Hardening Linux Server With AIDE

What is AIDE?

AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system that checks file integrity. It does this by comparing the current state of the filesystem against a previously recorded database. AIDE can detect changes to inodes, permissions, modification times and file contents.

Installation

Installing AIDE is simple: you only need to install the package. On openSUSE it is available from the default OSS repository or from the security repository on OBS.

[code language="bash"]
zypper in aide
[/code]

Setup

First of all we need to tell AIDE what directories to monitor as well as where to store the database files that it will use to compare the state of the system.

Open up /etc/aide.conf in your favorite text editor and check out the following values.

The “database” is where the “good” or initial state of the system is stored. This can be on the local system, but if you are running AIDE on a production server it may be a good idea to store it on a read-only network mount. When AIDE runs it creates a “new” or “current” state database, compares it with the known good state and notifies you if any differences are detected.

[code]
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
[/code]
 
The rule definitions below select which attributes AIDE records and reports for a file, so the administrator can restrict the output to only the details that matter. AIDE is very flexible in what it can check; the full list of attribute letters is in the manual (http://aide.sourceforge.net/stable/manual.html).

[code]
Binlib = p+i+n+u+g+s+b+m+c+sha256+sha512
ConfFiles = p+i+n+u+g+s+b+m+c+sha256+sha512
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+sha256+sha512
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+sha256+sha512
[/code]
 
Further down in the configuration file you will find definitions for what directories AIDE should ignore, which it should track and what rule they fall under.

To tell AIDE to ignore a directory, put a “!” before its path:
[code]
!/etc/mtab
[/code]
 
To track a directory and match it to a rule, declare the rule you wish to match right after the directory path.
[code]
/etc ConfFiles
[/code]
 
For example, with /etc matched to the ConfFiles rule, a changed file would produce output like the following:
[code]
File: /etc/resolv.conf
Size : 76 , 49
Mtime : 2016-03-13 15:05:13 , 2016-03-14 13:25:26
Ctime : 2016-03-13 15:05:13 , 2016-03-14 13:25:26
Inode : 772672 , 772869
SHA256 : qCbGw+A+0SnH+O0FflNzPdV1erRYhuPj , NxfZibNn41iitzt6HyCtPaW9t/K+e23T
SHA512 : weUPRQHqB0nzlhi2SEwhRD49LPUxKG0y , gI8iXh74BsDY8Ol3x4YlzepHtk8uFyxD
[/code]

It's important to understand the basics of this configuration file, as it is what makes AIDE a very flexible auditing tool.
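To make the rule letters and the two-column report concrete, here is an added example (it is not code from the post or from the AIDE project): a miniature integrity check in POSIX sh that records the attributes behind p, i, n, u, g, s, m, c and sha256 with stat and sha256sum, then prints each changed attribute as "old , new" the way the report above does. The snapshot and compare function names, the field layout and the constructed sample directory are my own; GNU stat, sha256sum and awk are assumed.

```shell
#!/bin/sh
# Added example, not code from the post or from AIDE itself: a miniature
# integrity check that records the attributes an AIDE rule such as
# "p+i+n+u+g+s+m+c+sha256" asks for and prints changed attributes in the
# "old , new" layout of an AIDE report. Assumes GNU stat, sha256sum and awk.

# Record every regular file under DIR, one line per file, path relative
# to DIR. Fields: path|perm|inode|links|uid|gid|size|mtime|ctime|sha256
# (names containing "|" or newlines are not handled by this toy).
snapshot() {
    dir=$1
    ( cd "$dir" && find . -type f | sort | while IFS= read -r f; do
        stat -c '%n|%a|%i|%h|%u|%g|%s|%Y|%Z' "$f" | tr -d '\n'
        printf '|%s\n' "$(sha256sum "$f" | cut -d' ' -f1)"
    done )
}

# Compare two snapshot files (old, new): report added and removed files,
# and for files present in both, each attribute whose value differs.
compare() {
    awk -F'|' '
        BEGIN { split("Perm Inode Links Uid Gid Size Mtime Ctime SHA256", name, " ") }
        NR == FNR { old[$1] = $0; next }   # first file: remember the old state
        {
            seen[$1] = 1
            if (!($1 in old)) { print "added: " $1; next }
            split(old[$1], o, "|")
            header = 0
            for (i = 2; i <= NF; i++) {
                if (o[i] != $i) {
                    if (!header) { print "File: " $1; header = 1 }
                    printf "%-7s: %s , %s\n", name[i - 1], o[i], $i
                }
            }
        }
        END { for (f in old) if (!(f in seen)) print "removed: " f }
    ' "$1" "$2"
}

# Constructed demo: snapshot a directory, replace a file the way a
# configuration-management tool would (write a temp file, then rename it,
# which gives the path a new inode), and compare the two snapshots.
demo=$(mktemp -d)
mkdir "$demo/etc"
printf 'nameserver 10.0.0.1\n' > "$demo/etc/resolv.conf"
snapshot "$demo/etc" > "$demo/old.db"
printf 'nameserver 10.0.0.2\nsearch lab\n' > "$demo/etc/resolv.conf.tmp"
mv "$demo/etc/resolv.conf.tmp" "$demo/etc/resolv.conf"
snapshot "$demo/etc" > "$demo/new.db"
compare "$demo/old.db" "$demo/new.db"
rm -rf "$demo"
```

Running the demo prints a File: line for ./resolv.conf followed by the Inode, Size and SHA256 rows (and Mtime/Ctime if the two writes fall in different seconds), which is exactly the shape of the resolv.conf report shown above; an in-place edit with a text editor would keep the inode but still change Size, Mtime, Ctime and the hash.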

Scheduling

The easiest way to schedule regular AIDE audits is to have cron run a script. As the root user, create a file /root/bin/aide.sh and add the following lines:

[code language="bash"]
#!/bin/bash

# these should be the same as what's defined in /etc/aide.conf
database=/var/lib/aide/aide.db
database_out=/var/lib/aide/aide.db.new

ADDR="root@localhost"
[/code]
 
The first thing the script needs to do is to check if the “good” state database exists. If it does not then the script should exit as it cannot make the comparison.

[code language="bash"]
if [ ! -f "$database" ]; then
    echo "$database not found" >&2
    exit 1
fi
[/code]
 
This next part is relevant on desktop systems, because they change far too often for a single state to always be good. Instead, the script copies the previous run's “new” database over the old “good” database and then generates a new database of the current state.

[code language="bash"]
mv "$database_out" "$database"
aide -u
aide --check --verbose > /tmp/aide.txt
[/code]

Once that is done, the script needs to check whether any difference was found and, if so, send the report to the administrator.

[code language="bash"]
if grep -q "Looks okay" /tmp/aide.txt; then
    echo "No difference found!" | mail -s "AIDE Report" "$ADDR"
else
    mail -s "AIDE Report" "$ADDR" < /tmp/aide.txt
fi
[/code]

Lastly, the script should remove the file it created in /tmp.

[code language=”bash”]
rm /tmp/aide.txt
[/code]
 
Save the file, then open a terminal as root, change into /etc/cron.daily and create a symlink to the aide.sh script:

[code language=”bash”]
cd /etc/cron.daily/
ln -s /root/bin/aide.sh aide.sh
[/code]
 
Note that if you find the daily scheduled time inconvenient, you can edit the /etc/sysconfig/cron file and change the DAILY_TIME value. For example:

[code]
DAILY_TIME="18:30"
[/code]
 
Once that is done, wait for the DAILY_TIME value to be reached and check that the report is emailed to the address you defined in the script.
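As a worked version of the whole Scheduling procedure, here is an added example (it is not the post's aide.sh and not part of AIDE): the same daily check written as POSIX sh functions, with the database paths read from aide.conf instead of being copied into the script, and the "Looks okay" decision separated from the mailing so it can be exercised against a saved report. The function names aide_db_path, aide_report_status and aide_daily, the server/desktop mode switch, and the constructed aide.conf and report lines at the bottom are my own; the aide and mail commands are the ones the post uses.

```shell
#!/bin/sh
# Added example, not the post's script: the daily AIDE check as functions.
# Paths come from aide.conf, the report goes to a mktemp file, and the
# classification of the report is a function of its own. Assumes the aide
# and mail commands used in the post and a sed that understands [[:space:]].

AIDE_CONF=${AIDE_CONF:-/etc/aide.conf}
ADDR=${ADDR:-root@localhost}

# Print the path set for KEY ("database" or "database_out") in CONF, without
# the "file:" prefix; prints nothing if the key is not set. First match wins.
aide_db_path() {
    conf=$1
    key=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*file:\([^[:space:]]*\).*/\1/p" "$conf" | head -n 1
}

# Classify an AIDE report file: "clean" when AIDE printed "Looks okay",
# "changed" when it did not, "error" when there is no report to read.
aide_report_status() {
    report=$1
    if [ ! -s "$report" ]; then
        echo error
    elif grep -q "Looks okay" "$report"; then
        echo clean
    else
        echo changed
    fi
}

# The daily run. MODE is "server" (compare against the fixed baseline only)
# or "desktop" (the post's behaviour: promote last run's database to baseline
# first, guarded so the first run does not fail on a missing file).
aide_daily() {
    mode=${1:-server}
    database=$(aide_db_path "$AIDE_CONF" database)
    database_out=$(aide_db_path "$AIDE_CONF" database_out)
    report=$(mktemp /tmp/aide.XXXXXX)

    if [ ! -f "$database" ]; then
        echo "$database not found; initialise the database first" >&2
        rm -f "$report"
        return 1
    fi

    if [ "$mode" = desktop ] && [ -f "$database_out" ]; then
        mv "$database_out" "$database"
    fi

    # as in the post: -u writes the current state to database_out,
    # --check produces the comparison report
    aide -u
    aide --check --verbose > "$report"

    case $(aide_report_status "$report") in
        clean)   echo "No difference found!" | mail -s "AIDE Report" "$ADDR" ;;
        changed) mail -s "AIDE Report: changes detected" "$ADDR" < "$report" ;;
        *)       echo "AIDE produced no report" | mail -s "AIDE Report: error" "$ADDR" ;;
    esac
    rm -f "$report"
}

# Constructed sample input so the helpers can be exercised without aide:
sample=$(mktemp -d)
cat > "$sample/aide.conf" <<'EOF'
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
EOF
printf 'AIDE found NO differences between database and filesystem. Looks okay!!\n' > "$sample/clean.txt"
echo "database     -> $(aide_db_path "$sample/aide.conf" database)"
echo "database_out -> $(aide_db_path "$sample/aide.conf" database_out)"
echo "clean report -> $(aide_report_status "$sample/clean.txt")"
rm -rf "$sample"
```

To use it as the cron job, end the file with `aide_daily server` (or `aide_daily desktop`), make it executable, and link it into /etc/cron.daily as the post describes. The design differs from the post's script in three places: the paths cannot drift apart from aide.conf; the report is written to a mktemp name rather than a fixed, predictable file in the world-writable /tmp; and in server mode the baseline is never touched, so a change keeps being reported every day until an administrator deliberately re-initialises the database, which is the behaviour you want on a production server.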