mbOOvGc9vIdu/fu1HhzjYtSCNaMSA+W
SHA256 : xRC0btISZjbwp3HJ6YWTx8qVl/byyU79 | Oal9QcowgkTnOMChs3MoOgTOo0t8xLlu
+GDwaFVbOiM= | 2B3mpC3PNrk=
SHA512 : GYVO1j/fNYVxIe9mlKJRyUgPb3iOjxDZ | w+npPKwSPtMFmu+8+3bJD9tki9aZIvTi
aFCLLqCPpZJZn632rwM7nCTOI41CRQV+ | Ev1ry6SsWUMQ0/pH/SCacBUILfKQVBbU
Jisfz69u8Fc3WEhGfvN4hQ== | nEBwUdlorF+p3oPQ4lpipg==
CRC32 : mIJZOg== | EaLg9w==
HAVAL : Jt9WwS1ZnQ/u1wp8631+MNPgdgDhWD4Q | LrNLJfJrkK3jibcN/6wrrOtC+4K3BIpO
OJBxqeEjgtA= | Sxlq8e5pWqc=
GOST : J9yWuApsLcPuqDbmgp2CKup0spB6MrBS | d2HTAxbMxv7MPiI8lLanW+lSyGM7DvOq
76dAVlPr8QU= | JyOluc+3ikE=
File: /var/ossec/logs/alerts/2021/May/ossec-alerts-13.log
Size : 196342 | 196713
Bcount : 392 | 400
Mtime : 2021-05-13 13:57:12 -0400 | 2021-05-13 14:27:45 -0400
Ctime : 2021-05-13 13:57:12 -0400 | 2021-05-13 14:27:45 -0400
RMD160 : /5NDXAKCiQxSuPHVbhi9VQOLLak= | IDKuML9GS4sQO8oF6Cxz/vupSJs=
TIGER : 6bAnpVoBW5vDbFQGZtpYFXr9uUYwGrXh | xzLHbWTZVWo7WpTHKvGI8PayW95HaWeU
SHA256 : YgaEZgwSrKxirB8bzvxjIzz9ldKkXhpN | IsVan5sOqYUJrPcz+l6bI3yVlCWlHzCb
f1I4fTI8FOg= | /dHjbIBnNS4=
SHA512 : N9PN7Zm2+6zqZEP/2O4EBU0wGfV+q/ap | ZTb1mxGjv2n/vnwq58/rTUQIdW0o/fxa
E/qqtliCxOdacC+jPmF43otCZE34qfd6 | aHoo4c989CS5SN8wO7ZO+ZyK7LikZPe6
A5wLwkdp9CRzuqNIAS/WMg== | dpg9q4ewGLAmwHYMPBbgMg==
CRC32 : aTphhA== | LFRiBQ==
HAVAL : OOqQLrhUONV5Zm6pimcMyDbX0GsFh81n | CS+LNyUR3QflgCfT0e7pW3FSYzXMZKQB
s78/EtSkPEc= | S0VrHY0GV08=
GOST : pI74rIIHDI7TDrCA+Sx/osECG3JGljMk | 05z1Do1bUHdp8pMMcU5LpbBftPvSV824
NX+WsahkgQI= | Qv+qrf4TU6U=
File: /var/ossec/logs/alerts/alerts.json
Size : 303004 | 303699
Bcount : 600 | 608
Mtime : 2021-05-13 13:57:12 -0400 | 2021-05-13 14:27:45 -0400
Ctime : 2021-05-13 13:57:12 -0400 | 2021-05-13 14:27:45 -0400
RMD160 : HI8kVRJVmBHQ12uM4mgjgC8tG7c= | rXlxkYtULGVhokQ2Plf1gsRwfeU=
TIGER : fYh0uHAKUPT1rbJ/b/e/PcFOCIAqIGfn | 5mbOOvGc9vIdu/fu1HhzjYtSCNaMSA+W
SHA256 : xRC0btISZjbwp3HJ6YWTx8qVl/byyU79 | Oal9QcowgkTnOMChs3MoOgTOo0t8xLlu
+GDwaFVbOiM= | 2B3mpC3PNrk=
SHA512 : GYVO1j/fNYVxIe9mlKJRyUgPb3iOjxDZ | w+npPKwSPtMFmu+8+3bJD9tki9aZIvTi
aFCLLqCPpZJZn632rwM7nCTOI41CRQV+ | Ev1ry6SsWUMQ0/pH/SCacBUILfKQVBbU
Jisfz69u8Fc3WEhGfvN4hQ== | nEBwUdlorF+p3oPQ4lpipg==
CRC32 : mIJZOg== | EaLg9w==
HAVAL : Jt9WwS1ZnQ/u1wp8631+MNPgdgDhWD4Q | LrNLJfJrkK3jibcN/6wrrOtC+4K3BIpO
OJBxqeEjgtA= | Sxlq8e5pWqc=
GOST : J9yWuApsLcPuqDbmgp2CKup0spB6MrBS | d2HTAxbMxv7MPiI8lLanW+lSyGM7DvOq
76dAVlPr8QU= | JyOluc+3ikE=
File: /var/ossec/logs/alerts/alerts.log
Size : 196342 | 196713
Bcount : 392 | 400
Mtime : 2021-05-13 13:57:12 -0400 | 2021-05-13 14:27:45 -0400
Ctime : 2021-05-13 13:57:12 -0400 | 2021-05-13 14:27:45 -0400
RMD160 : /5NDXAKCiQxSuPHVbhi9VQOLLak= | IDKuML9GS4sQO8oF6Cxz/vupSJs=
TIGER : 6bAnpVoBW5vDbFQGZtpYFXr9uUYwGrXh | xzLHbWTZVWo7WpTHKvGI8PayW95HaWeU
SHA256 : YgaEZgwSrKxirB8bzvxjIzz9ldKkXhpN | IsVan5sOqYUJrPcz+l6bI3yVlCWlHzCb
f1I4fTI8FOg= | /dHjbIBnNS4=
SHA512 : N9PN7Zm2+6zqZEP/2O4EBU0wGfV+q/ap | ZTb1mxGjv2n/vnwq58/rTUQIdW0o/fxa
E/qqtliCxOdacC+jPmF43otCZE34qfd6 | aHoo4c989CS5SN8wO7ZO+ZyK7LikZPe6
A5wLwkdp9CRzuqNIAS/WMg== | dpg9q4ewGLAmwHYMPBbgMg==
CRC32 : aTphhA== | LFRiBQ==
HAVAL : OOqQLrhUONV5Zm6pimcMyDbX0GsFh81n | CS+LNyUR3QflgCfT0e7pW3FSYzXMZKQB
s78/EtSkPEc= | S0VrHY0GV08=
GOST : pI74rIIHDI7TDrCA+Sx/osECG3JGljMk | 05z1Do1bUHdp8pMMcU5LpbBftPvSV824
NX+WsahkgQI= | Qv+qrf4TU6U=
File: /var/ossec/logs/ossec.log
Size : 11605 | 11757
Mtime : 2021-05-13 13:57:32 -0400 | 2021-05-13 14:25:18 -0400
Ctime : 2021-05-13 13:57:32 -0400 | 2021-05-13 14:25:18 -0400
RMD160 : UrndE9lRw2gEB6OGZuQ/mnGRc7U= | rMF+/kDPzTEQp4+fG4nWvCrRdfk=
TIGER : j4s+XmwXPueAQuAciYwhO7X455MBGq4r | x61JVqPEUAm6ZSQ0S37CA+stHjQyh2KV
SHA256 : 9kdSlM2EjZKe451VHXo+BXd3fAtVsRt8 | qktJymmvRRyM1jjuLlvVscpDMBfs/eds
CcloQ1jNTzo= | EQ5zKH61/2o=
SHA512 : pTDO+6p6JzruJ+AMsZ4LCIqQsKCeagOj | Ga+4TvLk90Q5lTMK1iO/2Zw4Ic0eCLt4
4OeJYhAdNRJ+1QSFabUatNuwltW0uIs+ | 5X0c7AH5GvbUCs5Cw4y9RUHQlGF7BLVA
Sj6ab2HDu0RJEmy/EQVAOA== | cLxxRzeSvk6MKK00DtwotQ==
CRC32 : Xq9wkw== | qoNgtQ==
HAVAL : fMCtlMz5vBfRN/UZm+nigxdn/lphzAag | J6sZyDnrOV+vT07OER46CGex4nUPjNAU
EVwoljewwnk= | hZRJBEQuXvQ=
GOST : vG3FbAnnsorn5Wa69JWn+rVBLNSWOy0o | mi1diJV7nKcX4li9XFdcYs1rA4rLzcSI
TvuIiF4Ohzo= | r+Y1bqomAjg=
Directory: /var/ossec/queue/db
Mtime : 2021-05-13 13:57:33 -0400 | 2021-05-13 14:25:29 -0400
Ctime : 2021-05-13 13:57:33 -0400 | 2021-05-13 14:25:29 -0400
File: /var/ossec/queue/db/000.db
Size : 2113536 | 2228224
Bcount : 4128 | 4328
Mtime : 2021-05-13 13:57:33 -0400 | 2021-05-13 14:25:29 -0400
Ctime : 2021-05-13 13:57:33 -0400 | 2021-05-13 14:25:29 -0400
RMD160 : h9D0qcSXGbRqsZGJV5wNywYfO30= | OSPi2pAhW/rVJrwB2NL/NGlcc9U=
TIGER : MFWistAyOA7gy+T4ZtmuwmCBghe8ndnN | V00qPUeAtE5+i/uMTSbfidq3Q3dIFxj/
SHA256 : JMeairDZxZUWoA2Rcpw0CoLxUllolk3l | T0UJvOvhurdsnLokgrBqmIUDLVdJ4HI5
j79VsRy1d/E= | 3IPq7G21RZY=
SHA512 : sbtVw881IhIicV5UfsWvpbdOOHzb8aVw | XBE7eta1oMwAsG4kOcj793f16ZqMeGh+
Fy7jrUgDkQSfnMYiNnD329pRbw61OxY8 | k4kw4Q7+lzJYrILo8a5/Ea7cCShz2cnv
j/dO5nqq7H3tHhzou+bf0A== | UU6gNnzyT3HslSTfXm2upQ==
CRC32 : RqsdGg== | LD0Qpw==
HAVAL : vSCMk/LypxzM/KT0mX/xAZkIMZNt8Qeq | 6vHfo9hW75oG2PksEcaE0IPYLlMxukZU
RqMoxzLqfcc= | eIAcYWyfr6w=
GOST : GTCGuUTPs0BM2pSO4/PgO/HXI8P0tgid | Ec053qs2D5hjYO8IxHmW6g6UhW0tK4aE
mYVX1XfJHM8= | vypwpBv5bb8=
File: /var/ossec/queue/diff/debian/535/last-entry
Size : 1024 | 1021
Mtime : 2021-05-13 13:57:08 -0400 | 2021-05-13 14:33:10 -0400
Ctime : 2021-05-13 13:57:08 -0400 | 2021-05-13 14:33:10 -0400
RMD160 : qHsDObPkZuJcZNKKxWUlkN1TmdI= | j2zl43WJTJelXeuFTkIVH8uCW9A=
TIGER : Q8rEdFootqfUPYX6I5u7UC+IBXt1EtQ4 | XPAYBNVvJ+mtPHWOemVeZ7xjls5bE9kQ
SHA256 : tkk1KU58wTyYjwdmyF4aFWWBttu2gnua | 09g04YBhFqG1lbLtHvyxvBcUbNYwnv7p
7eqkATbNMy4= | LfG5wba7E2Q=
SHA512 : sKOr9fAXVeaAfmNGTQrJfAeG4nghNw17 | dE7AD9uML4iQcMmH1W38MJu5ngzLxyvZ
FIjGsgxU3erZS0iIEncQL7XgMBeC9Jts | +e22ULMcqxJC+7GunqeNMn6ADesqjZN1
bllmBgLe/elsofeGAXfRvQ== | Tj6RdqgqnxDEmIPnf1tJKg==
CRC32 : Q0OBsA== | CIXH/Q==
HAVAL : PFRZcbTmd11VMc9WDRKR5nMvyVVbTwU7 | LY0Eu6iQTPTOTyp2TqXW2/IPvBK5dsn3
vnQHgGKEN/Y= | GOFLTBzoCvE=
GOST : 11cAAblplJja5/rktHJDKzFraTKbaqz5 | leGBDPnpRhyRLTGo8QMaMkYHjOSkdqa+
By98fbs8dTw= | +6QrJ4E5rQs=
File: /var/ossec/stats/totals/2021/May/ossec-totals-13.log
Size : 894 | 999
Mtime : 2021-05-13 14:01:16 -0400 | 2021-05-13 15:01:46 -0400
Ctime : 2021-05-13 14:01:16 -0400 | 2021-05-13 15:01:46 -0400
RMD160 : zJ8At9unwQxEzSe9J4GrzbqTMz8= | COrlpQLyTK+TCf8KkThMAyvseig=
TIGER : gs7ydELV5qsqM6gqkk3VubEx9WZvybNH | nNzaNRkTekRV/eE7mrzj8wypqqQ3X02M
SHA256 : OrAiYG8X0UfOSTWwfcFs1gl0CkAwC7aR | 9OjAmTYpHgKyhQ2aXWzbRoTIRjDDpGlk
52uZF3374G8= | SzQNk0h7bHk=
SHA512 : atNLeqF+T7DoIyN5XBh9Z7Lxvtxv88kv | FOxCmlwtkJ2/ej5BM6HX13p9UpiP+9mV
u+XHdKFZIr6UMf7UTycb/+qso33BlVfH | CtmkyaWXNcOhw1moeRUGHKdkRUdWh06a
Mn8sGcjy4DuchZpZeggdyA== | TpH4CYF4P6uMH4VMfhUwDg==
CRC32 : f5dIXg== | lVKiZg==
HAVAL : PO/8wHY4EFaVnO/yUEIPCr9UmrujdHoH | HZF3AmNvk8PNec0OcUHsNWs8TeIJ7Bm/
baDhTTJixt0= | GhgPEEhrtYc=
GOST : SDdETY0dZJHWCQGIl4cggiwFBQwp/Ely | lm4MpfRUd+5kF8PkFi066ESY/4ISLjhy
HVZbNI4G/LM= | /w68fjIDHL4=
Directory: /var/ossec/var/run
Mtime : 2021-05-13 14:12:54 -0400 | 2021-05-13 15:02:04 -0400
Ctime : 2021-05-13 14:12:54 -0400 | 2021-05-13 15:02:04 -0400
File: /var/ossec/var/run/ossec-analysisd.state
Mtime : 2021-05-13 14:12:54 -0400 | 2021-05-13 15:02:04 -0400
Ctime : 2021-05-13 14:12:54 -0400 | 2021-05-13 15:02:04 -0400
Inode : 291862 | 304591
File: /var/ossec/var/run/ossec-remoted.state
Mtime : 2021-05-13 14:12:54 -0400 | 2021-05-13 15:02:04 -0400
Ctime : 2021-05-13 14:12:54 -0400 | 2021-05-13 15:02:04 -0400
Inode : 304591 | 307354
File: /var/ossec/var/wodles/syscollector
Mtime : 2021-05-13 05:03:42 -0400 | 2021-05-13 14:25:18 -0400
Ctime : 2021-05-13 05:03:42 -0400 | 2021-05-13 14:25:18 -0400
RMD160 : t2dgf7PI+qjCpifY2lsAcxDF9Fk= | cntjaDX/DCNzvCfiCA1kXl7KCCM=
TIGER : +Gq9NCskrl71MYuh9vQY/9SKFmdwV2WC | w2KPhzO5tiv/GcsGpi6kfqs8JPsH4h2J
SHA256 : YWnwELAriPpKVUvzp48A36IsQiLiDrPa | 5AwQ6d972QnzU6DymNjanYsORD2V5TIQ
+xaI8POCyBo= | yPakdvhIjIQ=
SHA512 : TmNSY5LxyrRar/OWhzGR/IzBw33HSywQ | adcpxpI3Q9psuemsly3IVcpaXJUKt88W
eQb39k+4WJOY1Dag638EQj0PQDFTJTyo | zbzT2XtMHO8lWny35/AdVVOYvW56aD6K
IfHuoARl+hAG/NeGUrb/Nw== | D0jnB0YUWop4oQI2Exhsgw==
CRC32 : YrOyVA== | Jcfn4Q==
HAVAL : kZ1+RJgVhR5Ye4SBgUA++Opyag/JQw5X | JnJ1PH1Qst5GxeaKBT/G9vvBrJJ1v+iO
7f0i/Y4BMZc= | sGj6SbculZI=
GOST : c56J+RwvEsiWC3j3TwCigV9ip7G26cc4 | iUktb3cvt2mwTIbtf5pD5y2RBq4c0f/1
RjAfGj8Yklg= | 792rogTuXMw=
File: /var/webmin/miniserv.lastcrons
Mtime : 2021-05-13 13:57:08 -0400 | 2021-05-13 14:57:09 -0400
Ctime : 2021-05-13 13:57:08 -0400 | 2021-05-13 14:57:09 -0400
RMD160 : l4hocPE/SHW9NhN2NCF2nQX+fbU= | pm7WC+m645+3fPpMGPfMIbZML1c=
TIGER : AZZbVVUb9d9+o+IPaFHr/1JTepGY0skV | QG8yw6Ma8zTNORA5mvFJgZvdZVRRqarp
SHA256 : OZbnUDEbF2h8/h3wEy+xQ0+qQ+X1IdED | ZmH3hXZrdFopMfPquWUplysApSgaCLbN
tW0z/XmwFgE= | woeJMG74uoY=
SHA512 : ebuDdi38UvLbg7hE5b90rU01dTNsH8PT | pcFF4JY4+w/OL9gujrtJ1OqWyDyQabrM
Vyn01yobjF9ieXuIVgtohQFhfj4V/ciG | VLmyprO+sEYWvkCWE028s350NM1ZOIzI
jH49Npaj0MOT418Lj7sbBw== | feXBta/T/EvgzOi5Uz/oCQ==
CRC32 : /ZYiew== | 8UcOAw==
HAVAL : K2mLlgdjxme5iRQ8+GS1fbIa0wkKR4Q2 | nMGCLXkIIls7X6YraMeRbq3+mnboYOe8
fUXtscLxzYw= | pidvAJg7Q0M=
GOST : eMerS2vevb7fswadmjiZLo0ImDxQ2uo/ | 5rwUUkXBg6z9QsYhGJ7pOVkwaeZfHt5X
fRjhDng5dWg= | c1AvM7h2otw=
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db
RMD160 : 7x5/c1dpNifnCqEfbegXkgeUYZ8=
TIGER : /TaHlucsBgKis1UAWqApNi05/irDr/EK
SHA256 : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO
ZgZLEM5aZRo=
SHA512 : VwkOKebuBWzrAAhNdeyI/KlgrJGp+Cx7
E/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb
8rx7wQ2VMcn1aDfA8aXtNQ==
CRC32 : ibeVcw==
HAVAL : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1
7TtzPAdV9Nk=
GOST : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F
8vsT+WVZAjQ=
End timestamp: 2021-05-13 15:02:37 -0400 (run time: 3m 0s)
From the output above, AIDE found a number of filesystem changes. Review the report.
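A report of this size is easier to act on when its summary is parsed rather than read top to bottom. The following Python script is an added example, not code from this tutorial or from the AIDE project: it parses the Added/Removed/Changed summary lines of an AIDE 0.16 report, decodes the per-attribute flag string on each changed line, and separates content changes (checksum, permissions, ownership, security attributes) from timestamp-only churn such as the /run and /var/ossec entries above. The embedded sample report is constructed from lines of the output shown here; the flag-column layout, the set of "content" attributes, the watched prefixes and all function names (decode_flags, parse_summary, needs_review, triage) are my assumptions.

```python
"""Parse the summary section of an AIDE 0.16 report and separate content changes
from metadata-only churn.

Added example for this tutorial, not code from the AIDE project. The flag string
on each "Changed entries" line is read with the column layout documented for the
summarize_changes option in aide.conf(5), YlZbpugamcinCAXSE: file type, link
name, size, block count, permissions, uid, gid, atime, mtime, ctime, inode, link
count, checksum, ACL, xattrs, SELinux context, e2fs attributes. A '.' means
compared and unchanged, a space means not compared, '=' in the size column means
same size, and any other character marks a change (treating ':' as "not a change"
is an assumption).
"""
from dataclasses import dataclass

# Column names for flag positions 1..16 (position 0 is the file type).
ATTRS = ("linkname", "size", "bcount", "perm", "uid", "gid", "atime", "mtime",
         "ctime", "inode", "linkcount", "checksum", "acl", "xattrs", "selinux",
         "e2fsattrs")
FLAG_WIDTH = 1 + len(ATTRS)          # 17 characters
UNCHANGED_MARKS = set(". =:+-")      # '.', space, '=' and ':' are not changes;
                                     # '+' and '-' fill added/removed lines

# Attributes whose change means the object itself differs, not just its timestamps.
CONTENT_ATTRS = frozenset({"linkname", "perm", "uid", "gid", "checksum",
                           "acl", "xattrs", "selinux", "e2fsattrs"})

SECTION_HEADERS = {"Added entries:": "added", "Removed entries:": "removed",
                   "Changed entries:": "changed"}
END_OF_SUMMARY = ("Detailed information about changes:",
                  "The attributes of the (uncompressed) database(s):")


@dataclass(frozen=True)
class Entry:
    kind: str            # "added", "removed" or "changed"
    ftype: str           # 'f' file, 'd' directory, 'l' symlink, ...
    path: str
    changed: frozenset   # attribute names that differ (empty for added/removed)


def decode_flags(flags: str):
    """Return (file type, set of changed attribute names) for one flag string.
    Copy-paste and extraction often drop trailing '.' characters, so the string
    is padded back to its full width before decoding."""
    flags = flags.ljust(FLAG_WIDTH)
    changed = {name for name, mark in zip(ATTRS, flags[1:FLAG_WIDTH])
               if mark not in UNCHANGED_MARKS}
    return flags[0], frozenset(changed)


def parse_summary(report: str):
    """Extract added/removed/changed entries from the summary part of a report."""
    entries, section = [], None
    for raw in report.splitlines():
        line = raw.rstrip()
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        if line in END_OF_SUMMARY:
            break
        if section is None or ": /" not in line:
            continue                      # separators, counters, blank lines
        flags, path = line.split(": /", 1)
        ftype, changed = decode_flags(flags)
        entries.append(Entry(section, ftype, "/" + path,
                             changed if section == "changed" else frozenset()))
    return entries


def needs_review(entry: Entry) -> bool:
    """Added or removed objects, and changes to content, ownership, permissions or
    security attributes, deserve a human look; timestamp/size/inode churn does not."""
    return entry.kind != "changed" or bool(entry.changed & CONTENT_ATTRS)


def triage(entries, watched=("/etc/", "/bin/", "/sbin/", "/usr/", "/boot/")):
    """Return (review, churn): review holds entries that need a look, watched
    system paths first; churn holds metadata-only changes."""
    review = sorted((e for e in entries if needs_review(e)),
                    key=lambda e: (not e.path.startswith(watched), e.path))
    churn = [e for e in entries if not needs_review(e)]
    return review, churn


# Constructed sample: summary lines taken from the check output in the tutorial,
# including one directory line whose trailing '.' was lost in copy-paste.
SAMPLE_REPORT = """\
Start timestamp: 2021-05-13 14:59:37 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 205656
Added entries: 1
Removed entries: 1
Changed entries: 4
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /var/lib/aide/aide.db
---------------------------------------------------
Removed entries:
---------------------------------------------------
l----------------: /run/systemd/units/invocation:session-3.scope
---------------------------------------------------
Changed entries:
---------------------------------------------------
f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /etc/hosts
f =.... mc..... .: /run/systemd/timesync/synchronized
d <.... mc.. .. : /run/systemd/units
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/hosts
Size : 186 | 218
"""

if __name__ == "__main__":
    review, churn = triage(parse_summary(SAMPLE_REPORT))
    for e in review:
        print(f"REVIEW {e.kind:8} {e.ftype} {e.path} {sorted(e.changed)}")
    for e in churn:
        print(f"churn  {e.kind:8} {e.ftype} {e.path} {sorted(e.changed)}")
```

Run as a script it prints the four entries that deserve attention (the two /etc files with checksum changes first, then the added database and the removed systemd scope link) ahead of the two /run entries that only moved in time. Feeding it a full report saved with `aide -c /etc/aide/aide.conf -C > report.txt` works the same way, since only the summary section is parsed.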
Testing AIDE on Debian 10
You can now create, edit and delete some files, then re-run the AIDE check to see how AIDE detects these changes.
echo "1.2.3.4 test.kifarunix-demo.com" >> /etc/hosts
touch /etc/newfile
rm -rf /etc/issue
After all these changes, re-run the AIDE database check against the filesystem.
aide -c /etc/aide/aide.conf -C
Sample output;
Start timestamp: 2021-05-13 15:08:24 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Verbose level: 6
Summary:
Total number of entries: 205656
Added entries: 2
Removed entries: 2
Changed entries: 24
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /etc/newfile
f++++++++++++++++: /var/lib/aide/aide.db
---------------------------------------------------
Removed entries:
---------------------------------------------------
f----------------: /etc/issue
l----------------: /run/systemd/units/invocation:session-3.scope
---------------------------------------------------
Changed entries:
---------------------------------------------------
f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /etc/hosts
...
Limiting AIDE's Integrity Checks to Specific Files/Directories
To limit the integrity checks to specific entries, for example /etc, pass the --limit REGEX option to the AIDE check command, where REGEX is a regular expression matching the entries to check.
For example, to check the database entries matching /etc, you would run the aide command as shown below;
aide -c /etc/aide/aide.conf --limit /etc --check
Sample output;
Start timestamp: 2021-05-13 15:13:34 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Limit: /etc | Verbose level: 6
Summary:
Total number of entries: 205656
Added entries: 1
Removed entries: 1
Changed entries: 2
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /etc/newfile
---------------------------------------------------
Removed entries:
---------------------------------------------------
f----------------: /etc/issue
---------------------------------------------------
Changed entries:
---------------------------------------------------
f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /etc/hosts
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/aide/aide.conf
Size : 6598 | 46195
Bcount : 16 | 96
Mtime : 2016-04-16 13:57:29 -0400 | 2021-05-13 14:52:51 -0400
Ctime : 2021-05-13 05:34:15 -0400 | 2021-05-13 14:52:51 -0400
RMD160 : kHZi6LuS1X5nlHkrtCLV9UdgDxo= | 8wjI15r0D6K1MUVoiyjJPOlGv18=
TIGER : 4Xz+mZRAxr2kNIGOmTNJa/7Ftv+VpV37 | 5D516C4863lj53Gcsjw6criLTX43JoSL
SHA256 : RN1UT38/wRA8N5o4M4MHU8N+G49sK9nB | awEfe2H7plz+FstE6NEEHwBsthaweMji
0B5VVewz3h8= | WcEO1u90BTg=
SHA512 : o4LOstw3erheco5dpKcKLadGav29Ud9E | DeNIyQrjM8tDAfJdjLTYMTgDPvft/kjH
ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | 9GJbw/K4u+WwMMUeg8iKdNkCL6YPc49X
yKP7Fvoitf+jHcriq57Pgg== | xEkz4dL2MjSFBj0i+zQW1g==
CRC32 : S3Rhfg== | XsRmRw==
HAVAL : +O7017egNOm+/TJW/3HxeQcxmz55pDM7 | 2nb6INYq7XrgjDfncGvqSEz+UwXIYtSB
S+TXtMWVN/E= | 4YrUy9kI6IU=
GOST : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | omvkgMtCPG2xKS2Sbe3PVUKg8+ZNve9j
NhV8dix9LIw= | Zf744WY7Flk=
File: /etc/hosts
Size : 186 | 218
Mtime : 2021-01-29 14:23:36 -0500 | 2021-05-13 15:07:59 -0400
Ctime : 2021-01-29 14:23:36 -0500 | 2021-05-13 15:07:59 -0400
RMD160 : pgg6hjBhDjMlk+l8yu0LB1SL7o8= | sUqfThZK2gYBG5rgKCY0882JsFE=
TIGER : 6rCGqnmCVSK81X5SatwKyW6Cybt1B9yP | 04im6NfESOdCKzANx6VA3ehjZ0skylIh
SHA256 : XJiphdFN5h4JGKNCqvrG71xF+FyFEi5E | rjTkky/c4992255kH3yXciO+SHZa8wlA
SvfqvfKxUng= | 9brQo29MU+o=
SHA512 : Frpi7XYfQq7SA8HSImzFystaarku/1Cs | jqUFxAQYoNlj5LXVZxn6kJGwQLePCWcs
Ba7vka2boOYZsqzVoXq0c6zlxb5AVX7J | Ay3i8i8bAv59cfjRpxQpTj3rNdeS70pp
Yl+VEG/SZpPvca+6xn4P8Q== | xj1P9YWWTtn6unB6ZON2pg==
CRC32 : xZ01PQ== | 9LtLwA==
HAVAL : 17oJH6iVQGXq3ge2uXnwumq0xCLaF+fS | Qty/rrMbvG1RTmj6+PvPUtB6zAk6x/na
Goy5GCiijPI= | oiBWgvPWsmY=
GOST : X8Mnh75FrKoDQl88Ez1l0hRH4pR9lOon | zjAjM0BCHajG4Xb1AIZGOXOzjOtRQ7lZ
jkxNlJeC1fA= | EzBfUnAXze0=
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db
RMD160 : 7x5/c1dpNifnCqEfbegXkgeUYZ8=
TIGER : /TaHlucsBgKis1UAWqApNi05/irDr/EK
SHA256 : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO
ZgZLEM5aZRo=
SHA512 : VwkOKebuBWzrAAhNdeyI/KlgrJGp+Cx7
E/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb
8rx7wQ2VMcn1aDfA8aXtNQ==
CRC32 : ibeVcw==
HAVAL : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1
7TtzPAdV9Nk=
GOST : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F
8vsT+WVZAjQ=
End timestamp: 2021-05-13 15:14:04 -0400 (run time: 0m 30s)
Exclude Specific Directories from AIDE Checks
To exclude some directories, edit the configuration file, /etc/aide/aide.conf, and add the directories to ignore at the end of the file in the format;
!/home/
!/var/lib/
!/proc
Using Custom AIDE Configuration
You can also create your own configuration and define what needs to be checked and what not.
See example configuration below;
mkdir /home/koromicha/aide
vim /home/koromicha/aide/aide.conf
# Path for creating the databases
database=file:/home/koromicha/aide/aide.db
database_out=file:/home/koromicha/aide/aide.db.new
database_new=file:/home/koromicha/aide/aide.db.new
# Set your own AIDE rule.
MYRULE=p+n+u+g+s+m+c+xattrs+md5+sha512
# Directories/files to be monitored and the rule to apply
#/etc MYRULE
#/bin MYRULE
#/usr/bin MYRULE
/home MYRULE
# Directories to ignore
!/proc
Basically, the rule set above (p+n+u+g+s+m+c+xattrs+md5+sha512) checks:
- permissions,
- number of links,
- user,
- group,
- size,
- modification time,
- inode/file change time,
- extended file attributes,
- MD5 checksum,
- SHA512 checksum.
Initialize the database with the new configuration;
aide -c /home/koromicha/aide/aide.conf -i
Copy the database in place;
cp /home/koromicha/aide/aide.db{.new,}
AIDE Diagnostics
Verify the configuration file for errors by running the command below;
aide -c /home/koromicha/aide/aide.conf --config-check
Check the command exit status.
echo $?
According to the AIDE man pages, AIDE's exit status is normally 0 if no errors occurred, except when the --check, --compare or --update command was requested, in which case the exit status is defined as:
1 * (new files detected?) +
2 * (removed files detected?) +
4 * (changed files detected?)
Since those three cases can occur together, the respective error codes are added. For example, if there are new files and removed files detected, the exit status will be 1 + 2 = 3.
Additionally, the following exit codes are defined for generic error conditions:
14 Error writing error
15 Invalid argument error
16 Unimplemented function error
17 Invalid configureline error
18 IO error
19 Version mismatch error
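As an added example (not from this tutorial or the AIDE project), the following Python helpers decode that exit status into the three conditions it encodes and the generic error codes listed above, and wrap a check so a script can react to each condition separately instead of treating every non-zero status alike. The configuration path is the tutorial's custom one, the aide binary is assumed to be on PATH, and the function names (decode_exit_status, summarize, run_aide, check_integrity, accept_baseline) are mine.

```python
"""Decode AIDE's exit status and drive a check from Python.

Added example for this tutorial, not code from the AIDE project. The bit values
(1 new, 2 removed, 4 changed) and the generic error codes 14-19 are the ones
quoted above from the aide man page. The config path and the aide binary
location are assumptions for the tutorial's custom setup.
"""
import shutil
import subprocess
from typing import Sequence

NEW, REMOVED, CHANGED = 1, 2, 4          # bits of a --check/--compare/--update status
GENERIC_ERRORS = {
    14: "error writing error",
    15: "invalid argument error",
    16: "unimplemented function error",
    17: "invalid configureline error",
    18: "IO error",
    19: "version mismatch error",
}


def decode_exit_status(code: int) -> dict:
    """Map an aide exit status to its meaning.

    0 means no differences and no error; 1..7 is a bit mask of the three
    difference conditions; 14..19 are the generic error conditions. Anything
    else is reported as an unknown status rather than silently treated as clean.
    """
    if 0 <= code <= 7:
        return {"ok": True, "new": bool(code & NEW), "removed": bool(code & REMOVED),
                "changed": bool(code & CHANGED), "error": None}
    return {"ok": False, "new": False, "removed": False, "changed": False,
            "error": GENERIC_ERRORS.get(code, f"unknown exit status {code}")}


def summarize(status: dict) -> str:
    """One-line description suitable for a log line or a mail subject."""
    if status["error"]:
        return "aide failed: " + status["error"]
    found = [name for name in ("new", "removed", "changed") if status[name]]
    return "differences: " + ", ".join(found) if found else "no differences"


def run_aide(args: Sequence[str], aide_bin: str = "aide"):
    """Run aide with the given arguments and return (exit status, combined output)."""
    proc = subprocess.run([aide_bin, *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def check_integrity(config: str = "/home/koromicha/aide/aide.conf") -> dict:
    """Run aide --check against CONFIG and return the decoded status plus the report.
    Nothing here touches the baseline: a new database should only be copied into
    place after a human has reviewed the reported differences."""
    code, report = run_aide(["-c", config, "--check"])
    status = decode_exit_status(code)
    status.update(exit_code=code, report=report, summary=summarize(status))
    return status


def accept_baseline(config: str, db_new: str, db: str) -> dict:
    """Rebuild the baseline with aide --init and copy it into place (the manual
    'aide -c CONFIG -i' followed by 'cp db.new db' step of the tutorial). Call
    this only after the last report was reviewed and the changes are legitimate."""
    code, output = run_aide(["-c", config, "--init"])
    status = decode_exit_status(code)
    if status["ok"]:
        shutil.copy2(db_new, db)
    status.update(exit_code=code, report=output)
    return status


if __name__ == "__main__":
    result = check_integrity()
    print(f"aide exit status {result['exit_code']}: {result['summary']}")
```

In a cron or monitoring wrapper, `check_integrity()` gives you the report text and a structured status in one call, so a status of 3 can be routed as "new and removed files" while 17 is escalated as a configuration error rather than being mistaken for a finding.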
NOTE: Whenever you make any AIDE configuration changes, remember to initialize the database to create a baseline.
Make some changes, such as creating a new directory and a new file;
rm -rf /home/koromicha/aide/aide.db.new
mkdir /home/koromicha/test-dir
touch /home/koromicha/test-file
You can then run AIDE against your custom configuration.
aide -c /home/koromicha/aide/aide.conf -C
Start timestamp: 2021-05-13 15:20:06 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 10
Added entries: 3
Removed entries: 1
Changed entries: 2
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /home/koromicha/aide/aide.db
d++++++++++++++++: /home/koromicha/test-dir
f++++++++++++++++: /home/koromicha/test-file
---------------------------------------------------
Removed entries:
---------------------------------------------------
f----------------: /home/koromicha/aide/aide.db.new
---------------------------------------------------
Changed entries:
---------------------------------------------------
d = ... mc n . : /home/koromicha
d = ... mc . . : /home/koromicha/aide
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /home/koromicha
Mtime : 2021-05-13 15:17:02 -0400 | 2021-05-13 15:19:59 -0400
Ctime : 2021-05-13 15:17:02 -0400 | 2021-05-13 15:19:59 -0400
Linkcount: 3 | 4
Directory: /home/koromicha/aide
Mtime : 2021-05-13 15:18:19 -0400 | 2021-05-13 15:19:59 -0400
Ctime : 2021-05-13 15:18:19 -0400 | 2021-05-13 15:19:59 -0400
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/home/koromicha/aide/aide.db
MD5 : f0gmAXaAnpmsLpcqEB2yaw==
SHA1 : HjZ96ZFaLaGXT7oLQHetDByRcfg=
RMD160 : ND0cqBPVsKaZw6peqJq81oAckx8=
TIGER : GsNazCXJu/wNbSTKyXUSPXgGImsKYZSj
SHA256 : yz0xi62lx4v4yxwvcVG4DcrEpaszxCFi
M5SFuRB7rFc=
SHA512 : bMqIRxmfMz/Id1aKhKNUfZbG6I/Jn5UD
6+G7x0oTFwf/GxUn8AVbhDyitO4bDjE/
6yw2N+Ea4b69UgYkt8v6xQ==
CRC32 : amnOHQ==
HAVAL : lKVe1OAZ/RHx8vq3AH1td++qnLZhomN/
8VWvgolh12Y=
GOST : WzrpoPdX5kbKV9+XXKO2B6mWdyPq2m17
u3querF/YTk=
WHIRLPOOL: gsUPlPVbwDJYOXOWi30/1PXONnTZqMGM
fQOCS8VsEpV9tYUuM2Yrb78hCjfjACla
SdxnhuyiM3DPwIVS9c1x9Q==
End timestamp: 2021-05-13 15:20:06 -0400 (run time: 0m 0s)
Sending AIDE Report via Mail
By default, the AIDE package installs a daily cron script, /etc/cron.daily/aide, upon installation.
The output of the checks is mailed to the user specified in the MAILTO= directive of the /etc/default/aide configuration file, as detailed above.
To send the AIDE report via mail, edit the file /etc/default/aide and set the value of the MAILTO directive to your email address so that it looks like below. The default recipient is root.
vim /etc/default/aide
...
#MAILTO=root
[email protected]
Most of the AIDE default parameter settings are defined in this file. It is well commented, so go through it to see what other options can be enabled or disabled.
Email delivery can only work if you have configured your MTA for email transfer. Follow the links below to learn how to configure Postfix to use Gmail SMTP for relay;
Configure Postfix to Use Gmail SMTP
Configure Postfix to Use Gmail SMTP on Ubuntu 18.04
Instead of using the cron mail recipient address above, you can edit Postfix mail aliases and set an alias for root to the email address you want to receive AIDE report on;
vim /etc/aliases
postmaster: root
root: [email protected]
Ensure you update aliases;
newaliases
You can as well install a cron job to execute AIDE at specific time intervals;
sudo crontab -e
*/10 * * * * aide -c /home/koromicha/aide/aide.conf -u && cp /home/koromicha/aide/aide.db{.new,}
This will execute the AIDE check every 10 mins and email the report to [email protected] as per my setup. Because aide -u exits non-zero whenever it detects changes, the cp after && only runs when the check was clean, so a baseline that has drifted is not silently replaced; review the report before copying the new database into place.
It is also good to note that AIDE checks might be resource intensive and may cause a performance issue on your system during integrity checks. If you are scanning system wide, be sure to provide “enough” resources.
You’ll need package ‘aide-common’ to get configuration files in /etc.
Thanks for the feedback John.
Very useful. There’s a subtle difference between older Debian versions that this helped me understand.
Running it on bullseye just works as per the regular docs. On buster it ignores the /etc/aide/aide.conf in favour of using aide-update.conf and /var/lib/aide/aide.conf.autogenerated.
It caused me some frustration until I found this page.
Thank you.