Introduction to the Advanced Intrusion Detection Environment (AIDE)

April 15, 2024

This introduction provides answers to the following questions:

  • What is an intrusion detection system?
  • What is AIDE?
  • How to install and configure it?
  • How to use AIDE?

For this introduction I used RHEL 9 as my operating system of choice, but AIDE is available for other Linux distributions as well.

In order to follow this introduction, you should be familiar with the basics of Linux system administration and at least know the following terms:

An intrusion detection system (IDS; also intrusion prevention system or IPS) is a device or software application that monitors a network or systems for malicious activity or policy violations.[1] Any intrusion activity or violation is typically either reported to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.[2]

IDS types range in scope from single computers to large networks.[3] The most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). A system that monitors important operating system files is an example of an HIDS, while a system that analyzes incoming network traffic is an example of an NIDS.

https://en.wikipedia.org/wiki/Intrusion_detection_system

AIDE belongs to the host-based intrusion detection systems.

Use cases

It is known from the previous section that AIDE is a host-based system for attack and intrusion detection for Linux systems. It is a low-cost tool that can be used to check the integrity of a system.

It should help the administrator to recognize whether files or directories of a system have been changed with regard to their content and/or their properties, e.g. file-system permissions, SELinux context, extended attributes, etc.

How does it work?

  • The files and directories to be monitored are determined by regular expressions in the configuration file.
  • A database is created based on these rules.
  • After initializing the database, AIDE can be used to check the integrity of the files and directories.
    • The initially created database serves as a reference.
    • During subsequent checks, a new database is created and compared with the reference database.
  • Changes to monitored files and directories are logged in the log file /var/log/aide/aide.log.

Weaknesses of AIDE and similar host-based intrusion detection systems

  • Program, configuration file(s), database and log file are located locally on the respective host.
  • Attackers who can modify local files can potentially also modify the files belonging to AIDE.
  • There is a risk that the integrity checks are not reliable when the IDS itself has been compromised.

To minimize these weaknesses, administrators should consider the following measures:

  • Send the log files to a central log host.
  • Save the AIDE reference database separately from the host to be monitored.
  • Save the AIDE configuration separately from the host to be checked as well to be able to compare them.

I will describe how these measures can be implemented in an upcoming article.

How does AIDE impact the way you work?

If, for example, configuration files below /etc are monitored by AIDE, every intended change is also logged. The program cannot distinguish between legitimate and unauthorized changes.

Therefore, the reference database must be updated after every legitimate change to prevent false positives during integrity checks.

I recommend integrating this update as a step in the configuration management workflow and letting an automated system such as Ansible handle this task. To me this appears to be less error-prone than doing it manually, where that step is likely to be forgotten.

The installation

AIDE can be installed from your distribution’s repositories. Here is an example for RHEL 9:

$ sudo dnf in aide
[sudo] password for tronde: 
Updating Subscription Management repositories.
Last metadata expiration check: 2:26:44 ago on Fri 08 Sep 2023 08:16:28 PM CEST.
Dependencies resolved.
================================================================================
 Package Arch      Version            Repository                           Size
================================================================================
Installing:
 aide    x86_64    0.16-100.el9       rhel-9-for-x86_64-appstream-rpms    154 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 154 k
Installed size: 354 k
Is this ok [y/N]:Code language: JavaScript (javascript)

The configuration

The configuration is done in a single configuration file (/etc/aide.conf). It contains the runtime configuration aide uses to initialize or check the AIDE database.

From the manpage aide.conf(5):

FILE FORMAT
       aide.conf is similar in to Tripwire(tm)'s configuration file. With lit‐
       tle effort tw.conf can be converted to aide.conf.

       aide.conf  is case-sensitive. Leading and trailing white spaces are ig‐
       nored.

       There are three types of lines in aide.conf. First there are  the  con‐
       figuration lines which are used to set configuration parameters and de‐
       fine/undefine variables. Second, there are (restricted) selection lines
       that are used to indicate which files are added to the database. Third,
       macro lines define or undefine variables within the config file.  Lines
       beginning with # are ignored as comments.

AIDE can monitor the following attributes or elements of files for changes:

#p:      permissions
#i:      inode
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#acl:           Access Control Lists
#selinux        SELinux security context
#xattrs:        Extended file attributes
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256:        sha256 checksum
#sha512:        sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksumCode language: PHP (php)

The following code block shows the definition of the two groups NORMAL and DIR (from the /etc/aide.conf in RHEL 9), which specify what attributes are to be monitored when the respective group is used in a rule.

NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512

# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrsCode language: PHP (php)

Which files and directories are to be included or excluded in the AIDE database is determined by regular expressions. The next code block shows three examples:

/etc NORMAL
=/var/log/ DIR
=/home DIR
!/devCode language: PHP (php)
  • The /etc directory and all files and directories below it are included in the AIDE database and linked to the rules from the NORMAL group
  • Only the directory /var/log/ and the files and directories directly below it are included in the AIDE database and linked to the DIR group; the contents of the subdirectories are not included in the database
  • Only /home is included, but not its contents
  • The directory /dev and all files and directories below it are not included in the AIDE database

Initialization of the AIDE database

Security and trust is always a tricky thing. It is best if trust is not required for security. I would therefore strongly advise you to check the AIDE configuration and adapt it to your own needs if necessary… Having said that, here am I, going directly against my own advice.

The scope of rules in the default configuration is so large that I cannot explain them all individually in this introduction. For the purpose of this introduction, I therefore trust that the distribution will deliver a sensible configuration.

$ sudo aide --init
Start timestamp: 2023-09-18 20:50:06 +0200 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:      54290

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : xOf5Bs/Hb2Caa5i2K41fbg==
  SHA1     : KoCkqwfe+oZ2rlQTAU+AWQBrt2I=
  RMD160   : eM6IC68wq1VRhDbyHhRqy+63ldI=
  TIGER    : lQC+UTBqUm0iEDdKA0u7THqAPLNQxegH
  SHA256   : vdzjqIr/m7FgjXdZLQG+D1Pvf75WlF17
             WYiA6gU+4Pg=
  SHA512   : EdMB0I92j05zlfjXHcJFasZCAvkrK9br
             6zQEcDfD4IDM8D9c1Sz0r7A5tJTKGXVZ
             AFCOJR65j66ihKB0suFS6w==


End timestamp: 2023-09-18 20:50:19 +0200 (run time: 0m 13s)

$ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gzCode language: PHP (php)

The database created is renamed by removing the ‘new’ from the file name.

The renamed file represents the reference database against which the aide --check command can be used to check whether there have been any changes to the file system.

In this article, I am content with the fact that the database is located on the host to be monitored and is therefore subject to the risk of being manipulated by an attacker (see section weaknesses above). I will address this in a follow-up article.

Integrity Check

The integrity check is initiated by running the command aide --check.

$ sudo aide --check
Start timestamp: 2023-09-26 19:54:59 +0200 (AIDE 0.16)                          
AIDE found differences between database and filesystem!!                        
                                                                                
Summary:                                                                        
  Total number of entries:      54290   
  Added entries:                0                                               
  Removed entries:              0                                               
  Changed entries:              3                                               
                                                                                
---------------------------------------------------                             
Changed entries:                                                                
---------------------------------------------------               
                                                                                
f = ...    . ..S : /var/log/insights-client/insights-client.log.3               
f < ...    . ... : /var/log/rhsm/rhsmcertd.log                                  
f < ...    . ... : /var/log/squid/cache.log                                     
                                                                                
---------------------------------------------------              
Detailed information about changes:
---------------------------------------------------                             
                                                                                
File: /var/log/insights-client/insights-client.log.3                            
  SELinux  : system_u:object_r:insights_clien | unconfined_u:object_r:insights_c
             t_var_log_t:s0                   | lient_var_log_t:s0
                                                                                
File: /var/log/rhsm/rhsmcertd.log                                               
  Size     : 1426                             | 1343                            
                                                                                
File: /var/log/squid/cache.log                                                  
  Size     : 6230                             | 334              
                                                                                
                                                                                
---------------------------------------------------
The attributes of the (uncompressed) database(s):                               
---------------------------------------------------                             
                                                                                
/var/lib/aide/aide.db.gz                                                        
  MD5      : xOf5Bs/Hb2Caa5i2K41fbg==   
  SHA1     : KoCkqwfe+oZ2rlQTAU+AWQBrt2I=                                       
  RMD160   : eM6IC68wq1VRhDbyHhRqy+63ldI=                                       
  TIGER    : lQC+UTBqUm0iEDdKA0u7THqAPLNQxegH                                   
  SHA256   : vdzjqIr/m7FgjXdZLQG+D1Pvf75WlF17                                   
             WYiA6gU+4Pg=                                                       
  SHA512   : EdMB0I92j05zlfjXHcJFasZCAvkrK9br                                   
             6zQEcDfD4IDM8D9c1Sz0r7A5tJTKGXVZ                     
             AFCOJR65j66ihKB0suFS6w==                                           
                                                                                
                                                                                
End timestamp: 2023-09-26 19:55:12 +0200 (run time: 0m 13s)Code language: JavaScript (javascript)

The integrity check in the above code block lists changes that were made to three files:

  • The SELinux label of a log file has been changed.
  • The size of two other log files has changed.
  • The changes are shown in a summary and in detail in the command output.
  • An explanation of the output under “Changed entries” can be found in the paragraph summarize_changes in aide.conf(5).
  • You receive information about what has changed, not why these changes have occurred

How to update the AIDE database

The aide --update command checks the database integrity and creates a new database /var/lib/aide/aide.db.new.gz. The existing reference database /var/lib/aide/aide.db.gz is not overwritten and is initially retained. If you want to keep it for a longer period, you can rename it and append a timestamp, for example. Then use

<code>mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</code>Code language: PHP (php)

to create a new reference database.

