It’s sometimes useful to know, what’s happening on your server, if you install a new package or run a update. There are many solutions for this case, but a simple one is to use aide, which is available on the most linux distributions.Aide is a simple intrusion detection program that creates a database from your system to check the integrity of the files. In this blog post, we show you an easy-to-use guide to compare the changes on your system; for example, after an installation / update. This is useful to analyse a package on a test system for the later usage on a prod system. You should take a snapshot of your server to repeat the steps for further analyses.
Installation and Configuration of aide
First step, install the package.
# on RHEL yum install aide # on Debian apt-get install aide
After that, you can change the existing configuration or create your own. It’s possible to define your own rules with options, which should be used for a directory / filesystem. The available options and other configuration parameters are listed on this page. For a simple comparison of a system, you can just take this short config, which contains the most useful rule options.
cat > /etc/aide.conf << EOF # define the path for creating the databases. database=file:/var/lib/aide/aide.db database_out=file:/var/lib/aide/aide.db.new database_new=file:/var/lib/aide/aide.db.new # define your own aide rule. MYRULE = p+n+u+g+s+m+c+xattrs+md5+sha1 # choose your directories/files you want in the database and which rule should be used. / MYRULE # define your exceptions. !/proc # ignore /proc filesystem !/sys # ignore /sys filesystem EOF
p = permission, n = number of links, u = user, g = group, s = size, m = mtime, c = ctime, xattrs = extended file attributes, md5 = md5 checksum, sha1 = sha1 checksum
To check your configuration, run the following command.
# configuration check without an error. aide -c /etc/aide.conf --config-check echo $? 0 # configuration check with an error. aide -c /etc/aide.conf --config-check 2:Error in expression:ha1 Configuration error echo $? 17
Initialisation
Before you start your custom installation or update, you have to create an initial database as reference of your system. This step can take some time and depends on the selected options in your configuration.
aide -c /etc/aide.conf --init
After the initialisation of the database, there will be a success message printed out with the path to your defined database.
AIDE 0.16a2-19-g16ed855 initialised AIDE database at /var/lib/aide/aide.db.new
Custom Part (Installation / Update)
Now you can start the installation, update, or other steps you would like to compare.
Comparison
After your installation or update, you have two opportunities to compare the changes. For a quick comparison, just compare the actual state of the system with the initialised database. If you’re on a system that is used by other people and a lot of other tasks running on it, you should initialise another database to compare with. It’s also better to create a new database, if you like to have an history, so you can compare other installation versions of the package and see which part of the package changed in which version.
We recommend you to save the output in a file, because depending on your custom part, there will be a lot of informations.
Solution #1 – quick comparison:
aide -c /etc/aide.conf --check > /tmp/compare.txt
Solution #2 – create a new database:
# save database name.
DBNAME=/var/lib/aide/aide.db.$(date +%Y-%m-%d-%H-%M)
# rename the created database.
mv /var/lib/aide/aide.db.new ${DBNAME}
# change the config file for the later comparison.
sed -i '/^database=/d' /etc/aide.conf
echo "database=file:${DBNAME}" >> /etc/aide.conf
# create a new database.
aide -c /etc/aide.conf --init
After the creation of the new database, just compare these two databases. They must be defined in the configfile with database=file:<path> and database_new=file:<path>.
aide -c /etc/aide.conf --compare > /tmp/compare.txt
Output
Here’s a sample output of a comparison between two databases. You’ll get a summary and the details with the differences.
AIDE 0.16a2-19-g16ed855 found differences between the two databases!! Start timestamp: 2015-09-04 20:08:14 +0200 Summary: Total number of entries: 37322 Added entries: 1 Removed entries: 1 Changed entries: 11
All removed, changed and added entries will be listed.
--------------------------------------------------- Removed entries: --------------------------------------------------- f----------------: /tmp/confirm.txt
In the detail you see the changes on a file (size, mtime, ctime).
File: /tmp/confirm.txt Size : 0 | 16 Mtime : 2015-09-04 17:13:20 +0200 | 2015-09-04 21:02:15 +0200 Ctime : 2015-09-04 17:13:20 +0200 | 2015-09-04 21:02:15 +0200 MD5 : 1B2M2Y8AsgTpgAmY7PhCfg== | SklFYxLeLQdN5bMXqNWZlA== SHA1 : 2jmj7l5rSw0yVb/vlWAYkK/YBwk= | XFEPuYMW7xLBt445mkRZmgU/1tw=
Conclusion
With aide you’ve got a simple to use tool, which can be used for file comparisons. It can also be used for other stuff and it’s worth a view. The steps above are tested on a debian 8 system, so if you run this instruction on a RHEL / Fedora server, the configuration and command part can be a little bit different, so you should check the man page for further help. Have you got other solutions or hints for a compare, so feel free to share your thoughts in the comments.
6 Comments