The AIDE (Advanced Intrusion Detection Environment) software is included with the system to provide software integrity checking. It is designed to be a replacement for the well-known Tripwire integrity checker. Integrity checking cannot prevent intrusions into your system, but it can detect that they have occurred. Any integrity checking software should be configured before the system is deployed and able to provide services to users. Ideally, the integrity checking database would be built before the system is connected to any network, though this may prove impractical due to registration and software updates.
Prerequisites: Just aide package.
Documentation for AIDE, including the quick-start on which this advice is based, is available in /usr/share/doc/aide-0.12.
Steps for Installing AIDE:
[root@unixlinux ~]# yum install aide -y
The main configuration file for AIDE is /etc/aide.conf. It contains the default paths of the database directory and the log directory, the path the database is read from, the path where a new database is written, the directories to include when you run a check or initialize a database, and various other settings.
Initialize the DB:
[root@unixlinux ~]# aide --init
Once AIDE has initialized the database it prints a message with the path of the new database:
=============================
AIDE, version 0.14
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
============================
The database at /var/lib/aide/aide.db.new.gz, the binary /usr/sbin/aide and the configuration /etc/aide.conf are all critical: save copies of these files to a safe location. The configuration file describes everything that is checked, and the database you just created records the state of your machine before any changes have been made.
The database AIDE reads from during a check must be named aide.db.gz and must live in the /var/lib/aide/ directory, so the full path is /var/lib/aide/aide.db.gz.
Now suppose some changes are made on the machine on which AIDE was initialized, for example vsftpd is installed.
We now need to check whether there is any inconsistency between the database and the machine.
After running the check you will get output like the following:
[root@unixlinux ~]# aide --check
File /etc/localtime in databases has different attributes, 340201bbd,300000bbf
File /var/log in databases has different attributes, 304200a1d,304000a1d
AIDE found differences between database and filesystem!!
Start timestamp: 2014-04-04 10:42:47
Summary:
Total number of files: 295853
Added files: 242349
Removed files: 1665
Changed files: 20910
---------------------------------------------------
Added files:
---------------------------------------------------
added: /etc/cron.daily/freshclam
added: /etc/sysconfig/iptables
added: /etc/default/useradd
added: /usr/sbin/clamd
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /usr/share/man/man8/amanda_selinux.8.gz
removed: /usr/share/man/man8/quantum_selinux.8.gz
removed: /usr/share/man/man8/cfengine_execd_selinux.8.gz
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /etc/host.conf
changed: /etc/DIR_COLORS
changed: /etc/rc1.d
changed: /etc/selinux/restorecond_user.conf
changed: /etc/selinux/targeted/setrans.conf
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /etc/security
Mtime : 2013-12-22 18:00:52 , 2014-03-30 09:12:19
Ctime : 2013-12-22 18:00:52 , 2014-03-30 09:12:19
File: /etc/security/access.conf
Mtime : 2012-10-15 08:23:50 , 2013-10-07 12:06:06
Ctime : 2013-05-09 18:53:44 , 2013-12-23 22:01:59
Inode : 265386 , 265382
File: /etc/security/pam_winbind.conf
Mtime : 2012-12-17 10:48:10 , 2013-11-25 14:20:38
Ctime : 2013-05-09 18:53:44 , 2013-12-23 22:01:59
Inode : 270794 , 272706
You can also review the differences in the aide.log file: which files were changed or removed, the total number of files, and so on.
If the changes are known, update your DB; if not, take whatever action is required. After updating, save the new DB to a safe location again.
[root@unixlinux ~]# aide --update
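The whole cycle from the steps above (initialize, promote and back up the new database, run the check, decide what to do with the result), as an added shell example that is not code from the original post. The paths /var/lib/aide and /etc/aide.conf are AIDE's defaults as given on the page; the safe-copy directory, the function names, and the sample report (constructed to match the shape of the aide --check output shown above) are assumptions. The exit-status decoding follows the bit-coded values documented in aide(1): 1 for new files, 2 for removed files, 4 for changed files, added together when several apply.

```shell
#!/bin/sh
# Added example (not from the original post): the AIDE init -> promote ->
# check -> update cycle as shell functions, plus a parser for the Summary
# block of an aide --check report so a cron job can act on the result.
# SAFE_DIR, the function names and the sample reports are assumptions.

AIDE_DIR="${AIDE_DIR:-/var/lib/aide}"            # AIDE default on the page
AIDE_CONF="${AIDE_CONF:-/etc/aide.conf}"         # AIDE default on the page
SAFE_DIR="${SAFE_DIR:-/root/aide-baseline}"      # assumed off-box copy target

# Promote the freshly built database to the name aide --check reads from,
# and keep a copy of the database and config in the safe location.
# Args: aide db dir, safe dir, config file, stamp used as copy suffix.
aide_promote_db() {
    dir="$1"; safe="$2"; conf="$3"; stamp="$4"
    if [ ! -f "$dir/aide.db.new.gz" ]; then
        echo "aide_promote_db: no $dir/aide.db.new.gz (run aide --init first)" >&2
        return 1
    fi
    mv "$dir/aide.db.new.gz" "$dir/aide.db.gz" || return 1
    mkdir -p "$safe" || return 1
    cp "$dir/aide.db.gz" "$safe/aide.db.gz.$stamp" || return 1
    cp "$conf" "$safe/aide.conf.$stamp" || return 1
}

# Read one Summary counter ("Added files", "Removed files", "Changed files")
# from an aide --check report on stdin. Only the first match is used, so the
# section header "Added files:" that follows the Summary does not clobber it.
aide_count() {
    awk -v key="$1" -F': *' '$1 == key { print $2; exit }'
}

# Summarise a report read on stdin: "clean" when every counter is 0 (or the
# Summary block is absent), otherwise the three counts.
aide_report_verdict() {
    report="$(cat)"
    a="$(printf '%s\n' "$report" | aide_count 'Added files')"
    r="$(printf '%s\n' "$report" | aide_count 'Removed files')"
    c="$(printf '%s\n' "$report" | aide_count 'Changed files')"
    a="${a:-0}"; r="${r:-0}"; c="${c:-0}"
    if [ "$a" -eq 0 ] && [ "$r" -eq 0 ] && [ "$c" -eq 0 ]; then
        echo "clean"
    else
        echo "added=$a removed=$r changed=$c"
    fi
}

# Decode aide's bit-coded exit status (aide(1)): 1 = new files,
# 2 = removed files, 4 = changed files; anything above 7 is an error.
aide_exit_reason() {
    code="$1"
    if [ "$code" -eq 0 ]; then echo "no differences"; return 0; fi
    if [ "$code" -gt 7 ]; then echo "error (exit $code)"; return 0; fi
    out=""
    [ $((code & 1)) -ne 0 ] && out="$out added"
    [ $((code & 2)) -ne 0 ] && out="$out removed"
    [ $((code & 4)) -ne 0 ] && out="$out changed"
    echo "${out# }"
}

# Wrapper around the real check: keep the full report at the given path and
# print the decoded status. Returns aide's own exit status.
aide_run_check() {
    log="$1"
    aide --check >"$log" 2>&1
    rc=$?
    echo "aide --check: $(aide_exit_reason "$rc") ($(aide_report_verdict <"$log"))"
    return "$rc"
}

# Constructed sample reports shaped like the post's aide --check output.
SAMPLE_REPORT='AIDE found differences between database and filesystem!!
Start timestamp: 2014-04-04 10:42:47
Summary:
Total number of files: 295853
Added files: 242349
Removed files: 1665
Changed files: 20910
---------------------------------------------------
Added files:
---------------------------------------------------
added: /etc/sysconfig/iptables'

CLEAN_REPORT='Summary:
Total number of files: 295853
Added files: 0
Removed files: 0
Changed files: 0'

# Typical use after reviewing a check and accepting the changes:
#   aide --update && aide_promote_db "$AIDE_DIR" "$SAFE_DIR" "$AIDE_CONF" "$(date +%Y%m%d%H%M%S)"
```

On a real host the sequence is aide --init, then aide_promote_db to rename aide.db.new.gz to aide.db.gz and stash a copy with the config, then aide_run_check from cron. After aide --update the new database again lands in aide.db.new.gz, so aide_promote_db is rerun only once the reported changes have been reviewed and accepted.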