How to install and use AIDE Advanced Intrusion Detection Environment on CentOS 8

AIDE stands for “Advanced Intrusion Detection Environment” and is one of the most popular tools for monitoring file changes on Linux-based operating systems. It helps protect your system against malware and detects unauthorized activity. It works by creating a database (a snapshot) of the file system and later comparing the live system against that database to verify file integrity and detect intrusions. During incident response, AIDE reduces investigation time by pointing you directly at the files that changed.

Features

  • Supports various attributes including file type, inode, Uid, Gid, permissions, number of links, Mtime, Ctime and Atime.
  • Supports Gzip compression, SELinux, XAttrs, Posix ACL and extended file system attributes.
  • Ability to create and compare various message digest algorithms, including md5, sha1, sha256, sha512, rmd160, crc32, etc.
  • Ability to notify you via email.

In this tutorial, we will show you how to install and use AIDE to detect intrusions on CentOS 8.

Prerequisites

  • A CentOS 8 server running at least 2 GB of RAM.
  • A root password is configured on your server.

Getting Started

Before you start, it is a good idea to update your system's packages to their latest versions. Run the following command to update the system:

dnf update -y

After the system is updated, reboot so that the changes take effect.

Install AIDE

AIDE is available in the default CentOS 8 repository, so you can install it by simply running:

dnf install aide -y

After the installation is complete, you can check the installed version of AIDE using the following command:

aide --version

You should see the following output:

Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

You can also see all the options available with the aide command with:

aide --help

This prints the usage summary with every supported option.

Create and initialize the database

After installing AIDE, the first thing you need to do is initialize the database. Initialization creates a database (snapshot) of all the files and directories selected in the configuration.

Run the following command to initialize the database:

aide --init

You should see the following output:

Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==


End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)

The above command creates a new AIDE database named aide.db.new.gz in the /var/lib/aide directory. You can view it using:

ls -l /var/lib/aide

You should see the following output:

total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz

AIDE will not use the new database file until it is renamed to aide.db.gz. You can rename it using:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

It is recommended to update this database at regular intervals so that changes are always compared against a current baseline. You can also change the location of the AIDE database by editing the /etc/aide.conf file and modifying the DBDIR value.

Run an AIDE Check

At this point, AIDE is ready to use the new database. Now run the first AIDE check without having made any changes:

aide --check

This command takes some time depending on the size of your file system and the amount of RAM in your server. After the check is complete, you should see the following output:

Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

The output above shows that every file and directory matches the AIDE database.

Test AIDE

By default, AIDE is not configured to monitor the files and directories of the Apache default document root, /var/www/html. So you will need to configure AIDE to monitor the /var/www/html directory. You can do this by editing the file /etc/aide.conf:

nano /etc/aide.conf

Add the following line above the “/root/ CONTENT_EX” line:

/var/www/html/ CONTENT_EX

Save and close the file when you are finished.

Next, create the file aide.txt in the /var/www/html/ directory using the following command:

echo "Test AIDE" > /var/www/html/aide.txt

Now run an AIDE check and verify that it detects the newly created file:

aide --check

You should see the following output:

Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The above output shows that the AIDE check detected the newly created file aide.txt.

Next, once you have reviewed the changes reported by the check and confirmed they are expected, it is a good idea to update the AIDE database. You can use the following command to update it:

aide --update

After the database is updated, you should see the following output:

Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The above command creates a new database named aide.db.new.gz in the /var/lib/aide/ directory.

You can view it using:

ls -l /var/lib/aide/

You should see the following output:

total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz

Now rename the new database again so that AIDE uses it to track any further changes. You can use the following command to rename the database:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Now run the AIDE check again to confirm that AIDE is using the new database:

aide --check

You should see the following output:

Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

When you are done, you can proceed to the next step.

Automating AIDE Checks

It is a good idea to automate the AIDE check every day and have the report delivered by system mail. You can use a cron job to automate this process.

To do this, edit the system crontab as follows:

nano /etc/crontab

Add the following line at the end of the file to automatically perform AIDE checks at 10:15 AM every day:

15 10 * * * root /usr/sbin/aide --check

Save and close the file when you are finished.

Cron mails the output of each run to root, so you will now be notified of AIDE results via system mail.

You can check the system mail with the following command:

tail -f /var/mail/root

You can also check the AIDE logs using:

tail -f /var/log/aide/aide.log
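The crontab line above mails the raw aide output every day whether or not anything changed, and the database sections earlier rotate aide.db.new.gz into place by hand. As an added example (not part of the tutorial), the following script wraps the daily check: it keeps a dated report, parses the Summary block and the "f++++++++++++++++: /path" lines from the reports shown above, mails root only when AIDE's exit status reports a change, logs errors separately, and rotates the database with the same mv the tutorial uses. REPORT_DIR, MAILTO and the function names are the example's own choices; the paths are the tutorial's.

```shell
#!/bin/bash
# Added example, not from the tutorial: a cron-friendly wrapper for "aide --check"
# that keeps a dated report, parses the Summary block shown above, mails root only
# when something changed, and rotates the database the way the tutorial does by
# hand with mv. Paths are the tutorial's; REPORT_DIR and MAILTO are our choice.
# AIDE exit status: 0 = no changes; 1/2/4 = added/removed/changed, OR-ed together
# (so 1..7); 14 and above = an error, not a finding.
set -u
DBDIR=${DBDIR:-/var/lib/aide}
REPORT_DIR=${REPORT_DIR:-/var/log/aide}
MAILTO=${MAILTO:-root}
# Print "added removed changed" taken from the report's Summary block.
aide_summary_counts() {
    awk '/^  Added entries:/   {a=$3}
         /^  Removed entries:/ {r=$3}
         /^  Changed entries:/ {c=$3}
         END {printf "%d %d %d\n", a, r, c}' "$1"
}
# List paths under the "Added/Removed/Changed entries:" detail headers,
# i.e. lines like "f++++++++++++++++: /var/www/html/aide.txt".
aide_flagged_paths() {
    awk '/^(Added|Removed|Changed) entries:$/ {sect=1; next}
         /^Detailed information/ {sect=0}
         sect && match($0, /: \//) {print substr($0, RSTART+2)}' "$1"
}
# Classify an AIDE exit status as ok, changes or error.
aide_exit_class() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$1" -le 7 ]; then echo changes
    else echo error; fi
}
# Keep the old database under a timestamp, then promote aide.db.new.gz.
aide_rotate_db() {
    dir=${1:-$DBDIR}; stamp=${2:-$(date +%Y%m%d%H%M%S)}
    [ -f "$dir/aide.db.new.gz" ] || return 1
    [ -f "$dir/aide.db.gz" ] && mv "$dir/aide.db.gz" "$dir/aide.db.gz.$stamp"
    mv "$dir/aide.db.new.gz" "$dir/aide.db.gz"
}
# Daily job: run the check, keep the report, mail on changes, log errors.
aide_daily() {
    report=$REPORT_DIR/check-$(date +%F).txt
    /usr/sbin/aide --check >"$report" 2>&1; rc=$?
    case $(aide_exit_class "$rc") in
        changes) mail -s "AIDE: $(aide_summary_counts "$report") added/removed/changed" \
                      "$MAILTO" <"$report" ;;
        error)   logger -p authpriv.err "aide --check exited $rc, see $report" ;;
    esac
    return "$rc"
}
if [ "${1:-}" = run ]; then aide_daily; fi
```

Save it as, for example, /usr/local/sbin/aide-daily.sh and point the crontab line at "aide-daily.sh run"; after reviewing an aide --update report, calling aide_rotate_db replaces the manual mv step and keeps the previous database for comparison.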

Conclusion

In this tutorial, you learned how to use AIDE to track changes on a server and identify unauthorized access. You can modify the /etc/aide.conf file to monitor your application directories or adjust advanced settings. For security reasons, it is recommended to keep the AIDE database and configuration files on read-only media. For more information, see the AIDE documentation.