Installing and configuring a host-based Intrusion Detection System (IDS) on CentOS
One of the first security measures system administrators want to deploy on production servers is detection of file tampering: not only changes to file content, but also changes to file attributes.
AIDE (Advanced Intrusion Detection Environment) is an open source host-based intrusion detection system. AIDE checks the integrity of system binaries and essential configuration files by looking for inconsistencies in a large set of file attributes: permissions, file type, inode, number of links, link name, user, group, file size, block count, modification time, access time, creation time, ACL, SELinux security context, xattrs, and md5/sha checksums.
AIDE builds a database of file attributes by scanning the file system of a Linux server that has not yet been tampered with. Later, the server's current file attributes are compared against that database, and while the server is running AIDE warns about every file whose recorded attributes have changed. For this reason, AIDE must re-index the protected files after the system is updated or its configuration files are legitimately modified.
Some customers may require, under their security policies, that an intrusion detection system be installed on their servers. Whether or not a customer requires it, deploying an intrusion detection system is generally good practice for a system administrator.
Install AIDE on CentOS or RHEL
The initial installation of AIDE (and its first run) is best done right after the system is installed, before any services are exposed to the Internet or even to the LAN. At this early stage we minimize the risk of intrusion and damage from outside; in fact, this is the only way to be reasonably sure that the system is clean when AIDE builds its initial database. (LCTT note: of course, if your installation source itself has security risks, you cannot create a trusted baseline.)
For the above reason, right after installing the system we run the following command to install AIDE:
# yum install aide
We then need to disconnect the machine from the network and carry out the basic configuration tasks described below.
Configure AIDE
The default configuration file is /etc/aide.conf. This file defines several example protection rules (such as FIPSR, NORMAL, DIR, DATAONLY). Each rule name is followed by an equals sign and a list of file attributes to check, or of other predefined rules, joined with +. You can define your own rules in the same format.
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
NORMAL = FIPSR+sha512
For example, the NORMAL rule above checks for inconsistencies in the following attributes: permissions (p), inode (i), number of links (n), user (u), group (g), size (s), modification time (m), creation time (c), ACL (acl), SELinux context (selinux), extended attributes (xattrs), and SHA256/SHA512 checksums (sha256 and sha512).
The defined rules can then be applied flexibly to different directories and files (expressed as regular expressions).
An exclamation mark (!) in front of an entry tells AIDE to ignore that subdirectory (or the files in a directory) that a rule for the parent directory would otherwise cover.
In the example above, PERMS is the default rule for /etc and its subdirectories and files. However, no rule is applied to backup files in /etc (such as /etc/.*~) or to /etc/mtab: they are ignored. For other selected subdirectories or files in /etc, the NORMAL rule replaces the default rule PERMS.
Defining the right rules and applying them to the right places in the system is the hardest part of using AIDE, but good judgment is a good start. As a first rule, do not check unnecessary attributes. For example, checking the modification time of files in /var/log or /var/spool produces a large number of false positives, because many applications and daemons write there constantly, and none of that is a problem. Also, checking several checksums may strengthen security, but AIDE's running time increases accordingly.
Optionally, if you set the MAILTO variable to an email address, the check results can be sent to your mailbox. Put the following line anywhere in /etc/aide.conf:
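The rule definitions and selection lines discussed above fit together as in the following added example, which is not the article's own configuration: a small script writes an assumed /etc/aide.conf (the database paths, the PERMS rule body and the /etc selection lines are my assumptions, patterned on the CentOS default), counts the rule, include and exclude lines it contains, and syntax-checks it with `aide --config-check` when the aide binary is installed. Note that `aide --init` and `aide --update` write the new database to the database_out path, which you then move over the database path before the next check.

```shell
#!/bin/sh
# Added example (not from the original article): writes an assumed
# aide.conf illustrating rule definitions and selection lines.
# The DBDIR paths and the PERMS/DATAONLY rule bodies are assumptions.
set -eu

# write_aide_conf <path>: write the example configuration to <path>.
write_aide_conf() {
    cat > "$1" <<'EOF'
# Database AIDE reads during --check, and the one --init/--update write.
@@define DBDIR /var/lib/aide
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
gzip_dbout=yes

# Rule definitions: name = attributes (or other rules) joined with '+'.
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
NORMAL = FIPSR+sha512
PERMS = p+i+u+g+acl+selinux+xattrs
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256

# Selection lines: a regular expression, then the rule to apply.
/boot   NORMAL
/etc    PERMS
# '!' excludes a path: editor backup files and mtab change constantly.
!/etc/.*~
!/etc/mtab$
# More specific lines replace the PERMS default for parts of /etc.
/etc/.*\.conf$  NORMAL
/etc/ssh        NORMAL
# Log and spool directories churn: check ownership and mode, not content.
/var/log   p+u+g+acl+selinux+xattrs
/var/spool p+u+g+acl+selinux+xattrs
EOF
}

# count_lines_of_kind <path> <kind>: count rule, include or exclude lines.
count_lines_of_kind() {
    case "$2" in
        rule)    grep -Ec '^[A-Z]+ *=' "$1" ;;
        exclude) grep -Ec '^!' "$1" ;;
        include) grep -Ec '^/' "$1" ;;
    esac
}

main() {
    tmp=$(mktemp)
    write_aide_conf "$tmp"
    echo "rules:    $(count_lines_of_kind "$tmp" rule)"
    echo "includes: $(count_lines_of_kind "$tmp" include)"
    echo "excludes: $(count_lines_of_kind "$tmp" exclude)"
    # Syntax-check with the real tool when it is installed.
    if command -v aide >/dev/null 2>&1; then
        aide --config="$tmp" --config-check || echo "config check failed"
    fi
    rm -f "$tmp"
}

main "$@"
```

The PERMS rule deliberately omits size, mtime and checksums, so routine edits to files under /etc that are not covered by a more specific line only raise an alert when ownership, mode, inode or security labels change.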
MAILTO=root@localhost
Run AIDE for the first time
Run the following command to initialize the AIDE database:
# aide --init
The database file /var/lib/aide/aide.db.new.gz that this produces (the path is set in /etc/aide.conf) must be renamed to /var/lib/aide/aide.db.gz so that AIDE can read it:
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Now it is time to compare the system against the database for the first time. The task is simple; just run:
# aide
If no option is given, AIDE assumes the --check option.
If the system has not been modified since the database was created, AIDE ends the check with an OK message.
Manage AIDE in production environment
After building the initial AIDE database, you will regularly need to update the protected server for legitimate reasons as part of routine system administration. After each such update, you must rebuild the AIDE database so that its contents are current. To do this, run:
# aide --update
To protect production systems with AIDE, it is better to run AIDE periodically from a scheduled task that checks for inconsistencies. For example, to run AIDE once a day and send the result by email:
# crontab -e
0 0 * * * /usr/sbin/aide --check | /usr/bin/mail -s "AIDE run for $HOSTNAME" your@email.com
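The crontab line above mails a report every night whether or not anything changed, so real alerts are easy to overlook. The following added wrapper (my example, not part of the article) mails only when AIDE reports differences or fails, and decodes AIDE's exit status in the subject line: 0 means no differences, bits 1, 2 and 4 flag new, removed and changed entries and may be combined, and 14 and above are errors, as the aide(1) manual page documents. MAILTO_ADDR, AIDE_BIN and REPORT are assumed names you can override from the environment.

```shell
#!/bin/sh
# Added example (not from the original article): cron-friendly wrapper
# around `aide --check`. The variable names and default paths are assumptions.
MAILTO_ADDR="${MAILTO_ADDR:-root@localhost}"
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
REPORT="${REPORT:-/var/log/aide/aide-cron.log}"

# describe_aide_status <code>: translate AIDE's exit status into words.
# 0 = no differences; bits 1/2/4 = new/removed/changed entries, OR-ed
# together; 14 and above = AIDE itself failed (config, I/O, ...).
describe_aide_status() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "no changes"
        return
    fi
    if [ "$code" -ge 14 ]; then
        echo "error (exit status $code)"
        return
    fi
    out=""
    [ $((code & 1)) -ne 0 ] && out="${out}new,"
    [ $((code & 2)) -ne 0 ] && out="${out}removed,"
    [ $((code & 4)) -ne 0 ] && out="${out}changed,"
    echo "${out%,}"
}

# run_check: run AIDE, keep the full report on disk, and mail it only
# when the status is non-zero (differences found or AIDE failed).
run_check() {
    mkdir -p "$(dirname "$REPORT")"
    "$AIDE_BIN" --check > "$REPORT" 2>&1
    status=$?
    summary=$(describe_aide_status "$status")
    if [ "$status" -ne 0 ]; then
        mail -s "AIDE on $(hostname): $summary" "$MAILTO_ADDR" < "$REPORT"
    fi
    return "$status"
}

# Invoke as `aide-cron.sh --run` from crontab; without the flag the script
# only defines the functions, so it can be sourced and inspected safely.
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

Because the wrapper preserves AIDE's exit status, cron (or a monitoring agent) can still treat a non-zero exit as a failed job, and the full report stays on disk for incident triage even when mail delivery fails.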
Test how AIDE checks for file tampering
The following test scenarios demonstrate how AIDE checks file integrity.
Test scenario 1
Let's add a new file (such as /etc/fake).
# cat /dev/null > /etc/fake
Test scenario 2
Let's modify a file's permissions and see whether this is detected.
# chmod 644 /etc/aide.conf
Test scenario 3
Finally, let's modify a file's content (for example, append a comment line to /etc/aide.conf).
# echo "# This is a comment" >> /etc/aide.conf
In the AIDE report for these changes, the first column shows the file attribute, the second column the value stored in the AIDE database, and the third column the current value. A blank in the third column means that the attribute has not changed (such as the ACL in this example).
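To make the baseline-then-compare idea behind `aide --init` and `aide --check` concrete without touching a real /etc, here is an added example (my own script, not AIDE's code and not from the article) that replays the three test scenarios above in a scratch directory. It records mode, owner, group, size and SHA-256 for every regular file, then reports added, removed and changed entries and, for changed ones, which attributes differ. It assumes GNU `stat -c` and `sha256sum`, as found on CentOS.

```shell
#!/bin/sh
# Added example (not from the original article, not AIDE's own code):
# a minimal baseline-and-compare in the spirit of aide --init / --check.
set -eu

# snapshot <dir> <dbfile>: record attributes of every regular file under <dir>.
# One line per file: "<relative path>\t<mode> <uid> <gid> <size> <sha256>".
snapshot() {
    dir=$1; db=$2
    : > "$db"
    find "$dir" -type f | sort | while IFS= read -r f; do
        attrs=$(stat -c '%a %u %g %s' "$f")        # GNU coreutils syntax
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s\t%s %s\n' "${f#$dir/}" "$attrs" "$sum" >> "$db"
    done
}

# compare <baseline-db> <current-db>: print one line per difference.
#   added: <path> | removed: <path> | changed: <path> <attr>[,<attr>...]
compare() {
    awk -F'\t' '
        FILENAME == ARGV[1] { old[$1] = $2; next }     # baseline entries
        {
            seen[$1] = 1
            if (!($1 in old)) { print "added: " $1; next }
            if (old[$1] == $2) next
            split(old[$1], a, " "); split($2, b, " ")
            n = split("mode uid gid size sha256", names, " ")
            diff = ""
            for (i = 1; i <= n; i++)
                if (a[i] != b[i]) diff = diff (diff == "" ? "" : ",") names[i]
            print "changed: " $1 " " diff
        }
        END { for (p in old) if (!(p in seen)) print "removed: " p }
    ' "$1" "$2"
}

# demo: constructed scratch tree that replays the article's three tests.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc"
    printf 'database=file:/var/lib/aide/aide.db.gz\n' > "$root/etc/aide.conf"
    printf '127.0.0.1 localhost\n' > "$root/etc/hosts"
    chmod 600 "$root/etc/aide.conf"
    snapshot "$root" "$root.db"                 # like aide --init, then mv
    : > "$root/etc/fake"                        # test 1: new file
    chmod 644 "$root/etc/aide.conf"             # test 2: permission change
    echo "# This is a comment" >> "$root/etc/aide.conf"   # test 3: content
    snapshot "$root" "$root.db.new"
    compare "$root.db" "$root.db.new"           # like aide --check
    rm -rf "$root" "$root.db" "$root.db.new"
}

demo
```

Running it prints `changed: etc/aide.conf mode,size,sha256` and `added: etc/fake`; uid and gid are untouched, just as the ACL column stays blank in the real AIDE report. Unlike AIDE, this toy keeps its baseline on the same host with no integrity protection of its own, which is exactly why the article insists on building the real database before the machine is exposed to the network.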
Conclusion
If you have good reason to believe that a system has been compromised but at first glance cannot tell what has been changed, a host-based intrusion detection system like AIDE is very helpful: it quickly identifies what has changed instead of leaving you to waste valuable time guessing.