AIDE – Advanced Intrusion Detection Environment HowTo – Ubuntu Linux

AIDE is an advanced intrusion detection environment software which monitors changes in your files and/or filesystem/s. AIDE let’s you know if a file has been accessed, changed, or modified (atime, ctime, or mtime, for the Unix geeks) and alerts you to the fact providing a report which by default is mailed to your root user. Some file systems offer a btime (birth time), or file creation date, however this is on a per filesystem type basis and was something not tracked in the original Unix or early Linux filesystems.

The aide program recursively goes through files and directories and compares the full suite of inode information against a master database to see if any changes have been made since the last aide run. The inode information is the metadata of the file such as atime, ctime, and mtime plus much more.

For example, a relatively unchanging directory in a Unix or Linux filesystem is the /etc directory. The /etc directory contains entries which handle system startup and shutdown as well as configuration files for most of the shell utilities, programs, or scripts which one would commonly use in the course of daily usage and administration. In the normal course of operation the contents of this directory normally remains relatively static and unchanging. If something in here changes and your unaware of it, you want to become aware of it.

Install AIDE (Ubuntu and Debian variants):

apt install aide

Configuration directory and config file:

/etc/aide
/etc/aide/aide.conf

Output and check directory:

/var/lib/aide

Once aide is installed, you’ll want to initialize it to create the initial database. You can do that with:

aide -c /etc/aide/aide.conf --init

Once the initialization is complete you’ll need to change to the data directory (/var/lib/aide) and move the new database in place:

mv aide.db.new aide.db

Now you run a check and compare against the database with:

aide -c /etc/aide/aide.conf --check

Once the command completes, the output will be sent to screen and let you know if anything has changed. After viewing the report if everything looks good or there are no changes there’s mothing else to do. If after viewing the report you want to check on or confirm any of the differences, perform any administration you need to, then:

aide -c /etc/aide/aide.conf --update

That will note all the changes, update the aide database, and output the new database as /var/lib/aide/aide.db.new. You’ll then need to move the updated database in place:

mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

From this point on, you’ll either be running checks against the database (–check option) or updates to the database (–update option). This is the base minimum you need to know for proper ongoing administration of the aide subsystem. So in effect you only to know the following two commands:

aide -c /etc/aide/aide.conf --check
aide -c /etc/aide/aide.conf --update

I usually change to the “/var/lib/aide” directory when I’m interacting with aide because for me it just makes this easier. You’re either “checking” the database for changes or “updating” to reflect the new changes and output a new database (aide.db.new). You’ll know which of the two commands you need to run by doing a simple “ls -l” of the /var/lib/aide directory. If there’s a “aide.db.new” file you’ll need to move it in place. If there’s not a “aide.db.new” then you’ll be running a “check”


Above is the barebones description of the installation, configuration, and administration of aide, and is in fact the description of processes I perform on a daily basis. There are a number of directories you’ll want to suppress as during the course of normal Ubuntu/Linux operation there are many dynamic directories you’ll not want checked otherwise you’re reports will be voluminous and impede usefulness.

You suppress directories by installing the entries in the config file (/etc/aide/aide.conf) at the end of the file. The syntax is as follows:

!/mnt/c
!/mnt/e
!/mnt/f
!/mnt/g
!/run
!/tmp
!/var/backups
!/var/cache
!/var/lib
!/var/log
!/var/snap
!/var/www

You just enter the “bang” or exclamation point followed by the directory you want suppressed. The above is the configuration I use for my Windows Subsystem for Linux (WSL) on my daily Windows workstation. It’s pretty much my sandbox for testing (highly recommended).

This howto just goes over the bare minimum you need to know to properly and effectively install, configure, and administrate aide. There are however other ways to use aide. Let’s stay instead of checking the whole of all filesystems, you want to check specific or even a single directory. This not only makes for speedy aide runs, but it allows for highly configurable operation. I will leave that up to you to learn and it may easily be gleaned by perusing the aide man page (man aide).

