How to Install and Use AIDE Advanced Intrusion Detection Environment on CentOS 8

AIDE stands for "Advanced Intrusion Detection Environment" is one of the most popular tools for monitoring changes to Linux-based operating systems. It is used to protect your system against malware, viruses and detect unauthorized activities. It works by creating a database of the file system and checks this database against the system to ensure file integrity and detect system intrusions. AIDE helps you to shorten the investigation time during the incident response by focusing in on the files that have been changed.

Features

  • Supports various attributes including, File type, Inode, Uid, Gid, Permissions, Number of links, Mtime, Ctime and Atime.
  • Supports Gzip compression, SELinux, XAttrs, Posix ACL and Extended file system attributes.
  • Capable of creating and comparing various message digest algorithms including, md5, sha1, sha256, sha512, rmd160, crc32, etc.
  • Capable of notifying you via email.

In this tutorial, we will show you how to install and use AIDE to detect intrusions on CentOS 8.

Prerequisites

  • A server running CentOS 8 with a minimum 2 GB RAM.
  • A root password is configured on your server.

Getting Started

Before starting, it is a good idea to update your system to the updated version. Run the following command to update your system.

dnf update -y

Once your system is updated, restart it to implement the changes.

Install AIDE

By default, AIDE is available in the CentOS 8 default repository. You can install it easily by just running the following command:

dnf install aide -y

Once the installation has been completed, you can check the installed version of AIDE using the following command:

aide --version

You should see the following output:

Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

You can also see all the option available with aide command using the following command:

aide --help

You should see the following screen:

Advanced Intrusion Detection Environment

Create and Initialize the Database

After installing AIDE, first thing you will need to do is to initialize the setup. This initialization will create a database (snapshot) of all the files and directories of your server.

Run the following command to initialize the database:

aide --init

You should see the following output:

Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==


End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)

The above command will create a new AIDE database aide.db.new.gz within /var/lib/aide directory. You can see it using the following command:

ls -l /var/lib/aide

You should see the following output:

total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz

AIDE will not use the new database file until it has been renamed to aide.db.gz. You can rename it with the following command:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

It is recommended to update this database on a set period to ensure appropriate monitoring of changes. You can also change the location of the AIDE database by editing the /etc/aide.conf file and modify the DBDIR value.

Check AIDE

At this point, AIDE is ready to use the new database. Now, run your first AIDE check without making any changes:

aide --check

This command will take some time depending on your file system size and amount of RAM in your server. Once the AIDE check has been completed, you should see the following output:

Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

The above output indicates that every file and directory match with the AIDE database.

Test AIDE

By default, AIDE is not configured to watch files and directories of the Apache default document root /var/www/html. So, you will need to configure AIDE to watch the directory /var/www/html. You can configure it by editing the file /etc/aide.conf.

nano /etc/aide.conf

Add the following line above the line "/root/ CONTENT_EX":

/var/www/html/ CONTENT_EX

Save and close the file when you are finished.

Next, create an aide.txt file inside /var/www/html/ directory using the following command:

echo "Test AIDE" > /var/www/html/aide.txt

Now, run AIDE check and verify that the newly created file is detected by the aide check.

aide --check

You should see the following output:

Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The above output indicates that the newly created file aide.txt is detected by the aide check.

Next, it is a good idea to update the AIDE database after review the changes detected by aide check. You can update the AIDE database using the following command:

aide --update

Once the database is updated, you should see the following output:

Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The above command will create a new database called aide.db.new.gz in /var/lib/aide/ directory.

You can see it using the following command:

ls -l /var/lib/aide/

You should see the following output:

total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz

Now, rename the new database again so that AIDE uses this new database to keep track of any new changes. You can rename the database using the following command:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Now, run the AIDE check again to check whether the AIDE uses the new database or not:

aide --check

You should see the following output:

Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Once you are done, you can proceed to the next step.

Automate AIDE Check

It is a good idea to automate the AIDE check every day and send the report to a system via mail. You can automate this process using the cron job.

To do so, edit the cron default configuration file as shown below:

nano /etc/crontab

Add the following line at the end of the file to automate the AIDE check on every day at 10:15 AM:

15 10 * * * root /usr/sbin/aide --check

Save and close the file when you are finished.

Now, AIDE will notify you via system mail.

You can check your system mail using the following command:

tail -f /var/mail/root

You can also check the AIDE log with the following command:

tail -f /var/log/aide/aide.log

Conclusion

In the above tutorial, you learned how to use AIDE to understand the server changes and identify unauthorized access to your server. You can modify the /etc/aide.conf file to watch your application directory or any advanced settings. It is recommended to keep your AIDE database and configuration file in a read-only media for security reasons. For more information, you can check the AIDE documentation at AIDE Doc.

Share this page:

0 Comment(s)