How To Configure The AIDE (Advanced Intrusion Detection Environment) File Integrity Scanner For Your Website

A file integrity scanner is something you need to have.  Imagine a hacker placing a backdoor on your web site, or changing your order form to email him a copy of everyone's credit card while leaving it appear to be functionally normally.

By setting up daily reporting, this notifies you within, at most, 24 hours of when any file was changed, added, or removed.  It also helps establish an audit trail in the event your site is compromised.

These instructions are designed for an end user, where you don't need to have root access, to implement and assumes your server has the aide binary installed.  Most hosts will have this installed already, or will install it for you upon request.

 

Step 1: Download A Sample AIDE config file

We will start with a simple one, this will scan your web root directory for md5 hash changes.

To download the file, SSH into your account and run:

$ wget securehostingdirectory.com/aide.conf

What you will want to change in this file, is replace "username" on the first line, and confirm that is the path to your root directory.

Then on the last line, confirm that public_html is your web root directory.  If your host uses the cPanel control panel, then public_html is your web root.

 

Step 2: Initialize the AIDE database

The command to initialize the AIDE database is:

$ nice -19 aide --init --config=/home/username/aide.conf

AIDE is not the least resource intensive software in the world so we are running it with a 19 priority using nice.

Now copy your AIDE output database file to the input file:

$ cp aide.db.out aide.db.in

You can test aide by doing:

$ nice -19 aide -C --config=/home/username/aide.conf

Go ahead and run that now, it will say all files match, then make a change to a file and add a file, rerun it and see what the report says.

 

Step 3: Daily Reporting

There are a few ways to get the aide reports, a common one is to have it email you the reports, for this you can set a cronjob to run aide everyday, or even more frequently if you'd like.

Open up the crontab editor and paste in:

0 1 * * * nice -19 /usr/local/bin/aide --config=/home/username/aide.conf -C| mail [email protected] -saide\ domain

The reports can get rather lengthy overtime, so if you want to reset the database, say weekly, you can add this to the crontab:

0 2 * * 0  nice -19 /usr/local/bin/aide --config=/home/username/aide.conf --init;mv -f /home/username/aide.db.out /home/username/aide.db.in

 

Step 4: Extras

We have covered the basics, and that is actually only the tip of the iceberg of what you can do with AIDE.

You can get the full AIDE config file here: Full AIDE Config File

And you might want to exclude certain files, for example if you have a forum or gallery and a lot of images are added regularly you can exclude those from the report. For example to exclude all jpg files in images/ you would put the following in the config file:

 [email protected]@{TOPDIR}/public_html/images/.*\.jpg$

And that would go right above this line:

@@{TOPDIR}/public_html MD

Another thing you can do for extra security is, have your host chown your in database file, and your config file to another user, this way if your user is compromised, the hacker could not compromise your AIDE database, without also gaining access to the second user.

To be even more secure, you can download your AIDE database after creating it, and then upload it before you run a scan.

I hope this Howto lets you see the need for a file integrity checker, and makes it easy to setup, no matter what your user level is.

Share this page:

Suggested articles

8 Comment(s)

Add comment

Comments

By:

is that link securehostingdirectory.com/aide.conf secured enough? is that the best link to get this thing?

 

By: Aura23

This is the Sourceforge project link:

http://aide.sourceforge.net/

By: Aura23

... oh dear I'm so stupid. I thought you were talking about aide itself, not the config.

 Well, the installation of aide will create a basic configuration itself, so if you like to tinker on it then you probably won't have to download the provided configuration.

By: Anonymous

or if your server has a cd drive you can write the AIDE db to the cd-r on another computer. that way is read only, no matter who hack your server. just a thought 

By: Anonymous

The link in this tutorial no longer works:

wget securehostingdirectory.com/aide.conf

By: Anonymous

Is their way to configure AIDE to not send email if the body of the email reads:

"AIDE, version 0.14### All files match AIDE database. Looks okay!"? I want to only be emailed in the event of an issue.

By: John Doe

Awesome HowTo! Thx a lot for this.

By: Jacob Amey

I ended up writing a script to do just this. It does not search for that text but instead exit codes. If its return code is a zero, no change happened. A 1+ and change or failure occurred so it will notify with a generated report.# Start of Script.

#!/bin/bash

#

# Variables

###########

#

AIDE=$(which aide)

DATE=$(date +%Y-%m-%d)

TIME=$(date +%r)

ORGANIZATION=DevOps

REPORT=/tmp/aide/aide-report-"$DATE".txt

EMAIL="[email protected],[email protected]"

SUBJECT="[ Security Check ] $ORGANIZATION Aide Report - $(hostname) - $DATE"

LOCKFILE=/tmp/aide-job.lck

 

#

# Functions

###########

#

aide_init () {

  echo "=========="

  echo "[AIDE] - Is performing an init of its DB for next run."

  echo "=========="

  rm /var/lib/aide/aide.db.gz

  $AIDE --init

  mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

}

 

aide_check () {

  echo "=========="

  echo "[AIDE] - Is Performing an audit check..."

  echo "=========="

  if [[ -f /var/lib/aide/aide.db.gz ]]; then

    $AIDE --check

  else

    $AIDE --init

    mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

    $AIDE --check

 

  fi

}

 

aide_notify () {

aide_message | mailx -a $REPORT -s "$SUBJECT" $EMAIL

}

 

aide_cleanup () {

  echo "=========="

  echo "[SYSTEM] - Is cleaning up lockfiles and old reports."

  echo "=========="

  rm -f $LOCKFILE

  find /tmp/aide/aide-report-* -mtime +10 -type f -delete

  echo "-------------------------------------"

  echo "AIDE process finished at $(date +%r)."

  exec 1>&3

}

 

aide_message () {

echo -e "

The Advanced Intrusion Detection Environment (AIDE) has finished a system check on $DATE at $TIME.

Please review the attachment for $(hostname).

 

Regards,

The $ORGANIZATION Security Team

[Please do not reply to this message. This notification is an automatically generated email; We do not monitor this mailbox.]"

}

 

###########

# Ensure logfile exist.

#

mkdir -p /tmp/aide

touch $REPORT

 

###########

# Redirect output to a logfile.

#

exec 3>&1

exec 1>> $REPORT

 

###########

# AIDE Process Start

#

echo -e "

------------: AIDE CHECK :---------------

Hostname : $(hostname)

IP : $(hostname -i)

Date and Time : $(date)

-------------------------------------------

 

"

echo "aide check started at $(date +%r)."

echo "----------------------------------"

###########

# Creat lock file;

#

if [ -f $LOCKFILE ]; then

  echo "A lock file already exists, we will not run an aide check since it's already running."

  echo "aide check stopped at $(date +%r)."

  exec 1>&3

  exit 0

else

  echo "There is no lock file; Creating it and starting aide system check."

  touch $LOCKFILE

fi

 

###########

# run aide.

# send aide report.

# update aide for next run.

# cleanup.

aide_check

  if [[ $? != 0 ]]; then

    echo "AIDE detected changes, cleaning up and sending a notification."

    aide_init

    aide_cleanup

    aide_notify

    exit 0

  else

    echo "AIDE detected no changes, cleaning up and exiting."

    aide_init

    aide_cleanup

    exit 0

fi

 

# End of script.