Install and Configure AIDE on Ubuntu 20.04

0
346

In this tutorial, you will learn how to install and configure AIDE on Ubuntu 20.04. AIDE stands for Advanced Intrusion Detection Environment.

AIDE is an intrusion detection system that detects changes to files on the local system. It creates a database from the regular expression rules that it finds from the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of the file. More algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies. Some of the file properties that AIDE can check include file permissions, inodes, modification time, file contents, user, group, file size…

Install and Configure AIDE on Ubuntu 20.04

Run System Update

Before you can begin to install and configure AIDE on Ubuntu 20.04, update and upgrade your system packages

sudo apt update
sudo apt upgrade

Install AIDE on Ubuntu 20.04

AIDE is available on the default Ubuntu repositories.

apt-cache policy aide
aide:
  Installed: (none)
  Candidate: 0.16.1-1build2
  Version table:
     0.16.1-1build2 500
        500 http://ke.archive.ubuntu.com/ubuntu focal/main amd64 Packages

So you can simply be install it by executing the command below;

sudo apt install aide

Configuring AIDE on Ubuntu 20.04

AIDE has been successfully installed.

You can check the installed version and the options with which AIDE is compiled by executing the command below.

aide -v
Aide 0.16.1

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
WITH_AUDIT
CONFIG_FILE = "/dev/null"

The general configuration file for AIDE is located under /etc/default/aide. The rules and configurations resides under /etc/aide/ and the AIDE database is located under /var/lib/aide/.

Initialize AIDE Database on Ubuntu 20.04

Before you can proceed with configuration of AIDE, you need to create new AIDE database. This can be done by using the aideinit script. The aideinit will create a new baseline database,  /var/lib/aide/aide.db.new.

Creating a new AIDE database may take some few minutes though.

sudo aideinit
...
Start timestamp: 2020-08-17 21:16:09 +0300 (AIDE 0.16.1)
AIDE initialized database at /var/lib/aide/aide.db.new
Verbose level: 6

Number of entries:	394993

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new
  RMD160   : GAsN4WEjhdn24HElaCb/daTKDjw=
  TIGER    : gwq53qWUr8hNSR2QnQficDJXungcT0B8
  SHA256   : UpDqEtrLclqTqueWyXY5QOaivAMIhG1m
             BXLExj07yaA=
  SHA512   : lEj5QZJDraeraqx99J9Vi5AUBa3VPtH1
             ZsWQret9+hXpvlyKV9jYzjLT/nSRYZjb
             3yiwEOnk2N5Tsao+XEALew==
  CRC32    : exgbFw==
  HAVAL    : 0EJFOeHe63tSE7qV0xdMHabpQr4kQkdy
             6b0UxZbknxM=
  GOST     : hK/QHynp7XXi8tD3c1K5WLGCCnHcgMaS
             HyQgh9uB5Os=


End timestamp: 2020-08-17 21:32:02 +0300 (run time: 6m 53s)

As you can see, a new baseline AIDE database has been created, /var/lib/aide/aide.db.new.

Install New AIDE Database

To install the newly created AIDE database, you need to copy it to place as follows;

cp /var/lib/aide/aide.db{.new,}

Rebuild AIDE Configuration

To update AIDE runtime configuration, /etc/aide/aide.conf, execute the command below

update-aide.conf

The command generates a new configuration file, /var/lib/aide/aide.conf.autogenerated. Copy the new configuration file to the default AIDE configs directory and overwrite the existing;

cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf

Check AIDE Database for any Inconsistencies

Once the new configuration is generated, run the manual database check against the new configuration by executing the command below;

aide -c /etc/aide/aide.conf -C

The command will basically try to check the deviation between the AIDE database and the filesystem. See the example output below;

...
Start timestamp: 2020-08-17 22:58:29 +0300 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Verbose level: 6

Summary:
  Total number of entries:	395004
  Added entries:		8
  Removed entries:		0
  Changed entries:		13

