Context: Why is File Integrity Monitoring (FIM) Necessary?
When managing Linux servers, security is always my top priority. We cannot anticipate every attack or unauthorized change on the system. Malicious actors can install malware, modify configurations, or inject rootkits to hide themselves.
I still remember the time my server was brute-forced via SSH and I had to handle it urgently in the middle of the night. That stressful feeling is truly indescribable. From that experience, I’ve always made it a principle to establish security from the start, and File Integrity Monitoring (FIM) is one of the indispensable layers of defense. FIM not only helps detect unusual changes but also provides crucial evidence when investigating security incidents.
Relying solely on firewalls or network intrusion detection/prevention systems (IDS/IPS) is often not enough. Once attackers bypass external defenses and gain access to a server, they can silently modify system files. This creates backdoors without anyone knowing. That’s when FIM proves most effective. This tool helps us “scan” every corner of the file system, detecting any signs of tampering or intrusion.
When it comes to FIM on Linux, AIDE (Advanced Intrusion Detection Environment) is the tool I trust. AIDE is effective open-source software that builds a database, a “snapshot” of the attributes and checksums of the files you select. Each later run compares the live file system against that snapshot and reports every difference. AIDE is not a daemon, so it does not watch the system continuously: you schedule the checks (cron, a systemd timer) and it compares on each run.
Installing AIDE on Popular Linux Distributions
Installing AIDE is quite simple and quick on most Linux distributions.
Installation on Ubuntu/Debian
For Debian or Ubuntu-based systems, you can install AIDE using the following commands:
sudo apt update
sudo apt install aide aide-common
aide is the binary that builds the database and performs the checks. aide-common supplies the Debian configuration (/etc/aide/aide.conf plus the fragments under /etc/aide/aide.conf.d), the aideinit helper and the daily cron job that runs the check.
Installation on CentOS/RHEL/Fedora
For Red Hat Enterprise Linux, CentOS, or Fedora systems, use yum or dnf (see https://itfromzero.com/en/centos-vi-en/saving-a-server-at-2-am-a-detailed-guide-to-dnf-package-manager-on-rhel-rocky-linux.html):
sudo yum install aide
# Or for newer versions:
sudo dnf install aide
Once the installation is complete, we are ready to configure AIDE.
Detailed AIDE Configuration: Building the “Golden Rules” for Your System
AIDE’s power lies in its configurability. On Debian/Ubuntu the main configuration file is /etc/aide/aide.conf (with per-package fragments under /etc/aide/aide.conf.d); on RHEL/CentOS/Fedora it is /etc/aide.conf. The examples below use the Debian path; substitute /etc/aide.conf on Red Hat systems. Back the file up before making any changes:
sudo cp /etc/aide/aide.conf /etc/aide/aide.conf.bak
Understanding the Rules
In aide.conf you will see many lines of the form Name = attribute+attribute+…, for example Perms, Normal, Static, Log. Each one defines a named set of attributes that AIDE records for the files and directories the rule is later applied to; the full attribute list is in aide.conf(5). The rules I use, with what each attribute means:
Perms = p+i+u+g+acl+selinux+xattrs
Monitors permissions, inode number, user/group owner, ACLs, SELinux context and extended attributes, but not content. This rule is ideal for directories whose contents change frequently while their access rights should not.
Static = p+i+u+g+s+b+md5+sha256+rmd160+tiger+m+c+acl+selinux+xattrs
The most comprehensive rule. It checks everything from permissions and ownership to size (s), block count (b), mtime (m) and ctime (c), and above all several checksums of the content (MD5, SHA-256, RMD160, Tiger). A file cannot be altered without at least one of these changing. Use it for critical system files, especially binaries that should never change. Note that the Tiger attribute is spelled tiger; AIDE rejects a misspelled attribute as unknown and refuses the configuration.
Log = p+u+g+S
For log files. Permissions and ownership are checked, and S is the growing-size check: a file that only grows (normal appending) is not reported, a file that shrinks is. I don’t want AIDE to alert every time a line is written to a log. I am only concerned if permissions or ownership change, or if a file is suddenly truncated or deleted, which is what an attacker covering tracks does. Do not combine S with s; s means the size must be identical and would flag every append.
Databases = p+u+g+acl+xattrs
For directories holding databases or application data. Only permissions and ownership matter here, not the content, because the content changes with every write.
I usually define custom rules at the beginning of the aide.conf file for easier management.
Selecting Directories to Monitor and Exclude
The most crucial part is specifying which directories AIDE should monitor and which it should ignore. You will use the following syntax:
# Important system directories, applying the Static rule
/boot Static
/bin Static
/sbin Static
/usr/bin Static
/usr/sbin Static
# Configuration directory, where many important files are stored
/etc Static
# Directories containing libraries and kernel modules
/lib Static
/lib64 Static
/usr/lib Static
/usr/lib64 Static
# Log files: only monitor permissions, ownership and shrinking size
/var/log Log
# Exclude virtual, temporary, and unneeded directories
!/proc
!/sys
!/dev
!/tmp
!/var/tmp
!/var/run
!/var/spool
!/var/cache
# Example of excluding a single dynamic file in /etc. Selection lines are
# regular expressions, not shell globs; the trailing $ pins the match to
# exactly this path.
!/etc/mtab$
The ! prefix excludes a path. Selection lines are regular expressions anchored at the start of the path, not shell globs: /etc/mtab on its own also matches anything that begins with /etc/mtab, and a trailing $ pins the match to that exact path. I exclude /proc, /sys and /dev because they are virtual file systems that change constantly, and /tmp and /var/tmp because they only hold temporary files.
In /etc, /etc/mtab is a live view of the mount table (on modern systems a symlink to /proc/self/mounts) and only produces noise, so I exclude it. Do not exclude the SSH host keys in /etc/ssh: ssh_host_* files are generated once at installation and never change in normal operation, so a modified host key is exactly the kind of event FIM exists to catch (a replaced host key lets an attacker impersonate the server to its clients). After editing, validate the file with AIDE’s --config-check (-D) option before building a database; a bad rule is much cheaper to find there than after a full scan.
Initializing the Database for the First Time
After configuring aide.conf, the next step is to create the initial database. This is the first “snapshot” of the system, serving as AIDE’s baseline for comparison.
sudo aide --init
This command scans every file and directory the configuration selects and writes the new database to the path named by the database_out directive, which on RHEL/CentOS/Fedora is /var/lib/aide/aide.db.new.gz. Nothing is compared yet. For AIDE to use it in subsequent checks you move it to the path named by database_in (spelled database in older releases), /var/lib/aide/aide.db.gz:
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
On Debian/Ubuntu the packaged paths are /var/lib/aide/aide.db.new and /var/lib/aide/aide.db, and the aideinit helper from aide-common runs the initialisation for you; its aide.db.new is put into place the same way.
Extremely important: aide.db.gz is the trust anchor of the whole scheme. An attacker who can rewrite it (or the configuration file, or the aide binary itself) can make every later check report a clean system. Keep the database owned by root with mode 0600, and keep a copy of it, or at least its SHA-256 hash, somewhere the server cannot rewrite: read-only media, a remote host, or a write-once location. Compare against that copy before trusting the result of a check.
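As an added example (my own script, not part of the original article or of the AIDE project), here is a small wrapper around that advice: it records the baseline hash right after --init, refuses to run a check if the database on disk no longer matches, promotes the database that aide --update writes to database_out once you have reviewed the changes, and decodes the exit status of aide --check (a bitmask of 1 for new files, 2 for removed files and 4 for changed files; values of 8 and above are not difference bitmasks and are treated as errors). Paths are the RHEL/Fedora defaults and the hash-file location /root/aide.db.gz.sha256 is an assumption; put it on read-only media or a remote host in practice.

```bash
#!/bin/bash
# Added example, not part of the article or of AIDE: guard the AIDE baseline
# with an out-of-band hash and decode aide's exit status.
# Paths are the RHEL/Fedora defaults; override them via the environment.
# HASH_FILE as a root-only local file is an assumption for illustration;
# a root-level attacker can edit it too, so keep the real copy off-host.
AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db.gz}"
AIDE_DB_NEW="${AIDE_DB_NEW:-/var/lib/aide/aide.db.new.gz}"
HASH_FILE="${HASH_FILE:-/root/aide.db.gz.sha256}"

# Portable SHA-256 of one file (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# Record the hash of the trusted baseline. Call this right after --init or
# after accepting an --update, never automatically from the check itself.
record_db_hash() {                 # $1 = db path, $2 = hash file
  sha256_of "$1" > "$2" || return 1
  chmod 0400 "$2"
}

# Return 0 only if the database on disk still matches the recorded hash.
verify_db_hash() {                 # $1 = db path, $2 = hash file
  local expected actual
  expected=$(cat "$2" 2>/dev/null) || return 1
  actual=$(sha256_of "$1") || return 1
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Promote the freshly written database to the baseline and re-record its hash.
accept_new_baseline() {            # $1 = new db, $2 = baseline db, $3 = hash file
  mv "$1" "$2" || return 1
  chmod 0600 "$2"
  rm -f "$3"                       # the old hash file is 0400; replace it
  record_db_hash "$2" "$3"
}

# aide --check exits 0 for no differences, otherwise a bitmask:
# 1 = new files, 2 = removed files, 4 = changed files. 8 and above are errors.
decode_aide_status() {             # $1 = exit status
  local code=$1 out=""
  [ "$code" -eq 0 ] && { echo "no changes"; return; }
  if [ "$code" -ge 8 ]; then echo "error (exit $code)"; return; fi
  [ $((code & 1)) -ne 0 ] && out="${out}new files, "
  [ $((code & 2)) -ne 0 ] && out="${out}removed files, "
  [ $((code & 4)) -ne 0 ] && out="${out}changed files, "
  echo "${out%, }"
}

# Refuse to run a check against a baseline that does not match the recorded hash.
run_check() {
  local rc
  if ! verify_db_hash "$AIDE_DB" "$HASH_FILE"; then
    echo "REFUSING to run: $AIDE_DB does not match the hash in $HASH_FILE" >&2
    return 3
  fi
  aide --check
  rc=$?
  echo "aide --check: $(decode_aide_status "$rc")" >&2
  return "$rc"
}

# Usage: aide-guard.sh --record | --check | --accept
case "${1:-}" in
  --record) record_db_hash "$AIDE_DB" "$HASH_FILE" ;;
  --check)  run_check ;;
  --accept) accept_new_baseline "$AIDE_DB_NEW" "$AIDE_DB" "$HASH_FILE" ;;
esac
```

Run --record once after sudo aide --init, schedule --check from cron or a timer, and use --accept only after you have read the report from aide --update and agreed with every change in it. The exit-status decode is what makes the check usable from a scheduler: a non-zero status from a genuine difference and a refusal because the baseline hash no longer matches are two very different events, and the second one should page someone.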
Checking and Monitoring AIDE: Always Ready
Once the database has been initialized, AIDE is ready to begin its monitoring tasks.
Manual Check
To run a single check and view the report, simply use the command below (on Debian/Ubuntu the packaged daily cron job runs the same check through aide.wrapper --check, which reads the packaged configuration):
sudo aide --check
AIDE compares the current state of the file system with the aide.db.gz database and prints a detailed report of every difference. It also exits with a status you can script on: 0 means no changes, otherwise a bitmask of 1 (new files), 2 (removed files) and 4 (changed files).
# Example output when changes are detected
Start timestamp: 2024-03-21 09:00:00
AIDE found differences between database and filesystem.
Summary:
Total number of entries: 123456
Added entries: 2
Removed entries:

