Securing Ubuntu with AIDE

August 16, 2018 by The Urban Penguin

Defending your Ubuntu Linux System with AIDE

As we have already seen, RPM can be used to test file integrity, but this is limited to RPM-based systems and is not very customizable. As a quick check it is fine, but for targeted defence you should look at AIDE. AIDE, or Advanced Intrusion Detection Environment, lets you specify which directories and files are monitored and runs on most Linux distributions. We install it on Ubuntu in the demonstration.

$ sudo apt-get install -y aide

If the mail system Postfix is not installed it will be added. Although not strictly required by AIDE, it is pulled in so that email notifications can be configured. You can configure Postfix however you wish; we set it up for a local-only system.

Once installed we can check the version number. We have the stable release 0.16 from the Ubuntu 18.04 repos installed:

$ aide -v

AIDE maintains a database of the current baseline system. This is normally created with sudo aide --init; however, on an Ubuntu system the first run requires the aideinit command:

$ sudo aideinit

The database will need to be populated with the state of many files, 69K in my case, so it can take a little while. The runtime shows in the demo as 1m 30s. The output is written to /var/lib/aide/aide.db.new; the aideinit command also copies this to the baseline database /var/lib/aide/aide.db.

Next, we need to update the configuration file used by AIDE.

$ sudo cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf

We can now test AIDE by adding a new user. With the user added we can check the filesystem against the baseline stored in the database.

$ sudo useradd -m bob
$ sudo aide -c /etc/aide/aide.conf --check

Again the check should take a similar time to before. Once completed we will see that the new home directory was added for the user and that the password-related files in /etc have changed.

Checking user home directories may not be a great idea, and in general we may need to target fewer directories. If we are concerned about rootkits then we want to keep an eye on /etc and /bin, but not everything. We can create our own configuration files with custom rules checking exactly what we need. This file can also be tuned over time and with experience.

As a simple test we will create a new configuration for AIDE in the tux user's home directory. We name it aide.conf, but the name could be anything:

database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new
MYRULE=p+n+u+g+s+m+md5
/etc MYRULE
/bin MYRULE
/usr/bin MYRULE

database: The path to the reference database. These database names can vary, so you can supply unique database names for each configuration used. For simplicity we stick with the standard names and overwrite the existing databases.

database_out: The path to the database generated when executing a check

database_new: The path to the database to compare with the baseline

p: Permissions

n: Number of links

u: User owner

g: Group owner

s: Size

m: Last modified time

md5: Checksum of the file

We now initialize the baseline in the standard way, ensuring we use our own configuration:

$ sudo aide --init -c ~tux/aide.conf

This has just about 2K files to check, so it should run very quickly. Now that we have the baseline, we can add a new user as before:

$ sudo useradd -m joe
$ sudo aide --check -c ~tux/aide.conf

We will now see the changes to the /etc directory without seeing the addition of the new directory and files below /home.
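To make the rule syntax above and the init/check cycle concrete, here is an added example (written for this page, not AIDE's own code) of a miniature integrity checker that reads the same three kinds of configuration line shown above (database paths, a named rule such as MYRULE=p+n+u+g+s+m+md5, and "path RULE" selections), records exactly those attributes for every entry under the selected directories, and then reports which entries were added, removed or changed, and which attributes changed. The scenario in demo() is constructed: a temporary "etc" tree stands in for the real /etc, and the useradd step is simulated by appending a line to passwd and creating a new file.

```python
"""Miniature AIDE-style checker (added example; not part of AIDE)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _md5(path):
    """Checksum a regular file in chunks so large files do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


# The attribute letters from the page's rule syntax, and how each is read.
# lstat() is used so symlinks are recorded as links, not as their targets.
ATTRIBUTE_READERS = {
    "p": lambda st, path: stat.S_IMODE(st.st_mode),   # permissions
    "n": lambda st, path: st.st_nlink,                # number of links
    "u": lambda st, path: st.st_uid,                  # user owner
    "g": lambda st, path: st.st_gid,                  # group owner
    "s": lambda st, path: st.st_size,                 # size
    "m": lambda st, path: st.st_mtime_ns,             # last modified time
    # only regular files have content to hash; directories/links get None
    "md5": lambda st, path: _md5(path) if stat.S_ISREG(st.st_mode) else None,
}


def _db_path(value):
    """Strip the 'file:' prefix used in the page's database= lines."""
    return value[5:] if value.startswith("file:") else value


def parse_config(text):
    """Parse 'key=value', 'NAME=a+b+c' rule lines and 'path NAME' selections."""
    settings, rules, selections = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
            if key.isupper():                      # rule definition, e.g. MYRULE
                attrs = value.split("+")
                unknown = [a for a in attrs if a not in ATTRIBUTE_READERS]
                if unknown:
                    raise ValueError(f"unknown attribute(s) {unknown} in {key}")
                rules[key] = attrs
            else:                                  # database / database_out / ...
                settings[key] = value
        else:                                      # "/etc MYRULE"
            path, rule = line.split()
            selections.append((path, rules[rule]))
    return settings, selections


def snapshot(selections):
    """Walk each selected tree and record only the attributes its rule asks for."""
    db = {}
    for root, attrs in selections:
        for dirpath, dirnames, filenames in os.walk(root):
            # "" stands for the directory itself; dirnames catches symlinked dirs
            for name in [""] + dirnames + filenames:
                full = os.path.join(dirpath, name) if name else dirpath
                st = os.lstat(full)
                db[full] = {a: ATTRIBUTE_READERS[a](st, full) for a in attrs}
    return db


def compare(baseline, current):
    """Return (added, removed, changed); changed maps path -> changed attributes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in set(baseline) & set(current):
        diff = [a for a, v in baseline[path].items() if v != current[path].get(a)]
        if diff:
            changed[path] = diff
    return added, removed, changed


def save_db(db, path):
    Path(path).write_text(json.dumps(db, sort_keys=True))


def load_db(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a fake /etc, then simulate a useradd."""
    work = tempfile.mkdtemp()
    etc = Path(work, "etc")
    etc.mkdir()
    (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    (etc / "hostname").write_text("demo\n")
    config = (f"database=file:{work}/aide.db\n"
              f"database_out=file:{work}/aide.db.new\n"
              "MYRULE=p+n+u+g+s+m+md5\n"
              f"{etc} MYRULE\n")
    settings, selections = parse_config(config)
    save_db(snapshot(selections), _db_path(settings["database"]))   # --init
    # Simulated useradd: passwd grows, a new file appears; plus one chmod.
    with open(etc / "passwd", "a") as f:
        f.write("bob:x:1001:1001::/home/bob:/bin/bash\n")
    (etc / "subuid").write_text("bob:100000:65536\n")
    os.chmod(etc / "hostname", 0o600)   # content unchanged, only 'p' differs
    current = snapshot(selections)                                     # --check
    save_db(current, _db_path(settings["database_out"]))
    return compare(load_db(_db_path(settings["database"])), current)


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added)
    print("removed:", removed)
    for path, attrs in sorted(changed.items()):
        print("changed:", path, "+".join(attrs))
```

Two things the output makes visible that the page's rule line does not: a permission-only change shows up as p alone (size and md5 are untouched), while the appended passwd line trips s, m and md5 together, which is why combining attributes is more robust than relying on mtime. As with the real tool, the comparison is only as trustworthy as the reference database: keep aide.db (and the aide binary) somewhere an intruder with root cannot quietly regenerate it, such as read-only media or an off-host copy, and re-baseline only after reviewing a check's report.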

Filed Under: LPIC-3 Exam 303