---------------------------------------------------
Added entries:
---------------------------------------------------

d++++++++++++++++: /run/motd.d
d++++++++++++++++: /run/motd.d/fwupd
f++++++++++++++++: /run/motd.d/fwupd/85-fwupd
d++++++++++++++++: /run/systemd/dynamic-uid
l++++++++++++++++: /run/systemd/units/invocation:fwupd.service
d++++++++++++++++: /tmp/systemd-private-a6c413acea194aa1bd41d2936e4d4ea6-fwupd.service-Xwi4Fh
d++++++++++++++++: /tmp/systemd-private-a6c413acea194aa1bd41d2936e4d4ea6-fwupd.service-Xwi4Fh/tmp
f++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------
Changed entries:
---------------------------------------------------

f >b... mc..C.. .: /etc/aide/aide.conf
d   ...    n ..  : /run
d >.... mc.n ..  : /run/systemd
f =.... mci....  : /run/systemd/resolve/stub-resolv.conf
f =.... mc.....  : /run/systemd/timesync/synchronized
d >.... mc.. ..  : /run/systemd/units
d =.... mc.. .. .: /var/cache/fwupd
f >b... mci.C.. .: /var/cache/fwupd/metadata.xmlb
d =.... mc.. .. .: /var/cache/private/fwupdmgr/fwupd
f >b... mci.C.. .: /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz
f =.... mci.C.. .: /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz.asc
f =.... mc..C.. .: /var/log/journal/088f282d218f4067987670b09ad3319e/system.journal
d   ...   .n .. .: /var/tmp

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/aide/aide.conf
  Size     : 6598                             | 57485
  Bcount   : 16                               | 120
  Mtime    : 2016-04-16 20:57:29 +0300        | 2020-08-17 22:58:04 +0300
  Ctime    : 2020-08-17 22:32:14 +0300        | 2020-08-17 22:58:04 +0300
  RMD160   : kHZi6LuS1X5nlHkrtCLV9UdgDxo=     | VS/qXLCjQQoZvM9PiMN0vognx+8=
  TIGER    : 4Xz+mZRAxr2kNIGOmTNJa/7Ftv+VpV37 | PlLfFDUNNN4gLjonNvJmrzyTGKeSwhLi
  SHA256   : RN1UT38/wRA8N5o4M4MHU8N+G49sK9nB | kot4UpZLPPGlEUJdW8VtupXCjeITR4H6
             0B5VVewz3h8=                     | HsG+rB0f6L8=
  SHA512   : o4LOstw3erheco5dpKcKLadGav29Ud9E | spATSozxKYXnmS83qGHC9ijpT3RDFxMx
             ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | 6/1vnTRZy/csfmaY6D9MBMkujB5blhFf
             yKP7Fvoitf+jHcriq57Pgg==         | mD+ynvYvCwyCVjNcRe5dGg==
  CRC32    : S3Rhfg==                         | cEpRww==
  HAVAL    : +O7017egNOm+/TJW/3HxeQcxmz55pDM7 | elv71LkPurGiLw2qtG4cDF5xozVJccsG
             S+TXtMWVN/E=                     | JRzZvSiA994=
  GOST     : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | J5cKfKZL53NeV7TFaTZNJSKptrSXA0Io
             NhV8dix9LIw=                     | oX5CeovHm/M=

Directory: /run
  Linkcount: 30                               | 31

Directory: /run/systemd
  Size     : 500                              | 520
  Mtime    : 2020-08-17 21:15:49 +0300        | 2020-08-17 22:49:28 +0300
  Ctime    : 2020-08-17 21:15:49 +0300        | 2020-08-17 22:49:28 +0300
  Linkcount: 23                               | 24

File: /run/systemd/resolve/stub-resolv.conf
  Mtime    : 2020-08-17 22:38:02 +0300        | 2020-08-17 22:57:59 +0300
  Ctime    : 2020-08-17 22:38:02 +0300        | 2020-08-17 22:57:59 +0300
  Inode    : 659                              | 640

File: /run/systemd/timesync/synchronized
  Mtime    : 2020-08-17 22:16:12 +0300        | 2020-08-17 22:50:20 +0300
  Ctime    : 2020-08-17 22:16:12 +0300        | 2020-08-17 22:50:20 +0300

Directory: /run/systemd/units
  Size     : 1420                             | 1440
  Mtime    : 2020-08-17 22:37:42 +0300        | 2020-08-17 22:49:37 +0300
  Ctime    : 2020-08-17 22:37:42 +0300        | 2020-08-17 22:49:37 +0300

