AIDE stands for Advanced Intrusion Detection Environment. AIDE is a file and directory integrity checker written by Rami Lehti and Pablo Virolainen in 1999.
AIDE supports several message digest algorithms, for example, md5, sha1, rmd160, tiger, crc32, sha256, sha512 to check the integrity of the files.
How AIDE works.
AIDE scans the filesystem and stores the attributes of files, directories in its database. Every time when we run AIDE, it compares the new changes against its previous database and if some file has been altered then it notifies the user.
With this in mind, AIDE should be the first thing you should install after buying a new VPS.
This article a Linux Aide tutorial about how to configure, and use Aide on CentOS 7 in an effective way.
Here’s a what you will find in this Guide.
- Install AIDE.
- Create/Initialize AIDE Database.
- Test working of AIDE.
- Automate the AIDE Daily reporting process.
- EXTRA: Create a label and filter to manage AIDE mail reports in Gmail.
Install AIDE on CentOS 7.
AIDE runs on almost any modern Unix. for example, Linux, Solaris, Mac OS, Unix, OpenBSD, HP-UX etc. We will install AIDE on CentOS 7 in this article. To install AIDE on CentOS 7, we can use this simple command:
shell> yum install aide -y
Check the version of aide by using this command:
shell> aide -v Aide 0.15.1 Compiled with the following options: WITH_MMAP WITH_POSIX_ACL WITH_SELINUX WITH_PRELINK WITH_XATTR WITH_E2FSATTRS WITH_LSTAT64 WITH_READDIR64 WITH_ZLIB WITH_GCRYPT WITH_AUDIT CONFIG_FILE = "/etc/aide.conf"
Also, we can see here the location of AIDE CentOS 7 configuration file /etc/aide.conf.
Now that we have installed AIDE in CentOS 7, we will create our first AIDE database.
Step 2 – Create/Initialize first aide database
We can initialize the first aide database by using the following command:
shell> aide --init
The new AIDE database will be in /var/lib/aide directory.
shell> cd /var/lib/aide [root@debyum aide]# ls -lt total 1352 -rw------- 1 root root 1170228 Dec 5 12:28 aide.db.new.gz
To use this database in AIDE we need to rename it as AIDE only recognizes a database if its name is aide.db.gz.
Now, we will rename the AIDE database by using mv command.
[root@debyum aide]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz [root@debyum aide]# ls -lt total 1352 -rw------- 1 root root 1170228 Dec 5 12:28 aide.db.gz
Next, we will test the working of the aide.
Step 3 – Test the working of AIDE.
Run the first aide –check without making any changes.
[root@myserver aide]# aide --check
Everything Looks Okay. Now we will create a new file. Now, run this check again to see whether AIDE will detect the presence of the new file or not.
Create a new file in /usr/bin/ directory named test.sh.
[root@myserver aide]# touch /usr/bin/test.sh
(DELETE test.sh After setting up AIDE.)
Now we will run aide –check to detect new file.
[root@myserver aide]# aide --check
AIDE has detected the new file and it shows that AIDE is working fine. Now we don’t want AIDE to report this change, again and again, on the next run of AIDE check. So we will update our AIDE database to absorb this change.
Update the AIDE database.
To update the AIDE database with the new changes we will use the aide –update command.
This command will update the new file (test.sh that we created for verification) in AIDE database. After that, it will not report it in the next AIDE check.
Next, create an updated aide database.
[root@myserver aide]# aide --update
Verify the new database.
[root@myserver aide]# ls -lt total 2976 -rw------- 1 root root1170310 Dec 5 12:35 aide.db.new.gz -rw------- 1 root root 1170228 Dec 5 12:28 aide.db.gz
Again, The new aide database created is aide.db.new.gz. To use it with AIDE, we need to again rename it to aide.db.gz.
It’s good practice to save the old database (aide.db.gz) before renaming the new database. This way, we can trace back any changes in the future.
