AIDE, setup and usage on CentOS

**Fli** · 04-09-2014, 09:20 AM

Hi, do You have any experience with this linux software? AIDE - Advanced Intrusion Detection Environment

I installed it and used it, and this is my guide for CentOS (Community enterprise Operating System), but it will most probably work for other linux too.

What AIDE does: This SW basically create hashes for folders and files and result is saved into gzipped database file. Then admin can periodically run check of current linux files/folders against AIDE gzipped databaze file. Differencies are reported to admin. Admin can set which folders/files to monitor and which to skip.

Aide official page: http://aide.sourceforge.net/

Aide installation on CentOS:

Code:

yum install aide

(if its not found by yum, make sure to install EPEL repository (google it))

Move/backup default config file and create new one:

Code:

mv /etc/aide.conf /etc/aide.conf_orig;vi /etc/aide.conf

Copy & paste following code which dont use SElinux (default aide .conf use Selinux and it fails to work on CentOS where selinux is disabled, retunrs erros "lgetfilecon_raw failed for /:No data available", source of .conf):

Code:

# Example configuration file for AIDE.

@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide

# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz

# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz

# Whether to gzip the output to database
gzip_dbout=yes 

# Default.
verbose=5

report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:[email protected]
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH

# These are the default rules.
#
#p: permissions
#i: inode: 
#n: number of links
#u: user
#g: group 
#s: size
#b: block count
#m: mtime 
#a: atime 
#c: ctime 
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum

#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)

#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs

# You can create custom rules like this.
# With MHASH... 
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = p+i+n+u+g+s+m+c+acl+xattrs+md5+ALLXTRAHASHES

# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = p+i+n+u+g+s+m+c+acl+xattrs+md5+rmd160+sha256

# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+xattrs

# Access control only
PERMS = p+i+u+g+acl

# Logfile are special, in that they often change
LOG = p+u+g+i+n+S+acl+xattrs

# Just do md5 and sha256 hashes
LSPP = p+i+n+u+g+s+m+c+acl+xattrs+md5+sha256

# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger

# Next decide what directories/files you want in the database.

/boot NORMAL 
/bin NORMAL 
/sbin NORMAL 
/lib NORMAL 
/opt NORMAL 
/usr NORMAL 
/root NORMAL 
# These are too volatile
!/usr/src
!/usr/tmp

# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL

/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL

/etc/sudoers NORMAL
/etc/skel NORMAL 

/etc/logrotate.d NORMAL

/etc/resolv.conf DATAONLY

/etc/nscd.conf NORMAL
/etc/securetty NORMAL

# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL 

# Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL 
/etc/yum.repos.d/ NORMAL

/var/log LOG 
/var/run/utmp LOG

# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log

# LSPP rules... 
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP 
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP

/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP

/etc/hosts LSPP 
/etc/sysconfig LSPP

/etc/inittab LSPP
/etc/grub/ LSPP 
/etc/rc.d LSPP 

/etc/ld.so.conf LSPP

/etc/localtime LSPP

/etc/sysctl.conf LSPP

/etc/modprobe.conf LSPP

/etc/pam.d LSPP 
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP

/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP

/etc/stunnel LSPP

/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP 

/etc/issue LSPP 
/etc/issue.net LSPP

/etc/cups LSPP 

# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found DIR
#=/home DIR

# Ditto /var/log/sa reason...
!/var/log/and-httpd

# Admins dot files constantly change, just check perms
/root/.* PERMS

Save file and quit (:wq and Enter)

-i initialize (create database of files/folders for future comparisons) - this is one time process

Code:

aide -i

Process can take 10minutes+. Database will be created in /var/lib/aide/aide.db.new.gz , rename this file into aide.db.gz so check command works:

Code:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

-C check - monitor/check file/folder changes regularly with aide:

Code:

aide -C

Note:
aide commands can be run with lower priority so it dont influence processes of higher importance, example:

Code:

nice -19 aide -C

Once you do first check, you may find some files was already changed, and if you want to exclude certain directory from checks, just edit /etc/aide.conf and add line with exclamation mark like:

Code:

!/usr/local/lxlabs/kloxo/

You can setup an cronjob like following one to check files regularly:

Code:

0 1 * * * nice -19 aide -C | mail you@domain -s "Aide Report"

(this one is run every midnight and following is an example email you receive on each run)

Name: 9cEed.jpg
Views: 563
Size: 107.5 KB

The thing that puzzles me is how to exclude some filetypes, example .swf, .tar.gz, .zip from monitoring in all monitored directories. Mainly want to exclude from /home/username/