Thank you for taking the time to read this.


— Example Report Without Changes

root@lite:/var/lib/aide# aide -c /etc/aide/aide.conf –check
Start timestamp: 2024-03-24 14:20:49 +0000 (AIDE 0.17.4)
AIDE found NO differences between database and filesystem. Looks okay!!
Ignored e2fs attributes: EIh

Number of entries: 247872

The attributes of the (uncompressed) database(s):

/var/lib/aide/aide.db
SHA256 : ekJ6GKf3qamMXagCgLixNXbmBCrrIWpf
pgLb4E5lQIs=
SHA512 : e1o7wmeU2yyFcpvKSgS/vmbAMwK2CfSf
S8H2yNx7Dj77v6sK1AuMWhyxanNGeWGS
fMcoIOxpkw6k0Z0SwAlNlQ==
RMD160 : Qy3txUfccO3irXcz+tdDV8ZOJvw=
TIGER : PZBG1R94dKslNSgJj46PBUGJZC3jBavS
CRC32 : lKJ5JQ==
HAVAL : mn6tCt0qHR/iWGVvsKso3kYBCWx28gbu
klljTxcLXCM=
WHIRLPOOL : bbcNXHOGsp2lIeqAOoP7GhyAPbu6FV0Z
mqZ88bqn2NgReuYeIFm9mYpMhsiQBH/1
Z9TttviSOAuPaF9f9GZGHw==
GOST : jZwaTsBP1drybFGuOLfFCGvW5SSVyVkK
F5iIdxD2AmE=


— Example Report With Changes

Start timestamp: 2024-03-26 14:58:17 +0000 (AIDE 0.17.4)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new
Ignored e2fs attributes: EIh

Summary:
Total number of entries: 247912
Added entries: 40
Removed entries: 0
Changed entries: 6

Added entries:

f+++++++++++++++++: /usr/bin/alpine
l+++++++++++++++++: /usr/bin/alpinef
f+++++++++++++++++: /usr/bin/mlock
f+++++++++++++++++: /usr/bin/rpdump
f+++++++++++++++++: /usr/bin/rpload
d+++++++++++++++++: /usr/share/doc/alpine
f+++++++++++++++++: /usr/share/doc/alpine/NOTICE.gz
f+++++++++++++++++: /usr/share/doc/alpine/README.Debian
f+++++++++++++++++: /usr/share/doc/alpine/README.gz
f+++++++++++++++++: /usr/share/doc/alpine/brochure.txt
f+++++++++++++++++: /usr/share/doc/alpine/changelog.Debian.gz
f+++++++++++++++++: /usr/share/doc/alpine/copyright
d+++++++++++++++++: /usr/share/doc/alpine/tech-notes
f+++++++++++++++++: /usr/share/doc/alpine/tech-notes/Makefile
f+++++++++++++++++: /usr/share/doc/alpine/tech-notes/background.html
f+++++++++++++++++: /usr/share/doc/alpine/tech-notes/cmd-line.html
f+++++++++++++++++: /usr/share/doc/alpine/tech-notes/config-notes.html
f+++++++++++++++++: /usr/share/doc/alpine/tech-notes/config.html
f+++++++++++++++++: /usr/share/doc/alpine/tech-notes/for.pnuts
f+++++++++++++++++: /usr/share/doc/alpine/tech-notes/index.html
f+++++++++++++++++: /usr/share/doc/alpine/tech-notes/installation.html
f+++++++++++++++++: /usr/share/doc/alpine/tech-notes/introduction.html
f+++++++++++++++++: /usr/share/doc/alpine/tech-notes/low-level.html
f+++++++++++++++++: /usr/share/doc/alpine/tech-notes/pn4tn
f+++++++++++++++++: /usr/share/doc/alpine/tech-notes/pnuts.4tech-notes
f+++++++++++++++++: /usr/share/doc/alpine/tech-notes/porting.html
f+++++++++++++++++: /usr/share/doc/alpine/tech-notes/tech-notes.txt.gz
d+++++++++++++++++: /usr/share/doc/alpine-doc
f+++++++++++++++++: /usr/share/doc/alpine-doc/changelog.Debian.gz
f+++++++++++++++++: /usr/share/doc/alpine-doc/copyright
d+++++++++++++++++: /usr/share/doc/mlock
f+++++++++++++++++: /usr/share/doc/mlock/NEWS.Debian.gz
f+++++++++++++++++: /usr/share/doc/mlock/changelog.Debian.gz
f+++++++++++++++++: /usr/share/doc/mlock/copyright
f+++++++++++++++++: /usr/share/lintian/overrides/mlock
f+++++++++++++++++: /usr/share/man/man1/alpine.1.gz
l+++++++++++++++++: /usr/share/man/man1/alpinef.1.gz
f+++++++++++++++++: /usr/share/man/man1/mlock.1.gz
f+++++++++++++++++: /usr/share/man/man1/rpdump.1.gz
f+++++++++++++++++: /usr/share/man/man1/rpload.1.gz

