Simple file comparison with aide

It’s sometimes useful to know, what’s happening on your server, if you install a new package or run a update. There are many solutions for this case, but a simple one is to use aide, which is available on the most linux distributions.Aide is a simple intrusion detection program that creates a database from your system to check the integrity of the files. In this blog post, we show you an easy-to-use guide to compare the changes on your system; for example, after an installation / update. This is useful to analyse a package on a test system for the later usage on a prod system. You should take a snapshot of your server to repeat the steps for further analyses.

Installation and Configuration of aide

First step, install the package.

# on RHEL
yum install aide

# on Debian
apt-get install aide

After that, you can change the existing configuration or create your own. It’s possible to define your own rules with options, which should be used for a directory / filesystem. The available options and other configuration parameters are listed on this page. For a simple comparison of a system, you can just take this short config, which contains the most useful rule options.

cat > /etc/aide.conf << EOF
# define the path for creating the databases.
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new

# define your own aide rule.
MYRULE =  p+n+u+g+s+m+c+xattrs+md5+sha1

# choose your directories/files you want in the database and which rule should be used.
/ MYRULE

# define your exceptions.
!/proc   # ignore /proc filesystem
!/sys    # ignore /sys filesystem
EOF

p = permission, n = number of links, u = user, g = group, s = size, m = mtime, c = ctime, xattrs = extended file attributes, md5 = md5 checksum, sha1 = sha1 checksum

To check your configuration, run the following command.

# configuration check without an error.
aide -c /etc/aide.conf --config-check
echo $?
0

# configuration check with an error.
aide -c /etc/aide.conf --config-check
2:Error in expression:ha1
Configuration error
echo $?
17

Initialisation

Before you start your custom installation or update, you have to create an initial database as reference of your system. This step can take some time and depends on the selected options in your configuration.

aide -c /etc/aide.conf --init

After the initialisation of the database, there will be a success message printed out with the path to your defined database.

AIDE 0.16a2-19-g16ed855 initialised AIDE database at /var/lib/aide/aide.db.new

Custom Part (Installation / Update) 

Now you can start the installation, update, or other steps you would like to compare.

Comparison

After your installation or update, you have two opportunities to compare the changes. For a quick comparison, just compare the actual state of the system with the initialised database. If you’re on a system that is used by other people and a lot of other tasks running on it, you should initialise another database to compare with. It’s also better to create a new database, if you like to have an history, so you can compare other installation versions of the package and see which part of the package changed in which version.
We recommend you to save the output in a file, because depending on your custom part, there will be a lot of informations.

Solution #1 – quick comparison:

aide -c /etc/aide.conf --check > /tmp/compare.txt

Solution #2 – create a new database:

# save database name.
DBNAME=/var/lib/aide/aide.db.$(date +%Y-%m-%d-%H-%M)

# rename the created database.
mv /var/lib/aide/aide.db.new ${DBNAME}

# change the config file for the later comparison.
sed -i '/^database=/d' /etc/aide.conf
echo "database=file:${DBNAME}" >> /etc/aide.conf

# create a new database.
aide -c /etc/aide.conf --init

After the creation of the new database, just compare these two databases. They must be defined in the configfile with database=file:<path> and database_new=file:<path>.

aide -c /etc/aide.conf --compare > /tmp/compare.txt

Output

Here’s a sample output of a comparison between two databases. You’ll get a summary and the details with the differences.

AIDE 0.16a2-19-g16ed855 found differences between the two databases!!
Start timestamp: 2015-09-04 20:08:14 +0200

Summary:
  Total number of entries: 37322
  Added entries: 1
  Removed entries: 1
  Changed entries: 11

All removed, changed and added entries will be listed.

---------------------------------------------------
Removed entries:
---------------------------------------------------
f----------------: /tmp/confirm.txt

In the detail you see the changes on a file (size, mtime, ctime).

File: /tmp/confirm.txt
  Size     : 0                                | 16
  Mtime    : 2015-09-04 17:13:20 +0200        | 2015-09-04 21:02:15 +0200
  Ctime    : 2015-09-04 17:13:20 +0200        | 2015-09-04 21:02:15 +0200
  MD5      : 1B2M2Y8AsgTpgAmY7PhCfg==         | SklFYxLeLQdN5bMXqNWZlA==
  SHA1     : 2jmj7l5rSw0yVb/vlWAYkK/YBwk=     | XFEPuYMW7xLBt445mkRZmgU/1tw=

Conclusion

With aide you’ve got a simple to use tool, which can be used for file comparisons. It can also be used for other stuff and it’s worth a view. The steps above are tested on a debian 8 system, so if you run this instruction on a RHEL / Fedora server, the configuration and command part can be a little bit different, so you should check the man page for further help. Have you got other solutions or hints for a compare, so feel free to share your thoughts in the comments.

One Comment

  • Ivan Reply

    I’ve used aide for several years as a way to prove file integrity for PCI DSS systems, much simpler than shamhain (http://www.la-samhna.de/samhain) even though samhain has very nice features.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.