This tutorial covers installing and configuring AIDE on Ubuntu Linux. AIDE is a host-based intrusion detection system (HIDS) that checks the integrity of your critical files.
What is AIDE?
AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system (HIDS) that acts as a "digital watchman" for your critical files.
AIDE creates a unique fingerprint of your system (a database of file hashes, sizes, permissions, owners and other attributes) and warns of any unauthorized modification, from permission changes to tampered system binaries. It detects changes after the fact by comparing the current state with that database; it does not prevent them.
Installing AIDE on Ubuntu
To install AIDE on Ubuntu, let’s use the command below.
sudo apt install aide -y

During installation the Postfix configuration dialog appears, because the AIDE cron job uses a local mail transfer agent to send its daily reports by e-mail.
(The original post shows the Postfix dialog as a screenshot here.)
In this tutorial we will not send alert e-mails, so we leave Postfix unconfigured. If you want to configure Postfix properly, see the Postfix Tutorial linked from the original post.
AIDE initial configuration
Now that AIDE is installed, we can start to configure it. For this, we will edit the AIDE configuration file located at "/etc/aide/aide.conf".
Let’s use the command below to edit the AIDE configuration file.
sudo nano /etc/aide/aide.conf

In this file we can add directories that AIDE should monitor, or exclude directories from monitoring. Each rule is a regular expression matched against the file path from its beginning, and a rule covers the named path and everything below it.
As an example, suppose I do not want AIDE to monitor the "snap/firefox/common" directory in any user's home directory (Firefox's profile and cache data, which change constantly and would flood every report). For this, I would add the line below at the end of the "aide.conf" file.
!/home/[^/]+/snap/firefox/common

The leading "!" marks a negative rule: paths matching it are not added to the database and are not checked.
The pattern "/home/[^/]+/snap/firefox/common" matches "/snap/firefox/common" inside every user directory under "/home"; "[^/]+" matches exactly one path component, i.e. any user name.
Another example would be "!/var/log", which would exclude the "log" directory inside "/var" (and everything under it) from monitoring. Be deliberate with broad exclusions: anything an attacker drops into an excluded directory will not be noticed.
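To see which paths a rule actually covers before committing it to "aide.conf", the shell snippet below reproduces the two matching properties that matter: AIDE anchors every rule at the start of the path (an implicit "^"), and a rule matches the named path plus everything below it unless it ends with "$". This is an added example written for this page, not AIDE's own matcher: rule precedence and attribute groups are ignored, and the sample paths are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original tutorial): approximates how AIDE
# matches a selection-rule regex against a path, so you can see which
# files a negative rule such as "!/home/[^/]+/snap/firefox/common" skips.
# AIDE anchors every rule at the start of the path (an implicit "^") and
# a rule covers the named path and everything below it unless it ends
# with "$". Only that part of AIDE's behaviour is reproduced here; rule
# precedence and attribute groups (R, L, p+i+n+...) are ignored.

# rule_matches RULE PATH -> exit 0 if PATH falls under RULE
rule_matches() {
    _rule=$1
    _path=$2
    # AIDE rules are POSIX extended regular expressions anchored at "^".
    printf '%s\n' "$_path" | grep -Eq -e "^${_rule}"
}

# excluded_by NEGATIVE_RULE PATH -> prints "excluded" or "monitored".
# NEGATIVE_RULE is written exactly as in aide.conf, with its leading "!".
excluded_by() {
    _neg=${1#!}    # strip the "!" that marks a negative rule
    if rule_matches "$_neg" "$2"; then
        echo excluded
    else
        echo monitored
    fi
}

# Constructed sample paths (not from any real system) checked against the
# tutorial's rule and against the two /var/log variants.
demo() {
    for p in /home/alice/snap/firefox/common/.cache/x \
             /home/bob/snap/firefox/common \
             /home/alice/projects/snap/firefox/common/y \
             /root/snap/firefox/common; do
        printf '%-48s %s\n' "$p" "$(excluded_by '!/home/[^/]+/snap/firefox/common' "$p")"
    done
    # "!/var/log" is a prefix match and therefore also hides /var/log/syslog;
    # the regex in "!/var/log$" matches only the path /var/log itself.
    printf '%-48s %s\n' '/var/log/syslog (rule !/var/log)'  "$(excluded_by '!/var/log'  /var/log/syslog)"
    printf '%-48s %s\n' '/var/log/syslog (rule !/var/log$)' "$(excluded_by '!/var/log$' /var/log/syslog)"
}

demo
```

The third sample path shows why "[^/]+" is used rather than ".*": "/home/alice/projects/snap/firefox/common/y" stays monitored because "[^/]+" cannot cross a "/". Whether AIDE still descends into a directory whose own entry is excluded by a "$"-anchored rule is governed by AIDE's traversal rules, not by the regex alone; consult aide.conf(5) for that.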
Initializing the AIDE database
To initialize the AIDE database, which hashes every monitored file and records its attributes, let's use the command below.
sudo aideinit --force --config /etc/aide/aide.conf

Depending on your machine this may take a long time. Go get a snack.
The --config option ensures that AIDE uses the configuration file at "/etc/aide/aide.conf". When it finishes, the directory "/var/lib/aide/" should contain "aide.db", the database that later checks are compared against; if you only see "aide.db.new", copy it to "aide.db".
If you want, you can check the database files that were created with the command below.
sudo ls -alh /var/lib/aide/

Testing AIDE with a suspicious file
Now, let's create a suspicious file inside "/usr/bin/".
We are simulating an attacker who gained access to the machine and dropped a file called "bad_file" into "/usr/bin/". To create it, let's use the command below.
sudo touch /usr/bin/bad_file

Check with AIDE
Now, let's run the AIDE check and see whether it detects the file we placed in "/usr/bin/".
To perform the AIDE check we will use the command below.
sudo aide --check --config /etc/aide/aide.conf

The report lists the suspicious file, with its full path, in its "Added entries" section (the original post shows this output as a screenshot). Removed and modified files are reported in their own sections, and the command's exit status is non-zero whenever differences are found, which is what you check when running it from cron.

Updating the AIDE database
After a legitimate change to your files (a package upgrade, for example) you should update the AIDE database, otherwise every later check keeps reporting the same differences. For this, let's use the command below.
sudo aide --update --config /etc/aide/aide.conf
Note that --update performs a check and writes a fresh database to the output file ("/var/lib/aide/aide.db.new" on Ubuntu); it does not replace "aide.db" in place. Review the report first, and only once you are sure every reported change is legitimate copy "aide.db.new" over "aide.db". Updating blindly after an intrusion would bake the attacker's changes into the baseline.
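The check-then-update cycle above is usually run unattended, so the exit status of "aide --check" has to be interpreted and the new database has to be promoted carefully. The script below is an added example written for this page, not part of the tutorial or of the AIDE project. It assumes the Ubuntu paths ("/etc/aide/aide.conf", "/var/lib/aide/aide.db" and "aide.db.new") and the exit codes documented in aide(1): 1, 2 and 4 flag added, removed and changed entries (summed when combined), 14 and above are errors. The functions run without AIDE installed; the actual aide invocations only execute when the binary is present and the script runs as root.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of AIDE itself.
# Wraps the check/update steps so they can run from cron and so the new
# database is only promoted after a deliberate "update" invocation.
# Assumptions: Ubuntu paths (database_in=/var/lib/aide/aide.db,
# database_out=/var/lib/aide/aide.db.new) and aide(1) exit codes
# (1=added, 2=removed, 4=changed, combinations summed, >=14 errors).

AIDE_CONF=${AIDE_CONF:-/etc/aide/aide.conf}
AIDE_DIR=${AIDE_DIR:-/var/lib/aide}

# describe_status CODE -> one-line meaning of an "aide --check" exit status
describe_status() {
    _c=$1
    if [ "$_c" -eq 0 ]; then
        echo "clean: no differences against the database"
        return 0
    fi
    if [ "$_c" -ge 14 ]; then
        echo "error: aide failed (exit $_c), report is not trustworthy"
        return 0
    fi
    _msg="findings:"
    [ $(( $_c & 1 )) -ne 0 ] && _msg="$_msg added"
    [ $(( $_c & 2 )) -ne 0 ] && _msg="$_msg removed"
    [ $(( $_c & 4 )) -ne 0 ] && _msg="$_msg changed"
    echo "$_msg"
}

# promote_db DIR -> replaces DIR/aide.db with DIR/aide.db.new, keeping a
# timestamped backup of the old database so you can diff or roll back.
promote_db() {
    _dir=$1
    [ -s "$_dir/aide.db.new" ] || { echo "no new database in $_dir" >&2; return 1; }
    if [ -f "$_dir/aide.db" ]; then
        cp -p "$_dir/aide.db" "$_dir/aide.db.$(date +%Y%m%d%H%M%S).bak"
    fi
    mv "$_dir/aide.db.new" "$_dir/aide.db"
    chmod 0600 "$_dir/aide.db"   # the baseline is root-only data
}

# Only touch the real system when aide exists and we are root.
if command -v aide >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    case "${1:-check}" in
        check)
            if aide --check --config "$AIDE_CONF" > "$AIDE_DIR/last-check.log" 2>&1; then
                rc=0
            else
                rc=$?
            fi
            describe_status "$rc"
            if [ "$rc" -ge 1 ] && [ "$rc" -lt 14 ]; then
                echo "review $AIDE_DIR/last-check.log; run '$0 update' only if every change is legitimate"
            fi
            ;;
        update)
            # --update writes aide.db.new; promote it only if aide itself succeeded.
            if aide --update --config "$AIDE_CONF" > "$AIDE_DIR/last-update.log" 2>&1; then
                rc=0
            else
                rc=$?
            fi
            if [ "$rc" -lt 14 ]; then
                promote_db "$AIDE_DIR"
            else
                describe_status "$rc"
            fi
            ;;
    esac
fi
```

Run it as "sudo sh aide-run.sh" for a check and "sudo sh aide-run.sh update" to accept the current state as the new baseline. Keeping the timestamped ".bak" copies (ideally also off-box, since an attacker with root can edit the database as easily as the binaries it describes) lets you compare baselines during an investigation.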

Why do you need AIDE?
- Proactive security: detects backdoors, rootkits and malicious changes early, before intruders cause greater damage.
- Integrity monitoring: alerts on changes to sensitive file permissions (/etc/sudoers, /bin), modifications to system binaries (/usr/bin, /sbin), and suspicious file additions or removals.
- Compliance and audit: generates reports useful for meeting security standards, infrastructure audits and post-incident investigation.

Juliana Mascarenhas
Data Scientist, with a Master's in Computational Modeling from LNCC.
Computer Engineer