
AIDE and security

This article is part two of a series of articles on Linux security. In part one, I discuss the Pluggable Authentication Modules (PAM) concept with an example of setting strong password conditions for a regular user to enhance that user's security. In this part, I discuss the Advanced Intrusion Detection Environment (AIDE). 

In Linux security, it is very important to keep track of data. As a sysadmin, you should know how to check the integrity of files and directories. You can do this with the AIDE tool.


AIDE also monitors file attributes such as permissions, ownership, and Security-Enhanced Linux (SELinux) context. If anyone modifies a specific file, you can detect the change with AIDE.

Introduction to AIDE

Advanced Intrusion Detection Environment (AIDE) is a powerful open source intrusion detection tool that uses predefined rules to check the integrity of files and directories on a Linux system. AIDE keeps its own database of file attributes and checks the integrity of files and directories against it.

AIDE helps you detect files that have recently been changed. You can keep track of files or directories and find out when someone modifies them. But the question arises: Is AIDE secure?

AIDE is secured by SELinux. SELinux confines the AIDE process with mandatory access control: it defines a process type (domain) for each process running on the system. The SELinux AIDE policy is very flexible, allowing users to run their AIDE processes in as secure a manner as possible.

AIDE Installation

AIDE is not installed by default on some Linux distributions. To install AIDE on your system, use the following command:

# yum install aide -y

You can check the version of AIDE using:

# aide -v

The AIDE configuration file is /etc/aide.conf. This file controls how the database is initialized and checked. Some rules are already predefined in it, such as PERMS, NORMAL, LSPP, and DATAONLY. Each rule is a named group of attributes to check, such as permissions, inode, number of links, ACLs, and SELinux context. One example of such a rule is:

PERMS = p+i+n+u+g+acl+selinux

 Where:

  • p : permission
  • i : inode
  • n : number of links
  • u : user (owner)
  • g : group
  • acl : access control list
  • selinux : SELinux security context

These rules define what AIDE tracks. If you apply the PERMS rule to a directory or file, all of the attributes it lists are recorded and monitored. You can also combine the declared rules into your own custom rules.

Before initializing the AIDE database, it is important to set rules for the directories or files you want to watch. You do this in the /etc/aide.conf file itself. Suppose you want to keep track of the /etc/passwd file: you apply a rule such as PERMS to that file, and AIDE then uses its database to check the integrity of the file.

AIDE Implementation

To implement AIDE on your system, you first initialize the database. AIDE then runs its integrity check by comparing the listed files and directories against this database. The database is generated in the /var/lib/aide directory. You can check the SELinux context of this directory using:

$ ls -ldZ /var/lib/aide

drwx------. 2 root root system_u:object_r:aide_db_t:s0 4096 Jul 31  2019 /var/lib/aide/

This directory has the aide_db_t context set by SELinux. This context marks files that are to be treated as AIDE database content. AIDE logs are stored in the /var/log/aide directory, which has the aide_log_t context.

To initialize the AIDE database, use the command: 

$ aide --init

This command generates a gzipped database file. You use this file for later integrity checks.

Suppose you need to monitor the /etc/hosts file so that, if someone adds an entry to it or otherwise modifies it in your absence, you can detect the change with AIDE.

After installing AIDE on your system, add an entry for the file to the /etc/aide.conf file with the rules you want. Suppose you need to monitor files for changes in permissions, group, ownership, and file access time. You then select a rule that covers all of these attributes.

Here the FIPSR rule is used because it combines the largest set of the standard attributes:

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

NOTE: Before writing anything to the aide.conf file, always make a backup. 

# cp /etc/aide.conf /etc/aide`date +%F`.conf

In the /etc/aide.conf file, add the filename together with this rule:

/etc/hosts       FIPSR

After this, initialize the database using the aide --init command. This writes a gzipped file named aide.db.new.gz into the AIDE database directory. Rename this file to aide.db.gz, the name under which AIDE reads the database:

$ mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

The database is now in the location where the integrity check expects it.

After AIDE is made aware of the current file system status, it can detect file system changes by comparing against the known status. To verify the integrity, use:

$ aide --check

This command gives you detailed output. If the /etc/hosts file was modified, the report clearly lists it as a changed file.

If you want to update the AIDE database after adding new entries to aide.conf, use:

$ aide --update

Like aide --init, this writes the fresh database to aide.db.new.gz, so move it into place as aide.db.gz in the same way before the next check.
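To make the init/check cycle above concrete, here is an added Python model (not code from the article or from the AIDE project) of what AIDE does with a handful of the rule letters from PERMS and FIPSR: it parses rule definitions and selection lines written in aide.conf syntax, records a baseline like aide --init, and reports which attributes changed like aide --check. It goes slightly beyond the page by letting one rule reference an earlier rule; acl, selinux and xattrs are deliberately not modelled, and the hosts-like file and its contents are constructed for the demo.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

ATTRS = {
    "p": lambda st, _: stat.S_IMODE(st.st_mode),  # permission bits
    "i": lambda st, _: st.st_ino,                 # inode
    "n": lambda st, _: st.st_nlink,               # number of links
    "u": lambda st, _: st.st_uid,                 # owner (user)
    "g": lambda st, _: st.st_gid,                 # group
    "s": lambda st, _: st.st_size,                # size
    "m": lambda st, _: st.st_mtime_ns,            # modification time
    "sha256": lambda _, p: hashlib.sha256(p.read_bytes()).hexdigest(),
}

def parse_conf(text):
    """'NAME = a+b+OTHER' defines a rule (OTHER may be an earlier rule); '/path NAME' selects a path."""
    rules, selections = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("/"):
            path, name = line.split()
            selections.append((Path(path), rules[name]))
        elif "=" in line:
            name, expr = (s.strip() for s in line.split("=", 1))
            rules[name] = set().union(*(rules.get(t, {t}) for t in expr.split("+")))
    return rules, selections

def snapshot(path, attrs):
    """Baseline entry for one path: the current value of each supported attribute."""
    st = path.lstat()
    return {a: ATTRS[a](st, path) for a in attrs if a in ATTRS}

def check(db, path, attrs):
    """Attribute letters whose current value differs from the stored baseline."""
    now = snapshot(path, attrs)
    return sorted(a for a in now if now[a] != db[path].get(a))

def demo():
    """Constructed scenario: baseline a hosts-like file, append a line to it, then chmod it."""
    path = Path(tempfile.mkdtemp()) / "hosts"
    path.write_text("127.0.0.1 localhost\n")
    rules, selections = parse_conf("PERMS = p+i+n+u+g+acl+selinux\n"
                                   f"FIPSR = PERMS+s+m+c+xattrs+sha256\n{path} FIPSR\n")
    db = {p: snapshot(p, a) for p, a in selections}   # the 'aide --init' step
    path.write_text(path.read_text() + "192.0.2.10 added-host\n")
    after_edit = check(db, path, rules["FIPSR"])      # the 'aide --check' step
    path.chmod(0o444)
    return after_edit, check(db, path, rules["FIPSR"])
```

Appending a line changes the size and checksum but not the inode or permissions; the chmod then shows up as a changed p attribute on top of those.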


Wrap up

In this article, you learned about the Advanced Intrusion Detection Environment (AIDE) and how it can be used to enhance Linux security. You can monitor files and directories and also check their integrity. The AIDE database helps you detect changes that occur on any files or directories.


About the author

Shiwani Biradar is an Associate Technical Support Engineer at Red Hat. She loves contributing to open source projects and communities. Shiwani never stops exploring new technologies. If you don't find her exploring technologies, you will find her exploring food. She is familiar with Linux, Cloud, and DevOps tools and enjoys technical writing, watching TV series, and spending time with family.
