Aide is an integrity monitoring app, or host-based intrusion detection system, that can be used to monitor changes to the file-system on Linux. It can be used to detect changes to the file-system that were not authorized or expected. It can be run on-demand or as part of a cron job. It hashes each file with one or many hashing algorithms and puts the file hashes into a database. This database is then used to compare against future runs of the application.
These instructions were tested on Ubuntu 12.04 LTS (Precise Pangolin) and Debian 7 (Wheezy), but are likely applicable to a larger range of Debian and Ubuntu versions and distributions based on them.
Note: Ideally Aide should be running on a system before it goes into production. If deploying afterwards, be sure the computer is trusted and clean, otherwise it may not do any good to be running Aide.
Aide has been heavily customized for Debian and Ubuntu using scripts and pre-built configurations. This is a good thing, but the documentation leaves much to be desired. By default, a large number of rules are included to help reduce the number of false alerts. For example, log files are expected to change, but they should generally GROW in size. Databases generally are also expected to change. Many rules are included and you can write your own if necessary. By default, the Aide package on Debian/Ubuntu installs a complex script in cron.daily. Of course, it doesn’t work the first time without some help.
Installation and Configuration
To install aide, simply type:
apt-get install aide
That part was easy. On some systems you might need to configure the mail subsystem, there’s plenty of help on Google for that.
If you try to run aide, something funny happens.
Couldn't open file /var/lib/aide/please-dont-call-aide-without-parameters/aide.db for reading
More about how to actually run the application later.
Next, let’s edit some configuration files. Feel free to substitute your favorite text editor.
This file has the general Aide configurations. The settings in here can be left alone successfully. However, we’re going to look at this line:
Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger
I don’t know about your thoughts on hashing algorithms, but this is too many: it increases the time the application takes to run and puts unnecessary load on the system. Really, just sha512 should be fine right now, but for safety’s sake we’ll pick two. I’d recommend sha512 plus one of the other algorithms without known collisions; I picked tiger. So the line would then be:
Checksums = sha512+tiger
Hit ctrl-x to exit nano and type y to save the file giving it the same name.
Next, let’s edit the variables used by the custom scripts that run aide:
This file contains fairly decent instructions, so I’ll just point out the following lines should be considered.
Consider replacing this with an email address you’d like to have receive daily reports.
Consider changing this to yes for some deployments. If left as no, the cron script will always compare the file-system to the aide database that you manually create. If changed to yes, it will compare to the last time the cron job was run. For a daily report of changed files, setting this to yes is helpful. Additionally, logs are kept that can be read for looking at changes over time. Lastly, you could manually copy a database off to another location for checking over a longer period. In all of my deployments, I set this to yes.
Consider changing this to yes to have the email report (but not the full log) ignore changes recorded in /var/log/dpkg.log for package updates (e.g. from apt-get upgrade). This setting is mostly a matter of personal preference and depends on the purpose of the aide deployment.
Consider changing this to yes to have the email report (but not the full log) ignore changes recorded in /var/log/dpkg.log for new package installs (e.g. from apt-get install). This setting is mostly a matter of personal preference and depends on the purpose of the aide deployment.
Feel free to look over the rest of the file for settings you might like. Once done, hit ctrl-x to exit nano and type y to save the file giving it the same name.
Before running aide for the first time, let’s consider a change to the cron script itself. The script runs the savelog command to rotate logs. The script is set to only save 7 logs. That is likely too low for most installs. In the file /etc/cron.daily/aide, look for the line:
[ -f "$LOGFILE" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGFILE" > /dev/null
In savelog, the -c flag stands for cycle. Change the 7 after the -c to your preferred number of logs to keep. Keep in mind that the cron script generally runs daily. Once done, hit ctrl-x to exit nano and type y to save the file giving it the same name. Beyond the above change, I do not recommend making any changes to the cron script.
Now we’re ready to run aide for the first time. We need to call a special script that will generate the file /var/lib/aide/aide.db.new when run. Type:
Let the process complete. You now have a file-system database located at aide.db.new in the /var/lib/aide directory. However, aide needs something to compare to, so let’s rename that file to simply aide.db. Without this rename, the cron job will fail to run successfully.
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Now whenever the cron script runs, it will compare against aide.db successfully. You could stop here if you wanted and wait to make sure it works. To manually kick off the cron job type:
If you make a large number of changes to a system, run the cron job manually as listed above. If you chose NOT to have the aide database copied over after each cron run, you should copy the new database over the old one:
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
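The rename-or-copy step above is easy to get wrong by hand (promoting a half-written aide.db.new, or losing the previous baseline). This added helper, not part of the Debian package or the original post, promotes aide.db.new over aide.db only after basic sanity checks, keeps a timestamped copy of the old database, and records the sha512 of the newly installed one in a ledger file; the ledger name and the use of a directory parameter are assumptions of this example.

```shell
#!/bin/sh
# Promote aide.db.new over aide.db once the report has been reviewed.
# Keeps a timestamped copy of the previous database and appends the sha512 of
# the newly installed one to a ledger, so a later tamper check on another
# system has a trusted value to compare against. The directory is a parameter
# so the function can be exercised on a scratch copy before the real one.
# The ledger file name (aide.db.ledger) is an assumption, not part of the package.
promote_aide_db() {
    dir=${1:-/var/lib/aide}
    new="$dir/aide.db.new"
    cur="$dir/aide.db"
    ledger="$dir/aide.db.ledger"
    if [ ! -f "$new" ]; then
        echo "promote_aide_db: $new not found; run the aide cron script first" >&2
        return 1
    fi
    # An aide.db.new older than aide.db usually means the last cron run failed
    # part-way; do not let a stale file silently replace a good baseline.
    if [ -f "$cur" ] && [ "$cur" -nt "$new" ]; then
        echo "promote_aide_db: $new is older than $cur; refusing to promote" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    if [ -f "$cur" ]; then
        cp -p "$cur" "$cur.$stamp" || return 1
    fi
    cp -p "$new" "$cur" || return 1
    # Verify the copy landed intact before trusting it as the new baseline.
    cmp -s "$new" "$cur" || { echo "promote_aide_db: copy verification failed" >&2; return 1; }
    hash=$(sha512sum "$cur" | cut -d' ' -f1)
    printf '%s  %s  %s\n' "$hash" "$cur" "$stamp" >> "$ledger"
    echo "promoted $new -> $cur (previous copy: $cur.$stamp, sha512 $hash)"
}
```

Run it as root with no argument on the live system (`promote_aide_db`), or with a scratch directory first to see what it does.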
Keep in mind that you will find changes on many systems between runs. You’ll have to use sound judgement to decide whether each change is a problem or not. You can write custom rules to exclude expected changes. Generally I review the results and learn what changes to expect. Typically you’ll find additional log files that aren’t covered by the defined rules. Some databases are also expected to change, as are files residing in users’ home directories on most systems. I watch home directories because my systems do not have end-user logons, and I’d want to know if something unscrupulous was put into a home directory.
Logs from aide will appear in the /var/log/aide directory. If you set an email address earlier, they will also be sent to that email address.
While I will not dive into much more detail, you should occasionally copy off aide.db files to external media and run occasional scans on those databases. An attacker can compromise the aide executable, scripts, or databases in order to cover their tracks, so consider keeping a list of the hashes of the aide scripts and executable and compare them from a trusted system.
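One way to keep that list of hashes and check it from a trusted system, as an added example that is not part of the original post or the aide package: build a sha512 manifest of the aide executable, the cron script and the database, store it on external media, and recompute the hashes later. The executable path is taken from `command -v aide` rather than hard-coded; /etc/cron.daily/aide and /var/lib/aide/aide.db are the paths the post already uses.

```shell
#!/bin/sh
# Build a sha512 manifest of the pieces an attacker would tamper with to hide
# from aide (the executable, the cron script and the database), keep it off the
# host, and later check the files against it from a trusted system.

# aide_manifest_create MANIFEST FILE...  writes one "hash  path" line per file.
aide_manifest_create() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        sha512sum "$f" >> "$manifest" || return 1
    done
}

# aide_manifest_check MANIFEST  recomputes every hash in the manifest; prints
# one line per problem (MISSING or MODIFIED) and returns 1 if anything differs,
# 0 if every file is present and unchanged.
aide_manifest_check() {
    manifest=$1
    bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        actual=$(sha512sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Typical use on the monitored host right after installation (then copy the
# manifest to external media), and later on a trusted system with the host's
# files mounted or copied over. /media/usb is an assumed mount point.
#   aide_manifest_create /media/usb/aide.sha512 "$(command -v aide)" \
#       /etc/cron.daily/aide /var/lib/aide/aide.db
#   aide_manifest_check /media/usb/aide.sha512
```

Any MODIFIED or MISSING line for the executable or the cron script means the aide reports themselves can no longer be trusted until the host has been examined.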