RH: AIDE (Advanced Intrusion Detection Environment)
AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker.
In an enterprise environment it is important that every change to a file or directory on a system can be recognized and confirmed as a legitimate change. To keep track of all such changes AIDE can be implemented on (RedHat) Linux systems: it records a baseline of file attributes and checksums in a database and, on every later run, reports each file that deviates from that baseline.
Install AIDE on your RedHat system :
[root@unixinfo ~]# yum install aide
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * extras: mirror.widexs.nl
 * updates: mirror.widexs.nl
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package aide.x86_64 0:0.13.1-6.el5_8.2 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================
 Package        Arch          Version                   Repository        Size
=======================================================================================
Installing:
 aide           x86_64        0.13.1-6.el5_8.2          updates           125 k

Transaction Summary
=======================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 125 k
Is this ok [y/N]: y
Downloading Packages:
aide-0.13.1-6.el5_8.2.x86_64.rpm                                 | 125 kB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : aide                                                          1/1

Installed:
  aide.x86_64 0:0.13.1-6.el5_8.2

Complete!
A sample configuration of AIDE [ /etc/aide.conf ] :
[root@unixinfo ~]# cat /etc/aide.conf
# Example configuration file for AIDE.

@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide

# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz

# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz

# Whether to gzip the output to database
gzip_dbout=yes

# Default.
verbose=5

report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH

# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)

#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs

# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger

# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES

# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
#NORMAL = R+rmd160+sha256
NORMAL = p+u+g+acl+xattrs+sha256+rmd160+md5+tiger

# For directories, don't bother doing hashes
#DIR = p+i+n+u+g+acl+selinux+xattrs
DIR = p+u+g+acl+xattrs

# Access control only
# PERMS = p+i+u+g+acl+selinux
PERMS = p+u+g+acl+xattrs

# Logfile are special, in that they often change
LOG = >

# Just do md5 and sha256 hashes
LSPP = R+sha256

# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger

/ NORMAL
/root/.bashrc NORMAL
/root/.bash_logout NORMAL
/root/.bash_profile NORMAL
/root/.bashrc NORMAL
/var/log/messages PERMS
/var/log/secure PERMS
/root/.bash_history PERMS
/var/lib/logrotate.status PERMS
/var/lib/samba/gencache_notrans.tdb PERMS
/var/lib/samba/gencache.tdb PERMS
/var/lib/samba/private/secrets.tdb PERMS
/var/lib/random-seed PERMS
/var/lib/mlocate/mlocate.db PERMS
/var/lib/nocpulse/.ssh/nocpulse-identity.pub PERMS
/var/lib/nocpulse/.ssh/nocpulse-identity PERMS
/var/lib/misc/prelink.full PERMS
/var/lib/misc/prelink.quick PERMS
/var/lib/dbus/machine-id PERMS
/etc/sssd/sssd.conf PERMS
/etc/aliases.db PERMS
/etc/blkid/blkid.tab PERMS
/etc/blkid/blkid.tab.old PERMS
/etc/hosts PERMS
/etc/adjtime PERMS
/etc/postfix/sasl_passwd PERMS
/etc/postfix/client.key PERMS
/etc/postfix/client.crt PERMS
/etc/postfix/main.cf PERMS
/etc/sudoers.d/system PERMS
/etc/modprobe.conf PERMS
/etc/prelink.cache PERMS
/etc/mtab PERMS
/etc/ssh/ssh_host_key PERMS
/etc/ssh/ssh_host_dsa_key.pub PERMS
/etc/ssh/ssh_host_dsa_key PERMS
/etc/ssh/ssh_host_key.pub PERMS
/etc/ssh/ssh_host_rsa_key PERMS
/etc/ssh/ssh_host_rsa_key.pub PERMS
/etc/shadow PERMS
/etc/fstab PERMS
/etc/selinux/targeted/contexts/files/file_contexts.homedirs PERMS
/etc/sysconfig/rhn/systemid PERMS
/etc/sysconfig/rhn/osad-auth.conf PERMS
/etc/sysconfig/networking/profiles/default/hosts PERMS
/etc/sysconfig/networking/profiles/default/ifcfg-* PERMS
/etc/sysconfig/networking/profiles/default/network PERMS
/etc/sysconfig/networking/devices/ifcfg-* PERMS
/etc/sysconfig/network PERMS
/boot/initrd-* PERMS
/boot/grub/stage2 PERMS
/boot/grub/grub.conf PERMS
/boot/initrd-*.img PERMS
/etc/ld-nails.so.cache PERMS
/etc/ld-mfert.so.cache PERMS
/usr/lib/libfreebl3.chk PERMS
/usr/lib/locale/locale-archive PERMS
/usr/lib/libsoftokn3.chk PERMS
/usr/lib64/libfreebl3.chk PERMS
/usr/lib64/libsoftokn3.chk PERMS
/lib/modules/2.6.18-238.19.1.el5/modules.symbols PERMS
/lib/modules/2.6.18-238.el5/modules.symbols PERMS
/lib/modules/2.6.18-274.18.1.el5/modules.symbols PERMS
/etc/krb5.keytab PERMS
/var/lib/samba/group_mapping.ldb PERMS
/var/lib/sss/pubconf/kdcinfo.INSIM.BIZ PERMS
/etc/sysconfig/iptables PERMS
/etc/lvm/cache/.cache PERMS
/etc/iscsi/initiatorname.iscsi PERMS
/var/lib/ntp/drift PERMS

!/sys/*
!/proc/*
!/dev/*
!/selinux/*
!/var/tmp/*
!/tmp/*
!/home/*
!/var/*
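The PERMS rule in the file above is p+u+g+acl+xattrs: every path listed with PERMS is checked for mode, owner, group, ACLs and extended attributes only, not for its content. A rewritten sudoers drop-in, firewall ruleset, boot loader configuration or SSH host key whose mode and owner are left alone therefore produces no report line. The fragment below is an added example, not part of the original /etc/aide.conf; it shows those entries as they stand beside a stricter declaration that uses the NORMAL and DATAONLY rules already defined in that file. It replaces the corresponding PERMS lines rather than being added next to them.

```conf
# Added example, not from the /etc/aide.conf above. Rule names are the ones defined there.

# As on the page: only mode/owner/group/ACL/xattr changes are reported for these files.
# /etc/sudoers.d/system            PERMS
# /etc/sysconfig/iptables          PERMS
# /boot/grub/grub.conf             PERMS
# /etc/modprobe.conf               PERMS
# /etc/ssh/ssh_host_rsa_key        PERMS
# /etc/ssh/ssh_host_rsa_key.pub    PERMS

# Stricter: NORMAL adds sha256, rmd160, md5 and tiger checksums, so a content change is
# reported even when mode and owner are untouched.
/etc/sudoers.d/system              NORMAL
/etc/sysconfig/iptables            NORMAL
/boot/grub/grub.conf               NORMAL
/etc/modprobe.conf                 NORMAL
/etc/ssh/ssh_host_rsa_key          NORMAL
/etc/ssh/ssh_host_rsa_key.pub      NORMAL
/etc/ssh/ssh_host_dsa_key          NORMAL
/etc/ssh/ssh_host_dsa_key.pub      NORMAL

# /etc/shadow changes on every legitimate password change, but its content is exactly
# what an attacker wants to alter (a new hash for root, an added account). DATAONLY
# hashes it and tracks size and link count without inode, mtime or ctime; accept the
# resulting noise after password changes and re-baseline deliberately.
/etc/shadow                        DATAONLY
```

The remaining PERMS entries on the page (random-seed, mlocate.db, prelink caches, logrotate.status, adjtime) really are files whose content changes on its own, and PERMS is the right rule for them.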
After installing AIDE you need to create an initial fingerprint (database) of the system; every later check is compared against it. Build it while the system is in a known-good state: AIDE records whatever it finds, so a backdoor that is already present ends up in the baseline as a legitimate file. Note also that AIDE matches the path expressions in aide.conf as prefixes, so the final !/var/* line overlaps the explicit /var/log and /var/lib entries above it; after the database has been created, check with zgrep whether those paths are actually present in /var/lib/aide/aide.db.gz, and narrow the negation (for example to /var/cache and /var/spool) if they are missing.
[root@unixinfo ~]# aide --init
AIDE, version 0.13.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
This writes the database to /var/lib/aide/aide.db.new.gz. The database= line in aide.conf points at /var/lib/aide/aide.db.gz, so the new file has to be moved into place before aide --check can use it:
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Copy this file, together with /etc/aide.conf and the aide binary itself, to a different system or to read-only media right away. Anyone who obtains root on the host can edit the database, rewrite the configuration to exclude their files, or simply run aide --init again so that their changes become the new baseline; only a copy that the host cannot modify lets you detect that the local one was tampered with. Refresh that copy every time you deliberately re-baseline after legitimate changes such as patching.
Now, as a test to show that AIDE detects changes, I change the group and the permissions of the file
[ /etc/hosts ] and create a dummy file [ /etc/aide_dummy ]:
# chgrp bin /etc/hosts      ( originally root )
# chmod 664 /etc/hosts      ( originally 644 )
# touch /etc/aide_dummy
[root@unixinfo ~]# aide --check
AIDE found differences between database and filesystem!!
Start timestamp: 2012-05-08 14:27:43

Summary:
Total number of files: 32096
Added files: 1
Removed files: 0
Changed files: 1

---------------------------------------------------
Added files:
---------------------------------------------------

added: /etc/aide_dummy

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/hosts

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/hosts
Permissions: -rw-r--r-- , -rw-rw-r--
Gid : 0 , 1
Both changes are reported, and the detail section lists exactly the attributes the PERMS rule for /etc/hosts covers: the old and new mode and the old and new group (gid 1 is bin). Because PERMS carries no size, mtime or checksum, an edit to the content of /etc/hosts with the mode and owner left alone would not have appeared in this report.
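The procedure above (baseline, off-host reference copy, periodic check) as one cron-driven script. This is an added example written for this page, not a script shipped with AIDE or from the original post. Assumptions: the script name aide-check.sh; that right after aide --init and the mv you ran sha256sum over /var/lib/aide/aide.db.gz, /etc/aide.conf and /usr/sbin/aide and stored the output off-host, reachable read-only at REF_SUMS (the mount path is invented); that the report goes to stdout as in the configuration above; and that logger and mail are available for alerting. The sample report embedded at the end is constructed from the aide --check output shown above so that the report parser can be exercised without running aide; run_check calls the real aide(1) and is only entered with --run.

```shell
#!/bin/sh
# aide-check.sh (assumed name): scheduled AIDE run for the setup described above.
# Added example, not part of AIDE or of the original page. Assumptions:
#   - after `aide --init` and the mv, `sha256sum /var/lib/aide/aide.db.gz /etc/aide.conf
#     /usr/sbin/aide` was run and its output stored off-host; that file is mounted
#     read-only at REF_SUMS (the path is an assumption, e.g. an NFS export or a USB key)
#   - aide.conf reports to stdout (report_url=stdout, as in the configuration above)

AIDE_DB=/var/lib/aide/aide.db.gz
AIDE_CONF=/etc/aide.conf
AIDE_BIN=/usr/sbin/aide
REF_SUMS=${REF_SUMS:-/mnt/aide-ref/aide.sha256}

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils sha256sum, else shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_reference FILE SUMFILE: succeed only when FILE's SHA-256 equals the entry recorded
# for it in SUMFILE (sha256sum(1) format: "<hex>  <path>"). A missing entry is a failure
# too, so a quietly truncated reference file cannot make the check pass.
verify_reference() {
    want=$(awk -v f="$1" '$2 == f { print $1 }' "$2")
    [ -n "$want" ] || return 2
    [ "$(sha256_of "$1")" = "$want" ]
}

# summarize_report: read an `aide --check` report on stdin, print "ADDED REMOVED CHANGED".
# Only the numeric Summary lines count; the later "Added files:" section header, which
# carries no number, is deliberately ignored.
summarize_report() {
    awk '
        /^Added files: [0-9]+$/   { a = $3 }
        /^Removed files: [0-9]+$/ { r = $3 }
        /^Changed files: [0-9]+$/ { c = $3 }
        END { printf "%d %d %d\n", a, r, c }
    '
}

# run_check: 0 when the filesystem matches the baseline, 1 when AIDE reports differences,
# 3 when AIDE's own inputs no longer match the off-host reference. In the last case the
# report could have been shaped by whoever touched the database, so it is not sent at all.
run_check() {
    for f in "$AIDE_DB" "$AIDE_CONF" "$AIDE_BIN"; do
        if ! verify_reference "$f" "$REF_SUMS"; then
            logger -t aide-check "reference mismatch for $f, check aborted"
            return 3
        fi
    done
    report=$("$AIDE_BIN" --check 2>&1)
    set -- $(printf '%s\n' "$report" | summarize_report)
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -eq 0 ]; then
        logger -t aide-check "no differences found"
        return 0
    fi
    printf '%s\n' "$report" | mail -s "AIDE on $(hostname): $1 added, $2 removed, $3 changed" root
    return 1
}

# Constructed sample (the head of the aide --check report shown above), used to exercise
# summarize_report without running aide.
SAMPLE_REPORT='AIDE found differences between database and filesystem!!
Start timestamp: 2012-05-08 14:27:43

Summary:
Total number of files: 32096
Added files: 1
Removed files: 0
Changed files: 1

---------------------------------------------------
Added files:
---------------------------------------------------

added: /etc/aide_dummy'

sample_counts() { printf '%s\n' "$SAMPLE_REPORT" | summarize_report; }

# selftest_reference: build a throwaway database file and a matching reference entry,
# confirm the check passes, append one byte, confirm it now fails. Returns 0 if both hold.
selftest_reference() {
    dir=$(mktemp -d) || return 1
    printf 'baseline\n' > "$dir/aide.db.gz"
    printf '%s  %s\n' "$(sha256_of "$dir/aide.db.gz")" "$dir/aide.db.gz" > "$dir/aide.sha256"
    verify_reference "$dir/aide.db.gz" "$dir/aide.sha256" || { rm -rf "$dir"; return 1; }
    printf 'x' >> "$dir/aide.db.gz"
    if verify_reference "$dir/aide.db.gz" "$dir/aide.sha256"; then rm -rf "$dir"; return 1; fi
    rm -rf "$dir"
    return 0
}

case "${1-}" in
    --run) run_check; exit $? ;;
esac
```

Schedule it with a root cron entry such as `0 3 * * * /usr/local/sbin/aide-check.sh --run` and watch for exit status 3 in your monitoring separately from exit status 1: a mismatch of the database, configuration or binary against the off-host reference is a stronger signal than any list of changed files, because everything AIDE would report after that point is under the control of whoever changed them.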