Fli
04-09-2014, 09:20 AM
Hi, do You have any experience with this linux software? AIDE - Advanced Intrusion Detection Environment
I installed it and used it, and this is my guide for CentOS (Community enterprise Operating System), but it will most probably work for other linux too.
What AIDE does: This SW basically create hashes for folders and files and result is saved into gzipped database file. Then admin can periodically run check of current linux files/folders against AIDE gzipped databaze file. Differencies are reported to admin. Admin can set which folders/files to monitor and which to skip.
Aide official page: http://aide.sourceforge.net/
Aide installation on CentOS:
yum install aide
(if its not found by yum, make sure to install EPEL repository (google it))
Move/backup default config file and create new one:
mv /etc/aide.conf /etc/aide.conf_orig;vi /etc/aide.conf
Copy & paste following code which dont use SElinux (default aide .conf use Selinux and it fails to work on CentOS where selinux is disabled, retunrs erros "lgetfilecon_raw failed for /:No data available", source of .conf (http://pengruin.blogspot.com/2010/04/centos-aide-lgetfileconraw.html)):
# Example configuration file for AIDE.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:pa sswd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default.
verbose=5
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:[email protected]
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+go st+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = p+i+n+u+g+s+m+c+acl+xattrs+md5+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = p+i+n+u+g+s+m+c+acl+xattrs+md5+rmd160+sha256
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+xattrs
# Access control only
PERMS = p+i+u+g+acl
# Logfile are special, in that they often change
LOG = p+u+g+i+n+S+acl+xattrs
# Just do md5 and sha256 hashes
LSPP = p+i+n+u+g+s+m+c+acl+xattrs+md5+sha256
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
# Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL
/var/log LOG
/var/run/utmp LOG
# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log
# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP
/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP
/etc/hosts LSPP
/etc/sysconfig LSPP
/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP
/etc/ld.so.conf LSPP
/etc/localtime LSPP
/etc/sysctl.conf LSPP
/etc/modprobe.conf LSPP
/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP
/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP
/etc/stunnel LSPP
/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP
/etc/issue LSPP
/etc/issue.net LSPP
/etc/cups LSPP
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found DIR
#=/home DIR
# Ditto /var/log/sa reason...
!/var/log/and-httpd
# Admins dot files constantly change, just check perms
/root/.* PERMS
Save file and quit (:wq and Enter)
-i initialize (create database of files/folders for future comparisons) - this is one time process
aide -i
Process can take 10minutes+. Database will be created in /var/lib/aide/aide.db.new.gz , rename this file into aide.db.gz so check command works:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-C check - monitor/check file/folder changes regularly with aide:
aide -C
Note:
aide commands can be run with lower priority so it dont influence processes of higher importance, example:
nice -19 aide -C
Once you do first check, you may find some files was already changed, and if you want to exclude certain directory from checks, just edit /etc/aide.conf and add line with exclamation mark like:
!/usr/local/lxlabs/kloxo/
You can setup an cronjob like following one to check files regularly:
0 1 * * * nice -19 aide -C | mail you@domain -s "Aide Report"
(this one is run every midnight and following is an example email you receive on each run)
82
The thing that puzzles me is how to exclude some filetypes, example .swf, .tar.gz, .zip from monitoring in all monitored directories. Mainly want to exclude from /home/username/
I installed it and used it, and this is my guide for CentOS (Community enterprise Operating System), but it will most probably work for other linux too.
What AIDE does: This SW basically create hashes for folders and files and result is saved into gzipped database file. Then admin can periodically run check of current linux files/folders against AIDE gzipped databaze file. Differencies are reported to admin. Admin can set which folders/files to monitor and which to skip.
Aide official page: http://aide.sourceforge.net/
Aide installation on CentOS:
yum install aide
(if its not found by yum, make sure to install EPEL repository (google it))
Move/backup default config file and create new one:
mv /etc/aide.conf /etc/aide.conf_orig;vi /etc/aide.conf
Copy & paste following code which dont use SElinux (default aide .conf use Selinux and it fails to work on CentOS where selinux is disabled, retunrs erros "lgetfilecon_raw failed for /:No data available", source of .conf (http://pengruin.blogspot.com/2010/04/centos-aide-lgetfileconraw.html)):
# Example configuration file for AIDE.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:pa sswd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default.
verbose=5
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:[email protected]
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+go st+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = p+i+n+u+g+s+m+c+acl+xattrs+md5+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = p+i+n+u+g+s+m+c+acl+xattrs+md5+rmd160+sha256
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+xattrs
# Access control only
PERMS = p+i+u+g+acl
# Logfile are special, in that they often change
LOG = p+u+g+i+n+S+acl+xattrs
# Just do md5 and sha256 hashes
LSPP = p+i+n+u+g+s+m+c+acl+xattrs+md5+sha256
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
# Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL
/var/log LOG
/var/run/utmp LOG
# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log
# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP
/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP
/etc/hosts LSPP
/etc/sysconfig LSPP
/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP
/etc/ld.so.conf LSPP
/etc/localtime LSPP
/etc/sysctl.conf LSPP
/etc/modprobe.conf LSPP
/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP
/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP
/etc/stunnel LSPP
/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP
/etc/issue LSPP
/etc/issue.net LSPP
/etc/cups LSPP
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found DIR
#=/home DIR
# Ditto /var/log/sa reason...
!/var/log/and-httpd
# Admins dot files constantly change, just check perms
/root/.* PERMS
Save file and quit (:wq and Enter)
-i initialize (create database of files/folders for future comparisons) - this is one time process
aide -i
Process can take 10minutes+. Database will be created in /var/lib/aide/aide.db.new.gz , rename this file into aide.db.gz so check command works:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-C check - monitor/check file/folder changes regularly with aide:
aide -C
Note:
aide commands can be run with lower priority so it dont influence processes of higher importance, example:
nice -19 aide -C
Once you do first check, you may find some files was already changed, and if you want to exclude certain directory from checks, just edit /etc/aide.conf and add line with exclamation mark like:
!/usr/local/lxlabs/kloxo/
You can setup an cronjob like following one to check files regularly:
0 1 * * * nice -19 aide -C | mail you@domain -s "Aide Report"
(this one is run every midnight and following is an example email you receive on each run)
82
The thing that puzzles me is how to exclude some filetypes, example .swf, .tar.gz, .zip from monitoring in all monitored directories. Mainly want to exclude from /home/username/