Changed entries:

d =…. mc.. .. . : /root
f <…. mci.H.. . : /root/.bash_history
d =…. mc.. .. . : /usr/bin
d =…. mc.n .. . : /usr/share/doc
d =…. mc.. .. . : /usr/share/lintian/overrides
d =…. mc.. .. . : /usr/share/man/man1

Detailed information about changes:

Directory: /root
Mtime : 2024-03-26 01:30:27 +0000 | 2024-03-26 14:09:43 +0000
Ctime : 2024-03-26 01:30:27 +0000 | 2024-03-26 14:09:43 +0000

File: /root/.bash_history
Size : 30770 | 30761
Mtime : 2024-03-26 01:30:27 +0000 | 2024-03-26 14:09:43 +0000
Ctime : 2024-03-26 01:30:27 +0000 | 2024-03-26 14:09:43 +0000
Inode : 1953 | 1933
SHA256 : Akr2l2lMWWdp1mBHMPlqqouaUsR99e4d | k8UCrPP7wN45Ys4LhQA6O0y5oCCET0WH
BbzGqFLk2lg= | s5ln+is3njA=
SHA512 : 9MrLQUCZMk+hzfY7ProSAH56bCVUZU30 | v+KcK52tkTcGJ4qCXvQ7OqQKVxi7PTjx
22xttyhxnQ6g5eyVfh6USL19uC9dTNvB | 0PIa/kJCXymsPMbCkBvzFKWdIufDbMPL
ODBg1J1H7jDZq4k6yyFN6g== | xIERwyf79xOzXFsoeH/5jg==
RMD160 : I241i5HyqnSVCB4tBa2FUHxW8Fs= | 1XFGCUmQpzdfcNTQYBsXRdAFsA0=
TIGER : NVz1iNNTXvwQfx1GLl6zS2c8/qdVqVZk | oTDHQEHhYz0mEs0tDY1uKrOhTZrC51Xc
CRC32 : Cse8xA== | Ykw0GA==
HAVAL : z6TBb79s+op2OfQqh04ZdsGe8q3pjjHo | yDneQT8mt9uPA85HJk6FyURMaFxYOW7t
P23Mi0WSfTw= | N3avqzI+d04=
WHIRLPOOL : AEJfZtT5s0vCUG8gLERnS8GsGWLCWtQh | Yxd+cfZXvbYdoRUf6LGnHCR8FZUZhmYO
4J1oGcmlfLT5iSnUxT7PI9LTh/q/pL7s | 6AjZJQbPNG2fblqH4sdRW0c/Oz+2OKKM
OifLrVYjiusoPgcbSpIt9A== | 350vkDlA9J629cStmnGn5Q==
GOST : T/o3bHstogmOIHNT6XuoyhUecfcZKYog | 6O8s1P1h9S+ru6uZkc6ZOzAZ55gQrvff
Jq9a0SU/TL4= | r5qYWI9AV8s=

