Advanced Intrusion Detection Environment (AIDE)

Security is becoming ever more important, especially with the increasing number of online threats. Advanced Intrusion Detection Environment (AIDE) is a package which monitors for file changes, including modifications to file contents and attributes. It will also alert on the addition and deletion of files when the relevant path is monitored. This tool can highlight possible intrusions on a Linux server.

To install AIDE on Red Hat or CentOS, simply use the yum package manager:

yum install aide

The relevant configuration for AIDE is located in /etc/aide.conf. The default configuration is suitable for a basic server; however, this is the file to edit when adding files or directories to monitoring, or removing them from it. For example, the line below shows how the sshd_config file is monitored (the trailing $ anchors the match to that exact path, and CONTENT_EX is the rule group that defines which attributes are checked):

/etc/ssh/sshd_config$ CONTENT_EX

To exclude a location from monitoring, prefix its path with an exclamation mark:

!/var/log/httpd/

Once the relevant configuration is in place, the AIDE database needs to be initialised.

aide --init

The database will be created upon completion. Move the database to the correct location so that it becomes the active baseline:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

To check for changes on the server, run aide with the check option:

aide --check

This will display whether any changes have been made to the server. It is advised to run this daily via a cron job. CottonLinux currently do this daily via cron and push notifications to Slack for any changes.

Files will get updated when routine activities are performed, such as applying security patches. AIDE will display which files have been modified, added or deleted when the check option is run.

When this occurs the database needs to be updated to include the modifications – if they are genuine. Run aide again using the update option and overwrite the database:

aide --update

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
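The daily cron check with a Slack notification described above, written out as an added example (this is not CottonLinux's own script). It decodes the exit status that aide --check returns (a bitmask: 1 = new files, 2 = removed files, 4 = changed files; 14 and above indicate an error) and only posts to Slack when the filesystem differs from the database. The SLACK_WEBHOOK_URL variable and the /var/log/aide report directory are assumptions.

```shell
#!/bin/sh
# Daily AIDE check wrapper for cron (added example, not part of the original post).
# Assumes SLACK_WEBHOOK_URL holds a Slack incoming-webhook URL (constructed name).

# Translate an aide --check exit status into a short human-readable summary.
describe_aide_status() {
    rc=$1
    if [ "$rc" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$rc" -ge 14 ]; then
        echo "aide error (exit $rc)"
        return 0
    fi
    # Exit codes 1-7 are a bitmask of the three change types.
    parts=""
    [ $((rc & 1)) -ne 0 ] && parts="${parts}new files, "
    [ $((rc & 2)) -ne 0 ] && parts="${parts}removed files, "
    [ $((rc & 4)) -ne 0 ] && parts="${parts}changed files, "
    echo "${parts%, }"
}

# Run the check, keep the full report on disk, and notify Slack only when
# something differs. Returns the aide exit status so cron's own mail/log sees it.
run_daily_aide_check() {
    mkdir -p /var/log/aide
    report="/var/log/aide/aide-$(date +%F).log"
    aide --check > "$report" 2>&1
    rc=$?
    summary=$(describe_aide_status "$rc")
    if [ "$rc" -ne 0 ] && [ -n "$SLACK_WEBHOOK_URL" ]; then
        # First 40 lines of the report, escaped for a JSON string (backslashes,
        # quotes, and newlines joined with literal \n).
        body=$(head -n 40 "$report" | sed 's/\\/\\\\/g; s/"/\\"/g' \
               | awk '{printf "%s\\n", $0}')
        curl -s -X POST -H 'Content-type: application/json' \
            --data "{\"text\":\"AIDE on $(hostname): ${summary}\\n${body}\"}" \
            "$SLACK_WEBHOOK_URL" > /dev/null
    fi
    return "$rc"
}
```

Install it with a crontab entry such as `0 3 * * * SLACK_WEBHOOK_URL=https://hooks.slack.com/... /usr/local/sbin/aide-daily.sh` after wrapping the call `run_daily_aide_check` at the end of the script.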

That is all there is to know. AIDE is a great tool in the security realm for Linux and one that should certainly be used in small environments.