How to Install AIDE on CentOS 7

April 28, 2016 | By
| Reply More

AIDE otherwise called as Advanced Intrusion Detection Environment. AIDE is one of the most popular tools for monitoring the server changes in a LINUX based system. It is used as a files/folders integrity checker. The installation of this Software is much simple. This is originally written by Rami Lehti and Pablo Virolainen in 1999. The system check is initialized by database. This database is created from a regular expresssion rules in the configuration files. Once the database is initialized, it can be further used to verify the server integrity. Several digest algorithms are incorporated to serve this purpose. It can be also used to check the file attributes for inconsistencies.

MAIN features:

  • Support several digest algorithms like md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool and several others
  • Support file attributes like file type, permissions, Inode, Uid, Gid, Link name, Size, Block count, Number of links, Mtime, Ctime and Atime
  • Supports Posix ACL, SELinux, XAttrs and Extended file system attributes
  • Support regular expression to include or exclude files/directories selectively.
  • Support GZIP database compression.
  • Standalone Static binary for easy client/server monitoring configurations.

In this article, I'm discussing about installing and configuring the current stable version 0.15.1 of AIDE on a CentOS 7 server. Let's walk through the procedures.

Step 1: Installation

We can use yum command to install the AIDE software.

[root@server1 ~]# yum install aide
Loaded plugins: fastestmirror

Dependencies Resolved

===============================================================================================================================================
Package Arch Version Repository Size
===============================================================================================================================================
Installing:
aide x86_64 0.15.1-9.el7 base 129 k

Transaction Summary
===============================================================================================================================================
Install 1 Package

Total download size: 129 k
Installed size: 304 k

Step 2: Check and verify the AIDE version

We can run this command to confirm the AIDE version and locate the configuration file.

[root@server1 ~]# aide -v
Aide 0.15.1

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

Step 3: Create the database

Once the installation of the AIDE is done, we need to create the primary database which is initialized from the set of rules/expressions in the configuration files.

[root@[root@server1 ~]# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
server1 ~]# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

Once the database is created, you can move it to orginal one by re-naming it to make the AIDE work.

root@server1 ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[root@server1 ~]# cd /var/lib/aide
[root@server1 aide]# ls
aide.db.gz
[root@server1 aide]#
[root@server1 aide]#
[root@server1 aide]# ls -lt
total 2136
-rw------- 1 root root 2186673 Apr 1 04:09 aide.db.gz

Step 4: Run the AIDE check

[root@server1 aide]# aide --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

Step 5 : Confirm its functionality and create an updated AIDE database

Create a binary file manually and check if AIDE detects that.

root@server1 aide]# touch /usr/sbin/testbinary
[root@server1 aide]#
[root@server1 aide]#
[root@server1 aide]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-04-01 04:14:10

Summary:
Total number of files: 23028
Added files: 1
Removed files: 0
Changed files: 1
---------------------------------------------------
Added files:
---------------------------------------------------

added: /usr/sbin/testbinary

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /usr/sbin

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /usr/sbin
Mtime : 2016-04-01 03:42:47 , 2016-04-01 04:14:03
Ctime : 2016-04-01 03:42:47 , 2016-04-01 04:14:03

We can verify the presence of the new file from the AIDE check reports. We can even identify any file attribute changes too from these checks.
Once we've reviewed these changes, it is always better to update the aide database so that it's not reported again on the next AIDE check.

[root@server1 aide]# aide --update
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-04-01 04:15:21

Summary:
Total number of files: 23028
Added files: 1
Removed files: 0
Changed files: 1
---------------------------------------------------
Added files:
---------------------------------------------------

added: /usr/sbin/testbinary

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /usr/sbin

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

It is always advised to keep the old AIDE database untouched and re-name the updated database on daily basics to keep track.

[root@server1 tmp]# cd /var/lib/aide/
root@server1 aide]# ls
aide.db.gz aide.db.new.gz
[root@server1 aide]# mv aide.db.gz aide.db.gz-Apr012016
[root@server1 aide]# mv aide.db.new.gz aide.db.gz

These processes are rather tedious to check each time and re-name the database, we can use some scripts to update these settings.

