{"id":2154,"date":"2019-01-30T17:25:48","date_gmt":"2019-01-30T14:25:48","guid":{"rendered":"http:\/\/kifarunix.com\/?p=2154"},"modified":"2020-08-17T23:27:06","modified_gmt":"2020-08-17T20:27:06","slug":"install-and-configure-aide-on-ubuntu-18-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-aide-on-ubuntu-18-04\/","title":{"rendered":"Install and Configure AIDE on Ubuntu 18.04"},"content":{"rendered":"

Welcome to our guide on how to install and configure AIDE on Ubuntu 18.04. AIDE<\/a> is an acronym for A<\/strong>dvanced I<\/strong>ntrusion D<\/strong>etection E<\/strong>nvironment. It is a free replacement for the popular Tripwire. It is a host-based intrusion detection system that monitors file integrity in order to detect unauthorized changes. When AIDE runs for the first time, it creates a database of file attributes that acts as the baseline against which all subsequent checks are compared. Some of the file properties that AIDE can check include file permissions, inodes, modification time, file contents, user, group and file size.<\/p>\n

Install and Configure AIDE on Ubuntu 18.04<\/h2>\n

Before you can begin to install and configure AIDE on Ubuntu 18.04, update and upgrade your system packages<\/p>\n

sudo apt update\nsudo apt upgrade<\/code><\/pre>\n

Install AIDE on Ubuntu 18.04<\/h3>\n

Once the system update is done, it is time to install AIDE on Ubuntu 18.04. AIDE is available in the default Ubuntu repositories, so you can simply install it as follows;<\/p>\n

sudo apt install aide<\/code><\/pre>\n

During installation, you will be prompted to configure Postfix. Set the correct mail server configuration type and the mail name.<\/p>\n

Configuring AIDE on Ubuntu 18.04<\/h3>\n

AIDE has now been installed. You can run aide -v<\/code> to check the installed version and the options with which AIDE was compiled.<\/p>\n

aide -v<\/code><\/pre>\n
Aide 0.16\n\nCompiled with the following options:\n\nWITH_MMAP\nWITH_PCRE\nWITH_POSIX_ACL\nWITH_SELINUX\nWITH_XATTR\nWITH_E2FSATTRS\nWITH_LSTAT64\nWITH_READDIR64\nWITH_ZLIB\nWITH_MHASH\nWITH_AUDIT\nCONFIG_FILE = \"\/dev\/null\"<\/code><\/pre>\n

The general configuration file for AIDE is located under \/etc\/default\/aide<\/code>. The rules and configurations reside under \/etc\/aide\/<\/code> and the AIDE database is located under \/var\/lib\/aide\/<\/code>.<\/p>\n

Before we can proceed with the configuration of AIDE, you need to create a new AIDE database. This can be done with the aideinit<\/code> script, which creates a new database at \/var\/lib\/aide\/aide.db.new<\/code>. Note that creating a new AIDE database may take a few minutes.<\/p>\n

sudo aideinit<\/code><\/pre>\n
Running aide --init...\nStart timestamp: 2019-01-29 18:24:13 +0000 (AIDE 0.16)\nAIDE initialized database at \/var\/lib\/aide\/aide.db.new\nVerbose level: 6\n\nNumber of entries:\t138400\n\n---------------------------------------------------\nThe attributes of the (uncompressed) database(s):\n---------------------------------------------------\n\n\/var\/lib\/aide\/aide.db.new\n  RMD160   : d4SEVhfZEguCINwJEQJvot2tjWc=\n  TIGER    : vhiRANRpGuACXvn9isU\/wR3B1KRJ4hwr\n  SHA256   : SdlgAB01p9Jn0yblMYZNauSKAPkhgWLz\n             GcxrN+SnYhE=\n  SHA512   : 1LPRiANnSxI6ZWq6ktoWLciQQqL9RTk1\n             Opu6uBvB40LqDPHznoQxGhHZLPX8q2K7\n             6+HrNm6UqnSK\/+c4+TBu\/g==\n  CRC32    : Ls1tow==\n  HAVAL    : P0mlZhSNQ08kBi6kBOXeP5MSiBo1Gkf9\n             guVLoYa3C5I=\n  GOST     : 1BZxQdadYtSX1sED9Z+tJk+9uXm8SmId\n             r10Oa1rpcYk=\n\n\nEnd timestamp: 2019-01-29 18:30:27 +0000 (run time: 6m 14s)<\/code><\/pre>\n

To install the newly created AIDE database, copy it into place as follows;<\/p>\n

cp \/var\/lib\/aide\/aide.db.new \/var\/lib\/aide\/aide.db<\/code><\/pre>\n

Next, update the AIDE configuration by running the update-aide.conf<\/code> script, which generates \/var\/lib\/aide\/aide.conf.autogenerated<\/code>;<\/p>\n

update-aide.conf<\/code><\/pre>\n

Copy the generated configuration file into place.<\/p>\n

cp \/var\/lib\/aide\/aide.conf.autogenerated \/etc\/aide\/aide.conf<\/code><\/pre>\n

