Install AIDE on Debian 10 (buster)

#intrusion detection #security #Linux #HIDS

If you want to check the integrity of your Linux system, you have many open source options. One of them is AIDE (Advanced Intrusion Detection Environment). It’s a host-based IDS that checks file integrity on a regular basis and informs you if something has changed. That can be an indicator of a problem.

First let me say that this kind of tool only makes sense if you install it in a known clean state. That means directly after you set up your system, or at least at a point where you can reasonably assume that your system is not compromised. If you do it after you suspect something bad has happened, it’s already too late, because AIDE can’t tell what a “clean system” looks like. It just monitors changes in file checksums.

AIDE is available in the Debian repositories, so you can just install it by typing:

# apt-get install aide

Next open the file:

/etc/default/aide

and change the following options:

CRON_DAILY_RUN=yes
MAILTO=<YOUR_EMAIL>
COPYNEWDB=yes

The option COPYNEWDB tells AIDE to overwrite its internal database with the updated file checksums if it finds changes in the system. This means that if it finds a changed file, it will inform you and then take that change into its database. In the next run you will not be notified again about that file, because this is now the “clean state” for AIDE. If you don’t want that, you can leave the option at “no”, but then you have to overwrite the AIDE database file /var/lib/aide/aide.db manually yourself, otherwise you will keep getting notified about the same changed file. In the end this setting depends on the threat level of your system; for my projects setting this to “yes” is usually fine.

Then you need to run the following command to create the configuration:

# update-aide.conf

And finally, build the initial database of checksums:

# aideinit -y -f

(That might take a while)
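The steps above, collected into one non-interactive setup script. This is an added example and not part of the original post or of the AIDE project: the helper names (set_default_option, get_default_option, setup_aide), the AIDE_DEFAULTS override and the RUN_AIDE_SETUP guard are my own assumptions; the package name, the three options and the two commands are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): apply the AIDE setup steps
# for Debian 10 without editing /etc/default/aide by hand.
set -eu

# Assumption: the defaults file can be overridden for testing on a scratch copy.
AIDE_DEFAULTS="${AIDE_DEFAULTS:-/etc/default/aide}"

# set_default_option FILE KEY VALUE
# Idempotently sets KEY=VALUE: an existing active line for KEY is rewritten,
# otherwise the line is appended. Commented-out lines (#KEY=...) are left as
# documentation. VALUE must not contain the characters '|', '&' or '\'.
set_default_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^${key}=" "$file"; then
        sed -i -E "s|^${key}=.*|${key}=${value}|" "$file"
    else
        # make sure the file ends with a newline before appending
        [ -z "$(tail -c1 "$file")" ] || echo >> "$file"
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_default_option FILE KEY -> prints the active value of KEY (empty if unset)
get_default_option() {
    sed -n -E "s/^${2}=//p" "$1" | tail -n 1
}

# setup_aide MAIL_TO -> install, configure, generate config, build initial DB
setup_aide() {
    mail_to=$1
    apt-get install -y aide
    set_default_option "$AIDE_DEFAULTS" CRON_DAILY_RUN yes
    set_default_option "$AIDE_DEFAULTS" MAILTO "$mail_to"
    set_default_option "$AIDE_DEFAULTS" COPYNEWDB yes
    update-aide.conf
    aideinit -y -f     # builds /var/lib/aide/aide.db; this takes a while
}

# Only touch the real system when explicitly asked to (assumed guard variable):
#   RUN_AIDE_SETUP=yes sh setup-aide.sh you@example.com
if [ "${RUN_AIDE_SETUP:-no}" = yes ]; then
    setup_aide "${1:?usage: RUN_AIDE_SETUP=yes $0 MAIL_TO}"
fi
```

Run it as root on a freshly installed system; the guard variable keeps the script from installing or reinitialising anything when it is merely sourced to reuse the helper functions.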

After that it makes sense to copy the database file /var/lib/aide/aide.db to a safe place. In case an attacker gets access to the file on the system, you still have a backup of a “clean state”. Depending on your threat level, it might be a good idea to do that regularly, maybe with a daily cron job that sends it to your git/mail account/fax.
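One way to do that regular backup, and to make use of it: the script below copies the AIDE database to a backup directory together with a SHA-256 checksum, and can later check whether the database on the host still matches a stored checksum. It is an added example, not code from the original post or from AIDE; the backup directory, the function names and the RUN_AIDE_BACKUP guard are my own assumptions, and only /var/lib/aide/aide.db comes from the post.

```shell
#!/bin/sh
# Added example (not from the original post): back up the AIDE database with a
# checksum and verify the live database against a stored checksum.
set -eu

AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db}"
# Assumption: a root-only directory; in practice ship the copy off the host
# (e.g. rsync to another machine) so it is out of reach of the same attacker.
BACKUP_DIR="${BACKUP_DIR:-/root/aide-backups}"

# backup_aide_db DB DEST_DIR
# Copies DB to DEST_DIR/aide.db.<UTC timestamp>, writes a .sha256 file next to
# it (in sha256sum -c format) and prints the path of the copy.
backup_aide_db() {
    db=$1; dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$dest"
    chmod 700 "$dest"
    copy="$dest/aide.db.$stamp"
    cp -p "$db" "$copy"
    ( cd "$dest" && sha256sum "$(basename "$copy")" > "$(basename "$copy").sha256" )
    printf '%s\n' "$copy"
}

# verify_aide_db DB CHECKSUM_FILE
# Returns 0 if DB's SHA-256 equals the value stored in CHECKSUM_FILE, 1 otherwise.
# With COPYNEWDB=yes the database legitimately changes whenever the daily run
# reported changes; a mismatch without such a report means the database itself
# was altered, which is exactly what the off-host copy is for.
verify_aide_db() {
    db=$1; sumfile=$2
    expected=$(cut -d' ' -f1 "$sumfile")
    actual=$(sha256sum "$db" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Daily cron entry (assumed guard variable):
#   RUN_AIDE_BACKUP=yes sh backup-aide-db.sh
if [ "${RUN_AIDE_BACKUP:-no}" = yes ]; then
    backup_aide_db "$AIDE_DB" "$BACKUP_DIR"
fi
```

Compare the host database against yesterday's checksum before taking today's copy, so that a silently replaced aide.db is noticed before it becomes the new "clean state" in your backups.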