
The Silent Watchman: Intrusion Detection with AIDE
Detect the invisible intruder. Master 'AIDE' (Advanced Intrusion Detection Environment). Learn to take a 'Snapshot' of your system's integrity and use file hashes to detect even the slightest unauthorized change to critical system binaries like 'ls' or 'ssh'.
Intrusion Detection: The Art of Integrity
Imagine a professional hacker breaks into your server. They don't just delete files; they are much smarter. They replace your standard /bin/ls command with a modified version that hides their secret files from you. Or they add a single line to /etc/passwd that gives them a back door.
If you don't know exactly what your files looked like yesterday, how can you know if they've changed today?
You use AIDE (Advanced Intrusion Detection Environment).
AIDE creates a "Digital Fingerprint" (a hash) of every important file on your system. It saves these fingerprints in a secure database. Later, you can run AIDE to compare the current system against the database. If even a single bit has changed in a file, AIDE will scream.
1. The Workflow of File Integrity
- Initialization: You run AIDE on a clean, fresh system. It records the hashes of everything.
- Protection: You move the AIDE database to a read-only location (or another server) so a hacker can't "Update" it to hide their tracks.
- The Audit: Once a day, AIDE scans your files and compares them to the database.
- The Update: When you intentionally update the system (e.g., apt upgrade), you tell AIDE to update its database to accept the new fingerprints.
2. Practical: Your First Integrity Scan
# 1. Install AIDE
sudo apt install aide
# 2. Initialize the database
# This takes a few minutes as it hashes thousands of files
sudo aideinit
# 3. Put the new database into place
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# 4. Run a check manually
sudo aide --check
3. Configuring the Watchlist
You don't want to hash your entire hard drive. You don't care if the logs change (they change every second!). You only care about the System Core.
Config is in /etc/aide/aide.conf.
# Example rules (path, then the attribute group to record):
# L = metadata only (permissions, ownership, inode), no content hash
/etc L
# R = metadata plus a content checksum, for read-only binaries
/bin R
/sbin R
# A leading '!' means IGNORE this path and everything under it
!/var/log
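To make the workflow of section 1 (initialize, audit, update) and the rule groups of section 3 concrete, here is an added Python model of what AIDE does internally. It is example code written for this lesson, not AIDE's own code and not from the original page. It assumes a simplified rule syntax: a list of (path prefix, group) pairs where R records a SHA-256 of the content plus metadata, L records metadata only, and "!" excludes a subtree, with the most specific prefix winning (real AIDE matches regular expressions, so treat the selection logic as a stand-in). The demo() function builds a constructed fake filesystem in a temporary directory, takes a baseline, then simulates a content change to a binary, a permission change to a config file, a new file, and log noise that the ignore rule should swallow.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Rule groups, loosely modelled on the presets used in aide.conf:
# R = metadata plus a content hash, L = metadata only, "!" = ignore subtree.
CONTENT, META, IGNORE = "R", "L", "!"


def select_rule(rel_path, rules):
    """Pick the group for a path: the most specific (longest) prefix wins.

    Simplified stand-in for AIDE's regex-based selection (an assumption of
    this example). Returns None when the best match is an ignore rule or
    when nothing matches at all.
    """
    best = None
    for prefix, group in rules:
        p = prefix.rstrip("/")
        if rel_path == p or rel_path.startswith(p + "/"):
            if best is None or len(p) > len(best[0]):
                best = (p, group)
    if best is None or best[1] == IGNORE:
        return None
    return best[1]


def fingerprint(path, group):
    """Record what the group asks for: mode and owner always, SHA-256 only for R."""
    st = path.lstat()
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if group == CONTENT and path.is_file():
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["size"] = st.st_size
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root, rules):
    """Walk `root` and fingerprint every file that a non-ignore rule selects."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = "/" + p.relative_to(root).as_posix()
            group = select_rule(rel, rules)
            if group is not None:
                baseline[rel] = fingerprint(p, group)
    return baseline


def compare(old, new):
    """The audit step: report what appeared, vanished, or no longer matches."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo():
    """Constructed scenario in a temp dir: a baseline, then four kinds of activity."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "bin/ls": b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n",
            "var/log/syslog": b"boot ok\n",
        }.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        (root / "etc/passwd").chmod(0o644)
        rules = [("/etc", META), ("/bin", CONTENT), ("/var/log", IGNORE)]
        baseline = build_baseline(root, rules)  # the "aideinit" step

        # Simulated activity after the baseline was taken:
        (root / "bin/ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\" # altered\n")  # R catches content
        (root / "etc/passwd").chmod(0o600)                  # L catches the permission change
        (root / "bin/extra").write_bytes(b"new binary\n")   # new file under a watched path
        with (root / "var/log/syslog").open("ab") as f:     # ignored: log noise
            f.write(b"another line\n")
        return compare(baseline, build_baseline(root, rules))  # the "aide --check" step


if __name__ == "__main__":
    print(demo())
```

Running it reports /bin/extra as added and /bin/ls and /etc/passwd as changed, while the appended log line is invisible because the ignore rule is the most specific match for /var/log. The "Protection" step of the workflow is the one thing this model cannot do for you: the baseline dictionary is only trustworthy if it was written somewhere the audited host cannot modify.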
4. The Result: Identifying the "Rootkit"
If AIDE reports:
Number of entries: 12345
Changed entries: 1
File: /usr/sbin/sshd
...and you didn't just update your SSH server, panic. This is a classic sign that someone has replaced your SSH server with a malicious version.
5. Practical: Automating the Audit
In a professional environment, AIDE should run at 3 AM and email the report to the security team.
# Example crontab entry
0 3 * * * /usr/bin/aide --check | /usr/bin/mail -s "Daily Integrity Report" admin@company.com
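Piping every run straight to mail produces a report even on the nights when nothing changed, and a team that gets a "Daily Integrity Report" every day soon stops reading it. The added Python wrapper below (example code for this lesson, not the page's own script and not part of AIDE) uses the exit status to decide whether a run deserves an alert. It relies on the exit-status convention documented in the EXIT STATUS section of the aide(1) manual, namely bit 1 for new files, bit 2 for removed files, bit 4 for changed files and values of 14 and above for errors; confirm that table against your installed version. run_audit() takes the command as a parameter so the demo can be exercised with a constructed stand-in command (FAKE_CHECK_CMD) instead of a real AIDE install.

```python
import socket
import subprocess
import sys

# Exit-status bits per the EXIT STATUS section of the aide(1) manual
# (assumption of this example; verify against your version): 1 = new files,
# 2 = removed files, 4 = changed files; 14 and above signal an error.
NEW_FILES = 1
REMOVED_FILES = 2
CHANGED_FILES = 4
FIRST_ERROR_CODE = 14

# Constructed stand-in for `aide --check` used by the demo: it prints one
# report line and exits with status 4 ("changed files").
FAKE_CHECK_CMD = (sys.executable, "-c",
                  "print('Changed entries: 1'); raise SystemExit(4)")


def classify_exit(code):
    """Translate an AIDE exit status into a verdict dict."""
    if code < 0 or code >= FIRST_ERROR_CODE:
        # Killed by a signal or an AIDE-internal error: the audit did not
        # complete, which is itself worth a ticket.
        return {"status": "error", "new": False, "removed": False,
                "changed": False, "alert": True, "exit_code": code}
    return {
        "status": "clean" if code == 0 else "changes",
        "new": bool(code & NEW_FILES),
        "removed": bool(code & REMOVED_FILES),
        "changed": bool(code & CHANGED_FILES),
        "alert": code != 0,
        "exit_code": code,
    }


def run_audit(cmd=("aide", "--check")):
    """Run the check and attach the report text to the verdict.

    `cmd` is a parameter so the function can be tested with a stand-in
    command; in the crontab it is the real AIDE invocation.
    """
    res = subprocess.run(list(cmd), capture_output=True, text=True)
    verdict = classify_exit(res.returncode)
    verdict["report"] = res.stdout + res.stderr
    return verdict


def mail_subject(verdict, hostname=None):
    """Subject line a wrapper would hand to `mail -s`; empty means send nothing."""
    host = hostname or socket.gethostname()
    if not verdict["alert"]:
        return ""
    if verdict["status"] == "error":
        return f"[AIDE][{host}] audit FAILED (exit {verdict['exit_code']})"
    kinds = [k for k in ("new", "removed", "changed") if verdict[k]]
    return f"[AIDE][{host}] integrity changes: {', '.join(kinds)}"


if __name__ == "__main__":
    # Called from cron; prints subject and report only when there is something to say.
    verdict = run_audit()
    subject = mail_subject(verdict)
    if subject:
        print(subject)
        print(verdict["report"])
```

Treating a failed or signalled run as an alert matters as much as the change bits: an audit that silently stops running is indistinguishable, from the mailbox, from a system that never changes.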
6. Example: An AIDE Report Parser (Python)
AIDE's output is long and technical. Here is a Python script that simplifies the report, showing only the names of files that have been "Added" or "Modified."
import subprocess

# Letters AIDE uses for the entry type at the start of a summary line
ENTRY_TYPES = "fdlcbps"


def parse_aide_report(content):
    """Return sorted lists of added, changed and removed paths from an AIDE report.

    Recognises the newer summary lines ('f++++++++++++++++: /path' added,
    'f----------------: /path' removed, 'f   ...    .C... : /path' changed)
    as well as the older 'added: /path' / 'changed: /path' / 'removed: /path'
    style and the 'File: /path' lines of the detailed section.
    """
    found = {"added": set(), "changed": set(), "removed": set()}
    for raw in content.splitlines():
        line = raw.strip()
        if ": " not in line:
            continue
        tag, path = line.split(": ", 1)
        tag, path = tag.strip(), path.strip()
        if tag in found:
            found[tag].add(path)
        elif tag == "File":
            found["changed"].add(path)
        elif tag and tag[0] in ENTRY_TYPES and tag[1:]:
            attrs = tag[1:].replace(" ", "")
            if set(attrs) == {"+"}:
                found["added"].add(path)
            elif set(attrs) == {"-"}:
                found["removed"].add(path)
            else:
                found["changed"].add(path)
    return {key: sorted(paths) for key, paths in found.items()}


def run_aide_check(cmd=("sudo", "aide", "--check")):
    """Run the AIDE check and return the parsed summary plus the raw exit code."""
    res = subprocess.run(list(cmd), capture_output=True, text=True)
    summary = parse_aide_report(res.stdout)
    summary["exit_code"] = res.returncode
    return summary


def simplify_aide_check():
    print("--- System Integrity Summary ---")
    try:
        summary = run_aide_check()
    except OSError as e:
        print(f"Error running AIDE: {e}")
        return
    total = 0
    for label, key in (("[+] New File", "added"), ("[*] Modified File", "changed"),
                       ("[-] Removed File", "removed")):
        for path in summary[key]:
            print(f" {label}: {path}")
            total += 1
    if total == 0:
        print("[OK] No unauthorized changes detected.")


if __name__ == "__main__":
    simplify_aide_check()
7. Professional Tip: The "ReadOnly" Paradox
If a hacker gains root access, they can just delete your AIDE database or run aide --update themselves. To prevent this, professional sysadmins store the AIDE database on a Write-Once medium (like a finalized CD-R) or on a remote "Audit Server" where the compromised machine has no permission to write.
8. Summary
AIDE is your witness to unauthorized change.
- Hashing is the "DNA" of your system files.
- aideinit creates the baseline. aide --check compares the present to the past.
- Exclusions (!) are necessary for high-noise folders like /var/log.
- Integrity is a "Post-Compromise" detection tool.
In the next lesson, we will move from the file system to the deep engine: Kernel Hardening with sysctl.
Quiz Questions
- Why shouldn't you store the AIDE database on the same hard drive that it is auditing?
- What happens to the AIDE results after you run a system update like apt upgrade?
- What is a "File Hash" and why is it better than just checking the file size?