
How to Install AIDE on Ubuntu 16.04

In this tutorial, we will be installing and configuring AIDE on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 server.

By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud's incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

AIDE (Advanced Intrusion Detection Environment) is a free, open-source and powerful file and directory integrity checker that uses predefined rules to check file and directory integrity on Unix-like operating systems. AIDE works by taking a snapshot of the state of the system, recording hashes, modification times, inode numbers, user, group, file size and other data for the files defined by the administrator. This snapshot is used to build a database. When you run an integrity test, AIDE compares the database against the current state of the system. If anything has changed between the snapshot creation and the test, AIDE detects it and reports it to you. AIDE is a host-based IDS, which means it scans the filesystem and logs the attributes of important files, directories, and devices.

Requirements

  • A fresh Alibaba Cloud Ubuntu 16.04 instance.
  • A root password set up on your instance.

Launch Alibaba Cloud ECS Instance

First, log in to your Alibaba Cloud ECS Console. Create a new ECS instance, choosing Ubuntu 16.04 as the operating system with at least 2GB RAM. Connect to your ECS instance and log in as the root user.

Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

apt-get update -y

Install AIDE

AIDE is available in the default Ubuntu 16.04 repository. You can install it by running the following command:

apt-get install aide -y

Once AIDE has been installed, you can verify the AIDE version using the following command:

aide -v

You should see the following output:

Aide 0.16a2-19-g16ed855

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
WITH_AUDIT
CONFIG_FILE = "/dev/null"

You can also run the aide --help command to list all the options available with AIDE:

aide --help

You should see the following output:

Aide 0.16a2-19-g16ed855 

Usage: aide [options] command

Commands:
  -i, --init        Initialize the database
  -C, --check        Check the database
  -u, --update        Check and update the database non-interactively
  -E, --compare        Compare two databases

Miscellaneous:
  -D, --config-check    Test the configuration file
  -v, --version        Show version of AIDE and compilation options
  -h, --help        Show this help message

Options:
  -c [cfgfile]    --config=[cfgfile]    Get config options from [cfgfile]
  -B "OPTION"    --before="OPTION"    Before configuration file is read define OPTION
  -A "OPTION"    --after="OPTION"    After configuration file is read define OPTION
  -r [reporter]    --report=[reporter]    Write report output to [reporter] url
  -V[level]    --verbose=[level]    Set debug message level to [level]

The AIDE default configuration file is located at /etc/aide/aide.conf. You can define the database location, rules, directories and files to be included in the database using this file.

Initialize the AIDE Database

You can initialize the AIDE database using the aideinit command. By default, the aideinit command checks only the set of directories and files defined in the /etc/aide/aide.conf file. You can also include or exclude additional directories or files in the AIDE database by editing the /etc/aide/aide.conf file as needed.

Let's start by generating a database from the default AIDE configuration file with the following command:

aideinit

This command will create a database of all of the files that you selected in the configuration file:

Running aide --init...

AIDE 0.16a2-19-g16ed855 initialized AIDE database at /var/lib/aide/aide.db.new
Start timestamp: 2018-10-26 13:55:24 +0530
Verbose level: 6

Number of entries:    106121

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new
  RMD160   : 50sFdIM75d6BdpLLWOElGFGe4l8=
  TIGER    : 4yo3X/K1yKiTG4S949Q0HVyyUoKpaZ6S
  SHA256   : mOPM3QgWEj/Qf6YPSfEMgAxnUR25EnwV
             YS9tj1orSjE=
  SHA512   : R1PMjSwyCo/Mrxsl2VYJmPkQifMFCCsu
             47ENh6aeti/9uG+VTL4N8Jr/ZFqQCEGk
             I9rMIhyvHj7KgItXXtkYcA==
  CRC32    : qg0IOg==
  HAVAL    : eGIq1QLfp+cJF4p6M0t5Rhsq8RAne2dk
             r83W4WQEWNM=
  GOST     : nGcToJbKzp+RcA9F9N1sQ1ai6liqkTuU
             2Cv0akkfVy0=


End timestamp: 2018-10-26 14:10:52 +0530 (run time: 15m 28s)

After initializing the database, move the newly created database into place as the active database:

mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Run AIDE Integrity Check

After creating the database, you will need to check the integrity of the files and directories. You can do this by running the following command:

aide -c /etc/aide/aide.conf --check

This command reads the snapshot from the database and compares it to the current filesystem state. If it finds any changes between them, it generates a report.

WARNING: Old db contains a entry that shouldn't be there, run --init or --update
AIDE 0.16a2-19-g16ed855 found NO differences between database and filesystem. Looks okay!!
Start timestamp: 2018-10-26 15:58:22 +0530
Verbose level: 6

Number of entries:    0

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
  RMD160   : gjtiL04CMVHcaPXwL1b3cwWD7c8=
  TIGER    : HxjPwn6jF9whYglTGi7gvd5fLjSIRvSy
  SHA256   : 6BPVFAjo/FrhcEwAgLTFG65NRPwQaWVi
             j9YW6MD7Ef8=
  SHA512   : 6eZC1+RlI3VIethVTEbFgTwh9mITwStK
             6BjzWQn7Wj6WsbAc/sGSmbiSRlC9xar5
             0nH9YSaxkFI36hng+UF94Q==
  CRC32    : nJvZRg==
  HAVAL    : jEZQmafv5tWiF2p7rvyvDLeA/4tmK5dh
             rVshQWdqVx0=
  GOST     : /ePMms8ANBSPynGCzAw1Vj+J3fF6sAMA
             n/9U+gabMx8=


End timestamp: 2018-10-26 15:58:22 +0530 (run time: 0m 0s)
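
For scheduled runs, the exit status of aide --check is easier to act on than the report text, and a check is only as trustworthy as the database it reads. The script below is an added example, not part of the original tutorial: it verifies a SHA-256 digest of the baseline before checking and decodes the exit status documented in aide(1). The function names and the digest reference file are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): guard an AIDE check for scheduled use.
# Function names and the digest reference file are assumptions.

# verify_db DB REF: succeed only if sha256(DB) equals the digest stored in REF.
# REF holds sha256sum output and should live off-host or on read-only media.
verify_db() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    have=$(sha256sum "$1" | awk '{print $1}')
    want=$(awk '{print $1; exit}' "$2")
    [ -n "$want" ] && [ "$have" = "$want" ]
}

# describe_status CODE: decode the exit status of aide --check / --update.
# Per aide(1): 1 = new files, 2 = removed files, 4 = changed files (summed);
# 14-19 are errors (write, argument, unimplemented, config, I/O, version).
describe_status() {
    code=$1
    if [ "$code" -eq 0 ]; then echo "clean"; return 0; fi
    if [ "$code" -ge 14 ]; then echo "error:$code"; return 0; fi
    out=""
    [ $((code & 1)) -ne 0 ] && out="$out added"
    [ $((code & 2)) -ne 0 ] && out="$out removed"
    [ $((code & 4)) -ne 0 ] && out="$out changed"
    [ -n "$out" ] || out=" unknown:$code"
    echo "${out# }"
}

# guarded_check DB REF: refuse to check against an unverified baseline.
# DB must be the database path that the configuration file points at.
guarded_check() {
    if ! verify_db "$1" "$2"; then
        echo "baseline untrusted: $1" >&2
        return 1
    fi
    status=0
    aide -c /etc/aide/aide.conf --check || status=$?
    describe_status "$status"
}
```

Record the reference digest with sha256sum immediately after moving aide.db.new into place, and again each time you accept an updated database.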

Test AIDE

Before testing AIDE, you will need to create a new AIDE configuration file. You can do this with the following command:

update-aide.conf

Next, copy the updated AIDE configuration file to the /etc/aide directory with the following command:

cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf

Now, let's create some files and directories in the filesystem with the following commands:

touch /etc/start.sh
touch /root/file1
touch /root/file2
mkdir /root/dir1
mkdir /root/dir2

Now, run AIDE check to detect newly created files and directories using the following command:

aide -c /etc/aide/aide.conf --check

You should see the newly created files and directories in the following output:

AIDE 0.16a2-19-g16ed855 found differences between database and filesystem!!
Start timestamp: 2018-10-26 16:08:33 +0530
Verbose level: 6

Summary:
  Total number of entries:    96090
  Added entries:        7
  Removed entries:        9
  Changed entries:        18

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/start.sh
f++++++++++++++++: /root/aide.conf
d++++++++++++++++: /root/dir1
d++++++++++++++++: /root/dir2
f++++++++++++++++: /root/file1
f++++++++++++++++: /root/file2
f++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------

After reviewing the changes, it is recommended to update the AIDE database so that they are not reported again on the next AIDE check. You can update the database with the following command:

aide -c /etc/aide/aide.conf --update

Output:

AIDE 0.16a2-19-g16ed855 found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new
Start timestamp: 2018-10-26 16:43:36 +0530
Verbose level: 6

Summary:
  Total number of entries:    96099
  Added entries:        16
  Removed entries:        9
  Changed entries:        19

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/start.sh
f++++++++++++++++: /root/aide.conf
d++++++++++++++++: /root/dir1
d++++++++++++++++: /root/dir2
f++++++++++++++++: /root/file1
f++++++++++++++++: /root/file2
f++++++++++++++++: /run/systemd/sessions/9
F++++++++++++++++: /run/systemd/sessions/9.ref
d++++++++++++++++: /run/systemd/system/session-9.scope.d
f++++++++++++++++: /run/systemd/system/session-9.scope.d/50-After-systemd-logind\x2eservice.conf
f++++++++++++++++: /run/systemd/system/session-9.scope.d/50-After-systemd-user-sessions\x2eservice.conf
f++++++++++++++++: /run/systemd/system/session-9.scope.d/50-Description.conf
f++++++++++++++++: /run/systemd/system/session-9.scope.d/50-SendSIGHUP.conf
f++++++++++++++++: /run/systemd/system/session-9.scope.d/50-Slice.conf
f++++++++++++++++: /run/systemd/system/session-9.scope.d/50-TasksMax.conf
f++++++++++++++++: /var/lib/aide/aide.db

Next, replace the original database with the newly created one using the following command:

cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Next, update the AIDE configuration file with the following command:

update-aide.conf
cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
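
Accepting aide.db.new makes every reported change part of the baseline, so the "Added entries" section is worth triaging first. The script below is an added example, not part of the original tutorial: it lists added paths that fall outside volatile locations such as the /run/systemd session files seen in the output above. The function names, the default prefix list and the sample report (constructed, abbreviated from the format shown above) are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): triage the "Added entries" section of
# an AIDE report before accepting aide.db.new as the baseline.
# Function names and the default volatile-prefix list are assumptions.

# unexpected_added REPORT [PREFIX...]: print added paths not under any PREFIX.
unexpected_added() {
    report=$1; shift
    prefixes=${*:-/run/}
    awk -v prefixes="$prefixes" '
        BEGIN { n = split(prefixes, p, " ") }
        /^Added entries:[ \t]*$/ { insec = 1; next }
        /^(Removed|Changed) entries:[ \t]*$/ { insec = 0 }
        insec && /^[A-Za-z][+]+: / {
            path = $0
            sub(/^[A-Za-z][+]+: /, "", path)
            for (i = 1; i <= n; i++)
                if (index(path, p[i]) == 1) next   # under a volatile prefix
            print path
        }' "$report"
}

# sample_report: constructed report, abbreviated from the format shown above.
sample_report() {
    cat <<'EOF'
Summary:
  Total number of entries:    96099
  Added entries:        5

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/start.sh
d++++++++++++++++: /root/dir1
f++++++++++++++++: /run/systemd/sessions/9
F++++++++++++++++: /run/systemd/sessions/9.ref
f++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------
Removed entries:
---------------------------------------------------
EOF
}

# Demo: list the entries that need a human decision before the cp above.
tmp=$(mktemp) && sample_report > "$tmp" && unexpected_added "$tmp"; rm -f "$tmp"
```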

Conclusion

Congratulations! You have successfully installed AIDE on an Ubuntu 16.04 server. I hope you can now easily use AIDE to understand changes on your server and identify unauthorized access to it. You can also use the advanced settings in the AIDE configuration file /etc/aide/aide.conf for better results.
