Configuring AIDE


AIDE, like many other Linux applications, operates using a configuration file. The configuration file is plain text and tells the program what to check and how to behave when it runs. The first time you run AIDE you'll create and initialize the database that will be used for future checks of the filesystem's integrity. You then check that database over manually for sanity, and from then on you'll run an update process that looks for changes that occur on the filesystem.

Creating an AIDE Configuration File

After AIDE has been installed, the first thing you'll want to do is create a configuration file. Unlike most other software in Linux, AIDE doesn't include a default configuration file from which you can build a customized version. There is a sample configuration file in the <AIDE-source>/doc/ directory, but it explicitly states that you shouldn't use it as a system-wide configuration file. Therefore, you'll have to build one of your own. Don't worry, I'm here to help.

The AIDE configuration file is normally called aide.conf and is located in /etc/. Comments within the AIDE configuration file begin with a pound sign (#). There are three categories of lines within the AIDE configuration file: configuration lines, macro lines, and selection lines. The heart of the AIDE configuration file is the selection lines that you use to determine what objects on the filesystem will be monitored. Configuration lines are also important in determining how AIDE will operate, and macro lines are important for creating advanced configurations. AIDE uses a series of parameter=value directives to indicate the type of checking to perform on a given object. Table 12.1 lists those directives.

Table 12.1. AIDE Configuration Directives

    DIRECTIVE   DESCRIPTION
    p           permissions
    i           inode
    n           number of links
    u           user
    g           group
    s           size
    b           block count
    m           Mtime
    a           Atime
    c           Ctime
    S           check for growing size
    md5         md5 checksum
    sha1        sha1 checksum
    rmd160      rmd160 checksum
    tiger       tiger checksum
    R           p+i+n+u+g+s+m+c+md5
    L           p+i+n+u+g
    E           Empty group
    >           Growing logfile: p+u+g+i+n+S
    haval       haval checksum
    gost        gost checksum
    crc32       crc32 checksum


AIDE also enables the administrator to define custom groups built from the default groups and individual checks. Doing so can save you time and improve the readability of the configuration file. You might use a custom group to combine commonly used checks under one name. For example, to create a group called MyGroup with commonly used types of checks, it's as simple as this:

    MyGroup = p+i+n+m+md5

These groupings, whether default or custom, are used to determine the type of check that will be performed on a given selection. You also configure the files and directories to be checked using a selection line in the configuration file. Selection lines consist of the object to be checked together with the type of check to be performed. The object can be a file, a directory, a regular expression, or more commonly a combination of a file along with some regular expression syntax. I'll take a glance at regular expressions in a later section, but for now I'll show simple examples of the selection process.

The following selection line would examine everything in the /etc directory, specifically looking at the number of links, the user who owns a given file, the group who owns a given file, and the size of the file:

    /etc n+u+g+s

A change to one of those attributes that occurs unexpectedly might indicate tampering. The next example uses a custom group called MyGroup as the check for the files within the /bin directory:

    /bin MyGroup

Objects can be ignored or skipped by using an exclamation point (!), as in the following example, which causes AIDE to ignore everything in /var/log:

    !/var/log/.*

Ignoring objects that change frequently can drastically reduce the number of irrelevant lines that appear in the AIDE report. However, be careful not to ignore too much; otherwise, you might miss important filesystem changes.

Rule lines in the configuration file use regular expressions to enable powerful matching capabilities. Don't worry if you're not familiar with the black magic involved in regular expressions; I'll go easy on you here.

A primary concern with matching files in AIDE is that you don't leave room for an attacker to circumvent the file integrity checker. This could occur if you specified a filename without fully qualifying the file. For example, if you wanted to skip checking a file in the /var/log/ directory because it changes, you might use this (seemingly correct) syntax:

    !/var/log/maillog

However, due to the regular expression matching that occurs, an attacker could create a file called this:

    /var/log/maillog.crack

Because you've excluded /var/log/maillog already, AIDE will not check anything that begins with /var/log/maillog. To solve this problem you add a dollar sign ($) to the end of the pattern. In regular expression syntax, a $ matches the end of the line, so the pattern now matches only the exact path /var/log/maillog and nothing that merely begins with it, giving you the most specific match for that exclusion:

    !/var/log/maillog$
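To make the difference between the two exclusion spellings concrete, here is a small Python model of AIDE's selection matching, added as an illustration and not taken from AIDE's own code. It assumes, as AIDE does, that rule regexes are anchored at the start of the path, and it simplifies precedence to "longest matching selection line wins"; the configuration fragment it parses is constructed from this section's examples plus a constructed `/var/log L` line so that some rule covers the log directory at all.

```python
import re

# Built-in groups from Table 12.1 ('>' is the growing-logfile group).
BUILTIN_GROUPS = {"R": "p+i+n+u+g+s+m+c+md5", "L": "p+i+n+u+g", ">": "p+u+g+i+n+S", "E": ""}

def build_conf(exclude_line):
    """Constructed aide.conf fragment from this section's examples; exclude_line is swapped in."""
    return "\n".join(["MyGroup = p+i+n+m+md5",  # AIDE's group syntax; 'MyGroup p+...' also parses
                      "/bin MyGroup", "/etc R+a",
                      "/var/log L",             # constructed: some selection line must cover /var/log
                      exclude_line])            # e.g. '!/var/log/maillog' or '!/var/log/maillog$'

def expand(attrs, groups):
    """Expand 'R+a' or 'MyGroup' (recursively) into the set of individual checks."""
    out = set()
    for tok in attrs.split("+"):
        if tok in groups:
            out |= expand(groups[tok], groups)
        elif tok:
            out.add(tok)
    return out

def parse_conf(text):
    """Return (groups, rules); each rule is (is_negative, regex, attribute_string)."""
    groups, rules = dict(BUILTIN_GROUPS), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        if line.startswith("!"):                      # exclusion: regex only, no checks
            rules.append((True, line[1:].strip(), ""))
            continue
        first, rest = line.replace("=", " ", 1).split(None, 1)
        if first.startswith("/"):                     # selection line: regex + checks
            rules.append((False, first, rest))
        else:                                         # group definition
            groups[first] = rest
    return groups, rules

def classify(path, conf_text):
    """None if any '!' rule matches the path, else the checks of the longest matching
    selection line (empty set if nothing covers it). Model assumptions: every regex is
    anchored at the start of the path, as in AIDE, and the longest match wins; AIDE's
    own precedence rules are richer than this."""
    groups, rules = parse_conf(conf_text)
    if any(re.match(rx, path) for neg, rx, _ in rules if neg):
        return None
    matches = [(m.end(), attrs) for neg, rx, attrs in rules
               if not neg and (m := re.match(rx, path))]
    return expand(max(matches)[1], groups) if matches else set()
```

With the unanchored exclusion, classify("/var/log/maillog.crack", ...) returns None (silently skipped); with the `$`-anchored one it returns the L checks, because only the exact maillog path is excluded.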

By default, AIDE will create a file-based database in /usr/local/etc/ called aide.db.new. This file is then moved (manually) to /usr/local/etc/aide.db for future checks. Therefore, there's not really a need to alter this behavior within the context of the configuration file; however, you certainly can change the path and name of this file using the configuration options:

    database=file:<filename>
    database_out=file:<filename>

AIDE can also use an SQL database server such as PostgreSQL to store database contents, although that configuration is beyond the scope of this book.

A Sample AIDE Configuration File

At the very least you need to tell AIDE what parts of the filesystem to check and what rules to use for those checks. You can also add numerous other bits to the configuration to alter how AIDE performs. For the purposes of this section, I'll show a very basic configuration file with the caveat that you should add to it as you see necessary for your Linux installation.

Open the file /usr/local/etc/aide.conf. If the file doesn't exist, create it. Place the following lines within the file:

    /bin R
    /sbin R
    /etc R+a
    /lib R
    /usr/lib R

Initializing the AIDE DB

With a quick and basic configuration file in hand, it's time to initialize the AIDE database. This process can take a varying length of time depending on how many files you're checking and the amount of resources the computer has available. Initializing the AIDE database is as simple as running the following:

    /usr/local/bin/aide --init

AIDE will now initialize the database based on the criteria you chose in the configuration file. When it's complete, you'll see a message similar to this:

    AIDE, version 0.10

    ### AIDE database initialized.

The next step is to rename (move) the newly created database to aide.db so that it becomes the default or master database:

    mv /usr/local/etc/aide.db.new /usr/local/etc/aide.db

Now you should be able to run a check of the database to verify that everything is working okay:

    /usr/local/bin/aide --check

If everything goes well, you'll see output similar to the following:

    AIDE, version 0.10

    ### All files match AIDE database. Looks okay!

With the AIDE database initialized, you should immediately copy the database to a disk, preferably a read-only medium such as a CD-R, or securely copy it to another computer. If you leave the only copy of the AIDE database on the computer, an attacker may be able to simply alter the AIDE database to cover her tracks after replacing system files with her own! Each time you update the AIDE database from this point forward, you should always copy the resulting database file to secure media.

Scheduling AIDE to Run Automatically

AIDE is best run using a cron job (scheduled task). Therefore, you should schedule AIDE to run automatically without your intervention. AIDE is commonly run once per day, but you should schedule it to run according to your security policy. The easiest and quickest method to have AIDE run daily is to create a crontab entry.

Creating a crontab entry is a matter of running this (as root):

    crontab -e

To run AIDE nightly at 2:00 a.m., enter the following line into crontab:

    0 2 * * * /usr/local/bin/aide --check

For more information on the format of crontab entries, see your distribution's documentation.




Linux Firewalls
Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
ISBN: 1593271417
Year: 2005
Pages: 163
Authors: Michael Rash