Directory: /var/cache/fwupd
  Mtime    : 2020-08-09 16:13:39 +0300        | 2020-08-17 22:49:36 +0300
  Ctime    : 2020-08-09 16:13:39 +0300        | 2020-08-17 22:49:36 +0300

File: /var/cache/fwupd/metadata.xmlb
  Size     : 1879141                          | 1887049
  Bcount   : 3672                             | 3688
  Mtime    : 2020-08-09 16:13:39 +0300        | 2020-08-17 22:49:36 +0300
  Ctime    : 2020-08-09 16:13:39 +0300        | 2020-08-17 22:49:36 +0300
  Inode    : 1181994                          | 1181386
  RMD160   : pYzImUr/9IKcF/SsT+tijWj6o48=     | lNG+19YEXBaY429TNxZkLlZfuVY=
  TIGER    : mCYoqhqfFNesX1DBDyNE0YyU9DHANfsr | IO3tgHWnfLb+q4+hnVjJUEliGJsoiBtt
  SHA256   : LZuTxCE1d4uxstnNw85aPmd3waqIiaUt | fchrp9FBGA0lcNqelgDUttBwUcedo+Yi
             ED7Mux5lkvI=                     | niwWtEj+h2k=
  SHA512   : 9/l4bMAUVMkk3MJxW/dG/kE6izzuwmzd | EaApKbI8wPTtUw+4q7g9VHMLQgmeH7lk
             Mne02Yp6wtvH9b7lMhl6t5tGqIXMIy6h | lyet7Sc2YrP4sUE5ZDPX0OVut0+rFN5B
             0gxhD5pBiJrAcpdwgUSvZw==         | be75hImQJReXevqXgC+/eg==
  CRC32    : PU7mFA==                         | spejqA==
  HAVAL    : ZJpdjXOB1L+AupLhbvX4pUPLA+31vYrJ | jiAxgrp+7q4U7v7vxRAUOwAVzbxCrqTl
             WOaHdM9b55M=                     | JlJZrosn4fI=
  GOST     : wttUYlhB+GClZQkO85v2CaoSrM3ebi65 | HLlRZjmex/GvqPX0XHAk04Y5xsSyBWbN
             +oZSpV60PGg=                     | UCqD96u9v48=

Directory: /var/cache/private/fwupdmgr/fwupd
  Mtime    : 2020-08-09 16:13:38 +0300        | 2020-08-17 22:49:35 +0300
  Ctime    : 2020-08-09 16:13:38 +0300        | 2020-08-17 22:49:35 +0300

File: /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz
  Size     : 424119                           | 426248
  Bcount   : 832                              | 840
  Mtime    : 2020-08-09 16:13:38 +0300        | 2020-08-17 22:49:35 +0300
  Ctime    : 2020-08-09 16:13:38 +0300        | 2020-08-17 22:49:35 +0300
  Inode    : 1181212                          | 1180811
  RMD160   : YFUDWdSVHPkiQcLISZDtJ20ky/A=     | bjaeAnUPskzRnUT2R2T/j6YijII=
  TIGER    : t0kardgEjTOXg6kjTOGK1Mjx8jreOu0t | Y3T5gm10e0xJDigOB4ptR4P8a3gIm/BO
  SHA256   : ytgCFZCZrZVDM/2pEwuMplVVQFovJtp/ | fXsj5k8OZd6253M1rKW5byDKBxVr+rJz
             jn4/PtfIwMg=                     | d8iXbqQjp2Y=
  SHA512   : xD+fcT1TfYyZ2P/64bwhqF8QfjLA3beU | KR0xDT3k5arE4UW6kkj1a9BcEwWmQYq5
             3DEWBbHYh7RUXqsgw5M31XuPXd07yTGf | JU+IaCYSIZYTHyGqL/TNfcgs3r6IF3cC
             PLF8BSXO+lg2FJutVTICnQ==         | HR7aRxWRpCtZkXaa/LLb9Q==
  CRC32    : 7iORCA==                         | 9AxJqw==
  HAVAL    : LU36UpTcbBHZreZtS1DVY/Mu7VAlwufB | Lg1NC9WNPmzu363oOCcwOGpqTCcKQXXB
             dkh20rP9YN0=                     | fYZu63QXIdo=
  GOST     : UizSu5hJ9mvqCHDunME/8o1LtXGkpCBs | oKfk9n2Jb+MlDmQ7E6gPARIRR/FN6qV1
             Fem5UwkVNso=                     | Rc88UrTd4Cg=

