Sep 27, 2012
 

Aide is a file-integrity monitoring application, or host-based intrusion detection system, that monitors changes to the file system on Linux. It detects changes to the file system that were not authorized or expected, and it can be run on demand or as part of a cron job. It hashes each file with one or more hashing algorithms and stores the file hashes in a database; later runs of the application compare the live file system against that database.

These instructions were tested on Ubuntu 12.04 LTS (Precise Pangolin) and Debian 7 (Wheezy), but are likely applicable to a larger range of Debian and Ubuntu versions and distributions based on them.

Note: Ideally Aide should be running on a system before it goes into production. If deploying afterwards, be sure the computer is trusted and clean, otherwise it may not do any good to be running Aide.

Aide has been heavily customized for Debian and Ubuntu using scripts and pre-built configurations. This is a good thing, but the documentation leaves much to be desired. By default, a large number of rules are included to help reduce the number of false alerts. For example, log files are expected to change, but they should generally GROW in size. Databases generally are also expected to change. Many rules are included and you can write your own if necessary. By default, the Aide package on Debian/Ubuntu installs a complex script in cron.daily. Of course, it doesn’t work the first time without some help.

Installation and Configuration

To install aide, simply type:


apt-get install aide

That part was easy. On some systems you might need to configure the mail subsystem, there’s plenty of help on Google for that.

If you try to run aide, something funny happens.


root@ubuntu:/# aide
Couldn't open file /var/lib/aide/please-dont-call-aide-without-parameters/aide.db for reading

More about how to actually run the application later.

Next let’s edit some configuration files. Feel free to substitute your favorite text editor.


nano /etc/aide/aide.conf

This file has the general Aide configurations. The settings in here can be left alone successfully. However, we’re going to look at this line:


Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger

I don’t know about your thoughts on hashing algorithms, but this is too many: it increases the time the application takes to run and puts unnecessary load on the system. Really, just sha512 should be fine right now, but for safety’s sake we’ll pick two. I’d recommend sha512 and one of the other ones without known collisions; I picked tiger. So the line would then be:


Checksums = sha512+tiger

Hit ctrl-x to exit nano and type y to save the file giving it the same name.

Next, let’s edit the variables used by the custom scripts that run aide:


nano /etc/default/aide

This file contains fairly decent instructions, so I’ll just point out the following lines should be considered.


MAILTO=root

Consider replacing this with an email address you’d like to have receive daily reports.


COPYNEWDB=no

Consider changing this to yes for some deployments. If left as no, the cron script will always compare the file-system to the aide database that you manually create. If changed to yes, it will compare to the last time the cron job was run. For a daily report of changed files, setting this to yes is helpful. Additionally, logs are kept that can be read for looking at changes over time. Lastly, you could manually copy a database off to another location for checking over a longer period. In all of my deployments, I set this to yes.


FILTERUPDATES=no

Consider changing this to yes to have the email report (but not the full log) ignore changes found in /var/log/dpkg.log for updates (e.g. from apt-get upgrade). This setting is mostly a matter of personal preference and depends on the purpose of the aide deployment.


FILTERINSTALLATIONS=no

Consider changing this to yes to have the email report (but not the full log) ignore changes found in /var/log/dpkg.log for new package installs (e.g. from apt-get install). This setting is mostly a matter of personal preference and depends on the purpose of the aide deployment.

Feel free to look over the rest of the file for settings you might like. Once done, hit ctrl-x to exit nano and type y to save the file giving it the same name.

Before running aide for the first time, let’s consider a change to the cron script itself. The script runs the savelog command to rotate logs, and it is set to keep only 7 logs. That is likely too low for most installs. In the file /etc/cron.daily/aide, look for the line:


[ -f "$LOGFILE" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGFILE" > /dev/null

In savelog, the -c flag stands for cycle. Change the 7 after the -c to your preferred number of logs to keep. Keep in mind that the cron script generally runs daily. Once done, hit ctrl-x to exit nano and type y to save the file giving it the same name. Beyond the above change, I do not recommend making any changes to the cron script.
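The three hand edits above as a reproducible script, added here as an example and not part of the original post: it works on copies of the files (constructed stand-ins holding only the lines quoted above) so nothing touches /etc until you have diffed the result, and the mail address and cycle count are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: make the walkthrough's three hand
# edits on COPIES of the files so the result can be diffed before it is moved
# into /etc. Nothing here requires aide to be installed.
set -eu

# Rewrite a file in place without relying on sed -i (not portable).
rewrite() { sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"; }

# Checksums line in aide.conf: $1 = file, $2 = algorithm list, e.g. sha512+tiger
set_checksums() {
    rewrite "s/^Checksums *=.*/Checksums = $2/" "$1"
    grep -q "^Checksums = $2\$" "$1"
}

# KEY=value line in /etc/default/aide: $1 = file, $2 = key, $3 = value
set_default_var() {
    rewrite "s/^$2=.*/$2=$3/" "$1"
    grep -q "^$2=$3\$" "$1"
}

# savelog cycle count (-c) in /etc/cron.daily/aide: $1 = file, $2 = logs to keep
set_savelog_cycle() {
    rewrite "s/\(savelog .* -c \)[0-9][0-9]*/\1$2/" "$1"
    grep -q "savelog .* -c $2 " "$1"
}

# Constructed stand-ins for the three files, holding only the lines quoted above.
make_sample_copies() {       # $1 = scratch directory
    printf 'Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger\n' > "$1/aide.conf"
    printf 'MAILTO=root\nCOPYNEWDB=no\nFILTERUPDATES=no\nFILTERINSTALLATIONS=no\n' > "$1/aide.default"
    printf '[ -f "$LOGFILE" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGFILE" > /dev/null\n' > "$1/aide.cron"
}

# The settings recommended in the post, applied to the copies in $1.
apply_walkthrough_edits() {
    set_checksums "$1/aide.conf" sha512+tiger
    set_default_var "$1/aide.default" MAILTO admin@example.com   # placeholder address
    set_default_var "$1/aide.default" COPYNEWDB yes
    set_savelog_cycle "$1/aide.cron" 30                          # placeholder count
}

scratch=$(mktemp -d)
make_sample_copies "$scratch"
apply_walkthrough_edits "$scratch"
cat "$scratch/aide.conf" "$scratch/aide.default" "$scratch/aide.cron"
```

Point the functions at copies of the real files (for example cp /etc/aide/aide.conf /tmp/aide.conf) and diff before moving them back.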

First Run

Now we’re ready to run aide for the first time. We need to call a special script that generates the file /var/lib/aide/aide.db.new when run. Type:


aideinit

Let the process complete. You now have a file-system database located at aide.db.new in the /var/lib/aide directory. However, aide needs something to compare to, so let’s rename that file to simply aide.db. Without this rename, the cron job will fail to run successfully.


mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Now whenever the cron script runs, it will compare against aide.db successfully. You could stop here if you wanted and wait to make sure it works. To manually kick off the cron job type:


/etc/cron.daily/aide

If you make a large number of changes to a system, run the cron job manually as listed above. If you chose NOT to have the aide database copied over after each cron run, you should copy the new database over the old one:


cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Understanding Results

Keep in mind that you will find changes on many systems between runs. You’ll have to use sound judgement to decide whether each change is a problem or not. You can write custom rules to exclude expected changes. Generally I review the results and learn what changes to expect. Typically you’ll find additional log files that aren’t included in the defined rules. Some databases are also expected to change, as are files residing in users’ home directories on most systems. I watch home directories because my systems do not have end-user logons, and I’d want to know if something unscrupulous was put into a home directory.

Logs from aide will appear in the /var/log/aide directory. If you set an email address earlier, they will also be sent to that email address.

Additional Ideas

While I will not dive into much more detail, you should occasionally copy off aide.db files to external media and run occasional scans on those databases. An attacker can compromise the aide executable, scripts, or databases in order to cover their tracks, so consider keeping a list of the hashes of the aide scripts and executable and compare them from a trusted system.
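One way to keep that out-of-band list of hashes, as an added example that is not part of the original post: the file list follows the Debian/Ubuntu paths used above, the sha512 choice matches the Checksums line, and the /media/usb baseline path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: hash the aide binary, wrapper,
# cron script, configs and database into a baseline file that is copied off to
# a trusted system, and later check the live files against that baseline.
set -eu

# The files the post says an attacker would tamper with to cover their tracks.
AIDE_FILES="/usr/bin/aide /usr/bin/aide.wrapper /etc/cron.daily/aide \
/etc/default/aide /etc/aide/aide.conf /var/lib/aide/aide.db"

# SHA-512 of one file: coreutils sha512sum on Debian/Ubuntu, shasum elsewhere.
hash_file() {
    if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1"
    else shasum -a 512 "$1"; fi
}

# Write "HASH  PATH" lines for each existing file in list $1 to $2; print count.
record_baseline() {
    : > "$2"
    for f in $1; do if [ -f "$f" ]; then hash_file "$f" >> "$2"; fi; done
    wc -l < "$2" | tr -d ' '
}

# Re-hash every path in baseline $1; report each mismatch, exit 1 if any.
verify_baseline() {
    status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then echo "MISSING: $path"; status=1; continue; fi
        have=$(hash_file "$path" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "CHANGED: $path"; status=1; }
    done < "$1"
    return $status
}

# Record on the freshly built host, verify from a trusted system or from
# external media (the /media/usb path is a placeholder).
case "${1:-}" in
    record) record_baseline "$AIDE_FILES" "${2:-/media/usb/aide-baseline.sha512}" ;;
    verify) verify_baseline "${2:-/media/usb/aide-baseline.sha512}" ;;
esac
```

The baseline only helps if it is read from a location the monitored host cannot write to, which is why the post suggests comparing from a trusted system.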

Posted at 4:14 PM

  4 Responses to “Using Aide on Ubuntu 12.04 LTS (Precise Pangolin) and Debian 7 (Wheezy)”

  1. Thanks!

    Something may have changed in Debian 7.1. On a clean install I had to do this:

    aide --config /etc/aide/aide.conf --init

    Otherwise /usr/bin/aide.wrapper ran like this:
    /usr/bin/aide --config /var/lib/aide/aide.conf.autogenerated --init

    Which gave this error:
    Caught SIGBUS/SEGV while mmapping. File was truncated while aide was running?

  2. ubuntu@master:~$ sudo /etc/cron.daily/aide
    send-mail: fatal: open /etc/postfix/main.cf: No such file or directory
    Can’t send mail: sendmail process failed with error code 75

    Any idea as to how to fix this? Thanks for writing this, it was very easy to follow.

    • Do you actually have postfix installed?

      and to Eric Lukens… Captcha are already a *itch to read… if you have black over a dark gray background it makes it harder to write as well… for a human…

  3. Hi,

    I get an error when installing Aide on the latest LTS for Ubuntu (14.04) saying it doesn’t have permission to access a file ending gvfs.
    I’ve found I can bypass this by using umount gvfs when in the directory it lists as insufficient permission, but then I get another error on install.

    I carried out the rest of the tutorial anyway, but as expected get an error when running /etc/cron.daily/aide. The emailed error:
    ******************************************************************************
    *AIDE returned with exit code 137. AIDE returned an unknown non-zero exit value*
    * exit value is 137 *
    ******************************************************************************
    Errors produced (1 lines):
    Killed

    End of AIDE error output.

    funny, AIDE did not leave a log.

    End of AIDE daily cron job at 2014-08-14 08:54, run time 239 seconds

    Any ideas of what could be going wrong? Is Aide just simply not compatible with this version of Ubuntu?
