Chapter 7.  Monitoring File-system Changes

Abstract

Goal

Detect and analyze changes to a server's file systems and their contents by using AIDE.

Sections
  • Detecting File-system Changes with AIDE (and Guided Exercise)

  • Investigating File-system Changes with AIDE (and Guided Exercise)

Lab
  • Monitoring File-system Changes

Detecting File-system Changes with AIDE

Objectives

  • Detect and identify changes to files on a system that has AIDE installed, and manage AIDE checks and the AIDE detection database.

Analyzing File-system Changes with AIDE

On an operating server, files are commonly added, removed, and modified in its file systems. However, unexpected changes to certain files, such as executable programs and configuration files, might indicate unauthorized modifications or other security issues. Therefore, Red Hat recommends that you monitor those files for changes to their content, permissions, or other characteristics.

Red Hat Enterprise Linux provides Advanced Intrusion Detection Environment (AIDE), a user-space utility that can help with this monitoring. AIDE monitors files for various changes including permission or ownership changes, content changes, and time stamp changes (modification or access time stamps).

Installing AIDE

The aide package is typically not installed by default. AIDE must be installed and configured, and its initial database built, before it can verify file systems. The following command installs AIDE on the system:

[root@host]# dnf install aide

Configuring AIDE

The configuration file for AIDE is the /etc/aide.conf file. This file controls which files AIDE monitors for changes, and what characteristics are monitored for each file. For example, by default, AIDE monitors most files in the /etc directory for permission changes only, but specific files are monitored more closely. As the security administrator, you might want to adjust exactly what AIDE monitors for different parts of your computer's file system.

Important

AIDE ships with a reasonably well-configured default /etc/aide.conf file that you might use to build an initial database. If you want or need to adjust exactly what AIDE monitors, you should modify the file before building or updating your AIDE database.

You can edit the /etc/aide.conf file to adjust the operational behavior of AIDE. Each line in the file is a directive. The file contains three types of lines: configuration lines, selection lines, and macro lines. Any line that starts with a number sign (#) is a comment and has no effect.

Configuration Lines

The configuration lines adjust the configuration parameters of AIDE. These lines either adjust the functional behavior of AIDE globally or set a group definition. Group definitions are used by selection lines to specify what characteristics of a file AIDE should monitor when detecting file-system changes.

The syntax of a configuration line is parameter = value. Configuration parameters include the following examples:

database

This configuration sets the location from which AIDE reads its database when it runs checks. This database is typically a local file.

database_out

This configuration sets the location to which AIDE writes its database when it is updated. This database is also usually a local file, and must be different from the input database.

gzip_dbout

If this parameter is set to yes, then AIDE compresses the database that it writes with gzip.

A configuration line can also create a group definition. Group definitions are used with selection lines to set the characteristics of the file to monitor. For example, the default /etc/aide.conf file has the following group definition:

PERMS = p+u+g+acl+selinux+xattrs

This group definition creates the PERMS group. If a selection line uses this group definition, then files selected by that line are monitored for changes to permissions (p), user (u), group (g), Access Control List permissions (acl), SELinux context (selinux), and file system Extended Attributes (xattrs).

The default configuration file has other important predefined group definitions. For example, the NORMAL group definition also monitors for changes in the SHA256 and SHA512 checksums, the size of the file, the inode number, the number of links to the file, the time stamps, and whether the file is growing. The default configuration file and the aide.conf(5) man page have more details on the built-in groups that are available for group definitions.

Selection Lines

The selection lines specify the files and directories that AIDE monitors, and the changes for which AIDE watches. Selection lines can be regular, equals, or negative.

A regular selection line consists of a regular expression that matches the absolute path to a file or directory, followed by the name of a group definition. Files and directories that match the regular expression are added to the AIDE database, with the checks that the line's group definition specifies. Because the regular expression is matched as a prefix, a regular expression (regex) such as /etc also matches, recursively, every file and directory in the /etc directory.

An equals selection line starts with an equal sign (=) followed by a regex and a group definition. AIDE records the files that match the regular expression, with all the checks that the line's group definition specifies. However, an equals selection line only matches the children of a directory if the regex ends with a forward slash (/), and the children of subdirectories are never matched recursively.

A negative selection line starts with an exclamation point (!) followed by a regular expression that matches the absolute path to a file or directory. AIDE does not monitor files or directories that match a negative selection line.

The following lines are examples of selection lines:

/etc   PERMS
=/testdir   PERMS
!/etc/mtab

The first line is a regular selection line that matches the /etc directory and recursively matches all files and directories in the /etc directory. This line applies the group definition PERMS to those files.

The second line is an equals selection line that matches exactly the /testdir directory, but does not match its subdirectories. This line also applies the group definition PERMS to that directory, but not to the files or subdirectories in that directory.

The third line is a negative selection line that tells AIDE not to monitor the /etc/mtab file.

Macro Lines

Macro lines set or clear variables, which are useful when a lengthy URL or file-system path is referenced in many places throughout the AIDE configuration file.

The following snippet from the AIDE configuration file shows sample macro lines:

@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide

These macro lines define the DBDIR and LOGDIR variables, which expand to the /var/lib/aide and /var/log/aide directories, respectively.

The following configuration line shows how a macro variable is referenced and expanded:

database=file:@@{DBDIR}/aide.db.gz

This line, which references the DBDIR macro, sets the database parameter to the value file:/var/lib/aide/aide.db.gz.
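To make the configuration-line, selection-line, and macro-line syntax concrete, the following script is an added example (not part of AIDE or of this course). It reads a small constructed aide.conf-style snippet, expands the @@{NAME} references that @@define macro lines introduce, and reports each remaining directive as a configuration line, a regular selection line, an equals selection line, or a negative selection line. The sample configuration and the output format are both assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not part of AIDE or the course): classify the directive
# types of an aide.conf-style file and expand @@define macros.

# Constructed sample configuration; it is not the real /etc/aide.conf.
SAMPLE_CONF='# comment: ignored
@@define DBDIR /var/lib/aide
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
PERMS = p+u+g+acl+selinux+xattrs
/etc   PERMS
=/testdir   PERMS
!/etc/mtab'

# classify_aide_conf reads a configuration on stdin and prints one line per
# directive, fields separated by tabs:
#   macro     NAME=VALUE
#   config    PARAMETER=VALUE        (group definitions are config lines too)
#   regular   REGEX  GROUP           (prefix match, recursive)
#   equals    REGEX  GROUP           (exact match, not recursive)
#   negative  REGEX                  (excluded from monitoring)
# Macro references (@@{NAME}) are replaced before a line is classified.
classify_aide_conf() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
        /^@@define[[:space:]]/ {
            macro[$2] = $3
            print "macro\t" $2 "=" $3
            next
        }
        {
            line = $0
            # Expand every known @@{NAME} reference (plain string replace, no regex).
            for (m in macro) {
                ref = "@@{" m "}"
                while ((p = index(line, ref)) > 0)
                    line = substr(line, 1, p - 1) macro[m] substr(line, p + length(ref))
            }
            if (line ~ /^!/) {
                print "negative\t" substr(line, 2)
                next
            }
            if (line ~ /^=/) {
                sub(/^=/, "", line); split(line, f)
                print "equals\t" f[1] "\t" f[2]
                next
            }
            if (line ~ /^\//) {
                split(line, f)
                print "regular\t" f[1] "\t" f[2]
                next
            }
            if (line ~ /^[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/) {
                split(line, kv, /[[:space:]]*=[[:space:]]*/)
                print "config\t" kv[1] "=" kv[2]
                next
            }
            print "unknown\t" line
        }'
}

# Run the classifier on the constructed sample.
printf '%s\n' "$SAMPLE_CONF" | classify_aide_conf
```

Running the script prints seven directives: one macro, three configuration lines (database, database_out, and the PERMS group definition, with the DBDIR references already expanded to /var/lib/aide), and the three selection lines from the examples above. The same awk logic can be pointed at the real /etc/aide.conf to review what it selects before building the initial database.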

Initializing the AIDE Database

After installing AIDE, ensure that AIDE is aware of the current status of the file system. AIDE uses the known state of the file system as a reference point to detect and report on file-system changes. Use the aide --init command to generate an initial AIDE database.

[root@host]# aide --init

Important

Ideally, build your AIDE database as soon as you can after installation, possibly as part of the provisioning process.

AIDE operates by comparing the current state of files to information about their expected state that is stored in the AIDE database. If there is no baseline database, AIDE has nothing it can use to determine the expected state of the system.

Verifying Integrity with AIDE

After you initialize AIDE, it can detect file-system changes (if any) by comparing the current state of the files against the recorded baseline. To manually perform an integrity check, run the following command as the root user:

[root@host]# aide --check

This command uses the AIDE configuration to compare the state of the system's files to the saved database. A report is printed on standard output and to the /var/log/aide/aide.log file by default.

In production environments, you should run AIDE checks periodically. If the AIDE database is kept on the local system, you might choose to use a cron job, a systemd timer unit, or another scheduler to run the AIDE checks automatically.

For example, you can set a cron job to run the AIDE integrity check every day at 5:00 PM by adding a file that contains the following line to the /etc/cron.d directory:

0 17 * * * root /usr/sbin/aide --check

You can additionally configure the crontab file to email the report to an administrator.
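The following wrapper script is an added example of how such a scheduled check can be made useful in practice; it is not AIDE's or Red Hat's code. It runs aide --check, keeps the full report on disk, and prints the report (with a one-line summary) only when AIDE found a change or failed, so that a cron.d entry with MAILTO set emails the administrator exactly when there is something to read. The script path, the report path, and the cron entry shown in the comments are assumptions; the exit-status decoding follows the aide(1) convention (1 = new files, 2 = removed files, 4 = changed files, sums for combinations, 14 and above for errors), which you should confirm against the man page of the installed version.

```shell
#!/bin/sh
# Added example (not AIDE's or RHEL's code): a wrapper for scheduled AIDE
# checks. Save it as, for instance, /usr/local/sbin/aide-check.sh (assumed
# path) and call it from a constructed /etc/cron.d/aide entry such as:
#   MAILTO=security@example.com
#   0 17 * * * root /usr/local/sbin/aide-check.sh
# cron mails whatever the job prints, so the report only reaches the mailbox
# when AIDE found a change or failed; a clean run stays silent.

AIDE=/usr/sbin/aide
REPORT=/var/log/aide/aide-check-last.txt   # assumed location for the last report

# aide_status_summary RC: describe an aide exit status in words.
# Decoding follows the aide(1) convention: bit 1 = new files, bit 2 =
# removed files, bit 4 = changed files (sums combine them); 14 and above
# are run-time errors such as an invalid configuration.
aide_status_summary() {
    rc=$1
    if [ "$rc" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$rc" -ge 14 ]; then
        echo "aide error (exit status $rc)"
        return 0
    fi
    parts=""
    [ $((rc & 1)) -ne 0 ] && parts="${parts}new files, "
    [ $((rc & 2)) -ne 0 ] && parts="${parts}removed files, "
    [ $((rc & 4)) -ne 0 ] && parts="${parts}changed files, "
    if [ -z "$parts" ]; then
        echo "unrecognized exit status $rc"
        return 0
    fi
    echo "${parts%, }"
}

# run_aide_check: run the integrity check, keep the full report on disk and
# print it (with a one-line summary) only when there is something to report.
# Returns aide's own exit status so a systemd timer or cron job sees failures.
run_aide_check() {
    if "$AIDE" --check > "$REPORT" 2>&1; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -ne 0 ]; then
        echo "AIDE check on $(hostname): $(aide_status_summary "$rc")"
        cat "$REPORT"
    fi
    return "$rc"
}

# Run the check only when executed as the script named above, so that
# sourcing this file for its functions has no side effects.
if [ "${0##*/}" = "aide-check.sh" ]; then
    run_aide_check
    exit $?
fi
```

Because the wrapper returns AIDE's own exit status, a systemd service unit that runs it will show as failed after a run that reported changes, which makes the result visible in systemctl and journalctl as well as in the mailed report.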

Updating the AIDE Database

You must update the AIDE database after expected changes are made to the system. For example, a package update or an authorized change to a configuration file might change time stamps, permissions, or checksums on monitored files. To prevent AIDE from reporting false positives, you must update the database to reflect these authorized changes. After confirming that all remaining changes reported by AIDE are authorized, run the following command to update the AIDE database:

[root@host]# aide --update

Important

Do not forget to replace the earlier database file with the updated file. Otherwise, AIDE continues to use the earlier database file as its baseline for checks.

The locations of these files are specified in your /etc/aide.conf file, as discussed earlier in this section. The database that is used for checks defaults to the /var/lib/aide/aide.db.gz file. By default, the --update option writes an updated database to the /var/lib/aide/aide.db.new.gz file.
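Because forgetting to replace the baseline is the common mistake here, the following function is an added example (not AIDE's code) of a safe way to promote the database that aide --update wrote. It refuses to act when the updated database is missing or empty, keeps a timestamped copy of the previous baseline, and only then moves the new file into place. The default paths are the ones stated above; pass different paths as arguments if your /etc/aide.conf sets database and database_out elsewhere. The backup naming scheme is an assumption.

```shell
#!/bin/sh
# Added example (not AIDE's code): promote the database that "aide --update"
# wrote into place as the new baseline, keeping a timestamped copy of the
# previous baseline.

# aide_promote_db [BASELINE] [UPDATED]
# Refuses to act when the updated database is missing or empty, so a failed
# or interrupted "aide --update" can never wipe out the existing baseline.
aide_promote_db() {
    db=${1:-/var/lib/aide/aide.db.gz}
    new=${2:-/var/lib/aide/aide.db.new.gz}

    if [ ! -s "$new" ]; then
        echo "aide_promote_db: no updated database at $new; run 'aide --update' first" >&2
        return 1
    fi
    if [ -e "$db" ]; then
        # Assumed naming: previous baseline kept beside the new one, e.g.
        # aide.db.gz.20240101120000.bak, so the old state can be compared later.
        backup="$db.$(date +%Y%m%d%H%M%S).bak"
        cp -p "$db" "$backup" || return 1
        echo "previous baseline saved as $backup"
    fi
    mv "$new" "$db" || return 1
    echo "new baseline installed at $db"
}

# Typical use, as root, after reviewing the report printed by "aide --update":
#   aide_promote_db
```

Keeping the old baseline file around is deliberate: if a change that was accepted during the update later turns out to be unauthorized, the earlier database can still be checked against with the database parameter pointed at the backup.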

References

aide(1) and aide.conf(5) man pages

For more information, refer to the Checking Integrity with Aide chapter in the Red Hat Enterprise Linux 9 Security Hardening guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/checking-integrity-with-aide_security-hardening

Revision: rh415-9.2-a821299