SysAdmins are responsible for installing and configuring software to support websites including those that run on DigitalOcean VPS. Unfortunately, as soon as your website is available on the internet, one or more malicious hackers will likely spend a great deal of time and effort trying to find some vulnerability in your system in order to gain unauthorized access and make changes that may take your system down completely. In extreme cases, these individuals could actually try to use your website to attack other systems, leaving you in a position where you have to explain how your IP was traced back as the source of an attack on another, likely more secure, system.
The good news is that you can secure your VPS using industry best practices, including establishing software configuration baselines that ensure that you can detect and track all changes to your droplet. One of the most popular tools for monitoring changes to a Unix or Linux system is known as Advanced Intrusion Detection Environment (AIDE) originally written by Rami Lehti and Pablo Virolainen in 1999. This article will help you get started by describing how to install, configure, and use Aide in an effective way.
Unix and Linux servers, including a DigitalOcean VPS, provide a robust platform for installing, configuring, and running software powering websites available on the internet. Industry standards such as the IEEE 828 Configuration Management Standard and the itSMF ITIL v3 framework provide well respected industry guidelines on how to record and maintain a stable operating system and application baselines which are essential for ensuring that these systems are secure and reliable.
Financial services firms including large banks, trading firms, and the exchanges themselves are required by Federal Regulatory authorities including Financial Industry Regulatory Authority (Finra), Office of the Comptroller of the Currency (OCC), and the Federal Reserve System (Fed) to implement these best practices. As a SysAdmin, you can use these same procedures to secure your DigitalOcean VPS and create a secure trusted application base using DevOps best practices. When I create a new Linux or Unix VPS, I always start by installing a tool such as Aide or Tripwire.
The first step is to run the command
yum install aide as shown in figure 1.0 to check for dependencies and verify that aide can be installed.
[root@myserver ~]# yum install aide
You will need to enter to proceed with the installation.
Is this ok [y/N]: y
After the installation is complete you should run the aide --help screen and verify the version of aide as shown below
[root@myserver ~]# aide --help
Next you should verify the version of aide that you are running. Make note of the location of the /etc/aide.conf that we will discuss at the end of this technote. [root@myserver ~]# aide -v
Aide 0.13.1 Compiled with the following options: WITH_MMAP WITH_POSIX_ACL WITH_SELINUX WITH_XATTR WITH_LSTAT64 WITH_READDIR64 WITH_GCRYPT WITH_AUDIT CONFIG_FILE "/etc/aide.conf"
Now that we have verified that Aide is installed we will create our first aide database.
Initialize the first aide database by issuing the command “aide init” as shown.
[root@myserver ~]# aide --init
Verify that the new aide database has been created
[root@myserver ~]# cd /var/lib/aide [root@myserver aide]# ls -lt total 1488 -rw------- 1 root root 1520639 Dec 8 16:57 aide.db.new.gz
The initial aide database (aide.db.new.gz) must be renamed (aide.db.gz) in order for aide to work successfully.
[root@myserver aide]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz [root@myserver aide]# ls -lt total 1488 -rw------- 1 root root 1520639 Dec 8 16:57 aide.db.gz
Next we will run the aide check just to demonstrate that no changes have occurred.
[root@myserver aide]# aide --check
Next we will create a file in the /usr/sbin directory to test that aide can detect and report the change.
Next we use the unix touch command to create a new file that we can then use to test aide and verify that the newly created file is detected by the aide check.
[root@myserver aide]# touch /usr/sbin/mytestfile.txt
[root@myserver aide]# aide --check
Once we have reviewed the changes detected by aide check, we likely do not want aide to report them again because these reports can get very long. The practical approach is to review the changes and then update the aide database so that they are not reported again on the next run of aide check.
Next you will create an updated aide database that ignores all previously made (and reviewed) changes.
[root@myserver aide]# aide --update
The new aide database is called aide.db.new.gz as shown below in figure 11.
[root@myserver aide]# ls -lt total 2976 -rw------- 1 root root 1520708 Dec 8 17:13 aide.db.new.gz -rw------- 1 root root 1520639 Dec 8 16:57 aide.db.gz
The next step is to rename the aide database again so that we are using the new version of the aide database to report only changes that occur from this point forward.
It is usually a good idea to save the old aide database by renaming it with a date as shown in figure 12 so that you can trace back any changes (if necessary). Eventually, the old versions of the aide databases can be archived and deleted. You also need to use the unix mv command to rename the newly create created aide database so that it can be used going forward.
`[root@myserver aide]# mv aide.db.gz aide.db.gz-Dec082013` `[root@myserver aide]# mv aide.db.new.gz aide.db.gz`
While these procedures are straightforward, they can become both tedious and time consuming. It is essential to write scripts to update the database and also run the aide check report to automatically report changes.
