Advanced Intrusion Detection Environment (AIDE) and JSON

I have always liked AIDE as a file integrity monitoring tool. It’s a simple tool, but does what it does very well.

One downside I have always felt it has is its poor ability to integrate with other monitoring solutions. Its output is multiline text block which is quite annoying to process automatically and it requires some effort to parse this with a SIEM solution.

Version 0.18 adds report_format option that supports JSON and this makes AIDE much more integrable with other tools.

Here’s an example output in JSON format.

{
  "start_time": "2023-04-23 13:18:56 +0000",
  "aide_version": "0.18.2",
  "outline": "AIDE found differences between database and filesystem!!",
  "number_of_entries": {
    "total": 1539,
    "added": 1,
    "removed": 1,
    "changed": 1
  },
  "added": {
    "/etc/test2.txt": "f++++++++++++"
  },
  "removed": {
    "/etc/test.txt": "f------------"
  },
  "changed": {
    "/etc/passwd": "f =.... mc..."
  },
  "details": {
    "/etc/passwd": {
      "modify_time": {
        "old": "2023-04-23 11:09:12 +0000",
        "new": "2023-04-23 13:11:22 +0000"
      },
      "change_time": {
        "old": "2023-04-23 11:09:12 +0000",
        "new": "2023-04-23 13:11:22 +0000"
      }
    }
  },
  "databases": {
    "./aide.db": {
      "sha256": "uljZlzpFlMd7sPWJQxNcO8FNdGhX2c0d8qyvZ9i2cgs=",
      "sha512": "zuRPEas5+qgDUhn9MqliWrVu/wpRJjJdATGotrNNiVzZ0GmfO7b9JqttMVNJEu3PxAZh68S/szwje4/w2vGEMw==",
      "rmd160": "aQrZKQusc33Vsp/WUI1FaX6LQyM=",
      "tiger": "bWb7uH1HazAYNizhoLNgjeRaWKHPVjal",
      "crc32": "b+veSA==",
      "haval": "3jvjVcoTmRjSbgb9nbD2quJnhLNZQ/d1x1ZqZ9B/EiI=",
      "whirlpool": "rrKhMqrIEZzxLjs0/QJM0pG6jUKERvVcoEsgR44N7EZZoZcbeUcc1jkMfaTNvAIpUyPHeGyoheUh11xUdfX1Xw==",
      "gost": "OLh+Ls9KrfivrFiJPPhIe5zZrQwt3C3IW25QxPpf5Aw="
    }
  },
  "end_time": "2023-04-23 13:18:57 +0000",
  "run_time_seconds": 1
}

One annoying thing with this is that it outputs the JSON in pretty print by default. Meaning that it’s multiline once again. This, however, is quite easy to fix with a tool like jq. Piping aide --check to jq -c makes it output single line.

You could create a cron job that runs a command like this:

aide -c aide.conf --check|jq -c >> /var/log/aide.json

Now, you could use something like Filebeat to read /var/log/aide.json line by line without doing any multiline pattern matching. An example Filebeat configuration would be something like this:

filebeat.inputs:
- type: filestream
  id: aide-fs
  enabled: true
  paths:
    - /var/log/aide.json
  parsers:
    - ndjson:
      target: ""
      fields_under_root: true
  processors:
    - copy_fields:
        fields:
          - from: outline
            to: message
        fail_on_error: false
        ignore_missing: true

You can check which AIDE version you have by running aide --version. You need to compile it yourself if it’s older than version 0.18.