[root@debyum aide]# ls -lshrt total 2.2M 1.1M -rw------- 1 root root 1.1M Dec 5 12:28 aide.db.gz 1.1M -rw------- 1 root root 1.1M Dec 5 12:35 aide.db.new.gz [root@debyum aide]# mv aide.db.gz aide.db.gz.$(date +%Y-%m-%d) [root@debyum aide]# mv aide.db.new.gz aide.db.gz [root@debyum aide]# [root@debyum aide]# ls -lshrt total 2.2M 1.1M -rw------- 1 root root 1.1M Dec 5 12:28 aide.db.gz.2016-12-05 1.1M -rw------- 1 root root 1.1M Dec 5 12:35 aide.db.gz
We can and should automate all these steps to reduce our workload by using a cronjob and a simple script.
Automate the AIDE email reporting process by setting up a Cron Job.
Install Sendmail and Mailx on CentOS 7.
First of all, we need to Install Sendmail and Mailx package.
shell> yum install mailx sendmail -y
Make sure your hostname is a fully qualified domain name(FQDN). server1.domain.com is usually a good choice.
Configure SELinux for Sendmail in CentOS 7.
Check if httpd_can_sendmail boolean is on or off.
shell> getsebool -a | grep sendmail gitosis_can_sendmail --> off httpd_can_sendmail --> off # set this on logging_syslogd_can_sendmail --> off
Now, set httpd_can_sendmail boolean to on (Permanently) by this command:
shell> setsebool -P httpd_can_sendmail=on
Also, Start Sendmail service and enable it to start automatically after reboot.
shell> systemctl enable sendmail.service shell> systemctl start sendmail.service
Create a Script for automatic AIDE email reporting.
Now, we will create a simple script to automate the aide check and email the full report to us on daily basis.
shell> vi /var/log/aide/aide_report.sh #!/bin/sh #DebYum Server report. DATE=`date +%Y-%m-%d` echo $DATE REPORT="Aide-Report-"$DATE.txt echo $REPORT echo "System check !! `date`" > /tmp/$REPORT /usr/sbin/aide --check > /tmp/aide_report.txt cat /tmp/aide_report.txt|/bin/grep -v failed >> /tmp/$REPORT echo "**************************************" >> /tmp/$REPORT /usr/bin/tail -20 /tmp/aide_report.txt >> /tmp/$REPORT echo "****************DONE******************" >> /tmp/$REPORT mail -s "$REPORT `date`" firstname.lastname@example.org < /tmp/$REPORT
Do replace the email address with your own email address.
Finally, set cron job to automate the Aide email reporting process.
shell> crontab -e 06 01 * * 0-6 /var/log/aide/aide_report.sh
For security, change the attributes of this AIDE script.
shell> chattr +i /var/log/aide/aide_report.sh
Don’t forget to restart the Crond Service.
shell> systemctl restart crond.service
Here’s a sample Report sent to my Gmail account by AIDE script.
Create a label and filter to manage AIDE mail reports in Gmail.
The email your server will send as report will most likely end up as a spam in you Email account. To store these reports in a structured way you should create a Label in Gmail. Also, create a filter that will catch those reports and store them under the new label and not as spam.
This is how you can create a new label and filter in Gmail.
Login to your Gmail account and go to Settings.
Under the labels tab, click on Create a new label.
Give the label a new name and click create.
Again, under the Filters and Blocked Addresses tab, click on Create a new filter.
Create a filter by using the most common words that you will expect to find in your AIDE mail report’s subject. Next, click on Create filter with this search.
Add this filter to a label.
Security of your website should always be your first priority. AIDE can help you in detecting authorized and unauthorized changes made in your system. One more time, AIDE should be the first package you should install after buying a new VPS.
If possible, configure AIDE before connecting your system to any network.
I hope this Linux Aide tutorial is useful for you! If I have missed anything, please update us through comment box. I will keep updating the same based on feedback’s received. Thank you! Have a Good day 🙂