Cyberithub

How to Use AIDE for Integrity Checks in Linux (RHEL/CentOS 7/8)


In this tutorial, I will take you through the steps to use AIDE for integrity checks in Linux. AIDE (Advanced Intrusion Detection Environment) is a widely used open source host-based intrusion detection tool for Linux. It builds its own database of the files and directories selected by a set of rules, recording permissions, ownership, inode and timestamp data and cryptographic checksums, and later compares the live filesystem against that database to report what was added, removed or changed. We will see the steps to use AIDE for integrity checks in detail. More in the RHEL Security Guide.


Step 1: Prerequisites

a) You should have a running Linux (RHEL/CentOS 7/8) server.

b) You should have root access to run privileged commands.

c) You should have the yum utility available on your system (on RHEL/CentOS 8 yum is a wrapper around dnf).

 

Step 2: Install AIDE Package

Firstly, install the aide package if not installed already.

[root@cyberithub ~]# yum install aide -y
Last metadata expiration check: 1:46:41 ago on Thu 17 Feb 2022 04:22:25 PM IST.
Dependencies resolved.
==================================================================================================================================
Package                    Architecture                 Version                            Repository                       Size
==================================================================================================================================

Installing:
aide                       x86_64                       0.16-14.el8                        appstream                       156 k
Transaction Summary
==================================================================================================================================
Install  1 Package

Total download size: 156 k
Installed size: 366 k

Downloading Packages:
aide-0.16-14.el8.x86_64.rpm                                                                        48 kB/s | 156 kB     00:03
----------------------------------------------------------------------------------------------------------------------------------
Total                                                                                              48 kB/s | 156 kB     00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction

Preparing        :                                                                                                          1/1

Installing       : aide-0.16-14.el8.x86_64                                                                                  1/1
Running scriptlet: aide-0.16-14.el8.x86_64                                                                                  1/1
Verifying        : aide-0.16-14.el8.x86_64                                                                                  1/1

Installed:
aide-0.16-14.el8.x86_64

Complete!

 

Step 3: Verify Package

To verify the installation, you can query the RPM database and check the package using below command.

[root@cyberithub ~]# rpm -qa | grep aide
aide-0.16-14.el8.x86_64

Default AIDE directories and files

Once installed, the following directories and files are present:

/var/lib/aide -> where the AIDE databases are stored by default (the database and database_out settings in the config point here)
/var/log/aide -> where the AIDE report log (aide.log) is written by default
/etc/aide.conf -> the default configuration file: predefined rule groups, the list of paths each rule applies to, and the database and report locations

 

Step 4: Check AIDE version

To check the current installed version, you can use aide -v command as shown below.

[root@cyberithub ~]# aide -v
Aide 0.16

Compiled with the following options:
WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

 

Step 5: AIDE configuration file

The config file resides at /etc/aide.conf. It defines the database and report locations, the named rule groups, and the paths each rule applies to. A rule group is a '+'-joined list of attributes that AIDE records at --init and compares at --check (p permissions, u/g owner, n link count, i inode, m/c times, acl, selinux, xattrs, sha256/sha512 checksums and so on). The groups used in this tutorial are:

PERMS  -> permission and ownership checks only, no content checksum; the stock config applies it to /etc, where file contents legitimately change.
CONTENT -> a content checksum plus the file type.
CONTENT_EX -> CONTENT extended with permission, ownership, link count, ACL, SELinux context and extended attribute checks; the right choice for binaries, which should never change outside package updates.
DATAONLY -> for files that are rewritten automatically: compares content, size, permissions and ownership but deliberately ignores inode and timestamps, so a file rewritten with identical data does not trigger.

 

Step 6: Perform Binaries Checks

We want to catch any change to binaries (user or system) in the directories below, so make sure the following entries are present in /etc/aide.conf. On RHEL/CentOS the stock configuration already covers these paths with CONTENT_EX, so check the file first rather than adding duplicates. Note also that on RHEL/CentOS 7 and 8 /bin and /sbin are symlinks to /usr/bin and /usr/sbin, which is why the reports later in this tutorial show /usr/sbin/... for a file created under /sbin.

#Binaries check

/bin        CONTENT_EX
/usr/bin    CONTENT_EX
/sbin       CONTENT_EX
/usr/sbin   CONTENT_EX

Note: For this walkthrough you can comment out the default /etc entries in the config file so that routine changes under /etc do not clutter the test reports. Do not ship a production configuration this way: /etc holds exactly the files an attacker is most likely to tamper with (sudoers, PAM, sshd_config, cron). The command below comments out every line that starts with /etc.

[root@cyberithub ~]# sed -i 's|^/etc|#/etc|g' /etc/aide.conf

 

Step 7: Create AIDE database

The first job is to create AIDE's initial database, a snapshot of the attributes and checksums of every file and directory selected by the configuration. Take this baseline on a known-clean system, ideally right after installation and before the host is exposed to the network, because everything captured here is trusted from now on. Use the command below to create the database.

[root@cyberithub ~]# aide --init
Start timestamp: 2022-02-17 19:17:53 +0530 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz
Number of entries:      44096
---------------------------------------------------
The attributes of the (uncompressed) database(s):
--------------------------------------------------
/var/lib/aide/aide.db.new.gz
MD5      : oVHYEVkYAm59iv4HAnrAsw==
SHA1     : yMV2o0c9OXhILGng3d9iGVwN61I=
RMD160   : naUHifrdLrukfRw67e5qBTGEhsQ=
TIGER    : 6LKzoP6oawblEAfhmzWXxidMCH0OYbyT
SHA256   : KDaGGwuSZsTL8k5INhrXRifg2jriIGlzrthdYx779s4=
SHA512   : O86HwDN30cKvrk0JSnlEDlVNzWttN7O0ZAWW2TmLf6kg4nyIh7p/yYJrNPmGWx0y1WWSFQ17U6xxnlxcSd7Uog==

End timestamp: 2022-02-17 19:18:19 +0530 (run time: 0m 26s)

A gzip-compressed database file, aide.db.new.gz, is written to /var/lib/aide (the database_out location from the config). It is readable by root only.

[root@cyberithub ~]# cd /var/lib/aide
[root@cyberithub aide]# ll
total 2480
-rw------- 1 root root 2538109 Feb 17 19:18 aide.db.new.gz

 

Step 8: Rename the database file

AIDE reads its reference database from the path set by the database directive in /etc/aide.conf (/var/lib/aide/aide.db.gz by default) and always writes a new database to the database_out path (aide.db.new.gz), so the freshly initialised file has to be moved into place before it can be used for a check:

[root@cyberithub aide]# mv aide.db.new.gz aide.db.gz

This file, together with /etc/aide.conf, is the root of trust for every later check. Keep a copy of both (and their checksums, which aide --init printed above) somewhere a root-level attacker on this host cannot reach, such as read-only media or a separate host: anyone who can rewrite the database can re-baseline a compromised system, and every subsequent check will then report "Looks okay!!".

 

Step 9: Check Integrity

Since the initial database was created, no file or directory covered by the configuration has been modified, so AIDE should report no differences.

[root@cyberithub ~]# aide --check
Start timestamp: 2022-02-17 19:22:58 +0530 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
Number of entries:      44096
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz

MD5      : oVHYEVkYAm59iv4HAnrAsw==
SHA1     : yMV2o0c9OXhILGng3d9iGVwN61I=
RMD160   : naUHifrdLrukfRw67e5qBTGEhsQ=
TIGER    : 6LKzoP6oawblEAfhmzWXxidMCH0OYbyT
SHA256   : KDaGGwuSZsTL8k5INhrXRifg2jriIGlzrthdYx779s4=
SHA512   : O86HwDN30cKvrk0JSnlEDlVNzWttN7O0ZAWW2TmLf6kg4nyIh7p/yYJrNPmGWx0y1WWSFQ17U6xxnlxcSd7Uog==

End timestamp: 2022-02-17 19:23:15 +0530 (run time: 0m 17s)

 

Step 10: Make changes and re-check integrity

Let's now make some changes and see what happens. We create two new (empty) files in two different monitored paths.

a) Change 1

[root@cyberithub ~]# cd /sbin
[root@cyberithub sbin]# touch file.txt

 

b) Change 2

[root@cyberithub sbin]# cd /usr/bin
[root@cyberithub bin]# touch binary

Re-run the check and look at the report. This time it detects the two new files. Each entry line starts with the file type (f = regular file, d = directory, l = symlink) followed by one column per attribute: + means the attribute was added, - removed, . unchanged, a blank means it is not compared, and a letter identifies the attribute that changed (p permissions, C checksum, A ACL, as the later use cases show). The file created in /sbin is reported as /usr/sbin/file.txt because /sbin is a symlink to /usr/sbin on RHEL/CentOS 7 and 8.

 

Use case 1 -> When a new file is created

[root@cyberithub ~]# aide --check
Start timestamp: 2022-02-17 19:32:33 +0530 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
Total number of entries:      44098
Added entries:                2
Removed entries:              0
Changed entries:              0
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /usr/bin/binary
f++++++++++++++++: /usr/sbin/file.txt
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz

MD5      : oVHYEVkYAm59iv4HAnrAsw==
SHA1     : yMV2o0c9OXhILGng3d9iGVwN61I=
RMD160   : naUHifrdLrukfRw67e5qBTGEhsQ=
TIGER    : 6LKzoP6oawblEAfhmzWXxidMCH0OYbyT
SHA256   : KDaGGwuSZsTL8k5INhrXRifg2jriIGlzrthdYx779s4=
SHA512   : O86HwDN30cKvrk0JSnlEDlVNzWttN7O0ZAWW2TmLf6kg4nyIh7p/yYJrNPmGWx0y1WWSFQ17U6xxnlxcSd7Uog==

 

Use case 2 -> When the content of a file is changed

The reports for use cases 2 to 4 were captured against a database that had been re-created with aide --update (Step 11) and moved into place in the meantime, which is why the entry count and the database hashes differ from use case 1. In the "Detailed information about changes" section the left column is the value recorded in the database and the right column is the value found on the filesystem now.

[root@cyberithub aide]# aide --check
Start timestamp: 2022-02-17 22:55:16 +0530 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
Total number of entries:      43294
Added entries:                0
Removed entries:              0
Changed entries:              1
---------------------------------------------------
Changed entries:
---------------------------------------------------
f   ...    .C..  : /usr/sbin/file
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /usr/sbin/file
SHA512   : fchbRsdGGytVcbFbNbY1jipoujkA7DpV | 9AY+cJFMosihu+ZtKAptlDLVgZ6sDIFQ
           sou0iMntDDRZtPB9e5/He3pNVXkM3Bav | qdeo1XRvRBa8R5z0mJjMAXz0XSer0vs6
           QRG7lqVKqZjdNa6BP72e2Q==         | EuGePFTkWWbuYxTjB+I8fg==
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz

MD5      : b8EEQcgpiJDuyHEiOSNvkQ==
SHA1     : TbYgdVU+dF8eiJ44M5/RhxHeXD8=
RMD160   : XSDdlIBrmsG8L+/QfQ2Oo7/E19w=
TIGER    : VXHFWDMFEf1QNVKk3fPjiPmM0kSqBPaK
SHA256   : JFbHqcSZZI5afCtswBeikjGc9J80FAKxtRxr/TVmmew=
SHA512   : jmgUGv2WP5i7ff7yDgdGnCxS/t3r0Vr4NsLWtGUnxaQlo8PS1RTJq+m7lSVw02XyxNSzPVeR1yCcVZbmKOgB6g==

End timestamp: 2022-02-17 22:55:38 +0530 (run time: 0m 22s)

 

Use case 3 -> When file permissions are changed

[root@cyberithub aide]# aide --check
Start timestamp: 2022-02-17 23:04:26 +0530 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
Total number of entries:      43294
Added entries:                0
Removed entries:              0
Changed entries:              1
---------------------------------------------------
Changed entries:
---------------------------------------------------
f   p..    ..A.  : /usr/sbin/file
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /usr/sbin/file
Perm     : -rw-r--r--            | -rwxr--r--
ACL      : A: user::rw-          | A: user::rwx
           A: group::r--         | A: group::r--
           A: other::r--         | A: other::r--
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz

MD5      : WysMh+gg/pwho2y7Kj6QUQ==
SHA1     : 8gm7uJmyX1lXDXwb24vqAMfMOEs=
RMD160   : nfCUJkfwL9nic9zoW/whffnjbYg=
TIGER    : ONtPhZyQm4dku7D9DqPVk91CcjVFJTAB
SHA256   : wotUDlfG0XcKaBLK2T+yTv+l+t567WVNKvu6hh8gXcg=
SHA512   : fIKdhAtTQs+dmhbMDC2xbzxIWACXFWs3HuiqdR0MJcgzni7qjIRIDvB8UJpYMPAyAY8zzjDFaPnXwGWfp8Q2aQ==

End timestamp: 2022-02-17 23:04:48 +0530 (run time: 0m 22s)

 

Use case 4 -> When a file is deleted

[root@cyberithub aide]# aide --check
Start timestamp: 2022-02-17 23:08:06 +0530 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
Total number of entries:      43293
Added entries:                0
Removed entries:              1
Changed entries:              0
---------------------------------------------------
Removed entries:
---------------------------------------------------
f----------------: /usr/sbin/file
---------------------------------------------------
The attributes of the (uncompressed) database(s): 
---------------------------------------------------
/var/lib/aide/aide.db.gz
MD5      : WysMh+gg/pwho2y7Kj6QUQ==
SHA1     : 8gm7uJmyX1lXDXwb24vqAMfMOEs=
RMD160   : nfCUJkfwL9nic9zoW/whffnjbYg=
TIGER    : ONtPhZyQm4dku7D9DqPVk91CcjVFJTAB
SHA256   : wotUDlfG0XcKaBLK2T+yTv+l+t567WVNKvu6hh8gXcg=
SHA512   : fIKdhAtTQs+dmhbMDC2xbzxIWACXFWs3HuiqdR0MJcgzni7qjIRIDvB8UJpYMPAyAY8zzjDFaPnXwGWfp8Q2aQ==

End timestamp: 2022-02-17 23:08:30 +0530 (run time: 0m 24s)
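The four reports above share one entry-line format, and on more than a handful of hosts nobody reads them by hand: a scheduled check has to be reduced to a summary plus one alert per entry, and AIDE's exit status has to be interpreted by whatever runs it. The script below is an added example (my code, not from the article or the AIDE project). It runs offline on a constructed report assembled from the entry lines shown above plus one hypothetical removed path (/usr/sbin/oldtool). The column order it relies on is the summarize_changes format documented in aide.conf(5), YlZbpugamcinCAXSE (file type, link name, size, block count, permissions, uid, gid, atime, mtime, ctime, inode, link count, checksum, ACL, xattrs, SELinux context, e2fs attributes), which is consistent with where p, C and A appear in the reports above. The exit status bits (1 new, 2 removed, 4 changed, 14 and above errors) are those documented in aide(1). The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article or the AIDE project: reduce an
# `aide --check` report to summary counts and one alert line per entry, and
# decode AIDE's exit status.  Real use (function names are mine):
#   aide --check > /tmp/aide.out; rc=$?
#   decode_aide_rc "$rc"; summary_counts /tmp/aide.out; entry_alerts /tmp/aide.out

# Constructed sample report: the entry lines from the article's use cases,
# plus one hypothetical removed path, so the script runs without AIDE.
SAMPLE_REPORT='AIDE found differences between database and filesystem!!

Summary:
Total number of entries:      44098
Added entries:                2
Removed entries:              1
Changed entries:              2
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /usr/bin/binary
f++++++++++++++++: /usr/sbin/file.txt
---------------------------------------------------
Removed entries:
---------------------------------------------------
f----------------: /usr/sbin/oldtool
---------------------------------------------------
Changed entries:
---------------------------------------------------
f   ...    .C..  : /usr/sbin/file
f   p..    ..A.  : /usr/sbin/file
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /usr/sbin/file'

write_sample_report() { printf '%s\n' "$SAMPLE_REPORT" > "$1"; }

# "added=N removed=N changed=N" taken from the Summary block of a report file.
summary_counts() {
    awk -F': *' '
        /^Added entries: +[0-9]+$/   { a = $2 }
        /^Removed entries: +[0-9]+$/ { r = $2 }
        /^Changed entries: +[0-9]+$/ { c = $2 }
        END { printf "added=%d removed=%d changed=%d\n", a, r, c }' "$1"
}

# One line per entry.  An entry line is 17 flag characters, ": " and the
# path.  Column order is the summarize_changes format from aide.conf(5),
# YlZbpugamcinCAXSE: "+" added, "-" removed, "." unchanged, " " not
# compared, ":" ignored, anything else marks a change in that column.
entry_alerts() {
    awk '
        BEGIN {
            cols = "lZbpugamcinCAXSE"
            n["l"]="linkname"; n["Z"]="size"; n["b"]="blocks"; n["p"]="perm"
            n["u"]="uid"; n["g"]="gid"; n["a"]="atime"; n["m"]="mtime"
            n["c"]="ctime"; n["i"]="inode"; n["n"]="links"; n["C"]="checksum"
            n["A"]="acl"; n["X"]="xattrs"; n["S"]="selinux"; n["E"]="e2fsattrs"
            t["f"]="file"; t["d"]="dir"; t["l"]="symlink"; t["c"]="chardev"
            t["b"]="blockdev"; t["p"]="fifo"; t["s"]="socket"
        }
        length($0) > 19 && substr($0, 18, 2) == ": " && substr($0, 20, 1) == "/" {
            flags = substr($0, 1, 17); path = substr($0, 20)
            kind = substr(flags, 1, 1); if (kind in t) kind = t[kind]
            rest = substr(flags, 2)
            if (rest ~ /^[+]+$/) { print "ADDED " kind " " path; next }
            if (rest ~ /^[-]+$/) { print "REMOVED " kind " " path; next }
            attrs = ""
            for (i = 1; i <= 16; i++) {
                ch = substr(rest, i, 1)
                if (ch == "." || ch == " " || ch == ":") continue
                col = substr(cols, i, 1)
                label = n[col]; if (ch != col) label = label "(" ch ")"
                attrs = attrs (attrs == "" ? "" : ",") label
            }
            print "CHANGED " kind " " path " attrs=" attrs
        }' "$1"
}

# aide(1) exit status: 0 clean; bits 1 (new), 2 (removed), 4 (changed) are
# OR-ed together; 14 and above are errors (config, I/O, version mismatch).
decode_aide_rc() {
    rc="$1"
    if [ "$rc" -eq 0 ]; then echo "no differences"; return 0; fi
    if [ "$rc" -ge 14 ]; then echo "aide error (exit status $rc)"; return 1; fi
    out=""
    if [ $((rc & 1)) -ne 0 ]; then out="${out}new-files "; fi
    if [ $((rc & 2)) -ne 0 ]; then out="${out}removed-files "; fi
    if [ $((rc & 4)) -ne 0 ]; then out="${out}changed-files "; fi
    if [ -z "$out" ]; then echo "unknown exit status $rc"; return 1; fi
    echo "${out% }"
}

if [ $# -gt 0 ]; then          # sh this-script.sh /var/log/aide/aide.log
    summary_counts "$1"
    entry_alerts "$1"
fi
```

Run it as `sh aide-report.sh /var/log/aide/aide.log` to summarise the last report, or feed the saved output of a cron-driven check. The awk avoids regex interval expressions on purpose, so it works with mawk as well as gawk. A scheduler should treat any nonzero exit status from AIDE as actionable, including the error range, since a check that could not read its database or config has verified nothing.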

 

Step 11: Re-initialize Database

To fold detected changes into a new baseline, after you have reviewed the report and confirmed that every change is legitimate (a package update, a deliberate config edit), run aide --update. It performs a check and at the same time writes a fresh database to the database_out path (/var/lib/aide/aide.db.new.gz); the current database is left untouched, so the new file must be moved over aide.db.gz, as in Step 8, before the next check uses it. Never run the update unattended from cron: an unreviewed update is exactly how a tampered file becomes part of the trusted baseline.

[root@cyberithub aide]# aide --update
--------------------------------------------------------------------------------------------------------
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
Total number of entries:      43294
Added entries:                1
Removed entries:              0
Changed entries:              0
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /usr/sbin/file
---------------------------------------------------
The attributes of the (uncompressed) database(s): 
---------------------------------------------------
/var/lib/aide/aide.db.gz

MD5      : Ek6q+FbgsVlm6yHTliy2jw==
SHA1     : XBNgN576s3EM1JzPSV9U2eswkw4=
RMD160   : YirpGPuOe2x2XKFZB22IojSyq5A=
TIGER    : DrfFQr5u9/brSgPiHzRsuqTc1rwSnzYl
SHA256   : 9yvjUAOehXKTGUy7IQzJ0J2Kr33XH+NHm6o7IlG5s04=
SHA512   : KTFOBxgw4crGWsUgN81bAoJJspCB5PpB07e5CQerl3eVee58MEM1k2aJPDDdx72ZNiIeepBIJNmeAzvXhLZ5Aw==

/var/lib/aide/aide.db.new.gz

MD5      : b8EEQcgpiJDuyHEiOSNvkQ==
SHA1     : TbYgdVU+dF8eiJ44M5/RhxHeXD8=
RMD160   : XSDdlIBrmsG8L+/QfQ2Oo7/E19w=
TIGER    : VXHFWDMFEf1QNVKk3fPjiPmM0kSqBPaK
SHA256   : JFbHqcSZZI5afCtswBeikjGc9J80FAKxtRxr/TVmmew=
SHA512   : jmgUGv2WP5i7ff7yDgdGnCxS/t3r0Vr4NsLWtGUnxaQlo8PS1RTJq+m7lSVw02XyxNSzPVeR1yCcVZbmKOgB6g==

End timestamp: 2022-02-17 22:49:27 +0530 (run time: 0m 22s)
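The rename in Step 8 and the promotion of the updated database in this step are the moments at which a database becomes trusted, so it is worth scripting them together with a tamper check on the baseline itself. The script below is an added example (my code, not from the article or the AIDE project) serving both steps: it moves the new database into place, archives the previous one, and records a sha256 manifest of the database and /etc/aide.conf that is verified before every scheduled check. The environment variables AIDE_DB, AIDE_DB_NEW, AIDE_CONF and AIDE_ANCHOR and the default anchor directory /var/lib/aide/anchor are my assumptions, as are the function names; it needs sha256sum from coreutils.

```shell
#!/bin/sh
# Added example, not from the original article or the AIDE project: promote a
# freshly written AIDE database (Step 8 / Step 11) and pin the two trust
# anchors, database and config, with a sha256 manifest that is verified
# before every check.
#
# Assumptions (hypothetical defaults, override via environment):
#   AIDE_DB      database the check reads          (database= in aide.conf)
#   AIDE_DB_NEW  database written by --init/--update (database_out=)
#   AIDE_CONF    configuration file
#   AIDE_ANCHOR  directory for the manifest and archived databases; on a
#                real host make this read-only or sync it off-host, since a
#                root attacker can otherwise rewrite the manifest as well.
set -eu

AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db.gz}"
AIDE_DB_NEW="${AIDE_DB_NEW:-/var/lib/aide/aide.db.new.gz}"
AIDE_CONF="${AIDE_CONF:-/etc/aide.conf}"
AIDE_ANCHOR="${AIDE_ANCHOR:-/var/lib/aide/anchor}"

# Record sha256 of the current database and config in $AIDE_ANCHOR/manifest.
record_manifest() {
    mkdir -p "$AIDE_ANCHOR"
    rm -f "$AIDE_ANCHOR/manifest"
    sha256sum "$AIDE_DB" "$AIDE_CONF" > "$AIDE_ANCHOR/manifest"
    chmod 0400 "$AIDE_ANCHOR/manifest"
}

# Succeed only if database and config still match the manifest.  A check run
# against a replaced database or config proves nothing, so this gate runs
# before `aide --check`.
verify_manifest() {
    if [ ! -r "$AIDE_ANCHOR/manifest" ]; then
        echo "no baseline manifest in $AIDE_ANCHOR" >&2
        return 1
    fi
    sha256sum -c "$AIDE_ANCHOR/manifest" >/dev/null 2>&1
}

# Make the database written by --init or --update the reference database.
# The previous database is archived with a timestamp rather than overwritten,
# so an older baseline stays available for comparison.
promote_db() {
    if [ ! -s "$AIDE_DB_NEW" ]; then
        echo "$AIDE_DB_NEW missing or empty; run aide --init or --update first" >&2
        return 1
    fi
    mkdir -p "$AIDE_ANCHOR"
    if [ -e "$AIDE_DB" ]; then
        cp -p "$AIDE_DB" "$AIDE_ANCHOR/aide.db.$(date +%Y%m%d%H%M%S).gz"
    fi
    mv "$AIDE_DB_NEW" "$AIDE_DB"
    chmod 0600 "$AIDE_DB"
    record_manifest
}

# Scheduled entry point: refuse to check against an unverified baseline.
checked_run() {
    if ! verify_manifest; then
        echo "baseline tampered with or missing, not running aide --check" >&2
        return 2
    fi
    aide --check
}

case "${1:-}" in
    promote) promote_db ;;
    verify)  verify_manifest && echo "baseline intact" ;;
    check)   checked_run ;;
    "")      ;;   # no argument: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 {promote|verify|check}" >&2; exit 64 ;;
esac
```

Use `sh aide-baseline.sh promote` after aide --init or aide --update in place of the manual mv, and `sh aide-baseline.sh check` as the cron job instead of a bare aide --check. The manifest only raises the bar when it lives somewhere root on the monitored host cannot rewrite it; copying the anchor directory to a separate host (or comparing the manifest against a copy held there) is what turns this from a convenience into a control.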

 

Step 12: AIDE log file

AIDE writes its report to /var/log/aide/aide.log by default. The destination is set by report_url in /etc/aide.conf, and the stock config lists both the log file and stdout, which is why the same content appears on the console whenever an AIDE command runs. Change or add report_url entries to send the report elsewhere; report_url also accepts a syslog target, which is worth using so that reports leave the host, since a log file sitting next to the database is as easy for a root-level attacker to clean up as the database itself.

[root@cyberithub ~]# cd /var/log/aide
[root@cyberithub aide]# ls
aide.log
