Beginner's Guide to Linux Advanced Intrusion Detection Environment (AIDE)

Introduction

What is the Advanced Intrusion Detection Environment (AIDE) utility? AIDE is a small yet powerful intrusion detection tool, installed automatically with the Linux operating system, that uses predefined rules to check file and directory integrity. It protects the system from the inside by providing a layer of defense against viruses, rootkits and malware, and by detecting unauthorized activity. It is an independent static binary, which simplifies client/server monitoring configurations. It runs on demand, so the time it takes to report a change depends on how often the system is checked (usually at least once a day). This document walks through the setup and monitoring of the utility. AIDE works by applying a number of hash algorithms (such as, but not limited to, md5, sha1, rmd160 and tiger), supports the common file attributes, and also supports regular expressions to include or exclude files from the scan.

Configuration

The first check is to see whether the database for the AIDE utility has been created and initialized. You can do that with the following command:

# aide --check
Couldn't open file /var/lib/aide/aide.db.gz for reading

In the preceding example we see that the utility is installed, but the database has not been created and initialized. This is done with the following step:

# aide --init
WARNING: AIDE detected pre-linked binary objects on your system but the prelink tool (/usr/sbin/prelink) is missing!
WARNING: pre-linked files will be processed without a prelink undo operation! Please install prelink to fix this.
AIDE, version 0.14

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

This will take some time to run, since it initializes the database using the default rules installed with the utility. We will deal with the rules and their implementation next. You might notice the WARNING messages above about the prelink utility not being available; those can be ignored. When the command completes you will see that the new database has been created and initialized. The first thing we have to do is rename the database just created: it needs to carry the name the AIDE utility looks for. Consider the following check of the utility and the renaming:

Attempt to check the setup after initialization (it should fail):

# aide --check
Couldn't open file /var/lib/aide/aide.db.gz for reading

Now rename the database that was created in the prior step:

# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

The check (which takes some time to complete) will now run properly and look something like this (every system will be slightly different):

# aide --check
WARNING: AIDE detected pre-linked binary objects on your system but the prelink tool (/usr/sbin/prelink) is missing!
WARNING: pre-linked files will be processed without a prelink undo operation! Please install prelink to fix this.
AIDE found differences between database and filesystem!!
Start timestamp: 2019-12-02 07:26:47
Summary:
Total number of files: 186903
Added files: 28
Removed files: 17
Changed files: 19

---------------------------------------------------
Added files:
---------------------------------------------------

added: /var/log/cellos/__imglog_stderr_rredts_golgmi__.80naKzjt0HzhkSCuRwqD1bGsTT15r7wQ
added: /var/log/cellos/__imglog_stdout_tuodts_golgmi__.80naKzjt0HzhkSCuRwqD1bGsTT15r7wQ
added: /var/log/cellos/__imglog_stderr_rredts_golgmi__.GtybUjr6netNOSn29y9B7pNG7ln55b79
added: /var/log/cellos/__imglog_stdout_tuodts_golgmi__.ZhLV65GXGMap7SGKut5QPiO76ALQQdzN
added: /var/log/cellos/__imglog_stdout_tuodts_golgmi__.GtybUjr6netNOSn29y9B7pNG7ln55b79
added: /var/log/cellos/__imglog_stderr_rredts_golgmi__.ZhLV65GXGMap7SGKut5QPiO76ALQQdzN
added: /opt/oracle.ExaWatcher/archive/Netstat.ExaWatcher/2019_12_02_06_17_19_NetstatExaWatcher_somewhere.com.dat.bz2
added: /opt/oracle.ExaWatcher/archive/Netstat.ExaWatcher/2019_12_02_07_20_46_NetstatExaWatcher_somewhere.com.dat
added: /opt/oracle.ExaWatcher/archive/Diskinfo.ExaWatcher/2019_12_02_07_07_54_DiskinfoExaWatcher_somewhere.com.dat
added: /opt/oracle.ExaWatcher/archive/Diskinfo.ExaWatcher/2019_12_02_06_07_39_DiskinfoExaWatcher_somewhere.com.dat.bz2
added: /opt/oracle.ExaWatcher/archive/IBprocs.ExaWatcher/2019_12_02_07_06_55_IBprocsExaWatcher_somewhere.com.dat
added: /opt/oracle.ExaWatcher/archive/Meminfo.ExaWatcher/2019_12_02_07_07_16_MeminfoExaWatcher_somewhere.com.dat
added: /opt/oracle.ExaWatcher/archive/Meminfo.ExaWatcher/2019_12_02_06_07_10_MeminfoExaWatcher_somewhere.com.dat.bz2
added: /opt/oracle.ExaWatcher/archive/IBCardInfo.ExaWatcher/2019_12_02_06_08_14_IBCardInfoExaWatcher_somewhere.com.dat.bz2
added: /opt/oracle.ExaWatcher/archive/IBCardInfo.ExaWatcher/2019_12_02_07_08_40_IBCardInfoExaWatcher_somewhere.com.dat
added: /opt/oracle.ExaWatcher/archive/Top.ExaWatcher/2019_12_02_07_13_05_TopExaWatcher_somewhere.com.dat
added: /opt/oracle.ExaWatcher/archive/Top.ExaWatcher/2019_12_02_06_11_31_TopExaWatcher_somewhere.com.dat.bz2
added: /opt/oracle.ExaWatcher/archive/Ps.ExaWatcher/2019_12_02_06_11_24_PsExaWatcher_somewhere.com.dat.bz2
added: /opt/oracle.ExaWatcher/archive/Ps.ExaWatcher/2019_12_02_07_12_45_PsExaWatcher_somewhere.com.dat
added: /opt/oracle.ExaWatcher/archive/Vmstat.ExaWatcher/2019_12_02_06_07_42_VmstatExaWatcher_somewhere.com.dat.bz2
added: /opt/oracle.ExaWatcher/archive/Vmstat.ExaWatcher/2019_12_02_07_07_58_VmstatExaWatcher_somewhere.com.dat
added: /opt/oracle.ExaWatcher/archive/Lsof.ExaWatcher/2019_12_02_06_23_25_LsofExaWatcher_somewhere.com.dat.bz2
added: /opt/oracle.ExaWatcher/archive/Mpstat.ExaWatcher/2019_12_02_06_07_05_MpstatExaWatcher_somewhere.com.dat.bz2
added: /opt/oracle.ExaWatcher/archive/Mpstat.ExaWatcher/2019_12_02_07_07_10_MpstatExaWatcher_somewhere.com.dat
added: /opt/oracle.ExaWatcher/archive/Iostat.ExaWatcher/2019_12_02_07_06_53_IostatExaWatcher_somewhere.com.dat
added: /opt/oracle.ExaWatcher/archive/Iostat.ExaWatcher/2019_12_02_06_06_52_IostatExaWatcher_somewhere.com.dat.bz2
added: /opt/oracle.ExaWatcher/archive/LGWR.ExaWatcher/2019_12_02_07_10_33_LGWRExaWatcher_somewhere.com.dat
added: /opt/oracle.ExaWatcher/archive/LGWR.ExaWatcher/2019_12_02_06_09_38_LGWRExaWatcher_somewhere.com.dat.bz2

---------------------------------------------------
Removed files:
---------------------------------------------------

removed: /var/log/cellos/__imglog_stderr_rredts_golgmi__.EB1VJGIwGs5dDfKfy5xz5xETqRePC3hJ
removed: /var/log/cellos/__imglog_stderr_rredts_golgmi__.E8qsD4LlQjQM3E8uMyI9qPZsWuCWdvXT
removed: /var/log/cellos/__imglog_stdout_tuodts_golgmi__.MHb9ZVRfwJuj2EIUa7r1BPj85pI4uP4J
removed: /var/log/cellos/__imglog_stderr_rredts_golgmi__.MHb9ZVRfwJuj2EIUa7r1BPj85pI4uP4J
removed: /var/log/cellos/__imglog_stdout_tuodts_golgmi__.EB1VJGIwGs5dDfKfy5xz5xETqRePC3hJ
removed: /var/log/cellos/__imglog_stdout_tuodts_golgmi__.E8qsD4LlQjQM3E8uMyI9qPZsWuCWdvXT
removed: /opt/oracle.ExaWatcher/archive/Netstat.ExaWatcher/2019_12_02_06_17_19_NetstatExaWatcher_somewhere.com.dat
removed: /opt/oracle.ExaWatcher/archive/Diskinfo.ExaWatcher/2019_12_02_06_07_39_DiskinfoExaWatcher_somewhere.com.dat
removed: /opt/oracle.ExaWatcher/archive/Meminfo.ExaWatcher/2019_12_02_06_07_10_MeminfoExaWatcher_somewhere.com.dat
removed: /opt/oracle.ExaWatcher/archive/IBCardInfo.ExaWatcher/2019_12_02_06_08_14_IBCardInfoExaWatcher_somewhere.com.dat
removed: /opt/oracle.ExaWatcher/archive/Top.ExaWatcher/2019_12_02_06_11_31_TopExaWatcher_somewhere.com.dat
removed: /opt/oracle.ExaWatcher/archive/Ps.ExaWatcher/2019_12_02_06_11_24_PsExaWatcher_somewhere.com.dat
removed: /opt/oracle.ExaWatcher/archive/Vmstat.ExaWatcher/2019_12_02_06_07_42_VmstatExaWatcher_somewhere.com.dat
removed: /opt/oracle.ExaWatcher/archive/Lsof.ExaWatcher/2019_12_02_06_23_25_LsofExaWatcher_somewhere.com.dat
removed: /opt/oracle.ExaWatcher/archive/Mpstat.ExaWatcher/2019_12_02_06_07_05_MpstatExaWatcher_somewhere.com.dat
removed: /opt/oracle.ExaWatcher/archive/Iostat.ExaWatcher/2019_12_02_06_06_52_IostatExaWatcher_somewhere.com.dat
removed: /opt/oracle.ExaWatcher/archive/LGWR.ExaWatcher/2019_12_02_06_09_38_LGWRExaWatcher_somewhere.com.dat

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /var/log/lastlog
changed: /opt/oracle.ExaWatcher/archive/Netstat.ExaWatcher
changed: /opt/oracle.ExaWatcher/archive/Diskinfo.ExaWatcher
changed: /opt/oracle.ExaWatcher/archive/IBprocs.ExaWatcher
changed: /opt/oracle.ExaWatcher/archive/Meminfo.ExaWatcher
changed: /opt/oracle.ExaWatcher/archive/IBCardInfo.ExaWatcher
changed: /opt/oracle.ExaWatcher/archive/RDSinfo.ExaWatcher/2019_12_02_06_45_27_RDSinfoExaWatcher_somewhere.com.dat
changed: /opt/oracle.ExaWatcher/archive/Top.ExaWatcher
changed: /opt/oracle.ExaWatcher/archive/Ps.ExaWatcher
changed: /opt/oracle.ExaWatcher/archive/Vmstat.ExaWatcher
changed: /opt/oracle.ExaWatcher/archive/Lsof.ExaWatcher
changed: /opt/oracle.ExaWatcher/archive/Mpstat.ExaWatcher
changed: /opt/oracle.ExaWatcher/archive/Iostat.ExaWatcher
changed: /opt/oracle.ExaWatcher/archive/LGWR.ExaWatcher
changed: /opt/oracle.ExaWatcher/tmp
changed: /opt/oracle.ExaWatcher/tmp/mlx4_3.state
changed: /opt/oracle.ExaWatcher/tmp/mlx4_2.state
changed: /opt/oracle.ExaWatcher/tmp/mlx4_0.state
changed: /opt/oracle.ExaWatcher/tmp/mlx4_1.state

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /var/log/lastlog
Mtime : 2019-12-02 06:37:30 , 2019-12-02 06:58:54
Ctime : 2019-12-02 06:37:30 , 2019-12-02 06:58:54
MD5 : W0XDreJJiFC9WyEk6ifX5g== , 9B8MXcmbozwj1A3FTcgUVA==
SHA256 : IceoiemHXT+YEUkK0+n5qei/ZOcsYYuS , D5sCDtpDvXc15yEj6FG5HCPsievAMfN6

Directory: /opt/oracle.ExaWatcher/archive/Netstat.ExaWatcher
Mtime : 2019-12-02 06:17:19 , 2019-12-02 07:20:46
Ctime : 2019-12-02 06:17:19 , 2019-12-02 07:20:46

Directory: /opt/oracle.ExaWatcher/archive/Diskinfo.ExaWatcher
Mtime : 2019-12-02 06:07:39 , 2019-12-02 07:07:54
Ctime : 2019-12-02 06:07:39 , 2019-12-02 07:07:54

Directory: /opt/oracle.ExaWatcher/archive/IBprocs.ExaWatcher
Mtime : 2019-12-02 06:56:55 , 2019-12-02 07:06:55
Ctime : 2019-12-02 06:56:55 , 2019-12-02 07:06:55

Directory: /opt/oracle.ExaWatcher/archive/Meminfo.ExaWatcher
Mtime : 2019-12-02 06:07:10 , 2019-12-02 07:07:16
Ctime : 2019-12-02 06:07:10 , 2019-12-02 07:07:16

Directory: /opt/oracle.ExaWatcher/archive/IBCardInfo.ExaWatcher
Mtime : 2019-12-02 06:08:14 , 2019-12-02 07:08:40
Ctime : 2019-12-02 06:08:14 , 2019-12-02 07:08:40

File: /opt/oracle.ExaWatcher/archive/RDSinfo.ExaWatcher/2019_12_02_06_45_27_RDSinfoExaWatcher_somewhere.com.dat
Size : 2526614 , 7570218
Mtime : 2019-12-02 06:57:30 , 2019-12-02 07:25:38
Ctime : 2019-12-02 06:57:30 , 2019-12-02 07:25:38
MD5 : IPscMVW4rH9pdKVhnTnESQ== , Mz1wk8Zz0mGsipVnkqG9AA==
RMD160 : GL8i9tiyZ6SysQgqtHLYME+IRaI= , rmFBl297tZUZtsaeIfynMXZ8cGM=
SHA256 : x3z7ZNV8rO/ey5Xz0MTSMbnkCw6V63na , Nkc3UD6pG6rzIEgW2Um61Mx9bA8zHXa4

Directory: /opt/oracle.ExaWatcher/archive/Top.ExaWatcher
Mtime : 2019-12-02 06:11:31 , 2019-12-02 07:13:05
Ctime : 2019-12-02 06:11:31 , 2019-12-02 07:13:05

Directory: /opt/oracle.ExaWatcher/archive/Ps.ExaWatcher
Mtime : 2019-12-02 06:11:24 , 2019-12-02 07:12:45
Ctime : 2019-12-02 06:11:24 , 2019-12-02 07:12:45

Directory: /opt/oracle.ExaWatcher/archive/Vmstat.ExaWatcher
Mtime : 2019-12-02 06:07:42 , 2019-12-02 07:07:58
Ctime : 2019-12-02 06:07:42 , 2019-12-02 07:07:58

Directory: /opt/oracle.ExaWatcher/archive/Lsof.ExaWatcher
Mtime : 2019-12-02 06:23:25 , 2019-12-02 07:27:00
Ctime : 2019-12-02 06:23:25 , 2019-12-02 07:27:00

Directory: /opt/oracle.ExaWatcher/archive/Mpstat.ExaWatcher
Mtime : 2019-12-02 06:07:05 , 2019-12-02 07:07:10
Ctime : 2019-12-02 06:07:05 , 2019-12-02 07:07:10

Directory: /opt/oracle.ExaWatcher/archive/Iostat.ExaWatcher
Mtime : 2019-12-02 06:06:52 , 2019-12-02 07:06:53
Ctime : 2019-12-02 06:06:52 , 2019-12-02 07:06:53

Directory: /opt/oracle.ExaWatcher/archive/LGWR.ExaWatcher
Mtime : 2019-12-02 06:09:38 , 2019-12-02 07:10:33
Ctime : 2019-12-02 06:09:38 , 2019-12-02 07:10:33

Directory: /opt/oracle.ExaWatcher/tmp
Mtime : 2019-12-02 06:53:35 , 2019-12-02 07:23:49
Ctime : 2019-12-02 06:53:35 , 2019-12-02 07:23:49

File: /opt/oracle.ExaWatcher/tmp/mlx4_3.state
Mtime : 2019-12-02 06:58:38 , 2019-12-02 07:23:49
Ctime : 2019-12-02 06:58:38 , 2019-12-02 07:23:49
Inode : 1322786 , 1322844
MD5 : 8jNopu54ZvlM5HFkuUi9kA== , PseDnZLCDvg/7eB4jNHnTw==
RMD160 : tLHZH8n42FDDQJA6Rauuv/cIbKI= , zzYW1jJs6V5aN0u1xZmt53eI/XY=
SHA256 : fjg0NR8AVAr58hdIyEYAERSchTS71lxz , 1jGarEu3tQH8TkYtMbuqFj+mYd/KhBoW

File: /opt/oracle.ExaWatcher/tmp/mlx4_2.state
Mtime : 2019-12-02 06:58:38 , 2019-12-02 07:23:49
Ctime : 2019-12-02 06:58:38 , 2019-12-02 07:23:49
MD5 : b0D8Xjg/y04hqkTMclBzZw== , y4PIGFdr91RWD3uBxoNE7g==
RMD160 : e9N+eVrNVU3gBiBDQ0zg/bTS0Yo= , zdOLfW2vUcfN6aKsSmLCAzeu6HI=
SHA256 : rzYzS6vxtHQRX6hV+aI/FataUKhbOdaS , p65o1YSDo7nWhr0orvB0B8Wt1n7MzPdg

File: /opt/oracle.ExaWatcher/tmp/mlx4_0.state
Mtime : 2019-12-02 06:58:38 , 2019-12-02 07:23:49
Ctime : 2019-12-02 06:58:38 , 2019-12-02 07:23:49
Inode : 1322837 , 1322847
MD5 : EZcVKKLdmZsZ7PCe5Oehwg== , auac8cCtIiUHKogMmWEmYw==
RMD160 : fMGcLwJKcvZsjBHE5cUkRbsetHI= , MoX6CLiX+5OEII+affbW/oV1vHk=
SHA256 : iwq9SyB7/c8grUVU8SjsF9mowjXsZIuo , pev9/h8NzCDvzuFfLweR3bcITpXL7476

File: /opt/oracle.ExaWatcher/tmp/mlx4_1.state
Mtime : 2019-12-02 06:58:38 , 2019-12-02 07:23:49
Ctime : 2019-12-02 06:58:38 , 2019-12-02 07:23:49
Inode : 1322824 , 1322848
MD5 : 90XZUnoeApNN4gsPzUmLKw== , N3NG+r3o9QkzLV95iZYeXw==
RMD160 : 8J0N6ijEmkI1G1JufgNURqUXndk= , iDble/ieQA2ReEKUvaYrcIJDajU=
SHA256 : KrWTpwej+sUBmPOm61LIVdDVrlqMpF91 , 2TJEJIiLFKrwmuPd6qBXOJPt0y7GC1ph

To keep from seeing this list again, make sure to update the AIDE database (so it won't continue to report the same newly created files) with the command:

# aide --update
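Reading a report of this size by hand does not scale, so here is an added example (not code from the original page or the AIDE project) that parses the report format shown above and triages the changed entries: a change under a path you already know to be noisy is set aside only if none of its checksums moved, while any content change stays on the review list. The excerpt is constructed from the output above; the /etc/passwd entry and the noisy-path pattern are assumptions.

```python
"""Parse an AIDE --check report and triage the changed entries.
Added example, not from the page or the AIDE project. The excerpt is
constructed from the report above; the /etc/passwd entry is invented."""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
AIDE found differences between database and filesystem!!
Summary:
Added files: 1
Removed files: 1
Changed files: 3

---------------------------------------------------
Added files:
---------------------------------------------------
added: /opt/oracle.ExaWatcher/archive/Top.ExaWatcher/2019_12_02_07_13_05_TopExaWatcher_somewhere.com.dat

---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /opt/oracle.ExaWatcher/archive/Top.ExaWatcher/2019_12_02_06_11_31_TopExaWatcher_somewhere.com.dat

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /var/log/lastlog
Mtime : 2019-12-02 06:37:30 , 2019-12-02 06:58:54
MD5 : W0XDreJJiFC9WyEk6ifX5g== , 9B8MXcmbozwj1A3FTcgUVA==
SHA256 : IceoiemHXT+YEUkK0+n5qei/ZOcsYYuS , D5sCDtpDvXc15yEj6FG5HCPsievAMfN6

Directory: /opt/oracle.ExaWatcher/archive/Top.ExaWatcher
Mtime : 2019-12-02 06:11:31 , 2019-12-02 07:13:05
Ctime : 2019-12-02 06:11:31 , 2019-12-02 07:13:05

File: /etc/passwd
Size : 2102 , 2151
MD5 : constructedOldMd5Value== , constructedNewMd5Value==
"""

HASH_ATTRS = {"MD5", "SHA1", "SHA256", "SHA512", "RMD160", "TIGER"}

@dataclass
class Change:
    kind: str                 # "File" or "Directory"
    path: str
    attrs: dict = field(default_factory=dict)   # attribute -> (old, new)

    def content_changed(self):
        # True if a checksum moved, not merely timestamps, size or inode
        return any(a.upper() in HASH_ATTRS for a in self.attrs)

def parse_report(text):
    """Return (added, removed, changes) from an aide --check report."""
    added, removed, changes = [], [], []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("added: "):
            added.append(line[len("added: "):])
        elif line.startswith("removed: "):
            removed.append(line[len("removed: "):])
        elif line.startswith(("File: ", "Directory: ")):
            kind, path = line.split(": ", 1)
            current = Change(kind, path)
            changes.append(current)
        elif current is not None and " : " in line and " , " in line:
            name, values = line.split(" : ", 1)      # "Attr : old , new"
            old, new = values.split(" , ", 1)
            current.attrs[name] = (old.strip(), new.strip())
    return added, removed, changes

def triage(changes, noisy_patterns):
    """Split into (review, noise): noise needs a noisy path AND no hash change."""
    noisy = [re.compile(p) for p in noisy_patterns]
    review, noise = [], []
    for c in changes:
        expected = any(n.search(c.path) for n in noisy)
        (noise if expected and not c.content_changed() else review).append(c)
    return review, noise
```

Note that /var/log/lastlog lands on the review list because its checksums changed; once you have confirmed that is just login activity, it is a candidate for the noisy-path list rather than for silent suppression.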

The list you see displayed here can also be found in the AIDE log at /var/log/aide/aide.log. First let’s look at our AIDE configuration:

# aide -v
Aide 0.14
Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

The '-v' option tells us the version, the options AIDE was compiled with, and where the configuration file is located. Now we delve into the configuration of the utility. The default AIDE configuration file usually resides in /etc/aide.conf, but its location on any particular system is returned by the command above. We are going to go through the basics of setup; there are many more avenues one can explore in an advanced setup than we will go into here.

# cat /etc/aide.conf
# Example configuration file for AIDE.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide

# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz

# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz

# Whether to gzip the output to database
gzip_dbout=yes

# Default.
verbose=5

report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:[email protected]
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH

# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum

#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)

#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs

# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES

# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256

# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs

# Access control only
PERMS = p+i+u+g+acl+selinux

# Logfile are special, in that they often change
LOG = >

# Just do md5 and sha256 hashes
LSPP = R+sha256

# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger

# Next decide what directories/files you want in the database.

/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp

# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL

/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL

/etc/sudoers NORMAL
/etc/skel NORMAL

/etc/logrotate.d NORMAL

/etc/resolv.conf DATAONLY

/etc/nscd.conf NORMAL
/etc/securetty NORMAL

# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL

# Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL

/var/log LOG
/var/run/utmp LOG

# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log

# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP

/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP

/etc/hosts LSPP
/etc/sysconfig LSPP

/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP

/etc/ld.so.conf LSPP

/etc/localtime LSPP

/etc/sysctl.conf LSPP

/etc/modprobe.conf LSPP

/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP

/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP

/etc/stunnel LSPP

/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP

/etc/issue LSPP
/etc/issue.net LSPP

/etc/cups LSPP

# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found DIR
#=/home DIR

# Ditto /var/log/sa reason...
!/var/log/and-httpd

# Admins dot files constantly change, just check perms
/root/\..* PERMS

We will now walk through the preceding setup stanza by stanza. The first stanza configures the utility's own housekeeping: the database, its directories and reporting.

@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz

# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz

# Whether to gzip the output to database
gzip_dbout=yes

# Default.
verbose=5

report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:[email protected]
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH

There are three types of defines:

  • @@define
  • @@undef
  • @@ifdef (must be terminated with @@endif)

The default setup file uses only @@define, to define the location of the database and log directories. The variable names are not reserved keywords and can be used throughout the file wherever the user needs them. One can unset a variable that was previously set with the @@undef statement; this would most likely only be used in advanced scripting of the utility. The @@ifdef is a loop construct for use in advanced scripting, which we will not cover in this document.

Next, commented out in the file are the rules definitions:

# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)

#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs

# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES

# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256

# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs

# Access control only
PERMS = p+i+u+g+acl+selinux

# Logfile are special, in that they often change
LOG = >

# Just do md5 and sha256 hashes
LSPP = R+sha256

# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger

Each rule's mnemonic (the part before the colon) is how the rule is written in the macros that follow, and a short explanation of the rule comes after the colon. Rules are concatenated with the + sign to form macros against which files are watched. The upper-case names are the pre-made macros assembled for use. The user may define any set of macros to their liking to suit their use; the default configuration ships with a number of them. One can get very advanced, not only in macro definition, but in applying macros to individual files. How "hardened" one wants the system determines how one configures these macros. The idea is to watch for the changes specified by the attributes and hash algorithms in each macro. The number of custom rules that can be created, and the level of granularity applied, can be as stringent as the user requires. Now that we have basic rules defined, we need to apply them to files.
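Because a macro is only as good as the attributes it expands to, here is an added example (not the page's or AIDE's own code) that flattens the macro definitions above into the attribute set each one actually checks. It makes visible, for instance, that PERMS on /etc computes no checksum at all and that DATAONLY drops inode, mtime and ctime as its comment promises. The built-in groups R, L, E and > are taken from the commented defaults in the file; the macro lines are copied from it verbatim.

```python
"""Expand AIDE rule macros into the attribute set each one checks.
Added example, not from the page or the AIDE project. R, L, E and >
come from the comments in aide.conf above; the macros are its own."""
import re

BUILTIN = {
    "R": "p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5",
    "L": "p+i+n+u+g+acl+selinux+xattrs",
    "E": "",                                  # empty group
    ">": "p+u+g+i+n+S+acl+selinux+xattrs",    # growing logfile
}
HASHES = {"md5", "sha1", "sha256", "sha512", "rmd160", "tiger",
          "haval", "gost", "crc32", "whirlpool"}

# The macro definitions from the aide.conf shown above, verbatim.
CONFIG = """\
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
EVERYTHING = R+ALLXTRAHASHES
NORMAL = R+rmd160+sha256
DIR = p+i+n+u+g+acl+selinux+xattrs
PERMS = p+i+u+g+acl+selinux
LOG = >
LSPP = R+sha256
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
"""

# NAME = a+b+c, optional trailing comment; option lines like
# database=file:... do not match because of the colon and slashes.
MACRO_LINE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*([\w+>]*)\s*(?:#.*)?$")

def load_macros(text):
    """Read macro lines on top of the built-in groups."""
    macros = dict(BUILTIN)
    for line in text.splitlines():
        m = MACRO_LINE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros

def expand(name, macros, _stack=()):
    """Flatten macro `name` to the set of primitive attributes it checks."""
    if name in _stack:
        raise ValueError("macro cycle: " + " -> ".join(_stack + (name,)))
    expr = macros.get(name)
    if expr is None:          # not a macro: a primitive such as p or md5
        return {name}
    attrs = set()
    for term in filter(None, expr.split("+")):
        attrs |= expand(term, macros, _stack + (name,))
    return attrs

def coverage_gap(weaker, stronger, macros):
    """Attributes `stronger` checks that `weaker` silently ignores."""
    return expand(stronger, macros) - expand(weaker, macros)

def hashes_in(name, macros):
    """Which checksums a macro computes (empty for PERMS, DIR and LOG)."""
    return expand(name, macros) & HASHES
```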

This is a default set of directories and can be changed for any installation to fit the set of directories whose files one wishes to have reviewed. You would want to include any directory where a malicious change to executables or other files could harm your system, including injection-style attacks.

# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp

These are the most common and obvious places one would want to protect in a Linux installation. Note that the term NORMAL follows each of the directories. If you look back at our macro definitions you see:

#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
...
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256

This means that this set of attributes will be checked on any file found in the named directory structure. Of course the user is free to define their own set of macros and apply them to any set of directories in whatever way they see fit to harden their system. The next part deals with the search and logging.

# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log

Both lines begin with !, the exclusion marker seen earlier for /usr/src and /usr/tmp. This updates the file list daily in the database: files removed yesterday will be gone from the database today, and names of files placed there today will be added to the database according to the ruleset applied. The next line is the logging, which simply truncates yesterday's log and fills it with the new log from today.

The next part gets really long and we won't go over it in detail here. AIDE works its way through the tree of nodes to be scanned and writes out a database of the attributes found. There are currently thirteen attributes that AIDE can log, including permissions, owner, group, size, all three timestamps (atime, ctime and mtime), plus lower-level items such as inode, block count and number of links, which we covered previously.

On top of those, AIDE supports multiple hash algorithms with which it can generate checksums for each file. By default the list includes MD5, SHA-1, SHA-256, SHA-512, RMD-160, Tiger, HAVAL and CRC-32. If you compile AIDE with the mhash option to the configure script, you can also use GOST and Whirlpool hashes.

Defining your regular expressions and rules is the essence of using AIDE. Too many files and directories, and you will end up with extremely long logs to read through on every integrity check. Too narrow a set, and you risk missing an important change to your system. By default, initialization creates a set of definitions for you. You should review your corporate security policies to decide on the implementation that is correct for your situation.

Now that we have initialized the database and generated the configuration file, we need to run the facility. Understand that the AIDE utility is NOT going to remove files; it simply advises you, in the log file, when files change. You will also need to decide how often to run the utility on your computer. To run AIDE there are two simple command lines that can be used:

# aide --check    ==> which runs a check on the system based upon the initialized database and currently loaded configuration.
# aide --update   ==> which will load any changes to the configuration file and create a new database. As in the original initialization, the database will have to be renamed after this is run.

At a minimum AIDE should be configured to run weekly, though it is not uncommon for it to run daily. Either would be defined as a cron job on the system.
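The check/update/rename cycle above is easy to get wrong by hand (forgetting the rename leaves AIDE comparing against a stale database), so here is an added example (not from the original page or the AIDE project) of a small script that a cron job can run: it invokes the check and extracts the Summary counts from the report, and, after the report has been reviewed, runs the update and performs the rename step while keeping the previous database under a timestamped name. The database paths are those from the aide.conf above; the crontab line and backup naming are assumptions, and aide_cmd lets the tests substitute a fake runner.

```python
"""Run the AIDE check/update cycle from cron and rotate the database.
Added example, not from the page or the AIDE project. The database paths
are those from the aide.conf above; the cron line and backup naming are
assumptions, and `aide_cmd` lets tests substitute a fake runner."""
import re
import shutil
import subprocess
import time
from pathlib import Path

DBDIR = Path("/var/lib/aide")
DB = DBDIR / "aide.db.gz"          # database=file:@@{DBDIR}/aide.db.gz
DB_NEW = DBDIR / "aide.db.new.gz"  # database_out=file:@@{DBDIR}/aide.db.new.gz
DIFF_MARKER = "AIDE found differences between database and filesystem!!"

def run_aide(args):
    """Invoke the real binary and return everything it printed."""
    proc = subprocess.run(["aide", *args], capture_output=True, text=True)
    return proc.stdout + proc.stderr

def summarize(report):
    """Pull the Summary counts out of an aide --check report."""
    counts = {}
    for key in ("Added", "Removed", "Changed"):
        m = re.search(rf"^{key} files:\s*(\d+)\s*$", report, re.MULTILINE)
        counts[key.lower()] = int(m.group(1)) if m else 0
    counts["differences"] = DIFF_MARKER in report
    return counts

def check(aide_cmd=run_aide):
    """Cron entry point, e.g. (assumed crontab line, daily at 03:00):
    0 3 * * * /usr/local/sbin/aide_cycle.py check
    Returns the counts; the caller mails or logs them for review."""
    return summarize(aide_cmd(["--check"]))

def update_and_rotate(aide_cmd=run_aide, db=DB, db_new=DB_NEW):
    """After the report has been reviewed: aide --update, then the rename
    step from the text. The old database is kept under a timestamped name
    instead of being overwritten so a later investigation can diff it."""
    aide_cmd(["--update"])
    if not db_new.exists():
        raise FileNotFoundError(f"{db_new} was not written by aide --update")
    backup = None
    if db.exists():
        backup = db.with_name(time.strftime("aide.db.%Y%m%d%H%M%S.gz"))
        shutil.copy2(db, backup)
    shutil.move(str(db_new), str(db))  # mv aide.db.new.gz aide.db.gz
    return db, backup

if __name__ == "__main__":
    import sys
    if sys.argv[1:] == ["update"]:
        print(update_and_rotate())
    else:
        print(check())
```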