The following code block shows the output of aide --update on a RHEL 9 host.

~]# aide --update                                            
Start timestamp: 2023-09-26 20:13:52 +0200 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz
                                                                                
Summary:                                
  Total number of entries:      54290
  Added entries:                0
  Removed entries:              0    
  Changed entries:              3                                               
                                                                                
---------------------------------------------------
Changed entries:                                                                
---------------------------------------------------
                                                                                
f = ...    . ..S : /var/log/insights-client/insights-client.log.3
f < ...    . ... : /var/log/rhsm/rhsmcertd.log
f < ...    . ... : /var/log/squid/cache.log

---------------------------------------------------        
Detailed information about changes:                                             
---------------------------------------------------

File: /var/log/insights-client/insights-client.log.3                     [0/100]
  SELinux  : system_u:object_r:insights_clien | unconfined_u:object_r:insights_c
             t_var_log_t:s0                   | lient_var_log_t:s0
                                                                                
File: /var/log/rhsm/rhsmcertd.log                                               
  Size     : 1426                             | 1343                            
                                                                                
File: /var/log/squid/cache.log                                                  
  Size     : 6230                             | 334                             
                                        
                                                                                
---------------------------------------------------                             
The attributes of the (uncompressed) database(s):
---------------------------------------------------         
                                        
/var/lib/aide/aide.db.gz       
  MD5      : xOf5Bs/Hb2Caa5i2K41fbg==                                           
  SHA1     : KoCkqwfe+oZ2rlQTAU+AWQBrt2I=                                       
  RMD160   : eM6IC68wq1VRhDbyHhRqy+63ldI=              
  TIGER    : lQC+UTBqUm0iEDdKA0u7THqAPLNQxegH                                   
  SHA256   : vdzjqIr/m7FgjXdZLQG+D1Pvf75WlF17         
             WYiA6gU+4Pg=                                                       
  SHA512   : EdMB0I92j05zlfjXHcJFasZCAvkrK9br            
             6zQEcDfD4IDM8D9c1Sz0r7A5tJTKGXVZ                                   
             AFCOJR65j66ihKB0suFS6w==   
                                        
/var/lib/aide/aide.db.new.gz     
  MD5      : Dgoc1/L5F1UfXPAQRvMdTg==
  SHA1     : 23RFwEBIh0kw/3TiiVAh39Fzx0Q=                                       
  RMD160   : 1szie2CW1dyLmaKFg01j48Fr+Us=                                       
  TIGER    : TgdG3zNAOSZH2D9jkyvBves8PtjC0lCR      
  SHA256   : hjn9vxFxg4KoVwT3YvgU347EhvTCg5ey                                   
             lfktpr/OrcA=                                                       
  SHA512   : x6E3YPa0eILD3nZqDt6N755KSmPRFOz8                                   
             lhKD9CimYScSpxyoVxJAVWiozR8KUwkt                    
             Ao7mgy3BgtUA0MZuNMv43w==                                           
                                                                                

End timestamp: 2023-09-26 20:14:03 +0200 (run time: 0m 11s)
~]# ls -l /var/lib/aide                                      
total 6184                                                                      
-rw-------. 1 root root 3163359 Sep 18 20:50 aide.db.gz                         
-rw-------. 1 root root 3163384 Sep 26 20:14 aide.db.new.gzCode language: PHP (php)

The End

This is where the introduction to the Advanced Intrusion Detection Environment (AIDE) ends.

In this introduction, I have described what intrusion detection systems in general, and AIDE in particular, are. I have discussed their benefits and identified the weaknesses of AIDE as a host-based IDS. Installation, configuration, integrity check and updating the database were explained and illustrated with examples.

So what should we make of AIDE?

Well, it’s better than nothing. It is a tool that can be used to detect changes in the file system. However, you have to be aware of the weaknesses of host-based IDS. An attacker with local root access rights can render this tool harmless or conceal their own changes with little effort.

It is certainly possible to carry out an automated integrity check every 5 minutes and set up an e-mail notification for changes. But this seems a bit hacky. I will therefore take up this topic in a later article and show how AIDE can be integrated with Ansible.