File: /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz.asc
  Mtime    : 2020-08-09 16:13:38 +0300        | 2020-08-17 22:49:35 +0300
  Ctime    : 2020-08-09 16:13:38 +0300        | 2020-08-17 22:49:35 +0300
  Inode    : 1181386                          | 1181212
  RMD160   : vQ1t+LGm8JuDNXaNfQf5Nu2uLBs=     | qYgiTufncPHlLLPVTBTBnjwen70=
  TIGER    : C/FgkLFD0yvufVxCIJ1557UwwmB5gT6g | Hrr56nR+iS22evWzhCcjsaB3b18ex4n7
  SHA256   : AZx4XHuXpkh5nNNJvwBbss02Q4JHar8m | u0qnWOIOXKe4MqWv2NoRA+aEiCv+RAoO
             XVbklfUeh44=                     | hFC2pluDo3A=
  SHA512   : oyfQwrMKK6ClBDTpfl1ws83JauDn2jZB | JfbGNhvPrpPBNmix0TGRhDira4Q+uAMj
             zOrKNml9JckZUIyWfo+LXGxTfFFMFqda | 69NUjYgioKTLP3gHWy6ya0T/aaZW9nNG
             SvNMs5h6hLHA6OgAjGeZAw==         | r5Vp20NYg3ovJGecFN3r/w==
  CRC32    : K4sNnw==                         | ju3ORQ==
  HAVAL    : QDsY4hzIXYWAntBnZdDHyUVhd78YzBmS | Wve1Dsn7wJ3Mg+tUIOQ0BJ1GuXj3OFXA
             6EaWU+pYT6Q=                     | mDBV/Fe7Y4M=
  GOST     : 4atPHXn4P+PDrEWCb152oGA85SLNMaDu | K0ZAsfW3Su73/Rcfmg1Ktl73rTt6YogM
             L4WsklT4hhA=                     | u+5mW4UGSIs=

File: /var/log/journal/088f282d218f4067987670b09ad3319e/system.journal
  Mtime    : 2020-08-17 22:49:37 +0300        | 2020-08-17 23:08:00 +0300
  Ctime    : 2020-08-17 22:49:37 +0300        | 2020-08-17 23:08:00 +0300
  RMD160   : Yr9Qt19hUZ/vs5VHanGI0XWPsec=     | sxiZM4GD9+bT7xpnQaQ2Y4BXgBg=
  TIGER    : n4IiYoU+90aNo48QP8NNJ+UqRpnYmSIj | Yc0FFEN093uNlzOju7CnxbgxAkGiGFeZ
  SHA256   : MChIPiES5Fy1s2cPY6NrEzSj2QcukevK | 5bewLryKRLaDtmVztDAPnF4yXjCGPgvD
             oIvAVvFr2IY=                     | D6L08jLUvMk=
  SHA512   : 0Q1LGzvO2+GyEagYpI8L9Piwy2gK5mpk | 99Oh6/6dLkz2hLKxc9fLGMSL+9YPBzgH
             Qh5m6r16cvD1eMVIvczF7xuh34wD3464 | AAuGk7aLHfJkOWDOBqAAL35+0J/7nipy
             /ljj8kNwm9MTkTWO9AXs0Q==         | 90PGDHUYX91R9R1ZPggD3A==
  CRC32    : aKCqmw==                         | cWJs5g==
  HAVAL    : evOCIyBezEFHhlPo1udj0pzEe4yCyqLV | pHrfpI3QSMlc+mws8OwsLtSdTH2Ra8jU
             aYmYblzdGl8=                     | e8bAgekKWpg=
  GOST     : +9GrDgi8EyOZk/msfzK3Tngs/d06/R16 | 2K0ZA6o9634mdHTTfeEWVQ1BGY9zB9eA
             bbeLzmRnGMU=                     | GI9VMXJbAxs=

