In this article, I will take you through the steps to install and use AIDE on RHEL/CentOS 7/8. AIDE (Advanced Intrusion Detection Environment) is a free and open source utility that creates a database of the files on the system and then uses that database to verify file integrity and detect system intrusions. It uses several message digest algorithms to check the integrity of each file, and all the usual file attributes can also be checked for inconsistencies. More on RHEL Security Guide.
Features of AIDE
- It supports message digest algorithms such as md5, sha1, rmd160, tiger, crc32, sha256, sha512 and whirlpool, plus gost, haval and crc32b when built with libmhash.
- It supports a number of file attributes: file type, permissions, inode, uid, gid, link name, size, block count, number of links, mtime, ctime and atime.
- It also has support for POSIX ACLs, SELinux, XAttrs and extended file system attributes.
- It provides powerful regular expression support to selectively include or exclude the files and directories to be monitored.
- It also provides gzip database compression if zlib support is compiled in.
- It has stand-alone static binary support for easy client/server monitoring configurations. More on aide.github.io
How Does AIDE Work
AIDE works by creating a database of all the files selected by the rules defined in the /etc/aide.conf configuration file during initialization. Once the database has been initialized, file integrity checks and intrusion detection can be performed against those files. If you want to add more files and directories, modify the configuration in /etc/aide.conf and then run the checks against those files and directories.
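The article does not show what a selection rule in /etc/aide.conf looks like, so here is an added example (not from the article or the AIDE project) that writes a minimal configuration for a chosen list of directories and validates it with aide --config-check. The directory list, the rule names STRICT and LOGS, the excluded paths and the database directory are all assumptions.

```shell
#!/bin/sh
# Build a minimal AIDE configuration for a chosen set of directories
# and validate it with "aide --config-check" (added example; the
# directories, rule names, exclusions and db paths are assumptions).

# Write an aide.conf: database locations, two attribute rules, the
# directories to watch and a couple of paths that change all the time.
write_aide_conf() {
    conf="$1"; dbdir="$2"; shift 2
    {
        echo "database=file:$dbdir/aide.db.gz"
        echo "database_out=file:$dbdir/aide.db.new.gz"
        echo "gzip_dbout=yes"
        # p=perms i=inode n=links u=uid g=gid s=size m=mtime c=ctime
        echo "STRICT = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256+sha512"
        # Log files grow legitimately: track ownership and mode only.
        echo "LOGS = p+u+g"
        for d in "$@"; do
            echo "$d STRICT"
        done
        echo "/var/log LOGS"
        # Leading "!" excludes a path (regex) from the database entirely.
        echo "!/etc/mtab"
        echo "!/var/log/lastlog"
    } > "$conf"
}

# Syntax-check the file with AIDE itself when it is installed
# (returns 2 if aide is not on this host).
check_aide_conf() {
    command -v aide >/dev/null 2>&1 || { echo "aide not installed" >&2; return 2; }
    aide --config-check -c "$1"
}

# Usage: write_aide_conf /etc/aide.conf /var/lib/aide /etc /usr/sbin /boot
#        check_aide_conf /etc/aide.conf && aide --init -c /etc/aide.conf
```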
Steps to Install and Use AIDE on RHEL/CentOS 7/8
Step 1: Prerequisites
a) You should have a running RHEL/CentOS 7/8 server.
b) You should have root access to run privileged commands on the server.
c) You should have the yum utility available on your server.
Step 2: Update Your Server
Before installing a new package, it is always recommended to update the package cache with the latest releases from the repo using the yum update command as shown below. If any package needs to be upgraded, you can upgrade it with the yum upgrade command.
[root@cyberithub ~]# yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.mirror.snu.edu.in
 * extras: centos.mirror.snu.edu.in
 * updates: centos.mirror.snu.edu.in
No packages marked for update
Step 3: Install AIDE
To install the AIDE utility on your system, run the yum install aide command as shown below. This will download and install the package, along with all its dependencies, from the default RHEL/CentOS repo.
[root@cyberithub ~]# yum install aide
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.mirror.snu.edu.in
 * extras: centos.mirror.snu.edu.in
 * updates: centos.mirror.snu.edu.in
Resolving Dependencies
--> Running transaction check
---> Package aide.x86_64 0:0.15.1-13.el7_9.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================
 Package      Arch        Version                 Repository     Size
======================================================================
Installing:
 aide         x86_64      0.15.1-13.el7_9.1       updates       133 k

Transaction Summary
======================================================================
Install  1 Package

Total download size: 133 k
Installed size: 311 k
Is this ok [y/d/N]: y
Downloading packages:
aide-0.15.1-13.el7_9.1.x86_64.rpm                  | 133 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : aide-0.15.1-13.el7_9.1.x86_64                          1/1
  Verifying  : aide-0.15.1-13.el7_9.1.x86_64                          1/1

Installed:
  aide.x86_64 0:0.15.1-13.el7_9.1

Complete!
Step 4: Check Version
After a successful installation you can check the utility version using the aide --version command as shown below.
[root@cyberithub ~]# aide --version
Aide 0.15.1

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"
Step 5: Generate Initial Database
Before performing integrity and intrusion checks, you need to initialize the database based on the /etc/aide.conf configuration using the aide --init command as shown below. If you want to include additional files and directories in the database, edit /etc/aide.conf accordingly.
[root@cyberithub ~]# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
Step 6: Perform Integrity Checks
You can either initiate the checks manually or through a cron job. To run a check manually, use the aide --check command as shown below; if you want to perform checks on a daily, weekly or monthly basis, it is a good idea to set up a cron job for that.
[root@cyberithub ~]# aide --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!
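For the cron job mentioned above, a plain "aide --check" in crontab discards the result unless someone reads the mail. As an added example (not from the article), the wrapper below keeps each report in a dated file and decodes AIDE's exit status, which per the AIDE manual is a bit mask of findings (1 = new files, 2 = removed files, 4 = changed files) with 14 and above meaning a runtime error. AIDE_BIN, REPORT_DIR and the syslog tag are assumptions.

```shell
#!/bin/sh
# Cron wrapper for "aide --check" (added example; AIDE_BIN, REPORT_DIR
# and the syslog tag are assumptions, adjust them for your host).
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"

# Translate AIDE's exit status into words. Per the AIDE manual the
# status is a bit mask of findings (1 = new files, 2 = removed files,
# 4 = changed files); 14 and above mean a runtime error, not a finding.
# Returns 0 for clean, 1 for findings, 2 for an error.
aide_status_summary() {
    rc="$1"; parts=""
    if [ "$rc" -eq 0 ]; then
        echo "clean"; return 0
    fi
    if [ "$rc" -ge 14 ]; then
        echo "error (exit $rc)"; return 2
    fi
    [ $((rc & 1)) -ne 0 ] && parts="$parts new"
    [ $((rc & 2)) -ne 0 ] && parts="$parts removed"
    [ $((rc & 4)) -ne 0 ] && parts="$parts changed"
    echo "findings:$parts"; return 1
}

# Run the check, keep the full report in a dated file readable only by
# root, and push a one-line verdict to syslog so a log pipeline can
# alert on "findings" or "error" instead of relying on cron mail.
run_aide_check() {
    stamp=$(date +%Y%m%d-%H%M%S)
    report="$REPORT_DIR/aide-check-$stamp.log"
    mkdir -p "$REPORT_DIR" && chmod 0700 "$REPORT_DIR"
    "$AIDE_BIN" --check >"$report" 2>&1
    rc=$?
    summary=$(aide_status_summary "$rc")
    logger -t aide-check "result=$summary report=$report"
    echo "$summary"
    return "$rc"
}

# Example crontab entry (daily at 03:15), assuming the script is saved
# as /usr/local/sbin/aide-check.sh:
#   15 3 * * * /usr/local/sbin/aide-check.sh
```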
Step 7: Update AIDE Database
If you want, you can also update the AIDE database using the aide --update command as shown below.
[root@cyberithub ~]# aide --update
File database must have one db_spec specification
File database must have one db_spec specification
..............................................................
added: /usr/share/zsh/site-functions/_systemd-tmpfiles
added: /usr/share/zsh/site-functions/_timedatectl
added: /usr/share/zsh/site-functions/_udevadm
added: /usr/src
added: /usr/tmp
added: /var/log/lastlog
added: /var/run/utmp
Step 8: Check all the Available Options
To see all the options available with the aide command, use aide --help as shown below.
[root@cyberithub ~]# aide --help
Aide 0.15.1

Usage: aide [options] command

Commands:
  -i, --init            Initialize the database
  -C, --check           Check the database
  -u, --update          Check and update the database non-interactively
  --compare             Compare two databases

Miscellaneous:
  -D, --config-check    Test the configuration file
  -v, --version         Show version of AIDE and compilation options
  -h, --help            Show this help message

Options:
  -c [cfgfile]    --config=[cfgfile]     Get config options from [cfgfile]
  -B "OPTION"     --before="OPTION"      Before configuration file is read define OPTION
  -A "OPTION"     --after="OPTION"       After configuration file is read define OPTION
  -r [reporter]   --report=[reporter]    Write report output to [reporter] url
  -V[level]       --verbose=[level]      Set debug message level to [level]
Step 9: Troubleshooting
Sometimes, when you perform integrity checks using the aide --check command, you end up with the error Couldn't open file /var/lib/aide/aide.db.gz for reading.
[root@cyberithub ~]# aide --check
Couldn't open file /var/lib/aide/aide.db.gz for reading
If you are getting the above error, all you need to do is go to the /var/lib/aide directory and create a soft link using the ln -s aide.db.new.gz aide.db.gz command.
[root@cyberithub ~]# cd /var/lib/aide/
[root@cyberithub aide]# ln -s aide.db.new.gz aide.db.gz
Now if you try again, you should be able to perform the integrity checks.
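Both Step 7 and Step 9 revolve around the two database files: aide --init and aide --update write aide.db.new.gz, while aide --check reads aide.db.gz. With the soft link, those are the same file, so the next --init or --update overwrites the only baseline. As an added example (not from the article or the AIDE project), the helper below promotes the new database by copying it into place, keeps a dated backup of the previous baseline, and records a SHA-256 so the baseline can be verified against a copy kept off the host. DB_DIR and BACKUP_DIR are assumptions.

```shell
#!/bin/sh
# Promote a freshly generated AIDE database to the active baseline
# (added example; DB_DIR and BACKUP_DIR are assumptions).
DB_DIR="${DB_DIR:-/var/lib/aide}"
BACKUP_DIR="${BACKUP_DIR:-/var/lib/aide/archive}"

# Copy (not symlink) aide.db.new.gz over aide.db.gz, keeping a dated
# backup of the previous baseline and a SHA-256 of the new one.
# Prints the path of the checksum file; returns 1 if no new db exists.
promote_aide_db() {
    dir="$1"; backup="$2"
    new="$dir/aide.db.new.gz"; cur="$dir/aide.db.gz"
    [ -f "$new" ] || { echo "no new database at $new" >&2; return 1; }
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$backup" && chmod 0700 "$backup"
    # Archive the old baseline only if it is a real file (a stale
    # symlink from the troubleshooting step points at $new already).
    if [ -f "$cur" ] && [ ! -L "$cur" ]; then
        cp -p "$cur" "$backup/aide.db.$stamp.gz"
    fi
    rm -f "$cur"
    cp -p "$new" "$cur"
    chmod 0600 "$cur"
    sha256sum "$cur" > "$backup/aide.db.$stamp.sha256"
    echo "$backup/aide.db.$stamp.sha256"
}

# Re-check the active baseline against a recorded checksum file
# (ideally one copied back from off-host storage). Exit 0 on match.
verify_aide_db() {
    sha256sum -c --status "$1"
}

# Usage after "aide --init" or a reviewed "aide --update":
#   sum=$(promote_aide_db "$DB_DIR" "$BACKUP_DIR") && verify_aide_db "$sum"
```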
Step 10: Uninstall AIDE
Once you are done using the AIDE utility, you can uninstall it from your system using the yum remove aide command as shown below.
[root@cyberithub ~]# yum remove aide
Loaded plugins: fastestmirror
Resolving Dependencies
--> Running transaction check
---> Package aide.x86_64 0:0.15.1-13.el7_9.1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================
 Package      Arch        Version                 Repository     Size
======================================================================
Removing:
 aide         x86_64      0.15.1-13.el7_9.1       @updates      311 k

Transaction Summary
======================================================================
Remove  1 Package

Installed size: 311 k
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : aide-0.15.1-13.el7_9.1.x86_64                          1/1
  Verifying  : aide-0.15.1-13.el7_9.1.x86_64                          1/1

Removed:
  aide.x86_64 0:0.15.1-13.el7_9.1

Complete!