
AIDE - Advanced Intrusion Detection Environment

AIDE is a file and directory integrity checker and is available in Debian 11 "Bullseye" repository and LMDE5.

AIDE (Advanced Intrusion Detection Environment), which can also be built as a stand-alone static binary, is a host-based intrusion detection system that detects changes to files on the local system.

It creates a database from the regular expression rules that it finds in the config file. Once this database is initialised, it can be used to verify the integrity of the files. It supports several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of file contents, and more algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies.

License: GNU/GPLv2

Features:

  • supported message digest algorithms: md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool (additionally with libmhash: gost, haval, crc32b)
  • supported file attributes: File type, Permissions, Inode, Uid, Gid, Link name, Size, Block count, Number of links, Mtime, Ctime and Atime
  • support for Posix ACL, SELinux, XAttrs and Extended file system attributes if support is compiled in
  • plain text configuration files and database for simplicity
  • powerful regular expression support to selectively include or exclude files and directories to be monitored
  • gzip database compression if zlib support is compiled in
  • stand-alone static binary for easy client/server monitoring configurations
  • and many more...

The current stable version of AIDE is 0.17.4, but you need to download and build that version yourself from the developers' website.

If you don't want to, you can install from Debian's repository and get version 0.17.3-4+deb11u1.

How to install via a terminal window from Debian's repository:

sudo apt-get install aide

Press Enter.

Other supported distributions:

  • Debian: sudo apt install aide
  • Ubuntu: sudo apt install aide
  • LMDE5:  sudo apt install aide
  • FreeBSD: pkg install aide
  • Gentoo: emerge aide
  • Homebrew: brew install aide
  • MacPorts: port install aide
  • NixOS: nix-env -iA nixos.aide
  • OpenBSD: pkg_add aide
  • openSUSE: zypper install aide
  • Red Hat | CentOS | Fedora: yum install aide

Run this command:

sudo aide -v

Press Enter.

Result:

user@computer:~$ aide -v
Aide 0.17.3

Compiled with the following options:

  • WITH_MMAP
  • WITH_PCRE
  • WITH_POSIX_ACL
  • WITH_SELINUX
  • WITH_XATTR
  • WITH_CAPABILITIES
  • WITH_E2FSATTRS
  • WITH_ZLIB
  • WITH_MHASH
  • WITH_AUDIT

Default config values:

config file: <none>
database_in: <none>
database_out: <none>

Available hashsum groups:

  • md5: yes
  • sha1: yes
  • sha256: yes
  • sha512: yes
  • rmd160: yes
  • tiger: yes
  • crc32: yes
  • crc32b: yes
  • haval: yes
  • whirlpool: yes
  • gost: yes
  • stribog256: no
  • stribog512: no

Default compound groups:

R: l+p+u+g+s+c+m+i+n+md5+acl+selinux+xattrs+ftype+e2fsattrs+caps
L: l+p+u+g+i+n+acl+selinux+xattrs+ftype+e2fsattrs+caps
>: l+p+u+g+i+n+acl+S+selinux+xattrs+ftype+e2fsattrs+caps
H: md5+sha1+rmd160+tiger+crc32+haval+gost+crc32b+sha256+sha512+whirlpool
X: acl+selinux+xattrs+e2fsattrs+caps

You should open the configuration using your favorite editor:

sudo gedit /etc/aide.conf

Press Enter.

It has directives that define the database location, the report location, the default rules, and the directories/files to be included in the database.

Some recommended rule definitions to consider:

PERMS = p+u+g+acl+selinux+xattrs

The PERMS rule covers access control only: it detects changes to a file's or directory's permissions, owner (user), group, ACLs, SELinux context and extended attributes, but not to its contents.

To check file content and file type:

CONTENT = sha256+ftype

An extended version of the previous rule that, in addition to content and file type, also checks permissions, ownership, link count and access-control attributes:

CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs

The DATAONLY rule below detects any change to the data inside all files/directories it covers (size and sha256 checksum), together with permissions, ownership, link count and access-control attributes:

DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256

Now that you have defined rules, you can specify the files and directories to watch. Each selection line is a regular expression matched against the path, followed by the rule to apply. The following definition checks permissions for the dotfiles in /root (the root user's home directory):

/root/\..*  PERMS

Check all files in the /root directory for any change to content, file type, permissions or ownership:

/root/   CONTENT_EX

To detect any changes to the data inside all files/directories under /etc/:

/etc/   DATAONLY

Use AIDE to check file and directory integrity in Linux. First, initialise the database from the configuration:

sudo aide --init

The initial run writes a new database file. Now rename it to /var/lib/aide/aide.db.gz, which is the file the check reads, before proceeding.

sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

I recommend you also keep a copy of the database in a secure location (for example read-only media or a separate host), since anyone who can modify the database on the monitored system can hide their changes from the check.

Once the database is created, you can check the integrity of the files and directories:

sudo aide --check

It will compare the snapshot in the database to the files/directories found on your system disk. If it finds changes that you might not expect, it generates a report which you can then review.
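The rule definitions above and the init/rename/check cycle, as an added example that is not the article's or the AIDE project's own code. It writes an aide.conf for a throwaway directory (database paths and watched paths are constructed), runs the cycle only when invoked with the argument run, and decodes AIDE's exit status (a bitmask: 1 new, 2 removed, 4 changed; 14 and above are errors) so a script can tell "changed" from "failed to run":

```shell
#!/bin/sh
# Added example (not AIDE project code): build an aide.conf from the article's
# rules, run an init/check cycle on a throwaway tree and decode the exit status.
write_aide_conf() {   # args: directory to watch, directory holding the database
    watchdir=$1; dbdir=$2
    cat <<EOF
database_in=file:$dbdir/aide.db.gz
database_out=file:$dbdir/aide.db.new.gz
gzip_dbout=yes
report_url=stdout
PERMS = p+u+g+acl+selinux+xattrs
CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
$watchdir/\\..*  PERMS
$watchdir/       CONTENT_EX
EOF
}
# Decode the exit status of aide --check: AIDE returns a bitmask where
# 1 = new files, 2 = removed files, 4 = changed files (0 = no changes);
# 14 and above mean an error (for example 17 = configuration error).
aide_status() {
    rc=$1; out=""
    if [ "$rc" -eq 0 ]; then echo "no changes"; return 0; fi
    if [ "$rc" -ge 14 ]; then echo "error (exit $rc)"; return 1; fi
    [ $((rc & 1)) -ne 0 ] && out="${out}new "
    [ $((rc & 2)) -ne 0 ] && out="${out}removed "
    [ $((rc & 4)) -ne 0 ] && out="${out}changed "
    echo "${out% }"
}
# Full init/check cycle on a temporary tree; runs only as: sh this_script.sh run
aide_demo() {
    work=$(mktemp -d); watch=$work/watched; db=$work/db
    mkdir -p "$watch" "$db"
    printf 'export EDITOR=vi\n' > "$watch/.profile"; printf 'hello\n' > "$watch/data.txt"
    write_aide_conf "$watch" "$db" > "$work/aide.conf"
    aide --config="$work/aide.conf" --init >/dev/null || { aide_status $?; return 1; }
    mv "$db/aide.db.new.gz" "$db/aide.db.gz"   # the same rename the article performs
    printf 'tampered\n' >> "$watch/data.txt"    # constructed content change (CONTENT_EX)
    chmod 600 "$watch/.profile"                 # constructed permission change (PERMS)
    aide --config="$work/aide.conf" --check; rc=$?
    echo "aide --check reported: $(aide_status "$rc")"   # expected: changed
    rm -rf "$work"
}
if [ "${1:-}" = "run" ]; then aide_demo; fi
```

The acl, selinux and xattrs attributes in the rules only work on a build compiled with that support, which the aide -v output above shows; on a build without it, aide exits with a configuration error that aide_status reports instead of a false "no changes".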

Developers website
