Install and Configure AIDE on Debian 10


In this tutorial, you will learn how to install and configure AIDE on Debian 10. AIDE stands for Advanced Intrusion Detection Environment.

AIDE is an intrusion detection system that detects changes to files on the local system. It creates a database from the regular expression rules that it finds from the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of the file. More algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies. Some of the file properties that AIDE can check include file permissions, inodes, modification time, file contents, user, group, file size…

Install and Configure AIDE on Debian 10

Run System Update

Before you can begin to install and configure AIDE on Debian 10, update your system package index;

apt update

Install AIDE on Debian 10

AIDE is available on the default Debian repositories.

apt-cache policy aide
aide:
  Installed: (none)
  Candidate: 0.16.1-1
  Version table:
     0.16.1-1 500
        500 http://deb.debian.org/debian buster/main amd64 Packages

However, as of this writing, the current release version of AIDE is 0.17.3.

Unfortunately, the Debian repos do not yet provide this latest release, as it is still in testing. We will therefore install the stable release available from the default repos, which is AIDE v0.16.1-1.

Execute the command below to install the stable release version of AIDE on Debian 10;

apt install aide

Once AIDE has been successfully installed, you can verify the installed version by executing;

aide -v

The command shows the currently installed version of AIDE as well as the options it was compiled with.

Aide 0.16.1

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
WITH_AUDIT
CONFIG_FILE = "/dev/null"

Configuring AIDE on Debian 10

The general configuration file for AIDE is located under /etc/default/aide.

The rules and other configurations resides under /etc/aide/.

The AIDE database is located under /var/lib/aide/.

Initialize AIDE Database on Debian 10

Create new AIDE database.

aideinit

The aideinit command creates a new baseline database, /var/lib/aide/aide.db.new.

The command may take a few minutes to complete.

Running aide --init...
Start timestamp: 2021-05-13 14:06:27 -0400 (AIDE 0.16.1)
AIDE initialized database at /var/lib/aide/aide.db.new
Verbose level: 6

Number of entries:	205656

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new
  RMD160   : 7x5/c1dpNifnCqEfbegXkgeUYZ8=
  TIGER    : /TaHlucsBgKis1UAWqApNi05/irDr/EK
  SHA256   : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO
             ZgZLEM5aZRo=
  SHA512   : VwkOKebuBWzrAAhNdeyI/KlgrJGp+Cx7
             E/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb
             8rx7wQ2VMcn1aDfA8aXtNQ==
  CRC32    : ibeVcw==
  HAVAL    : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1
             7TtzPAdV9Nk=
  GOST     : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F
             8vsT+WVZAjQ=


End timestamp: 2021-05-13 14:13:05 -0400 (run time: 6m 38s)

As you can see, a new baseline AIDE database has been created, /var/lib/aide/aide.db.new.

Install New AIDE Database

To install the newly created AIDE database, copy it into place as follows;

cp /var/lib/aide/aide.db{.new,}

Rebuild AIDE Configuration

To update the AIDE runtime configuration, /etc/aide/aide.conf, execute the command below;

update-aide.conf

The command generates a new configuration file, /var/lib/aide/aide.conf.autogenerated. Copy the new configuration file to the default AIDE configs directory, overwriting the existing one;

cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf

Check AIDE Database for any Inconsistencies

Once the new configuration is generated, run the manual database check against the new configuration by executing the command below;

aide -c /etc/aide/aide.conf -C

The command compares the AIDE database against the current filesystem and reports every deviation. See the example output below;

Start timestamp: 2021-05-13 14:59:37 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Verbose level: 6

Summary:
  Total number of entries:	205656
  Added entries:		1
  Removed entries:		1
  Changed entries:		23

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------
Removed entries:
---------------------------------------------------

l----------------: /run/systemd/units/invocation:session-3.scope

---------------------------------------------------
Changed entries:
---------------------------------------------------

f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /root/.bash_history
f =.... mc.....  : /run/systemd/timesync/synchronized
d <.... mc.. ..  : /run/systemd/units
f <b... mc..C.. .: /var/lib/dhcp/dhclient.leases
f =.... mc..... .: /var/lib/systemd/timers/stamp-anacron.timer
f =.... mc..... .: /var/lib/systemd/timesync/clock
d =.... mc.. .. .: /var/ossec/etc/shared/default
f =.... mc..... .: /var/ossec/etc/shared/default/merged.mg
f >b... mc..C.. .: /var/ossec/logs/alerts/2021/May/ossec-alerts-13.json
f >b... mc..C.. .: /var/ossec/logs/alerts/2021/May/ossec-alerts-13.log
f >b... mc..C.. .: /var/ossec/logs/alerts/alerts.json
f >b... mc..C.. .: /var/ossec/logs/alerts/alerts.log
f >.... mc..C.. .: /var/ossec/logs/ossec.log
d =.... mc.. .. .: /var/ossec/queue/db
f >b... mc..C.. .: /var/ossec/queue/db/000.db
f <.... mc..C.. .: /var/ossec/queue/diff/debian/535/last-entry
f >.... mc..C.. .: /var/ossec/stats/totals/2021/May/ossec-totals-13.log
d =.... mc.. .. .: /var/ossec/var/run
f =.... mci.... .: /var/ossec/var/run/ossec-analysisd.state
f =.... mci.... .: /var/ossec/var/run/ossec-remoted.state
f =.... mc..C.. .: /var/ossec/var/wodles/syscollector
f =.... mc..C.. .: /var/webmin/miniserv.lastcrons

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/aide/aide.conf
  Size     : 6598                             | 46195
  Bcount   : 16                               | 96
  Mtime    : 2016-04-16 13:57:29 -0400        | 2021-05-13 14:52:51 -0400
  Ctime    : 2021-05-13 05:34:15 -0400        | 2021-05-13 14:52:51 -0400
  RMD160   : kHZi6LuS1X5nlHkrtCLV9UdgDxo=     | 8wjI15r0D6K1MUVoiyjJPOlGv18=
  TIGER    : 4Xz+mZRAxr2kNIGOmTNJa/7Ftv+VpV37 | 5D516C4863lj53Gcsjw6criLTX43JoSL
  SHA256   : RN1UT38/wRA8N5o4M4MHU8N+G49sK9nB | awEfe2H7plz+FstE6NEEHwBsthaweMji
             0B5VVewz3h8=                     | WcEO1u90BTg=
  SHA512   : o4LOstw3erheco5dpKcKLadGav29Ud9E | DeNIyQrjM8tDAfJdjLTYMTgDPvft/kjH
             ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | 9GJbw/K4u+WwMMUeg8iKdNkCL6YPc49X
             yKP7Fvoitf+jHcriq57Pgg==         | xEkz4dL2MjSFBj0i+zQW1g==
  CRC32    : S3Rhfg==                         | XsRmRw==
  HAVAL    : +O7017egNOm+/TJW/3HxeQcxmz55pDM7 | 2nb6INYq7XrgjDfncGvqSEz+UwXIYtSB
             S+TXtMWVN/E=                     | 4YrUy9kI6IU=
  GOST     : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | omvkgMtCPG2xKS2Sbe3PVUKg8+ZNve9j
             NhV8dix9LIw=                     | Zf744WY7Flk=

File: /root/.bash_history
  Size     : 5796                             | 8040
  Mtime    : 2021-05-11 10:25:18 -0400        | 2021-05-13 14:27:45 -0400
  Ctime    : 2021-05-13 05:14:51 -0400        | 2021-05-13 14:27:45 -0400
  RMD160   : r8qlsnSTkGosX0fsArK8zsWqTXU=     | 1upKL9INTLUGKEWMIxLmc8CRxJ4=
  TIGER    : 2uPjP9oFh0nVhGjPQqJti44Q3bF4KHNq | +pJmPgLgd3blY4u+BA6AZiwto8VS5Cvl
  SHA256   : dCwQv9ucRkmGT0fl5ucRdu+mP9xzM2pF | x2EA+tw6mqkGRq33h7dLOr/t0pX3HR61
             w26HE7Pws5Y=                     | vQDZsEhmJD8=
  SHA512   : /W3bSTf1qOpkav1Gucjv0iCcGn0Z7G6U | kxOIprR2dkw/LCCZg61E5kBGSpi4ZGA3
             rUh3loPZBEQDvGrMc+9zw5FZKko4tfOM | 6T3UZ0Cr22B5CWWkoObGZQ24e3NvmTH5
             1v/0FqiB4MhBvZkGU5l0cA==         | pcAhiv4GdP83jO5+Hm2kpA==
  CRC32    : KkRAtg==                         | SUGh1Q==
  HAVAL    : JBPLwPshi3ls05OEx2RA4yCYLt7m8+wS | Jb1L2/dFG0A8ghyV1txmjwlgsZ1wb8f0
             a3UmYwGZDJo=                     | MOpMWDzQHAs=
  GOST     : NK8Tmk801XGP72lQktmnfPJ34DFQOuYs | FBMm5BduPdQ2EIw3bYLAS+0uhvdXKSa9
             OFvxMiIcmXI=                     | 11y3Y1oUsyg=

File: /run/systemd/timesync/synchronized
  Mtime    : 2021-05-13 14:05:09 -0400        | 2021-05-13 14:30:46 -0400
  Ctime    : 2021-05-13 14:05:09 -0400        | 2021-05-13 14:30:46 -0400

Directory: /run/systemd/units
  Size     : 940                              | 920
  Mtime    : 2021-05-13 14:01:15 -0400        | 2021-05-13 14:31:33 -0400
  Ctime    : 2021-05-13 14:01:15 -0400        | 2021-05-13 14:31:33 -0400

File: /var/lib/dhcp/dhclient.leases
  Size     : 5344                             | 2222
  Bcount   : 16                               | 8
  Mtime    : 2021-05-13 14:08:06 -0400        | 2021-05-13 15:01:44 -0400
  Ctime    : 2021-05-13 14:08:06 -0400        | 2021-05-13 15:01:44 -0400
  RMD160   : x6g8TEahygu/Y6vTVmTHz+jG7/g=     | A8i8GUKMIZPvQ67ncZ3vaCulf24=
  TIGER    : vopFlCGZMR5fD59z2IyqwGTPB4vaPLL7 | ZTotg1uJnCtyljIMyukQsXdIcRxRMBpb
  SHA256   : 4aB4sFExXuQgHU36/U4Gpllva+ew5BwK | rPPBKCIrTIK3E4l8g1kcMDEYIWsBAK7g
             K6IzFjbxGtI=                     | XeH+hNDUQVg=
  SHA512   : oauEMDY2HKK4cNHJyaE9zL9jeIZomb+B | oL4A/nW81CzmU+wLwL2gj4o5i+RSFuDr
             Qr66zW+FblCBjpX9+hPP+C3GWkuhooVO | dMRE57iAr5zpQIaNrsULOBcjf+xVl9/x
             DFLNYa2uAy7M+IZsAoXD1w==         | jWyRn+SAWeFgCbrQ1wVNuA==
  CRC32    : vKR/CQ==                         | iP46NQ==
  HAVAL    : 52H8l2m8tGeeGGb7gC3N3bHcid1pvWDB | pcYoOf6Vk2JyMWqP7qOh+URg9Gz0Cabx
             DZLJ7dflako=                     | kht7TRr3I0A=
  GOST     : 4YlQabl31XCpQCioZVXpyR+cDcW4po24 | RUA3L4LrEvpAz3LYTDG+38Qz4Aco1HKz
             81HDK676bSU=                     | gGtZSrw6AlE=

File: /var/lib/systemd/timers/stamp-anacron.timer
  Mtime    : 2021-05-13 13:57:07 -0400        | 2021-05-13 14:31:33 -0400
  Ctime    : 2021-05-13 13:57:07 -0400        | 2021-05-13 14:31:33 -0400

File: /var/lib/systemd/timesync/clock
  Mtime    : 2021-05-13 14:05:09 -0400        | 2021-05-13 14:30:46 -0400
  Ctime    : 2021-05-13 14:05:09 -0400        | 2021-05-13 14:30:46 -0400

Directory: /var/ossec/etc/shared/default
  Mtime    : 2021-05-13 14:12:09 -0400        | 2021-05-13 15:01:44 -0400
  Ctime    : 2021-05-13 14:12:09 -0400        | 2021-05-13 15:01:44 -0400

File: /var/ossec/etc/shared/default/merged.mg
  Mtime    : 2021-05-13 14:12:09 -0400        | 2021-05-13 15:01:44 -0400
  Ctime    : 2021-05-13 14:12:09 -0400        | 2021-05-13 15:01:44 -0400

File: /var/ossec/logs/alerts/2021/May/ossec-alerts-13.json
  Size     : 303004                           | 303699
  Bcount   : 600                              | 608
  Mtime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  Ctime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  RMD160   : HI8kVRJVmBHQ12uM4mgjgC8tG7c=     | rXlxkYtULGVhokQ2Plf1gsRwfeU=
  TIGER    : fYh0uHAKUPT1rbJ/b/e/PcFOCIAqIGfn | 5mbOOvGc9vIdu/fu1HhzjYtSCNaMSA+W
  SHA256   : xRC0btISZjbwp3HJ6YWTx8qVl/byyU79 | Oal9QcowgkTnOMChs3MoOgTOo0t8xLlu
             +GDwaFVbOiM=                     | 2B3mpC3PNrk=
  SHA512   : GYVO1j/fNYVxIe9mlKJRyUgPb3iOjxDZ | w+npPKwSPtMFmu+8+3bJD9tki9aZIvTi
             aFCLLqCPpZJZn632rwM7nCTOI41CRQV+ | Ev1ry6SsWUMQ0/pH/SCacBUILfKQVBbU
             Jisfz69u8Fc3WEhGfvN4hQ==         | nEBwUdlorF+p3oPQ4lpipg==
  CRC32    : mIJZOg==                         | EaLg9w==
  HAVAL    : Jt9WwS1ZnQ/u1wp8631+MNPgdgDhWD4Q | LrNLJfJrkK3jibcN/6wrrOtC+4K3BIpO
             OJBxqeEjgtA=                     | Sxlq8e5pWqc=
  GOST     : J9yWuApsLcPuqDbmgp2CKup0spB6MrBS | d2HTAxbMxv7MPiI8lLanW+lSyGM7DvOq
             76dAVlPr8QU=                     | JyOluc+3ikE=

File: /var/ossec/logs/alerts/2021/May/ossec-alerts-13.log
  Size     : 196342                           | 196713
  Bcount   : 392                              | 400
  Mtime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  Ctime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  RMD160   : /5NDXAKCiQxSuPHVbhi9VQOLLak=     | IDKuML9GS4sQO8oF6Cxz/vupSJs=
  TIGER    : 6bAnpVoBW5vDbFQGZtpYFXr9uUYwGrXh | xzLHbWTZVWo7WpTHKvGI8PayW95HaWeU
  SHA256   : YgaEZgwSrKxirB8bzvxjIzz9ldKkXhpN | IsVan5sOqYUJrPcz+l6bI3yVlCWlHzCb
             f1I4fTI8FOg=                     | /dHjbIBnNS4=
  SHA512   : N9PN7Zm2+6zqZEP/2O4EBU0wGfV+q/ap | ZTb1mxGjv2n/vnwq58/rTUQIdW0o/fxa
             E/qqtliCxOdacC+jPmF43otCZE34qfd6 | aHoo4c989CS5SN8wO7ZO+ZyK7LikZPe6
             A5wLwkdp9CRzuqNIAS/WMg==         | dpg9q4ewGLAmwHYMPBbgMg==
  CRC32    : aTphhA==                         | LFRiBQ==
  HAVAL    : OOqQLrhUONV5Zm6pimcMyDbX0GsFh81n | CS+LNyUR3QflgCfT0e7pW3FSYzXMZKQB
             s78/EtSkPEc=                     | S0VrHY0GV08=
  GOST     : pI74rIIHDI7TDrCA+Sx/osECG3JGljMk | 05z1Do1bUHdp8pMMcU5LpbBftPvSV824
             NX+WsahkgQI=                     | Qv+qrf4TU6U=

File: /var/ossec/logs/alerts/alerts.json
  Size     : 303004                           | 303699
  Bcount   : 600                              | 608
  Mtime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  Ctime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  RMD160   : HI8kVRJVmBHQ12uM4mgjgC8tG7c=     | rXlxkYtULGVhokQ2Plf1gsRwfeU=
  TIGER    : fYh0uHAKUPT1rbJ/b/e/PcFOCIAqIGfn | 5mbOOvGc9vIdu/fu1HhzjYtSCNaMSA+W
  SHA256   : xRC0btISZjbwp3HJ6YWTx8qVl/byyU79 | Oal9QcowgkTnOMChs3MoOgTOo0t8xLlu
             +GDwaFVbOiM=                     | 2B3mpC3PNrk=
  SHA512   : GYVO1j/fNYVxIe9mlKJRyUgPb3iOjxDZ | w+npPKwSPtMFmu+8+3bJD9tki9aZIvTi
             aFCLLqCPpZJZn632rwM7nCTOI41CRQV+ | Ev1ry6SsWUMQ0/pH/SCacBUILfKQVBbU
             Jisfz69u8Fc3WEhGfvN4hQ==         | nEBwUdlorF+p3oPQ4lpipg==
  CRC32    : mIJZOg==                         | EaLg9w==
  HAVAL    : Jt9WwS1ZnQ/u1wp8631+MNPgdgDhWD4Q | LrNLJfJrkK3jibcN/6wrrOtC+4K3BIpO
             OJBxqeEjgtA=                     | Sxlq8e5pWqc=
  GOST     : J9yWuApsLcPuqDbmgp2CKup0spB6MrBS | d2HTAxbMxv7MPiI8lLanW+lSyGM7DvOq
             76dAVlPr8QU=                     | JyOluc+3ikE=

File: /var/ossec/logs/alerts/alerts.log
  Size     : 196342                           | 196713
  Bcount   : 392                              | 400
  Mtime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  Ctime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  RMD160   : /5NDXAKCiQxSuPHVbhi9VQOLLak=     | IDKuML9GS4sQO8oF6Cxz/vupSJs=
  TIGER    : 6bAnpVoBW5vDbFQGZtpYFXr9uUYwGrXh | xzLHbWTZVWo7WpTHKvGI8PayW95HaWeU
  SHA256   : YgaEZgwSrKxirB8bzvxjIzz9ldKkXhpN | IsVan5sOqYUJrPcz+l6bI3yVlCWlHzCb
             f1I4fTI8FOg=                     | /dHjbIBnNS4=
  SHA512   : N9PN7Zm2+6zqZEP/2O4EBU0wGfV+q/ap | ZTb1mxGjv2n/vnwq58/rTUQIdW0o/fxa
             E/qqtliCxOdacC+jPmF43otCZE34qfd6 | aHoo4c989CS5SN8wO7ZO+ZyK7LikZPe6
             A5wLwkdp9CRzuqNIAS/WMg==         | dpg9q4ewGLAmwHYMPBbgMg==
  CRC32    : aTphhA==                         | LFRiBQ==
  HAVAL    : OOqQLrhUONV5Zm6pimcMyDbX0GsFh81n | CS+LNyUR3QflgCfT0e7pW3FSYzXMZKQB
             s78/EtSkPEc=                     | S0VrHY0GV08=
  GOST     : pI74rIIHDI7TDrCA+Sx/osECG3JGljMk | 05z1Do1bUHdp8pMMcU5LpbBftPvSV824
             NX+WsahkgQI=                     | Qv+qrf4TU6U=

File: /var/ossec/logs/ossec.log
  Size     : 11605                            | 11757
  Mtime    : 2021-05-13 13:57:32 -0400        | 2021-05-13 14:25:18 -0400
  Ctime    : 2021-05-13 13:57:32 -0400        | 2021-05-13 14:25:18 -0400
  RMD160   : UrndE9lRw2gEB6OGZuQ/mnGRc7U=     | rMF+/kDPzTEQp4+fG4nWvCrRdfk=
  TIGER    : j4s+XmwXPueAQuAciYwhO7X455MBGq4r | x61JVqPEUAm6ZSQ0S37CA+stHjQyh2KV
  SHA256   : 9kdSlM2EjZKe451VHXo+BXd3fAtVsRt8 | qktJymmvRRyM1jjuLlvVscpDMBfs/eds
             CcloQ1jNTzo=                     | EQ5zKH61/2o=
  SHA512   : pTDO+6p6JzruJ+AMsZ4LCIqQsKCeagOj | Ga+4TvLk90Q5lTMK1iO/2Zw4Ic0eCLt4
             4OeJYhAdNRJ+1QSFabUatNuwltW0uIs+ | 5X0c7AH5GvbUCs5Cw4y9RUHQlGF7BLVA
             Sj6ab2HDu0RJEmy/EQVAOA==         | cLxxRzeSvk6MKK00DtwotQ==
  CRC32    : Xq9wkw==                         | qoNgtQ==
  HAVAL    : fMCtlMz5vBfRN/UZm+nigxdn/lphzAag | J6sZyDnrOV+vT07OER46CGex4nUPjNAU
             EVwoljewwnk=                     | hZRJBEQuXvQ=
  GOST     : vG3FbAnnsorn5Wa69JWn+rVBLNSWOy0o | mi1diJV7nKcX4li9XFdcYs1rA4rLzcSI
             TvuIiF4Ohzo=                     | r+Y1bqomAjg=

Directory: /var/ossec/queue/db
  Mtime    : 2021-05-13 13:57:33 -0400        | 2021-05-13 14:25:29 -0400
  Ctime    : 2021-05-13 13:57:33 -0400        | 2021-05-13 14:25:29 -0400

File: /var/ossec/queue/db/000.db
  Size     : 2113536                          | 2228224
  Bcount   : 4128                             | 4328
  Mtime    : 2021-05-13 13:57:33 -0400        | 2021-05-13 14:25:29 -0400
  Ctime    : 2021-05-13 13:57:33 -0400        | 2021-05-13 14:25:29 -0400
  RMD160   : h9D0qcSXGbRqsZGJV5wNywYfO30=     | OSPi2pAhW/rVJrwB2NL/NGlcc9U=
  TIGER    : MFWistAyOA7gy+T4ZtmuwmCBghe8ndnN | V00qPUeAtE5+i/uMTSbfidq3Q3dIFxj/
  SHA256   : JMeairDZxZUWoA2Rcpw0CoLxUllolk3l | T0UJvOvhurdsnLokgrBqmIUDLVdJ4HI5
             j79VsRy1d/E=                     | 3IPq7G21RZY=
  SHA512   : sbtVw881IhIicV5UfsWvpbdOOHzb8aVw | XBE7eta1oMwAsG4kOcj793f16ZqMeGh+
             Fy7jrUgDkQSfnMYiNnD329pRbw61OxY8 | k4kw4Q7+lzJYrILo8a5/Ea7cCShz2cnv
             j/dO5nqq7H3tHhzou+bf0A==         | UU6gNnzyT3HslSTfXm2upQ==
  CRC32    : RqsdGg==                         | LD0Qpw==
  HAVAL    : vSCMk/LypxzM/KT0mX/xAZkIMZNt8Qeq | 6vHfo9hW75oG2PksEcaE0IPYLlMxukZU
             RqMoxzLqfcc=                     | eIAcYWyfr6w=
  GOST     : GTCGuUTPs0BM2pSO4/PgO/HXI8P0tgid | Ec053qs2D5hjYO8IxHmW6g6UhW0tK4aE
             mYVX1XfJHM8=                     | vypwpBv5bb8=

File: /var/ossec/queue/diff/debian/535/last-entry
  Size     : 1024                             | 1021
  Mtime    : 2021-05-13 13:57:08 -0400        | 2021-05-13 14:33:10 -0400
  Ctime    : 2021-05-13 13:57:08 -0400        | 2021-05-13 14:33:10 -0400
  RMD160   : qHsDObPkZuJcZNKKxWUlkN1TmdI=     | j2zl43WJTJelXeuFTkIVH8uCW9A=
  TIGER    : Q8rEdFootqfUPYX6I5u7UC+IBXt1EtQ4 | XPAYBNVvJ+mtPHWOemVeZ7xjls5bE9kQ
  SHA256   : tkk1KU58wTyYjwdmyF4aFWWBttu2gnua | 09g04YBhFqG1lbLtHvyxvBcUbNYwnv7p
             7eqkATbNMy4=                     | LfG5wba7E2Q=
  SHA512   : sKOr9fAXVeaAfmNGTQrJfAeG4nghNw17 | dE7AD9uML4iQcMmH1W38MJu5ngzLxyvZ
             FIjGsgxU3erZS0iIEncQL7XgMBeC9Jts | +e22ULMcqxJC+7GunqeNMn6ADesqjZN1
             bllmBgLe/elsofeGAXfRvQ==         | Tj6RdqgqnxDEmIPnf1tJKg==
  CRC32    : Q0OBsA==                         | CIXH/Q==
  HAVAL    : PFRZcbTmd11VMc9WDRKR5nMvyVVbTwU7 | LY0Eu6iQTPTOTyp2TqXW2/IPvBK5dsn3
             vnQHgGKEN/Y=                     | GOFLTBzoCvE=
  GOST     : 11cAAblplJja5/rktHJDKzFraTKbaqz5 | leGBDPnpRhyRLTGo8QMaMkYHjOSkdqa+
             By98fbs8dTw=                     | +6QrJ4E5rQs=

File: /var/ossec/stats/totals/2021/May/ossec-totals-13.log
  Size     : 894                              | 999
  Mtime    : 2021-05-13 14:01:16 -0400        | 2021-05-13 15:01:46 -0400
  Ctime    : 2021-05-13 14:01:16 -0400        | 2021-05-13 15:01:46 -0400
  RMD160   : zJ8At9unwQxEzSe9J4GrzbqTMz8=     | COrlpQLyTK+TCf8KkThMAyvseig=
  TIGER    : gs7ydELV5qsqM6gqkk3VubEx9WZvybNH | nNzaNRkTekRV/eE7mrzj8wypqqQ3X02M
  SHA256   : OrAiYG8X0UfOSTWwfcFs1gl0CkAwC7aR | 9OjAmTYpHgKyhQ2aXWzbRoTIRjDDpGlk
             52uZF3374G8=                     | SzQNk0h7bHk=
  SHA512   : atNLeqF+T7DoIyN5XBh9Z7Lxvtxv88kv | FOxCmlwtkJ2/ej5BM6HX13p9UpiP+9mV
             u+XHdKFZIr6UMf7UTycb/+qso33BlVfH | CtmkyaWXNcOhw1moeRUGHKdkRUdWh06a
             Mn8sGcjy4DuchZpZeggdyA==         | TpH4CYF4P6uMH4VMfhUwDg==
  CRC32    : f5dIXg==                         | lVKiZg==
  HAVAL    : PO/8wHY4EFaVnO/yUEIPCr9UmrujdHoH | HZF3AmNvk8PNec0OcUHsNWs8TeIJ7Bm/
             baDhTTJixt0=                     | GhgPEEhrtYc=
  GOST     : SDdETY0dZJHWCQGIl4cggiwFBQwp/Ely | lm4MpfRUd+5kF8PkFi066ESY/4ISLjhy
             HVZbNI4G/LM=                     | /w68fjIDHL4=

Directory: /var/ossec/var/run
  Mtime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400
  Ctime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400

File: /var/ossec/var/run/ossec-analysisd.state
  Mtime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400
  Ctime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400
  Inode    : 291862                           | 304591

File: /var/ossec/var/run/ossec-remoted.state
  Mtime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400
  Ctime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400
  Inode    : 304591                           | 307354

File: /var/ossec/var/wodles/syscollector
  Mtime    : 2021-05-13 05:03:42 -0400        | 2021-05-13 14:25:18 -0400
  Ctime    : 2021-05-13 05:03:42 -0400        | 2021-05-13 14:25:18 -0400
  RMD160   : t2dgf7PI+qjCpifY2lsAcxDF9Fk=     | cntjaDX/DCNzvCfiCA1kXl7KCCM=
  TIGER    : +Gq9NCskrl71MYuh9vQY/9SKFmdwV2WC | w2KPhzO5tiv/GcsGpi6kfqs8JPsH4h2J
  SHA256   : YWnwELAriPpKVUvzp48A36IsQiLiDrPa | 5AwQ6d972QnzU6DymNjanYsORD2V5TIQ
             +xaI8POCyBo=                     | yPakdvhIjIQ=
  SHA512   : TmNSY5LxyrRar/OWhzGR/IzBw33HSywQ | adcpxpI3Q9psuemsly3IVcpaXJUKt88W
             eQb39k+4WJOY1Dag638EQj0PQDFTJTyo | zbzT2XtMHO8lWny35/AdVVOYvW56aD6K
             IfHuoARl+hAG/NeGUrb/Nw==         | D0jnB0YUWop4oQI2Exhsgw==
  CRC32    : YrOyVA==                         | Jcfn4Q==
  HAVAL    : kZ1+RJgVhR5Ye4SBgUA++Opyag/JQw5X | JnJ1PH1Qst5GxeaKBT/G9vvBrJJ1v+iO
             7f0i/Y4BMZc=                     | sGj6SbculZI=
  GOST     : c56J+RwvEsiWC3j3TwCigV9ip7G26cc4 | iUktb3cvt2mwTIbtf5pD5y2RBq4c0f/1
             RjAfGj8Yklg=                     | 792rogTuXMw=

File: /var/webmin/miniserv.lastcrons
  Mtime    : 2021-05-13 13:57:08 -0400        | 2021-05-13 14:57:09 -0400
  Ctime    : 2021-05-13 13:57:08 -0400        | 2021-05-13 14:57:09 -0400
  RMD160   : l4hocPE/SHW9NhN2NCF2nQX+fbU=     | pm7WC+m645+3fPpMGPfMIbZML1c=
  TIGER    : AZZbVVUb9d9+o+IPaFHr/1JTepGY0skV | QG8yw6Ma8zTNORA5mvFJgZvdZVRRqarp
  SHA256   : OZbnUDEbF2h8/h3wEy+xQ0+qQ+X1IdED | ZmH3hXZrdFopMfPquWUplysApSgaCLbN
             tW0z/XmwFgE=                     | woeJMG74uoY=
  SHA512   : ebuDdi38UvLbg7hE5b90rU01dTNsH8PT | pcFF4JY4+w/OL9gujrtJ1OqWyDyQabrM
             Vyn01yobjF9ieXuIVgtohQFhfj4V/ciG | VLmyprO+sEYWvkCWE028s350NM1ZOIzI
             jH49Npaj0MOT418Lj7sbBw==         | feXBta/T/EvgzOi5Uz/oCQ==
  CRC32    : /ZYiew==                         | 8UcOAw==
  HAVAL    : K2mLlgdjxme5iRQ8+GS1fbIa0wkKR4Q2 | nMGCLXkIIls7X6YraMeRbq3+mnboYOe8
             fUXtscLxzYw=                     | pidvAJg7Q0M=
  GOST     : eMerS2vevb7fswadmjiZLo0ImDxQ2uo/ | 5rwUUkXBg6z9QsYhGJ7pOVkwaeZfHt5X
             fRjhDng5dWg=                     | c1AvM7h2otw=


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
  RMD160   : 7x5/c1dpNifnCqEfbegXkgeUYZ8=
  TIGER    : /TaHlucsBgKis1UAWqApNi05/irDr/EK
  SHA256   : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO
             ZgZLEM5aZRo=
  SHA512   : VwkOKebuBWzrAAhNdeyI/KlgrJGp+Cx7
             E/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb
             8rx7wQ2VMcn1aDfA8aXtNQ==
  CRC32    : ibeVcw==
  HAVAL    : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1
             7TtzPAdV9Nk=
  GOST     : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F
             8vsT+WVZAjQ=


End timestamp: 2021-05-13 15:02:37 -0400 (run time: 3m 0s)

As the output above shows, AIDE found a number of filesystem changes. Review the report to confirm each one is expected.
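A report like the one above mixes expected churn (runtime files under /run, the freshly copied database) with changes that deserve a look. The following script, added here as an example and not part of the tutorial, parses the summary lines AIDE prints under "Added entries", "Removed entries" and "Changed entries" and sorts them into entries whose checksum changed (flag "C") versus entries where only metadata such as mtime ("m"), ctime ("c") or inode ("i") moved. The noise prefixes and the embedded sample report (an excerpt of the output above) are assumptions for the dry run; on a live system you would pipe the real check output through it instead.

```shell
#!/bin/sh
# Added example (not part of the tutorial): triage an AIDE 0.16-style report by
# parsing its summary lines. Flag letters used: "C" = checksum changed,
# "m"/"c" = mtime/ctime, "i" = inode, "n" = link count, ">"/"<" = size grew/shrank.

# Known-churn prefixes (assumed defaults; override via the environment). Paths
# under these should become "!/prefix" excludes in aide.conf rather than noise.
AIDE_NOISE_PREFIXES="${AIDE_NOISE_PREFIXES:-/run/ /var/lib/aide/}"

# triage_aide_report [FILE]
# Reads a report from FILE or stdin and prints one line per entry:
# ADDED, REMOVED, CONTENT (checksum changed) or META (only attributes changed).
triage_aide_report() {
    awk '
        /^Added entries:/       { section = "added";   next }
        /^Removed entries:/     { section = "removed"; next }
        /^Changed entries:/     { section = "changed"; next }
        /^Detailed information/ { exit }
        /^-+$/ || /^$/          { next }
        section == ""           { next }
        {
            # summary line layout: "<type><attribute flags>: <path>"
            i = index($0, ": ")
            if (i == 0) next
            flags = substr($0, 1, i - 1)
            path  = substr($0, i + 2)
            if (section == "added")         print "ADDED   " path
            else if (section == "removed")  print "REMOVED " path
            else if (index(flags, "C") > 0) print "CONTENT " path
            else                            print "META    " path
        }
    ' "$@"
}

# needs_review
# Filters triage output: drops META entries and anything under a known-churn
# prefix, leaving the entries a person should actually look at.
needs_review() {
    awk -v prefixes="$AIDE_NOISE_PREFIXES" '
        BEGIN { n = split(prefixes, p, " ") }
        $1 == "META" { next }
        {
            path = substr($0, 9)          # categories are padded to 8 chars
            for (k = 1; k <= n; k++)
                if (p[k] != "" && index(path, p[k]) == 1) next
            print
        }
    '
}

# sample_report: constructed excerpt of the report shown above, for a dry run.
sample_report() {
    cat <<'EOF'
Start timestamp: 2021-05-13 14:59:37 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Verbose level: 6

Summary:
  Total number of entries:  205656
  Added entries:            1
  Removed entries:          1
  Changed entries:          5

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------
Removed entries:
---------------------------------------------------

l----------------: /run/systemd/units/invocation:session-3.scope

---------------------------------------------------
Changed entries:
---------------------------------------------------

f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /root/.bash_history
f =.... mc.....  : /run/systemd/timesync/synchronized
d <.... mc.. ..  : /run/systemd/units
f =.... mci.... .: /var/ossec/var/run/ossec-analysisd.state

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
EOF
}

# Dry run: sh triage.sh demo
# Live:    aide -c /etc/aide/aide.conf -C | triage_aide_report | needs_review
if [ "${1:-}" = "demo" ]; then
    sample_report | triage_aide_report | needs_review
fi
```

On the sample, the dry run leaves exactly two entries for review, /etc/aide/aide.conf and /root/.bash_history, both of which the tutorial's own steps explain (the rebuilt configuration and the root shell history). Anything that shows up here repeatedly without an explanation is either a candidate for a "!" exclude in aide.conf or something to investigate.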

Testing AIDE on Debian 10

You can now create new files, edit some and delete others, then re-run the AIDE check to see how AIDE detects each of these changes.

echo "1.2.3.4 test.kifarunix-demo.com" >> /etc/hosts
touch /etc/newfile
rm -rf /etc/issue

After making those changes, re-run the AIDE database check against the filesystem.

aide -c /etc/aide/aide.conf -C

Sample output;

Start timestamp: 2021-05-13 15:08:24 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Verbose level: 6

Summary:
  Total number of entries:	205656
  Added entries:		2
  Removed entries:		2
  Changed entries:		24

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/newfile
f++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /etc/issue
l----------------: /run/systemd/units/invocation:session-3.scope

---------------------------------------------------
Changed entries:
---------------------------------------------------

f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /etc/hosts
...

Limiting AIDE's Integrity Checks to Specific Files/Directories

To limit the integrity check to specific entries, for example /etc, pass the --limit REGEX option to the AIDE check command, where REGEX matches the entries to check.

For example, to check only the database entries matching /etc, run the aide command as shown below;

aide -c /etc/aide/aide.conf --limit /etc --check

Sample output;

Start timestamp: 2021-05-13 15:13:34 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Limit: /etc | Verbose level: 6

Summary:
  Total number of entries:	205656
  Added entries:		1
  Removed entries:		1
  Changed entries:		2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/newfile

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /etc/issue

---------------------------------------------------
Changed entries:
---------------------------------------------------

f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /etc/hosts

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/aide/aide.conf
  Size     : 6598                             | 46195
  Bcount   : 16                               | 96
  Mtime    : 2016-04-16 13:57:29 -0400        | 2021-05-13 14:52:51 -0400
  Ctime    : 2021-05-13 05:34:15 -0400        | 2021-05-13 14:52:51 -0400
  RMD160   : kHZi6LuS1X5nlHkrtCLV9UdgDxo=     | 8wjI15r0D6K1MUVoiyjJPOlGv18=
  TIGER    : 4Xz+mZRAxr2kNIGOmTNJa/7Ftv+VpV37 | 5D516C4863lj53Gcsjw6criLTX43JoSL
  SHA256   : RN1UT38/wRA8N5o4M4MHU8N+G49sK9nB | awEfe2H7plz+FstE6NEEHwBsthaweMji
             0B5VVewz3h8=                     | WcEO1u90BTg=
  SHA512   : o4LOstw3erheco5dpKcKLadGav29Ud9E | DeNIyQrjM8tDAfJdjLTYMTgDPvft/kjH
             ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | 9GJbw/K4u+WwMMUeg8iKdNkCL6YPc49X
             yKP7Fvoitf+jHcriq57Pgg==         | xEkz4dL2MjSFBj0i+zQW1g==
  CRC32    : S3Rhfg==                         | XsRmRw==
  HAVAL    : +O7017egNOm+/TJW/3HxeQcxmz55pDM7 | 2nb6INYq7XrgjDfncGvqSEz+UwXIYtSB
             S+TXtMWVN/E=                     | 4YrUy9kI6IU=
  GOST     : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | omvkgMtCPG2xKS2Sbe3PVUKg8+ZNve9j
             NhV8dix9LIw=                     | Zf744WY7Flk=

File: /etc/hosts
  Size     : 186                              | 218
  Mtime    : 2021-01-29 14:23:36 -0500        | 2021-05-13 15:07:59 -0400
  Ctime    : 2021-01-29 14:23:36 -0500        | 2021-05-13 15:07:59 -0400
  RMD160   : pgg6hjBhDjMlk+l8yu0LB1SL7o8=     | sUqfThZK2gYBG5rgKCY0882JsFE=
  TIGER    : 6rCGqnmCVSK81X5SatwKyW6Cybt1B9yP | 04im6NfESOdCKzANx6VA3ehjZ0skylIh
  SHA256   : XJiphdFN5h4JGKNCqvrG71xF+FyFEi5E | rjTkky/c4992255kH3yXciO+SHZa8wlA
             SvfqvfKxUng=                     | 9brQo29MU+o=
  SHA512   : Frpi7XYfQq7SA8HSImzFystaarku/1Cs | jqUFxAQYoNlj5LXVZxn6kJGwQLePCWcs
             Ba7vka2boOYZsqzVoXq0c6zlxb5AVX7J | Ay3i8i8bAv59cfjRpxQpTj3rNdeS70pp
             Yl+VEG/SZpPvca+6xn4P8Q==         | xj1P9YWWTtn6unB6ZON2pg==
  CRC32    : xZ01PQ==                         | 9LtLwA==
  HAVAL    : 17oJH6iVQGXq3ge2uXnwumq0xCLaF+fS | Qty/rrMbvG1RTmj6+PvPUtB6zAk6x/na
             Goy5GCiijPI=                     | oiBWgvPWsmY=
  GOST     : X8Mnh75FrKoDQl88Ez1l0hRH4pR9lOon | zjAjM0BCHajG4Xb1AIZGOXOzjOtRQ7lZ
             jkxNlJeC1fA=                     | EzBfUnAXze0=


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
  RMD160   : 7x5/c1dpNifnCqEfbegXkgeUYZ8=
  TIGER    : /TaHlucsBgKis1UAWqApNi05/irDr/EK
  SHA256   : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO
             ZgZLEM5aZRo=
  SHA512   : VwkOKebuBWzrAAhNdeyI/KlgrJGp+Cx7
             E/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb
             8rx7wQ2VMcn1aDfA8aXtNQ==
  CRC32    : ibeVcw==
  HAVAL    : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1
             7TtzPAdV9Nk=
  GOST     : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F
             8vsT+WVZAjQ=


End timestamp: 2021-05-13 15:14:04 -0400 (run time: 0m 30s)

Exclude Specific Directories from AIDE Checks

To exclude some directories, edit the configuration file, /etc/aide/aide.conf, and add the directories to ignore to the end of the file in the format;

!/home/
!/var/lib/
!/proc

Using Custom AIDE Configuration

You can also create your own configuration, defining what should be checked and what should not.

See example configuration below;

mkdir /home/koromicha/aide
vim /home/koromicha/aide/aide.conf

# Path for creating the databases
database=file:/home/koromicha/aide/aide.db
database_out=file:/home/koromicha/aide/aide.db.new
database_new=file:/home/koromicha/aide/aide.db.new

# Set your own AIDE rule.
MYRULE=p+n+u+g+s+m+c+xattrs+md5+sha512

# Directories/files to be monitored and the rule to apply
#/etc MYRULE
#/bin MYRULE
#/usr/bin MYRULE
/home MYRULE

# Directories to ignore
!/proc

Basically, the rule set above checks:

  • permissions,
  • number of links,
  • user,
  • group,
  • size,
  • modification time,
  • inode/file change time,
  • extended file attributes,
  • MD5 checksum,
  • SHA512 checksum.

Initialize the database with the new configuration;

aide -c /home/koromicha/aide/aide.conf -i

Copy the database in place;

cp /home/koromicha/aide/aide.db{.new,}

AIDE Diagnostics

Verify the configuration file for errors by running the command below;

aide -c /home/koromicha/aide/aide.conf --config-check

Check the command exit status.

echo $?

According to the AIDE man pages, AIDE's exit status is normally 0 if no errors occurred, except when the --check, --compare or --update command was requested, in which case the exit status is defined as:

   1 * (new files detected?)     +
   2 * (removed files detected?) +
   4 * (changed files detected?)

Since those three cases can occur together, the respective error codes are added. For example, if there are new files and removed files detected, the exit status will be 1 + 2 = 3.

Additionally, the following exit codes are defined for generic error conditions:

   14 Error writing error
   15 Invalid argument error
   16 Unimplemented function error
   17 Invalid configureline error
   18 IO error
   19 Version mismatch error
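The exit status is what makes AIDE usable from cron or a monitoring agent: the check itself is silent about severity, so the wrapper has to decode the bits. The script below is an added example, not code from the tutorial or the AIDE project; it decodes the status values listed above and runs the check in a way that returns non-zero on any deviation or error. The AIDE_CONF path is an assumption (it defaults to the tutorial's /etc/aide/aide.conf and can be overridden from the environment).

```shell
#!/bin/sh
# Added example (not part of the tutorial): a cron-friendly wrapper that runs
# the AIDE check and decodes the exit status documented in the AIDE man page.
# Assumed: aide is installed and AIDE_CONF points at a valid configuration.

AIDE_CONF="${AIDE_CONF:-/etc/aide/aide.conf}"

# decode_aide_status STATUS
# Prints a human-readable meaning for an AIDE exit status. 1, 2 and 4 are
# additive bits (new, removed, changed files); 14-19 are generic errors.
decode_aide_status() {
    status=$1
    case "$status" in
        0)  echo "no differences"; return 0 ;;
        14) echo "error: error writing error"; return 0 ;;
        15) echo "error: invalid argument"; return 0 ;;
        16) echo "error: unimplemented function"; return 0 ;;
        17) echo "error: invalid configure line"; return 0 ;;
        18) echo "error: IO error"; return 0 ;;
        19) echo "error: version mismatch"; return 0 ;;
    esac
    if [ "$status" -lt 1 ] || [ "$status" -gt 7 ]; then
        echo "unknown status $status"
        return 0
    fi
    desc=""
    if [ $((status & 1)) -ne 0 ]; then desc="new files"; fi
    if [ $((status & 2)) -ne 0 ]; then desc="${desc:+$desc, }removed files"; fi
    if [ $((status & 4)) -ne 0 ]; then desc="${desc:+$desc, }changed files"; fi
    echo "$desc"
}

# run_aide_check
# Runs the check, prints the decoded status plus the report's Summary block,
# and returns non-zero on any deviation (1) or generic error (2) so that cron
# mail or a monitoring agent picks it up.
run_aide_check() {
    rc=0
    report=$(aide -c "$AIDE_CONF" --check 2>&1) || rc=$?
    echo "aide exit status $rc: $(decode_aide_status "$rc")"
    if [ "$rc" -ge 14 ]; then
        printf '%s\n' "$report" | tail -n 5
        return 2
    fi
    if [ "$rc" -ne 0 ]; then
        printf '%s\n' "$report" | awk '/^Summary:/,/^$/'
        return 1
    fi
    return 0
}

# Usage: sh aide-check.sh run
# (sourcing the file without the "run" argument defines the functions only)
if [ "${1:-}" = "run" ]; then
    run_aide_check
fi
```

Applied to the first check run earlier on this page (1 added, 1 removed, 23 changed entries), the formula gives 1 + 2 + 4 = 7, which the wrapper reports as "new files, removed files, changed files" and turns into a return code of 1 for the scheduler.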

NOTE: Whenever you make any AIDE configuration changes, remember to initialize the database to create a baseline.

Make some changes, such as creating a new directory and a new file;

rm -rf /home/koromicha/aide/aide.db.new
mkdir /home/koromicha/test-dir
touch /home/koromicha/test-file

You can then run AIDE against your custom configuration.

aide -c /home/koromicha/aide/aide.conf -C
Start timestamp: 2021-05-13 15:20:06 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	10
  Added entries:		3
  Removed entries:		1
  Changed entries:		2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /home/koromicha/aide/aide.db
d++++++++++++++++: /home/koromicha/test-dir
f++++++++++++++++: /home/koromicha/test-file

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /home/koromicha/aide/aide.db.new

---------------------------------------------------
Changed entries:
---------------------------------------------------

d = ... mc n  .  : /home/koromicha
d = ... mc .  .  : /home/koromicha/aide

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /home/koromicha
  Mtime    : 2021-05-13 15:17:02 -0400        | 2021-05-13 15:19:59 -0400
  Ctime    : 2021-05-13 15:17:02 -0400        | 2021-05-13 15:19:59 -0400
  Linkcount: 3                                | 4

Directory: /home/koromicha/aide
  Mtime    : 2021-05-13 15:18:19 -0400        | 2021-05-13 15:19:59 -0400
  Ctime    : 2021-05-13 15:18:19 -0400        | 2021-05-13 15:19:59 -0400


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/home/koromicha/aide/aide.db
  MD5      : f0gmAXaAnpmsLpcqEB2yaw==
  SHA1     : HjZ96ZFaLaGXT7oLQHetDByRcfg=
  RMD160   : ND0cqBPVsKaZw6peqJq81oAckx8=
  TIGER    : GsNazCXJu/wNbSTKyXUSPXgGImsKYZSj
  SHA256   : yz0xi62lx4v4yxwvcVG4DcrEpaszxCFi
             M5SFuRB7rFc=
  SHA512   : bMqIRxmfMz/Id1aKhKNUfZbG6I/Jn5UD
             6+G7x0oTFwf/GxUn8AVbhDyitO4bDjE/
             6yw2N+Ea4b69UgYkt8v6xQ==
  CRC32    : amnOHQ==
  HAVAL    : lKVe1OAZ/RHx8vq3AH1td++qnLZhomN/
             8VWvgolh12Y=
  GOST     : WzrpoPdX5kbKV9+XXKO2B6mWdyPq2m17
             u3querF/YTk=
  WHIRLPOOL: gsUPlPVbwDJYOXOWi30/1PXONnTZqMGM
             fQOCS8VsEpV9tYUuM2Yrb78hCjfjACla
             SdxnhuyiM3DPwIVS9c1x9Q==


End timestamp: 2021-05-13 15:20:06 -0400 (run time: 0m 0s)
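The report above is verbose, and in practice you often want only the counts and the affected paths, for example to write a syslog line or raise an alert. The following is an added example, not part of the tutorial: a small awk-based parser for the AIDE 0.16 report layout shown above. The function names are my own, and the sample report embedded in sample_aide_report is a constructed excerpt of the output printed above.

```shell
#!/bin/sh
# Added example, not part of the tutorial: condense an AIDE 0.16 report into a
# single line (counts from the Summary block plus the affected paths), which
# is handy for a syslog entry or an alert. The report below is a constructed
# excerpt of the output shown above; the function names are my own.
sample_aide_report() {
    cat <<'EOF'
Start timestamp: 2021-05-13 15:20:06 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      10
  Added entries:                3
  Removed entries:              1
  Changed entries:              2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /home/koromicha/aide/aide.db
d++++++++++++++++: /home/koromicha/test-dir
f++++++++++++++++: /home/koromicha/test-file

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /home/koromicha/aide/aide.db.new

---------------------------------------------------
Changed entries:
---------------------------------------------------

d = ... mc n  .  : /home/koromicha
d = ... mc .  .  : /home/koromicha/aide

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /home/koromicha
  Mtime    : 2021-05-13 15:17:02 -0400        | 2021-05-13 15:19:59 -0400
  Linkcount: 3                                | 4
EOF
}

# Read a report on stdin and print: added=N[paths] removed=N[paths] changed=N[paths]
summarize_aide_report() {
    awk '
        # Counts come from the Summary block; stop reading it at "Changed entries".
        /^Summary:/                   { insum = 1; next }
        insum && /Added entries:/     { added = $NF }
        insum && /Removed entries:/   { removed = $NF }
        insum && /Changed entries:/   { changed = $NF; insum = 0 }
        # Entry lines: a type letter (f/d/l/...), a change marker (+ added,
        # - removed, space for changed) and attribute flags, then ": /path".
        /^[fdlcbps][ +=<>-]/ {
            path = $0; sub(/^[^:]*: /, "", path)
            mark = substr($0, 2, 1)
            if (mark == "+")      a = (a == "" ? path : a " " path)
            else if (mark == "-") r = (r == "" ? path : r " " path)
            else                  c = (c == "" ? path : c " " path)
        }
        END { printf "added=%d[%s] removed=%d[%s] changed=%d[%s]\n", added, a, removed, r, changed, c }
    '
}

# Usage with a real run: aide -c /home/koromicha/aide/aide.conf -C | summarize_aide_report
# Here the constructed sample stands in for a real run.
sample_aide_report | summarize_aide_report
```

The parser keys on the fixed layout of the summary lines (type letter, change marker, attribute flags, then ": /path") rather than on section headers, so the "Directory:" lines of the detailed section and the database attribute block at the end are ignored. Pipe the output of a real check into summarize_aide_report instead of the sample to use it on your own reports.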

Sending AIDE Report via Mail

On installation, AIDE sets up a daily cron script, /etc/cron.daily/aide.

The output of the checks is mailed to the user specified in the MAILTO= directive of the /etc/default/aide configuration file, as detailed above.

To send the AIDE report via mail, edit /etc/default/aide and set the MAILTO directive to your email address so that it looks like below. The default recipient is root.

vim /etc/default/aide
...
#MAILTO=root
[email protected]

Most of AIDE's default parameter settings are defined in this file. It is well commented, so go through it to see what other options you may want to enable or disable.

Email delivery only works if you have configured your MTA for mail transfer. Follow the links below to learn how to configure Postfix to use Gmail SMTP for relay;

Configure Postfix to Use Gmail SMTP

Configure Postfix to Use Gmail SMTP on Ubuntu 18.04

Instead of changing the cron mail recipient address above, you can edit the Postfix mail aliases and set an alias for root pointing to the email address on which you want to receive the AIDE report;

vim /etc/aliases
postmaster:    root
root:   [email protected]

Ensure you rebuild the aliases database;

newaliases

You can also install a cron job to run AIDE at a specific interval;

sudo crontab -e
*/10 * * * * aide -c /home/koromicha/aide/aide.conf -u && cp /home/koromicha/aide/aide.db{.new,}

This runs an AIDE update check every 10 minutes and, since cron mails the job's output to the crontab owner (root here, aliased above), emails the report to [email protected] as per my setup. Note that aide exits with a non-zero status whenever it finds new, removed or changed files (see the exit codes above), so the cp after && only replaces the baseline when the check was clean; when differences are found, the old database stays in place until you have reviewed the report and copied the new database yourself.
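The exit status table above and the cron one-liner fit together: the status tells you what kind of difference was found, and that is what should decide whether the new database may replace the baseline. The following is an added example, not part of the tutorial: a POSIX sh wrapper that decodes AIDE's exit status into words and promotes aide.db.new only after a clean run, printing the report otherwise so cron mails it. The function names decode_aide_status and aide_check_and_rotate and the AIDE_BIN, AIDE_CONF and AIDE_DB variables are my own; they default to the paths used in this tutorial.

```shell
#!/bin/sh
# Added example (not part of the tutorial): interpret AIDE's exit status and
# promote the new database only after a clean run. The paths default to the
# ones used in this tutorial; AIDE_BIN lets you point at another binary.
AIDE_BIN=${AIDE_BIN:-aide}
AIDE_CONF=${AIDE_CONF:-/home/koromicha/aide/aide.conf}
AIDE_DB=${AIDE_DB:-/home/koromicha/aide/aide.db}

# Map the exit status documented in aide(1) to words. For 1..7 the three
# bits (1=new, 2=removed, 4=changed) are decoded; 14..19 are generic errors.
decode_aide_status() {
    s=$1
    case "$s" in
        0)  echo "clean"; return 0 ;;
        14) echo "error: writing error"; return 0 ;;
        15) echo "error: invalid argument"; return 0 ;;
        16) echo "error: unimplemented function"; return 0 ;;
        17) echo "error: invalid configure line"; return 0 ;;
        18) echo "error: IO error"; return 0 ;;
        19) echo "error: version mismatch"; return 0 ;;
    esac
    if [ "$s" -lt 1 ] || [ "$s" -gt 7 ]; then
        echo "error: unexpected status $s"
        return 0
    fi
    words=""
    if [ $((s & 1)) -ne 0 ]; then words="$words new"; fi
    if [ $((s & 2)) -ne 0 ]; then words="$words removed"; fi
    if [ $((s & 4)) -ne 0 ]; then words="$words changed"; fi
    echo "${words# }"
}

# Run an update pass. Unlike "aide -u && cp ...", this copies the new
# database into place only when the run was clean (status 0) and prints the
# full report otherwise, so unreviewed changes never become the new baseline.
# Returns aide's own exit status so cron (or a caller) can act on it.
aide_check_and_rotate() {
    status=0
    report=$("$AIDE_BIN" -c "$AIDE_CONF" -u 2>&1) || status=$?
    verdict=$(decode_aide_status "$status")
    if [ "$status" -eq 0 ]; then
        cp "$AIDE_DB.new" "$AIDE_DB"
        echo "aide: clean run, baseline updated"
    else
        echo "aide: $verdict (exit $status), baseline kept"
        printf '%s\n' "$report"
    fi
    return "$status"
}

# Invoke as "sh aide-rotate.sh run" (e.g. from cron); without the argument the
# file only defines the functions so it can be sourced.
if [ "${1:-}" = "run" ]; then
    aide_check_and_rotate
fi
```

Used from the crontab in place of the bare one-liner, the wrapper keeps the mailed report and the exit status behaviour the tutorial describes, while making the "accept the new baseline" step an explicit decision rather than a side effect of a clean run being the only case in which && lets cp execute.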

It is also good to note that AIDE checks can be resource intensive and may degrade system performance while an integrity check runs. If you are scanning system-wide, be sure to provide enough resources.

That marks the end of our tutorial on how to install and configure AIDE on Debian 10.
