How to Install AIDE on CentOS 7

AIDE otherwise called as Advanced Intrusion Detection Environment. AIDE is one of the most popular tools for monitoring the server changes in a LINUX based system. It is used as a files/folders integrity checker. The installation of this Software is much simple. This is originally written by Rami Lehti and Pablo Virolainen in 1999. The system check is initialized by database. This database is created from a regular expresssion rules in the configuration files. Once the database is initialized, it can be further used to verify the server integrity. Several digest algorithms are incorporated to serve this purpose. It can be also used to check the file attributes for inconsistencies.

MAIN features:

  • Support several digest algorithms like md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool and several others
  • Support file attributes like file type, permissions, Inode, Uid, Gid, Link name, Size, Block count, Number of links, Mtime, Ctime and Atime
  • Supports Posix ACL, SELinux, XAttrs and Extended file system attributes
  • Support regular expression to include or exclude files/directories selectively.
  • Support GZIP database compression.
  • Standalone Static binary for easy client/server monitoring configurations.

In this article, I'm discussing about installing and configuring the current stable version 0.15.1 of AIDE on a CentOS 7 server. Let's walk through the procedures.

Step 1: Installation

We can use yum command to install the AIDE software.

[[email protected] ~]# yum install aide
Loaded plugins: fastestmirror

Dependencies Resolved

===============================================================================================================================================
Package Arch Version Repository Size
===============================================================================================================================================
Installing:
aide x86_64 0.15.1-9.el7 base 129 k

Transaction Summary
===============================================================================================================================================
Install 1 Package

Total download size: 129 k
Installed size: 304 k

Step 2: Check and verify the AIDE version

We can run this command to confirm the AIDE version and locate the configuration file.

[[email protected] ~]# aide -v
Aide 0.15.1

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

Step 3: Create the database

Once the installation of the AIDE is done, we need to create the primary database which is initialized from the set of rules/expressions in the configuration files.

[[email protected][[email protected] ~]# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
server1 ~]# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

Once the database is created, you can move it to orginal one by re-naming it to make the AIDE work.

[email protected] ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[root[email protected] ~]# cd /var/lib/aide
[[email protected] aide]# ls
aide.db.gz
[[email protected] aide]#
[[email protected] aide]#
[[email protected] aide]# ls -lt
total 2136
-rw------- 1 root root 2186673 Apr 1 04:09 aide.db.gz

Step 4: Run the AIDE check

[[email protected] aide]# aide --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

Step 5 : Confirm its functionality and create an updated AIDE database

Create a binary file manually and check if AIDE detects that.

[email protected] aide]# touch /usr/sbin/testbinary
[[email protected] aide]#
[[email protected] aide]#
[[email protected] aide]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-04-01 04:14:10

Summary:
Total number of files: 23028
Added files: 1
Removed files: 0
Changed files: 1
---------------------------------------------------
Added files:
---------------------------------------------------

added: /usr/sbin/testbinary

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /usr/sbin

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /usr/sbin
Mtime : 2016-04-01 03:42:47 , 2016-04-01 04:14:03
Ctime : 2016-04-01 03:42:47 , 2016-04-01 04:14:03

We can verify the presence of the new file from the AIDE check reports. We can even identify any file attribute changes too from these checks.
Once we've reviewed these changes, it is always better to update the aide database so that it's not reported again on the next AIDE check.

[[email protected] aide]# aide --update
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-04-01 04:15:21

Summary:
Total number of files: 23028
Added files: 1
Removed files: 0
Changed files: 1
---------------------------------------------------
Added files:
---------------------------------------------------

added: /usr/sbin/testbinary

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /usr/sbin

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

It is always advised to keep the old AIDE database untouched and re-name the updated database on daily basics to keep track.

[[email protected] tmp]# cd /var/lib/aide/
[email protected] aide]# ls
aide.db.gz aide.db.new.gz
[[email protected] aide]# mv aide.db.gz aide.db.gz-Apr012016
[[email protected] aide]# mv aide.db.new.gz aide.db.gz

These processes are rather tedious to check each time and re-name the database, we can use some scripts to update these settings.

