Posted by chantra on December 18th, 2006
AIDE is an Intrusion Detection System (IDS). Which means that AIDE is not a tool to prevent an intrusion but is actually here to report that an intrusion might have happened.
This tutorial will show how-to install and configure AIDE so you get daily reports emailed directly to you in which you will be informed of which files might have been modified.
While you might have taken all possible protections not to get cracked by using a firewall, keeping your system softwares up to date, stopping all unrequired services, using long and difficult password… There is still a chance that someone might get into your system.
When intruders penetrate your system there is a great chance that they will want to make their presence as quiet as possible. To do so, they might start by replacing some common binaries such as ls, netstat or ps with versions that won’t make their presence visible.
For instance, ls could be replace with an ls version that won’t show the files they created, netstat will not show certain connection that are used by the intruder and ps will hide the processes ran by the intruder.
AIDE is better installed before your computer even connect to the internet for the first time so you are sure that your machine is clear.
On a debian based system, you can simply run:
#apt-get install aide
In order to get the package installed. At the time of writing, the package was slightly broken so you add to manually run:
# touch /var/lib/aide/aide.db
The latest command will actually complain about the non-presence of /var/lib/aide/aide.conf.autogenerated but don’t worry, the file is actually going to be created.
Default configuration of aide is quite fine. But we are going to tweak it slightly more.
3.1. Who to send the report to?
Reports which are created once a day can be sent to a custom address. On a debian sarge, you need to change the variable MAILTO to which ever address you like.
Default is to send them to root on localhost.
To change it, open and edit /etc/default/aide
3.2. Configuring aide
Most AIDE configuration is in file /etc/aide/aide.conf. This file is pretty well documented and default rules are descent but we are going to make some slight changes.
As I said earlier on, AIDE aims at reporting files that changed since the last snapshot (/var/lib/aide/aide.db). A good security measure is to keep that file on a read-only device such as a floppy disk or a cdrom. If your machine has such a device, you could use the snapshot from that device. So let say that you have a copy of aide.db on a cdrom. To use that snapshot, you could change:
instead. That way, if an intruder get into your machine, he won’t be able to modify aide.db.
Ok, now let see what is going on in /etc/aide/aide.conf.
By default, AIDE checks for changes in Binaries and Libraries directories. Those changes are matched to the BinLib rule, which basically check for any changes in permissions, ownership, modification, access and creation date, size change, md5 and sha1 signature, inode, number of links and block count.
Then, it also check for modifications in the log files against the rule Logs. Because log files tends to grow, you cannot use a signature there and you also have to asked aide not to check for size modification (S).
Okie, this should be enough to get to understand how aide works. Reading through /etc/aide/aide.conf is a good place to learn more.
To me, there is actually another place I would like aide to go and check. This is /etc/. To do so, I added:
in /etc/aide/aide.conf, this will check for changes in /etc/.
3.3. Updating aide
On debian likes, aide is run on a daily basis through the script /etc/cron.daily/aide. Default settings in /etc/default/aide tells aide to update it’s database. Using database_out value in /etc/aide/aide.conf, aide is going to output a new database any time it runs in /var/lib/aide/aide.db.new if you kept the default settings.
Any time you will install new packages, change some configuration settings… it will be worth using an up-to-date database so aide won’t report any changes or addition in /etc/mynewsoft, /bin/mynewsoft …
So, when you install new softwares, make some configuration changes …, run:
Then, check in the report that modifications were only brought to the files you intended to modify and that added files are only coming from packages you have just installed.
Once you are sure that everything is fine, copy the new database to whatever place your database points to (cdrom, floppy, somewhere on you filesystem….).
This way, you will get lighter reports next time aide runs.
Aide is not meant to prevent intrusion, but rather detect if an intrusion occured. Using aide, you will be able to get a report of which files have changed since the last snapshot which will help you out in sanitizing your box to be back up.