Directory: /var/tmp
  Linkcount: 5                                | 6


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
  RMD160   : SHHCkuxGwovE79pnRzjF2FWY9l0=
  TIGER    : 4WDF8gbxMdVskus0b683V4qei0dmZ9OE
  SHA256   : iWlmKb+neZVRRT66cce5oY8yYcj21F2d
             RmQr0OZlAiU=
  SHA512   : 2mne5zEs5MbQnsVf0HOCUgPf892GfGQF
             duxUaOzNU9F7gFdpp7W1/LWYsq2IqkzV
             kN0eJX0mq7vZaa37lr/kpg==
  CRC32    : vLZ/gQ==
  HAVAL    : apU71suq+RVvyVm+OzkNE26OCSQ6d3AE
             8g9DUVYavJY=
  GOST     : PICK1Cdw+Ma5OYP4JKhxRsyhQ8cXiBjG
             XsbXV19I+0E=


End timestamp: 2020-08-17 23:14:03 +0300 (run time: 15m 34s)

From the output above, AIDE found a number of file system changes. Check the report.

Testing AIDE on Ubuntu 20.04

You can now create new files, edit some and even delete some and re-run AIDE check to actually see how AIDE can detect all these changes.

echo "1.2.3.4 test.kifarunix-demo.com" >> /etc/hosts
touch /etc/newfile
rm -rf /etc/issue

After all that changes, re-run AIDE database check against the filesystem.

aide -c /etc/aide/aide.conf -C

Limiting AIDES Integrity Checks to Specific Files/Directories

To limit the integrity checks to a specific entries for example /etc, pass the --limit REGEX option to AIDE check command where REGEX is the entry to check.

For example, check and update the database entries matching /etc, you would run aide command as shown below;

aide -c /etc/aide/aide.conf --limit /etc --check

To exclude some directories, edit the configuration file, /etc/aide/aide.conf, and add the directories to ignore to the end of the file in the format;

!/home/
!/var/lib/
!/proc

Using Custom AIDE Configuration

You can also create your own configuration and define what needs to be checked and what not. See example configuration below;

mkdir /home/koromicha/aide
vim /home/koromicha/aide/aide.conf
# Path for creating the databases
database=file:/home/koromicha/aide/aide.db
database_out=file:/home/koromicha/aide/aide.db.new
database_new=file:/home/koromicha/aide/aide.db.new

# Set your own AIDE rule.
MYRULE=p+n+u+g+s+m+c+xattrs+md5+sha512

# Directories/files to be monitored and rule to apply
#/etc MYRULE
#/bin MYRULE
#/usr/bin MYRULE

# Directories to ignore
/home MYRULE
!/proc

Basically, the rule set above checks, permissions, number of links, user, group, modification time, inode/file change time, extended file attributesMD5 checksum, SHA512 checksum.

Initialize the database with the new configuration;

sudo aide -c /home/koromicha/aide/aide.conf -i

Copy the database in place;

cp /home/koromicha/aide/aide.db{.new,}

Verify the configuration file for errors by running the command below;

aide -c /home/koromicha/aide/aide.conf --config-check

Check the command exit status.

echo $?

AIDE Diagnostics

According to AIDE man pages, the AIDE’s exit status is normally 0 if no errors occurred. Except when the –check, –compare or –update command was requested, in which case the exit status is defined as:

   1 * (new files detected?)     +

   2 * (removed files detected?) +

   4 * (changed files detected?)

   Since  those three cases can occur together, the respective error codes are added. For example, if there are new files and removed files detected, the exit status will be 1 + 2 = 3.

   Additionally, the following exit codes are defined for generic error conditions:

   14 Error writing error

   15 Invalid argument error

   16 Unimplemented function error

   17 Invalid configureline error

   18 IO error

   19 Version mismatch error

NOTE: Whenever you make any AIDE configuration changes, remember to initialize the database to create a baseline.

