From Gentoo Wiki

AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system. AIDE scans files and other resources and stores information about these files in a database. Stored information includes key file attributes such as file hash output, file size, ownership, modification time, creation time, and more. After the initial database has been created, AIDE then rescans the system and compares new scan results with previously stored values. If values differ then the file has been changed and the change will be reported. The idea behind using AIDE is to create a snapshot of a system then compare the snapshot to another created snapshot to find compromised files.


USE flags

It is easy to install app-forensics/aide after setting the USE flags accordingly.

Optional USE flags for app-forensics/aide:
USE flag   Default   Recommended   Description
acl        Yes                     Add support for Access Control Lists
audit      No        Yes           Enable support for sys-process/audit
curl       No                      Add support for client-side URL transfer library
mhash      No        Yes           Add support for the mhash library
nls        Yes                     Add Native Language Support (using gettext - GNU locale utilities)
postgres   No                      Add support for the postgresql database
prelink    No                      Enable support for sys-devel/prelink
static     No                      !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
xattr      No        Yes           Add support for extended attributes (filesystem-stored metadata)
zlib       Yes                     Add support for zlib (de)compression

USE flag changes specific to a certain package should be defined in the /etc/portage/package.use file, or a text file inside a directory called /etc/portage/package.use. For example, when using a /etc/portage/package.use file:

FILE /etc/portage/package.use: Enable zlib support for AIDE
app-forensics/aide zlib


After the USE flags have been set, install the software:

root #emerge --ask app-forensics/aide


The configuration file for app-forensics/aide is not as daunting as it might seem at first sight. The default file is stored at /etc/aide/aide.conf but administrators can easily create multiple configuration files if necessary. Besides a few variables, the configuration file contains short-hand notations for what aspects of files to scan for (only hashes, or also inode information, etc.) and which files to scan.

Take a look at the database variables:

FILE aide.conf: AIDE database configuration variables

The first line in the example above (database) defines the location of the database that contains the known values. The second line (database_out) defines where to store the new database when another one is generated. It is generally recommended not to point both variables at the same database file. If one database is to overwrite another, the best method is to manually copy the generated database from one location to the other. For example, to overwrite the first database with the second, this command could be used:

root #cp /var/lib/aide/ /var/lib/aide/aide.db

For now, leave the database variables as they are; they will be covered in more detail later in the article.

The next part of the aide.conf file to consider defines the group variables. The values of these variables are short-hand notations for what information to record in the database.

FILE aide.conf: AIDE configuration using shorthand notation
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
It should be obvious that md5 and sha1 mean that MD5 and SHA-1 checksums are taken (respectively).

The letters are described in the default aide.conf file, but for convenience the following table provides an overview of the most common options:

Short Description
p Permissions
i inode number
n Number of (hard)links
u User information
g Group information
s Size
S Size (only report when the size is suddenly smaller - growing is allowed)
b Block count
m Modification time

Next is an overview of which directories to scan, and what to scan for. In the three-line example that follows, AIDE is instructed to scan the /bin and /sbin directories using the measures identified in the Binlib short-hand notation variable. The /var/log directory is scanned using the measures defined in the Logs variable above.

FILE aide.conf: Scan target options
/bin Binlib
/sbin Binlib
/var/log Logs

Scan targets are regular expressions, and users are allowed to "remove" matches again. For instance, to scan /var/log but not /var/log/portage, add an exclusion by placing a ! (exclamation point) before the excluded path(s):

FILE aide.conf: Other scan targets
/var/log Logs
!/var/log/portage
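As an added illustration, not part of the original wiki page and not AIDE's own code, the following Python models the configuration syntax shown in the two preceding sections: the group definitions (Binlib, Logs), the selection and ! exclusion lines, and the difference between s and S when two records of the same file are compared. The sample configuration is constructed inline, and the rule precedence is a simplification (a matching exclusion always wins, then the first matching selection line).

```python
import re
# Constructed sample configuration in the page's shorthand notation (added example).
SAMPLE_CONF = """\
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
/bin Binlib
/sbin Binlib
/var/log Logs
!/var/log/portage
"""

def parse_conf(text):
    """Return (groups, rules): groups maps a name to its attribute set; rules is a
    list of (compiled path regex, attribute set), with None marking a '!' exclusion."""
    groups, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=\s*(.+)$", line)
        if m:                                    # group definition, e.g. Logs = p+i+n+u+g+S
            attrs = set()
            for tok in m.group(2).split("+"):
                attrs |= groups.get(tok, {tok})  # a token may name an earlier group
            groups[m.group(1)] = attrs
        elif line.startswith("!"):               # exclusion: '!' before the path regex
            rules.append((re.compile(line[1:]), None))
        else:                                    # selection line: <path regex> <group>
            path, group = line.split(None, 1)
            rules.append((re.compile(path), groups[group]))
    return groups, rules

def attributes_for(path, rules):
    """Attribute set recorded for a path, or None if the path is not scanned.
    Regexes match from the start of the path (re.match), as AIDE anchors them.
    Simplified precedence: any matching '!' line excludes; else first selection wins."""
    hits = [attrs for rx, attrs in rules if rx.match(path)]
    return None if not hits or None in hits else hits[0]

def diff_entry(old, new, attrs):
    """Names of attributes that differ between two records of the same file.
    Records keep the size under 's'; the 'S' rule reports only a shrinking size."""
    changed = []
    for a in sorted(attrs):
        if a == "S" and new.get("s", 0) < old.get("s", 0):
            changed.append("S")                  # growth is allowed, shrinking is reported
        elif a != "S" and old.get(a) != new.get(a):
            changed.append(a)
    return changed
```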

Initialization and frequent scanning

For a basic AIDE setup, a database must be initialized. This is performed using the --init option. To make sure AIDE uses the configuration settings defined in the sections before, be sure to pass the --config option pointed to the correct configuration file:

root #aide --init --config=/etc/aide/aide.conf
AIDE, version 0.14.2
### AIDE database at /var/lib/aide/ initialized.

Once initialized, the newly generated database can be copied over to the location the database variable points to:

root #cd /var/lib/aide; cp aide.db

With a new database available, the entries can be scanned again (now or at a later date) using the --check option. This will create another database containing any modifications that have been made to the file system since the first database was created. Be sure to pass the --config option pointing to the same configuration file that the first database was created with:

root #aide --check --config=/etc/aide/aide.conf
AIDE, version 0.14.2
### All files match AIDE database. Looks okay!

If files were modified, the differences are reported:

root #aide --check --config=/etc/aide/aide.conf
AIDE found differences between database and filesystem!!
Start timestamp: 2013-04-11 15:31:02
  Total number of files:        318
  Added files:                  0
  Removed files:                0
  Changed files:                2
Changed files:
changed: /etc/pam.d
changed: /etc/pam.d/run_init
Detailed information about changes:
Directory: /etc/pam.d
  Mtime    : 2013-04-09 22:11:18              , 2013-04-11 15:31:01
  Ctime    : 2013-04-09 22:11:18              , 2013-04-11 15:31:01
File: /etc/pam.d/run_init
  Size     : 205                              , 208
  Mtime    : 2013-04-09 22:11:18              , 2013-04-11 15:31:00
  Ctime    : 2013-04-09 22:11:18              , 2013-04-11 15:31:01
  Inode    : 394203                           , 394053
  MD5      : Mm0KPzpPt63eqGClTJ/KaQ==         , eLUrP2BsIq25f3AZX+dlBA==
  SHA1     : NrQtsUeOsXS4RHUq+ejYBne5V6E=     , 5A6ef6VJCcMiqEjKQ7e9xkBNZB8=

Best practices

Be clear on what to scan

The default AIDE configuration is useful, but it needs to be fine-tuned to suit the users' needs. It is important to know which files to scan and why.

For instance, to scan for all authentication-related files but not for other files, use a configuration like so:

FILE aide.conf: Authentication-related scan targets
# SELinux policy and settings
/etc/selinux ConfFiles
# Authentication databases
/etc/passwd ConfFiles
/etc/shadow ConfFiles
/etc/nsswitch.conf ConfFiles
# Authentication configuration
/etc/pam.d ConfFiles
/etc/securetty ConfFiles
/etc/security ConfFiles
# PAM libraries
/lib(64)?/security Binlib

Keep the database offline and read-only

A second important aspect is that the result database should be stored offline when not needed and should be used in read-only mode when it is needed. This gives some protection against a malicious user who has compromised the machine and tries to modify the results database. For instance, provide the result database on a read-only NFS mount (for servers) or a read-only medium (when physical access to the machine is possible) such as a CD/DVD or a read-only USB drive.

After storing the database in a read-only location, update the aide.conf file so that the database variable points to this new location.

Do offline scanning

If applicable, try using offline scanning methods for the system. In case of virtual platforms, it might be possible to take a snapshot of the system, mount this snapshot (read-only) and then run the aide scan on the mounted file system.

root #losetup /dev/loop0 /srv/virt/gentoo.img
root #vgscan
root #vgchange -ay
root #mount -o ro /dev/volgrpX/volumeY /mnt/image
root #chroot /mnt/image
root #aide --check --config=/path/to/aide.conf
root #exit
root #umount /mnt/image
root #vgchange -an /dev/volgrpX
root #losetup -d /dev/loop0

The above approach uses chroot. This is only needed when the initial file system has been scanned from the live system and the administrator wants to perform an offline validation. If the initial scan was done offline, then the aide.conf file will point to the mount point already and the database will use these paths immediately, so then there is no need for chrooting.
