Using AIDE to ensure Linux server integrity

In this brief article we look at AIDE which is a host intrusion detection system. AIDE provides an additional layer to your server security not by keeping intruders out but by notifying you as the sysadmin of a possible intrusion or system compromise.

What is AIDE?

AIDE stands for Advanced Intrusion Detection Environment, it is a host-based IDS that tracks and checks file integrity. It works by creating a database of system file information and checks the files against this database periodically, notifying an administrator of any changes to the file. AIDE checks not just the file size and modification times, but also can keep track of inode numbers, user and group permissions, and various file checksums.

The purpose of this checking is to notify the administrator when any system file changes. A hacker intrusion can result in the modification of system files in order to install a backdoor to the system, and AIDE can help detect this. Ideally an attacker will never penetrate this far, but if it happens AIDE can be a lifesaver, enabling you to know in a timely manner that your machine has been compromised.

Configuring AIDE

Packages for AIDE exist for all major distributions, and installing AIDE should not pose a problem. Compiling from source involves a typical configure, make, make install procedure and should also be relatively trouble free.

The key to using AIDE effectively is in the construction of your AIDE configuration file, /etc/aide/aide.conf. The configuration file allows you to set some typical options such as file paths for the file integrity database and generated reports, but the heart of it is a list of regular expressions that are matched to file paths and the specific attributes of those files that should be checked.

The default available attributes are as follows:

p:      permissions
i:      inode
n:      number of links to the file
u:      user
g:      group
s:      size
b:      block count
m:      last modification time (mtime)
a:      last access time (atime)
c:      last inode/permission change time (ctime)
S:      size may only grow, not shrink
md5:    md5 checksum
sha1:   sha1 checksum
rmd160: rmd160 checksum
tiger:  tiger checksum
R:      p+i+n+u+g+s+m+c+md5
L:      p+i+n+u+g
E:      Empty group
>:      Growing logfile p+u+g+i+n+S

You can create your own combinations of these attributes for shorthand use within the configuration file. EnGarde Secure Linux, which includes AIDE in the default install, defines the following rules in it's default configuration file:

SEC_BIN = p+i+n+u+g+s+b+m+crc32+md5     # Read only
SEC_CONFIG = p+i+n+u+g                  # Changing file
SEC_CRIT = p+i+n+u+g+s+b+m+c+crc32+md5
SEC_LOG = p+i+n+u+g+S                   # Can grow but not shrink
SEC_DEV = p+u+g+s
SEC_RUN = p+u+g

For example, a typical configuration file located in /etc would be assigned the SEC_CONFIG attribute, which would track changes to the file's permissions, inode, number of links, owner, and group, but not content changes since the file may be changed. A logfile would be assigned SEC_LOG and would track the same attributes but also alert if the file shrunk in size, a suspicious sign of log entries being removed.

The rest of the configuration file is a list of regular expressions that assign a desired attribute to any files whose paths match the regexp. Files can be ignored by prefixing the regexp with a ! character. A trailing $ must be used to prevent matching more than just the desired path, for example /etc$ would match only the /etc directory, while having just /etc in your config file would match the /etc directory and everything within it as well.

Using AIDE

Once your configuration file is completed and you have the files you would like to track listed in it, you can generate the AIDE database by running the command aide --init. This creates the database and stores the initial accounting information about each file in your configuration file to be checked against later. The truly paranoid should burn this database to a CD or other read only media to prevent it being modified by an attacker and change the config file to point to this location. Alternatively, SELinux permissions could restrict access to the database as well. As with any security implementation, you must balance your need for security against usability. A perfectly secured offline AIDE database that requires you to perform manual checking may eventually be neglected and therefore not as useful as a possibly compromisable online database that automatically checks the system daily. It depends on your specific security requirements.

Now that the database is created, you can check for violations of the AIDE policy by running aide --check. This will create an AIDE report in the location specified in the configuration file, listing all the differences between the accounting information in the database and the current state of the monitored files. The checking can be run as often as necessary depending on your needs, and if automated by a cron job it is a simple matter to have the report emailed to a recipient of your choice for review.

Periodically as changes accumulate in the report you should refresh the database to eliminate these old results using the command aide --update. This regenerates the database with the current state of the system and should be done whenever the report becomes unwieldy and cluttered with old changes that no longer are a concern.

AIDE can be a very useful addition to your security toolbox. Maintaining an eye on your machine's system file integrity warns you of possible outside intrusion as well as allows you to record when internal changes were made to the system. AIDE and other host-based intrusion detection tools can be a valuable last line of defense behind your firewall and network IDS to notify you of possible trouble.