Make changes like create a new directory, files;

rm -rf /home/koromicha/aide/aide.db.new
mkdir /home/koromicha/test-dir
touch /home/koromicha/test-file

You can then run AIDE against your custom configuration.

aide -c /home/koromicha/aide/aide.conf -C
Start timestamp: 2020-08-18 08:35:18 +0300 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	59
  Added entries:		4
  Removed entries:		2
  Changed entries:		2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /home/koromicha/aide/aide.conf
f++++++++++++++++: /home/koromicha/aide/aide.db
d++++++++++++++++: /home/koromicha/test-dir
f++++++++++++++++: /home/koromicha/test-file

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /home/koromicha/aide/aide.db.new
f----------------: /home/koromicha/aide.conf

---------------------------------------------------
Changed entries:
---------------------------------------------------

d = ... mc n  .  : /home/koromicha
d = ... mc .  .  : /home/koromicha/aide

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /home/koromicha
  Mtime    : 2020-08-18 08:26:21 +0300        | 2020-08-18 08:31:31 +0300
  Ctime    : 2020-08-18 08:26:21 +0300        | 2020-08-18 08:31:31 +0300
  Linkcount: 9                                | 10

Directory: /home/koromicha/aide
  Mtime    : 2020-08-18 08:27:52 +0300        | 2020-08-18 08:31:14 +0300
  Ctime    : 2020-08-18 08:27:52 +0300        | 2020-08-18 08:31:14 +0300


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/home/koromicha/aide/aide.db
  MD5      : w7Z1b0myNGwnbiexjCsY8Q==
  SHA1     : PcxP7dFM/QifwAmkETeX2jdipEc=
  RMD160   : cOFuj1oXo66UJszu++O3sJSgLtU=
  TIGER    : 0kW96KfuYLcqSemVRPIQdpItMMqjqk5O
  SHA256   : CJxvbpOch28A0zbBds/WsVHwIoD2m9wR
             Z3eZLE8nSkQ=
  SHA512   : WhCWUC0HX2vcQLxS+CMe3iMmw4tjzM4N
             72q+Ni+kn4AVMMB8MD6mDtouRYwtnEI0
             nH7c+WdCoX303Y6dmjH65Q==
  CRC32    : qhiKSQ==
  HAVAL    : bIk9sCi3W/CA2Xen1KHvr5558udvZZcl
             PzAY/GgIRd4=
  GOST     : jpVKL+hk3+IaZ3J+zJkLaU1IlMWksrDo
             +wNm5MOoWfA=
  WHIRLPOOL: 2RcZzpfvzIkRRcfkw0TMXZT2zEFammH4
             j5JT9ZO41knXTmMkJ4TT1PD4+uRNBFBW
             Bylc3q2qfpC+Z1lPQ4lKkQ==


End timestamp: 2020-08-18 08:35:19 +0300 (run time: 0m 1s)

Sending AIDE Report via Mail

By default, AIDE sets up itself a daily execution script, /etc/cron.daily/aide, upon installation. The the output of checks is mailed to the user specified in the MAILTO= directive of the /etc/default/aide configuration file as detailed above.

To sent the AIDE report via mail, you need to edit the file, /etc/default/aide and set the value of MAILTO directive to your email ID such that it looks like below. The default recipient is root.

vim /etc/default/aide
...
#MAILTO=root
[email protected]

Most of the AIDE default parameter settings are defined in this file. It is highly commended for easy understanding, therefore go through this file to see what other options to enable or disable.

The email delivery can only work if you have configure your MTA for email transfer. Follow the link below to learn how to configure Postfix to use Gmail SMTP for relay;

Configure Postfix to Use Gmail SMTP on Ubuntu 20.04

Configure Postfix to Use Gmail SMTP on Ubuntu 18.04

Instead of using the cron mail recipient address above, you can edit Postfix mail aliases and set an alias for root to the email address you want to receive AIDE report on;

vim /etc/aliases
postmaster:    root
root:   [email protected]

You can as well install a cron job to execute AIDE at specific time intervals;

sudo crontab -e
*/10 * * * * aide -c /home/koromicha/aide/aide.conf -u && cp /home/koromicha/aide/aide.db{.new,}

This will execute AIDE system check every 10 mins and email the report to [email protected] as per my setup.

It is also good to note that AIDE checks might be resource intensive and may cause a performance issue on your system during integrity checks.

That marks the end of our tutorial on how to install and configure AIDE on Ubuntu 20.04.

Reference

man aide

man aide.conf

AIDE

Related Tutorials

Install and Configure Tripwire Security Monitoring tool on CentOS 8

Install and Configure AIDE on Ubuntu 18.04

Install and Setup Lynis Security Auditing tool on CentOS 8

Install OSSEC HIDS Agent on Ubuntu 20.04

Install OSSEC Agent on CentOS 8

LEAVE A REPLY

Please enter your comment!
Please enter your name here