Check Integrity Using Aide

Posted on Sunday March 13, 2016 / by Eric Potvin

AIDE (Advanced Intrusion Detection Environment) is file integrity monitoring software, in other words a host-based intrusion detection system. It can be used to detect unauthorized or unexpected changes to the file system on Ubuntu. AIDE can be run on demand or automatically, for example as a cron job.

Installing AIDE

AIDE can be installed using this command:

sudo apt-get install aide

Set up the database

To make sure the database is set up properly, you need to initialize it using this command:

sudo aideinit

You should see something like this:

### AIDE database at /var/lib/aide/aide.db.new initialized

This might take some time!

Make sure the new database is set up and initialized properly:

cd /var/lib/aide/
ls -lt

You should see something like this:

total 21988
-rw------- 1 root root 11227321 Apr 12 16:25 aide.db
-rw------- 1 root root 11227321 Apr 12 16:25 aide.db.new
-rw-r--r-- 1 root root    49291 Apr 12 16:19 aide.conf.autogenerated

Configuration for AIDE

You can always modify the /etc/aide/aide.conf file to personalize or change the default settings.

sudo vi /etc/aide/aide.conf

The default checksum set is more than you need and can be trimmed to avoid unnecessary load on the system. sha512 should be fine by itself, but you can add one more just in case. For example,

Checksums = sha512+crc32

Database

Install the newly generated database:

cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

First run

Let's run it for the first time using the --check option. This will build the initial database.

sudo aide -c /etc/aide/aide.conf --check

This will output a bunch of information. At the end, you should see:

### All files match AIDE database. Looks okay!

Test AIDE

Let's test AIDE by creating a file in the /usr/sbin/ folder.

touch /usr/sbin/aide-test-file.txt

Run AIDE to detect the change

Now, AIDE should detect the new file created previously.

sudo aide --check

Updating the database

If you install new packages, update the system, or simply update an HTML file, and you want AIDE to record these changes as expected, run this command:

sudo aide --update

This updates the AIDE database, telling AIDE that the changes you made are authorized and safe.

Make sure you rename the database again so that the new changes are applied. I recommend renaming the file using a naming convention like this:

mv aide.db.gz aide.db.gz-Dec082013

Using AIDE with cron

You can create your own script that automatically sends you a report when AIDE is done.

sudo vi /var/log/aide/chaide.sh

and paste the following code:

#!/bin/bash
# Build a dated report from 'aide --check' and mail it.
now=$(date +%Y-%m-%d)
filename="Aide-Report-$now.txt"
/bin/echo "Aide Report for $now" > /tmp/$filename
# AIDE writes its findings to stdout; keep the full output in a scratch file
/usr/sbin/aide --check > /tmp/aide-check.txt
/bin/cat /tmp/aide-check.txt >> /tmp/$filename
# repeat the last 20 lines (the summary) at the end of the report
/usr/bin/tail -n20 /tmp/aide-check.txt >> /tmp/$filename
# append (>>) rather than overwrite, or the report is lost before it is mailed
/bin/echo "--- End of report ---------------------------------------------------" >> /tmp/$filename
/bin/mail -s "$filename $now" my-email@my-domain.com < /tmp/$filename

Now, let's install this in the crontab.

sudo crontab -e

For example, if you would like to run it every day at 5 am, you can use this:

0 5 * * * /var/log/aide/chaide.sh
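As an added example, not part of the original post, here is a variant of the report script that also decodes AIDE's exit status (documented in the aide man page) so the mail subject says whether files were added, removed or changed, and that only mails when there is something to act on; the report directory and mail address are assumed placeholders.

```shell
#!/bin/bash
# Added example (not from the original post): a cron wrapper around
# 'aide --check' that decodes AIDE's documented exit status and only
# mails a report when something changed or AIDE itself failed.
# REPORT_DIR and MAIL_TO are assumed placeholders; adjust them.
AIDE_BIN=/usr/sbin/aide
AIDE_CONF=/etc/aide/aide.conf
REPORT_DIR=/var/log/aide
MAIL_TO="admin@example.com"

# AIDE exits 0 when nothing changed; otherwise the low bits form a mask:
#   1 = new files   2 = removed files   4 = changed files
# 14 and above signal a runtime error (config, I/O, version mismatch ...).
# Prints a one-line summary; returns 0 = clean, 1 = changes, 2 = error.
decode_aide_status() {
  local rc=$1 parts=""
  [ "$rc" -eq 0 ] && { echo "no changes"; return 0; }
  [ "$rc" -ge 14 ] && { echo "aide error (exit $rc)"; return 2; }
  [ $((rc & 1)) -ne 0 ] && parts="${parts}new files, "
  [ $((rc & 2)) -ne 0 ] && parts="${parts}removed files, "
  [ $((rc & 4)) -ne 0 ] && parts="${parts}changed files, "
  echo "${parts%, }"
  return 1
}

# write_report OUTFILE DATE EXITCODE RAW_AIDE_OUTPUT
# Builds the mail body: header with summary, full AIDE output, footer.
write_report() {
  local out=$1 day=$2 rc=$3 raw=$4 summary
  summary=$(decode_aide_status "$rc") || true
  { echo "AIDE report for $day: $summary"; cat "$raw"; echo "--- End of report ---"; } > "$out"
}

run_check() {
  local day rc=0 raw report
  day=$(date +%Y-%m-%d)
  raw=$(mktemp); report="$REPORT_DIR/Aide-Report-$day.txt"
  "$AIDE_BIN" -c "$AIDE_CONF" --check > "$raw" 2>&1 || rc=$?
  write_report "$report" "$day" "$rc" "$raw"
  rm -f "$raw"
  # Mail only when there is something to act on (changes or an error).
  if [ "$rc" -ne 0 ]; then
    mail -s "AIDE $day: $(decode_aide_status "$rc")" "$MAIL_TO" < "$report"
  fi
}

# Only run AIDE when invoked as 'chaide.sh run' (e.g. from cron).
if [ "${1:-}" = "run" ]; then run_check; fi
```

Save it as /var/log/aide/chaide.sh, make it executable with chmod +x, and point the cron line at it with the run argument (0 5 * * * /var/log/aide/chaide.sh run).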