Advanced Intrusion Detection Environment - AIDE

Intrusion Detection Systems monitor devices or networks for malicious activity or policy violations.  AIDE, or Advanced Intrusion Detection Environment, is a host-based file integrity checker: it lets system administrators keep an eye on files and detect when a file is created, modified, or deleted.  AIDE can tell you when a malicious file has been uploaded to your application, or when a script has been injected with malicious code.  It can be used to identify nearly any change you can imagine to your system.

AIDE works by taking an inventory of your server's files and directories, recording a configurable set of attributes for each one, such as permissions, inode numbers, ownership, access control lists, SELinux contexts, checksums, and even modification times.  It stores this inventory in a database file, by default /var/lib/aide/aide.db.gz.  Because the database is just a file, it can be copied to a central host for safekeeping.

Once the database has been created with an inventory of your system, you can run a check against it to find changes.  AIDE then reports what has changed, for whichever attributes you configured it to watch on that part of the server.

Keeping an eye on changes on the server is a powerful way to catch bad situations early.  For example, without it you may not know that a malicious PHP script is sending spam from your website until your server has been blacklisted and mail stops being delivered.

Installation

Installing AIDE is simple: the package is called aide (shown as aide.x86_64 by yum on Red Hat).  AIDE is not a daemon, so after installation there is nothing to start; it only does work when you run it, typically from cron.

# Ubuntu / Debian based systems
apt-get install aide
# Red Hat / CentOS based systems
yum install aide

Configuration

The default AIDE configuration file is /etc/aide.conf on Red Hat and CentOS (Debian and Ubuntu keep it under /etc/aide/ instead, and also ship a daily cron job).  This file defines what will be inventoried and which attributes to store for later comparison.  The file itself is well commented, so if you take a few minutes to read it you should get a good idea of what is possible.

There are built-in attributes and rule groups that you combine into the 'rules' deciding what gets recorded for each path.  You can create custom rules to watch certain areas of the filesystem more closely than others.  The following are the available attributes and built-in groups, pulled from the comments in the configuration file.

# These are the default rules.
#
#p:      permissions
#i:      inode:
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#acl:           Access Control Lists
#selinux        SELinux security context
#xattrs:        Extended file attributes
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256:        sha256 checksum
#sha512:        sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum

#haval:  haval checksum (MHASH only)
#gost:   gost checksum (MHASH only)
#crc32:  crc32 checksum (MHASH only)
#whirlpool:     whirlpool checksum (MHASH only)

#R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L:             p+i+n+u+g+acl+selinux+xattrs
#E:             Empty group
#>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs

You then build your own rule groups from these attributes.  The configuration file includes a few predefined groups for you to use as well.

NORMAL = R+rmd160+sha256

Based on the definitions above, NORMAL expands to the following attributes

#R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
(R includes the following. Spelling it out for visibility)
#p:      permissions
#i:      inode
#n:      number of links
#u:      user
#g:      group
#s:      size
#m:      mtime
#c:      ctime
#acl:           Access Control Lists
#selinux        SELinux security context
#xattrs:        Extended file attributes
#md5:    md5 checksum
(plus the two extra checksums NORMAL adds on top of R)
#rmd160: rmd160 checksum
#sha256:        sha256 checksum

Note that atime (a) and block count (b) are not part of R, so NORMAL deliberately does not flag a file merely because something read it.

So for any path watched with the NORMAL rule, you will know when just about anything changes: whether a file is added, removed, or edited in any way.  That is some pretty powerful information to have!

The NORMAL line is pretty comprehensive, but there are a few other predefined groups for special cases.  Fortunately they are commented with what they are geared to do.

# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES

# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs

# Access control only
PERMS = p+i+u+g+acl+selinux

# Logfile are special, in that they often change
LOG = >

# Just do md5 and sha256 hashes
LSPP = R+sha256

# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger

The rest of the file configures which rule applies to which paths.  This part of the file gets a bit long, but it is the meat and potatoes of the inventory.  By default you could leave the remaining configuration as it is; it will watch your applications and tell you when files are changed or altered.  However, out of the box, when you run a check against the inventory you will get quite verbose output, because filesystems do change.

This is where you need to decide what is important.  Do you want to monitor the entire system for all changes?  If you are on a locked-down operating system that does not receive automatic updates, then maybe you do want to inventory the entire server: if an application binary changes and you did not run an update, you can imagine that would be important to know.  On systems that apply updates automatically you will be notified of every change those updates make, and that may be too much information.  A common compromise is to re-run aide --init (or aide --update) right after a deliberate update so the baseline matches the patched system.

When deciding which directories to inventory, use the following as a guide.  Each selection line is a regular expression matched from the start of the path, followed by the rule to apply:

/dir1 NORMAL     = apply the NORMAL rule to /dir1 and all files and directories below it
=/dir2 NORMAL    = apply the NORMAL rule to the /dir2 entry only; the '=' prefix means the path must match exactly, so nothing beneath it is included
!/dir3           = exclude /dir3 and everything below it from all checks

This way you can exclude your application's cache directory, or any other volatile location on the filesystem.  A few such places are already excluded in the default configuration.

!/usr/src
!/usr/tmp
!/etc/mtab
!/etc/.*~
!/var/log/sa
!/var/log/aide.log
!/var/log/and-httpd

One last configuration feature worth sharing is what AIDE calls macros.  Honestly, it makes more sense to think of them as variables; regardless, they give you some flexibility when configuring AIDE across your systems.

 # define a new macro/variable
@@define VAR value

# reference to a macro define previously
@@{VAR}

The following are some example macros that are included in the default configuration

@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
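As an added example, not taken from the original article or from the AIDE project, the following script writes a minimal, self-contained aide.conf using the macro, rule-group and selection-line syntax described above, and then lints it for a mistake AIDE itself only reports when you run --init: a selection line that names a rule group the file never defines.  The paths under /srv/www, the rule groups chosen, and the lint_rule_names function are illustrative assumptions, not AIDE defaults.

```shell
#!/bin/sh
# Added example (not from the original article or the AIDE project): build a
# minimal aide.conf from the macro, rule-group and selection-line syntax, then
# lint it for a rule group that is used but never defined.  The /srv/www
# paths, the rule groups and lint_rule_names() are illustrative assumptions.

write_aide_conf() {   # $1 = path to write
    cat > "$1" <<'EOF'
# Macros: where the database is read from and where --init/--update writes.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
gzip_dbout=yes

# Rule groups built from the built-in attributes (R = p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5).
NORMAL   = R+sha256+rmd160
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256
DIR      = p+i+n+u+g+acl+selinux+xattrs
LOG      = >

# Selection lines: a regex matched from the start of the path, then a rule.
/etc             NORMAL
/bin             NORMAL
/sbin            NORMAL
/usr/bin         NORMAL
/usr/sbin        NORMAL
/srv/www         NORMAL
/var/log/httpd   LOG
=/home           DIR
!/srv/www/cache/
!/srv/www/sessions/
!/etc/mtab
!/var/log/aide.log
EOF
}

# Print any rule group used on a selection line that is neither a built-in
# attribute/group nor defined in the file.  Returns 1 if one is found.
lint_rule_names() {   # $1 = aide.conf path
    conf=$1
    # Built-in attributes and groups, from the header comments in aide.conf.
    builtin='p i n u g s b m a c S acl selinux xattrs md5 sha1 sha256 sha512 rmd160 tiger haval gost crc32 whirlpool R L E >'
    # Groups this file defines with  NAME = expr
    defined=$(sed -E -n 's/^[[:space:]]*([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=.*/\1/p' "$conf" | tr '\n' ' ')
    # Rule expressions on selection lines (optional = prefix; ! lines carry no rule).
    used=$(sed -E -n 's/^=?(\/[^[:space:]]*)[[:space:]]+([^[:space:]#]+).*/\2/p' "$conf" | tr '+' '\n' | sort -u)
    undefined=''
    for name in $used; do
        case " $builtin $defined " in
            *" $name "*) ;;
            *) undefined="$undefined $name" ;;
        esac
    done
    if [ -n "$undefined" ]; then
        printf 'undefined rule group(s):%s\n' "$undefined" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo: write the config to a temp file and lint it before you
# copy it over /etc/aide.conf.
out=$(mktemp) && write_aide_conf "$out" && lint_rule_names "$out" && echo "config written and linted: $out"
```

Review the generated file, then copy it to /etc/aide.conf (or under /etc/aide/ on Debian) and run aide --init.  A typo such as NORMALL on a selection line is reported by the lint rather than by a failed --init.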

Once your configuration file is all setup, you can tell AIDE to create the inventory

aide --init

This will create a new database wherever you configured database_out to point, by default /var/lib/aide/aide.db.new.gz.  It's important to note that a check does not read the 'database_out' file; it reads the 'database' file.  So once the new database is created, you need to move it into place.

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

This two-step process avoids overwriting an existing inventory database by accident.  The database (and ideally the aide binary and configuration) should also be copied to another machine or read-only media, because an attacker who compromises the server can edit, remove or destroy the local copy, after which a check will happily report a tampered system as clean.

Finally, to check for changes, run aide with the --check option

aide --check

This will give you nice output listing what has changed, then specifically what changed about each entry.  The following is a small excerpt of example output.

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/aide.conf
changed: /var/log/audit/audit.log.4
changed: /var/log/audit/audit.log.3
changed: /var/log/audit/audit.log
changed: /var/log/audit/audit.log.1
changed: /var/log/audit/audit.log.2
changed: /var/log/lastlog

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/aide.conf
  Inode    : 1178854                          , 1178858

File: /var/log/audit/audit.log.4
  Size     : 6291536                          , 6291531
  Inode    : 1569850                          , 1569827

File: /var/log/audit/audit.log.3
  Size     : 6291655                          , 6291527
  Inode    : 1569819                          , 1569848

File: /var/log/audit/audit.log
  Size     : 2085144                          , 715050
  Inode    : 1569833                          , 1569819

File: /var/log/audit/audit.log.1
  Size     : 6291527                          , 6291660
  Inode    : 1569848                          , 1569850

File: /var/log/audit/audit.log.2
  Size     : 6291531                          , 6291694
  Inode    : 1569827                          , 1569833

File: /var/log/lastlog
  Mtime    : 2017-08-04 14:00:58              , 2017-08-05 14:34:05
  Ctime    : 2017-08-04 14:00:58              , 2017-08-05 14:34:05
  MD5      : X1ty05DneyrbuoSprdx0Fw==         , MGp2/ABkYVuB5gCoO0drsw==
  SHA256   : ipotDKp4pLx+iDWY+w+KXtMLhvI85Dvk , JrK65aDlt7aXFxghCxPVMQLgti9zGoVO
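To turn the check into something a cron job or monitoring agent can act on, here is an added example, not from the original article or the AIDE project, of a small wrapper around aide --check.  It decodes AIDE's exit status, which is a bitmask (1 = new files, 2 = removed files, 4 = changed files; 14 and above are errors), and separates entries under paths you expect to churn, such as rotated logs, from everything else.  The EXPECTED_NOISE list, the function names and the SAMPLE_REPORT excerpt are illustrative assumptions; the parser expects the 'added:/removed:/changed: path' summary format shown above, so AIDE releases that print a different summary line need a different pattern.

```shell
#!/bin/sh
# Added example (not from the original article or the AIDE project): a wrapper
# around 'aide --check' suitable for cron.  Decodes the exit status bitmask
# (1 = new, 2 = removed, 4 = changed; 14 and above are errors) and filters the
# report's summary lines against paths that are expected to change.
# EXPECTED_NOISE, the function names and SAMPLE_REPORT are illustrative.

# Path prefixes that legitimately change between checks; tune per host.
EXPECTED_NOISE='/var/log/audit/ /var/log/lastlog /var/log/wtmp'

# Translate an aide exit status into words.
aide_status_text() {   # $1 = exit status
    s=$1
    if [ "$s" -eq 0 ]; then echo "no changes"; return 0; fi
    if [ "$s" -ge 14 ]; then echo "error (exit $s)"; return 0; fi
    out=''
    if [ $((s & 1)) -ne 0 ]; then out="$out new"; fi
    if [ $((s & 2)) -ne 0 ]; then out="$out removed"; fi
    if [ $((s & 4)) -ne 0 ]; then out="$out changed"; fi
    echo "${out# }"
}

# Read a check report on stdin (the 'added:/removed:/changed: path' summary
# format) and print only the entries outside EXPECTED_NOISE.
unexpected_changes() {
    grep -E '^(added|removed|changed): /' | while read -r kind path; do
        noise=0
        for prefix in $EXPECTED_NOISE; do
            case $path in "$prefix"*) noise=1 ;; esac
        done
        if [ "$noise" -eq 0 ]; then echo "$kind $path"; fi
    done
}

# Run the real check, keep the full report under LOGDIR (/var/log/aide by
# default), and return aide's own status so cron/monitoring can act on it.
run_check() {
    report=${1:-/var/log/aide/check-$(date +%Y%m%d%H%M%S).log}
    aide --check > "$report" 2>&1
    status=$?
    echo "AIDE: $(aide_status_text "$status") (full report: $report)"
    unexpected_changes < "$report"
    return "$status"
}

# Constructed excerpt in the report format shown in the article, used to
# exercise the filter without running aide.
SAMPLE_REPORT='---------------------------------------------------
Added files:
---------------------------------------------------

added: /var/www/html/uploads/.cache.php

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/aide.conf
changed: /var/log/audit/audit.log
changed: /var/log/lastlog'

case ${1:-} in
    --run) run_check ;;
    *) echo "Unexpected entries in the sample report:"
       printf '%s\n' "$SAMPLE_REPORT" | unexpected_changes ;;
esac
```

Run it with --run from cron as root; with no arguments it only filters the constructed sample, which leaves the new file under the web root and the edited /etc/aide.conf while dropping the audit log rotation and lastlog noise.  Keep the noise list short: every prefix you add is a place where a tampered file will no longer be reported.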

In conclusion, the Advanced Intrusion Detection Environment, or AIDE, can be a powerful tool in your arsenal to ensure that servers that should not be changing are not.  When properly implemented, you should never have a file out of place or modified in any way without knowing about it.

AIDE Homepage - http://aide.sourceforge.net/

OpenSuse AIDE Documentation - https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.aide.html