Welcome to our guide on how to install and configure AIDE on Ubuntu 18.04. AIDE is an acronym for Advanced Intrusion Detection Environment. It is a free replacement for the popular Tripwire: a host-based intrusion detection system that monitors file integrity in order to detect unauthorized changes. When AIDE runs for the first time, it creates a database of file attributes that acts as the baseline against which all subsequent checks are run. Some of the file properties that AIDE can check include permissions, inodes, modification time, file contents (via checksums), owning user and group, and file size.
Install and Configure AIDE on Ubuntu 18.04
Before you can begin to install and configure AIDE on Ubuntu 18.04, update and upgrade your system packages;
sudo apt update
sudo apt upgrade
Install AIDE on Ubuntu 18.04
Once the system update is done, it is time to install AIDE on Ubuntu 18.04. The good thing is that AIDE is available in the default Ubuntu repositories, so you can simply install it as follows;
sudo apt install aide
During installation, you will be prompted to configure Postfix. Set the correct mail server configuration type and the mail name.
Configuring AIDE on Ubuntu 18.04
AIDE has been successfully installed. You can run aide -v to check the installed version and the options with which AIDE was compiled;
aide -v
Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
WITH_AUDIT

CONFIG_FILE = "/dev/null"
The file /etc/default/aide holds the settings used by the Debian wrapper scripts around AIDE (aideinit and the daily cron job), such as the mail recipient. The rules and configuration reside under /etc/aide/ (/etc/aide/aide.conf plus the snippets in /etc/aide/aide.conf.d/), and the AIDE database is located under /var/lib/aide/.
Before we can proceed with the configuration of AIDE, you need to create the initial AIDE database. This is done with the aideinit script, which wraps aide --init and writes the new database to /var/lib/aide/aide.db.new. Creating the database may take a few minutes, since every monitored file is hashed;
sudo aideinit
Running aide --init...
Start timestamp: 2019-01-29 18:24:13 +0000 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new
Verbose level: 6

Number of entries:	138400

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new
  RMD160    : d4SEVhfZEguCINwJEQJvot2tjWc=
  TIGER     : vhiRANRpGuACXvn9isU/wR3B1KRJ4hwr
  SHA256    : SdlgAB01p9Jn0yblMYZNauSKAPkhgWLz
              GcxrN+SnYhE=
  SHA512    : 1LPRiANnSxI6ZWq6ktoWLciQQqL9RTk1
              Opu6uBvB40LqDPHznoQxGhHZLPX8q2K7
              6+HrNm6UqnSK/+c4+TBu/g==
  CRC32     : Ls1tow==
  HAVAL     : P0mlZhSNQ08kBi6kBOXeP5MSiBo1Gkf9
              guVLoYa3C5I=
  GOST      : 1BZxQdadYtSX1sED9Z+tJk+9uXm8SmId
              r10Oa1rpcYk=

End timestamp: 2019-01-29 18:30:27 +0000 (run time: 6m 14s)
To install the newly created database as the baseline, copy it into place (the copy requires root, as the database is owned by root);
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Update AIDE configuration
The update-aide.conf script assembles the working configuration from /etc/aide/aide.conf and the snippets under /etc/aide/aide.conf.d/ and writes the result to /var/lib/aide/aide.conf.autogenerated;
sudo update-aide.conf
Copy the generated configuration file into place.
sudo cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
This copy is optional: aide can be pointed at /var/lib/aide/aide.conf.autogenerated directly with -c, and the daily cron job regenerates that file and checks against it on its own. Be aware that the generated file already contains the conf.d snippets, and that overwriting /etc/aide/aide.conf modifies a file that the next check will report as changed.
Testing AIDE
Once the configuration is done, it is time to test the tool. First, run a manual check by executing the command below (root is needed to read the database);
sudo aide -c /etc/aide/aide.conf -C
The command compares the filesystem against the AIDE database and reports any deviation. See the example output below: the one added entry is the database we just copied into place, and the two changed entries are the configuration file we overwrote and the systemd journal, which changes on every run;
Start timestamp: 2019-01-30 10:48:31 +0000 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Verbose level: 6

Summary:
  Total number of entries:	102617
  Added entries:		1
  Removed entries:		0
  Changed entries:		2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------
Changed entries:
---------------------------------------------------

f >b... mc..C.. .: /etc/aide/aide.conf
f =.... mc..C.. .: /var/log/journal/bb7e8bffbe43449e9565bf8712dbee8c/system.journal

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/aide/aide.conf
  Size      : 6598                             | 57102
  Bcount    : 16                               | 112
  Mtime     : 2018-02-02 19:16:08 +0000        | 2019-01-30 10:48:06 +0000
  Ctime     : 2019-01-30 10:35:48 +0000        | 2019-01-30 10:48:06 +0000
  RMD160    : kHZi6LuS1X5nlHkrtCLV9UdgDxo=     | NJrrqPQmqjX6MXVSufzWl9DwUq4=
  TIGER     : 4Xz+mZRAxr2kNIGOmTNJa/7Ftv+VpV37 | eK8XUz4hSjVP5ynT08cKKOW3Cl3SMWog
  SHA256    : RN1UT38/wRA8N5o4M4MHU8N+G49sK9nB | mOJ+dgkewL5A2aTe+YohLx8VfnVIyPeo
              0B5VVewz3h8=                     | gITBqrv4/qA=
  SHA512    : o4LOstw3erheco5dpKcKLadGav29Ud9E | +obSMFAoSWuMSl9wqCrWmTlBvVI46llZ
              ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | TfRBJckm6jSP4RP1nsEgjEhazp3xGfE9
              yKP7Fvoitf+jHcriq57Pgg==         | He0zfwcn+GgFAaGhYB6GuA==
  CRC32     : S3Rhfg==                         | 8wC5XQ==
  HAVAL     : +O7017egNOm+/TJW/3HxeQcxmz55pDM7 | is4+L0o7TwyG96tI/bvAJfLg5vyjXHUt
              S+TXtMWVN/E=                     | w68Mv8ISFaA=
  GOST      : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | kjH6QLrtARoVVIthW9dRjl6lcGbdO9RL
              NhV8dix9LIw=                     | lmHOUtPcL0g=

File: /var/log/journal/bb7e8bffbe43449e9565bf8712dbee8c/system.journal
  Mtime     : 2019-01-30 10:35:50 +0000        | 2019-01-30 10:52:45 +0000
  Ctime     : 2019-01-30 10:35:50 +0000        | 2019-01-30 10:52:45 +0000
  RMD160    : OPiOJ+A052D16445d4V0UKKwxNc=     | ixkNOr8URmd9PHa8E9LHV6KX9Qg=
  TIGER     : Dq0dBwnP/KZLbjeNZexIZ/xXGp3Fqrsg | Nmdzpx3B1ovx/QnenWib6Gvlnxp+NyYr
  SHA256    : 5aFVHAAioL812oDAvVSKOr9TYL/lss18 | ZRPPaSlC7SLXkKAJprkZkX4G2S6UF8XV
              lB2XKJqrG5U=                     | IwBcDY8wQ/U=
  SHA512    : y+vkFBDok4qluzbz1N3h9Mnxu6mFKork | wo7mRX0gHq6U9B5DGv2gYtvXF49oz9kR
              ajNB49g+xva/jqEFbsr+ovFPRVj29DNV | XDQ/aF5uDv5NXX2m+EB5K040AKVoqx3q
              YvAJ7vJO+/5piFepTcyFSA==         | yIA4EeEzvNW0/z0fUva7lQ==
  CRC32     : OHFR6g==                         | ZlMqdw==
  HAVAL     : 7axEtl8NfeAUhB6WlP4hRuMcuBXnusXY | gj+HFZd02z7Z5Sz61lq/lYpj0v/wz2Gb
              BsN2+eDOgmg=                     | BdMolbUMyI8=
  GOST      : 8mMuqnlKzrJPE17i4ZQg/qkjXkGm6jUS | U03sH84MOVTn9/TVW2LSL5LNv9wQ1p8V
              rMLZbCPp1+o=                     | WXNnGHU6/Ec=

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
  RMD160    : 72ztIXlQ94R/e74lT+MkWN9MQVk=
  TIGER     : eQYlNo/Tuc5LsjHq+5I4DL4YWge0tdG8
  SHA256    : 89UyTx3dEhmWclY0X/BiAFzONiPcsRF0
              5YsPRNuS5/M=
  SHA512    : 54uVoLOZJpRwYr2fCgxxYwPAIkvBIrkS
              t29yQpjYejD8LUw/Hqpb9YyTCvd7DdsH
              wH+e442KrS2Ri30sOIHyVA==
  CRC32     : CQDToQ==
  HAVAL     : edaIw5A4PSajIwv6UhKMt9gvw1LtprRJ
              zjCPN9sixUM=
  GOST      : XI+xehHMm71rHhij61vW0cBBRinGCspc
              uT9aVbxxRnI=

End timestamp: 2019-01-30 10:54:01 +0000 (run time: 5m 30s)
Next, you can go ahead and create new files, edit some and even delete some so that you can see how AIDE can detect all this.
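Reading the report by hand does not scale once the database covers a hundred thousand entries, so as an added example (not code from the original page or from the AIDE project) here is a small Python parser for the report format shown above. It pulls out the summary counts and the added/removed/changed paths, decodes the 17-character attribute summary in front of each changed path (the position layout YlZbpugamcinCAXSE comes from the AIDE 0.16 manual and agrees with the lines above, for example "f >b... mc..C.. ." for /etc/aide/aide.conf), and sorts the findings into high, low and noise buckets. The noise prefixes, the severity rules and the embedded sample report are constructed for this example; the sample is modelled on the output above with the separator lines left out.

```python
"""Parse an AIDE 0.16 report and rank its findings (added example, not AIDE code).

Each added/removed/changed path is preceded by a 17-character attribute summary
laid out, per the AIDE manual, as YlZbpugamcinCAXSE: file type, link, size
(=,<,>), block count, perms, uid, gid, atime, mtime, ctime, inode, link count,
checksum, ACL, xattrs, SELinux, e2fs attributes. "." means unchanged, " " means
not compared. Noise prefixes and severity rules are a constructed policy.
"""
import re
import sys
from dataclasses import dataclass, field

SUMMARY_ATTRS = {1: "link", 3: "bcount", 4: "perm", 5: "uid", 6: "gid", 7: "atime",
                 8: "mtime", 9: "ctime", 10: "inode", 11: "links", 12: "checksum",
                 13: "acl", 14: "xattrs", 15: "selinux", 16: "e2fsattrs"}
HIGH_ATTRS = {"checksum", "perm", "uid", "gid", "acl", "xattrs", "selinux", "link"}
NOISE_PREFIXES = ("/var/log/",)  # constructed: paths expected to churn on every run

COUNT_RE = re.compile(r"^(Total number of entries|Added entries|Removed entries|Changed entries):\s+(\d+)$")
SECTION_RE = re.compile(r"^(Added|Removed|Changed) entries:$")
ENTRY_RE = re.compile(r"^(?P<flags>[A-Za-z=<>+\-. ]{17}): (?P<path>/.*)$")


@dataclass
class Report:
    counts: dict = field(default_factory=dict)
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    changed: dict = field(default_factory=dict)  # path -> set of changed attributes


def decode_summary(flags):
    """Turn 'f >b... mc..C.. .' into {'size', 'bcount', 'mtime', 'ctime', 'checksum'}."""
    if len(flags) != 17:
        raise ValueError(f"unexpected attribute summary: {flags!r}")
    changed = {"size"} if flags[2] in "<>" else set()
    changed.update(name for pos, name in SUMMARY_ATTRS.items() if flags[pos] not in ". +-")
    return changed


def parse_report(text):
    """Collect the summary counts and the three entry sections; skip the detail dump."""
    report, section = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := COUNT_RE.match(line):
            report.counts[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1).lower()
        elif line.startswith("Detailed information about changes"):
            section = None
        elif section and (m := ENTRY_RE.match(line)):
            path = m.group("path")
            if section == "changed":
                report.changed[path] = decode_summary(m.group("flags"))
            else:
                getattr(report, section).append(path)
    return report


def severity(kind, path, attrs, noise_prefixes=NOISE_PREFIXES):
    """noise: expected churn; high: content or rights moved, or an entry appeared/vanished."""
    if path.startswith(noise_prefixes):
        return "noise"
    if kind in ("added", "removed") or attrs & HIGH_ATTRS:
        return "high"
    return "low"  # only timestamps, inode, link or block counts changed


def triage(report, noise_prefixes=NOISE_PREFIXES):
    buckets = {"high": [], "low": [], "noise": []}
    entries = ([("added", p, set()) for p in report.added]
               + [("removed", p, set()) for p in report.removed]
               + [("changed", p, a) for p, a in report.changed.items()])
    for kind, path, attrs in entries:
        buckets[severity(kind, path, attrs, noise_prefixes)].append((kind, path, attrs))
    return buckets


# Constructed sample (separator lines omitted), modelled on the check output above.
SAMPLE_REPORT = """\
Summary:
  Total number of entries:  102617
  Added entries:            1
  Removed entries:          0
  Changed entries:          2

Added entries:
f++++++++++++++++: /var/lib/aide/aide.db

Changed entries:
f >b... mc..C.. .: /etc/aide/aide.conf
f =.... mc..C.. .: /var/log/journal/bb7e8bffbe43449e9565bf8712dbee8c/system.journal

Detailed information about changes:
File: /etc/aide/aide.conf
  Size      : 6598                             | 57102
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for level, items in triage(parse_report(text)).items():
        for kind, path, attrs in items:
            print(f"{level:5} {kind:7} {path} {' '.join(sorted(attrs))}")
```

Run it with the path of a saved report (or the output of the cron job in /var/log/aide/aide.log) as its only argument; without one it triages the embedded sample. On that sample the new aide.db and the rewritten aide.conf land in the high bucket and the journal file is filed as noise, which is exactly the split a practitioner wants before deciding whether to refresh the baseline.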
If you need to run AIDE daily, you are in luck: the package installs a daily cron job, /etc/cron.daily/aide, which regenerates the configuration and runs the check on its own. To receive the check report by mail, edit /etc/default/aide and set the MAILTO directive to your email address so that it looks like the line below. The default recipient is root.
MAILTO=you@example.com
Furthermore, if you need to limit an integrity check to specific entries, for example those under /etc, pass --limit REGEX, where REGEX is matched against the beginning of each entry's path. With --check only the matching entries are compared and nothing is written to the database. To check the entries matching /etc you would run the aide command as shown below;
sudo aide -c /etc/aide/aide.conf --limit /etc --check
To exclude some directories, edit the configuration file, /etc/aide/aide.conf, and add the paths to ignore at the end of the file, one per line and prefixed with an exclamation mark. Each entry is a regular expression matched against the start of the path, so !/home also covers everything beneath it;
!/home/
!/var/lib/
!/proc
Alternatively, you can write a minimal configuration of your own, for example /home/amos/aide.conf;
vim /home/amos/aide.conf
# Path for creating the databases
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new

# Set your own AIDE rule.
MYRULE = p+n+u+g+s+m+c+xattrs+md5+sha512

# Directories/files to be monitored and rule to apply
/etc MYRULE
/bin MYRULE
/usr/bin MYRULE

# Directories to ignore
!/home
!/proc
The rule set above checks permissions, number of links, user, group, size, modification time, inode/file change time, extended attributes, and MD5 and SHA512 checksums.
Verify the configuration file for errors by running the command below;
aide -c /home/amos/aide.conf --config-check
Check the command exit status; 0 means the configuration parsed without errors.
echo $?
To learn more about the commands and parameters of aide, explore the man pages: aide(1) for the command and aide.conf(5) for the configuration syntax.
man aide
To wrap up, remember that a check never modifies the baseline. After you have reviewed a report and accepted the changes as legitimate, run aide with --update: it writes a fresh database to /var/lib/aide/aide.db.new, which you then copy over /var/lib/aide/aide.db exactly as you did after aideinit. If you skip this step, every subsequent check reports the same differences again.
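The check-then-refresh cycle described above, as an added Python example (not AIDE's own tooling and not code from the original page): run the check, decode the exit status, and, when the differences are legitimate, regenerate the database with --update and copy it over the baseline while keeping the previous one. The exit-status values are AIDE's documented ones (0 no differences, 1 new files, 2 removed files, 4 changed files, OR-ed together; 14 and above an error); the binary and database paths are assumed to be the Ubuntu defaults used throughout this page.

```python
"""Run an AIDE check, decode its exit status and install a refreshed baseline.

Added example for this guide, not AIDE's own tooling. Exit-status bits are
AIDE's documented ones: 0 = no differences, 1 = new files, 2 = removed files,
4 = changed files (OR-ed together), 14 and above = an error such as a bad
configuration or an unreadable database. Paths default to the Debian/Ubuntu
layout used on this page (an assumption); run it as root.
"""
import os
import shutil
import subprocess
import sys

AIDE_BIN = "/usr/bin/aide"
AIDE_CONF = "/etc/aide/aide.conf"
AIDE_DB = "/var/lib/aide/aide.db"
AIDE_DB_NEW = "/var/lib/aide/aide.db.new"


def describe_status(rc):
    """Map an aide exit status to the kinds of difference it reported."""
    if rc == 0:
        return ["clean"]
    if rc >= 14:
        return ["error"]
    kinds = [name for bit, name in ((1, "added"), (2, "removed"), (4, "changed")) if rc & bit]
    return kinds or ["unknown"]


def run_aide(mode, conf=AIDE_CONF, aide=AIDE_BIN):
    """Run 'aide --check' or 'aide --update'; return (exit status, report text)."""
    proc = subprocess.run([aide, "-c", conf, f"--{mode}"], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def install_new_database(db_new=AIDE_DB_NEW, db=AIDE_DB):
    """Promote database_out to the baseline, keeping the old baseline as db + '.prev'.

    aideinit and aide --update only write the file named by database_out; the
    baseline named by database= is never touched, so without this copy every
    later check re-reports the same differences. Returns the backup path.
    """
    if not os.path.isfile(db_new):
        raise FileNotFoundError(f"{db_new}: run aide --update (or aideinit) first")
    backup = None
    if os.path.isfile(db):
        backup = db + ".prev"
        shutil.copy2(db, backup)
    shutil.copy2(db_new, db)
    os.chmod(db, 0o600)  # a baseline that others can write is worthless
    return backup


def main(argv):
    accept = "--accept" in argv
    rc, report = run_aide("update" if accept else "check")
    print(report)
    kinds = describe_status(rc)
    print("aide exit status", rc, "->", ", ".join(kinds))
    if kinds == ["error"]:
        return 2
    if accept and kinds != ["clean"]:
        print("baseline refreshed, previous copy at", install_new_database())
    return 0 if kinds == ["clean"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments to check and see the decoded status, and with --accept only after you have read the report and are satisfied that every difference is legitimate: it then regenerates the database and installs it, leaving the previous baseline beside it as aide.db.prev in case the acceptance turns out to have been a mistake.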
Great. That is all we could cover in our guide on how to install and configure AIDE on Ubuntu 18.04.
What you don’t explain here (like ALL the other pages about AIDE) is why AIDE keeps alerting, even when there’s no change.
When you make a legit change to a file, you have to update the db
aide -c /etc/aide/aide.conf --update
Problem is, and NO ONE explains this, it’s not the db that’s updated, but a NEW DB is created.
Thus, you have to copy the new DB to replace the previous one:
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Thank you for this tutorial. It might be interesting to know how the daily cron job can be edited to use the custom configuration file. Also, I wonder if the alerts contain information about modifications made by legitimate system management actions.