Step 6 : Set cronjob to run AIDE check and report automatically

I create a cron to automatically initiate AIDE check to confirm my server integrity and report me on daily basis. Please see my script details below:

[[email protected] cron]# crontab -l
00 01 * * 0-6 /var/log/aide/aidechk.sh

[[email protected] cron]# systemctl restart crond.service
[[email protected] cron]#
[[email protected] cron]# systemctl status crond.service
crond.service - Command Scheduler
Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled)
Active: active (running) since Fri 2016-04-01 04:28:22 UTC; 8s ago
Main PID: 12378 (crond)
CGroup: /system.slice/crond.service
└─12378 /usr/sbin/crond -n

Apr 01 04:28:22 server1.centos7-test.com systemd[1]: Started Command Scheduler.
Apr 01 04:28:22 server1.centos7-test.com crond[12378]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 98% if used.)
Apr 01 04:28:22 server1.centos7-test.com crond[12378]: (CRON) INFO (running with inotify support)
Apr 01 04:28:22 server1.centos7-test.com crond[12378]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
[[email protected] cron]#

[email protected] tmp]# cat /var/log/aide/aidechk.sh

#!/bin/sh
#aide check - SShameer
DATE=`date +%Y-%m-%d`
echo $DATE
REPORT="Aide-"$DATE.txt
echo $REPORT
echo "System check !! `date`" > /tmp/$REPORT
aide --check > /tmp/aidecheck.txt
cat /tmp/aidecheck.txt|/bin/grep -v failed >> /tmp/$REPORT
echo "**************************************" >> /tmp/$REPORT
tail -20 /tmp/aidecheck.txt >> /tmp/$REPORT
echo "****************DONE******************" >> /tmp/$REPORT
mail -s "$REPORT `date`" [email protected] < /tmp/$REPORT

Install the mailx command or mail utilities to enhance the emailing, if it isn't present. As per our script, the report will be regenerated on /tmp with the time stamp and will be emailed to us on a daily basis. Please see one of my sample report format below:

[email protected] tmp]# cat Aide-2016-04-01.txt
System check !! Fri Apr 1 05:04:40 UTC 2016
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-04-01 05:04:40

Summary:
Total number of files: 23043
Added files: 15
Removed files: 0
Changed files: 4
---------------------------------------------------
Added files:
---------------------------------------------------

added: /etc/mail.rc
added: /usr/bin/Mail
added: /usr/bin/mail
added: /usr/bin/mailx
added: /usr/bin/nail
added: /usr/share/doc/mailx-12.5
added: /usr/share/doc/mailx-12.5/AUTHORS
added: /usr/share/doc/mailx-12.5/COPYING
added: /usr/share/doc/mailx-12.5/README
added: /usr/share/man/man1/Mail.1.gz
added: /usr/share/man/man1/mail.1.gz
added: /usr/share/man/man1/mailx.1.gz
added: /usr/share/man/man1/nail.1.gz
added: /var/log/aide/aidechk.sh
added: /var/spool/cron/root

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root
changed: /usr/bin
changed: /usr/share/doc
changed: /usr/share/man/man1

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /root
Mtime : 2014-07-07 21:41:51 , 2016-04-01 05:02:57
Ctime : 2014-07-07 21:41:51 , 2016-04-01 05:02:57

Directory: /usr/bin
Mtime : 2014-10-21 14:33:45 , 2016-04-01 05:04:29
Ctime : 2014-10-21 14:33:45 , 2016-04-01 05:04:29

Directory: /usr/share/doc
Mtime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
Ctime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
Linkcount: 240 , 241

Directory: /usr/share/man/man1
Mtime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
Ctime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
**************************************
Detailed information about changes:
---------------------------------------------------
Directory: /root
Mtime : 2014-07-07 21:41:51 , 2016-04-01 05:02:57
Ctime : 2014-07-07 21:41:51 , 2016-04-01 05:02:57

Directory: /usr/bin
Mtime : 2014-10-21 14:33:45 , 2016-04-01 05:04:29
Ctime : 2014-10-21 14:33:45 , 2016-04-01 05:04:29

Directory: /usr/share/doc
Mtime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
Ctime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
Linkcount: 240 , 241

Directory: /usr/share/man/man1
Mtime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
Ctime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
****************DONE******************

We can also modify the AIDE configuration file /etc/aide.conf for advanced settings. But the default configuration is almost worthwhile and good to go.

This is how we can make use of AIDE to understand the server changes and identify the unauthorized access to our server which can be either through some malicious contents or by human intervention. I hope this article is useful for you! I would recommend your valuable suggestions and recommendations on this.

Thank you! Have a Good day :)

Saheetha Shameer 3:00 am

About Saheetha Shameer

I’m working as a Senior System Administrator. I’m a quick learner and have a slight inclination towards following the current and emerging trends in the industry. My hobbies include hearing music, playing strategy computer games, reading and gardening. I also have a high passion for experimenting with various culinary delights :-)

Author Archive Page

Have anything to say?

Your email address will not be published. Required fields are marked *

All comments are subject to moderation.