Installing and Configuring AIDE on Ubuntu 18.04

Secure Your Ubuntu Server with AIDE: A Step-by-Step Guide to File Integrity Monitoring

In the world of server security, threats can be subtle. An unauthorized change to a critical system file or a configuration being quietly altered can be the first sign of a compromise. To defend against these silent threats, you need a vigilant watchdog for your filesystem. This is where the Advanced Intrusion Detection Environment, or AIDE, becomes an indispensable tool.

AIDE is a host-based intrusion detection system (HIDS) that acts as a tripwire for your server’s files. It records a cryptographic “snapshot”, or baseline, of the files you tell it to watch. Each time it runs, it compares the current state of those files with the trusted baseline and reports every addition, deletion, or modification. Note that it is not real-time: a change is only seen at the next check, so the interval between checks bounds how quickly you learn of it.

This guide will walk you through the complete process of installing, configuring, and effectively using AIDE to harden your Ubuntu server.

What is AIDE and Why Do You Need It?

At its core, AIDE is a file integrity checker. When you first set it up, it scans specified directories and records a detailed database of file characteristics, including:

  • Permissions (read, write, execute)
  • File owner and group
  • File size and modification times
  • Cryptographic hashes (like SHA256 or SHA512)
  • Inode numbers

Once this initial database is built and secured, AIDE can perform checks to see if anything has changed. If a binary in /usr/bin is replaced with a malicious version, its hash no longer matches. If an attacker alters /etc/passwd to add a new user, the next check reports the change. This makes AIDE a valuable layer in a proactive security strategy, helping you detect a breach early, before significant damage occurs. The detection is only as trustworthy as the baseline and the AIDE installation themselves, which is why protecting both is covered below.

Step 1: Installing AIDE on Ubuntu

Getting AIDE onto your system is straightforward using the default package manager. First, ensure your package list is up to date, then install the aide package.

Open your terminal and run the following command:

sudo apt update && sudo apt install aide

The package recommends a mail transport agent, so apt may pull in Postfix and ask you to configure it. The daily AIDE cron job that the package installs delivers its reports by local mail, so if you want those reports choose a configuration that can deliver to root (for example “Local only”); “No configuration” lets the install finish, but reports will have nowhere to go until you set up mail.

Step 2: Understanding and Customizing the AIDE Configuration

Before you can create your baseline, you need to tell AIDE what to monitor and how closely to watch it. The main configuration file is /etc/aide/aide.conf, but on Ubuntu it is not read on its own: the aideinit and aide.wrapper commands first run update-aide.conf, which concatenates aide.conf with the package-specific snippets in /etc/aide/aide.conf.d/ into /var/lib/aide/aide.conf.autogenerated, and that assembled file is what aide parses. Put your own rules in a new file under /etc/aide/aide.conf.d/ rather than editing the packaged files, so package upgrades do not overwrite them.

A rule is a named group of attribute letters, defined with NAME = attr+attr. The letters include p (permissions), u (owner), g (group), i (inode), n (link count), s (size), m (mtime), c (ctime), a (atime), plus checksum names such as sha256 and sha512. Ubuntu’s aide.conf defines its own groups (for example OwnerMode = p+u+g+ftype, and Full, which adds inode data, timestamps and the configured checksums); the PERMS, NORMAL and ALL names seen in many tutorials come from the upstream sample and Red Hat configurations and must be defined before you can use them. As illustrative definitions:

  • PERMS = p+i+u+g: Tracks permissions, owner, group, and inode only.
  • NORMAL = PERMS+n+s+m+c+sha512: Everything in PERMS plus link count, size, modification and change times, and a SHA512 hash. This is a good general-purpose rule for binaries and configuration files.
  • ALL = NORMAL+a+sha256: Every attribute, including the access time. Because atime is updated when a file is merely read (once a day under the default relatime mount option), applying this to /etc floods the report with reads; reserve it for files that should never be read at all, such as private keys.

You then apply these rules to specific files and directories with selection lines. A selection line is a regular expression anchored at the start of the path, so /bin also matches everything beneath it. For example:

/bin NORMAL
/sbin NORMAL
/etc NORMAL
!/var/log

This tells AIDE to apply the NORMAL rule to /bin, /sbin and /etc, and the leading ! excludes /var/log entirely. Customize this to match your server: add rules for your web root (/var/www/html) and exclude volatile directories to reduce false positives.
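To put that customization into practice, here is an added example (my script, not code from the guide or from the AIDE project) that writes a site rule snippet into Ubuntu’s include directory and asks aide to parse the assembled configuration. The snippet name 99_local, the group name WebContent and the /var/www/html paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: install a site-specific AIDE rule snippet and validate the
# assembled configuration. Not part of the original guide. Assumes Ubuntu's
# layout (snippets in /etc/aide/aide.conf.d/ are picked up by aide.wrapper);
# the snippet name 99_local and the /var/www/html paths are assumptions.
set -eu

# Write the rule snippet to $1 (defaults to the Ubuntu include directory).
write_local_rules() {
    dest="${1:-/etc/aide/aide.conf.d/99_local}"
    cat > "$dest" <<'EOF'
# Site rules. Attribute letters: p perms, u owner, g group, i inode, n links,
# s size, m mtime, c ctime, sha512 content hash. Leaving out a (atime) keeps
# ordinary reads from showing up as changes.
WebContent = p+u+g+i+n+s+m+c+sha512
# Application code: any change to content or metadata is reportable.
/var/www/html WebContent
# User uploads churn constantly and would bury real findings.
!/var/www/html/uploads
# Volatile system paths. Selection lines are regexes anchored at the start
# of the path, so !/tmp also covers /tmp/anything (and a /tmpfoo, if one
# existed); append $ if you need an exact match.
!/tmp
!/var/tmp
EOF
    echo "$dest"
}

# Count the selection lines ('/', '!' or '=' prefix) in snippet $1, so a
# truncated or mis-copied file is caught before aide ever reads it.
count_selection_lines() {
    grep -c '^[/!=]' "$1"
}

if [ "${1:-}" = "--install" ]; then
    f=$(write_local_rules)
    echo "wrote $f with $(count_selection_lines "$f") selection lines"
    # aide.wrapper rebuilds /var/lib/aide/aide.conf.autogenerated and passes
    # it to aide; --config-check only parses the configuration and exits.
    aide.wrapper --config-check
fi
```

Run it as root with --install. A configuration error surfaces here, in seconds, rather than minutes into a database rebuild. Because the new rules cover paths the current baseline has never seen, the next check lists every file under /var/www/html as added; review that report once and re-baseline as described in Step 5.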

Step 3: Initializing the AIDE Database

With the configuration tailored to your needs, the next step is to generate the initial baseline database. This is the most critical step, because the database becomes your single source of truth: build it on a clean, known-good system, ideally straight after installation and before the server is exposed to untrusted users or networks. A baseline taken from an already compromised host faithfully records the compromise as normal.

To initialize the database, execute:

sudo aideinit

aideinit assembles the configuration and runs aide --init with it. It takes several minutes on a typical server as it walks every path selected by the rules, and writes the result to /var/lib/aide/aide.db.new (on Ubuntu the database files carry no .gz suffix).

To activate this new baseline, copy it over the live database that checks read from:

sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

The live path is the database= setting and the output path the database_out= setting in /etc/aide/aide.conf. AIDE never promotes a new database on its own, so nothing is trusted until you copy it over yourself.

Step 4: Running Your First Integrity Check

Now that your baseline is established, run a manual check to see AIDE compare the current filesystem against /var/lib/aide/aide.db. On Ubuntu use the wrapper: the aide binary itself is built with a deliberately invalid default configuration path and refuses to run without --config, and the wrapper supplies the assembled configuration for you.

sudo aide.wrapper --check

If nothing has changed, you get a short message that the database and the filesystem match, and the exit status is 0. Otherwise AIDE prints a summary with counts of added, removed and changed entries, lists each entry, and follows with a detailed section showing the old and new attribute values. The exit status is then the sum of 1 (files added), 2 (files removed) and 4 (files changed); a status of 14 or higher means AIDE itself failed, for example on a configuration error, and is not a finding.

Step 5: Managing Legitimate Changes and Updating the Database

A server is not a static environment. You will apply system updates, install new software, and edit configuration files. These are legitimate changes that will show up in the next report, and you need a process for accepting them into the baseline without also accepting anything else.

  1. Verify the Changes: Carefully review the report from aide.wrapper --check and tie every flagged path to something you did. Package upgrades are recorded in /var/log/apt/history.log and /var/log/dpkg.log; a package-owned binary that changed with no matching upgrade is exactly what a trojaned binary looks like and must be investigated before you go any further.
  2. Generate an Updated Database: Once every change is accounted for, run the update command:
    sudo aide.wrapper --update

    This performs the same comparison as --check and prints the same report, but also writes a fresh database reflecting the current filesystem to /var/lib/aide/aide.db.new.
  3. Activate the New Baseline: Just as during initialization, copy the new database over the live one to make it the active baseline:
    sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

    Do this only after the review in step 1. Copying a database that records an attacker’s changes silently blesses them, and every later check will report the host as clean. Make the review-update-copy cycle a standard part of your maintenance routine after any planned software installation or configuration change.
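The review in item 1 is where the real work is. As an added example (my script, not part of the original guide or the aide package), the following subtracts from an AIDE report the files belonging to packages that dpkg.log records as upgraded or installed, leaving only the paths that need a human. It assumes Ubuntu’s /var/log/dpkg.log and dpkg -L; the AIDE report and dpkg.log lines embedded in it are constructed samples in AIDE 0.16’s output format, so it runs without AIDE installed.

```shell
#!/bin/sh
# Added example, not from the original guide: triage an AIDE report by
# removing the paths that a logged package upgrade explains. Assumes Ubuntu's
# /var/log/dpkg.log and `dpkg -L`; the report and log text below are
# constructed samples in AIDE 0.16's output format.
set -eu

# Paths AIDE listed as added, removed or changed. Entry lines start with the
# file type letter (f, d, l, ...) and end in ": /path"; the "File:" lines of
# the detailed section and the indented summary counts do not match.
aide_report_paths() {
    grep -E '^[fdlcbps][^:]*: /' | sed 's/^[^:]*: //' | sort -u
}

# Package names that dpkg.log $1 records as upgraded or installed.
upgraded_packages() {
    awk '$3 == "upgrade" || $3 == "install" { sub(/:.*/, "", $4); print $4 }' "$1" | sort -u
}

# Files owned by the package names read from stdin (needs a real Ubuntu host).
files_of_packages() {
    xargs -r dpkg -L 2>/dev/null | sort -u
}

# Paths on stdin that are not listed, as exact lines, in allowlist file $1.
unexplained_paths() {
    grep -vxF -f "$1" || true
}

# --- constructed sample data ---
SAMPLE_REPORT='AIDE 0.16 found differences between database and filesystem!!
Start timestamp: 2019-03-01 03:00:01 +0000 (AIDE 0.16)

Summary:
  Total number of entries:      52391
  Added entries:                1
  Removed entries:              0
  Changed entries:              2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /usr/local/sbin/helper

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...    .C... : /usr/bin/sudo
f   ...    .C... : /etc/passwd

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /usr/bin/sudo
  SHA512   : <old hash>
             <new hash>'

SAMPLE_DPKG_LOG='2019-03-01 02:10:33 upgrade sudo:amd64 1.8.21p2-3ubuntu1 1.8.21p2-3ubuntu1.1
2019-03-01 02:10:34 status half-configured sudo:amd64 1.8.21p2-3ubuntu1.1
2019-03-01 02:10:35 install htop:amd64 <none> 2.1.0-3'

# Triage the sample: the sudo upgrade explains /usr/bin/sudo, which leaves
# /etc/passwd and the new /usr/local/sbin/helper for a human to look at.
demo() {
    allow=$(mktemp)
    # Stand-in for `upgraded_packages /var/log/dpkg.log | files_of_packages`.
    printf '%s\n' /usr/bin/sudo /usr/bin/sudoedit /usr/bin/sudoreplay > "$allow"
    printf '%s\n' "$SAMPLE_REPORT" | aide_report_paths | unexplained_paths "$allow"
    rm -f "$allow"
}

case "${1:-}" in
    --live)
        allow=$(mktemp)
        upgraded_packages /var/log/dpkg.log | files_of_packages > "$allow"
        aide.wrapper --check | aide_report_paths | unexplained_paths "$allow"
        rm -f "$allow" ;;
    *)  demo ;;
esac
```

Run it with --live as root on a real host; without arguments it runs the embedded sample. Two cautions: an attacker with root can append to dpkg.log as easily as replace a binary, so treat a match as “plausible”, not “cleared”, and cross-check against apt’s own history; and the allowlist is exact paths, so a file outside any upgraded package’s list is always reported, which is the behaviour you want.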

Step 6: Automating AIDE Checks with Cron

Running manual checks is useful, but AIDE’s value comes from scheduled, regular monitoring. On Ubuntu you already have it: the aide-common package installs /etc/cron.daily/aide, which runs aide.wrapper --check once a day and mails the report to the address set by MAILTO in /etc/default/aide (root by default). Read through /etc/default/aide first; for most servers, pointing MAILTO at a mailbox someone actually reads is all the automation you need.

If you want the check at a fixed time rather than whenever cron.daily runs, add a job to root’s crontab:

sudo crontab -e

Add the following line to run a check every day at 3:00 AM:

0 3 * * * /usr/bin/aide.wrapper --check

Use aide.wrapper, not the bare aide binary, in cron jobs: the wrapper rebuilds the assembled configuration and passes it to aide, so do not add a --config argument of your own, which risks aide reading only /etc/aide/aide.conf and skipping the snippets in /etc/aide/aide.conf.d/. Cron mails whatever the job prints to root, so the report lands in the same mailbox as the packaged job’s. Pick one of the two mechanisms, or you will receive two reports a day and start ignoring both.
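As an added example that ties Steps 5 and 6 together (this is my script, not part of the original guide or the aide package), the driver below runs the check from cron, keeps a dated copy of every report, decodes aide’s exit status into a verdict, mails root only when there is something to act on, and promotes a new baseline while recording its SHA-256 so that a later check is refused if the database no longer matches. It assumes Ubuntu’s aide.wrapper and /var/lib/aide paths; the /var/log/aide directory, the checksum file location and the mail(1) client (the mailutils package) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: a driver for the scheduled AIDE
# check. Assumes Ubuntu's aide.wrapper and database paths; REPORT_DIR, the
# checksum file and the mail(1) client are this example's assumptions.
set -eu

DB=/var/lib/aide/aide.db
DB_NEW=/var/lib/aide/aide.db.new
REPORT_DIR=/var/log/aide
BASELINE_SUM="$REPORT_DIR/aide.db.sha256"   # keep a copy of this off the host
MAILTO=root

# aide(1) exits with a bitmask: 1 = new files, 2 = removed, 4 = changed.
# 14 and above mean aide itself failed (bad config, I/O error, ...), which
# is an operational problem, not a finding. Print a verdict for status $1.
decode_aide_status() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo "clean"
    elif [ "$st" -ge 14 ]; then
        echo "error (exit $st)"
    else
        v=""
        [ $((st & 1)) -ne 0 ] && v="${v}added "
        [ $((st & 2)) -ne 0 ] && v="${v}removed "
        [ $((st & 4)) -ne 0 ] && v="${v}changed "
        echo "${v% }"
    fi
}

# Promote aide.db.new (written by aideinit or aide.wrapper --update) to the
# live baseline and record its checksum. Run only after reviewing the report.
accept_baseline() {
    mkdir -p "$REPORT_DIR"
    cp "$DB_NEW" "$DB"
    sha256sum "$DB" > "$BASELINE_SUM"
    cat "$BASELINE_SUM"
}

run_check() {
    mkdir -p "$REPORT_DIR"
    # A baseline that no longer matches its recorded checksum cannot be
    # trusted; a clean report against a doctored database is worthless.
    if [ -f "$BASELINE_SUM" ] && ! sha256sum -c --quiet "$BASELINE_SUM"; then
        echo "baseline checksum mismatch; refusing to run the check" >&2
        return 1
    fi
    report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).txt"
    st=0
    aide.wrapper --check > "$report" 2>&1 || st=$?
    subject="AIDE on $(hostname): $(decode_aide_status "$st")"
    # A nightly "all clean" mail trains people to ignore the sender.
    if [ "$st" -ne 0 ]; then
        mail -s "$subject" "$MAILTO" < "$report"
    fi
    echo "$subject ($report)"
}

case "${1:-}" in
    --check)  run_check ;;
    --accept) accept_baseline ;;
    --decode) decode_aide_status "$2" ;;
    *)        echo "usage: $0 --check | --accept | --decode <aide-exit-status>" >&2 ;;
esac
```

Install it as, say, /usr/local/sbin/aide-check.sh and schedule it with 0 3 * * * /usr/local/sbin/aide-check.sh --check in root’s crontab (and disable the packaged cron.daily job, or you get two reports). After aideinit or aide.wrapper --update, run it with --accept and copy the printed checksum line somewhere off the host: the on-disk checksum file is a convenience that a root-level attacker can rewrite along with the database, so the off-host copy is the real control.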

Security Best Practices for AIDE

  • Secure Your Baseline Database: /var/lib/aide/aide.db is the key to the entire setup. If an attacker can modify it, or the configuration in /etc/aide/ and /etc/aide/aide.conf.d/, or the aide binary itself, they can hide their tracks, and anyone with root on the box can do all three. Copy the database and configuration to an offline or read-only location (removable media or a remote host) and compare the on-box database against that copy with sha256sum before trusting a report. For high-value hosts, ship reports off the box as soon as they are produced, so an intruder cannot quietly rewrite history.
  • Tune Your Configuration: A noisy report is an ignored report. Exclude directories that change constantly and carry little risk, such as /tmp, /var/log, and application cache directories, using ! selection lines, and avoid rules that check atime on files that are read routinely, so the report contains only meaningful alerts.
  • Regularly Review Reports: Don’t set up the cron job and forget it. Read every report, tie each change to a known action (an update, a deployment, an edit), and treat anything unexplained, above all a changed binary with no corresponding package upgrade, as a serious red flag that requires immediate investigation.

Source: https://kifarunix.com/install-and-configure-aide-on-ubuntu-18-04/
