Set up AIDE on Ubuntu 22.04: Best file and directory integrity checker

This article shows you how to set up AIDE on Ubuntu 22.04. Advanced Intrusion Detection Environment (AIDE) is a file and directory integrity checker. It builds a database from the regular-expression rules it finds in its configuration files; once that database has been initialized, it is used to verify the integrity of the files those rules select.

AIDE supports several message digest algorithms for checking file contents, and it can also check file attributes for inconsistencies.

Running AIDE has a performance impact, so you may want to disable the checks or schedule them to run at specific times. Mounted network and external file systems under /mnt are excluded from AIDE scans automatically.

Now follow the guide steps below on the Orcacore website to complete the AIDE file system integrity setup on Ubuntu 22.04.

To complete the AIDE file system integrity setup on Ubuntu 22.04, you must log in to your server as a non-root user with sudo privileges. To do this, you can follow our guide on Initial Server Setup with Ubuntu 22.04. Then, follow the steps below.

Install AIDE on Ubuntu 22.04

AIDE packages are available in the default Ubuntu repository. First, update your local package index with the following command:

sudo apt update

Then, use the following command to install AIDE:

sudo apt -y install aide

During the installation you will be asked to choose a general mail configuration type; here we choose Internet Site and select OK. Then choose a system mail name and continue the installation.

When your installation is completed, verify it by checking its version:

aide -v

AIDE Configuration on Ubuntu 22.04

Configuring AIDE is easy because you only have to edit the configuration file. Open the config file with your favorite text editor, here we use the vi editor:

sudo vi /etc/aide/aide.conf

Here you will find the settings that control how AIDE runs:

# AIDE conf

# set environment for executable config files included by x_include
@@x_include_setenv UPAC_settingsd /etc/aide/aide.settings.d

# The daily cron job depends on these paths
database_in=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new
gzip_dbout=yes

# Set to no to disable report_summarize_changes option.
report_summarize_changes=yes

# Set to no to disable grouping of files in report.
report_grouped=yes

# Set verbosity of aide run and reports
log_level=warning
report_level=changed_attributes

# Ignore e2fs attributes that cannot be set manually
report_ignore_e2fsattrs=EhI
...

You can edit the given information as per your requirements and save this AIDE configuration file on Ubuntu 22.04.
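Most real-world tuning happens not in aide.conf itself but in a drop-in file under /etc/aide/aide.conf.d, which Ubuntu's aide.conf pulls in through @@x_include. The following script is an added example, not part of the original article: it writes such a rule file and then has aide parse-check the whole configuration before any database is built. The file name 99_local_rules and the group name LocalStrict are this example's own choices; the attribute letters are the ones documented in aide.conf(5).

```shell
#!/bin/bash
# Added example, not from the original article: install a local AIDE rule file
# and validate the configuration. File name and LocalStrict group name are
# this example's choice; attribute letters come from aide.conf(5).
set -u

# write_local_rules PATH : write the rule file to PATH.
write_local_rules() {
    cat > "$1" <<'EOF'
# Attribute group: permissions, inode, link count, owner, group, size,
# mtime, ctime, plus SHA-256 and SHA-512 of the content.
LocalStrict = p+i+n+u+g+s+m+c+sha256+sha512

# Files whose unnoticed modification would matter most on this host.
# A trailing $ anchors the regular expression to that exact path.
/etc/ssh/sshd_config$ LocalStrict
/etc/sudoers$ LocalStrict
/etc/sudoers.d LocalStrict

# Rewritten at runtime; exclude it so it does not appear in every report.
!/etc/mtab$
EOF
}

# Parse-check the whole configuration (including the new file) without scanning.
validate_aide_config() {
    sudo aide --config-check
}

# Command-line use:  ./local_rules.sh install
if [ "${1:-}" = install ]; then
    write_local_rules /tmp/99_local_rules
    sudo install -m 0644 /tmp/99_local_rules /etc/aide/aide.conf.d/99_local_rules
    validate_aide_config
fi
```

Run it with the `install` argument once, then continue with aideinit as described below; a configuration error surfaces at the --config-check step rather than halfway through a multi-minute database build.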

How To Use AIDE File System Integrity?

At this point, you can create a new AIDE File System Integrity database by using the command below:

sudo aideinit

This command creates the AIDE database file /var/lib/aide/aide.db.new as per the currently available file system.

Then, to install the new AIDE database, you must copy it to your database file location:

sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Now you can start your AIDE scan process by using the command below:

sudo aide --check
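The check above is only half of the operating routine: someone has to read the result, keep the report, and re-baseline after a change that turns out to be legitimate (a package upgrade, for instance). The script below is an added example, not part of the original article or of the AIDE project. It wraps `aide --check` and `aide --update` from the steps above and decodes AIDE's exit status, which encodes what was found as a bitmask (1 = new files, 2 = removed files, 4 = changed files; 14 and above are errors). The report directory /var/log/aide-reports and the function names are this example's choices.

```shell
#!/bin/bash
# Added example, not from the original article: a wrapper around the AIDE
# check / accept cycle. REPORT_DIR and function names are assumptions.
set -u

AIDE_DB=/var/lib/aide/aide.db           # database_in from aide.conf
AIDE_DB_NEW=/var/lib/aide/aide.db.new   # database_out from aide.conf
REPORT_DIR=/var/log/aide-reports        # assumed location, not an AIDE default

# aide_exit_summary CODE : turn aide(1)'s exit status into one line.
# Bit 1 = new files, bit 2 = removed files, bit 4 = changed files;
# 14..19 are configuration or I/O errors rather than findings.
aide_exit_summary() {
    local code=$1 parts=""
    if [ "$code" -eq 0 ]; then echo "no changes"; return 0; fi
    if [ "$code" -ge 14 ]; then echo "error (exit $code)"; return 2; fi
    [ $((code & 1)) -ne 0 ] && parts="$parts new"
    [ $((code & 2)) -ne 0 ] && parts="$parts removed"
    [ $((code & 4)) -ne 0 ] && parts="$parts changed"
    echo "changes detected:${parts}"
    return 1
}

# aide_check : run the check, keep the full report, print the summary.
aide_check() {
    local report code
    sudo mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).txt"
    sudo aide --check | sudo tee "$report" > /dev/null
    code=${PIPESTATUS[0]}
    aide_exit_summary "$code"
    echo "full report: $report"
    return "$code"
}

# aide_accept_changes : after you have verified a reported change as
# legitimate, rebuild the database and install it as the new baseline.
# aide --update exits non-zero when it records differences, so its status
# is ignored; the cp mirrors the install step from the article.
aide_accept_changes() {
    sudo aide --update || true
    sudo cp "$AIDE_DB_NEW" "$AIDE_DB"
}

# Command-line use:  ./aide-run.sh check   |   ./aide-run.sh accept
case ${1:-} in
    check)  aide_check ;;
    accept) aide_accept_changes ;;
esac
```

Keeping every report under a dated name matters during an investigation: the report that first showed the change is the evidence, and re-running the check after a re-baseline would otherwise overwrite it.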

Conclusion

AIDE helps detect unauthorized changes like modified or deleted files, which could indicate a security issue. This makes it useful for protecting systems from tampering or intrusions. At this point, you have learned to Set up AIDE on Ubuntu 22.04.

Hope you enjoy it. Please subscribe to us on Facebook and Twitter.

Alternative Solutions for File and Directory Integrity Checking

While AIDE is a robust and reliable solution for file and directory integrity checking, other methods exist that offer different strengths and weaknesses. Let’s explore two alternative solutions: Tripwire and using a combination of find, sha256sum, and cron.

1. Tripwire

Tripwire is a commercial intrusion detection system that, like AIDE, provides file integrity monitoring. It’s a more mature and feature-rich solution, often used in enterprise environments. Tripwire maintains a database of file signatures and attributes. Periodically, it scans the system, compares the current state of files with the database, and reports any discrepancies.

Key Differences from AIDE:

  • Commercial vs. Open Source: Tripwire is a commercial product, typically involving licensing costs. AIDE is open-source and free to use.
  • Scalability and Centralized Management: Tripwire often comes with centralized management capabilities, making it easier to monitor multiple systems. AIDE typically requires configuration and management on each individual host.
  • Ease of Use: While both require initial configuration, Tripwire often offers a more user-friendly interface, especially for large deployments.

Setting up Tripwire (Simplified Example):

Although a full Tripwire setup can be complex, here’s a simplified illustration of the key steps:

  1. Installation: Tripwire installation varies depending on the operating system and the chosen version. Refer to the official Tripwire documentation for specific instructions. Typically, it involves downloading and installing a package from Tripwire.

  2. Configuration: The configuration file (often twcfg.txt) defines which files and directories to monitor. It also specifies the properties to check (e.g., file size, modification time, checksum). You’ll need to learn Tripwire’s rule syntax.

  3. Database Initialization: After configuring Tripwire, you create the initial database:

    tripwire --init
  4. Running Integrity Checks: To check for changes:

    tripwire --check
  5. Reporting: Tripwire generates reports detailing any detected changes.

Example Configuration Snippet (Illustrative):

# Sample Tripwire configuration (twcfg.txt)
# This is highly simplified and for illustrative purposes only.

(
  rulename = "Important Binaries";
  severity = 100;
)
{
  /usr/bin -> $(SECURE);
  /usr/sbin -> $(SECURE);
}

Explanation:

  • rulename: A descriptive name for the rule.
  • severity: A value indicating the importance of changes to these files.
  • /usr/bin and /usr/sbin: The directories to monitor.
  • $(SECURE): A pre-defined variable that includes specific file attributes (e.g., permissions, ownership, checksums). You can define custom variables to specify exactly which attributes to check.

Note: This is a very basic example. A real-world Tripwire configuration would be significantly more detailed and tailored to the specific security requirements of the system.

2. find, sha256sum, and Cron

A simpler, albeit less sophisticated, approach involves using standard Linux utilities to create a checksum database and schedule periodic checks using cron. This method is useful for smaller systems or for situations where a full-fledged integrity checker is not required.

How it Works:

  1. Create a Checksum Database: Use find to locate the files you want to monitor, then use sha256sum (or another hashing algorithm) to generate checksums for each file. Store these checksums in a file.
  2. Schedule Periodic Checks: Use cron to run a script that recalculates the checksums and compares them to the stored database. Report any changes.

Example Script (integrity_check.sh):

#!/bin/bash
# Simple checksum-based integrity check using find, sha256sum and cron.
set -u

# Configuration
MONITORED_DIRS="/etc /usr/bin /usr/sbin"
DATABASE_FILE="/var/lib/integrity.db"
LOG_FILE="/var/log/integrity_check.log"

# Hash every regular file under the monitored directories. Paths are sorted
# so that two runs over an unchanged tree produce identical output and diff
# does not report ordering differences as changes.
checksum_tree() {
  for dir in $MONITORED_DIRS; do
    find "$dir" -type f -print0
  done | sort -z | xargs -0 -r sha256sum
}

# Create initial database if it doesn't exist
if [ ! -f "$DATABASE_FILE" ]; then
  echo "Creating initial database..."
  checksum_tree > "$DATABASE_FILE"
  echo "Database created at $DATABASE_FILE" | tee -a "$LOG_FILE"
  exit 0
fi

# Recalculate checksums into a temporary file that is removed on exit
NEW_CHECKSUMS=$(mktemp)
trap 'rm -f "$NEW_CHECKSUMS"' EXIT
checksum_tree > "$NEW_CHECKSUMS"

# Compare checksums. diff marks lines only in the old database with '<' and
# lines only in the new listing with '>', so a modified file shows up as one
# '<' line and one '>' line; hunk headers such as "12c12" are dropped.
diff "$DATABASE_FILE" "$NEW_CHECKSUMS" | grep '^[<>]' | while IFS= read -r line; do
  echo "Change detected: $line" | tee -a "$LOG_FILE"
done

# Update the database (optional - only if you want to track legitimate changes)
# cp "$NEW_CHECKSUMS" "$DATABASE_FILE"

echo "Integrity check completed. See $LOG_FILE for details."

Explanation:

  • MONITORED_DIRS: A list of directories to monitor.
  • DATABASE_FILE: The location of the checksum database.
  • LOG_FILE: The log file for recording changes.
  • The script first checks whether the database file exists. If not, it creates it by calculating checksums for all files in the monitored directories and exits.
  • Otherwise it recalculates the checksums into a temporary file.
  • The diff command compares the old and new checksum listings. Any differences are logged.
  • The temporary file is removed when the script exits.
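A raw diff of two checksum listings tells you that a line changed, but the operator still has to work out whether a file was modified, deleted, or newly added. The script below is an added example, not part of the original article: it keeps the same find/sha256sum idea but verifies the baseline with `sha256sum -c`, so each finding is classified as MODIFIED, MISSING or NEW, and the function returns a non-zero status only when something differs. The function names are this example's own; it needs bash plus the GNU coreutils and findutils shipped with Ubuntu 22.04, and file names containing newlines are not supported.

```shell
#!/bin/bash
# Added example, not part of the original article: a baseline checker built on
# sha256sum -c that classifies each finding as MODIFIED, MISSING or NEW.
# Function names are this example's own. Requires bash and GNU coreutils.
set -u
export LC_ALL=C   # one collation order for both sort and comm

# build_baseline DIR DB : record the SHA-256 of every regular file under DIR.
# Paths are sorted so the database is stable from one run to the next.
build_baseline() {
    local dir=$1 db=$2
    find "$dir" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$db"
}

# check_baseline DIR DB : verify DIR against DB. Prints one line per finding
# and returns 0 when the tree matches the baseline, 1 otherwise.
check_baseline() {
    local dir=$1 db=$2 findings=0 line work
    work=$(mktemp -d)

    # sha256sum -c prints "path: OK", "path: FAILED" (content differs) or
    # "path: FAILED open or read" (file is gone); --quiet drops the OK lines.
    # Its non-zero exit on any mismatch is expected here, hence "|| true".
    sha256sum -c --quiet "$db" > "$work/verify" 2>/dev/null || true
    while IFS= read -r line; do
        case $line in
            *': FAILED open or read') echo "MISSING: ${line%: FAILED open or read}"; findings=1 ;;
            *': FAILED')              echo "MODIFIED: ${line%: FAILED}";            findings=1 ;;
        esac
    done < "$work/verify"

    # Files that exist now but were never recorded: strip the hash column
    # (and the optional '*' binary marker) from the baseline, then compare
    # the sorted path lists; comm -13 leaves only paths unique to the tree.
    awk '{ sub(/^[^ ]+ [ *]/, ""); print }' "$db" | sort > "$work/known"
    find "$dir" -type f | sort | comm -13 "$work/known" - > "$work/new"
    while IFS= read -r line; do
        echo "NEW: $line"; findings=1
    done < "$work/new"

    rm -rf "$work"
    return "$findings"
}

# Command-line use:  ./integrity.sh init DIR DB   |   ./integrity.sh check DIR DB
case ${1:-} in
    init)  build_baseline "$2" "$3" ;;
    check) check_baseline "$2" "$3" ;;
esac
```

Because the check returns a non-zero status on any finding, a cron job can mail or log only when `check` fails instead of on every run, and the MISSING/NEW split makes a report readable at a glance. The baseline file has the same weakness as the original script's database: it is only as trustworthy as the host that stores it, so keep it outside the monitored tree and out of reach of the accounts whose activity you want to detect.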

Scheduling with Cron:

To run this script daily, add the following line to your crontab (using crontab -e):

0 0 * * * /path/to/integrity_check.sh

This will run the script every day at midnight.

Advantages:

  • Simple: Easy to understand and implement using standard Linux tools.
  • Lightweight: Minimal resource consumption compared to AIDE or Tripwire.
  • Customizable: You have full control over the script and can modify it to suit your specific needs.

Disadvantages:

  • Less Secure: Easier to tamper with the script and database compared to AIDE or Tripwire.
  • Manual Management: Requires manual configuration and maintenance.
  • No Advanced Features: Lacks the advanced features of AIDE or Tripwire, such as automatic reporting and centralized management.

Conclusion:

Choosing the right file integrity monitoring solution depends on your specific needs and security requirements. AIDE offers a good balance between security and ease of use for many situations, especially when you want to Set up AIDE on Ubuntu 22.04. Tripwire provides more advanced features and scalability but comes at a cost. The find/sha256sum/cron approach is a simple and lightweight alternative for smaller systems or specific use cases. Always consider the trade-offs between security, complexity, and cost when making your decision.
