How to Install and Use AIDE Advanced Intrusion Detection Environment on CentOS 8
AIDE (Advanced Intrusion Detection Environment) is one of the most popular tools for monitoring changes to Linux-based operating systems. It is used to protect your system against malware and viruses and to detect unauthorized activity. It works by creating a database (a snapshot) of the file system and then checking the live system against that database to verify file integrity and detect intrusions. AIDE helps you shorten investigation time during incident response by focusing on the files that have actually changed.
Features
- Supports various attributes, including file type, inode, uid, gid, permissions, number of links, mtime, ctime and atime.
- Supports gzip compression, SELinux, xattrs, POSIX ACLs and extended file system attributes.
- Can create and compare various message digests, including md5, sha1, sha256, sha512, rmd160, crc32, etc.
- Capable of notifying you via email.
In this tutorial, we will show you how to install and use AIDE to detect intrusions on CentOS 8.
Prerequisites
- A server running CentOS 8 with a minimum 2 GB RAM.
- A root password is configured on your server.
Getting Started
Before starting, it is a good idea to update your system's packages to their latest versions. Run the following command to update your system:
dnf update -y
Once your system is updated, restart it to implement the changes.
Install AIDE
AIDE is available in the default CentOS 8 repository, so you can install it by simply running the following command:
dnf install aide -y
Once the installation has been completed, you can check the installed version of AIDE using the following command:
aide --version
You should see the following output:
Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"
You can also list all the options available with the aide command using the following command:
aide --help
The help output lists every supported command and option.
Create and Initialize the Database
After installing AIDE, the first thing you need to do is initialize it. This initialization creates a database (snapshot) of all the files and directories on your server that the configuration covers.
Run the following command to initialize the database:
aide --init
You should see the following output:
Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:      49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==

End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)
The above command creates a new AIDE database, aide.db.new.gz, in the /var/lib/aide directory. You can see it using the following command:
ls -l /var/lib/aide
You should see the following output:
total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz
AIDE will not use the new database file until it has been renamed to aide.db.gz. You can rename it with the following command:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
It is recommended to update this database on a regular schedule, after every reviewed change, so that the baseline stays meaningful. You can also change the location of the AIDE database by editing the /etc/aide.conf file and modifying the DBDIR value.
Check AIDE
At this point, AIDE is ready to use the new database. Now, run your first AIDE check without making any changes:
aide --check
This command will take some time, depending on the size of your file system and the amount of RAM in your server. Once the AIDE check has completed, you should see the following output:
Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
The above output indicates that every file and directory matches the AIDE database.
Test AIDE
By default, AIDE is not configured to watch the files and directories under the Apache default document root, /var/www/html. To make AIDE watch that directory, edit the configuration file /etc/aide.conf:
nano /etc/aide.conf
Add the following line above the line "/root/ CONTENT_EX":
/var/www/html/ CONTENT_EX
Save and close the file when you are finished.
Next, create an aide.txt file inside /var/www/html/ directory using the following command:
echo "Test AIDE" > /var/www/html/aide.txt
Now, run the AIDE check and verify that the newly created file is detected:
aide --check
You should see the following output:
Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      49475
  Added entries:                1
  Removed entries:              0
  Changed entries:              0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt
The above output indicates that the newly created file aide.txt was detected by the AIDE check.
Next, it is a good idea to update the AIDE database after reviewing the changes detected by the check and confirming that they are expected. You can update the AIDE database using the following command:
aide --update
Once the database is updated, you should see the following output:
Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:      49475
  Added entries:                1
  Removed entries:              0
  Changed entries:              0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt
The above command writes a new database called aide.db.new.gz in the /var/lib/aide/ directory; the existing aide.db.gz is left untouched. You can see both files using the following command:
ls -l /var/lib/aide/
You should see the following output:
total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz
Now, rename the new database again so that AIDE uses it as the baseline for any further changes. You can rename the database using the following command:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Now, run the AIDE check again to confirm that AIDE is using the new database:
aide --check
You should see the following output:
Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
Once you are done, you can proceed to the next step.
Automate AIDE Check
It is a good idea to automate the AIDE check so that it runs every day and sends its report to you via system mail. You can automate this with a cron job.
To do so, edit the cron default configuration file as shown below:
nano /etc/crontab
Add the following line at the end of the file to run the AIDE check every day at 10:15 AM:
15 10 * * * root /usr/sbin/aide --check
Save and close the file when you are finished.
Cron mails the output of the job to the root user, so AIDE will now notify you via system mail.
You can read your system mail using the following command:
tail -f /var/mail/root
You can also check the AIDE log with the following command:
tail -f /var/log/aide/aide.log
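The cron line above mails the raw report every day, whether or not anything changed. The wrapper below is an added example (not part of the original tutorial or of AIDE itself) that decodes the exit status AIDE returns, pulls the counters out of the report's Summary block and lists the affected paths, so the mail tells you at a glance what to review before running aide --update. It assumes mail(1) and hostname(1) are installed; the sample report embedded in it is constructed from the output shown earlier on this page.

```shell
#!/bin/sh
# Wrapper for the daily "aide --check" cron job. Save as /usr/local/sbin/aide-check.sh
# and use "15 10 * * * root /usr/local/sbin/aide-check.sh --run" in /etc/crontab.

# Constructed sample of an AIDE 0.16 report (same shape as the output shown above).
SAMPLE_REPORT='Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      49475
  Added entries:                1
  Removed entries:              0
  Changed entries:              0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt'

# AIDE exit status is a bit-mask: 1 = new files, 2 = removed files, 4 = changed files;
# 14 and above mean aide itself failed (bad config, I/O error, ...), not a file change.
aide_status_desc() {
  st=$1
  if [ "$st" -ge 14 ]; then echo "error"; return; fi
  if [ "$st" -eq 0 ]; then echo "clean"; return; fi
  out=""
  [ $((st & 1)) -ne 0 ] && out="${out}added "
  [ $((st & 2)) -ne 0 ] && out="${out}removed "
  [ $((st & 4)) -ne 0 ] && out="${out}changed "
  echo "${out% }"
}

# Read one counter ("Added", "Removed" or "Changed") from the report's Summary block.
report_count() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $2 == "entries:" && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# Extract the paths from per-entry lines such as "f++++++++++++++++: /var/www/html/aide.txt".
report_paths() {
  printf '%s\n' "$1" | sed -n 's/^[a-z][^:]*: \(\/.*\)$/\1/p'
}

# Run the real check and mail a short digest to root only when something differs or aide fails.
run_check() {
  out=$(/usr/sbin/aide --check 2>&1); st=$?
  desc=$(aide_status_desc "$st")
  [ "$desc" = "clean" ] && exit 0
  { echo "AIDE check on $(hostname): $desc (exit $st)"
    echo "added=$(report_count "$out" Added) removed=$(report_count "$out" Removed) changed=$(report_count "$out" Changed)"
    report_paths "$out"; } | mail -s "AIDE: $desc on $(hostname)" root   # assumes mail(1)
  exit "$st"
}

case "${1:-}" in --run) run_check ;; esac
```

An "error" result (exit status 14 or higher) deserves the same attention as a change, because a check that did not run is not a clean result.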
Conclusion
In this tutorial, you learned how to use AIDE to understand changes on your server and identify unauthorized access. You can modify the /etc/aide.conf file to watch your application directories or to tune more advanced settings. It is recommended to keep your AIDE database and configuration file on read-only media, so that an intruder who gains write access to the server cannot rewrite the baseline to hide their changes. For more information, you can check the AIDE documentation at AIDE Doc.