SysAdmins are responsible for installing and configuring software to support websites including those that run on DigitalOcean VPS. Unfortunately, as soon as your website is available on the internet, one or more malicious hackers will likely spend a great deal of time and effort trying to find some vulnerability in your system in order to gain unauthorized access and make changes that may take your system down completely. In extreme cases, these individuals could actually try to use your website to attack other systems, leaving you in a position where you have to explain how your IP was traced back as the source of an attack on another, likely more secure, system.
The good news is that you can secure your VPS using industry best practices, including establishing software configuration baselines that ensure that you can detect and track all changes to your droplet. One of the most popular tools for monitoring changes to a Unix or Linux system is known as Advanced Intrusion Detection Environment (AIDE) originally written by Rami Lehti and Pablo Virolainen in 1999. This article will help you get started by describing how to install, configure, and use Aide in an effective way.
Unix and Linux servers, including a DigitalOcean VPS, provide a robust platform for installing, configuring, and running software powering websites available on the internet. Industry standards such as the IEEE 828 Configuration Management Standard and the itSMF ITIL v3 framework provide well respected industry guidelines on how to record and maintain a stable operating system and application baselines which are essential for ensuring that these systems are secure and reliable.
Financial services firms including large banks, trading firms, and the exchanges themselves are required by Federal Regulatory authorities including Financial Industry Regulatory Authority (Finra), Office of the Comptroller of the Currency (OCC), and the Federal Reserve System (Fed) to implement these best practices. As a SysAdmin, you can use these same procedures to secure your DigitalOcean VPS and create a secure trusted application base using DevOps best practices. When I create a new Linux or Unix VPS, I always start by installing a tool such as Aide or Tripwire.
The first step is to run the command yum install aide as shown in figure 1.0 to check for dependencies and verify that aide can be installed.
[root@myserver ~]# yum install aide
You will need to enter y to proceed with the installation.
Is this ok [y/N]: y
After the installation is complete you should run aide --help and verify the version of aide as shown below.
[root@myserver ~]# aide --help
Next you should verify the version of aide that you are running. Make note of the location of /etc/aide.conf, which we will discuss at the end of this technote.
[root@myserver ~]# aide -v
Aide 0.13.1
Compiled with the following options:
WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_LSTAT64
WITH_READDIR64
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE "/etc/aide.conf"
Now that we have verified that Aide is installed we will create our first aide database.
Initialize the first aide database by issuing the command aide --init as shown.
[root@myserver ~]# aide --init
Verify that the new aide database has been created
[root@myserver ~]# cd /var/lib/aide
[root@myserver aide]# ls -lt
total 1488
-rw------- 1 root root 1520639 Dec 8 16:57 aide.db.new.gz
The initial aide database (aide.db.new.gz) must be renamed (aide.db.gz) in order for aide to work successfully.
[root@myserver aide]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[root@myserver aide]# ls -lt
total 1488
-rw------- 1 root root 1520639 Dec 8 16:57 aide.db.gz
Next we will run the aide check just to demonstrate that no changes have occurred.
[root@myserver aide]# aide --check
Next we will use the unix touch command to create a new file in the /usr/sbin directory and then run aide check to verify that the newly created file is detected and reported.
[root@myserver aide]# touch /usr/sbin/mytestfile.txt
[root@myserver aide]# aide --check
Once we have reviewed the changes detected by aide check, we likely do not want aide to report them again because these reports can get very long. The practical approach is to review the changes and then update the aide database so that they are not reported again on the next run of aide check.
Next you will create an updated aide database that ignores all previously made (and reviewed) changes.
[root@myserver aide]# aide --update
The new aide database is called aide.db.new.gz as shown below in figure 11.
[root@myserver aide]# ls -lt
total 2976
-rw------- 1 root root 1520708 Dec 8 17:13 aide.db.new.gz
-rw------- 1 root root 1520639 Dec 8 16:57 aide.db.gz
The next step is to rename the aide database again so that we are using the new version of the aide database to report only changes that occur from this point forward.
It is usually a good idea to save the old aide database by renaming it with a date as shown in figure 12 so that you can trace back any changes (if necessary). Eventually, the old versions of the aide databases can be archived and deleted. You also need to use the unix mv command to rename the newly created aide database so that it can be used going forward.
`[root@myserver aide]# mv aide.db.gz aide.db.gz-Dec082013`
`[root@myserver aide]# mv aide.db.new.gz aide.db.gz`
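The review-then-update cycle above (run aide --check, review, run aide --update, keep the old database under a dated name, promote aide.db.new.gz) is easy to get wrong by hand, for example by overwriting yesterday's backup or promoting a database that was never written. The script below is an added example, not part of the original tutorial, that wraps those two mv commands in a function with the checks a sysadmin would want, plus a wrapper that runs aide --update first. It assumes the tutorial's /var/lib/aide layout and an aide binary at /usr/sbin/aide; the directory argument exists so the rotation can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original tutorial): safe promotion of the
# database written by "aide --update". AIDE writes aide.db.new.gz and never
# touches aide.db.gz itself, so moving the new baseline into place is our job.

# rotate_aide_db <dir> <datestamp>
# Keeps the baseline in use until now as aide.db.gz-<datestamp> (the same
# naming the tutorial uses) and promotes aide.db.new.gz to aide.db.gz.
# Return codes: 0 ok, 1 no new database, 2 backup name already taken, 3 mv failed.
rotate_aide_db() {
    dir="$1"
    stamp="$2"
    old="$dir/aide.db.gz"
    new="$dir/aide.db.new.gz"
    backup="$dir/aide.db.gz-$stamp"

    if [ ! -f "$new" ]; then
        echo "rotate_aide_db: no $new to promote (run aide --update first)" >&2
        return 1
    fi
    # Never silently overwrite an earlier backup; the old baselines are the
    # audit trail that lets you trace back when a change first appeared.
    if [ -e "$backup" ]; then
        echo "rotate_aide_db: $backup already exists, refusing to overwrite" >&2
        return 2
    fi
    if [ -f "$old" ]; then
        mv "$old" "$backup" || return 3
    fi
    mv "$new" "$old" || return 3
    # The databases are root-only (mode 0600 in the tutorial's listings);
    # make sure the promoted copy stays that way.
    chmod 600 "$old"
    return 0
}

# refresh_aide_db [dir]
# Runs aide --update (which also prints the change report for review) and
# then rotates the databases using today's date. Depending on the AIDE
# version, --update exits non-zero when it found changes, so success is
# judged by whether the new database exists rather than by the exit status.
refresh_aide_db() {
    dir="${1:-/var/lib/aide}"
    /usr/sbin/aide --update || true
    rotate_aide_db "$dir" "$(date +%Y%m%d)"
}
```

Run refresh_aide_db as root only after you have read the aide --check report and are satisfied that every reported change is one you made; updating the baseline without reviewing it first is how an intruder's changes get quietly accepted.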
While these procedures are straightforward, they can become both tedious and time consuming. It is essential to write scripts to update the database and also run the aide check report to automatically report changes.
I usually create a crontab entry to run an aide --check report on a daily basis that conveniently shows up on my handheld device. This makes using aide to monitor your filesystem much easier and more practical.
`06 01 * * 0-6 /var/log/aide/chkaide.sh`
Here is a simple example of a script that can be run from crontab to automate the aide check and email the last 20 lines of the report, which is usually enough information for a daily summary.
[root@myserver ~]# cat /var/log/aide/chkaide.sh
#! /bin/sh
#chkaide.sh - Bob Aiello
# Daily AIDE check: run aide --check, save a dated copy of the report and mail it
MYDATE=`date +%Y-%m-%d`
MYFILENAME="Aide-"$MYDATE.txt
/bin/echo "Aide check !! `date`" > /tmp/$MYFILENAME
# Full report goes to a scratch file first
/usr/sbin/aide --check > /tmp/myAide.txt
# Copy the report, dropping lines that contain the word "failed"
/bin/cat /tmp/myAide.txt|/bin/grep -v failed >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
# The last 20 lines carry the summary counts, enough for a daily digest
/usr/bin/tail -20 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAME
/bin/mail -s "$MYFILENAME `date`" bob.aiello@ieee.org < /tmp/$MYFILENAME
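The script above mails a report every day whether or not anything changed, and the reports get long, so a real alert is easy to miss. The variant below is an added example, not the tutorial's chkaide.sh: it parses the counts from the Summary block of the report and only sends mail when at least one of them is non-zero, keeping the full dated report on disk for later review. It assumes the summary lines "Added files:", "Removed files:" and "Changed files:" each followed by a number (the layout printed by AIDE 0.13 through 0.16 in my experience; check your version), an aide binary at /usr/sbin/aide, a working mail(1), and placeholder values for the report directory and recipient. The parser deliberately requires a number on the line, because AIDE also prints "Added files:" as a plain section heading further down the report.

```shell
#!/bin/sh
# Added example (not the tutorial's script): a quiet daily AIDE check that
# only mails when the report's Summary block shows added, removed or changed
# files. REPORT_DIR and RECIPIENT are placeholders; adjust for your host.

REPORT_DIR=/var/log/aide
RECIPIENT=admin@example.com

# aide_summary_counts <report-file>
# Prints "<added> <removed> <changed>" parsed from the Summary block.
# Only lines that end in a number are accepted, so the "Added files:" section
# heading later in the report is ignored. A report with no Summary block
# (AIDE prints none when all files match) yields "0 0 0".
aide_summary_counts() {
    awk '
        /^[ \t]*Added files:[ \t]*[0-9]+[ \t]*$/   { added   = $NF }
        /^[ \t]*Removed files:[ \t]*[0-9]+[ \t]*$/ { removed = $NF }
        /^[ \t]*Changed files:[ \t]*[0-9]+[ \t]*$/ { changed = $NF }
        END { printf "%d %d %d\n", added + 0, removed + 0, changed + 0 }
    ' "$1"
}

# aide_report_has_changes <report-file>
# Returns 0 (true) when any of the three counts is non-zero, 1 otherwise.
aide_report_has_changes() {
    set -- $(aide_summary_counts "$1")
    [ "$1" -gt 0 ] || [ "$2" -gt 0 ] || [ "$3" -gt 0 ]
}

# daily_aide_check
# Runs the check, keeps the full report under a dated name, and mails the
# counts plus the tail of the report only when something changed.
daily_aide_check() {
    today=$(date +%Y-%m-%d)
    report="$REPORT_DIR/aide-$today.txt"
    mkdir -p "$REPORT_DIR"
    # AIDE exits non-zero when it finds differences (newer versions encode
    # added/removed/changed in the exit status), so do not abort on it.
    /usr/sbin/aide --check > "$report" 2>&1 || true
    if aide_report_has_changes "$report"; then
        {
            echo "AIDE found changes on $(hostname) at $(date)"
            echo "added removed changed: $(aide_summary_counts "$report")"
            echo "Full report: $report"
            echo "------------------------------------------"
            tail -20 "$report"
        } | /bin/mail -s "AIDE changes on $(hostname) $today" "$RECIPIENT"
    fi
}
```

Call daily_aide_check from the same kind of crontab entry the tutorial uses. Because a quiet day produces no mail at all, make sure the cron job itself is monitored (for example by also alerting when the dated report file is missing), otherwise a job that silently stopped running looks identical to a clean system.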
You can also modify the /etc/aide.conf to configure advanced settings such as including or excluding specific directories. Since the version of the /etc/aide.conf that gets installed automatically has the most common settings, it is relatively unusual for SysAdmins to modify this file.
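For the cases where you do need to touch /etc/aide.conf (most often to stop a constantly changing directory such as /var/log from flooding the daily report), the fragment below is an added illustration of the selection syntax, not the file the package installs. It uses the @@define macros and rule groups of AIDE 0.13; the directory choices and the NORMAL and LOGS group names are examples.

```conf
# Added example of /etc/aide.conf settings (not the packaged default file).
@@define DBDIR /var/lib/aide
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
gzip_dbout=yes

# Rule groups. In AIDE 0.13, R = p+i+n+u+g+s+m+c+md5 (permissions, inode,
# link count, owner, group, size, mtime, ctime, md5). Add stronger hashes
# for directories that hold binaries and configuration.
NORMAL = R+rmd160+sha256
# Log files change constantly, so only track ownership and permissions.
LOGS = p+u+g

# Selection lines: a path followed by the rule group, applied recursively.
/boot     NORMAL
/bin      NORMAL
/sbin     NORMAL
/usr/bin  NORMAL
/usr/sbin NORMAL
/etc      NORMAL

# "=" watches the directory entry itself without descending into it.
=/var/log LOGS
# "!" excludes; the rest of the line is a regular expression matched
# against the full path, so this drops everything under the directory.
!/var/log/.*
!/var/tmp/.*
!/tmp/.*
```

After editing the file, re-run aide --init (or aide --update followed by the database rename) so the baseline reflects the new selection; otherwise the next aide --check compares against a database built with the old rules.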
Creating secure and robust websites using DigitalOcean VPS requires a comprehensive approach to information security including tracking changes to system and application baselines. Using Aide is a great first step and will help you understand changes that are made to your system, as well as identify unauthorized changes which occur through malicious intent or human error. In future articles, we’ll describe additional steps that you can take to create a secure trusted base. Installing aide and using it daily will help you get started with managing your DigitalOcean VPS!
[Aide](http://aide.sourceforge.net/)
<div class="author"><a href="http://cmbestpractices.com">By Bob Aiello</a></div>
To exclude all directories in a directory would I use this? !/var/directory/.*
@dirk2099: Correct.
Thanks Kamal! - The aide.conf file does indeed allow you to ignore directories. Here is a link to the manual which shows several examples and lists other possible configuration changes http://www.cs.tut.fi/~rammer/aide/manual.html
Hi, is this equally (of course relatively, such as apt-get in place of yum) applicable to Ubuntu servers? The confusing part for me is when I run the --check after having done the fresh install and still get aide reporting that there are possible file / directory changes, :-P did it a number of times and then decided to trouble you guys. Another strange thing is at times when I update it (in the hope of clearing out any possible differences) with --update the process finishes instantly and the aide.db.new file gets created with a very very low size, 130 kbytes I guess. Any clues?? Appreciate it, thanks.
@niranjan81: I’ve never used Aide but I’d guess it’s a no. The packages are different most of the time.
Running aide --init command I get this error: Couldn’t open file /var/lib/aide/please-dont-call-aide-without-parameters/aide.db.new for writing
Running aide 0.15.1 Debian 7
@sianiosmarinos: This article is written for CentOS. Does this help? <a href="http://www.snekul.com/wordpress/blog/2012/09/27/using-aide-on-ubuntu-12-04-lts-precise-pangolin-and-debian-7-wheezy/">http://www.snekul.com/wordpress/blog/2012/09/27/using-aide-on-ubuntu-12-04-lts-precise-pangolin-and-debian-7-wheezy/</a>.
In the script in step 10, are there some equal signs that are missing?
So… I did up to step 3… tells me db was initialized, but when I run ls -lt, returns 0 files…???
Great tutorial.
I happened to run an update prior to initializing AIDE and I got a very large number of errors with the string ‘prelink’ like:
The solution was to run prelink (as root) prior to running aide: