Defending your Ubuntu Linux System with AIDE
As we have already seen, RPM can be used to test file integrity, but this is limited to RPM-based systems and is not very customizable. As a quick check it is fine, but for targeted defence you should look at AIDE. AIDE, the Advanced Intrusion Detection Environment, lets you specify exactly which directories and files are monitored and runs on most Linux distributions. We install it on Ubuntu in the demonstration.
$ sudo apt-get install -y aide
If the Postfix mail system is not installed it will be pulled in alongside AIDE. It is not strictly required by AIDE, but it is added so that email notifications can be configured. Configure Postfix however you wish; we set it up as a local-only system.
Once installed we can check the version. We have the stable release 0.16 from the Ubuntu 18.04 repositories:
$ aide -v
AIDE maintains a database holding the baseline state of the system. This is normally created with sudo aide --init; however, on Ubuntu systems the first run requires the aideinit wrapper command instead:
$ sudo aideinit
The database needs to be populated with the state of many files, 69K in my case, so it can take a little while; in the demo the run took about 1m 30s. The output is written to /var/lib/aide/aide.db.new, and aideinit also copies this to the baseline database /var/lib/aide/aide.db.
Next, we need to update the configuration file used by AIDE.
$ sudo cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
We can now test AIDE by adding a new user. With the user added we check the filesystem against the baseline stored in the database:
$ sudo useradd -m bob
$ sudo aide -c /etc/aide/aide.conf --check
Again the check should take a similar time to before. Once it completes we will see that a new home directory was added for the user and that the password-related files in /etc have changed.
Checking user home directories may not be a great idea, and in general we probably want to target fewer directories. If we are concerned about rootkits then we want to keep an eye on /etc and /bin, but not on everything. We can create our own configuration files with custom rules that check exactly what we need. Such a file can then be tuned over time and with experience.
As a simple test we create a new configuration for AIDE in the tux user's home directory. We name it aide.conf, but the name could be anything:
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new
MYRULE=p+n+u+g+s+m+md5
/etc MYRULE
/bin MYRULE
/usr/bin MYRULE
database The path to the reference (baseline) database. Database names can vary, so you can supply unique database names for each configuration used. For simplicity we stick with the standard names and overwrite the existing databases.
database_out The path to the database written when initializing (--init) or updating (--update) the baseline; a plain --check reads the baseline and writes no database.
database_new The path to the database that --compare checks against the baseline.
p Permissions
n Number of links
u User owner
g Group owner
s Size
m Last modified time
md5 MD5 checksum of the file contents. MD5 is no longer collision resistant, so for a rule meant to catch deliberate tampering prefer one of the stronger digests AIDE supports, such as sha256 or sha512.
We now initialize the baseline in the standard way, ensuring we use our own configuration:
$ sudo aide --init -c ~tux/aide.conf
This covers only about 2K files, so it runs very quickly. Now that we have the baseline we can add a new user as before:
$ sudo useradd -m joe
$ sudo aide --check -c ~tux/aide.conf
We will now see the changes to the /etc directory without the addition of the new directory and files below /home.
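To turn the check into something that runs unattended from cron and uses the local Postfix set up earlier, here is an added wrapper script. It is example code written for this article's scenario, not part of AIDE or the original post. It relies on the exit status aide(1) documents: 0 means no differences, 1, 2 and 4 flag new, removed and changed files and are combined bitwise, and 14 or above signals an error rather than a finding. The variable names (AIDE_CMD, AIDE_CONF, REPORT_TO), the function names and the log path are this script's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): run an AIDE check, turn the
# exit status into a readable summary, keep the report, and mail it through
# the local MTA when something changed.
# Assumptions (not from the page): AIDE_CMD, AIDE_CONF, REPORT_TO and the
# helper names are this script's own; the status bits come from aide(1):
# 1 = new files, 2 = removed files, 4 = changed files, >= 14 = error.

set -u

AIDE_CMD="${AIDE_CMD:-aide}"                 # run as root, or prefix with sudo
AIDE_CONF="${AIDE_CONF:-/etc/aide/aide.conf}" # e.g. ~tux/aide.conf from above
REPORT_TO="${REPORT_TO:-}"                   # e.g. root@localhost; empty = no mail

# Translate an aide exit status into a one-line summary.
# 0 = baseline matches; 1/2/4 are OR-ed together for new/removed/changed;
# 14 and above are aide's own errors (bad config, I/O, version mismatch).
summarize_status() {
    rc=$1
    if [ "$rc" -eq 0 ]; then
        echo "no differences"
        return 0
    fi
    if [ "$rc" -ge 14 ]; then
        echo "aide error (exit $rc)"
        return 0
    fi
    parts=""
    [ $((rc & 1)) -ne 0 ] && parts="${parts}new "
    [ $((rc & 2)) -ne 0 ] && parts="${parts}removed "
    [ $((rc & 4)) -ne 0 ] && parts="${parts}changed "
    echo "differences: ${parts% }"
}

# Run the check, write the full report to $1, print the summary, and return
# aide's own exit status so cron or a monitoring agent can still act on it.
run_check() {
    report=$1
    rc=0
    "$AIDE_CMD" --check -c "$AIDE_CONF" >"$report" 2>&1 || rc=$?
    summary=$(summarize_status "$rc")
    # Only mail when there is something to look at and a mail client exists.
    if [ -n "$REPORT_TO" ] && [ "$rc" -ne 0 ] && command -v mail >/dev/null 2>&1; then
        mail -s "AIDE on $(hostname): $summary" "$REPORT_TO" <"$report"
    fi
    echo "$summary"
    return "$rc"
}

# Invoke as: sudo AIDE_CONF=~tux/aide.conf ./aide-check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_check "/var/log/aide/check-$(date +%F).log"
fi
```

Once a reported change is confirmed as expected (the new user above, a package upgrade), re-baseline with sudo aide --update -c ~tux/aide.conf and copy /var/lib/aide/aide.db.new over /var/lib/aide/aide.db; otherwise every later check keeps reporting the same difference, and real tampering hides among the noise.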