Hardening Linux Server With AIDE
What is AIDE?
AIDE is an Intrusion Detection System for checking file integrity. This is done through the comparison of database files. AIDE is capable of checking inode, permissions, modification time and file content changes.
Installation is very simple for AIDE you just need to install the package. For openSUSE you can just install it from the default OSS or security repo from OBS.
zypper in aide
First of all we need to tell AIDE what directories to monitor as well as where to store the database files that it will use to compare the state of the system.
Open up /etc/aide.conf in your favorite text editor and check out the following values.
The “database” is where the “good” or initial state of the system is stored, this can be on the local system but it may be a good idea to store this on a read only network mount if you are running AIDE on a production server. When AIDE runs it will create a “new” or “current” state database and perform a comparison with the known good state and notify you if there are differences detected.
When AIDE prints out its messages it can be configured by the administrator to only provide certain details. AIDE is very flexible in what it can display, a full list can be found here(http://aide.sourceforge.net/stable/manual.html)
Binlib = p+i+n+u+g+s+b+m+c+sha256+sha512
ConfFiles = p+i+n+u+g+s+b+m+c+sha256+sha512
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+sha256+sha512
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+sha256+sha512
Further down in the configuration file you will find definitions for what directories AIDE should ignore, which it should track and what rule they fall under.
To tell AIDE to ignore a directory simply put a “!” before its declaration:
To track a directory and match it to a rule simply declare the rule you wish to match right after the directory.
For example the /etc rule matching a changed file would result in the following output:
Size : 76 , 49
Mtime : 2016–03–13 15:05:13 , 2016–03–14 13:25:26
Ctime : 2016–03–13 15:05:13 , 2016–03–14 13:25:26
Inode : 772672 , 772869
SHA256 : qCbGw+A+0SnH+O0FflNzPdV1erRYhuPj , NxfZibNn41iitzt6HyCtPaW9t/K+e23T
SHA512 : weUPRQHqB0nzlhi2SEwhRD49LPUxKG0y , gI8iXh74BsDY8Ol3x4YlzepHtk8uFyxD
Its important to understand the basics of this configuration file as it makes AIDE a very flexible auditing tool.
The easiest way to schedule regular AIDE audits is to make use of cron and running a script. As the root user you can create a file /root/bin/aide.sh and add the following lines:
# these should be the same as what’s defined in /etc/aide.conf
The first thing the script needs to do is to check if the “good” state database exists. If it does not then the script should exit as it cannot make the comparison.
if [ ! -f “$database” ]; then
echo “$database not found” >&2
This next part is relevant on desktop systems because they change far too often for a single state to always be good. Instead the script will copy the previous runs “new” database over the old “good” database and then generate a new database of the current state.
mv $database_out $database
aide — check — verbose > /tmp/aide.txt
Once that is done the script needs to see if there was any difference found, and if there was to send the data to the administrator.
grep “Looks okay” /tmp/aide.txt &> /dev/null
if [[ $? == “0” ]]; then
echo “No difference found!” | mail -s “AIDE Report” $ADDR
cat /tmp/aide.txt | mail -s “AIDE Report” $ADDR
Lastly the script should remove the file it created in /tmp
Save the file and open a terminal as root and enter the /etc/cron.daily and create a symlink to the aide.sh script
ln -s /root/bin/aide.sh aide.sh
Note that if you are finding the daily scheduled time to be inconvenient you can edit the /etc/sysconfig/cron file and change DAILY_TIME value. For example:
Once that is done, wait for the DAILY_TIME value to be hit then see if it emails the user you defined in the script.