AIDE : Install2019/12/16 |
Install and configure Host Based IDS (Intrusion Detection System) [AIDE] (Advanced Intrusion Detection Environment).
|
|
[1] | Install AIDE. |
[root@dlp ~]# dnf -y install aide
|
[2] | Configure AIDE and initialize database. It's possible to use AIDE with default config but if you'd like to customize settings, change configuration file like follows. Setting rules are writen near 26-84 lines, refer to them. |
[root@dlp ~]#
vi /etc/aide.conf # line 26: description for setting rules # These are the default rules. # #p: permissions #i: inode: #n: number of links #u: user #g: group #s: size #b: block count #m: mtime #a: atime #c: ctime #S: check for growing size #acl: Access Control Lists #selinux SELinux security context #xattrs: Extended file attributes #md5: md5 checksum #sha1: sha1 checksum #sha256: sha256 checksum # initialize database [root@dlp ~]# aide --init Start timestamp: 2019-12-15 19:20:52 +0900 (AIDE 0.16) AIDE initialized database at /var/lib/aide/aide.db.new.gz Number of entries: 39208 --------------------------------------------------- The attributes of the (uncompressed) database(s): --------------------------------------------------- /var/lib/aide/aide.db.new.gz ..... ..... # copy generated DB to master DB [root@dlp ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
|
[3] | Execute checking. |
[root@dlp ~]#
aide --check # if there is no unmatch, it displayed [Looks okay] Start timestamp: 2019-12-15 19:22:29 +0900 (AIDE 0.16) AIDE found NO differences between database and filesystem. Looks okay!! Number of entries: 39208 --------------------------------------------------- The attributes of the (uncompressed) database(s): --------------------------------------------------- /var/lib/aide/aide.db.gz ..... ..... # try to change a file and check again [root@dlp ~]# chmod 640 /root/anaconda-ks.cfg [root@dlp ~]# aide --check # detected differences like follows Start timestamp: 2019-12-15 19:24:31 +0900 (AIDE 0.16) AIDE found differences between database and filesystem!! Summary: Total number of entries: 39208 Added entries: 0 Removed entries: 0 Changed entries: 1 --------------------------------------------------- Changed entries: --------------------------------------------------- f = p.. .c...A.. : /root/anaconda-ks.cfg --------------------------------------------------- Detailed information about changes: --------------------------------------------------- File: /root/anaconda-ks.cfg Perm : -rw------- | -rw-r----- Ctime : 2019-10-12 22:40:01 +0900 | 2019-12-15 19:24:23 +0900 ACL : A: user::rw- | A: user::rw- A: group::--- | A: group::r-- A: other::--- | A: other::--- --------------------------------------------------- The attributes of the (uncompressed) database(s): --------------------------------------------------- /var/lib/aide/aide.db.gz ..... ..... |
[4] | If there is no ploblem even if some differences are detected, then update database like follows. |
[root@dlp ~]#
aide --update Start timestamp: 2019-12-15 19:25:59 +0900 (AIDE 0.16) AIDE found differences between database and filesystem!! New AIDE database written to /var/lib/aide/aide.db.new.gz Summary: Total number of entries: 39208 Added entries: 0 Removed entries: 0 Changed entries: 1 --------------------------------------------------- Changed entries: --------------------------------------------------- ..... ..... # update database [root@dlp ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
|
[5] | Add in Cron if check regulary. Log file [/var/log/aide/aide.log] is updated every time, so if you's like to save log files, it needs to create a shell script or send results via email or others. |
# for example, add daily check in Crontab and send results via email
[root@dlp ~]# vi /etc/cron.d/aide
00 01 * * * root /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root
|
Sponsored Link |
|