Cyberithub

How to Install and Use AIDE on RHEL/CentOS 7/8 [Easy Steps]


In this article, I will take you through the steps to install and use AIDE on RHEL/CentOS 7/8. AIDE (Advanced Intrusion Detection Environment) is a free and open source utility that creates a database of the files on the system and then uses that database to verify file integrity and detect system intrusions. It uses several message digest algorithms to check the integrity of each file, and all the usual file attributes can also be checked for inconsistencies. More on RHEL Security Guide.

Features of AIDE

  • It supports message digest algorithms such as md5, sha1, rmd160, tiger, crc32, sha256, sha512 and whirlpool, plus gost, haval and crc32b when built with libmhash.
  • It supports a number of file attributes: file type, permissions, inode, uid, gid, link name, size, block count, number of links, mtime, ctime and atime.
  • It also has support for POSIX ACLs, SELinux, xattrs and extended file system attributes.
  • It provides powerful regular expression support to selectively include or exclude the files and directories to be monitored.
  • It also provides gzip database compression if zlib support is compiled in.
  • It has stand-alone static binary support for easy client/server monitoring configurations. More on aide.github.io

How Does AIDE Work

AIDE works by creating, during initialization, a database of all the files matched by the rules defined in the /etc/aide.conf configuration file. After the database has been initialized, we can perform file integrity checks and intrusion detection against those files. If you want to add more files and directories, modify the configuration in /etc/aide.conf and then run checks against those files and directories.


Steps to Install and Use AIDE on RHEL/CentOS 7/8


Step 1: Prerequisites

a) You should have a running RHEL/CentOS 7/8 Server.

b) You should have root access to run privileged commands on the Server.

c) You should have yum utility available in your Server.

 

Step 2: Update Your Server

Before installing a new package, it is always recommended to update the package cache with the latest releases from the repo using the yum update command as shown below. If any package needs to be upgraded, you can upgrade it with the yum upgrade command.

[root@cyberithub ~]# yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.snu.edu.in
* extras: centos.mirror.snu.edu.in
* updates: centos.mirror.snu.edu.in
No packages marked for update

 

Step 3: Install AIDE

To install the AIDE utility on your system, run the yum install aide command as shown below. This downloads and installs the package, along with all its dependencies, from the default RHEL/CentOS repo.

[root@cyberithub ~]# yum install aide
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.snu.edu.in
* extras: centos.mirror.snu.edu.in
* updates: centos.mirror.snu.edu.in
Resolving Dependencies
--> Running transaction check
---> Package aide.x86_64 0:0.15.1-13.el7_9.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================================
Installing:
aide x86_64 0.15.1-13.el7_9.1 updates 133 k

Transaction Summary
=============================================================================================================================================================
Install 1 Package

Total download size: 133 k
Installed size: 311 k
Is this ok [y/d/N]: y
Downloading packages:
aide-0.15.1-13.el7_9.1.x86_64.rpm | 133 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : aide-0.15.1-13.el7_9.1.x86_64 1/1
Verifying : aide-0.15.1-13.el7_9.1.x86_64 1/1

Installed:
aide.x86_64 0:0.15.1-13.el7_9.1

Complete!

 

Step 4: Check Version

After a successful installation, you can check the utility version with the aide --version command as shown below.

[root@cyberithub ~]# aide --version
Aide 0.15.1

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

 

Step 5: Generate Initial Database

Before performing integrity and intrusion checks you need to initialize the database from the /etc/aide.conf configuration using the aide --init command as shown below. If you want to include additional files and directories in the database, edit the /etc/aide.conf configuration accordingly.

[root@cyberithub ~]# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
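As an added example (not from the article or the AIDE project), this fragment shows the kind of rule you would append to /etc/aide.conf to bring an extra directory tree into the database; the /opt/webapp path and the WEBAPP rule name are hypothetical, and the attribute letters follow aide.conf(5):

```conf
# Added example: custom rule and paths for /etc/aide.conf (hypothetical /opt/webapp tree).
# Rule letters per aide.conf(5): p permissions, i inode, n link count, u/g owner and group,
# s size, m/c mtime/ctime, acl, selinux, xattrs, sha512 content digest.
WEBAPP = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512

# Whole application tree, checksummed with the rule above.
/opt/webapp WEBAPP

# Log files change constantly, so exclude them (regular expression, anchored at the start).
!/opt/webapp/logs/.*

# For the upload directory only track ownership and permissions, not content.
/opt/webapp/uploads p+u+g+acl
```

After editing, run aide --config-check (the -D option listed in step 8) to catch syntax errors, then re-run aide --init so the new database covers the added paths.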

 

Step 6: Perform Integrity Checks

You can run the checks either manually or through a cron job. To run a check manually, use the aide --check command as shown below; if you want to perform checks on a daily, weekly or monthly basis, it is always a good idea to set up a cron job for that.

[root@cyberithub ~]# aide --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

 

Step 7: Update AIDE Database

You can also update the AIDE database with the aide --update command as shown below.

[root@cyberithub ~]# aide --update
File database must have one db_spec specification
File database must have one db_spec specification
..............................................................
added: /usr/share/zsh/site-functions/_systemd-tmpfiles
added: /usr/share/zsh/site-functions/_timedatectl
added: /usr/share/zsh/site-functions/_udevadm
added: /usr/src
added: /usr/tmp
added: /var/log/lastlog
added: /var/run/utmp

 

Step 8: Check all the Available Options

To see all the options available with the aide command, use the aide --help command as shown below.

[root@cyberithub ~]# aide --help
Aide 0.15.1

Usage: aide [options] command

Commands:
-i, --init Initialize the database
-C, --check Check the database
-u, --update Check and update the database non-interactively
--compare Compare two databases

Miscellaneous:
-D, --config-check Test the configuration file
-v, --version Show version of AIDE and compilation options
-h, --help Show this help message

Options:
-c [cfgfile] --config=[cfgfile] Get config options from [cfgfile]
-B "OPTION" --before="OPTION" Before configuration file is read define OPTION
-A "OPTION" --after="OPTION" After configuration file is read define OPTION
-r [reporter] --report=[reporter] Write report output to [reporter] url
-V[level] --verbose=[level] Set debug message level to [level]

 

Step 9: Troubleshooting

Sometimes, when you run integrity checks with the aide --check command, you end up with the error Couldn't open file /var/lib/aide/aide.db.gz for reading.

[root@cyberithub ~]# aide --check
Couldn't open file /var/lib/aide/aide.db.gz for reading

If you get the above error, all you need to do is go to the /var/lib/aide directory and create a soft link named aide.db.gz using the ln -s aide.db.new.gz aide.db.gz command.

[root@cyberithub ~]# cd /var/lib/aide/
[root@cyberithub aide]# ln -s aide.db.new.gz aide.db.gz

Now if you try again, you should be able to perform the integrity checks.
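Here is an added example (not from the article) that ties the cron job mentioned in step 6 to the missing-database problem from step 9: a wrapper script that promotes a freshly initialized database into place, runs aide --check, keeps the full report and turns the exit status into a summary that cron mails out. It assumes the default database paths used above, a hypothetical /var/log/aide report directory, and the exit codes documented in aide(1) (0 no changes, bit 1 new files, bit 2 removed files, bit 4 changed files, 14 and above an error); unlike the symlink in step 9 it moves aide.db.new.gz to aide.db.gz, which is the rename aide(1) describes.

```shell
#!/bin/sh
# Added example: cron wrapper for aide --check. Paths and exit-code meanings
# are assumptions noted in the lead-in (exit codes as documented in aide(1)).
set -eu

AIDE_DB=/var/lib/aide/aide.db.gz
AIDE_DB_NEW=/var/lib/aide/aide.db.new.gz
REPORT_DIR=/var/log/aide   # hypothetical directory for the kept reports

# Turn an aide exit status into a one-line summary. Returns 0 for a clean
# run, 2 when changes were found and 1 when aide could not run at all.
describe_status() {
    status="$1"
    if [ "$status" -ge 14 ]; then
        echo "error: aide exited with status $status"
        return 1
    fi
    if [ "$status" -eq 0 ]; then
        echo "ok: all files match the AIDE database"
        return 0
    fi
    msg="changes detected:"
    [ $((status & 1)) -ne 0 ] && msg="$msg new-files"
    [ $((status & 2)) -ne 0 ] && msg="$msg removed-files"
    [ $((status & 4)) -ne 0 ] && msg="$msg changed-files"
    echo "$msg"
    return 2
}

# Run the check, keep the full report and print the summary (cron mails stdout).
run_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-check-$(date +%Y%m%d-%H%M%S).log"
    # Without aide.db.gz every check fails with "Couldn't open file ...", so
    # move a freshly initialized database into place first.
    if [ ! -e "$AIDE_DB" ] && [ -e "$AIDE_DB_NEW" ]; then
        mv "$AIDE_DB_NEW" "$AIDE_DB"
    fi
    status=0
    aide --check >"$report" 2>&1 || status=$?
    summary=$(describe_status "$status") || true
    echo "$summary (full report: $report)"
    [ "$status" -eq 0 ] || cat "$report"
}

# Only run when invoked with "run", e.g. from a crontab line such as:
#   30 3 * * * /usr/local/sbin/aide-check.sh run
if [ "${1:-}" = "run" ]; then
    run_check
fi
```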

 

Step 10: Uninstall AIDE

Once you are done using the AIDE utility, you can uninstall it from your system with the yum remove aide command as shown below.

[root@cyberithub ~]# yum remove aide
Loaded plugins: fastestmirror
Resolving Dependencies
--> Running transaction check
---> Package aide.x86_64 0:0.15.1-13.el7_9.1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================================
Removing:
aide x86_64 0.15.1-13.el7_9.1 @updates 311 k

Transaction Summary
=============================================================================================================================================================
Remove 1 Package

Installed size: 311 k
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : aide-0.15.1-13.el7_9.1.x86_64 1/1
Verifying : aide-0.15.1-13.el7_9.1.x86_64 1/1

Removed:
aide.x86_64 0:0.15.1-13.el7_9.1

Complete!

