Total de visualizações de página

terça-feira, 3 de maio de 2016

AIDE : Install


AIDE : Install
2015/06/21
 
Install and configure Host Based IDS (Intrusion Detection System) "AIDE" (Advanced Intrusion Detection Environment).
[1]Install AIDE.
[root@dlp ~]# 
yum -y install aide
[2]Configure AIDE and initialize database. It's possible to use AIDE with default config but if you'd like to customize settings, change configuration file like follows. Setting rules are writen near 26-84 lines, refer to them.
[root@dlp ~]# 
vi /etc/aide.conf
# for example, change setting of monitoring /var/log

/var/log   
p+u+g+i+n+acl+selinux+xattrs
# initialize database

[root@dlp ~]# 
aide --init 

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

# copy generated DB to master DB

[root@dlp ~]# 
cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[3]Execute checking.
[root@dlp ~]# 
aide --check
# if thete is no unmatch, it displayed "Okay"

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

# try to change a file and check again

[root@dlp ~]# 
chmod 640 /root/anaconda-ks.cfg 

[root@dlp ~]# 
aide --check
# detected differences like follows

AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2015-06-17 19:55:20

Summary:
  Total number of files:        39039
  Added files:                  0
  Removed files:                0
  Changed files:                1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root/anaconda-ks.cfg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /root/anaconda-ks.cfg
 Perm     : -rw-------                       , -rw-r-----
 Ctime    : 2015-05-24 02:22:04              , 2015-06-19 11:55:15
 ACL      : old = A:
----
user::rw-
group::---
other::---
----
                  D: <NONE>
            new = A:
----
user::rw-
group::r--
other::---
----
                  D: <NONE>
[4]If there is no ploblem even if some differences are detected, then update database like follows.
[root@dlp ~]# 
aide --update
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2015-06-17 19:56:31

Summary:
  Total number of files:        39039
  Added files:                  0
  Removed files:                0
  Changed files:                1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root/anaconda-ks.cfg
.....
.....

# update database

[root@dlp ~]# 
cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[5]Add in Cron if check regulary. Log file [/var/log/aide/aide.log] is updated every time and if there is no difference, it is updated with zero byte, so if you's like to save log files, it needs to create a shell script or send results via email or others.
# for example, add daily check in Crontab and send results via email

[root@dlp ~]# 
vi /etc/cron.d/aide
00 01 * * * /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root

Nenhum comentário:

Postar um comentário