Install and Configure AIDE on Ubuntu 18.04


Welcome to our guide on how to install and configure AIDE on Ubuntu 18.04. AIDE is an acronym for Advanced Intrusion Detection Environment. It is a free replacement for the popular Tripwire. It is a host-based intrusion detection system used specifically to monitor file integrity and detect any possible unauthorized changes. When AIDE runs for the first time, it creates a database of files which acts as the baseline against which subsequent file checks are run. Some of the file properties that AIDE can check include file permissions, inodes, modification time, file contents, user, group, file size and more.

Install and Configure AIDE on Ubuntu 18.04

Before you can begin to install and configure AIDE on Ubuntu 18.04, update and upgrade your system packages

sudo apt update
sudo apt upgrade

Install AIDE on Ubuntu 18.04

Once the system update is done, it is time to install AIDE on Ubuntu 18.04. The good thing is that AIDE is available in the default Ubuntu repositories, so you can simply install it as follows;

sudo apt install aide

During installation, you will be prompted to configure Postfix. Set the correct mail server configuration type and the mail name.

Configuring AIDE on Ubuntu 18.04

AIDE has now been installed. You can run aide -v to check the installed version and the options with which AIDE was compiled.

aide -v
Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
WITH_AUDIT
CONFIG_FILE = "/dev/null"

The general configuration file for AIDE is located under /etc/default/aide. The rules and configurations reside under /etc/aide/ and the AIDE database is located under /var/lib/aide/.

Before we can proceed with the configuration of AIDE, you need to create a new AIDE database. This can be done by using the aideinit script. aideinit will create a new database, /var/lib/aide/aide.db.new. Creating a new AIDE database may take a few minutes, depending on the number of files on the system.

sudo aideinit
Running aide --init...
Start timestamp: 2019-01-29 18:24:13 +0000 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new
Verbose level: 6

Number of entries:	138400

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new
  RMD160   : d4SEVhfZEguCINwJEQJvot2tjWc=
  TIGER    : vhiRANRpGuACXvn9isU/wR3B1KRJ4hwr
  SHA256   : SdlgAB01p9Jn0yblMYZNauSKAPkhgWLz
             GcxrN+SnYhE=
  SHA512   : 1LPRiANnSxI6ZWq6ktoWLciQQqL9RTk1
             Opu6uBvB40LqDPHznoQxGhHZLPX8q2K7
             6+HrNm6UqnSK/+c4+TBu/g==
  CRC32    : Ls1tow==
  HAVAL    : P0mlZhSNQ08kBi6kBOXeP5MSiBo1Gkf9
             guVLoYa3C5I=
  GOST     : 1BZxQdadYtSX1sED9Z+tJk+9uXm8SmId
             r10Oa1rpcYk=


End timestamp: 2019-01-29 18:30:27 +0000 (run time: 6m 14s)

To install the newly created AIDE database as the baseline, copy it into place as follows;

cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Next, generate the merged AIDE configuration from the rule fragments under /etc/aide/aide.conf.d;

update-aide.conf

Copy the newly generated configuration file into place.

cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf

Testing AIDE

Once the configuration is done, it is time to test this tool. First, run a manual check by executing the command below;

aide -c /etc/aide/aide.conf -C

The command compares the current filesystem against the AIDE database and reports every deviation it finds. See the example output below;

Start timestamp: 2019-01-30 10:48:31 +0000 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Verbose level: 6

Summary:
  Total number of entries:	102617
  Added entries:		1
  Removed entries:		0
  Changed entries:		2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------
Changed entries:
---------------------------------------------------

f >b... mc..C.. .: /etc/aide/aide.conf
f =.... mc..C.. .: /var/log/journal/bb7e8bffbe43449e9565bf8712dbee8c/system.journal

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/aide/aide.conf
  Size     : 6598                             | 57102
  Bcount   : 16                               | 112
  Mtime    : 2018-02-02 19:16:08 +0000        | 2019-01-30 10:48:06 +0000
  Ctime    : 2019-01-30 10:35:48 +0000        | 2019-01-30 10:48:06 +0000
  RMD160   : kHZi6LuS1X5nlHkrtCLV9UdgDxo=     | NJrrqPQmqjX6MXVSufzWl9DwUq4=
  TIGER    : 4Xz+mZRAxr2kNIGOmTNJa/7Ftv+VpV37 | eK8XUz4hSjVP5ynT08cKKOW3Cl3SMWog
  SHA256   : RN1UT38/wRA8N5o4M4MHU8N+G49sK9nB | mOJ+dgkewL5A2aTe+YohLx8VfnVIyPeo
             0B5VVewz3h8=                     | gITBqrv4/qA=
  SHA512   : o4LOstw3erheco5dpKcKLadGav29Ud9E | +obSMFAoSWuMSl9wqCrWmTlBvVI46llZ
             ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | TfRBJckm6jSP4RP1nsEgjEhazp3xGfE9
             yKP7Fvoitf+jHcriq57Pgg==         | He0zfwcn+GgFAaGhYB6GuA==
  CRC32    : S3Rhfg==                         | 8wC5XQ==
  HAVAL    : +O7017egNOm+/TJW/3HxeQcxmz55pDM7 | is4+L0o7TwyG96tI/bvAJfLg5vyjXHUt
             S+TXtMWVN/E=                     | w68Mv8ISFaA=
  GOST     : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | kjH6QLrtARoVVIthW9dRjl6lcGbdO9RL
             NhV8dix9LIw=                     | lmHOUtPcL0g=

File: /var/log/journal/bb7e8bffbe43449e9565bf8712dbee8c/system.journal
  Mtime    : 2019-01-30 10:35:50 +0000        | 2019-01-30 10:52:45 +0000
  Ctime    : 2019-01-30 10:35:50 +0000        | 2019-01-30 10:52:45 +0000
  RMD160   : OPiOJ+A052D16445d4V0UKKwxNc=     | ixkNOr8URmd9PHa8E9LHV6KX9Qg=
  TIGER    : Dq0dBwnP/KZLbjeNZexIZ/xXGp3Fqrsg | Nmdzpx3B1ovx/QnenWib6Gvlnxp+NyYr
  SHA256   : 5aFVHAAioL812oDAvVSKOr9TYL/lss18 | ZRPPaSlC7SLXkKAJprkZkX4G2S6UF8XV
             lB2XKJqrG5U=                     | IwBcDY8wQ/U=
  SHA512   : y+vkFBDok4qluzbz1N3h9Mnxu6mFKork | wo7mRX0gHq6U9B5DGv2gYtvXF49oz9kR
             ajNB49g+xva/jqEFbsr+ovFPRVj29DNV | XDQ/aF5uDv5NXX2m+EB5K040AKVoqx3q
             YvAJ7vJO+/5piFepTcyFSA==         | yIA4EeEzvNW0/z0fUva7lQ==
  CRC32    : OHFR6g==                         | ZlMqdw==
  HAVAL    : 7axEtl8NfeAUhB6WlP4hRuMcuBXnusXY | gj+HFZd02z7Z5Sz61lq/lYpj0v/wz2Gb
             BsN2+eDOgmg=                     | BdMolbUMyI8=
  GOST     : 8mMuqnlKzrJPE17i4ZQg/qkjXkGm6jUS | U03sH84MOVTn9/TVW2LSL5LNv9wQ1p8V
             rMLZbCPp1+o=                     | WXNnGHU6/Ec=


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
  RMD160   : 72ztIXlQ94R/e74lT+MkWN9MQVk=
  TIGER    : eQYlNo/Tuc5LsjHq+5I4DL4YWge0tdG8
  SHA256   : 89UyTx3dEhmWclY0X/BiAFzONiPcsRF0
             5YsPRNuS5/M=
  SHA512   : 54uVoLOZJpRwYr2fCgxxYwPAIkvBIrkS
             t29yQpjYejD8LUw/Hqpb9YyTCvd7DdsH
             wH+e442KrS2Ri30sOIHyVA==
  CRC32    : CQDToQ==
  HAVAL    : edaIw5A4PSajIwv6UhKMt9gvw1LtprRJ
             zjCPN9sixUM=
  GOST     : XI+xehHMm71rHhij61vW0cBBRinGCspc
             uT9aVbxxRnI=


End timestamp: 2019-01-30 10:54:01 +0000 (run time: 5m 30s)
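The "Changed entries" lines in the output above encode which attributes changed in a fixed 17-column flag string. The following script is an added example for this guide, not code shipped with AIDE: it parses entry lines from a report, decodes the flags, and assigns a severity so that routine churn (the systemd journal, the AIDE database itself) is separated from changes to AIDE's own configuration and cron job. The column layout YlZbpugamcinCAXSE is taken from the aide(1) manual and is assumed to match the 0.16 build installed here; the allowlist and sample report are constructed.

```python
"""Triage helper for AIDE 0.16 check output (added example for this guide,
not code shipped with AIDE). Flag columns are read per the aide(1) manual
layout YlZbpugamcinCAXSE, which is assumed to match the installed build."""
import re

# Y = file type; l link name, Z size, b blocks, p perms, u uid, g gid,
# a atime, m mtime, c ctime, i inode, n links, C checksum, A acl,
# X xattrs, S selinux, E e2fsattrs.  '.' unchanged, ' ' not checked, '=' same size.
COLUMNS = "YlZbpugamcinCAXSE"
# Constructed allowlist: paths that legitimately churn between daily runs.
EXPECTED = [re.compile(r"^/var/log/journal/"), re.compile(r"^/var/lib/aide/aide\.db$")]
# Changes here suggest the checker or its schedule is being tampered with.
CRITICAL = [re.compile(r"^/etc/aide/"), re.compile(r"^/etc/cron\.daily/aide$")]

def decode(flags):
    """Map a 17-char flag string to {column letter: marker} for changed attrs."""
    return {col: ch for col, ch in zip(COLUMNS[1:], flags[1:]) if ch not in ". ="}

def severity(path):
    if any(p.search(path) for p in CRITICAL):
        return "critical"
    return "info" if any(p.search(path) for p in EXPECTED) else "warn"

def triage(report):
    """Return (severity, status, path, changed_attrs) for each entry line."""
    out = []
    for line in report.splitlines():
        # Entry lines are exactly 17 flag chars, ': ', then an absolute path.
        if len(line) > 19 and line[17:19] == ": " and line[19] == "/":
            flags, path = line[:17], line[19:]
            if flags[1:] == "+" * 16:
                status, attrs = "added", {}
            elif flags[1:] == "-" * 16:
                status, attrs = "removed", {}
            else:
                status, attrs = "changed", decode(flags)
            out.append((severity(path), status, path, attrs))
    return out

# Constructed sample in the format of the check output shown in this guide.
SAMPLE = """\
f++++++++++++++++: /var/lib/aide/aide.db
f >b... mc..C.. .: /etc/aide/aide.conf
f =.... mc..C.. .: /var/log/journal/bb7e8bffbe43449e9565bf8712dbee8c/system.journal
f =.... mc..C.. .: /usr/bin/ls
f----------------: /etc/cron.daily/aide
"""
```

Feeding the daily report (or the mail it produces) through triage() gives a first cut at which lines deserve a human look; the allowlist should be kept as short as possible, since anything on it is effectively unmonitored.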

Next, you can go ahead and create new files, edit some and even delete some, then run the check again to see how AIDE detects each of these changes.

If you need to run AIDE daily, the package already sets up a daily execution script for you, /etc/cron.daily/aide.

If you need to receive the check status via mail, edit the file /etc/default/aide and set the value of the MAILTO directive to your email address so that it looks like the line below (the address is a placeholder). The default recipient is root.

MAILTO=admin@example.com

Furthermore, if you need to limit the integrity check to specific entries, for example /etc, pass --limit REGEX, where REGEX matches the entries to check. For example, to check the database entries matching /etc, you would run the aide command as shown below;

aide -c /etc/aide/aide.conf --limit /etc --check

To exclude some directories, edit the configuration file, /etc/aide/aide.conf, and add the directories to ignore at the end of the file in the format;

!/home/
!/var/lib/
!/proc

Whenever you make such changes, remember to re-initialize the database so that the new baseline reflects the updated rules.

You can also create your own configuration and define what needs to be checked and what not. See the example configuration below;

vim /home/amos/aide.conf
# Path for creating the databases
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new

# Set your own AIDE rule.
MYRULE =  p+n+u+g+s+m+c+xattrs+md5+sha512

# Directories/files to be monitored and rule to apply
/etc MYRULE
/bin MYRULE
/usr/bin MYRULE

# Directories to ignore
!/home
!/proc

Basically, the rule set above checks permissions, number of links, user, group, modification time, inode/file change time, extended file attributes, MD5 checksum and SHA512 checksum.

Verify the configuration file for errors by running the command below;

aide -c /home/amos/aide.conf --config-check

Check the command exit status; a non-zero value indicates a configuration error.

echo $?

To learn more about the commands and parameters used with the aide command, consult the man page and the AIDE manual.

man aide

To wrap up, ensure that you update the AIDE database after every check you have reviewed, so that changes already accounted for are not reported again on subsequent AIDE checks.

Great. That is all we could cover in our guide on how to install and configure AIDE on Ubuntu 18.04.

2 COMMENTS

  1. What you don’t explain here (like ALL the other pages about AIDE) is why AIDE keeps alerting, even when there’s no change

    When you make a legit change to a file, you have to update the db
    aide -c /etc/aide/aide.conf --update

    Problem is, and NO ONE explains this, it’s not the db that’s updated, but a NEW DB is created

    Thus, you have to copy the new DB to replace the previous one:
    cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

  2. Thank you for this tutorial. It might be interesting to know how the daily cron job can be edited to use the custom configuration file. Also, I wonder if the alerts contain information about modifications made by legitimate system management actions.
