Advaced Intrusion Detection Environment

Photo by Gwendal Cottin on Unsplash

Photo by Gwendal Cottin on Unsplash

How to check for unathorized changes in the filesystem
Updated 5. November 2021

Once a network or a system is compromised it's difficult to see what files have been altered by an unauthorized person. Most attackers are skilled at leaving no log entries of their activity and therefore making it hard to discover if any files have been modified by an unauthorized person. AIDE (Advanced Intrusion Detection Environment) for Linux is a great tool for having a watchful eye over the files on the system.

To prevent the attacker from removing logs you should implement remote logging of what commands are being executed in a terminal emulator or with a shell script. AIDE will never be able to replace good logs when investigating a security incident.

AIDE creates a database of the current state of the files and directories you decided to monitor. The intrusion detection is performed by comparing the current state of the files and directories with what was the last state of the files and directories saved in the AIDE database. This is both simple and effective.

In this guide, I will walk through the installation, configuration, and use of AIDE in Ubuntu 20.04. Any Debian-based Linux distro should be quite similar.

Installasjon

Start by installing AIDE on your system.

sudo apt install aide

When AIDE and the dependent packages are installed you can continue with the configuration for your detection environment.

Configuration

You must create a configuration file to narrow the scope of AIDE, and what you want to monitor. It's important to monitor only files that will not be dynamically altered, such as log directories or system directories such as /dev and /sys.

In this example, I will make AIDE monitor the content of the system-critical /etc directory. This is the directory where most of the configuration files on the system are stored. Changes to this directory will most likely change the way the system operates. Another good example of directories you want to monitor carefully are directories that contain web pages.

Start off by creating a simple config file in your home directory:

vim /home/stanley/aide.conf
/home/stanley/aide.conf
# Path to the created databases
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new

# AIDE rules
MYTEST=p+n+u+g+s+m+md5

# Directories to be monitored - and what rule to use
/etc MYTEST

Initialization

Initialize the new database containing the defined baseline

sudo aide --init -c /home/stanley/aide.conf

Set the newly created database as the current database

sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Test for changes

To test the functionality of AIDE we can run the test before making a change, and after making a change to the monitored directories.

We start with a test before the change:

sudo aide --check -c /home/stanley/aide.conf
Start timestamp: 2021-05-21 14:44:43 +0200 (AIDE 0.16.1)
AIDE found NO differences between database and filesystem. Looks okay!!

Number of entries:	3145
...

Make some changes to files inside the monitored directory and run the test again:

sudo aide --check -c /home/stanley/aide.conf
Start timestamp: 2021-05-21 14:47:29 +0200 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	3145
  Added entries:		0
  Removed entries:		0
  Changed entries:		2
...

As you can see from the terminal dump above, it's very quick and easy to spot changes in the filesystem with AIDE.

AIDE spotted changes in 2 files.

For normal use, you rebuild the database after every authorized change to the files inside the directory being monitored. In this example, we used the /etc directory. It would be a good idea to update the AIDE database after a configuration change or a system update.