Setting up Advanced Intrusion Detection Environment (AIDE)

Could you possible help me with edit the /etc/aide.conf so I can setup AIDE ?

Dear @fedoranewbie , welcome to ask.fedora. Please take a minute and go through the #start-here category to get an understand on how to use the forum.
One thing we are trying to do here is ‘One topic per topic’. Please start a new post for each question you want help with.
That helps others to find solution in short and consise topics witout reading through too many posts.

I am using this article https://www.redhat.com/sysadmin/linux-security-aide to setup AIDE. I have followed the article but I am presented with this message when I run the command aide in the terminal.; Cannot access config file: /etc/aide.conf: Permission denied
No config defined
Configuration error

You see how each command line in the guide starts with a #?

That is the symbol for a root shell.

So either you prefix each command with sudo - this will ask for your password. Or you need to change user to root in your shell (su -). If you don’t have a root password set yet, you can run sudo passwdto define one. remember, sudo asks for your user password.

See

What’s wrong with the default aide.conf? If you know which dictories to watch, just add them.

I have just run $ aide --init and still I am presented with the same message :
Cannot access config file: /etc/aide.conf: Permission denied
No config defined
Configuration error

I just implemented the premis mentioned in the text : Suppose you want to keep track of the /etc/passwd file so that you can put rules like PERMS.

sudo, whenever permission denied.

I’d recommend staying far away from /etc/passwd, you don’t need to touch that at all.

how does your current aide.conf look like?

sudo cat /etc/aide.conf

Just tried aide, just for fun, on a fresh vm, works just fine out of the box.

[florian@fedora ~]$ sudo aide --init

Start timestamp: 2021-11-30 14:51:28 +0200 (AIDE 0.16)

AIDE initialized database at /var/lib/aide/aide.db.new.gz



Number of entries:	187628



---------------------------------------------------

The attributes of the (uncompressed) database(s):

---------------------------------------------------



/var/lib/aide/aide.db.new.gz

  MD5      : BmhiusK7sdk8pzLHvvo9kg==

  SHA1     : 6uECGNlk0Lvnoc3I9wvyyNnsRWI=

  RMD160   : J2lvC4HkHdsIhaRFhzRbtkX97zw=

  TIGER    : 0hZwfI7xmonUcUoJxA1IZScetmxuyjpg

  SHA256   : ZDEF8fHYB8FXOo+1UfIj+IrQFW6LLR4M

             0AHar3VXx6Y=

  SHA512   : PryeX36Gzc6X0XdBq/U8ra3GzWjBkfjk

             8hkmzy0aUMA60Egvu1p2MyzeX5LNQMqU

             +g6WpNYGOcgJimCiXnXCSg==





End timestamp: 2021-11-30 14:54:49 +0200 (run time: 3m 21s)

OK, I am new to Fedora so I am super carefull not to do anything wrong.
/etc/passwd is set to PERMS , I can copy the example configuration file for AIDE.

not sure what you mean with that. On my system:

ls -lZ /etc/passwd

Output: -rw-r--r--. 1 root root system_u:object_r:passwd_file_t:s0 2635 Nov 12 15:30 /etc/passwd

As said before, best would be not to touch /etc/passwdat all, leave as is.

You should have one already, the default one, check with:

sudo cat /etc/aide.conf

I’ll be very honest and direct with you. If you are new to Fedora and maybe Linux, AIDE isn’t for you.
Imagine after each system update, you need to check the integrity of the altered files manually and update your database. Are you ready for that?

Well , I am not new to Linux but I get teh point and I would be open to suggestions if you have any on the topic of AIDE alternatives which don’t need too much work.

This text is intended to help my self and future readers learn how to install and use Advanced Intrusion Detection Environment (AIDE) .
Myself I am having a problem editing the /etc/aide.conf file so AIDE can use the database with-out any errors. Furthermore, I don’t want to make any unneeded changes to the file so I am asking for help from the expert.

Can you please note what errors you are getting and so on? Without specific information it’s quite hard for folks on the forum to provide any suggestions.

It may also be worth posting to the AIDE forums in parallel, since they’re more likely to have AIDE experts (whereas this forum is more likely to have Fedora experts :))

Thank you for the advice, I am using this article https://www.redhat.com/sysadmin/linux-security-aide to setup AIDE. I have followed the article but I am presented with this message when I run the command aide in the terminal.;

Cannot access config file: /etc/aide.conf: Permission denied
No config defined
Configuration error

Have you made a config file as the post asks?

Before initializing the AIDE database, it is important to set rules for directories or files. You can do this in the /etc/aide.conf file itself. Suppose you want to keep track of the /etc/passwd file so that you can put rules like PERMS on that file to check the integrity of the file using an AIDE database.

and

After installing AIDE on your system, make an entry in the /etc/aide.conf file with customized rules. You need to monitor files for changes in permissions, groups, ownership, and file access time. You can then select any customized rules that contain all these points.