Testing AIDE<\/h3>\n

Once the configuration is done, it is time to test this tool. First, run a manual check by executing the command below;<\/p>\n

aide -c \/etc\/aide\/aide.conf -C<\/code><\/pre>\n

The command compares the current filesystem against the AIDE database and reports any deviations. See the example output below;<\/p>\n

Start timestamp: 2019-01-30 10:48:31 +0000 (AIDE 0.16)\nAIDE found differences between database and filesystem!!\nVerbose level: 6\n\nSummary:\n  Total number of entries:\t102617\n  Added entries:\t\t1\n  Removed entries:\t\t0\n  Changed entries:\t\t2\n\n---------------------------------------------------\nAdded entries:\n---------------------------------------------------\n\nf++++++++++++++++: \/var\/lib\/aide\/aide.db\n\n---------------------------------------------------\nChanged entries:\n---------------------------------------------------\n\nf >b... mc..C.. .: \/etc\/aide\/aide.conf\nf =.... mc..C.. .: \/var\/log\/journal\/bb7e8bffbe43449e9565bf8712dbee8c\/system.journal\n\n---------------------------------------------------\nDetailed information about changes:\n---------------------------------------------------\n\nFile: \/etc\/aide\/aide.conf\n  Size     : 6598                             | 57102\n  Bcount   : 16                               | 112\n  Mtime    : 2018-02-02 19:16:08 +0000        | 2019-01-30 10:48:06 +0000\n  Ctime    : 2019-01-30 10:35:48 +0000        | 2019-01-30 10:48:06 +0000\n  RMD160   : kHZi6LuS1X5nlHkrtCLV9UdgDxo=     | NJrrqPQmqjX6MXVSufzWl9DwUq4=\n  TIGER    : 4Xz+mZRAxr2kNIGOmTNJa\/7Ftv+VpV37 | eK8XUz4hSjVP5ynT08cKKOW3Cl3SMWog\n  SHA256   : RN1UT38\/wRA8N5o4M4MHU8N+G49sK9nB | mOJ+dgkewL5A2aTe+YohLx8VfnVIyPeo\n             0B5VVewz3h8=                     | gITBqrv4\/qA=\n  SHA512   : o4LOstw3erheco5dpKcKLadGav29Ud9E | +obSMFAoSWuMSl9wqCrWmTlBvVI46llZ\n             ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | TfRBJckm6jSP4RP1nsEgjEhazp3xGfE9\n             yKP7Fvoitf+jHcriq57Pgg==         | He0zfwcn+GgFAaGhYB6GuA==\n  CRC32    : S3Rhfg==                         | 8wC5XQ==\n  HAVAL    : +O7017egNOm+\/TJW\/3HxeQcxmz55pDM7 | is4+L0o7TwyG96tI\/bvAJfLg5vyjXHUt\n             S+TXtMWVN\/E=                     | w68Mv8ISFaA=\n  GOST     : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | kjH6QLrtARoVVIthW9dRjl6lcGbdO9RL\n             NhV8dix9LIw=                     
| lmHOUtPcL0g=\n\nFile: \/var\/log\/journal\/bb7e8bffbe43449e9565bf8712dbee8c\/system.journal\n  Mtime    : 2019-01-30 10:35:50 +0000        | 2019-01-30 10:52:45 +0000\n  Ctime    : 2019-01-30 10:35:50 +0000        | 2019-01-30 10:52:45 +0000\n  RMD160   : OPiOJ+A052D16445d4V0UKKwxNc=     | ixkNOr8URmd9PHa8E9LHV6KX9Qg=\n  TIGER    : Dq0dBwnP\/KZLbjeNZexIZ\/xXGp3Fqrsg | Nmdzpx3B1ovx\/QnenWib6Gvlnxp+NyYr\n  SHA256   : 5aFVHAAioL812oDAvVSKOr9TYL\/lss18 | ZRPPaSlC7SLXkKAJprkZkX4G2S6UF8XV\n             lB2XKJqrG5U=                     | IwBcDY8wQ\/U=\n  SHA512   : y+vkFBDok4qluzbz1N3h9Mnxu6mFKork | wo7mRX0gHq6U9B5DGv2gYtvXF49oz9kR\n             ajNB49g+xva\/jqEFbsr+ovFPRVj29DNV | XDQ\/aF5uDv5NXX2m+EB5K040AKVoqx3q\n             YvAJ7vJO+\/5piFepTcyFSA==         | yIA4EeEzvNW0\/z0fUva7lQ==\n  CRC32    : OHFR6g==                         | ZlMqdw==\n  HAVAL    : 7axEtl8NfeAUhB6WlP4hRuMcuBXnusXY | gj+HFZd02z7Z5Sz61lq\/lYpj0v\/wz2Gb\n             BsN2+eDOgmg=                     | BdMolbUMyI8=\n  GOST     : 8mMuqnlKzrJPE17i4ZQg\/qkjXkGm6jUS | U03sH84MOVTn9\/TVW2LSL5LNv9wQ1p8V\n             rMLZbCPp1+o=                     | WXNnGHU6\/Ec=\n\n\n---------------------------------------------------\nThe attributes of the (uncompressed) database(s):\n---------------------------------------------------\n\n\/var\/lib\/aide\/aide.db\n  RMD160   : 72ztIXlQ94R\/e74lT+MkWN9MQVk=\n  TIGER    : eQYlNo\/Tuc5LsjHq+5I4DL4YWge0tdG8\n  SHA256   : 89UyTx3dEhmWclY0X\/BiAFzONiPcsRF0\n             5YsPRNuS5\/M=\n  SHA512   : 54uVoLOZJpRwYr2fCgxxYwPAIkvBIrkS\n             t29yQpjYejD8LUw\/Hqpb9YyTCvd7DdsH\n             wH+e442KrS2Ri30sOIHyVA==\n  CRC32    : CQDToQ==\n  HAVAL    : edaIw5A4PSajIwv6UhKMt9gvw1LtprRJ\n             zjCPN9sixUM=\n  GOST     : XI+xehHMm71rHhij61vW0cBBRinGCspc\n             uT9aVbxxRnI=\n\n\nEnd timestamp: 2019-01-30 10:54:01 +0000 (run time: 5m 30s)<\/code><\/pre>\n

