Friday 12 April 2013

AIDE Installation and Configuration



Greetings,
We will be looking at the installation of a host-based intrusion detection system (HIDS).

The Advanced Intrusion Detection Environment (AIDE) has one specific purpose: checking the integrity of files and directories. Originally, host-based intrusion detection systems were developed for only one purpose, the integrity check of an OS. Since its development, AIDE's functionality has changed little apart from security patches and updates.

Installation of AIDE
Download AIDE from AIDE 


# tar -zxvf aide-0.15.1.tar.gz

# cd aide-0.15.1

# ./configure

# make

# make install


The important configuration files are located in the "/etc" directory. AIDE has two configuration files: “/etc/default/aide” (general configuration) and “/etc/aide/aide.conf” (main configuration file with the rules). Its database is located in “/var/lib/aide/aide.db” and “/var/lib/aide/aide.db.new”; aide.db.new is generated every time we initialise the database. The log file is stored in "/var/log/aide/aide.log" by default, but the location can be changed and kept away from the "/var/log" directory.
 
 

AIDE reads its rules from aide.conf and monitors the system according to them. The rules can be modified as required to protect the system from malicious attackers. The default groups are permissions, inode, link name, number of links, user, group, size, block count, mtime, atime, ctime, check for growing size, ignore changed filename, allow new files, allow removed files, md5 and sha1 checksum (p+b+l+u+n+g+i+c+m+S+I+sha1+md5).

 

The rules can be written in various ways to monitor files and directories. A sample AIDE configuration:


###Aide Conf####

Checksum = md5+sha1

OwnerMode = p+g+u

Size = s

Log = OwnerMode+s+n

Full = Log+Checksum+m+c+i+b

###Rules set to monitor the system###

/bin                     Full

/sbin                   Full

/usr                     Full

!/etc/mtab

/etc                     Full

/var/log$             Log

/var/run$            Full

/var/lib/aide.*     OwnerMode
 
Here, in this sample, we can see group definitions and regular expressions shaping the rules that are applied to each directory. Once the rules are set, AIDE will monitor for any changes made to the system files and directories. The /bin directory has been set to Full, which means AIDE will monitor every file and folder residing within /bin. The “!/etc/mtab” line states that it should not monitor “/etc/mtab”. The “!” marks a negative selection line, which means the matching files and directories are ignored; AIDE will not monitor that path and moves on. In “/var/log$”, the “$” regular expression states that AIDE must not recurse into child directories; it should monitor only the parent directory. The rule for “/var/log$” means that it is going to monitor OwnerMode, size and number of links. Finally, we have “/var/lib/aide.*”, where “.*” states that it should monitor everything inside that directory.
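The selection rules above can be traced with a small model of how the sample file is read. This is an added example, not part of the original post or of AIDE's code; it assumes a simplified matcher (patterns anchored at the start of the path, negative lines always win, the longest matching pattern decides), and the function names are made up for illustration.

```python
import re

SAMPLE_CONF = """
Checksum = md5+sha1
OwnerMode = p+g+u
Size = s
Log = OwnerMode+s+n
Full = Log+Checksum+m+c+i+b
/bin Full
/sbin Full
/usr Full
!/etc/mtab
/etc Full
/var/log$ Log
/var/run$ Full
/var/lib/aide.* OwnerMode
"""

def expand(expr, groups):
    """Expand 'Log+Checksum+m' into the set of primitive attributes."""
    attrs = set()
    for token in expr.split("+"):
        attrs |= groups.get(token, {token})
    return frozenset(attrs)

def parse(conf):
    """Return (groups, rules); each rule is (negative, compiled_regex, attrs)."""
    groups, rules = {}, []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "=" in line and not line.startswith(("/", "!")):
            name, expr = (part.strip() for part in line.split("=", 1))
            groups[name] = expand(expr, groups)
        elif line.startswith("!"):
            rules.append((True, re.compile(line[1:]), frozenset()))
        else:
            pattern, expr = line.split()
            rules.append((False, re.compile(pattern), expand(expr, groups)))
    return groups, rules

def attributes_for(path, rules):
    """None if the path is ignored or unmatched, else the attributes checked."""
    matches = [r for r in rules if r[1].match(path)]  # match() anchors at the start
    if not matches or any(negative for negative, _, _ in matches):
        return None
    # Assumption of this model: the longest pattern is the most specific rule.
    return max(matches, key=lambda r: len(r[1].pattern))[2]
```

Because patterns are anchored only at the start, “!/etc/mtab” in this model also ignores a path such as /etc/mtab.bak; ending the pattern with “$” limits it to the one file.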


AIDE Implementation

Once installation and configuration are complete, we need to activate AIDE to monitor the system for any suspicious behaviour or system compromise. To begin with, we need to initialise the database:

# aide --init --config=/etc/aide/aide.conf    (or we can use “aideinit”)

This command will start initialising the database and store it in the /var/lib/aide directory. At the end it shows:
### AIDE database initialized.

But if we initialise a second time, it shows:

### AIDE database at /var/lib/aide/aide.db.new initialized

Once “aide.db.new” has been created, it must be moved to “aide.db” so that AIDE can use it for comparison when performing the file integrity check.

# mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Now that the database is created, we can perform an initial check to see how it works.

# aide -c /etc/aide/aide.conf --check

If it doesn’t detect any changes the first time, AIDE gives the following output:

### All files match AIDE database. Looks okay!

Testing AIDE

Now, to test the effectiveness of AIDE, we will add new users and passwords; add, modify and delete files; install a rootkit; perform false logins through the SSH server; and run a brute-force attack using hydra.

# aide -c /etc/aide/aide.conf --check
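The init, move and check cycle, and what a check reports after the kind of file changes tested here, can be reproduced on a throwaway directory. This is an added example, not code from the post or from AIDE: the function names and the JSON database are assumptions for illustration, and the status number follows the 1 (added) + 2 (removed) + 4 (changed) scheme that the aide manual documents for --check.

```python
import hashlib
import json
import os
import tempfile

def snapshot(root):
    """Map each file under root to [mode, size, sha1] (stands in for p+s+sha1)."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha1(fh.read()).hexdigest()
            entries[os.path.relpath(path, root)] = [info.st_mode, info.st_size, digest]
    return entries

def init(root, dbdir):
    """Like 'aide --init': writes aide.db.new, never aide.db itself."""
    with open(os.path.join(dbdir, "aide.db.new"), "w") as fh:
        json.dump(snapshot(root), fh)

def check(root, dbdir):
    """Like 'aide --check': compare root with aide.db, return (status, report)."""
    with open(os.path.join(dbdir, "aide.db")) as fh:  # fails if db.new was never moved
        old = json.load(fh)
    new = snapshot(root)
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed = sorted(p for p in new.keys() & old.keys() if new[p] != old[p])
    status = 1 * bool(added) + 2 * bool(removed) + 4 * bool(changed)
    return status, {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed scenario in temporary directories; no real system file is touched."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        for name, data in (("passwd", "root:x:0:0\n"), ("motd", "hi\n"), ("old.conf", "a=1\n")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(data)
        init(root, dbdir)
        os.replace(os.path.join(dbdir, "aide.db.new"), os.path.join(dbdir, "aide.db"))
        clean = check(root, dbdir)
        with open(os.path.join(root, "passwd"), "a") as fh:
            fh.write("newuser:x:1001:1001\n")  # changed file
        os.remove(os.path.join(root, "old.conf"))  # removed file
        open(os.path.join(root, "new.bin"), "w").close()  # added file
        return clean, check(root, dbdir)
```

Calling check() before aide.db.new has been moved to aide.db raises FileNotFoundError, which is the situation the mv step above avoids.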

 

So there you go. Everything depends upon your configuration, but know that this is very old and it's hardly being maintained.

Enjoy. Thanks.

3 comments:

  1. I really enjoy simply reading all of your weblogs. Simply wanted to inform you that you have people like me who appreciate your work. Definitely a great post. Hats off to you! The information that you have provided is very helpful.

  2. Thanks, I really appreciate it. Just to let you know I moved from here to http://linuxaarif.co.uk however, I haven't been updating much these days. Please do let me know what you're interested in and what you like and maybe if I can help you.

    Cheers

  3. Thanks for the information about aide and recursion!
