
Quick Configuration of AIDE (Advanced Intrusion Detection Environment)

AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire(tm). It generates a database that can be used to check the integrity of files on a server. It uses regular expressions to determine which files get added to the database. You can use several message digest algorithms to ensure that the files have not been tampered with.

The default configuration of aide is quite fine, but we are going to tweak it slightly.

Send the report

Reports, which are created once a day, can be sent to a custom address: change the variable MAILTO to whichever address you like. The default is to send them to root on localhost.
To change it, open and edit /etc/default/aide.

Configuring aide

Most AIDE configuration is in the file /etc/aide/aide.conf. This file is pretty well documented and the default rules are decent, but we are going to make some slight changes.

AIDE aims at reporting files that changed since the last snapshot (/var/lib/aide/aide.db). A good security measure is to keep that file on a read-only device such as a floppy disk or a cdrom. If your machine has such a device, you could use the snapshot from that device. So let's say that you have a copy of aide.db on a cdrom.

To use that snapshot, you could change:
database=file:/var/lib/aide/aide.db
to
database=file:/media/cdrom/aide.db 
instead. That way, if an intruder gets into your machine, he won't be able to modify aide.db.

By default, AIDE checks for changes in the binaries and libraries directories. Those are matched to the BinLib rule, which basically checks for any change in permissions, ownership, modification, access and creation date, size, md5 and sha1 signature, inode, number of links and block count. It also checks for modifications in the log files against the rule Logs. Because log files tend to grow, you cannot use a signature there and you also have to ask aide not to check for size modification (S). Okay, this should be enough to understand how aide works. Reading through /etc/aide/aide.conf is a good place to learn more.

To make aide check /etc/ as well, add: /etc ConfFiles to /etc/aide/aide.conf; this will check for changes in /etc/.

Updating aide

aide is run on a daily basis through the script /etc/cron.daily/aide. The default settings in /etc/default/aide tell aide to update its database. Using the database_out value in /etc/aide/aide.conf, aide will output a new database every time it runs, to /var/lib/aide/aide.db.new if you kept the default settings.

Any time you install new packages, change some configuration settings, etc., it is worth using an up-to-date database so aide won't report any changes or additions in /etc/mynewsoft, /bin/mynewsoft, etc.
So, when you install new software or make some configuration changes, run:
# /etc/cron.daily/aide
Then check in the report that modifications were only made to the files you intended to modify and that added files only come from packages you have just installed.

Once you are sure that everything is fine, copy the new database to whatever place your database points to (cdrom, floppy, somewhere on your filesystem, etc.). This way, you will get lighter reports next time aide runs.
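As an added example (not part of the original post), here is the update procedure above wrapped in a few POSIX shell functions. It assumes Debian's default layout: a database=file: line in /etc/aide/aide.conf and the new snapshot written to /var/lib/aide/aide.db.new; the SHA-256 sidecar file recorded at promotion time is my own addition, so that the database itself can be checked before it is trusted for the next run.

```shell
#!/bin/sh
# Added example, not code from the original post or from the AIDE project.
# Assumes Debian's default paths and a "database=file:<path>" line in aide.conf.
set -eu

# Return the live database path configured by the database= line in aide.conf.
aide_db_path() {
    sed -n 's/^database=file:[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | head -n 1
}

# SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Copy aide.db.new over the live database and record its digest beside it
# (the .sha256 sidecar is this example's own convention, not AIDE's).
promote_db() {
    newdb="$1"; target="$2"
    [ -f "$newdb" ] || { echo "no new database at $newdb" >&2; return 1; }
    cp "$newdb" "$target"
    file_digest "$target" > "$target.sha256"
}

# Check the live database against the digest recorded at promotion time.
# Returns non-zero if it differs or no digest was ever recorded.
verify_db() {
    target="$1"
    [ -f "$target.sha256" ] || return 1
    [ "$(file_digest "$target")" = "$(cat "$target.sha256")" ]
}

# Daily workflow: refuse to silently trust an unverified database, run the
# cron script, then leave promotion to the admin after the report is reviewed.
run_daily_check() {
    conf=${1:-/etc/aide/aide.conf}
    db=$(aide_db_path "$conf")
    verify_db "$db" || echo "warning: $db has no matching digest, inspect it first" >&2
    /etc/cron.daily/aide
    echo "Review the report, then: promote_db /var/lib/aide/aide.db.new $db"
}
```

Source the file and call run_daily_check after installing packages; promote_db is only run once the report shows nothing unexpected.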

