Guided Exercise: Detecting File-system Changes with AIDE

Install AIDE, perform an initial baseline scan, and then change files on a monitored file system to explore how AIDE detects and reports those changes.

Outcomes

  • Install the aide package.

  • Modify the /etc/aide.conf configuration file.

  • Perform an initial baseline scan.

  • Detect changes made to files after the baseline scan with a subsequent scan.

  • Update the AIDE database to accept approved changes to the file system.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start aide-detecting

Instructions

  1. From the workstation machine, log in to the servera machine as the student user.

    [student@workstation ~]$ ssh student@servera
    [student@servera ~]$
  2. Change to the root user and install the aide package.

    1. Change to the root user. Use student as the password.

      [student@servera ~]$ sudo -i
      [sudo] password for student: student
      [root@servera ~]#
    2. Install the aide package.

      [root@servera ~]# dnf install aide
      Last metadata expiration check: 2:09:21 ago on Fri Oct 13 16:30:57 2023.
      Dependencies resolved.
      ========================================================================
       Package    Architecture Version               Repository          Size
      ========================================================================
      Installing:
       aide  x86_64  0.16-100.el9  rhel-9.2-for-x86_64-appstream-rpms    154 k
      
      Transaction Summary
      ========================================================================
      ...output omitted...
      Is this ok [y/N]: y
      ...output omitted...
      Complete!
  3. Edit the /etc/aide.conf configuration file so that AIDE monitors the existing /etc/ directory and a new /testdir/ directory for changes to permissions or file content. Use regular selection lines so that the contents of those directories are also monitored. Remove all other selection lines that are not associated with the mentioned directories.

    The CONTENT_EX group definition is provided in the default /etc/aide.conf file. Any selection line that uses the CONTENT_EX definition monitors the selected files for any change in content, Linux file type, number of links, ownership, permissions, SELinux context, and extended attributes.

    The two selection lines configure AIDE to monitor any object that is within the hierarchy of the /etc and /testdir directories in the file system by using the checks specified by the CONTENT_EX group definition.

    Note

    You remove the other selection lines to speed up preparation of the AIDE database for this exercise. With this configuration change, AIDE analyzes only a handful of the files on the system. In practice, you might decide to keep or adjust the default selection lines, rather than remove them.

    [root@servera ~]# cat /etc/aide.conf
    ...output omitted...
    # Extended content + file type + access.
    CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs
    
    # Some files get updated automatically, so the inode/ctime/mtime change
    # but we want to know when the data inside them changes
    DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
    
    # Next decide what directories/files you want in the database.
    
    /etc           CONTENT_EX
    /testdir       CONTENT_EX
  4. Create the /testdir directory.

    [root@servera ~]# mkdir /testdir
  5. Initialize the AIDE database by using the aide --init command. The command performs an initial baseline scan, which generates a new AIDE database that records the current state of the file-system hierarchy.

    [root@servera ~]# aide --init
    Start timestamp: 2023-10-16 16:19:50 -0400 (AIDE 0.16)
    AIDE initialized database at /var/lib/aide/aide.db.new.gz
    
    Number of entries:	969
    
    ---------------------------------------------------
    The attributes of the (uncompressed) database(s):
    ---------------------------------------------------
    
    /var/lib/aide/aide.db.new.gz
      MD5      : ABeCgEmptsRtz8E9ATuD5Q==
      SHA1     : iPFfNp932eaD8ZzN6YKJEi6SNqU=
      RMD160   : 3p7OYvccf1dpF/dT0LeYJ2LGWNE=
      TIGER    : YveonafhD6gSwiZ2mCs+3iv/j5HplTny
      SHA256   : dU6dXIsP556LyrqirQWfw8WSJb+r/N2L
                 eAl47C37qXU=
      SHA512   : ir/ETdTvPy/ctA+vNCSyddQ1c/yP8nh5
                 nrl34sYPAmVbvah6bETZfCVSACbE1+WI
                 MBBN4CSLlzSAXiqJXswIlQ==
    
    
    End timestamp: 2023-10-16 16:19:51 -0400 (run time: 0m 1s)
  6. Rename the new AIDE database file from /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz so that AIDE uses the newly generated file as the current database. The file name of any new database that is generated, and that of the database used by AIDE, are set in the /etc/aide.conf configuration file by default.

    [root@servera ~]# mv /var/lib/aide/aide.db.new.gz \
    /var/lib/aide/aide.db.gz
  7. Determine the current status of the machine's file systems.

    AIDE reports that there are no changes to the files and directories that it monitors.

    [root@servera ~]# aide --check
    Start timestamp: 2023-10-16 16:21:42 -0400 (AIDE 0.16)
    AIDE found NO differences between database and filesystem. Looks okay!!
    
    Number of entries:	969
    
    ---------------------------------------------------
    The attributes of the (uncompressed) database(s):
    ---------------------------------------------------
    
    /var/lib/aide/aide.db.gz
      MD5      : ABeCgEmptsRtz8E9ATuD5Q==
      SHA1     : iPFfNp932eaD8ZzN6YKJEi6SNqU=
      RMD160   : 3p7OYvccf1dpF/dT0LeYJ2LGWNE=
      TIGER    : YveonafhD6gSwiZ2mCs+3iv/j5HplTny
      SHA256   : dU6dXIsP556LyrqirQWfw8WSJb+r/N2L
                 eAl47C37qXU=
      SHA512   : ir/ETdTvPy/ctA+vNCSyddQ1c/yP8nh5
                 nrl34sYPAmVbvah6bETZfCVSACbE1+WI
                 MBBN4CSLlzSAXiqJXswIlQ==
    
    
    End timestamp: 2023-10-16 16:21:42 -0400 (run time: 0m 0s)
  8. Create the /testdir/testfile file.

    [root@servera ~]# touch /testdir/testfile
  9. View the changed status of the machine's file systems.

    AIDE reports that the /testdir/testfile file has been added. No files have been removed or changed.

    [root@servera ~]# aide --check
    Start timestamp: 2023-10-16 16:24:59 -0400 (AIDE 0.16)
    AIDE found differences between database and filesystem!!
    
    Summary:
      Total number of entries:	970
      Added entries:		1
      Removed entries:		0
      Changed entries:		0
    
     ---------------------------------------------------
    Added entries:
     ---------------------------------------------------
    
    f++++++++++++++++: /testdir/testfile
    
     ---------------------------------------------------
    The attributes of the (uncompressed) database(s):
     ---------------------------------------------------
    
    /var/lib/aide/aide.db.gz
      MD5      : ABeCgEmptsRtz8E9ATuD5Q==
      SHA1     : iPFfNp932eaD8ZzN6YKJEi6SNqU=
      RMD160   : 3p7OYvccf1dpF/dT0LeYJ2LGWNE=
      TIGER    : YveonafhD6gSwiZ2mCs+3iv/j5HplTny
      SHA256   : dU6dXIsP556LyrqirQWfw8WSJb+r/N2L
                 eAl47C37qXU=
      SHA512   : ir/ETdTvPy/ctA+vNCSyddQ1c/yP8nh5
                 nrl34sYPAmVbvah6bETZfCVSACbE1+WI
                 MBBN4CSLlzSAXiqJXswIlQ==
  10. Modify the permissions of the /etc/shadow file to 644 (which is read and write for the user, and read-only for the group and other).

    [root@servera ~]# chmod 644 /etc/shadow
  11. Determine the current status of the machine's file systems.

    AIDE reports that the permissions of the /etc/shadow file have changed and indicates what those changes are. AIDE still reports about the newly created /testdir/testfile file.

    [root@servera ~]# aide --check
    Start timestamp: 2023-10-16 16:27:35 -0400 (AIDE 0.16)
    AIDE found differences between database and filesystem!!
    
    Summary:
      Total number of entries:	970
      Added entries:		1
      Removed entries:		0
      Changed entries:		1
    
     ---------------------------------------------------
    Added entries:
     ---------------------------------------------------
    
    f++++++++++++++++: /testdir/testfile
    
     ---------------------------------------------------
    Changed entries:
     ---------------------------------------------------
    
    f   p..    ..A.. : /etc/shadow
    
     ---------------------------------------------------
    Detailed information about changes:
     ---------------------------------------------------
    
    File: /etc/shadow
      Perm     : ----------                       | -rw-r--r--
      ACL      : A: user::---                     | A: user::rw-
                 A: group::---                    | A: group::r--
                 A: other::---                    | A: other::r--
    
    
     ---------------------------------------------------
    The attributes of the (uncompressed) database(s):
     ---------------------------------------------------
    
    /var/lib/aide/aide.db.gz
      MD5      : ABeCgEmptsRtz8E9ATuD5Q==
      SHA1     : iPFfNp932eaD8ZzN6YKJEi6SNqU=
      RMD160   : 3p7OYvccf1dpF/dT0LeYJ2LGWNE=
      TIGER    : YveonafhD6gSwiZ2mCs+3iv/j5HplTny
      SHA256   : dU6dXIsP556LyrqirQWfw8WSJb+r/N2L
                 eAl47C37qXU=
      SHA512   : ir/ETdTvPy/ctA+vNCSyddQ1c/yP8nh5
                 nrl34sYPAmVbvah6bETZfCVSACbE1+WI
                 MBBN4CSLlzSAXiqJXswIlQ==
    
    
    End timestamp: 2023-10-16 16:27:35 -0400 (run time: 0m 0s)
  12. Restore the file permissions of the /etc/shadow file to 000 (which is no access for the user, group, or other).

    [root@servera ~]# chmod 000 /etc/shadow
  13. Determine the current status of the file system.

    After restoring the file permissions of the /etc/shadow file, AIDE no longer reports that it has changed. AIDE still reports about the newly created /testdir/testfile file, because that change has not been reverted.

    Note

    If the CONTENT_EX group definition included the c group to monitor ctime (status change time stamp) updates, then the /etc/shadow file would still report a change, because ctime is updated when permissions are changed.

    That time stamp is separate from the mtime (modification time stamp) that AIDE monitors with the m group, and which shows up in default ls -l listings to indicate when the contents of the file last changed.

    [root@servera ~]# aide --check
    Start timestamp: 2023-10-16 16:32:10 -0400 (AIDE 0.16)
    AIDE found differences between database and filesystem!!
    
    Summary:
      Total number of entries:	970
      Added entries:		  1
      Removed entries:		0
      Changed entries:		0
    
     ---------------------------------------------------
    Added entries:
     ---------------------------------------------------
    
    f++++++++++++++++: /testdir/testfile
    
     ---------------------------------------------------
    The attributes of the (uncompressed) database(s):
     ---------------------------------------------------
    
    /var/lib/aide/aide.db.gz
      MD5      : ABeCgEmptsRtz8E9ATuD5Q==
      SHA1     : iPFfNp932eaD8ZzN6YKJEi6SNqU=
      RMD160   : 3p7OYvccf1dpF/dT0LeYJ2LGWNE=
      TIGER    : YveonafhD6gSwiZ2mCs+3iv/j5HplTny
      SHA256   : dU6dXIsP556LyrqirQWfw8WSJb+r/N2L
                 eAl47C37qXU=
      SHA512   : ir/ETdTvPy/ctA+vNCSyddQ1c/yP8nh5
                 nrl34sYPAmVbvah6bETZfCVSACbE1+WI
                 MBBN4CSLlzSAXiqJXswIlQ==
    
    
    End timestamp: 2023-10-16 16:32:10 -0400 (run time: 0m 0s)
  14. Implement a cron job to automatically run AIDE to check the current status of the file systems and to log the results. The job should run as the root user at midnight weekly, and log to the /var/log/aide.log file. Create a file named /etc/cron.d/aide that contains the following entry.

    Automating the check in this way lets administrators monitor the file system periodically for changes and merge the accepted changes into the AIDE database.

    Note

    Alternatively, you can use a systemd timer unit to automate AIDE checks. This guided exercise uses a cron job for simplicity.

    [root@servera ~]# cat /etc/cron.d/aide
    0 0 */7 * * root /sbin/aide --check >> /var/log/aide.log
  15. Generate an updated AIDE database to accept the changes that you made to the machine's file systems. Rename the newly generated aide.db.new.gz file to aide.db.gz to ensure that AIDE uses the correct database to detect file-system changes.

    [root@servera ~]# aide --update
    ...output omitted...
    [root@servera ~]# mv /var/lib/aide/aide.db.new.gz \
        /var/lib/aide/aide.db.gz
    mv: overwrite '/var/lib/aide/aide.db.gz'? y
  16. Confirm that you successfully updated the AIDE database to reflect the changes to the machine's file systems.

    [root@servera ~]# aide --check
    Start timestamp: 2023-10-16 17:07:04 -0400 (AIDE 0.16)
    AIDE found NO differences between database and filesystem. Looks okay!!
    
    Number of entries:	970
    
    ---------------------------------------------------
    The attributes of the (uncompressed) database(s):
    ---------------------------------------------------
    
    /var/lib/aide/aide.db.gz
      MD5      : y9vF6r0VgqjaXGoR6GBkZQ==
      SHA1     : hoxPWkyBmq5p4eJkpV0fGtObOns=
      RMD160   : hABCAxJLUYb8EkniRLV3yNKz/CQ=
      TIGER    : Nnm8ZtrSDOlnJWQ2ee1hH/3/mreszTo3
      SHA256   : LPRnIC4br2m+9fNBYiZnQd3p3X2cFSIz
                 Hsav+nIsrbg=
      SHA512   : 6JEfse5zl37j9f4J57h/GNfUXVq1+3dp
                 YAWGM6oU8xy26CX7y5Sja+YDzA8ojMeH
                 wPcvQm97nrudBhB51ZdCCw==
    
    
    End timestamp: 2023-10-16 17:07:04 -0400 (run time: 0m 0s)
  17. Return to the workstation machine as the student user.

    [root@servera ~]# logout
    [student@servera ~]$ logout
    Connection to servera closed.
    [student@workstation ~]$
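The cron job in step 14 appends the full AIDE report to /var/log/aide.log on every run. The following shell script is an added example, not part of the RH415 exercise or of AIDE itself: it parses the report format shown in step 11 (the Summary counts and the Added/Removed/Changed entry sections) into a compact log line plus the affected paths, and returns a non-zero status when anything differs from the database. The function names and the sample report are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the RH415 exercise): summarise an `aide --check` report
# for logging; assumed cron use: /sbin/aide --check | aide_verdict >> /var/log/aide.log
# Constructed sample report, modelled on the step 11 output above.
SAMPLE_REPORT='Summary:
  Added entries:		1
  Removed entries:		0
  Changed entries:		1

 ---------------------------------------------------
Added entries:
 ---------------------------------------------------

f++++++++++++++++: /testdir/testfile

 ---------------------------------------------------
Changed entries:
 ---------------------------------------------------

f   p..    ..A.. : /etc/shadow
'

# Count from the Summary block: $1 = report text, $2 = Added|Removed|Changed.
aide_count() {
    printf '%s\n' "$1" | awk -v key="$2 entries:" \
        '$0 ~ ("^[[:space:]]+" key) { print $NF; exit }'
}

# Paths in one section ($2 = Added|Removed|Changed). Entry lines read
# "f++++++++++++++++: /testdir/testfile" or "f   p..    ..A.. : /etc/shadow".
aide_paths() {
    printf '%s\n' "$1" | awk -v sec="$2 entries:" '
        $0 == sec            { insec = 1; next }
        insec && /^ *-+$/    { if (++dashes == 2) exit; next }
        insec && /: \//      { sub(/^[^:]*: /, ""); print }'
}

# Read a report on stdin, log one summary line plus the paths, return 1 on any change.
aide_verdict() {
    rpt=$(cat)
    na=$(aide_count "$rpt" Added); nr=$(aide_count "$rpt" Removed)
    nc=$(aide_count "$rpt" Changed)
    printf '%s aide: added=%s removed=%s changed=%s\n' \
        "$(date +%FT%T)" "${na:-0}" "${nr:-0}" "${nc:-0}"
    for sec in Added Removed Changed; do
        aide_paths "$rpt" "$sec" | sed "s/^/  $sec: /"
    done
    [ "$(( ${na:-0} + ${nr:-0} + ${nc:-0} ))" -eq 0 ]
}
```

A report with no differences, such as the step 16 output, yields added=0 removed=0 changed=0 and exit status 0, so the function's return value can drive an alert from the cron job rather than requiring someone to read the log.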

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish aide-detecting

Revision: rh415-9.2-a821299