AIDE : Install
2015/04/06
Install and configure Host Based IDS (Intrusion Detection System) "AIDE" (Advanced Intrusion Detection Environment).

[1] Install AIDE.
[root@dlp ~]# yum -y install aide
[2] Configure AIDE and initialize the database. AIDE can be used with its default config, but if you'd like to customize settings, edit the configuration file as follows. The monitoring rules are written around lines 26-84; refer to them.
[root@dlp ~]# vi /etc/aide.conf
# for example, change the setting for monitoring /var/log
/var/log    p+u+g+i+n+acl+selinux+xattrs

# initialize database
[root@dlp ~]# aide --init

AIDE, version 0.14

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

# copy generated DB to master DB
[root@dlp ~]# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[3] Run a check.
# if there is no mismatch, it displays "Okay"
[root@dlp ~]# aide --check

AIDE, version 0.14

### All files match AIDE database. Looks okay!

# try changing a file and check again
[root@dlp ~]# chmod 640 /root/install.log
# differences are detected as follows
[root@dlp ~]# aide --check

AIDE found differences between database and filesystem!!
Start timestamp: 2015-04-06 20:35:38

Summary:
  Total number of files:	33119
  Added files:			0
  Removed files:		0
  Changed files:		1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root/install.log

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /root/install.log
  Permissions: -rw-r--r-- , -rw-r-----
  Ctime      : 2012-04-11 11:54:44 , 2015-04-07 10:35:15
  ACL: old = A:
----
user::rw-
group::r--
other::r--
----
D:<NONE>
       new = A:
----
user::rw-
group::r--
other::---
----
D:<NONE>
[4] If the detected differences are expected and there is no problem, update the database as follows.
[root@dlp ~]# aide --update

AIDE found differences between database and filesystem!!
Start timestamp: 2015-04-06 20:35:38

Summary:
  Total number of files:	33119
  Added files:			0
  Removed files:		0
  Changed files:		1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root/install.log
.....
.....

# update database
[root@dlp ~]# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[5] Add a Cron job if you want to check regularly. The log file [/var/log/aide/aide.log] is overwritten on every run, and when there is no difference it is written as a zero-byte file, so if you'd like to keep the logs, you need to create a shell script, send the results via email, or similar.
00 01 * * * /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root
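As an added example (not from the original page), the following wrapper script addresses the point above: it keeps a dated copy of every AIDE report and mails it to root only when AIDE's Summary counters show a difference. The paths /usr/sbin/aide and /var/log/aide/archive and the variable names are assumptions for this example.

```shell
#!/bin/sh
# Added example: cron wrapper for AIDE that archives each report and mails
# it only when differences are found. Paths below are assumptions.
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"               # assumed aide location
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/aide/archive}"  # assumed archive directory
MAIL_TO="${MAIL_TO:-root}"

# Returns 0 when the report shows added/removed/changed files, 1 when clean.
# Parses the "Summary:" counters AIDE prints, as shown in the output above
# (leading whitespace and tab/space separators are both accepted).
aide_report_has_changes() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(Added|Removed|Changed) files:[[:space:]]*[0-9]+$/ { total += $NF }
        END { exit ((total > 0) ? 0 : 1) }'
}

# Run aide --check, save its output under a timestamped name, mail on change.
aide_daily_check() {
    mkdir -p "$ARCHIVE_DIR"
    out="$ARCHIVE_DIR/aide-$(date +%Y%m%d-%H%M%S).log"
    # aide exits non-zero when it finds differences; temporarily disable
    # errexit so the report is still archived before we inspect it.
    set +e
    "$AIDE_BIN" --check > "$out" 2>&1
    rc=$?
    set -e
    if aide_report_has_changes "$(cat "$out")"; then
        mail -s "AIDE: differences found on $(hostname) (exit $rc)" "$MAIL_TO" < "$out"
        return 1
    fi
    return 0
}
```

Called from cron (for example `00 01 * * * /usr/local/sbin/aide-check.sh`, with a final line `aide_daily_check` in the script) this uses `--check` rather than `--update`, so the baseline database is only replaced when you deliberately copy aide.db.new.gz over it as in step [4].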