AIDE/en

AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system. AIDE scans files and other resources and stores information about them in a database. The stored information includes key file attributes such as the file's hash, size, ownership, modification time, creation time, and more. After the initial database has been created, AIDE rescans the system and compares the new scan results with the previously stored values. If the values differ, the file has been changed and the change will be reported. The idea behind AIDE is to create a snapshot of a system and later compare it with a newly created snapshot to find compromised files.

USE flags
It is easy to install aide after setting the USE flags accordingly.

USE flag changes specific to a certain package should be defined in the file, or in a text file inside the directory called. For example, when using a file:

Emerge
After the USE flags have been set, install the software:

Configuration
The configuration file for aide is not as daunting as it might seem at first sight. The default file is stored at but administrators can easily create multiple separate configuration files if necessary. Besides a few variables, the configuration file contains short-hand notations describing which aspects of files to record (only hashes, or also inode information, etc.), followed by the list of files and directories to scan.

Let's first look at the variables.

These parameters define where the database containing the known values is stored, and where a newly generated database is written. It is generally recommended not to have these variables point to the same location; instead, copy the generated database manually from one location to the other.

For now, leave those variables as they are; we will get back to them later.

The next file to consider is the file. The values of the variable are short-hand notations for what information to record in the database.

The letters are described in the default file, and the next table gives an overview of the most common ones.

Next is an overview of which directories to scan, and what to scan for. In the three-line example that follows, AIDE is instructed to scan the and directories using the measures identified in the short-hand notation variable. The file is checked against the scan measures defined in the variable above.

AIDE supports regular expressions, and matches can be "removed" again through exclusion rules. For instance, to scan but not , add an exclusion rule like so:

Initialization and frequent scanning
First, the database needs to be initialized once.

Once initialized, copy the database file over.

With the database now available, we can scan the entries again for potential modifications:

When a file has been modified, the change is reported:
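The selection rules from the Configuration section (a short-hand attribute set, regex rules, and a "!" exclusion) together with the init/check cycle above, modelled in a small added Python example. This is not AIDE's own code and does not replace it; it runs without aide installed so the mechanics can be followed on any directory. The attribute letters, the NORMAL set and the /etc and /etc/mtab rules are constructed for illustration, and the rule precedence (any "!" match excludes, otherwise the last matching regular rule applies) is a simplification of AIDE's.

```python
import hashlib, os, re, stat
from pathlib import Path

# Attribute letters in the spirit of AIDE's short-hand notations (constructed).
ATTRS = {
    "p": lambda st, data: stat.S_IMODE(st.st_mode),  # permissions
    "u": lambda st, data: st.st_uid,                 # owner
    "g": lambda st, data: st.st_gid,                 # group
    "s": lambda st, data: st.st_size,                # size
    "m": lambda st, data: st.st_mtime_ns,            # modification time
    "sha256": lambda st, data: hashlib.sha256(data).hexdigest(),
}
NORMAL = ["p", "u", "g", "s", "m", "sha256"]
# Constructed rules: scan /etc with NORMAL, except /etc/mtab. A pattern is a
# regex matched from the start of the path; a leading "!" excludes matches.
RULES = [("/etc", NORMAL), ("!/etc/mtab", None)]

def selected(path, rules):
    """Attributes to record for path, or None: "!" rules exclude, last regular match wins."""
    chosen = None
    for pattern, attrs in rules:
        if pattern.startswith("!"):
            if re.match(pattern[1:], path):
                return None
        elif re.match(pattern, path):
            chosen = attrs
    return chosen

def snapshot(root, rules):
    """Build the database: path (relative to root, leading slash) -> attributes."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            attrs = selected(rel, rules)
            if attrs is None:
                continue
            st = os.lstat(full)
            data = Path(full).read_bytes() if stat.S_ISREG(st.st_mode) else b""
            db[rel] = {a: ATTRS[a](st, data) for a in attrs}
    return db

def compare(old, new):
    """Report added, removed and changed entries, as 'aide --check' would."""
    changed = {}
    for path in set(old) & set(new):
        diff = sorted(a for a in old[path] if old[path][a] != new[path].get(a))
        if diff:
            changed[path] = diff
    return {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new)), "changed": changed}
```

Run `snapshot()` once to build the reference database, keep that result somewhere the live system cannot alter, and compare later snapshots against it with `compare()`.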

Be clear with what to scan
The default AIDE configuration is useful, but it needs to be fine-tuned to suit the users' needs. It is important to know which files to scan and why.

For instance, to scan for all authentication-related files but not for other files, use a configuration like so:

Keep the database offline and read-only
A second important aspect is that the result database should be stored offline when it is not needed, and used in read-only mode when it is. This offers some protection against a malicious user who has already compromised the machine and would otherwise be able to modify the results database as well. For instance, provide the result database on a read-only NFS mount (for servers) or on a read-only medium (when physical access to the machine is possible) such as a CD/DVD or a read-only USB stick.

After storing the database in such a location, update the file so that points to the new location.

Do offline scanning
If applicable, use offline scanning methods for the system. On virtual platforms it might be possible to take a snapshot of the system, mount that snapshot read-only, and then run the aide scan on the mounted file system.

The approach above uses a chroot. This is only needed when the initial file system scan was done from the live system and the administrator wants to perform an offline validation. If the initial scan was done offline, the file already points to the mount point and the database uses those paths directly, so there is no need for a chroot.

External resources

 * Tutorial on how to use AIDE (Linux.com)
 * Securing Linux with AIDE article (Symantec.com)