AIDE Installation on CentOS

AIDE (Advanced Intrusion Detection Environment) is an host based intrusion detection system written for Linux systems.

Installation

yum install aide

Configuration

Edit the config file at /etc/aide.conf if necessary. One important thing to add would be the location of the DocumentRoot for webservers. On CentOS + Apache2 this defaults to /var/www/html, and is exempt from the AIDE database by the default config as it is a child of /var which is considered too volatile.

Run the prelink program before creating to initial database to prevent a flood of false positives: prelink -a

Create the initial database

aide --init 
AIDE, version 0.13.1 ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

Rename and move the ‘new’ database to the database name aide is configured to use (default: aide.db.gz).

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run a test scan

aide --check 
AIDE, version 0.13.1 ### All files match AIDE database. Looks okay!

Next, create a cron.daily job to run an AIDE check and email the results

#!/bin/bash /usr/sbin/aide --check | /bin/mail -s "`hostname` AIDE Report" your@email.com

Don’t forget to +x it.

Ideally, the AIDE database, binaries, and configs should be moved to read-only media (ie. cdrom). The config and cron job will need to be modified to work with the new locations. Once a new package is installed or files are changed, the AIDE database will need to be updated else the new files will show up in the report. Even if the changed/added files are known, it’s a bad idea to use an outdated database, as it could be just those files which become compromised. This is especially true of webservers where updates to code could indicate a compromise

Updating the database

Prior to updating the database, remember to run prelink -a if any packages have been installed

To update the db run aide --update. This will create a new aide.db.new.gz, which will need to be renamed/moved to reflect the database location in the config.

More info is available at the AIDE manual


If you enjoyed this post consider sharing it on , , , or , and .