By Hitesh Jethva, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud's incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.
AIDE, also known as "Advanced Intrusion Detection Environment", is a free, open source and powerful file and directory integrity checker that uses predefined rules to check file and directory integrity on Unix-like operating systems. AIDE works by taking a snapshot of the state of the system, recording hashes, modification times, inode numbers, user, group, file size and other data about the files defined by the administrator. This snapshot is used to build a database. When you run an integrity test, AIDE compares the database against the real state of the system. If any changes have happened between the snapshot creation and the test, AIDE detects them and reports them to you. AIDE is a host-based IDS, which means it scans the filesystem and logs the attributes of important files, directories, and devices.
In this tutorial, we will be installing and configuring AIDE on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 server.
Launch Alibaba Cloud ECS Instance
First, log in to your Alibaba Cloud ECS Console. Create a new ECS instance, choosing Ubuntu 16.04 as the operating system with at least 2GB RAM. Connect to your ECS instance and log in as the root user.
Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.
apt-get update -y
By default, AIDE can be found in the Ubuntu 16.04 default repository. You can install it by just running the following command:
apt-get install aide -y
Once AIDE has been installed, you can verify the AIDE version with the following command:
aide -v
You should see the following output:
Aide 0.16a2-19-g16ed855
Compiled with the following options:
WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
WITH_AUDIT
CONFIG_FILE = "/dev/null"
You can also run the aide --help command to list all the options available in AIDE:
aide --help
You should see the following output:
Aide 0.16a2-19-g16ed855
Usage: aide [options] command
Commands:
-i, --init Initialize the database
-C, --check Check the database
-u, --update Check and update the database non-interactively
-E, --compare Compare two databases
Miscellaneous:
-D, --config-check Test the configuration file
-v, --version Show version of AIDE and compilation options
-h, --help Show this help message
Options:
-c [cfgfile] --config=[cfgfile] Get config options from [cfgfile]
-B "OPTION" --before="OPTION" Before configuration file is read define OPTION
-A "OPTION" --after="OPTION" After configuration file is read define OPTION
-r [reporter] --report=[reporter] Write report output to [reporter] url
-V[level] --verbose=[level] Set debug message level to [level]
The AIDE default configuration file is located at /etc/aide/aide.conf. You can define the database location, the rules, and the directories and files to be included in the database in this file.
You can initialize the AIDE database using the aideinit command. By default, the aideinit command checks only the set of directories and files defined in the /etc/aide/aide.conf file. You can also include or exclude additional directories or files in the AIDE database by editing the /etc/aide/aide.conf file as needed.
Let's start by generating a database with the AIDE default configuration file, using the following command:
aideinit
This command creates a database of all the files selected in the configuration file:
Running aide --init...
AIDE 0.16a2-19-g16ed855 initialized AIDE database at /var/lib/aide/aide.db.new
Start timestamp: 2018-10-26 13:55:24 +0530
Verbose level: 6
Number of entries: 106121
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new
RMD160 : 50sFdIM75d6BdpLLWOElGFGe4l8=
TIGER : 4yo3X/K1yKiTG4S949Q0HVyyUoKpaZ6S
SHA256 : mOPM3QgWEj/Qf6YPSfEMgAxnUR25EnwV
YS9tj1orSjE=
SHA512 : R1PMjSwyCo/Mrxsl2VYJmPkQifMFCCsu
47ENh6aeti/9uG+VTL4N8Jr/ZFqQCEGk
I9rMIhyvHj7KgItXXtkYcA==
CRC32 : qg0IOg==
HAVAL : eGIq1QLfp+cJF4p6M0t5Rhsq8RAne2dk
r83W4WQEWNM=
GOST : nGcToJbKzp+RcA9F9N1sQ1ai6liqkTuU
2Cv0akkfVy0=
End timestamp: 2018-10-26 14:10:52 +0530 (run time: 15m 28s)
After initializing the database, you will need to move the newly created database into place as the current database:
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
After creating the database, you can check the integrity of the files and directories by running the following command:
aide -c /etc/aide/aide.conf --check
This command reads the snapshot from the database and compares it to the current file system state. If it finds any differences between them, it generates a report.
WARNING: Old db contains a entry that shouldn't be there, run --init or --update
AIDE 0.16a2-19-g16ed855 found NO differences between database and filesystem. Looks okay!!
Start timestamp: 2018-10-26 15:58:22 +0530
Verbose level: 6
Number of entries: 0
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db
RMD160 : gjtiL04CMVHcaPXwL1b3cwWD7c8=
TIGER : HxjPwn6jF9whYglTGi7gvd5fLjSIRvSy
SHA256 : 6BPVFAjo/FrhcEwAgLTFG65NRPwQaWVi
j9YW6MD7Ef8=
SHA512 : 6eZC1+RlI3VIethVTEbFgTwh9mITwStK
6BjzWQn7Wj6WsbAc/sGSmbiSRlC9xar5
0nH9YSaxkFI36hng+UF94Q==
CRC32 : nJvZRg==
HAVAL : jEZQmafv5tWiF2p7rvyvDLeA/4tmK5dh
rVshQWdqVx0=
GOST : /ePMms8ANBSPynGCzAw1Vj+J3fF6sAMA
n/9U+gabMx8=
End timestamp: 2018-10-26 15:58:22 +0530 (run time: 0m 0s)
Before testing AIDE, you will need to create a new AIDE configuration file. You can do this with the following command:
update-aide.conf
Next, copy the updated AIDE configuration file to the /etc/aide directory with the following command:
cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
Now, let's create some files and directories in the filesystem with the following commands:
touch /etc/start.sh
touch /root/file1
touch /root/file2
mkdir /root/dir1
mkdir /root/dir2
Now, run an AIDE check to detect the newly created files and directories with the following command:
aide -c /etc/aide/aide.conf --check
You should see the newly created files and directories in the following output:
AIDE 0.16a2-19-g16ed855 found differences between database and filesystem!!
Start timestamp: 2018-10-26 16:08:33 +0530
Verbose level: 6
Summary:
Total number of entries: 96090
Added entries: 7
Removed entries: 9
Changed entries: 18
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /etc/start.sh
f++++++++++++++++: /root/aide.conf
d++++++++++++++++: /root/dir1
d++++++++++++++++: /root/dir2
f++++++++++++++++: /root/file1
f++++++++++++++++: /root/file2
f++++++++++++++++: /var/lib/aide/aide.db
---------------------------------------------------
After reviewing the changes, it is recommended to update the AIDE database so that these changes are not reported again on the next AIDE check. You can update the database with the following command:
aide -c /etc/aide/aide.conf --update
Output:
AIDE 0.16a2-19-g16ed855 found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new
Start timestamp: 2018-10-26 16:43:36 +0530
Verbose level: 6
Summary:
Total number of entries: 96099
Added entries: 16
Removed entries: 9
Changed entries: 19
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /etc/start.sh
f++++++++++++++++: /root/aide.conf
d++++++++++++++++: /root/dir1
d++++++++++++++++: /root/dir2
f++++++++++++++++: /root/file1
f++++++++++++++++: /root/file2
f++++++++++++++++: /run/systemd/sessions/9
F++++++++++++++++: /run/systemd/sessions/9.ref
d++++++++++++++++: /run/systemd/system/session-9.scope.d
f++++++++++++++++: /run/systemd/system/session-9.scope.d/50-After-systemd-logind\x2eservice.conf
f++++++++++++++++: /run/systemd/system/session-9.scope.d/50-After-systemd-user-sessions\x2eservice.conf
f++++++++++++++++: /run/systemd/system/session-9.scope.d/50-Description.conf
f++++++++++++++++: /run/systemd/system/session-9.scope.d/50-SendSIGHUP.conf
f++++++++++++++++: /run/systemd/system/session-9.scope.d/50-Slice.conf
f++++++++++++++++: /run/systemd/system/session-9.scope.d/50-TasksMax.conf
f++++++++++++++++: /var/lib/aide/aide.db
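As an added example (not code from the tutorial or from the AIDE project), here is a small POSIX shell triage script that parses a report in the layout shown above, drops paths under a prefix the operator has decided is expected churn (the /run/systemd session files that appeared in the --update output), and counts what is left to review. The report text and the noise prefix list are constructed for the example and are not AIDE defaults.

```shell
# Added example, not part of the original tutorial: parse an AIDE --check
# report, drop paths an operator treats as expected churn, and count what
# remains to review. SAMPLE_REPORT is constructed in the layout AIDE 0.16 prints.
SAMPLE_REPORT='AIDE 0.16a2-19-g16ed855 found differences between database and filesystem!!
Summary:
  Total number of entries:      96090
  Added entries:                4
  Removed entries:              0
  Changed entries:              1
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /etc/start.sh
d++++++++++++++++: /root/dir1
f++++++++++++++++: /run/systemd/sessions/9
F++++++++++++++++: /run/systemd/sessions/9.ref
---------------------------------------------------
Changed entries:
---------------------------------------------------
f   ...    .C... : /etc/passwd'
# Example policy (assumed, not AIDE's): systemd session state under /run
# changes on every login and is not a filesystem-integrity signal.
NOISE_PREFIXES='/run/systemd/'
# Print the count from one summary line, e.g. aide_summary_count 'Added entries'.
aide_summary_count() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}
# Print one path per entry line. Entry lines begin with the file type letter
# (f, d, l, ...) and an attribute summary, followed by ": /path".
aide_entry_paths() {
    sed -n 's/^[A-Za-z][^:]*: \(\/.*\)$/\1/p'
}
# Drop paths that begin with any prefix listed in NOISE_PREFIXES.
aide_drop_noise() {
    while IFS= read -r path; do
        keep=1
        for prefix in $NOISE_PREFIXES; do
            case "$path" in "$prefix"*) keep=0 ;; esac
        done
        [ "$keep" -eq 1 ] && printf '%s\n' "$path"
    done
    return 0
}
# Number of reported paths left after the noise filter; 0 means nothing to review.
aide_paths_to_review() {
    aide_entry_paths | aide_drop_noise | awk 'END { print NR }'
}
printf '%s\n' "$SAMPLE_REPORT" | aide_paths_to_review   # prints 3
```

On a live host the durable fix for such churn is an exclusion rule (a line beginning with !) in the AIDE configuration; the filter here only helps when triaging reports you already have.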
Next, copy the newly created database over the current one with the following command:
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Next, update the AIDE configuration file with the following command:
update-aide.conf
cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
Congratulations! You have successfully installed AIDE on an Ubuntu 16.04 server. I hope you can now easily use AIDE to understand changes on your server and identify unauthorized access to it. You can also use the advanced settings in the AIDE configuration file /etc/aide/aide.conf for better results.