# Intrusion detection on Gentoo with AIDE

Tags: linux security

Reading time: 2 minutes

Description: Local intrusion detection with AIDE (Advanced Intrusion Detection Environment) on Gentoo Linux

# AIDE Setup

Reference:


## 1. Installation

### 1.1 Available USE flags (as of 20.09.2023):

| Flag | Description |
|---|---|
| acl | Add support for Access Control Lists |
| audit | Enable support for Linux audit subsystem using sys-process/audit |
| curl | Use curl for http, https and ftp backends |
| e2fs | Enable support for checking file attributes on ext2/ext3/ext4 filesystems |
| mhash | Add support for the mhash library |
| xattrs | Add support for extended attributes (filesystem-stored metadata) |

### 1.2 emerge aide

```shell
emerge -av app-forensics/aide
```

## 2. Configuration

Reference: Gentoo Wiki (config section)

It is best to read the Gentoo Wiki, the aide man page, or the actual documentation, since an AIDE configuration is heavily dependent on the individual system.

But the default config should be enough if you just want a quick setup to poke around.


### Adding custom rules

As a quick reference:


| Short | Description |
|---|---|
| p | Permissions |
| i | inode number |
| n | Number of (hard)links |
| u | User information |
| g | Group information |
| s | Size |
| S | Size (only report when the size is suddenly smaller; growing is allowed) |
| b | Block count |
| m | Modification time |
| sha256 | sha256 checksum |
| rmd160 | rmd160 checksum |

(more available, check the man page and default config)

The default ruleset on Gentoo is:

```
Binlib = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha256+rmd160
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160
```

This weird p+i+... string essentially defines which attributes AIDE should check for each rule. So for example, every folder tagged with the Logs rule would be checked against its:


To add a new folder, simply append the following to the configuration file:

```
/folder/to/check Rule
```

Again taking a log folder as an example, the following line checks /var/log against the Logs rule:

```
/var/log Logs
```
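To see what such a rule string actually resolves to, here is an added example (not from this post and not AIDE's own code) that parses `Name = expr` group lines and `/path Rule` selection lines like the ones above, expands `+`/`-` and nested group names, and returns the attribute set per path. The attribute list and the sample config are constructed here, and AIDE's regex-based path matching is not replicated: paths are just looked up as written.

```python
import re

# Tokens from the table above plus c (ctime) and md5, which the Gentoo
# default groups also use (aide.conf(5)); constructed lookup.
ATTRIBUTES = {"p","i","n","u","g","s","S","b","m","c","md5","sha256","rmd160"}

def expand(expr, groups):
    """Expand 'Logs-S+sha256' into the set of attribute tokens it checks:
    '+' adds and '-' removes, left to right; a token naming an already
    defined group is replaced by that group's attributes."""
    attrs = set()
    for sign, token in re.findall(r"([+-]?)([A-Za-z0-9_]+)", expr):
        if token in groups:
            members = groups[token]
        elif token in ATTRIBUTES:
            members = {token}
        else:
            raise ValueError(f"unknown attribute or group: {token}")
        attrs = attrs - members if sign == "-" else attrs | members
    return attrs

def parse_rules(text):
    """Parse 'Name = expr' group lines and '/path Rule' selection lines into
    (groups, selections): name -> attribute set and path -> attribute set.
    Other aide.conf directives are rejected rather than silently skipped."""
    groups, selections = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if m := re.fullmatch(r"(\w+)\s*=\s*(\S+)", line):
            groups[m.group(1)] = expand(m.group(2), groups)
        elif m := re.fullmatch(r"(/\S*)\s+(\S+)", line):
            selections[m.group(1)] = expand(m.group(2), groups)
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return groups, selections

# Constructed sample: the Gentoo Logs group from the page, a custom group
# derived from it, and two selection lines.
SAMPLE = """
Logs = p+i+n+u+g+S
HashedLogs = Logs-S+s+sha256   # full size check plus a hash
/var/log Logs
/var/log/auth.log HashedLogs
"""

if __name__ == "__main__":
    for path, attrs in parse_rules(SAMPLE)[1].items():
        print(f"{path}: {'+'.join(sorted(attrs))}")
```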

# Hooking into the emerge process

Create or edit the following file to automatically update AIDE's database after each Portage install, update or removal job.

`/etc/portage/bashrc`

```bash
# /etc/portage/bashrc is sourced by Portage for every ebuild phase; only act
# once the package's files have been installed (postinst) or removed (postrm).
if [ "${EBUILD_PHASE}" == "postinst" ] || [ "${EBUILD_PHASE}" == "postrm" ];
then
  echo "AIDE: updating database"
  # --update also runs a check against the current database_in and writes the
  # refreshed database to database_out; review the report and move the new
  # database into place before it is used as the baseline for the next check.
  aide --update --config=/etc/aide/aide.conf
fi
```