Host Based IDS (Intrusion Detection System) "AIDE" (Advanced Intrusion Detection Environment).
AIDE, the Advanced Intrusion Detection Environment, is one of the most popular tools for monitoring changes on a Linux server. It is a file and directory integrity checker, and installing it is simple. It was originally written by Rami Lehti and Pablo Virolainen in 1999. The check is driven by a database built from the regular-expression rules in the configuration file; once that database has been initialized it can be used to verify the integrity of the server. Several digest algorithms are supported for this purpose, and file attributes can also be checked for inconsistencies.
Main features:
Supports several digest algorithms such as md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool and several others
Supports file attributes such as file type, permissions, inode, uid, gid, link name, size, block count, number of links, mtime, ctime and atime
Supports POSIX ACLs, SELinux, xattrs and extended file system attributes
Supports regular expressions to include or exclude files/directories selectively
Supports GZIP database compression
Standalone static binary for easy client/server monitoring configurations
In this article I discuss installing and configuring the current stable version 0.15.1 of AIDE on a CentOS 7 server. Let's walk through the procedure.
Step 1: Installation
We can use the yum command to install the AIDE package.
[root@lnx_r00t ~]# yum install aide -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: ftp.iitm.ac.in
* extras: ftp.iitm.ac.in
* updates: ftp.iitm.ac.in
Resolving Dependencies
--> Running transaction check
---> Package aide.x86_64 0:0.15.1-13.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==========================================================================================================================
Package Arch Version Repository Size
==========================================================================================================================
Installing:
aide x86_64 0.15.1-13.el7 base 133 k
Transaction Summary
==========================================================================================================================
Install 1 Package
Total download size: 133 k
Installed size: 311 k
Downloading packages:
aide-0.15.1-13.el7.x86_64.rpm | 133 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : aide-0.15.1-13.el7.x86_64 1/1
Verifying : aide-0.15.1-13.el7.x86_64 1/1
Installed:
aide.x86_64 0:0.15.1-13.el7
Complete!
[root@lnx_r00t ~]#
Step 2: Check and verify the AIDE version
We can run this command to confirm the AIDE version and locate the configuration file.
[root@lnx_r00t ~]# aide -v
Aide 0.15.1
Compiled with the following options:
WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"
[root@lnx_r00t ~]#
Step 3: Create the database
Once AIDE is installed, we need to create the initial database, which is built from the set of rules/expressions in the configuration file.
[root@lnx_r00t ~]# aide --init
AIDE, version 0.15.1
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
[root@lnx_r00t ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[root@lnx_r00t ~]# cd /var/lib/aide
[root@lnx_r00t aide]# ls
aide.db.gz
[root@lnx_r00t aide]#
[root@lnx_r00t aide]# ls -lt
total 8
-rw------- 1 root root 8192 Nov 30 15:28 aide.db.gz
[root@lnx_r00t aide]#
Step 4: Run the AIDE check
[root@lnx_r00t aide]# aide --check
AIDE, version 0.15.1
### All files match AIDE database. Looks okay!
Step 5: Confirm its functionality and create an updated AIDE database
Create a few test files manually and check whether AIDE detects them.
[root@lnx_r00t ~]# touch /root/{1..5}demo-lnx
[root@lnx_r00t ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2017-11-30 16:43:30
Summary:
Total number of files: 154
Added files: 5
Removed files: 0
Changed files: 0
---------------------------------------------------
Added files:
---------------------------------------------------
added: /root/1demo-lnx
added: /root/2demo-lnx
added: /root/3demo-lnx
added: /root/4demo-lnx
added: /root/5demo-lnx
[root@lnx_r00t ~]#
We can verify the presence of the new files from the AIDE check report; these checks also reveal any file attribute changes.
Once we've reviewed the changes, it is best to update the AIDE database so that they are not reported again on the next check.
[root@lnx_r00t ~]# aide --update
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2017-11-30 16:46:18
Summary:
Total number of files: 154
Added files: 5
Removed files: 0
Changed files: 0
---------------------------------------------------
Added files:
---------------------------------------------------
added: /root/1demo-lnx
added: /root/2demo-lnx
added: /root/3demo-lnx
added: /root/4demo-lnx
added: /root/5demo-lnx
[root@lnx_r00t ~]#
It is always advisable to keep the old AIDE database untouched (renamed with a date tag) and move the updated database into place on a daily basis, so that changes can be tracked.
[root@lnx_r00t ~]# cd /var/lib/aide/
[root@lnx_r00t aide]# ls
aide.db.gz aide.db.new.gz
[root@lnx_r00t aide]# mv aide.db.gz aide.db.gz.NOV
[root@lnx_r00t aide]# ls
aide.db.gz.NOV aide.db.new.gz
[root@lnx_r00t aide]# mv aide.db.new.gz aide.db.gz
[root@lnx_r00t aide]# ls
Step 6: Set a cron job to run the AIDE check and report automatically
Add it to cron so the check runs regularly. The log file /var/log/aide/aide.log is overwritten on every run, and if there is no difference it is written as a zero-byte file, so if you would like to keep the log files you need to create a shell script, or send the results via email or another channel.
[root@lnx_r00t ~]# cat /etc/cron.d/aide
## add daily check in Crontab and send results via email
00 01 * * * /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' dinesh.d@linuxr00t.com
[root@lnx_r00t ~]#
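As an added example that is not part of the original post, the following wrapper script combines the daily cron run from Step 6 with the database rotation from Step 5: it keeps a dated copy of every report instead of letting /var/log/aide/aide.log be overwritten, parses the Summary block of the report format shown above, and promotes aide.db.new.gz only when an operator asks for it after review. The report directory, the subcommand names and the install path are this example's own assumptions; the database paths are the CentOS 7 defaults used in the post.

```shell
#!/bin/bash
# Added example (not from the original post). Wraps "aide --update" for cron,
# keeps every report under REPORT_DIR (hypothetical path), and separates the
# database rotation from Step 5 into its own reviewed step.
AIDE_DIR="${AIDE_DIR:-/var/lib/aide}"
REPORT_DIR="${REPORT_DIR:-/var/log/aide/reports}"

# aide_summary_count REPORT KIND: print the count after "KIND files:" in the
# Summary block (KIND is Added, Removed or Changed). A clean "All files match"
# report has no Summary block, so the count defaults to 0. The bare
# "Added files:" section header carries no number and is skipped.
aide_summary_count() {
    awk -v key="$2" '$1 == key && $2 == "files:" && $3 ~ /^[0-9]+$/ { print $3; found = 1 }
                     END { if (!found) print 0 }' "$1"
}

# aide_report_status REPORT: succeed only if nothing was added, removed or changed.
aide_report_status() {
    a=$(aide_summary_count "$1" Added)
    r=$(aide_summary_count "$1" Removed)
    c=$(aide_summary_count "$1" Changed)
    [ $((a + r + c)) -eq 0 ]
}

# aide_rotate_db DIR TAG: keep the old baseline as aide.db.gz.TAG (the post
# uses the month, e.g. NOV) and promote aide.db.new.gz to aide.db.gz. Refuses
# to run without a new database so a failed update cannot remove the baseline.
aide_rotate_db() {
    [ -f "$1/aide.db.new.gz" ] || { echo "no $1/aide.db.new.gz to promote" >&2; return 1; }
    if [ -f "$1/aide.db.gz" ]; then mv "$1/aide.db.gz" "$1/aide.db.gz.$2"; fi
    mv "$1/aide.db.new.gz" "$1/aide.db.gz"
}

# aide_daily: the cron entry point. Writes the report to a dated file and exits
# non-zero when differences were found, so cron mail or alerting can fire.
aide_daily() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).log"
    /usr/sbin/aide --update > "$report" 2>&1
    aide_report_status "$report"
}

case "${1:-}" in
    daily)  aide_daily ;;
    rotate) aide_rotate_db "$AIDE_DIR" "${2:-$(date +%b | tr a-z A-Z)}" ;;
esac
```

Installed as, for example, /usr/local/sbin/aide-daily.sh (hypothetical), the cron entry runs `aide-daily.sh daily`, and an operator runs `aide-daily.sh rotate NOV` only after reviewing the dated report.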
By:- L!nx_r00t