AIDE On CentOS 7
File and directory integrity checker.

AIDE (Advanced Intrusion Detection Environment, [eyd]) is a file and directory integrity checker.

AIDE is one of the most popular tools for monitoring file and directory changes on a Linux-based server.

Aide creates a database from the regular expression rules that it finds from the config file(s). Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms that are used to check the integrity of the file. All of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions. 

Main Features

  • supported message digest algorithms: md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool (additionally with libmhash: gost, haval, crc32b)
  • supported file attributes: File type, Permissions, Inode, Uid, Gid, Link name, Size, Block count, Number of links, Mtime, Ctime and Atime
  • support for Posix ACL, SELinux, XAttrs and Extended file system attributes if support is compiled in
  • plain text configuration files and database for simplicity
  • powerful regular expression support to selectively include or exclude files and directories to be monitored
  • gzip database compression if zlib support is compiled in
  • stand alone static binary for easy client/server monitoring configuration

We will be installing AIDE on a CentOS 7 Linux server.

The version currently available via YUM is 0.15.1.

1. We will be using the YUM package manager to install AIDE.

[hme@hme ~]# sudo yum install aide -y
Resolving Dependencies
--> Running transaction check
---> Package aide.x86_64 0:0.15.1-13.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================================================
 Package                             Arch                                  Version                                         Repository                           Size
=====================================================================================================================================================================
Installing:
 aide                                x86_64                                0.15.1-13.el7                                   base                                133 k

Transaction Summary
=====================================================================================================================================================================
Install  1 Package

Total download size: 133 k
Installed size: 311 k
Downloading packages:
aide-0.15.1-13.el7.x86_64.rpm                                                                                                                 | 133 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : aide-0.15.1-13.el7.x86_64                                                                                                                         1/1
  Verifying  : aide-0.15.1-13.el7.x86_64                                                                                                                         1/1

Installed:
  aide.x86_64 0:0.15.1-13.el7

Complete!

2. We can run the aide -v command to confirm the AIDE version and locate the configuration file.

[hme@hme ~]# sudo aide -v
Aide 0.15.1

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
WITH_AUDIT

CONFIG_FILE = "/etc/aide.conf"

3. We next need to create the database of our files and directory structure for AIDE to check against when it is run.

[hme@hme ~]# sudo aide --init
AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

4. We run the mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz command to rename the new database to aide.db.gz. 

[hme@hme ~]# sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

5. Once the database has been renamed we can run aide --check to confirm the database is correct. If everything matches you should get back the message "### All files match AIDE database. Looks okay!", as below.

[hme@hme ~]# sudo aide --check
AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

6. To confirm AIDE is actually monitoring your files and directories, create a file by hand and check that it is detected.

Create a file with touch and re-run the aide --check command.

[hme@hme ~]# touch testfile
[hme@hme ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2021-01-31 17:06:11

Summary:
  Total number of files: 88889
  Added files: 1
  Removed files: 0
  Changed files: 0

---------------------------------------------------
Added files:
---------------------------------------------------

added: /hme/testfile

7. As shown above, AIDE has detected the new file. If the file is legitimate and meant to be on the server, run aide --update to add it to the database (this writes the refreshed database to /var/lib/aide/aide.db.new.gz), or re-run steps 3 and 4 above.

[hme@hme ~]# aide --update
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2021-01-31 17:18:04

Summary:
  Total number of files: 88889
  Added files: 1
  Removed files: 0
  Changed files: 0

---------------------------------------------------
Added files:
---------------------------------------------------

added: /hme/testfile

8. It's good practice to always keep the old AIDE database and rename the updated one on a daily basis, in case you need to look back at changes from the past.

[hme@hme ~]# cd /var/lib/aide/
[hme@hme aide]# ls
aide.db.gz  aide.db.new.gz
[hme@hme aide]# mv aide.db.gz aide.db.gz-Jan312021
[hme@hme aide]# mv aide.db.new.gz aide.db.gz
[hme@hme aide]# ls
aide.db.gz  aide.db.gz-Jan312021

9. Some files change constantly, log files for example. For these we can add exceptions to the AIDE config file so they are ignored.

Open the AIDE config file with nano /etc/aide.conf and add the paths you would like AIDE to ignore, prefixed with an exclamation mark:

[hme@hme ~]# nano /etc/aide.conf

!/var/log/.*     # ignore the log dir it changes too often

10. We can automate the check with cron: run aide --check, save the report to a file, and then use mailx to send us the file every hour, day, week or whatever period suits our needs. The entry below runs the check every 12 hours:

0 */12 * * * /usr/sbin/aide --check > /var/log/aide/SystemFileCheck.log
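The cron line above overwrites its report on every run and does not send the mail itself; the wrapper below is an added example (not from the original article) that keeps a timestamped report per run and mails it with mailx only when AIDE lists added, removed or changed files, or when the report has no summary at all because AIDE failed to run. It assumes the CentOS 7 paths /usr/sbin/aide and /var/log/aide and the local root mailbox as recipient.

```shell
#!/bin/sh
# Added example, not part of the original article: a wrapper for the cron job
# in step 10. It runs aide --check into a timestamped report and mails the
# report with mailx only when it needs a human to look at it.
# Assumptions: aide lives at /usr/sbin/aide (as on CentOS 7), reports go under
# /var/log/aide, and mail goes to the local root mailbox.

AIDE_BIN=/usr/sbin/aide
LOG_DIR=/var/log/aide
MAIL_TO=root

# Return 0 (true) when a report should be mailed: AIDE listed added, removed
# or changed files, or the report has no recognisable summary (AIDE did not
# finish, which is itself worth knowing about). Return 1 for a clean run.
aide_report_needs_attention() {
    report="$1"
    # a clean run prints only "### All files match AIDE database. Looks okay!"
    grep -q "All files match AIDE database" "$report" && return 1
    # no "Summary:" block means aide did not finish (bad config, missing db...)
    grep -q "^Summary:" "$report" || return 0
    # add up the "Added files: N" / "Removed files: N" / "Changed files: N" lines
    total=$(awk '/^ *(Added|Removed|Changed) files:/ { sum += $NF } END { print sum + 0 }' "$report")
    [ "$total" -gt 0 ]
}

run_check() {
    stamp=$(date +%Y%m%d-%H%M)
    report="$LOG_DIR/SystemFileCheck-$stamp.log"
    mkdir -p "$LOG_DIR"
    # aide may exit non-zero when it finds differences; don't let that abort us
    "$AIDE_BIN" --check > "$report" 2>&1 || true
    if aide_report_needs_attention "$report"; then
        mailx -s "AIDE report for $(hostname) needs attention" "$MAIL_TO" < "$report"
    fi
}

# Run the real check only when called with --run, e.g. from cron
# (script path is an assumption):
#   0 */12 * * * /usr/local/sbin/aide-check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```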

11. We can also read AIDE's own log file with less /var/log/aide/aide.log.

[hme@hme aide]# less /var/log/aide/aide.log
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2021-01-31 17:20:13

Summary:
  Total number of files:        88889
  Added files:                  1
  Removed files:                0
  Changed files:                0

---------------------------------------------------
Added files:
---------------------------------------------------

added: /root/testfile

And that's the basics of getting AIDE (Advanced Intrusion Detection Environment) up and running on your CentOS 7 server.

AIDE website: https://aide.github.io

AIDE GitHub: https://github.com/aide/aide
