How to verify file or directory integrity with AIDE on Linux

in Linux / Unix by (552k points)

1 Answer

Best answer

1. Installing AIDE on Linux
2. Access to the AIDE Linux configuration file
3. How to manage and understand the rules of AIDE
4. How to define rules for viewing AIDE files and directories
5. How to use AIDE to verify files and directory integrity in Linux
6. How to evaluate AIDE

When using multiple operating systems, it is ideal to always have tools that allow us to maintain centralized and direct control over them. One of the most delicate issues is unquestionably the security and integrity of the files, since this guarantees us their availability and reliability.

Today TechnoWikis will talk about a practical tool called AIDE through which it will be possible to check the integrity of a file or directory in the various Linux distributions and thus be sure of the complete reliability of the selected file.

What is AIDE?
AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker for Linux environments, allowing us as administrators to maintain specific control over them.
Its operation consists in the creation of a database designed from the rules of regular expressions that are available in the configuration files. Once this database is initialized, it can be used to verify the integrity of the required files.
AIDE file attributes
AIDE is responsible for building the database of the files specified in aide.conf, which is the AIDE configuration file. The AIDE database stores several file attributes, within which we have:
  • type of file
  • permissions
  • user and group
  • file size
  • mtime, ctime and atime
  • growth size
  • number of links and link name.

Likewise, AIDE creates a cryptographic checksum or hash of each file using one or a combination of the following message digest algorithms: sha1, sha256, sha512, md5, rmd160, tiger, haval and crc32. Also, acl, xattr, selinux and e2fsattrs attributes can be used when explicitly enabled at compile time.

AIDE has several message digest algorithms which are used to verify the integrity of the file. All the usual file attributes can also be checked for inconsistencies. AIDE is able to read databases from older or newer versions.

AIDE features
When using this tool we have the following characteristics:
  • Supported message digest algorithms: md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool (additionally with libmhash: gost, haval, crc32b)
  • Supported file attributes: File type, Permissions, Inode, Uid, Gid, Link name, Size, Block number, Number of links, Mtime, Ctime and Atime
  • It has support for Posix ACL, SELinux, XAttrs and extended file system attributes if the support is compiled in
  • Plain text configuration files and database to simplify use
  • It has support for regular expressions to selectively include or exclude files and directories in order to be monitored
  • It is capable of compressing the database with gzip if zlib support is compiled in
  • Stand-alone static binary for client / server monitoring configurations
AIDE is included in the following UNIX distributions
  • Debian
  • Gentoo
  • MacPorts
  • FreeBSD
  • CentOS / RedHat
  • IPCop
  • OpenSUSE

It is important to clarify that AIDE cannot provide absolute security over the change in a file, since, like any other system file, the AIDE database and / or binaries can also be altered using the appropriate tools.


1. Installing AIDE on Linux


AIDE is available in official repositories for the most popular Linux distributions, for this we can install it using a package manager according to the distro selected as follows:
 apt install aide      (Debian / Ubuntu)
 yum install aide      (RHEL / CentOS)
 dnf install aide      (Fedora)
 zypper install aide   (OpenSUSE)
 emerge aide           (Gentoo)


In this case we use Ubuntu. There we enter the letter S to accept the download and installation of AIDE. Once installed we will see the following:


As we can see, the main configuration file is /etc/aide/aide.conf. To visualize the installed version, as well as the compilation time parameters, we can execute the following:

 aide -v 



2. Access to the AIDE Linux configuration file


We can access the AIDE configuration file by executing the following line with the desired editor:
 nano /etc/aide/aide.conf 
We will see the following:


In this file we find directives that define the location of the database, the location of the report, the default rules, the directories or files that will be included in the database and many more.


3. How to manage and understand the rules of AIDE

AIDE manages rules such as:

  • p: permissions
  • n: number of links
  • u: user
  • g: group
  • s: size
  • b: block count
  • m: mtime
  • a: atime
  • c: ctime
  • selinux: SELinux security context
  • xattrs: extended attributes of a file

From these rules it will be possible to create custom rules in the AIDE configuration file. For example, we can create the following rule:

 PERMS = p+u+g+acl+selinux+xattrs 
In this case the PERMS rule is implemented for access control, which will detect any change in the file or directories according to file or directory permissions, user, group, access control permissions, file attributes and more.

Another rule that we can implement is one that only verifies the content of the file and the type of file selected, for example:

 CONTENT = sha256+ftype 
If we want to verify the extended content, the file type and the access we can create a rule like:
 CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs 
A rule that helps us detect changes in the directory only at the data level is:
 DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 
These rules must be added at the bottom of the AIDE configuration file:


We save the changes using the Ctrl + O keys and exit using Ctrl + X.


4. How to define rules for viewing AIDE files and directories


With AIDE it will also be possible to create rules for certain files or directories to analyze. For this we access again the path /etc/aide/aide.conf and we can create the following rules:
 /root/\..* PERMS       (This rule verifies permissions in the root directory)
 /root/ CONTENT_EX      (This rule verifies all root files for any changes)
 /etc/ DATAONLY         (This rule allows us to detect any change in the /etc directory)


We can save the changes in the AIDE configuration file.


5. How to use AIDE to verify files and directory integrity in Linux


Once the rules to be used with AIDE have been defined, the next step will be to build the database against the checks that will be made using the --init parameter.

With the following command a database will be created that contains all the files that we define in the AIDE configuration file:

 aide --init 


Once this is done, proceed to change the name of the database to /var/lib/aide/aide.db.gz before continuing, for this we can use the following command:

 mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db.gz 
It is recommended to move this database to a secure location, but we must be sure to update the configuration file so that it can be read from there.

Next, we must compile a new Aide configuration file. We execute the following command:

 update-aide.conf 
Now we will copy this new file to the /etc/aide directory:
 cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf 
After the database is created, we can verify the integrity of the files and directories using the --check flag:
 aide --check 



6. How to evaluate AIDE


To test the operation of AIDE we will execute the following lines:
 mkdir /root/aide-test
 touch /root/aide-test/testsolvetic
 touch /root/aide-test/testsolvetic1
With them we are creating a new directory and files in the system. Subsequently we execute the following line for validation and verification:
 aide --check 
The result will be as follows:


There we can see that a difference is found in the files, and it indicates what type of action it was: addition, deletion or change.
In this way, AIDE is a useful tool to determine in real time the changes that have occurred in the system.


by (3.5m points)
edited
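The following is an added example, not part of the answer above and not AIDE's own code: a toy model, in Python, of what the rule definitions in sections 3 and 4 and the `aide --init` / `aide --check` cycle in sections 5 and 6 do. It parses rules written in the same `p+u+g+sha256` syntax as aide.conf, takes a baseline of a constructed temporary directory tree (a stand-in for `/etc` and `/root/aide-test`), applies a few edits, and reports added, removed and changed entries. The attribute letters follow the answer's table; `acl`, `selinux` and `xattrs` are accepted but skipped, which is an assumption of this toy, not AIDE behaviour.

```python
"""Toy model of AIDE's --init / --check cycle (added example, not AIDE's own code)."""
import hashlib
import os
import stat
import tempfile


def _sha256(path):
    """Hex SHA-256 of a regular file; None for directories, symlinks, etc."""
    if os.path.islink(path) or not os.path.isfile(path):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


# Attribute names from the answer's rule table, mapped to what we record.
# acl, selinux and xattrs need platform-specific libraries, so this toy parses
# them but does not check them (assumption of the example, not AIDE behaviour).
ATTRS = {
    "p": lambda s, path: stat.S_IMODE(s.st_mode),    # permission bits
    "ftype": lambda s, path: stat.S_IFMT(s.st_mode),  # file type
    "u": lambda s, path: s.st_uid,
    "g": lambda s, path: s.st_gid,
    "s": lambda s, path: s.st_size,
    "n": lambda s, path: s.st_nlink,
    "b": lambda s, path: s.st_blocks,
    "m": lambda s, path: int(s.st_mtime),
    "a": lambda s, path: int(s.st_atime),
    "c": lambda s, path: int(s.st_ctime),
    "sha256": lambda s, path: _sha256(path),
}
SKIPPED = {"acl", "selinux", "xattrs"}


def parse_rule(definition):
    """Turn 'p+u+g+acl+selinux+xattrs' into the list of attributes we can check."""
    names = [t.strip() for t in definition.split("+") if t.strip()]
    unknown = [n for n in names if n not in ATTRS and n not in SKIPPED]
    if unknown:
        raise ValueError("unknown attribute(s): %s" % ", ".join(unknown))
    return [n for n in names if n in ATTRS]


def snapshot(root, attrs):
    """Like 'aide --init': record the selected attributes of everything under root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            db[os.path.relpath(path, root)] = {a: ATTRS[a](info, path) for a in attrs}
    return db


def check(baseline, current):
    """Like 'aide --check': diff two snapshots into added / removed / changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in set(baseline) & set(current):
        diffs = {a: (baseline[path][a], current[path][a])
                 for a in baseline[path] if baseline[path][a] != current[path][a]}
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed tree: a content edit on one file, a chmod on another, a new directory."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        hosts, passwd = os.path.join(etc, "hosts"), os.path.join(etc, "passwd")
        for path, text in ((hosts, "127.0.0.1 localhost\n"), (passwd, "root:x:0:0::/root:/bin/sh\n")):
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, 0o644)

        content_rule = parse_rule("p+u+g+s+sha256")             # DATAONLY-style rule
        perms_rule = parse_rule("p+u+g+acl+selinux+xattrs")      # the answer's PERMS rule
        base_content = snapshot(root, content_rule)
        base_perms = snapshot(root, perms_rule)

        with open(hosts, "a") as fh:        # size and hash change, mode unchanged
            fh.write("10.0.0.5 backup\n")
        os.chmod(passwd, 0o600)             # mode changes, content unchanged
        os.mkdir(os.path.join(root, "aide-test"))
        open(os.path.join(root, "aide-test", "testsolvetic"), "w").close()

        return {
            "content": check(base_content, snapshot(root, content_rule)),
            "perms": check(base_perms, snapshot(root, perms_rule)),
        }


if __name__ == "__main__":
    for rule_name, report in demo().items():
        print(rule_name, report)
```

Running `demo()` shows why the choice of rule matters: the content-style rule reports `etc/hosts` as changed in size and hash and `etc/passwd` as changed in permissions, while the PERMS-style rule only notices the chmod on `etc/passwd` and stays silent about the edited `etc/hosts`. Both report the new `aide-test` directory and its file as additions, which is the same kind of result the `aide --check` run in section 6 produces.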
