How to install and use AIDE Advanced Intrusion Detection Environment on CentOS 8
AIDE stands for “Advanced Intrusion Detection Environment” and it is one of the most popular tools for monitoring file changes on Linux-based operating systems. It helps you detect the traces left by malware, rootkits and unauthorized activity: it creates a database (a baseline snapshot) of the file system and later compares the live system against that database to verify file integrity and reveal intrusions. AIDE helps you reduce investigation time during incident response by focusing attention on the files that changed.
Features
- Monitors a wide range of attributes, including file type, inode, UID, GID, permissions, number of links, mtime, ctime and atime.
- Supports gzip compression, SELinux contexts, extended attributes (xattrs), POSIX ACLs and extended file system attributes.
- Can compute and compare file checksums with several message digest algorithms, including md5, sha1, sha256, sha512, rmd160, crc32 and others.
- Ability to notify you via email.
In this tutorial, we will show you how to install and use AIDE to detect intrusions on CentOS 8.
Prerequisites
- A CentOS 8 server running at least 2 GB of RAM.
- A root password is configured on your server.
Getting Started
Before you start, it is a good idea to update all installed packages to their latest versions. Run the following command to update the system:
dnf update -y
After the system is updated, restart to implement the changes.
Install AIDE
AIDE is available in the default CentOS 8 repositories, so you can install it by simply running:
dnf install aide -y
After the installation is complete, you can check the installed version of AIDE using the following command:
aide --version
You should see the following output:
Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"
You can also see all the options available with the aide command with:
aide --help
This prints a short description of every supported option.
Create and initialize the database
After installing AIDE, the first thing you need to do is initialize its database. Initialization creates a database (snapshot) of all files and directories covered by the rules in /etc/aide.conf.
Run the following command to initialize the database:
aide --init
You should see the following output:
Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:      49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==

End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)
The above command creates a new AIDE database, aide.db.new.gz, in the /var/lib/aide directory. You can view it using:
ls -l /var/lib/aide
You should see the following output:
total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz
AIDE will not use the new database file until it is renamed to aide.db.gz. You can rename it using:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
It is recommended to update this database on a regular schedule, and after every intended change to the system, so that the changes AIDE reports are only the ones you did not make yourself. You can also change the location of the AIDE database by editing the /etc/aide.conf file and modifying the DBDIR value.
Check AIDE
At this point, AIDE is ready to use the new database. Now, run the first AIDE check without making any changes:
aide --check
This command will take some time depending on your file system size and the amount of RAM in your server. After the AIDE check is complete, you should see the following output:
Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
The output above shows that each file and directory matches the AIDE database.
Test AIDE
By default, AIDE is not configured to monitor the files and directories in the Apache default document root, /var/www/html. So you will need to configure AIDE to monitor the /var/www/html directory. You can do this by editing the /etc/aide.conf file:
nano /etc/aide.conf
Add the following line above the “/root/ CONTENT_EX” line:
/var/www/html/ CONTENT_EX
Save and close the file when you are finished.
Next, create the aide.txt file in the /var/www/html/ directory using the following command:
echo "Test AIDE" > /var/www/html/aide.txt
Now, run the AIDE check again and verify that it detects the newly created file:
aide --check
You should see the following output:
Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      49475
  Added entries:                1
  Removed entries:              0
  Changed entries:              0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt
The above output shows that the AIDE check detected the newly created file aide.txt.
Once you have reviewed the changes AIDE reported and confirmed they are legitimate, it is a good idea to update the AIDE database so that those files become part of the baseline. You can use the following command to update the AIDE database:
aide --update
After the database is updated, you should see the following output:
Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:      49475
  Added entries:                1
  Removed entries:              0
  Changed entries:              0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt
The above command creates a new database named aide.db.new.gz in the /var/lib/aide/ directory.
You can view it using:
ls -l /var/lib/aide/
You should see the following output:
total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz
Now, rename the new database again so that AIDE uses it as the baseline for tracking further changes. You can use the following command to rename the database:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Now, run the AIDE check again to confirm that AIDE is using the new database:
aide --check
You should see the following output:
Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
When you are done, you can proceed to the next step.
Automate the AIDE check
It is a good idea to run the AIDE check automatically every day and have the report mailed to the root user. You can use a cron job to automate this process.
To do this, edit the system crontab as follows:
nano /etc/crontab
Add the following line at the end of the file to automatically perform AIDE checks at 10:15 AM every day:
15 10 * * * root /usr/sbin/aide --check
Save and close the file when you are finished.
Because cron mails the output of every job to its owner, the AIDE report will now arrive in root's system mailbox after each run.
You can check the system mail with the following command:
tail -f /var/mail/root
You can also check the AIDE logs using:
tail -f /var/log/aide/aide.log
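The database rotation above (aide --init or aide --update, then the mv to aide.db.gz) and the cron job just described share one weakness: anyone who can write to /var/lib/aide can rewrite the baseline so that the next check reports nothing. The wrapper script below is an added example for this tutorial; it is not part of AIDE and not code from the original page. It records a SHA-256 of the database at the moment you accept it, refuses to run the check if that sum no longer matches, interprets AIDE's exit status (bit values 1, 2 and 4 for added, removed and changed entries, and 14 or higher for errors, as documented in aide(1) for AIDE 0.16), extracts the counts and the flagged paths from the report, and prints output only when there is something to report, so cron mails root only on findings. The checksum path /var/lib/aide/aide.db.gz.sha256 and the script name aide-check.sh are this example's own choices, and the report embedded at the bottom is constructed in the layout of the output shown earlier, not real output.

```shell
#!/bin/sh
# Added example, not part of AIDE or of the original tutorial.
# Cron wrapper for "aide --check": checks that the baseline database is the
# one that was accepted, interprets AIDE's exit status, and stays silent on
# a clean run so cron only mails root when there is something to report.
# Assumed: exit bits 1 added / 2 removed / 4 changed, >= 14 error (aide(1),
# AIDE 0.16); the .sha256 path below is this example's own choice.

AIDE_BIN=/usr/sbin/aide
AIDE_DB=/var/lib/aide/aide.db.gz
AIDE_DB_SUM=/var/lib/aide/aide.db.gz.sha256   # hypothetical location

# Record the SHA-256 of the database you have just accepted (run right after
# the mv to aide.db.gz). Keep a copy of this file off the host if you can.
record_baseline() {
    sha256sum "${1:-$AIDE_DB}" > "${2:-$AIDE_DB_SUM}"
}

# Succeed only if the database still matches the recorded sum.
verify_baseline() {
    [ -r "${1:-$AIDE_DB_SUM}" ] || return 1
    sha256sum -c --status "${1:-$AIDE_DB_SUM}"
}

# Translate AIDE's exit status into words.
aide_status_text() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "no changes"
    elif [ "$code" -ge 14 ]; then
        echo "error (exit $code)"
    else
        out=""
        if [ $((code & 1)) -ne 0 ]; then out="${out}added "; fi
        if [ $((code & 2)) -ne 0 ]; then out="${out}removed "; fi
        if [ $((code & 4)) -ne 0 ]; then out="${out}changed "; fi
        echo "${out% }"
    fi
}

# Print "added removed changed" counts from the Summary block of a report.
# The later "Added entries:" section header carries no number, so only
# lines whose third field is numeric are used.
aide_report_counts() {
    awk '/^ *Added entries:/   && $3 ~ /^[0-9]+$/ { a = $3 }
         /^ *Removed entries:/ && $3 ~ /^[0-9]+$/ { r = $3 }
         /^ *Changed entries:/ && $3 ~ /^[0-9]+$/ { c = $3 }
         END { printf "%d %d %d\n", a, r, c }' "$1"
}

# Print the paths AIDE flagged. Entry lines start with a lowercase file-type
# letter (f, d, l, ...), then attribute flags, then ": /path"; the "File:"
# lines of the detailed section start uppercase and are skipped.
aide_report_paths() {
    sed -n 's/^[a-z].*: \(\/.*\)$/\1/p' "$1"
}

# Cron entry point. Silent on a clean run; exits with AIDE's own status.
run_check() {
    if ! verify_baseline; then
        echo "AIDE baseline $AIDE_DB does not match $AIDE_DB_SUM; not running check"
        return 99   # outside AIDE's range, so never mistaken for a finding
    fi
    report=$(mktemp)
    if "$AIDE_BIN" --check > "$report" 2>&1; then rc=0; else rc=$?; fi
    if [ "$rc" -ne 0 ]; then
        echo "AIDE on $(hostname): $(aide_status_text "$rc"); added/removed/changed = $(aide_report_counts "$report")"
        aide_report_paths "$report"
        cat "$report"
    fi
    rm -f "$report"
    return "$rc"
}

# Constructed report in AIDE 0.16's layout (not real output), for testing.
sample_report() {
    cat <<'EOF'
Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      49475
  Added entries:                1
  Removed entries:              0
  Changed entries:              1

---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /var/www/html/aide.txt

---------------------------------------------------
Changed entries:
---------------------------------------------------
f   ...    .C... : /etc/hosts
EOF
}

case "${1:-}" in
    record) record_baseline ;;
    run)    run_check ;;
esac
```

Install it as, for example, /usr/local/sbin/aide-check.sh, run `aide-check.sh record` each time you accept a new database, and use `15 10 * * * root /usr/local/sbin/aide-check.sh run` as the crontab line instead of calling aide directly. The baseline check is only as strong as the place the .sha256 file lives: an attacker who can rewrite the database can usually rewrite a sum stored beside it, so keep a copy off the host or on read-only media.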
Conclusion
In the above tutorial, you learned how to use AIDE to track changes on a server and detect unauthorized access to it. You can edit the /etc/aide.conf file to monitor your application directories or to adjust the advanced settings. For security reasons, it is recommended to keep the AIDE database and configuration files on read-only media. For more information, refer to the AIDE documentation.