AIDE, also called “Advanced Intrusion Detection Environment,” is a free and open-source file integrity monitoring tool for Linux-based systems. It monitors changes in your Linux system and notifies you of them via email. It uses several algorithms, including md5, sha1, rmd160, and tiger, to check file integrity. Generally, AIDE checks file permissions, inodes, modification time, file contents, user, group, file size, and more.
In this post, we will explain how to install and use AIDE on Oracle Linux 8.
Step 1 – Install AIDE
By default, the AIDE package is included in the Oracle Linux 8 default repository. You can install it by just running the following command:
dnf install aide -y
After the successful installation, you can see the AIDE package information using the following command:
rpm -qi aide
You should see the AIDE package information in the following output:
Name        : aide
Version     : 0.16
Release     : 14.el8_5.1
Architecture: x86_64
Install Date: Thursday 01 September 2022 08:39:20 AM EDT
Group       : Unspecified
Size        : 374719
License     : GPLv2+
Signature   : RSA/SHA256, Monday 07 February 2022 05:50:45 AM EST, Key ID 82562ea9ad986da3
Source RPM  : aide-0.16-14.el8_5.1.src.rpm
Build Date  : Monday 07 February 2022 05:14:29 AM EST
Build Host  : build-ol8-x86_64.oracle.com
Relocations : (not relocatable)
Vendor      : Oracle America
URL         : http://sourceforge.net/projects/aide
Summary     : Intrusion detection environment
Description :
AIDE (Advanced Intrusion Detection Environment) is a file integrity checker and intrusion detection program.
Step 2 – Initialize the AIDE Database
After installing AIDE, you will need to create a database for your current system state. You can create it with the following command:
aide --init
Once the AIDE database is created, you will get the following output:
Start timestamp: 2022-09-01 08:41:55 -0400 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:      120136

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : HrRHisua7lg4j9+Age/DDA==
  SHA1     : E96LC//yREmtEYUbjhI3Q5I//r8=
  RMD160   : bxdClGATptUZyMcmMOk/yiOWAbY=
  TIGER    : YPZ5DlnYs1b1rlAfL9XXou7d4VwxsNyJ
  SHA256   : Ys9VwAjaNQweueE8q8K276T16o/y9GY/
             jUhvHS68IOg=
  SHA512   : Ra6uKNRCCvXc3NRQvPcARkaGaEvF6qr9
             1qOZtJUsw24ksp416FX1FYVgN3r6Yo+3
             52IebFgabo6s7pDuJvv2Fg==

End timestamp: 2022-09-01 08:42:25 -0400 (run time: 0m 30s)
Next, copy your newly created database to the master database with the following command:
cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Next, verify the AIDE configuration using the following command:
aide -D
Next, check the database against your system baseline with the following command:
aide --check
You will get the following output:
Start timestamp: 2022-09-01 08:44:04 -0400 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Number of entries:      120136

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz
  MD5      : HrRHisua7lg4j9+Age/DDA==
  SHA1     : E96LC//yREmtEYUbjhI3Q5I//r8=
  RMD160   : bxdClGATptUZyMcmMOk/yiOWAbY=
  TIGER    : YPZ5DlnYs1b1rlAfL9XXou7d4VwxsNyJ
  SHA256   : Ys9VwAjaNQweueE8q8K276T16o/y9GY/
             jUhvHS68IOg=
  SHA512   : Ra6uKNRCCvXc3NRQvPcARkaGaEvF6qr9
             1qOZtJUsw24ksp416FX1FYVgN3r6Yo+3
             52IebFgabo6s7pDuJvv2Fg==

End timestamp: 2022-09-01 08:44:27 -0400 (run time: 0m 23s)
Step 3 – Verify AIDE
At this point, AIDE is installed and initialized. Next, create a few files and a directory on the system and confirm that AIDE reports them as changes.
First, create some files and a directory:
touch file1.txt file2.txt
mkdir test
Then run the check again:
aide --check
You should get detailed information about changes in the following output:
---------------------------------------------------
Directory: /root
  Linkcount: 3 | 4

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/file1.txt
f++++++++++++++++: /etc/fil2.txt
f++++++++++++++++: /etc/test

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz
  MD5      : HrRHisua7lg4j9+Age/DDA==
  SHA1     : E96LC//yREmtEYUbjhI3Q5I//r8=
  RMD160   : bxdClGATptUZyMcmMOk/yiOWAbY=
  TIGER    : YPZ5DlnYs1b1rlAfL9XXou7d4VwxsNyJ
  SHA256   : Ys9VwAjaNQweueE8q8K276T16o/y9GY/
             jUhvHS68IOg=
  SHA512   : Ra6uKNRCCvXc3NRQvPcARkaGaEvF6qr9
             1qOZtJUsw24ksp416FX1FYVgN3r6Yo+3
             52IebFgabo6s7pDuJvv2Fg==

/var/lib/aide/aide.db.new.gz
  MD5      : 5wuA8hCUYqQCrMwlx6/nYg==
  SHA1     : JTt9qJDtIG6/qHa3eVuB1nXz6Kw=
  RMD160   : 4GFuJ9U31dq5dXX9v4L6AhhrJMk=
  TIGER    : mZY55DEZQ5QnIhf7g8U4CimJ+uv/CmOT
  SHA256   : VNySUFAutZ1+PADn7gWjdogwo2vsAbb2
             Xw5Q/9lvU2A=
  SHA512   : u2KrVpQjk0YNg1uUcnzvqyhpX30UwyOH
             Vq6oIFAaLfs6trdwSp/ZymoVIsw4U+d7
             VLnngfdYUcihoDMLPsj5qA==

End timestamp: 2022-09-01 08:45:56 -0400 (run time: 0m 26s)
Once you have reviewed the changes and accepted them as legitimate, update the AIDE database with the following command (it writes a fresh /var/lib/aide/aide.db.new.gz, which you copy over aide.db.gz as in Step 2):
aide --update
Step 4 – Set Up AIDE Cron and Email Notification
AIDE also provides a pre-configured script that notifies you via email whenever any changes occur in your system. You can download the AIDE script with the following command:
wget https://rfxn.com/downloads/cron.aide -O aide_cron.sh
Next, set execution permissions on the downloaded script with the following command:
chmod +x aide_cron.sh
Next, edit the downloaded script file and define your email address to receive the email notification:
nano aide_cron.sh
Change the following line:
email="root@localhost,[email protected]"
Save and close the file, then edit the Cron file:
crontab -e
Define your script path to create a new Cron job:
00 01 * * * /root/aide_cron.sh
Save and close the file when you finish.
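If you prefer not to download a third-party script, the following wrapper, added here as an example and not code from the post or from rfxn, does the same job: it runs the check from cron, keeps the report on disk and mails it only when AIDE reports a change or fails, based on AIDE 0.16's exit status (0 = clean, bits 1/2/4 = new/removed/changed, 14 and above = error). The paths, the mailx `mail` command and the `run` argument are assumptions to adapt to your host.

```shell
#!/bin/sh
# Constructed example of an AIDE cron wrapper (not the rfxn cron.aide script).
# Runs `aide --check`, stores the report, decodes the exit status and mails the
# report only when something changed or the run itself failed.
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"        # assumed binary path
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"     # assumed report directory
MAILTO="${MAILTO:-root@localhost}"            # recipient, as in the post

# AIDE 0.16 exit status: 0 = no changes; bits 1/2/4 = new/removed/changed
# entries (they combine, e.g. 5 = new + changed); 14 and above = run failed.
describe_aide_status() {
  rc="$1"
  if [ "$rc" -eq 0 ]; then echo "no changes"; return 0; fi
  if [ "$rc" -ge 14 ]; then echo "error (exit $rc)"; return 0; fi
  out=""
  [ $((rc & 1)) -ne 0 ] && out="${out}new "
  [ $((rc & 2)) -ne 0 ] && out="${out}removed "
  [ $((rc & 4)) -ne 0 ] && out="${out}changed "
  echo "${out% }"
}

# True (exit 0) when the report should be mailed: anything but a clean run.
should_notify() {
  [ "$1" -ne 0 ]
}

run_check() {
  mkdir -p "$REPORT_DIR"
  report="$REPORT_DIR/check-$(date +%Y%m%d-%H%M%S).log"
  # Capture the exit status without letting `set -e` abort the script.
  if "$AIDE_BIN" --check >"$report" 2>&1; then rc=0; else rc=$?; fi
  summary="$(describe_aide_status "$rc")"
  if should_notify "$rc"; then
    # `mail` from mailx is assumed to be installed and configured.
    mail -s "AIDE on $(hostname): $summary" "$MAILTO" <"$report"
  fi
  # The baseline is never refreshed here: after reviewing a report, run
  # `aide --update` and copy aide.db.new.gz over aide.db.gz by hand (Step 3).
  return "$rc"
}

# Only run the check when invoked as `aide_cron.sh run` (e.g. from crontab);
# sourcing the file just defines the functions above.
if [ "${1:-}" = "run" ]; then
  run_check
fi
```

The matching crontab entry would be `00 01 * * * /root/aide_cron.sh run`; the saved reports in the report directory give you a history to compare against even if the mail is lost.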
Conclusion
In this post, we explained how to install AIDE on Oracle Linux 8. We also showed you how to use AIDE to monitor system changes and receive an email notification. You can now try AIDE on dedicated hosting from Atlantic.Net!