{"id":6718,"date":"2020-08-17T23:53:29","date_gmt":"2020-08-17T20:53:29","guid":{"rendered":"https:\/\/kifarunix.com\/?p=6718"},"modified":"2024-03-14T22:29:00","modified_gmt":"2024-03-14T19:29:00","slug":"install-and-configure-aide-on-ubuntu-20-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-aide-on-ubuntu-20-04\/","title":{"rendered":"Install and Configure AIDE on Ubuntu 20.04"},"content":{"rendered":"\n

In this tutorial, you will learn how to install and configure AIDE on Ubuntu 20.04. AIDE<\/a> stands for A<\/strong>dvanced I<\/strong>ntrusion D<\/strong>etection E<\/strong>nvironment.<\/p>\n\n\n\n

AIDE is a host-based intrusion detection tool that detects changes to files on the local system. It builds a database of file attributes from the regular-expression rules in its configuration file; once that database is initialized, it serves as the baseline against which file integrity is verified. Several message digest algorithms (md5, sha1, rmd160, tiger, haval, sha256, sha512, etc.) are available for checking file contents, and the usual file attributes are compared as well: permissions, inode, number of links, user, group, size, modification and change times, extended attributes and more.<\/p>\n\n\n\n

Installing AIDE on Ubuntu 20.04<\/h2>\n\n\n\n

Run System Update<\/h3>\n\n\n\n

Before you proceed, update and upgrade your system packages;<\/p>\n\n\n\n

sudo apt update\nsudo apt upgrade<\/code><\/pre>\n\n\n\n

Install AIDE on Ubuntu 20.04<\/h3>\n\n\n\n

AIDE is available on the default Ubuntu repositories.<\/p>\n\n\n\n

apt-cache policy aide<\/code><\/pre>\n\n\n\n
aide:\n  Installed: (none)\n  Candidate: 0.16.1-1build2\n  Version table:\n     0.16.1-1build2 500\n        500 http:\/\/ke.archive.ubuntu.com\/ubuntu focal\/main amd64 Packages<\/code><\/pre>\n\n\n\n

So you can install it by running the command below;<\/p>\n\n\n\n

sudo apt install aide<\/code><\/pre>\n\n\n\n

Configuring AIDE on Ubuntu 20.04<\/h3>\n\n\n\n

AIDE has been successfully installed.<\/p>\n\n\n\n

You can check the installed version and the options with which AIDE is compiled by executing the command below.<\/p>\n\n\n\n

aide -v<\/code><\/pre>\n\n\n\n
Aide 0.16.1\n\nCompiled with the following options:\n\nWITH_MMAP\nWITH_PCRE\nWITH_POSIX_ACL\nWITH_SELINUX\nWITH_XATTR\nWITH_E2FSATTRS\nWITH_LSTAT64\nWITH_READDIR64\nWITH_ZLIB\nWITH_MHASH\nWITH_AUDIT\nCONFIG_FILE = \"\/dev\/null\"\n<\/code><\/pre>\n\n\n\n

On Ubuntu, \/etc\/default\/aide<\/code> holds the settings for the packaged daily cron job (mail recipient and similar), the rules and configuration reside under \/etc\/aide\/<\/code> (aide.conf<\/code> plus the fragments in aide.conf.d\/<\/code>), and the AIDE database lives under \/var\/lib\/aide\/<\/code>.<\/p>\n\n\n\n

Initialize AIDE Database on Ubuntu 20.04<\/h4>\n\n\n\n

Before you can proceed with configuration of AIDE, you need to create new AIDE database. This can be done by using the aideinit<\/code> script. The aideinit<\/code> will create a new baseline database,  \/var\/lib\/aide\/aide.db.new<\/code>.<\/p>\n\n\n\n

Creating a new AIDE database may take a few minutes, since every file matched by the rules is hashed.<\/p>\n\n\n\n

sudo aideinit<\/code><\/pre>\n\n\n\n
...\nStart timestamp: 2020-08-17 21:16:09 +0300 (AIDE 0.16.1)\nAIDE initialized database at \/var\/lib\/aide\/aide.db.new\nVerbose level: 6\n\nNumber of entries:\t394993\n\n---------------------------------------------------\nThe attributes of the (uncompressed) database(s):\n---------------------------------------------------\n\n\/var\/lib\/aide\/aide.db.new\n  RMD160   : GAsN4WEjhdn24HElaCb\/daTKDjw=\n  TIGER    : gwq53qWUr8hNSR2QnQficDJXungcT0B8\n  SHA256   : UpDqEtrLclqTqueWyXY5QOaivAMIhG1m\n             BXLExj07yaA=\n  SHA512   : lEj5QZJDraeraqx99J9Vi5AUBa3VPtH1\n             ZsWQret9+hXpvlyKV9jYzjLT\/nSRYZjb\n             3yiwEOnk2N5Tsao+XEALew==\n  CRC32    : exgbFw==\n  HAVAL    : 0EJFOeHe63tSE7qV0xdMHabpQr4kQkdy\n             6b0UxZbknxM=\n  GOST     : hK\/QHynp7XXi8tD3c1K5WLGCCnHcgMaS\n             HyQgh9uB5Os=\n\n\nEnd timestamp: 2020-08-17 21:32:02 +0300 (run time: 6m 53s)\n<\/code><\/pre>\n\n\n\n

As you can see, a new baseline AIDE database has been created, \/var\/lib\/aide\/aide.db.new<\/strong><\/code>. <\/p>\n\n\n\n

Install New AIDE Database<\/h4>\n\n\n\n

To install the newly created database as the baseline, copy it into place as follows. Keep a copy of the database, or at least of its hashes printed at the end of the aideinit<\/code> output, somewhere the monitored host cannot write to; an intruder with root access can otherwise regenerate the baseline and hide their changes.<\/p>\n\n\n\n

cp \/var\/lib\/aide\/aide.db{.new,}<\/code><\/pre>\n\n\n\n

Rebuild AIDE Configuration<\/h4>\n\n\n\n

To update AIDE runtime configuration, \/etc\/aide\/aide.conf<\/strong><\/code>, execute the command below<\/p>\n\n\n\n

update-aide.conf<\/code><\/pre>\n\n\n\n

The command generates a new configuration file, \/var\/lib\/aide\/aide.conf.autogenerated<\/code>, by merging \/etc\/aide\/aide.conf<\/code> with the fragments under \/etc\/aide\/aide.conf.d\/<\/code>. This is the file the packaged daily cron job, \/etc\/cron.daily\/aide<\/code>, regenerates and uses on every run, so for manual checks you can also pass it directly with -c<\/code>. To make it the default configuration, copy it over the existing \/etc\/aide\/aide.conf<\/code>; bear in mind that later runs of update-aide.conf<\/code> will then merge the aide.conf.d<\/code> fragments into a file that already contains them.<\/p>\n\n\n\n

cp \/var\/lib\/aide\/aide.conf.autogenerated \/etc\/aide\/aide.conf<\/code><\/pre>\n\n\n\n

Check AIDE Database for any Inconsistencies<\/h4>\n\n\n\n

Once the new configuration is generated, run the manual database check against the new configuration by executing the command below;<\/p>\n\n\n\n

aide -c \/etc\/aide\/aide.conf -C<\/code><\/pre>\n\n\n\n

The command compares the AIDE database with the current state of the filesystem and reports every deviation. See the example output below;<\/p>\n\n\n\n

...\nStart timestamp: 2020-08-17 22:58:29 +0300 (AIDE 0.16.1)\nAIDE found differences between database and filesystem!!\nVerbose level: 6\n\nSummary:\n  Total number of entries:\t395004\n  Added entries:\t\t8\n  Removed entries:\t\t0\n  Changed entries:\t\t13\n\n---------------------------------------------------\nAdded entries:\n---------------------------------------------------\n\nd++++++++++++++++: \/run\/motd.d\nd++++++++++++++++: \/run\/motd.d\/fwupd\nf++++++++++++++++: \/run\/motd.d\/fwupd\/85-fwupd\nd++++++++++++++++: \/run\/systemd\/dynamic-uid\nl++++++++++++++++: \/run\/systemd\/units\/invocation:fwupd.service\nd++++++++++++++++: \/tmp\/systemd-private-a6c413acea194aa1bd41d2936e4d4ea6-fwupd.service-Xwi4Fh\nd++++++++++++++++: \/tmp\/systemd-private-a6c413acea194aa1bd41d2936e4d4ea6-fwupd.service-Xwi4Fh\/tmp\nf++++++++++++++++: \/var\/lib\/aide\/aide.db\n\n---------------------------------------------------\nChanged entries:\n---------------------------------------------------\n\nf >b... mc..C.. .: \/etc\/aide\/aide.conf\nd   ...    n ..  : \/run\nd >.... mc.n ..  : \/run\/systemd\nf =.... mci....  : \/run\/systemd\/resolve\/stub-resolv.conf\nf =.... mc.....  : \/run\/systemd\/timesync\/synchronized\nd >.... mc.. ..  : \/run\/systemd\/units\nd =.... mc.. .. .: \/var\/cache\/fwupd\nf >b... mci.C.. .: \/var\/cache\/fwupd\/metadata.xmlb\nd =.... mc.. .. .: \/var\/cache\/private\/fwupdmgr\/fwupd\nf >b... mci.C.. .: \/var\/cache\/private\/fwupdmgr\/fwupd\/lvfs-metadata.xml.gz\nf =.... mci.C.. .: \/var\/cache\/private\/fwupdmgr\/fwupd\/lvfs-metadata.xml.gz.asc\nf =.... mc..C.. .: \/var\/log\/journal\/088f282d218f4067987670b09ad3319e\/system.journal\nd   ...   .n .. 
.: \/var\/tmp\n\n---------------------------------------------------\nDetailed information about changes:\n---------------------------------------------------\n\nFile: \/etc\/aide\/aide.conf\n  Size     : 6598                             | 57485\n  Bcount   : 16                               | 120\n  Mtime    : 2016-04-16 20:57:29 +0300        | 2020-08-17 22:58:04 +0300\n  Ctime    : 2020-08-17 22:32:14 +0300        | 2020-08-17 22:58:04 +0300\n  RMD160   : kHZi6LuS1X5nlHkrtCLV9UdgDxo=     | VS\/qXLCjQQoZvM9PiMN0vognx+8=\n  TIGER    : 4Xz+mZRAxr2kNIGOmTNJa\/7Ftv+VpV37 | PlLfFDUNNN4gLjonNvJmrzyTGKeSwhLi\n  SHA256   : RN1UT38\/wRA8N5o4M4MHU8N+G49sK9nB | kot4UpZLPPGlEUJdW8VtupXCjeITR4H6\n             0B5VVewz3h8=                     | HsG+rB0f6L8=\n  SHA512   : o4LOstw3erheco5dpKcKLadGav29Ud9E | spATSozxKYXnmS83qGHC9ijpT3RDFxMx\n             ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | 6\/1vnTRZy\/csfmaY6D9MBMkujB5blhFf\n             yKP7Fvoitf+jHcriq57Pgg==         | mD+ynvYvCwyCVjNcRe5dGg==\n  CRC32    : S3Rhfg==                         | cEpRww==\n  HAVAL    : +O7017egNOm+\/TJW\/3HxeQcxmz55pDM7 | elv71LkPurGiLw2qtG4cDF5xozVJccsG\n             S+TXtMWVN\/E=                     | JRzZvSiA994=\n  GOST     : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | J5cKfKZL53NeV7TFaTZNJSKptrSXA0Io\n             NhV8dix9LIw=                     | oX5CeovHm\/M=\n\nDirectory: \/run\n  Linkcount: 30                               | 31\n\nDirectory: \/run\/systemd\n  Size     : 500                              | 520\n  Mtime    : 2020-08-17 21:15:49 +0300        | 2020-08-17 22:49:28 +0300\n  Ctime    : 2020-08-17 21:15:49 +0300        | 2020-08-17 22:49:28 +0300\n  Linkcount: 23                               | 24\n\nFile: \/run\/systemd\/resolve\/stub-resolv.conf\n  Mtime    : 2020-08-17 22:38:02 +0300        | 2020-08-17 22:57:59 +0300\n  Ctime    : 2020-08-17 22:38:02 +0300        | 2020-08-17 22:57:59 +0300\n  Inode    : 659                              | 640\n\nFile: 
\/run\/systemd\/timesync\/synchronized\n  Mtime    : 2020-08-17 22:16:12 +0300        | 2020-08-17 22:50:20 +0300\n  Ctime    : 2020-08-17 22:16:12 +0300        | 2020-08-17 22:50:20 +0300\n\nDirectory: \/run\/systemd\/units\n  Size     : 1420                             | 1440\n  Mtime    : 2020-08-17 22:37:42 +0300        | 2020-08-17 22:49:37 +0300\n  Ctime    : 2020-08-17 22:37:42 +0300        | 2020-08-17 22:49:37 +0300\n\nDirectory: \/var\/cache\/fwupd\n  Mtime    : 2020-08-09 16:13:39 +0300        | 2020-08-17 22:49:36 +0300\n  Ctime    : 2020-08-09 16:13:39 +0300        | 2020-08-17 22:49:36 +0300\n\nFile: \/var\/cache\/fwupd\/metadata.xmlb\n  Size     : 1879141                          | 1887049\n  Bcount   : 3672                             | 3688\n  Mtime    : 2020-08-09 16:13:39 +0300        | 2020-08-17 22:49:36 +0300\n  Ctime    : 2020-08-09 16:13:39 +0300        | 2020-08-17 22:49:36 +0300\n  Inode    : 1181994                          | 1181386\n  RMD160   : pYzImUr\/9IKcF\/SsT+tijWj6o48=     | lNG+19YEXBaY429TNxZkLlZfuVY=\n  TIGER    : mCYoqhqfFNesX1DBDyNE0YyU9DHANfsr | IO3tgHWnfLb+q4+hnVjJUEliGJsoiBtt\n  SHA256   : LZuTxCE1d4uxstnNw85aPmd3waqIiaUt | fchrp9FBGA0lcNqelgDUttBwUcedo+Yi\n             ED7Mux5lkvI=                     | niwWtEj+h2k=\n  SHA512   : 9\/l4bMAUVMkk3MJxW\/dG\/kE6izzuwmzd | EaApKbI8wPTtUw+4q7g9VHMLQgmeH7lk\n             Mne02Yp6wtvH9b7lMhl6t5tGqIXMIy6h | lyet7Sc2YrP4sUE5ZDPX0OVut0+rFN5B\n             0gxhD5pBiJrAcpdwgUSvZw==         | be75hImQJReXevqXgC+\/eg==\n  CRC32    : PU7mFA==                         | spejqA==\n  HAVAL    : ZJpdjXOB1L+AupLhbvX4pUPLA+31vYrJ | jiAxgrp+7q4U7v7vxRAUOwAVzbxCrqTl\n             WOaHdM9b55M=                     | JlJZrosn4fI=\n  GOST     : wttUYlhB+GClZQkO85v2CaoSrM3ebi65 | HLlRZjmex\/GvqPX0XHAk04Y5xsSyBWbN\n             +oZSpV60PGg=                     | UCqD96u9v48=\n\nDirectory: \/var\/cache\/private\/fwupdmgr\/fwupd\n  Mtime    : 2020-08-09 16:13:38 +0300        | 2020-08-17 22:49:35 +0300\n 
 Ctime    : 2020-08-09 16:13:38 +0300        | 2020-08-17 22:49:35 +0300\n\nFile: \/var\/cache\/private\/fwupdmgr\/fwupd\/lvfs-metadata.xml.gz\n  Size     : 424119                           | 426248\n  Bcount   : 832                              | 840\n  Mtime    : 2020-08-09 16:13:38 +0300        | 2020-08-17 22:49:35 +0300\n  Ctime    : 2020-08-09 16:13:38 +0300        | 2020-08-17 22:49:35 +0300\n  Inode    : 1181212                          | 1180811\n  RMD160   : YFUDWdSVHPkiQcLISZDtJ20ky\/A=     | bjaeAnUPskzRnUT2R2T\/j6YijII=\n  TIGER    : t0kardgEjTOXg6kjTOGK1Mjx8jreOu0t | Y3T5gm10e0xJDigOB4ptR4P8a3gIm\/BO\n  SHA256   : ytgCFZCZrZVDM\/2pEwuMplVVQFovJtp\/ | fXsj5k8OZd6253M1rKW5byDKBxVr+rJz\n             jn4\/PtfIwMg=                     | d8iXbqQjp2Y=\n  SHA512   : xD+fcT1TfYyZ2P\/64bwhqF8QfjLA3beU | KR0xDT3k5arE4UW6kkj1a9BcEwWmQYq5\n             3DEWBbHYh7RUXqsgw5M31XuPXd07yTGf | JU+IaCYSIZYTHyGqL\/TNfcgs3r6IF3cC\n             PLF8BSXO+lg2FJutVTICnQ==         | HR7aRxWRpCtZkXaa\/LLb9Q==\n  CRC32    : 7iORCA==                         | 9AxJqw==\n  HAVAL    : LU36UpTcbBHZreZtS1DVY\/Mu7VAlwufB | Lg1NC9WNPmzu363oOCcwOGpqTCcKQXXB\n             dkh20rP9YN0=                     | fYZu63QXIdo=\n  GOST     : UizSu5hJ9mvqCHDunME\/8o1LtXGkpCBs | oKfk9n2Jb+MlDmQ7E6gPARIRR\/FN6qV1\n             Fem5UwkVNso=                     | Rc88UrTd4Cg=\n\nFile: \/var\/cache\/private\/fwupdmgr\/fwupd\/lvfs-metadata.xml.gz.asc\n  Mtime    : 2020-08-09 16:13:38 +0300        | 2020-08-17 22:49:35 +0300\n  Ctime    : 2020-08-09 16:13:38 +0300        | 2020-08-17 22:49:35 +0300\n  Inode    : 1181386                          | 1181212\n  RMD160   : vQ1t+LGm8JuDNXaNfQf5Nu2uLBs=     | qYgiTufncPHlLLPVTBTBnjwen70=\n  TIGER    : C\/FgkLFD0yvufVxCIJ1557UwwmB5gT6g | Hrr56nR+iS22evWzhCcjsaB3b18ex4n7\n  SHA256   : AZx4XHuXpkh5nNNJvwBbss02Q4JHar8m | u0qnWOIOXKe4MqWv2NoRA+aEiCv+RAoO\n             XVbklfUeh44=                     | hFC2pluDo3A=\n  SHA512   : oyfQwrMKK6ClBDTpfl1ws83JauDn2jZB | 
JfbGNhvPrpPBNmix0TGRhDira4Q+uAMj\n             zOrKNml9JckZUIyWfo+LXGxTfFFMFqda | 69NUjYgioKTLP3gHWy6ya0T\/aaZW9nNG\n             SvNMs5h6hLHA6OgAjGeZAw==         | r5Vp20NYg3ovJGecFN3r\/w==\n  CRC32    : K4sNnw==                         | ju3ORQ==\n  HAVAL    : QDsY4hzIXYWAntBnZdDHyUVhd78YzBmS | Wve1Dsn7wJ3Mg+tUIOQ0BJ1GuXj3OFXA\n             6EaWU+pYT6Q=                     | mDBV\/Fe7Y4M=\n  GOST     : 4atPHXn4P+PDrEWCb152oGA85SLNMaDu | K0ZAsfW3Su73\/Rcfmg1Ktl73rTt6YogM\n             L4WsklT4hhA=                     | u+5mW4UGSIs=\n\nFile: \/var\/log\/journal\/088f282d218f4067987670b09ad3319e\/system.journal\n  Mtime    : 2020-08-17 22:49:37 +0300        | 2020-08-17 23:08:00 +0300\n  Ctime    : 2020-08-17 22:49:37 +0300        | 2020-08-17 23:08:00 +0300\n  RMD160   : Yr9Qt19hUZ\/vs5VHanGI0XWPsec=     | sxiZM4GD9+bT7xpnQaQ2Y4BXgBg=\n  TIGER    : n4IiYoU+90aNo48QP8NNJ+UqRpnYmSIj | Yc0FFEN093uNlzOju7CnxbgxAkGiGFeZ\n  SHA256   : MChIPiES5Fy1s2cPY6NrEzSj2QcukevK | 5bewLryKRLaDtmVztDAPnF4yXjCGPgvD\n             oIvAVvFr2IY=                     | D6L08jLUvMk=\n  SHA512   : 0Q1LGzvO2+GyEagYpI8L9Piwy2gK5mpk | 99Oh6\/6dLkz2hLKxc9fLGMSL+9YPBzgH\n             Qh5m6r16cvD1eMVIvczF7xuh34wD3464 | AAuGk7aLHfJkOWDOBqAAL35+0J\/7nipy\n             \/ljj8kNwm9MTkTWO9AXs0Q==         | 90PGDHUYX91R9R1ZPggD3A==\n  CRC32    : aKCqmw==                         | cWJs5g==\n  HAVAL    : evOCIyBezEFHhlPo1udj0pzEe4yCyqLV | pHrfpI3QSMlc+mws8OwsLtSdTH2Ra8jU\n             aYmYblzdGl8=                     | e8bAgekKWpg=\n  GOST     : +9GrDgi8EyOZk\/msfzK3Tngs\/d06\/R16 | 2K0ZA6o9634mdHTTfeEWVQ1BGY9zB9eA\n             bbeLzmRnGMU=                     | GI9VMXJbAxs=\n\nDirectory: \/var\/tmp\n  Linkcount: 5                                | 6\n\n\n---------------------------------------------------\nThe attributes of the (uncompressed) database(s):\n---------------------------------------------------\n\n\/var\/lib\/aide\/aide.db\n  RMD160   : SHHCkuxGwovE79pnRzjF2FWY9l0=\n  TIGER    : 
4WDF8gbxMdVskus0b683V4qei0dmZ9OE\n  SHA256   : iWlmKb+neZVRRT66cce5oY8yYcj21F2d\n             RmQr0OZlAiU=\n  SHA512   : 2mne5zEs5MbQnsVf0HOCUgPf892GfGQF\n             duxUaOzNU9F7gFdpp7W1\/LWYsq2IqkzV\n             kN0eJX0mq7vZaa37lr\/kpg==\n  CRC32    : vLZ\/gQ==\n  HAVAL    : apU71suq+RVvyVm+OzkNE26OCSQ6d3AE\n             8g9DUVYavJY=\n  GOST     : PICK1Cdw+Ma5OYP4JKhxRsyhQ8cXiBjG\n             XsbXV19I+0E=\n\n\nEnd timestamp: 2020-08-17 23:14:03 +0300 (run time: 15m 34s)\n<\/code><\/pre>\n\n\n\n

From the output above, AIDE found a number of filesystem changes. Each entry starts with a 17-character summary string: the file type (f<\/code> file, d<\/code> directory, l<\/code> symlink), then one position per attribute in the order link name, size, block count, permissions, uid, gid, atime, mtime, ctime, inode, link count, checksum, ACL, xattrs, SELinux context and e2fs attributes. A dot means unchanged, a space means not compared, <<\/code>, ><\/code> and =<\/code> show the size shrinking, growing or staying the same, and a letter marks a changed attribute. So f >b... mc..C.. .: \/etc\/aide\/aide.conf<\/code> says the file grew and its block count, mtime, ctime and checksum changed, which matches the detailed section (the file was just overwritten by the copy step above). Most of the other hits are under \/run<\/code>, \/tmp<\/code> and \/var\/cache<\/code>, volatile paths better excluded from the rules than investigated every run; the entries that matter are unexpected checksum (C<\/code>) or permission (p<\/code>) changes on system files.<\/p>\n\n\n\n
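The summary strings are easy to misread by hand. The shell snippet below is an added example, not part of the AIDE package or of this tutorial: it decodes each summary string with awk and then keeps only the entries whose checksum changed outside volatile paths. The sample lines are copied from the report above; the function names and the list of excluded prefixes are choices made here for illustration.<\/p>\n\n\n\n

```shell
# Added example (not from the aide package or this tutorial): decode the
# 17-character summary string that starts each "Added/Removed/Changed entries"
# line of an AIDE report. Layout per aide(1): Y l Z b p u g a m c i n C A X S E
# (type, link name, size, block count, perms, uid, gid, atime, mtime, ctime,
# inode, link count, checksum, ACL, xattrs, SELinux, e2fs attrs).
# "." = unchanged, " " = not compared, "<" ">" "=" = size shrank/grew/same.

# Print "<kind><TAB><path><TAB><changed attributes>" for each summary line on stdin.
aide_explain_summary() {
    awk '
    BEGIN {
        names[2]  = "linkname"; names[3]  = "size";    names[4]  = "bcount"
        names[5]  = "perm";     names[6]  = "uid";     names[7]  = "gid"
        names[8]  = "atime";    names[9]  = "mtime";   names[10] = "ctime"
        names[11] = "inode";    names[12] = "nlink";   names[13] = "hash"
        names[14] = "acl";      names[15] = "xattrs";  names[16] = "selinux"
        names[17] = "e2fsattrs"
    }
    length($0) >= 20 && substr($0, 18, 2) == ": " {
        summary = substr($0, 1, 17)
        path = substr($0, 20)
        marker = substr(summary, 2, 1)
        if (marker == "+") { print "added\t" path "\t-"; next }
        if (marker == "-") { print "removed\t" path "\t-"; next }
        attrs = ""
        for (i = 2; i <= 17; i++) {
            c = substr(summary, i, 1)
            if (c == "." || c == " " || c == "=") continue
            name = names[i]
            if (i == 3) name = name c        # size< (shrank) or size> (grew)
            attrs = attrs (attrs == "" ? "" : ",") name
        }
        print "changed\t" path "\t" attrs
    }'
}

# Keep only entries whose checksum changed, ignoring the volatile paths that
# produced most of the noise in the report above (exclusion list is a choice
# made for this example, not an AIDE default).
aide_content_changes() {
    aide_explain_summary | awk -F '\t' '
        $1 == "changed" && index("," $3 ",", ",hash,") > 0 &&
        $2 !~ /^\/(run|tmp|var\/cache|var\/log\/journal)\// { print $2 }'
}

# Sample lines copied from the check output earlier on this page.
AIDE_SAMPLE='f++++++++++++++++: /var/lib/aide/aide.db
f >b... mc..C.. .: /etc/aide/aide.conf
d   ...    n ..  : /run
f =.... mci....  : /run/systemd/resolve/stub-resolv.conf
f >b... mci.C.. .: /var/cache/fwupd/metadata.xmlb
f =.... mc..C.. .: /var/log/journal/088f282d218f4067987670b09ad3319e/system.journal'

printf '%s\n' "$AIDE_SAMPLE" | aide_content_changes   # prints /etc/aide/aide.conf
```

With a real report, pipe the output of aide --check<\/code> into aide_content_changes<\/code>; on a quiet server anything it prints deserves a look, while the decoded attribute list from aide_explain_summary<\/code> tells you whether a hit is content, metadata or just a link count.<\/p>\n\n\n\n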

Testing AIDE on Ubuntu 20.04<\/h4>\n\n\n\n

You can now create new files, edit some and delete some, then re-run the AIDE check to see how AIDE detects these changes.<\/p>\n\n\n\n

echo \"1.2.3.4 test.kifarunix-demo.com\" >> \/etc\/hosts<\/code><\/pre>\n\n\n\n
touch \/etc\/newfile<\/code><\/pre>\n\n\n\n
rm -rf \/etc\/issue<\/code><\/pre>\n\n\n\n

After making these changes, re-run the AIDE database check against the filesystem.<\/p>\n\n\n\n

aide -c \/etc\/aide\/aide.conf -C<\/code><\/pre>\n\n\n\n

Limiting AIDE's Integrity Checks to Specific Files\/Directories<\/h4>\n\n\n\n

To limit the integrity check to specific entries, for example \/etc<\/code>, pass the --limit REGEX<\/code> option to the AIDE check command, where REGEX is a regular expression matched against the beginning of each path.<\/p>\n\n\n\n

For example, to check only the database entries matching \/etc<\/code>, you would run the aide command as shown below;<\/p>\n\n\n\n

aide -c \/etc\/aide\/aide.conf --limit \/etc --check<\/code><\/pre>\n\n\n\n

To exclude some directories, edit the configuration file, \/etc\/aide\/aide.conf<\/code>, and append negative selection lines (a leading !<\/code> followed by a regular expression anchored at the start of the path) for the directories to ignore, in the format;<\/p>\n\n\n\n

!\/home\/\n!\/var\/lib\/\n!\/proc<\/code><\/pre>\n\n\n\n

Using Custom AIDE Configuration<\/h4>\n\n\n\n

You can also create your own configuration and define exactly what is checked and what is not. See the example configuration below;<\/p>\n\n\n\n

mkdir \/home\/koromicha\/aide<\/code><\/pre>\n\n\n\n
vim \/home\/koromicha\/aide\/aide.conf<\/code><\/pre>\n\n\n\n
# Path for creating the databases\ndatabase=file:\/home\/koromicha\/aide\/aide.db\ndatabase_out=file:\/home\/koromicha\/aide\/aide.db.new\n# Database read by --compare\ndatabase_new=file:\/home\/koromicha\/aide\/aide.db.new\n\n# Custom rule: permissions, link count, user, group, size, mtime, ctime,\n# extended attributes, MD5 and SHA512 checksums\nMYRULE=p+n+u+g+s+m+c+xattrs+md5+sha512\n\n# Directories\/files to monitor and the rule to apply.\n# The system paths are commented out here only to keep the test run short.\n#\/etc MYRULE\n#\/bin MYRULE\n#\/usr\/bin MYRULE\n\/home MYRULE\n\n# Directories to ignore (negative selection lines start with !)\n!\/proc<\/code><\/pre>\n\n\n\n

The rule set above checks permissions (p), number of links (n), user (u), group (g), size (s), modification time (m), inode\/file change time (c), extended attributes (xattrs), and the MD5 and SHA512 checksums.<\/p>\n\n\n\n

Initialize the database with the new configuration;<\/p>\n\n\n\n

sudo aide -c \/home\/koromicha\/aide\/aide.conf -i<\/code><\/pre>\n\n\n\n

Copy the database in place;<\/p>\n\n\n\n

cp \/home\/koromicha\/aide\/aide.db{.new,}<\/code><\/pre>\n\n\n\n

Verify the configuration file for errors by running the command below;<\/p>\n\n\n\n

aide -c \/home\/koromicha\/aide\/aide.conf --config-check<\/code><\/pre>\n\n\n\n

Check the command exit status.<\/p>\n\n\n\n

echo $?<\/code><\/pre>\n\n\n\n

AIDE Diagnostics<\/h4>\n\n\n\n

According to the AIDE man page, AIDE's exit status is normally 0 if no errors occurred, except when the --check<\/code>, --compare<\/code> or --update<\/code> command was requested, in which case the exit status is defined as:<\/p>\n\n\n\n

   1 * (new files detected?)     +\n\n   2 * (removed files detected?) +\n\n   4 * (changed files detected?)\n\n   Since  those three cases can occur together, the respective error codes are added. For example, if there are new files and removed files detected, the exit status will be 1 + 2 = 3.\n\n   Additionally, the following exit codes are defined for generic error conditions:\n\n   14 Error writing error\n\n   15 Invalid argument error\n\n   16 Unimplemented function error\n\n   17 Invalid configureline error\n\n   18 IO error\n\n   19 Version mismatch error\n<\/code><\/pre>\n\n\n\n

NOTE<\/strong>: Whenever you change the AIDE configuration, re-initialize the database and copy it into place so that the baseline matches the new rule set.<\/p>\n\n\n\n

Now make some changes, for example create a new directory and a new file;<\/p>\n\n\n\n

rm -rf \/home\/koromicha\/aide\/aide.db.new\nmkdir \/home\/koromicha\/test-dir\ntouch \/home\/koromicha\/test-file<\/code><\/pre>\n\n\n\n

You can then run AIDE against your custom configuration.<\/p>\n\n\n\n

aide -c \/home\/koromicha\/aide\/aide.conf -C<\/code><\/pre>\n\n\n\n
Start timestamp: 2020-08-18 08:35:18 +0300 (AIDE 0.16.1)\nAIDE found differences between database and filesystem!!\n\nSummary:\n  Total number of entries:\t59\n  Added entries:\t\t4\n  Removed entries:\t\t2\n  Changed entries:\t\t2\n\n---------------------------------------------------\nAdded entries:\n---------------------------------------------------\n\nf++++++++++++++++: \/home\/koromicha\/aide\/aide.conf\nf++++++++++++++++: \/home\/koromicha\/aide\/aide.db\nd++++++++++++++++: \/home\/koromicha\/test-dir\nf++++++++++++++++: \/home\/koromicha\/test-file\n\n---------------------------------------------------\nRemoved entries:\n---------------------------------------------------\n\nf----------------: \/home\/koromicha\/aide\/aide.db.new\nf----------------: \/home\/koromicha\/aide.conf\n\n---------------------------------------------------\nChanged entries:\n---------------------------------------------------\n\nd = ... mc n  .  : \/home\/koromicha\nd = ... mc .  .  : \/home\/koromicha\/aide\n\n---------------------------------------------------\nDetailed information about changes:\n---------------------------------------------------\n\nDirectory: \/home\/koromicha\n  Mtime    : 2020-08-18 08:26:21 +0300        | 2020-08-18 08:31:31 +0300\n  Ctime    : 2020-08-18 08:26:21 +0300        | 2020-08-18 08:31:31 +0300\n  Linkcount: 9                                | 10\n\nDirectory: \/home\/koromicha\/aide\n  Mtime    : 2020-08-18 08:27:52 +0300        | 2020-08-18 08:31:14 +0300\n  Ctime    : 2020-08-18 08:27:52 +0300        | 2020-08-18 08:31:14 +0300\n\n\n---------------------------------------------------\nThe attributes of the (uncompressed) database(s):\n---------------------------------------------------\n\n\/home\/koromicha\/aide\/aide.db\n  MD5      : w7Z1b0myNGwnbiexjCsY8Q==\n  SHA1     : PcxP7dFM\/QifwAmkETeX2jdipEc=\n  RMD160   : cOFuj1oXo66UJszu++O3sJSgLtU=\n  TIGER    : 0kW96KfuYLcqSemVRPIQdpItMMqjqk5O\n  SHA256   : CJxvbpOch28A0zbBds\/WsVHwIoD2m9wR\n       
      Z3eZLE8nSkQ=\n  SHA512   : WhCWUC0HX2vcQLxS+CMe3iMmw4tjzM4N\n             72q+Ni+kn4AVMMB8MD6mDtouRYwtnEI0\n             nH7c+WdCoX303Y6dmjH65Q==\n  CRC32    : qhiKSQ==\n  HAVAL    : bIk9sCi3W\/CA2Xen1KHvr5558udvZZcl\n             PzAY\/GgIRd4=\n  GOST     : jpVKL+hk3+IaZ3J+zJkLaU1IlMWksrDo\n             +wNm5MOoWfA=\n  WHIRLPOOL: 2RcZzpfvzIkRRcfkw0TMXZT2zEFammH4\n             j5JT9ZO41knXTmMkJ4TT1PD4+uRNBFBW\n             Bylc3q2qfpC+Z1lPQ4lKkQ==\n\n\nEnd timestamp: 2020-08-18 08:35:19 +0300 (run time: 0m 1s)\n<\/code><\/pre>\n\n\n\n

Sending AIDE Report via Mail<\/h4>\n\n\n\n

On installation, the Ubuntu package sets up a daily cron job, \/etc\/cron.daily\/aide<\/code>. The output of that check is mailed to the user specified in the MAILTO=<\/code> directive of the \/etc\/default\/aide<\/code> configuration file.<\/p>\n\n\n\n

To send the AIDE report by mail, edit \/etc\/default\/aide<\/code> and set the MAILTO<\/code> directive to your email address, so that it looks like below. The default recipient is root<\/code>.<\/p>\n\n\n\n

vim \/etc\/default\/aide<\/code><\/pre>\n\n\n\n
...\n#MAILTO=root\nMAILTO=analyst@kifarunix-demo.com<\/code><\/pre>\n\n\n\n

Most of the AIDE default parameters are defined in this file. It is well commented, so go through it to see what other options you may want to enable or disable.<\/p>\n\n\n\n

Email delivery only works if you have configured an MTA on the host. Follow the links below to learn how to configure Postfix to relay through Gmail SMTP;<\/p>\n\n\n\n

Configure Postfix to Use Gmail SMTP on Ubuntu 20.04<\/a><\/p>\n\n\n\n

Configure Postfix to Use Gmail SMTP on Ubuntu 18.04<\/a><\/p>\n\n\n\n

Instead of changing the recipient address as above, you can edit the Postfix aliases file and map root<\/code> to the address that should receive the AIDE reports (run newaliases<\/code> afterwards so Postfix picks up the change);<\/p>\n\n\n\n

vim \/etc\/aliases<\/code><\/pre>\n\n\n\n
postmaster:    root\nroot:   analyst@kifarunix-demo.com<\/code><\/pre>\n\n\n\n

You can also install a cron job of your own to run AIDE at a specific interval. Set MAILTO<\/code> in the crontab so that the job's output is mailed to the right address;<\/p>\n\n\n\n

sudo crontab -e<\/code><\/pre>\n\n\n\n
MAILTO=analyst@kifarunix-demo.com\n*\/10 * * * * aide -c \/home\/koromicha\/aide\/aide.conf -C<\/code><\/pre>\n\n\n\n

This runs the AIDE check every 10 minutes and, since cron mails whatever a job prints, delivers the report to analyst@kifarunix-demo.com<\/code> (without MAILTO<\/code> in the crontab the mail goes to the crontab owner, root, which the alias above also forwards). Avoid the tempting one-liner aide ... -u && cp \/path\/aide.db{.new,}<\/code>: cron runs jobs with \/bin\/sh<\/code>, which on Ubuntu is dash and does not expand {.new,}<\/code>, and aide -u<\/code> exits non-zero whenever it finds changes, so the copy would only ever run when nothing changed. More importantly, promoting every new database automatically would bake an intruder's modifications into the baseline within ten minutes; refresh the baseline deliberately, after reviewing the report.<\/p>\n\n\n\n
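The wrapper below is an added example rather than code from AIDE or from this tutorial. It ties the exit-status table from the AIDE Diagnostics section above to the cron job: it classifies the status, spells it out for the mailed report, and leaves promotion of the new database to an explicit, reviewed step (the same copy step used under Install New AIDE Database, with a backup of the old baseline and the SHA-256 of the new one printed for off-host recording). AIDE_CONF<\/code>, AIDE_DB_DIR<\/code>, the script name and the function names are assumptions made here; the exit codes are the ones documented in man aide<\/code>.<\/p>\n\n\n\n

```shell
# Added example (not from the aide package or this tutorial): cron wrapper that
# interprets the exit status of "aide --update" as documented in man aide and
# leaves installing the new baseline to a deliberate, reviewed step.
# AIDE_CONF, AIDE_DB_DIR and the function names below are assumptions.

AIDE_CONF=${AIDE_CONF:-/etc/aide/aide.conf}
AIDE_DB_DIR=${AIDE_DB_DIR:-/var/lib/aide}

# Classify an exit status: clean (0), changed (1-7, a bitmask of
# new/removed/changed files) or error (14-19 and anything unexpected).
aide_status_kind() {
    case "$1" in
        0) echo clean ;;
        [1-7]) echo changed ;;
        *) echo error ;;
    esac
}

# Spell the status out, e.g. 3 -> "new files, removed files".
aide_status_describe() {
    code=$1
    case "$code" in
        0)  echo 'no changes detected'; return 0 ;;
        14) echo 'error writing error'; return 0 ;;
        15) echo 'invalid argument error'; return 0 ;;
        16) echo 'unimplemented function error'; return 0 ;;
        17) echo 'invalid configureline error'; return 0 ;;
        18) echo 'IO error'; return 0 ;;
        19) echo 'version mismatch error'; return 0 ;;
    esac
    if [ "$code" -lt 1 ] || [ "$code" -gt 7 ]; then
        echo "unknown exit status $code"
        return 0
    fi
    desc=''
    if [ $((code & 1)) -ne 0 ]; then desc='new files'; fi
    if [ $((code & 2)) -ne 0 ]; then desc="${desc:+$desc, }removed files"; fi
    if [ $((code & 4)) -ne 0 ]; then desc="${desc:+$desc, }changed files"; fi
    echo "$desc"
}

# Promote NEW to the live database DB only after the report has been reviewed:
# keep a timestamped copy of the old baseline and print the SHA-256 of the
# database now in use so it can be recorded off-host.
aide_promote_db() {
    new=$1
    db=$2
    if [ ! -s "$new" ]; then
        echo "no new database at $new" >&2
        return 1
    fi
    if [ -f "$db" ]; then
        cp -p "$db" "$db.$(date +%Y%m%d%H%M%S).bak"
    fi
    mv "$new" "$db"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$db"
    fi
    return 0
}

# Cron entry point: run the check, describe the result for the mailed report,
# point at the staged database when something changed, and return non-zero
# only for genuine aide errors.
aide_cron_check() {
    if aide -c "$AIDE_CONF" --update; then status=0; else status=$?; fi
    kind=$(aide_status_kind "$status")
    echo "aide exit $status ($kind): $(aide_status_describe "$status")"
    case "$kind" in
        changed)
            echo "new database staged at $AIDE_DB_DIR/aide.db.new; review the report, then run:"
            echo "  aide_promote_db $AIDE_DB_DIR/aide.db.new $AIDE_DB_DIR/aide.db"
            ;;
        error) return 1 ;;
    esac
    return 0
}

# Only touch the real system when invoked as: sh aide-check.sh --cron
if [ "${1:-}" = --cron ]; then
    aide_cron_check
fi
```

Install the script somewhere like \/usr\/local\/sbin\/aide-check.sh<\/code> (path assumed), call it from the crontab as sh \/usr\/local\/sbin\/aide-check.sh --cron<\/code>, and after reading a mailed report run aide_promote_db<\/code> by hand only when every reported change is accounted for.<\/p>\n\n\n\n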

It is also worth noting that AIDE checks can be resource intensive (the full check above took over 15 minutes) and may affect system performance while they run, so schedule them for quiet periods.<\/p>\n\n\n\n

Reference<\/h3>\n\n\n\n

man aide<\/code><\/p>\n\n\n\n

man aide.conf<\/code><\/p>\n\n\n\n

AIDE<\/a><\/p>\n\n\n\n

Related Tutorials<\/h3>\n\n\n\n

Install and Configure Tripwire Security Monitoring tool on CentOS 8<\/a><\/p>\n\n\n\n

Install and Configure AIDE on Ubuntu 18.04<\/a><\/p>\n\n\n\n

Install and Setup Lynis Security Auditing tool on CentOS 8<\/a><\/p>\n\n\n\n

Install OSSEC HIDS Agent on Ubuntu 20.04<\/a><\/p>\n\n\n\n

Install OSSEC Agent on CentOS 8<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

In this tutorial, you will learn how to install and configure AIDE on Ubuntu 20.04. AIDE stands for Advanced Intrusion Detection Environment. AIDE is an intrusion detection system that detects<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,34],"tags":[311,1918,1919,1897,1920,1917,1200],"class_list":["post-6718","post","type-post","status-publish","format-standard","hentry","category-howtos","category-security","tag-aide","tag-configure-aide-for-file-integrity-checks","tag-file-integrity","tag-file-integrity-checks-in-linux","tag-file-integrity-monitoring","tag-install-aide-on-ubuntu-20-04","tag-ubuntu-20-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6718"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=6718"}],"version-history":[{"count":12,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6718\/revisions"}],"predecessor-version":[{"id":21475,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6718\/revisions\/21475"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=6718"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=6718"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=6718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}