Directory: /usr/bin
Mtime : 2024-03-26 06:02:44 +0000 | 2024-03-26 14:28:06 +0000
Ctime : 2024-03-26 06:02:44 +0000 | 2024-03-26 14:28:06 +0000

Directory: /usr/share/doc
Mtime : 2024-03-19 08:26:08 +0000 | 2024-03-26 14:28:06 +0000
Ctime : 2024-03-19 08:26:08 +0000 | 2024-03-26 14:28:06 +0000
Linkcount : 1179 | 1182

Directory: /usr/share/lintian/overrides
Mtime : 2024-03-26 06:02:44 +0000 | 2024-03-26 14:28:05 +0000
Ctime : 2024-03-26 06:02:44 +0000 | 2024-03-26 14:28:05 +0000

Directory: /usr/share/man/man1
Mtime : 2024-03-26 06:02:44 +0000 | 2024-03-26 14:28:06 +0000
Ctime : 2024-03-26 06:02:44 +0000 | 2024-03-26 14:28:06 +0000

The attributes of the (uncompressed) database(s):

/var/lib/aide/aide.db
SHA256 : Pr4c0mwjVXpa7u8lAFeNMs0QRkKMoVtS
EjIp5C2tCSc=
SHA512 : cY+3fpNedMOKrXr/aXJ6i3gj5ZlLqotK
CG5IYGbeyP2nCDG6UQTmUFuhBwivRk85
OaoNoDPJ8kW/5ZZXjavv3g==
RMD160 : bdUJTs3alJnj1gvsCHApu1BRuj4=
TIGER : CJeAPvgkkgyTpSYXObYjnuUMQkY9Y5mA
CRC32 : 5hDQog==
HAVAL : ZxmcPkx1SByEkJLq/XO5JqrF7QYrtvsx
fGrX+xh8YLI=
WHIRLPOOL : Xp5O99ES6eOtWoZ08QXFCkhTJ/3Nvtsd
g1Eb7AwDUIIpkKGhKKJGHBAsgkKlEDR8
Kpi06NGotwuZJnG+YWvjqw==
GOST : t72GwhmLWM5Fzt+KQW4PKqq38zn67Z2k
0Cc23hvEUFg=

/var/lib/aide/aide.db.new
SHA256 : KAyoFnTrhwMC9rPxZMr+QzHDr6gI6sIl
LI5VTUAswX0=
SHA512 : 8gzZ6y9ihtN+PmWi1a7L4s+8k1ArrkCQ
tAsQcGOrippj9OYQULQ7om6nZS2cNDLv
4JDMfUVuVlO4At7SSCWqNA==
RMD160 : YejBurzaSL1HbTZszgDZnVT6iaI=
TIGER : ggo7O2ZyahiXn6rF04ZUnNKmzJiekiw1
CRC32 : pYf5Nw==
HAVAL : f8Uxl/6D39kT1DPPEvO5o1BZVSnHzHYt
xS1If80VNkY=
WHIRLPOOL : 4GSN9KhOJNbZ6t+Sp9unJzo2X0vN5w5l
8Tl2Gjy6LvBPHZ9VXXIYLKh+KIjE2wyD
9ovg16nOSgqI3HD4yrycEw==
GOST : J3K3LqmBH7+mL//q4KKL91KNeV1IzqVI
v3fPTlkHeiE=

End timestamp: 2024-03-26 15:25:55 +0000 (run time: 27m 38s)

Note: This report came in right after I performed apt update/apt upgrade command.


Comments

One response to “AIDE – Advanced Intrusion Detection Environment HowTo – Ubuntu Linux”

  1. Good post.I subscribed. Have a happy day☘️⭐️

Leave a Reply

Your email address will not be published. Required fields are marked *