I usually create a crontab entry to run an
aide --check report on a daily basis that conveniently shows up on my handheld device. This makes using aide to monitor your filesystem much easier and more practical.
`06 01 * * 0-6 /var/log/aide/chkaide.sh`
Here is a simple example of a script that can be run from crontab to automate the
aide check and email the last 20 lines of the report, which is usually enough information for a daily summary.
[root@myserver ~]# cat /var/log/aide/chaide.sh #! /bin/sh #chkaide.sh - Bob Aiello MYDATE`date +%Y-%m-%d` MYFILENAME"Aide-"$MYDATE.txt /bin/echo "Aide check !! `date`" > /tmp/$MYFILENAME /usr/sbin/aide --check > /tmp/myAide.txt /bin/cat /tmp/myAide.txt|/bin/grep -v failed >> /tmp/$MYFILENAME /bin/echo "**************************************" >> /tmp/$MYFILENAME /usr/bin/tail -20 /tmp/myAide.txt >> /tmp/$MYFILENAME /bin/echo "****************DONE******************" >> /tmp/$MYFILENAME /bin/mail -s"$MYFILENAME `date`" email@example.com < /tmp/$MYFILENAME
You can also modify the /etc/aide.conf to configure advanced settings such as including or excluding specific directories. Since the version of the /etc/aide.conf that gets installed automatically has the most common settings, it is relatively unusual for SysAdmins to modify this file.
Creating secure and robust websites using DigitalOcean VPS require a comprehensive approach to information security including tracking changes to system and application baselines. Using Aide is a great first step and will help you understand changes that are made to your system, as well as identify unauthorized changes which occur through malicious intent or human error. In future articles, we’ll describe additional steps that you can take to create a secure trusted base. Installing aide and using it daily will help you get started with managing your DigitalOcean VPS!
<div class=“author”><a href=“http://cmbestpractices.com”</a>By Bob Aiello</div>
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in our Questions & Answers section, find tutorials and tools that will help you grow as a developer and scale your project or business, and subscribe to topics of interest.Sign up now
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
This comment has been deleted
please fix the typo… 2 people commented about the typo…
Is there a typo here?
06 01 * * 0-6 /var/log/aide/chkaide.sh The script location referenced above is: /var/log/aide/chaide.sh
I wrote a simple script that can be run by a cron.
Store this script wherever you store your scripts on your server. I am just using example folder hierarchy. I also called my script cherryaide just for fun :)
Then once your script is open enter INSERT Mode by pressing the A key on your keyboard and enter the below. Remember to change the paths to the paths where your AIDE is located.
#Start Script #!/bin/bash -e
these should be the same as what’s defined in /etc/aide.conf
if [ ! -f “$database” ]; then echo “$database not found” >&2 exit 1 fi
aide -u || true
mv $database $database.back mv $database_out $database
Once complete save the file by pressing the ESC key on your keyboard and then the wq! and enter key on your keyboard.
Then make the executable by entering the below command in your terminal screen:
chmod +x name_of_file.sh
Then run the file by entering the below command:
sh name of file.sh
If all looks good the below message will display:
AIDE, version 0.14
All files match AIDE database. Looks okay!
New AIDE database written to /var/lib/aide/aide.db.new.gz
Now you can setup a cron job by doing the following:
Once in the cron utility window enter the following cron. I have mine run every 6 hours but you could setup it differently.
0 */5 * * * /usr/sbin/aide --update | mail -s “AIDE UPDATE DB” firstname.lastname@example.org 0 */6 * * * /usr/sbin/aide --check | mail -s “AIDE ALERTs” email@example.com
I also have it do a DB update prior to a scan. Just remember to change your email address at the end of each line.
Hope this helps. If anyone has anything to add it would be great!
I happened to run an update prior to initializing AIDE and I got a very large number of errors with the string ‘prelink’ like:
The solution was to run prelink (as root) prior to running aide:
So… I did up to step 3… tells me db was initialized, but when I run ls -lt, returns 0 files…???
In the script in step 10, are there some equal signs that are missing?
@sianiosmarinos: This article is written for CentOS. Does this help? <a href=“http://www.snekul.com/wordpress/blog/2012/09/27/using-aide-on-ubuntu-12-04-lts-precise-pangolin-and-debian-7-wheezy/”>http://www.snekul.com/wordpress/blog/2012/09/27/using-aide-on-ubuntu-12-04-lts-precise-pangolin-and-debian-7-wheezy/</a>.
Running aide --init command I get this error: Couldn’t open file /var/lib/aide/please-dont-call-aide-without-parameters/aide.db.new for writing
Running aide 0.15.1 Debian 7