Step 6 : Set cronjob to run AIDE check and report automatically

I create a cron to automatically initiate AIDE check to confirm my server integrity and report me on daily basis. Please see my script details below:

[root@server1 cron]# crontab -l
00 01 * * 0-6 /var/log/aide/aidechk.sh

[root@server1 cron]# systemctl restart crond.service
[root@server1 cron]#
[root@server1 cron]# systemctl status crond.service
crond.service - Command Scheduler
Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled)
Active: active (running) since Fri 2016-04-01 04:28:22 UTC; 8s ago
Main PID: 12378 (crond)
CGroup: /system.slice/crond.service
└─12378 /usr/sbin/crond -n

Apr 01 04:28:22 server1.centos7-test.com systemd[1]: Started Command Scheduler.
Apr 01 04:28:22 server1.centos7-test.com crond[12378]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 98% if used.)
Apr 01 04:28:22 server1.centos7-test.com crond[12378]: (CRON) INFO (running with inotify support)
Apr 01 04:28:22 server1.centos7-test.com crond[12378]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
[root@server1 cron]#

root@server1 tmp]# cat /var/log/aide/aidechk.sh

#!/bin/sh
#aide check - SShameer
DATE=`date +%Y-%m-%d`
echo $DATE
REPORT="Aide-"$DATE.txt
echo $REPORT
echo "System check !! `date`" > /tmp/$REPORT
aide --check > /tmp/aidecheck.txt
cat /tmp/aidecheck.txt|/bin/grep -v failed >> /tmp/$REPORT
echo "**************************************" >> /tmp/$REPORT
tail -20 /tmp/aidecheck.txt >> /tmp/$REPORT
echo "****************DONE******************" >> /tmp/$REPORT
mail -s "$REPORT `date`" sshameer@gmail.com < /tmp/$REPORT

Install the mailx command or mail utilities to enhance the emailing, if it isn't present. As per our script, the report will be regenerated on /tmp with the time stamp and will be emailed to us on a daily basis. Please see one of my sample report format below:

root@server1 tmp]# cat Aide-2016-04-01.txt
System check !! Fri Apr 1 05:04:40 UTC 2016
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-04-01 05:04:40

Summary:
Total number of files: 23043
Added files: 15
Removed files: 0
Changed files: 4
---------------------------------------------------
Added files:
---------------------------------------------------

added: /etc/mail.rc
added: /usr/bin/Mail
added: /usr/bin/mail
added: /usr/bin/mailx
added: /usr/bin/nail
added: /usr/share/doc/mailx-12.5
added: /usr/share/doc/mailx-12.5/AUTHORS
added: /usr/share/doc/mailx-12.5/COPYING
added: /usr/share/doc/mailx-12.5/README
added: /usr/share/man/man1/Mail.1.gz
added: /usr/share/man/man1/mail.1.gz
added: /usr/share/man/man1/mailx.1.gz
added: /usr/share/man/man1/nail.1.gz
added: /var/log/aide/aidechk.sh
added: /var/spool/cron/root

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root
changed: /usr/bin
changed: /usr/share/doc
changed: /usr/share/man/man1

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /root
Mtime : 2014-07-07 21:41:51 , 2016-04-01 05:02:57
Ctime : 2014-07-07 21:41:51 , 2016-04-01 05:02:57

Directory: /usr/bin
Mtime : 2014-10-21 14:33:45 , 2016-04-01 05:04:29
Ctime : 2014-10-21 14:33:45 , 2016-04-01 05:04:29

Directory: /usr/share/doc
Mtime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
Ctime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
Linkcount: 240 , 241

Directory: /usr/share/man/man1
Mtime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
Ctime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
**************************************
Detailed information about changes:
---------------------------------------------------
Directory: /root
Mtime : 2014-07-07 21:41:51 , 2016-04-01 05:02:57
Ctime : 2014-07-07 21:41:51 , 2016-04-01 05:02:57

Directory: /usr/bin
Mtime : 2014-10-21 14:33:45 , 2016-04-01 05:04:29
Ctime : 2014-10-21 14:33:45 , 2016-04-01 05:04:29

Directory: /usr/share/doc
Mtime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
Ctime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
Linkcount: 240 , 241

Directory: /usr/share/man/man1
Mtime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
Ctime : 2016-04-01 03:42:47 , 2016-04-01 05:04:29
****************DONE******************

We can also modify the AIDE configuration file /etc/aide.conf for advanced settings. But the default configuration is almost worthwhile and good to go.

This is how we can make use of AIDE to understand the server changes and identify the unauthorized access to our server which can be either through some malicious contents or by human intervention. I hope this article is useful for you! I would recommend your valuable suggestions and recommendations on this.

Thank you! Have a Good day :)

Filed Under : MONITORING, OPEN SOURCE TOOLS

Free Linux Ebook to Download

Leave a Reply

All comments are subject to moderation.