{"id":12020,"date":"2019-03-21T03:13:27","date_gmt":"2019-03-21T03:13:27","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=12020"},"modified":"2019-03-21T03:13:27","modified_gmt":"2019-03-21T03:13:27","slug":"how-to-check-integrity-of-file-and-directory-using-aide-in-linux","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/21\/how-to-check-integrity-of-file-and-directory-using-aide-in-linux\/","title":{"rendered":"How to Check Integrity of File and Directory Using \u201cAIDE\u201d in Linux"},"content":{"rendered":"

In our mega guide to\u00a0hardening and securing CentOS 7<\/a>, under the section \u201cprotect system internally<\/strong>\u201d, one of the useful security tools we listed for internal system protection against viruses, rootkits, malware, and detection of unauthorized activities is\u00a0AIDE<\/strong>.<\/p>\n

AIDE<\/strong>\u00a0(Advanced Intrusion Detection Environment<\/strong>) is a small yet powerful, free open source intrusion detection tool, that uses predefined rules to check file and directory integrity in Unix-like operating systems such as Linux. It is an independent static binary for simplified client\/server monitoring configurations.<\/p>\n

It is feature-rich: uses plain text configuration files and database making it easy to use; supports several message digest algorithms such as but not limited to md5, sha1, rmd160, tiger; supports common file attributes; also supports powerful regular expressions to selectively include or exclude files and directories to be scanned.<\/p>\n

Also it can be compiled with exceptional support for Gzip compression, Posix ACL, SELinux, XAttrs and Extended file system attributes.<\/p>\n

Aide works by creating a database (which is simply a snapshot of selected parts of the file system), from the regular expression rules defined in the configuration file(s). Once this database is initialized, you can verify the integrity of the system files against it. This guide will show how to install and use aide in Linux.<\/p>\n

How to Install AIDE in Linux<\/h3>\n

Aide is packaged in official repositories of mainstream Linux distributions, to install it run the command for your distribution using a package manager.<\/p>\n

# apt install aide \t   [On Debian\/Ubuntu]\r\n# yum install aide\t   [On RHEL\/CentOS] \t\r\n# dnf install aide\t   [On Fedora 22+]\r\n# zypper install aide\t   [On openSUSE]\r\n# emerge aide \t           [On Gentoo]\r\n<\/pre>\n
After installing it, the main configuration file is\u00a0\/etc\/aide.conf<\/strong>. To view the installed version as well as compile time parameters, run the command below on your terminal:<\/p>\n
# aide -v\r\n<\/pre>\n
Sample Output<\/h5>\n
Aide 0.14\r\n\r\nCompiled with the following options:\r\n\r\nWITH_MMAP\r\nWITH_POSIX_ACL\r\nWITH_SELINUX\r\nWITH_PRELINK\r\nWITH_XATTR\r\nWITH_LSTAT64\r\nWITH_READDIR64\r\nWITH_ZLIB\r\nWITH_GCRYPT\r\nWITH_AUDIT\r\nCONFIG_FILE = \"\/etc\/aide.conf\"\r\n<\/pre>\n
You can open the configuration using your favorite editor.<\/p>\n
# vi \/etc\/aide.conf\r\n<\/pre>\n
It has directives that define the database location, report location, default rules, the directories\/files to be included in the database.<\/p>\n
Understanding Default Aide Rules<\/h4>\n
\n
\"AIDE<\/a><\/p>\n
AIDE Default Rules<\/p>\n<\/div>\n
Using the above default rules, you can define new custom rules in the\u00a0aide.conf<\/strong>\u00a0file for example.<\/p>\n
PERMS = p+u+g+acl+selinux+xattrs\r\n<\/pre>\n
The\u00a0PERMS<\/strong>\u00a0rule is used for access control only, it will detect any changes to file or directories based on file\/directory permissions, user, group, access control permissions, SELinux context and file attributes.<\/p>\n
This will only check file content and file type.<\/p>\n
CONTENT = sha256+ftype\r\n<\/pre>\n
This is an extended version of the previous rule, it checks extended content, file type and access.<\/p>\n
CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs\r\n<\/pre>\n
The\u00a0DATAONLY<\/strong>\u00a0rule below will help detect any changes in data inside all files\/directory.<\/p>\n
DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256\r\n<\/pre>\n
\n
\"Configure<\/a><\/p>\n
Configure Aide Rules<\/p>\n<\/div>\n
Defining Rules to Watch Files and Directories<\/h3>\n
Once you have defined rules, you can specify the file and directories to watch. Considering the PERMS rule above, this definition will check permissions for all files in root directory.<\/p>\n
\/root\/\\..*  PERMS\r\n<\/pre>\n
This will check all files in the\u00a0\/root<\/strong>\u00a0directory for any changes.<\/p>\n
\/root\/   CONTENT_EX\r\n<\/pre>\n
To help you detect any changes in data inside all files\/directory under\u00a0\/etc\/<\/strong>, use this.<\/p>\n
\/etc\/   DATAONLY \r\n<\/pre>\n
\n
\"Configure<\/a><\/p>\n
Configure Aide Rules for Filesystem<\/p>\n<\/div>\n
Using AIDE to Check File and Directory Integrity in Linux<\/h3>\n
Start by constructing a database against the checks that will be performed using\u00a0--init<\/code>\u00a0flag. This is expected to be done before your system is connected to a network.<\/p>\n
The command below will create a database that contains all of the files that you selected in your configuration file.<\/p>\n
# aide --init\r\n<\/pre>\n
\n
\"Initialize<\/a><\/p>\n
Initialize Aide Database<\/p>\n<\/div>\n
Then rename the database to\u00a0\/var\/lib\/aide\/aide.db.gz<\/strong>\u00a0before proceeding, using this command.<\/p>\n
# mv \/var\/lib\/aide\/aide.db.new.gz \/var\/lib\/aide\/aide.db.gz<\/pre>\n
It is recommended to move the database to a secure location possibly in a read-only media or on another machines, but ensure that you update the configuration file to read it from there.<\/p>\n
After the database is created, you can now check the integrity of the files and directories using the\u00a0--check<\/code>flag.<\/p>\n
# aide --check\r\n<\/pre>\n
It will read the snapshot in the database and compares it to the files\/directories found you system disk. If it finds changes in places that you might not expect, it generates a report which you can then review.<\/p>\n
\n
\"Run<\/a><\/p>\n
Run File Integrity Check<\/p>\n<\/div>\n
Since no changes have been made to the file system, you will only get an output similar to the one above. Now try to create some files in the file system, in areas defined in the configuration file.<\/p>\n
# vi \/etc\/script.sh\r\n# touch all.txt\r\n<\/pre>\n
Then run a check once more, which should report the files added above. The output of this command depends on the parts of the file system you configured for checking, it can be lengthy overtime.<\/p>\n
# aide --check\r\n<\/pre>\n
\n
\"Check<\/a><\/p>\n
Check File System Changes<\/p>\n<\/div>\n
You need to run aide checks regularly, and in case of any changes to already selected files or addition of new file definitions in the configuration file, always update the database using the\u00a0--update<\/code>\u00a0option:<\/p>\n
# aide --update\r\n<\/pre>\n
After running a database update, to use the new database for future scans, always rename it to\u00a0\/var\/lib\/aide\/aide.db.gz<\/strong>:<\/p>\n
# mv \/var\/lib\/aide\/aide.db.new.gz  \/var\/lib\/aide\/aide.db.gz<\/pre>\n
That\u2019s all for now! But take note of these important points:<\/p>\n