Next, you can create new files, edit some and delete others, then run the check again to see how AIDE detects each of these changes.<\/p>\n

If you need to run AIDE daily, you are in luck: the package installs its own daily execution script, \/etc\/cron.daily\/aide<\/code>.<\/p>\n

If you want to receive the check results by mail, edit the file \/etc\/default\/aide<\/code> and set the MAILTO<\/code> directive to your email address so that it looks like the line below. The default recipient is root<\/code>.<\/p>\n

MAILTO=user@domain.com<\/code><\/pre>\n

Furthermore, if you need to limit the integrity check to specific entries, for example \/etc<\/code>, pass --limit REGEX<\/code>, where REGEX is a regular expression that the entries to check must match. For example, to check only the entries matching \/etc<\/code>, you would run the aide command as shown below;<\/p>\n

aide -c \/etc\/aide\/aide.conf --limit \/etc --check<\/code><\/pre>\n

To exclude some directories, edit the configuration file \/etc\/aide\/aide.conf<\/code> and add the directories to ignore at the end of the file, in the format;<\/p>\n

!\/home\/\n!\/var\/lib\/\n!\/proc<\/code><\/pre>\n
Whenever you make such changes, remember to re-initialize the database so that the new rule set becomes the baseline.<\/div>\n
You can also create your own configuration and define what needs to be checked and what does not. See the example configuration below;<\/div>\n
vim \/home\/amos\/aide.conf<\/code><\/pre>\n
# Path for creating the databases\ndatabase=file:\/var\/lib\/aide\/aide.db\ndatabase_out=file:\/var\/lib\/aide\/aide.db.new\ndatabase_new=file:\/var\/lib\/aide\/aide.db.new\n\n# Set your own AIDE rule.\nMYRULE = p+n+u+g+s+m+c+xattrs+md5+sha512\n\n# Directories\/files to be monitored and rule to apply\n\/etc MYRULE\n\/bin MYRULE\n\/usr\/bin MYRULE\n\n# Directories to ignore\n!\/home\n!\/proc<\/code><\/pre>\n<\/div>\n

Basically, the rule set above checks p<\/strong>ermissions, n<\/strong>umber of links, u<\/strong>ser, g<\/strong>roup, s<\/strong>ize, m<\/strong>odification time, inode\/file c<\/strong>hange time, extended file attributes (xattrs<\/strong>), the MD5<\/strong> checksum and the SHA512<\/strong> checksum.<\/p>\n

Verify the configuration file for errors by running the command below;<\/p>\n

aide -c \/home\/amos\/aide.conf --config-check<\/code><\/pre>\n

Check the command exit status; a value of 0 means the configuration file parsed without errors.<\/p>\n

echo $?<\/code><\/pre>\n

To learn more about the commands and parameters of the aide command, explore the man page and the AIDE manual pages<\/a>.<\/p>\n

man aide<\/a><\/code><\/pre>\n

To wrap up, ensure that you update the AIDE database after reviewing each check, so that changes you have already reviewed are not reported again on subsequent AIDE checks.<\/p>\n

That is all we could cover in our guide on how to install and configure AIDE on Ubuntu 18.04.<\/p>\n","protected":false},"excerpt":{"rendered":"

Welcome to our guide on how to install and configure AIDE on Ubuntu 18.04. AIDE is an acronym for Advanced Intrusion Detection Environment. It is<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[310,34],"tags":[311,67],"class_list":["post-2154","post","type-post","status-publish","format-standard","hentry","category-fim","category-security","tag-aide","tag-ubuntu-18-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2154"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=2154"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2154\/revisions"}],"predecessor-version":[{"id":6720,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2154\/revisions\/6720"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=2154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=2154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=2154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}