How to Install and configure AIDE Host Based IDS on RHEL 8 / CentOS 8


AIDE (Advanced Intrusion Detection Environment) is a Host Based Intrusion Detection System (HIDS) for checking the integrity of files. AIDE creates a baseline database of files on an initial run, and then checks this database against the system on subsequent runs.

The file properties that can be checked against include:

  • inode
  • Permissions
  • Modification time
  • File contents, etc.

Please note that AIDE does not check for rootkits or parse log files for suspicious activity. For that, you can use another HIDS such as OSSEC.

How to Install AIDE on RHEL 8

The AIDE package is available in the default RHEL 8 repositories. Run the command below to install it:

sudo yum -y install aide

View the package details with rpm:

$ rpm -qi aide
 Name        : aide
 Version     : 0.16
 Release     : 8.el8
 Architecture: x86_64
 Install Date: Wed 20 NOV 2022 10:19:13 AM EAT
 Group       : Unspecified
 Size        : 382492
 License     : GPLv2+
 Signature   : RSA/SHA256, Fri 12 Oct 2018 02:15:34 PM EAT, Key ID 199e2f91fd431d51
 Source RPM  : aide-0.16-8.el8.src.rpm
 Build Date  : Wed 10 Oct 2018 08:50:10 PM EAT
 Build Host  : x86-vm-08.build.eng.bos.redhat.com
 Relocations : (not relocatable)
 Packager    : Red Hat, Inc. http://bugzilla.redhat.com/bugzilla
 Vendor      : Red Hat, Inc.
 URL         : http://sourceforge.net/projects/aide
 Summary     : Intrusion detection environment
 Description :
 AIDE (Advanced Intrusion Detection Environment) is a file integrity
 checker and intrusion detection program.

Configuring AIDE on RHEL 8

The default config file at /etc/aide.conf has pretty sane defaults and is heavily commented.

If you want to change the rules, see:

 man aide.conf

You can also read the AIDE Manual for documentation.

Set /var/log monitoring

Edit the /var/log line in /etc/aide.conf and change it from:

/var/log   LOG

To:

/var/log   p+u+g+i+n+acl+selinux+xattrs

Initialize database

You can make any other changes you wish. When done, initialize the AIDE database by running:

$ sudo aide --init 
 Start timestamp: 2019-01-02 10:43:56 +0300 (AIDE 0.16)
 AIDE initialized database at /var/lib/aide/aide.db.new.gz
 Number of entries:    36380
 
 The attributes of the (uncompressed) database(s):
 /var/lib/aide/aide.db.new.gz
   MD5      : oNfFcURzLLDyAJjlLWAM1A==
   SHA1     : k8ln2HHU9ylfP2Btvmvubt+CxDs=
   RMD160   : ln350FamsGUpt5TdLNMvDGRc18w=
   TIGER    : d3nafwSfYSC83zQTII9WpPNTo4iI0xTQ
   SHA256   : 4vybmPIwHjO0Lmp1gePwoohUx/Gi9wC9
              KTPPhvoYWNk=
   SHA512   : SjrNZ94tZGoJImhLsY6Pah/P4JwwKJ7j
              IDxOoTvflM1roQWpjtK22HCvozXPycIp
              26E/AtBZz9KY+urxFQq5NA==
 End timestamp: 2019-01-02 10:44:23 +0300 (run time: 0m 27s)

When done, copy the generated database into place as the master (baseline) database:

sudo cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

To check the AIDE configuration file for errors, use:

$ sudo aide -D

To check the filesystem against the baseline database, use:

$ sudo aide --check
 Start timestamp: 2019-01-02 10:57:22 +0300 (AIDE 0.16)
 AIDE found differences between database and filesystem!!
 Summary:
   Total number of entries:    36380
   Added entries:        0
   Removed entries:        0
   Changed entries:        1
 
 Changed entries:
 f = ... mc..C... : /var/log/lastlog
 
 Detailed information about changes:
 File: /var/log/lastlog
   Mtime    : 2019-01-02 10:16:52 +0300        | 2019-01-02 10:53:53 +0300
   Ctime    : 2019-01-02 10:16:52 +0300        | 2019-01-02 10:53:53 +0300
   SHA256   : x7kD8sPdgABF4g4Bqtg0bn1NQAEmrd0Q | BuJ2L78swglnMol2Fi/PvzdQommDhy/a
              7p818Je1NeY=                     | Zk+qg77jXYM=
   SHA512   : AVN6NJXSLJSVe3WzCl9f4hE0BrHMN/Sz | cduO7gO6MIzpnndpakge01potUDeMnn1
              WB4To8uhsa7X5YWvg3pbMoIm5571Hdd2 | lNtsoP2N2zQNPSJNEMQxhy/78JdL6N5q
              kxFERBgvE/6Yk/cSM5Vm4g==         | K8EJ9/YNV+2RGJbRgiaCxA==
 
 The attributes of the (uncompressed) database(s):
 /var/lib/aide/aide.db.gz
   MD5      : oNfFcURzLLDyAJjlLWAM1A==
   SHA1     : k8ln2HHU9ylfP2Btvmvubt+CxDs=
   RMD160   : ln350FamsGUpt5TdLNMvDGRc18w=
   TIGER    : d3nafwSfYSC83zQTII9WpPNTo4iI0xTQ
   SHA256   : 4vybmPIwHjO0Lmp1gePwoohUx/Gi9wC9
              KTPPhvoYWNk=
   SHA512   : SjrNZ94tZGoJImhLsY6Pah/P4JwwKJ7j
              IDxOoTvflM1roQWpjtK22HCvozXPycIp
              26E/AtBZz9KY+urxFQq5NA==
 End timestamp: 2019-01-02 10:57:40 +0300 (run time: 0m 18s)

If you modify a file and run the check again, the change is reported:

$ ll /etc/issue
 -rw-r--r--. 1 root root 23 Oct 16 10:39 /etc/issue
$ sudo chmod 0664 /etc/issue
$ ll /etc/issue
 -rw-rw-r--. 1 root root 23 Oct 16 10:39 /etc/issue
$ sudo  aide --check
............................................

File: /etc/issue
   Perm     : -rw-r--r--                       | -rw-rw-r--
   Ctime    : 2018-12-30 23:45:39 +0300        | 2019-01-02 11:06:07 +0300
   ACL      : A: user::rw-                     | A: user::rw-
              A: group::r--                    | A: group::rw-
              A: other::r--                    | A: other::r--
...............................................................
# Revert the change
$ sudo chmod 0644 /etc/issue

To check the filesystem and write an updated database in the same run, use:

$ sudo aide --update
 Start timestamp: 2019-01-02 11:01:05 +0300 (AIDE 0.16)
 AIDE found differences between database and filesystem!!
 New AIDE database written to /var/lib/aide/aide.db.new.gz
 Summary:
   Total number of entries:    36380
   Added entries:        0
   Removed entries:        0
   Changed entries:        1
 
 Changed entries:
 f = ... mc..C... : /var/log/lastlog
 
 Detailed information about changes:
 File: /var/log/lastlog
   Mtime    : 2019-01-02 10:16:52 +0300        | 2019-01-02 10:53:53 +0300
   Ctime    : 2019-01-02 10:16:52 +0300        | 2019-01-02 10:53:53 +0300
   SHA256   : x7kD8sPdgABF4g4Bqtg0bn1NQAEmrd0Q | BuJ2L78swglnMol2Fi/PvzdQommDhy/a
              7p818Je1NeY=                     | Zk+qg77jXYM=
   SHA512   : AVN6NJXSLJSVe3WzCl9f4hE0BrHMN/Sz | cduO7gO6MIzpnndpakge01potUDeMnn1
              WB4To8uhsa7X5YWvg3pbMoIm5571Hdd2 | lNtsoP2N2zQNPSJNEMQxhy/78JdL6N5q
              kxFERBgvE/6Yk/cSM5Vm4g==         | K8EJ9/YNV+2RGJbRgiaCxA==
 
 The attributes of the (uncompressed) database(s):
 /var/lib/aide/aide.db.gz
   MD5      : oNfFcURzLLDyAJjlLWAM1A==
   SHA1     : k8ln2HHU9ylfP2Btvmvubt+CxDs=
   RMD160   : ln350FamsGUpt5TdLNMvDGRc18w=
   TIGER    : d3nafwSfYSC83zQTII9WpPNTo4iI0xTQ
   SHA256   : 4vybmPIwHjO0Lmp1gePwoohUx/Gi9wC9
              KTPPhvoYWNk=
   SHA512   : SjrNZ94tZGoJImhLsY6Pah/P4JwwKJ7j
              IDxOoTvflM1roQWpjtK22HCvozXPycIp
              26E/AtBZz9KY+urxFQq5NA==
 /var/lib/aide/aide.db.new.gz
   MD5      : QCnHueXv69soyePzxSVNHg==
   SHA1     : erpgcR9xv6CKiDGBkrZn5xdPwhk=
   RMD160   : MOPpCCAPRosIpTzu2eCGzSyfZyY=
   TIGER    : PlVr5EYqxn9uvQB7GI9/r5+SKvjiLASo
   SHA256   : dG5abCnUCW3k11uh9UFB8Xkc8sF4S17W
              6FxhCa7kXoI=
   SHA512   : HUfQd5GI1fEXSDOTsX5TWAlkwla7mG8Y
              g3rdtbtVmN2ss8ytehA8s68cT6aGvWdE
              pJf8WJ8vj7gEGKAIZkcJqw==
 End timestamp: 2019-01-02 11:01:25 +0300 (run time: 0m 20s)
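Both aide --init and aide --update write to /var/lib/aide/aide.db.new.gz, and AIDE keeps comparing against /var/lib/aide/aide.db.gz until that file is replaced, so the cp -p step above has to be repeated after every accepted --update. The script below is an added example (not code from the original post or from the AIDE project) that wraps that promotion step and also records a SHA-256 of the baseline, so a later run can tell whether aide.db.gz itself was swapped out on the host. The paths are the RHEL 8 defaults shown above; the location of the checksum file is an assumption, and in practice that copy belongs off the host or on read-only media.

```shell
#!/bin/sh
# Added example (not code from the original post or from the AIDE project):
# promote the database that `aide --init` or `aide --update` writes to
# aide.db.new.gz into the baseline aide.db.gz, and record the baseline's
# SHA-256 so a later run can detect a replaced baseline. Paths follow the
# RHEL 8 defaults; the checksum file location is an assumption.
set -e

# Print the SHA-256 of a file as a bare hex string.
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# promote_baseline [aide_dir]: copy aide.db.new.gz over aide.db.gz (cp -p keeps
# the timestamps, as in the post) and write the checksum of the new baseline.
promote_baseline() {
    dir="${1:-/var/lib/aide}"
    if [ ! -f "$dir/aide.db.new.gz" ]; then
        echo "no new database at $dir/aide.db.new.gz" >&2
        return 1
    fi
    cp -p "$dir/aide.db.new.gz" "$dir/aide.db.gz"
    file_sha256 "$dir/aide.db.gz" > "$dir/aide.db.gz.sha256"
    echo "baseline promoted: $(cat "$dir/aide.db.gz.sha256")"
}

# verify_baseline [aide_dir]: return 0 if aide.db.gz still matches the recorded
# checksum, 1 if it differs or no checksum was recorded.
verify_baseline() {
    dir="${1:-/var/lib/aide}"
    if [ ! -f "$dir/aide.db.gz.sha256" ]; then
        echo "no recorded checksum for $dir/aide.db.gz" >&2
        return 1
    fi
    expected=$(cat "$dir/aide.db.gz.sha256")
    actual=$(file_sha256 "$dir/aide.db.gz")
    if [ "$expected" != "$actual" ]; then
        echo "BASELINE MISMATCH: expected $expected, got $actual" >&2
        return 1
    fi
    echo "baseline OK"
}

# Typical use (script saved as aide-baseline.sh, an assumed name):
#   sudo aide --init   && sudo ./aide-baseline.sh promote
#   sudo ./aide-baseline.sh verify && sudo aide --check
case "${1:-}" in
    promote) promote_baseline ;;
    verify)  verify_baseline ;;
esac
```

Run the verify step before every check: a clean aide --check means little if the baseline it compared against is not the one you created.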

Set update cron and email notification

For this we will use a pre-made script. Download it with wget:

sudo yum -y install wget
wget https://rfxn.com/downloads/cron.aide -O  aide_cron.sh
chmod +x aide_cron.sh

Edit the file to set the e-mail addresses (comma-separated) that should receive change reports:

email="[email protected],[email protected]"

Set cron

# crontab -e
00 01 * * * /path/to/cron/script
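If you would rather not run a downloaded script from cron as root, the following added example (not the rfxn cron.aide script and not part of the original post) does the same job: it runs the nightly check, parses the Summary block that AIDE 0.16 prints (see the output earlier on this page), and mails the report only when something was added, removed or changed. It deliberately does not promote a new baseline; that stays a manual step after someone has read the report. The report path, the recipient address and the use of the mail command are assumptions.

```shell
#!/bin/sh
# Added example, not the cron.aide script from the post: run the daily AIDE
# check, parse its summary, and mail the report only when something changed.
# AIDE_BIN, AIDE_REPORT and AIDE_MAILTO defaults are assumptions.
set -e

AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
REPORT="${AIDE_REPORT:-/var/log/aide/aide-check.log}"
MAILTO="${AIDE_MAILTO:-root@localhost}"

# Read an AIDE report on stdin and print "added removed changed" counts.
# The Summary block holds lines like "  Changed entries:        1"; the later
# "Changed entries:" heading carries no number and is skipped by the regex.
# A report with no differences has no Summary block, so counts default to 0.
aide_summary_counts() {
    awk '
        /^ *Added entries: *[0-9]+ *$/   { a = $NF }
        /^ *Removed entries: *[0-9]+ *$/ { r = $NF }
        /^ *Changed entries: *[0-9]+ *$/ { c = $NF }
        END { printf "%d %d %d\n", a, r, c }
    '
}

# aide_report_clean <report file>: return 0 when all counts are zero.
aide_report_clean() {
    set -- $(aide_summary_counts < "$1")
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -eq 0 ]
}

# Cron entry point: run the check, keep the report, notify on change.
aide_cron_check() {
    mkdir -p "$(dirname "$REPORT")"
    # aide --check exits non-zero when it finds differences, so do not let
    # set -e abort before the report has been examined.
    "$AIDE_BIN" --check > "$REPORT" 2>&1 || true
    if aide_report_clean "$REPORT"; then
        return 0
    fi
    mail -s "AIDE: changes detected on $(hostname)" "$MAILTO" < "$REPORT"
    return 1
}

# crontab line (assumed install path):  00 01 * * * /usr/local/sbin/aide-cron.sh run
if [ "${1:-}" = "run" ]; then
    aide_cron_check
fi
```

Keeping the full report on disk as well as in the mail means the Detailed information block (the old and new hashes, permissions and ACLs, as shown for /etc/issue above) is still available if the mail is lost.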

That’s all. Enjoy your AIDE Host Based Intrusion Detection System on RHEL 8.


A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.