Sorry, I don’t know any alternatives. I personally don’t use AIDE or anything similar, I think it’s complete overkill for a desktop.

Maybe get to know your system a little bit, including SELinux, which is installed and enabled by default, and in one of the next steps you can fiddle with aide.

Maybe some other people can talk about their experiences with aide…

Note: I’ve merged the other AIDE related topic here too.

Well , the file is setup like this:

# Example configuration file for AIDE.

@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide

# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz

# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz

# Whether to gzip the output to database
gzip_dbout=yes

# Default.
verbose=5

report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH

# These are the default rules.
#
#p:      permissions
#i:      inode:
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#acl:           Access Control Lists
#selinux        SELinux security context
#xattrs:        Extended file attributes
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256:        sha256 checksum
#sha512:        sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum

#haval:  haval checksum (MHASH only)
#gost:   gost checksum (MHASH only)
#crc32:  crc32 checksum (MHASH only)
#whirlpool:     whirlpool checksum (MHASH only)

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

#R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L:             p+i+n+u+g+acl+selinux+xattrs
#E:             Empty group
#>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs

# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES

# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = FIPSR+sha512

# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs

# Access control only
PERMS = p+i+u+g+acl+selinux

# Logfile are special, in that they often change
LOG = >

# Just do sha256 and sha512 hashes
LSPP = FIPSR+sha512

# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256

# Next decide what directories/files you want in the database.

/boot   NORMAL
/bin    NORMAL
/sbin   NORMAL
/lib    NORMAL
/lib64  NORMAL
/opt    NORMAL
/usr    NORMAL
/root   NORMAL
# These are too volatile
!/usr/src
!/usr/tmp

# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc    PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports  NORMAL
/etc/fstab    NORMAL
/etc/passwd   NORMAL
/etc/group    NORMAL
/etc/gshadow  NORMAL
/etc/shadow   NORMAL
/etc/security/opasswd   NORMAL

/etc/hosts.allow   NORMAL
/etc/hosts.deny    NORMAL

/etc/sudoers NORMAL
/etc/skel NORMAL

/etc/logrotate.d NORMAL

/etc/resolv.conf DATAONLY

/etc/nscd.conf NORMAL
/etc/securetty NORMAL

# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL

# Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL

/var/log   LOG
/var/run/utmp LOG

# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log

# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP

/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP

/etc/hosts LSPP
/etc/sysconfig LSPP

/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP

/etc/ld.so.conf LSPP

/etc/localtime LSPP

/etc/sysctl.conf LSPP

/etc/modprobe.conf LSPP

/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP

/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP

/etc/stunnel LSPP

/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP

/etc/issue LSPP
/etc/issue.net LSPP

/etc/cups LSPP

# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found    DIR
#=/home           DIR

# Ditto /var/log/sa reason...
!/var/log/and-httpd

# Admins dot files constantly change, just check perms
/root/\..* PERMS

So I am waiting on suggestions what to do with the file.

Those defaults look pretty good. Leave /etc/passwd on NORMAL. (sorry I had completely misunderstood your previous comment about PERMS).

 NORMAL = FIPSR+sha512 = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256+sha512

that’s quite a bit of checking, access control and checksuming, …

If there are files or directories that you want to be watched and checked, you need to add them…

OK, thank you.

No need to apologize , everythings alright.

I don’t have any at the moment becasue I am just setting up the system at the moment.

To understanding how aide work, lets create a test.

1. First backup your current aide.conf file as suggested on Enhancing Linux security with Advanced Intrusion Detection Environment (AIDE) article with $ sudo cp /etc/aide.conf /etc/aide`date +%F`.conf. It will make a copy of configuration file with adding current date as name so we can easily track in the future. You could check it with $ ls /etc and you will find our backup file like aide2021-11-30.conf.

2. Create file test.txt on home directory $ touch /home/username/test.txt. We will monitor the change made on this file along with other default configuration on aide.conf.

3. Open aide.conf with $ sudo nano /etc/aide.conf and add the full path our test.txt on the last line and save it.

   ...
   # Admins dot files constantly change, just check perms
   /root/\..* PERMS
   
   /home/username/test.txt FIPSR
   

4. Initiate aide with $ sudo aide --init. It will create file aide.db.new.gz on /var/lib/aide directory. You could check it with $ sudo ls /var/lib/aide.

5. Renameaide.db.new.gz to aide.db.gz (without new part) with $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz.

6. Make a change on test.txt by adding any text inside it. Let say $ echo change > /home/username/test.txt.

7. After that run $ sudo aide --check. At this time, it will check each file monitored on /etc/aide.conf. When it’s done, it will give you a report.

8. If you could identified the changes reported after running $ sudo aide --check, you could update it with $ sudo aide --update. This will create another aide.db.new.gz on /var/lib/aide. You could delete old aide.db.gz and rename new created aide.db.new.gz to aide.db.gz.

My understanding it’s only create a database and then check it if there any modification made. It should not broke your system if you miss configure it.