How to Set Up File Integrity Monitoring with AIDE on Debian 12 Bookworm
Introduction
File Integrity Monitoring (FIM) is an essential security practice that helps detect unauthorized modifications to files on a system. One of the most commonly used tools for FIM is the Advanced Intrusion Detection Environment (AIDE). AIDE is an open-source, host-based intrusion detection system that creates a snapshot of file attributes and monitors changes over time.
In this guide, we will walk through setting up AIDE on a Debian 12 Bookworm system, configuring it for file integrity monitoring, and automating its scans for proactive security.
Prerequisites
Before proceeding, ensure you have:
- A Debian 12 Bookworm system
- Root or sudo access to install and configure software
- Basic knowledge of Linux command-line operations
Step 1: Install AIDE
The first step is to install AIDE using the package manager. Open a terminal and run:
sudo apt update && sudo apt install aide
Once the installation is complete, verify the installation:
aide --version
This command should return the installed AIDE version, confirming that it is correctly installed.
Step 2: Initialize the AIDE Database
AIDE works by maintaining a baseline database of file attributes. Before using AIDE, you need to initialize this database.
sudo aideinit
This process will generate a database file located at:
/var/lib/aide/aide.db.new
Once initialized, rename this file to the active database:
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Step 3: Configure AIDE
The configuration file for AIDE is located at /etc/aide/aide.conf. This file determines which directories and file attributes AIDE monitors.
Modifying Configuration
Open the configuration file with a text editor:
sudo nano /etc/aide/aide.conf
Here are some commonly monitored directories:
# Monitor system binaries and libraries
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/usr/bin NORMAL
/usr/sbin NORMAL
# Monitor configuration files
/etc NORMAL
# Monitor home directories
/home NORMAL
# Ignore temporary files
!/tmp
!/var/tmp
You can also define custom rules. AIDE rules are attribute names joined with +, so to monitor /var/www for web-related files:
/var/www ftype+i+p+s+m+sha256
Where:
- ftype: File type
- i: Inode
- p: Permissions
- s: File size
- m: Modification time
- sha256: SHA-256 checksum for integrity verification
Save and exit the file when done.
Step 4: Run an Integrity Check
To check for file changes, execute:
sudo aide --check
If this is the first run, and no modifications have occurred, you should see output indicating that no changes were detected.
Step 5: Automate AIDE Checks with Cron
To ensure AIDE runs regular checks, schedule it using a cron job. Open the crontab file:
sudo crontab -e
Add the following line to run AIDE every night at 2 AM:
0 2 * * * /usr/bin/aide --check | mail -s "AIDE Integrity Check Report" root@localhost
This will execute AIDE and email the results to the system administrator.
Step 6: Updating the AIDE Database
When legitimate system updates or modifications occur, update the AIDE database to reflect these changes. Run:
sudo aide --init
Then, replace the old database:
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Step 7: Reviewing AIDE Reports
After an integrity check, review the logs for any anomalies:
sudo cat /var/log/aide/aide.log
If you receive alerts about unauthorized modifications, investigate further and take necessary security actions.
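The cron entry from Step 5 mails every report, including clean ones, and leaves the review in Step 7 to a single log file. The wrapper below is an added example, not part of the original guide or of the AIDE project: it runs the check, keeps each full report under /var/log/aide, appends a one-line summary, and mails only runs that need attention. It relies on AIDE's documented exit status (a bit mask where 1 = new files, 2 = removed files, 4 = changed files, and 14 or higher means the run itself failed); the paths, recipient and the --run flag are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): wrapper for the nightly AIDE cron job.
# AIDE exit status is a bit mask: 1 = new files, 2 = removed files, 4 = changed files;
# 14 and above are errors (invalid config line, I/O error, version mismatch, ...).
# Paths and recipient below are assumptions; adjust them for your host.
AIDE_BIN="${AIDE_BIN:-/usr/bin/aide}"
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"
MAIL_TO="${MAIL_TO:-root@localhost}"

# Translate an AIDE exit status into a short verdict: "clean", a comma-separated
# list such as "new,changed", or "error:<status>" for a run that did not complete.
classify_aide_status() {
    st=$1
    [ "$st" -eq 0 ] && { echo clean; return 0; }
    [ "$st" -ge 14 ] && { echo "error:$st"; return 0; }
    out=""
    [ $((st & 1)) -ne 0 ] && out="${out}new,"
    [ $((st & 2)) -ne 0 ] && out="${out}removed,"
    [ $((st & 4)) -ne 0 ] && out="${out}changed,"
    echo "${out%,}"
}

# Anything other than a clean run needs a human to read the report.
needs_attention() {
    [ "$1" != clean ]
}

# Run the check, keep the full report on disk, log a summary line, mail only when it matters.
run_check() {
    ts=$(date +%Y%m%d-%H%M%S)
    report="$REPORT_DIR/aide-check-$ts.log"
    "$AIDE_BIN" --check >"$report" 2>&1
    st=$?
    verdict=$(classify_aide_status "$st")
    echo "$ts aide --check exit=$st verdict=$verdict report=$report" >>"$REPORT_DIR/aide-summary.log"
    if needs_attention "$verdict"; then
        mail -s "AIDE on $(hostname): $verdict" "$MAIL_TO" <"$report"
    fi
    return "$st"   # propagate the real status so cron sees failures too
}

# Only run the check when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

Save it as, for example, /usr/local/sbin/aide-check.sh and replace the command in the Step 5 crontab line with `/usr/local/sbin/aide-check.sh --run`; the summary log then shows at a glance which nights produced findings.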
Conclusion
Setting up AIDE on Debian 12 Bookworm provides a robust method to monitor critical system files for unauthorized changes. By configuring AIDE properly, scheduling automated checks, and updating its database as needed, you can enhance your system’s security and detect potential intrusions promptly.