1. aide Overview
AIDE (Advanced Intrusion Detection Environment) is an intrusion detection tool used to check the integrity of files.
AIDE builds a database for the files you specify, using aide.conf as its configuration file. The AIDE database can store many attributes of a file, including permissions, inode number, user, group, file size, last modification time (mtime), creation time (ctime), last access time (atime), growing size, and number of links. AIDE can also use the following hash algorithms: sha1, md5, rmd160, and tiger. The checksum or hash of each file is created in ciphertext form.
Common intrusion detection software:
1. Tripwire: complicated to operate
2. AIDE: a newer tool intended to replace Tripwire
Principle of file system intrusion detection:
1. While the system is known to be clean, compute a fingerprint of every file in the system to obtain a baseline database.
2. Not every file needs a stored fingerprint; volatile files (/var/log, /tmp, /var/tmp, /proc, /sys, /dev/shm, ...) are excluded.
3. To check whether a file has been changed, compare its current fingerprint against the value in the baseline database; the files whose fingerprints differ are the ones that changed.
4. Send the check results to the administrator every day by email or other means.
2. aide deployment
1. Obtain the latest src rpm package from the Red Hat official website.
# wget ftp://ftp.redhat.com/redhat/linux/enterprise/5Server/en/os/SRPMS/aide-0.13.1-6.el5.src.rpm
# rpm -ivh aide-0.13.1-6.el5.src.rpm
# rpmbuild -bb /usr/src/redhat/SPECS/aide.spec
# rpm -ivh /usr/src/redhat/RPMS/i386/aide-0.13.1-6.el5.i386.rpm
Or install directly with yum:
# yum -y install aide
3. basic use of aide
1) Create a directory with some test files in it, and strip the comments and blank lines from the default configuration file:
# mkdir /aide_test_check
# cp /etc/hosts* /aide_test_check
# grep -v ^# /etc/aide.conf | grep -v ^$ > /etc/aide2.conf
# mv /etc/aide2.conf /etc/aide.conf
mv: overwrite '/etc/aide.conf'? y
2) Edit the configuration file and define the directory to monitor:
# cp /etc/aide.conf /etc/aide.conf.bak
# vim /etc/aide.conf
# baseline database directory
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# baseline database file
database=file:@@{DBDIR}/aide.db.gz
# database file written when the baseline is (re)built
database_out=file:@@{DBDIR}/aide.db.new.gz
gzip_dbout=yes
verbose=5
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
R = p+i+n+u+g+s+m+c+acl+xattrs+md5
L = p+i+n+u+g+acl+xattrs
> = p+u+g+i+n+S+acl+xattrs
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
EVERYTHING = R+ALLXTRAHASHES
NORMAL = R+rmd160+sha256
DIR = p+i+n+u+g+acl+xattrs
PERMS = p+i+u+g+acl
LOG = >
LSPP = R+sha256
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
/aide_test_check NORMAL
3) Initialize the database:
# /usr/sbin/aide -c /etc/aide.conf --init
AIDE, version 0.13.1
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
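The four-step principle above and the rule groups in aide.conf, as an added Python illustration (not part of the original article and not AIDE's own code): a baseline of the per-file attributes that the NORMAL rule letters name (p, i, n, u, g, s, m, c plus md5/sha256; acl and xattrs left out) is built with the page's exclusion list, then a later walk is compared against it to report added, removed and changed files together with which attributes changed, which is what the --init and --check runs do. The scratch directory and file contents in demo() are constructed for the example.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

# Attribute letters follow the aide.conf rule groups (p i n u g s m c + hashes).
EXCLUDE_PREFIXES = ("/var/log", "/tmp", "/var/tmp", "/proc", "/sys", "/dev/shm")

def fingerprint(path):
    """Collect the attributes that the NORMAL rule group records for one file."""
    st = os.lstat(path)
    entry = {"p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
             "u": st.st_uid, "g": st.st_gid, "s": st.st_size,
             "m": int(st.st_mtime), "c": int(st.st_ctime)}
    if stat.S_ISREG(st.st_mode):          # hash regular file content only
        data = Path(path).read_bytes()
        for algo in ("md5", "sha256"):
            entry[algo] = hashlib.new(algo, data).hexdigest()
    return entry

def build_baseline(root, excludes=EXCLUDE_PREFIXES):
    """Walk root and fingerprint every file not under an excluded (volatile) prefix."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not full.startswith(excludes):
                db[full] = fingerprint(full)
    return db

def compare(baseline, current):
    """Return (added, removed, changed); changed maps path -> attribute letters that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in set(baseline) & set(current):
        diff = [k for k, v in baseline[path].items() if current[path].get(k) != v]
        if diff:
            changed[path] = diff
    return added, removed, changed

def demo():
    """Constructed scenario: baseline a scratch directory, tamper with it, re-check."""
    root = tempfile.mkdtemp(prefix="aide_demo_")     # hypothetical test directory
    hosts = os.path.join(root, "hosts")
    Path(hosts).write_text("127.0.0.1 localhost\n")
    # excludes=() because the scratch dir lives under /tmp, which the page excludes
    baseline = build_baseline(root, excludes=())     # what `aide --init` would record
    Path(hosts).write_text("127.0.0.1 localhost\n192.0.2.10 rogue\n")   # content change
    Path(os.path.join(root, "dropped")).write_text("unexpected file\n")  # new file
    return hosts, compare(baseline, build_baseline(root, excludes=()))  # `aide --check`
```

Because the file is rewritten in place, only size and content hashes change while inode, owner and permissions stay the same, which is exactly the attribute-level detail an AIDE report gives you.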