Ubuntu Linux AIDE Setup – Advanced Intrusion Detection Environment

Having anti-virus software and a rigorous firewall as your first line of defense is considered a bare necessity nowadays. But what happens when somehow the malicious code or intent somehow gets past your protection? That is where an Intrusion Detection System (IDS) comes into play.

AIDE is one such tool among others (like Tripwire) – it builds an initial local database of the files you specify it to monitor using the verification and checksum methods you set, after which if you run a check against this database AIDE will show you what files have been changed since the build of the database. Essentially, when you run it periodically you’ll be able to tell what, when and how has been changed since the last check had been run.

First, let’s install the base package:

apt-get install aide

Now using your editor of choice we should define some basic configuration for aide:

nano /etc/aide/aide.conf

As per usual you should change everything to your liking, but now this – you can never be too paranoid and security always comes with a trade-off at comfort. For demonstrational purposes the checksums used here provide an acceptable ratio of calculation speed/efficiency, however, in a production environement a more robust checksum combination is preferred.

Example contents of aide.conf:

database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.old
database_new=file:/var/lib/aide/aide.db.new
gzip_dbout=yes
Checksums = sha512+crc32
database_attrs = Checksums

Finally, you can include the directories to be monitored at the end of this config file, so for instance should you only want to keep an eye on your www folder, then this is what you should put at the end of aide.conf:

/var/www Full

Now we have to build the initial database by running:

aideinit

Also don’t forget to set your email address over here:

nano /etc/default/aide

After that we are good to go! To test it, create a file using for example, touch /var/www/test.txt and do a manual check by using:

aide -c /etc/aide/aide.conf --check

A cron job is added automagically to the cron.daily jobs.

About the author

Gábor Hargitai

View all posts