Configure a host-based Intrusion Detection System (IDS) on CentOS
One of the first security measures that system administrators want to deploy on their production servers is detection of file tampering: not only changes to file content, but also to file attributes.
AIDE (Advanced Intrusion Detection Environment) is an open source host-based intrusion detection system. AIDE checks the integrity of system binaries and essential configuration files by looking for inconsistencies in the attributes of a large number of files. These attributes include permissions, file type, inode, number of links, link name, user, group, file size, block count, modification time, access time, creation time, ACL, SELinux security context, xattrs, and one or more md5/sha checksums.
AIDE builds a database of file attributes by scanning the file system of a Linux server that has not been tampered with. From then on, the attributes of the server's files are compared against that database, and while the server is running AIDE warns about every file whose index has changed. For this reason, AIDE must re-index the protected files after the system is updated or its configuration files are legitimately modified.
Some customers, following their own security policies, may require that an intrusion detection system be installed on their servers. But whether or not a customer requires it, deploying an intrusion detection system is usually good practice for a system administrator.
Install AIDE on CentOS or RHEL
The initial installation of AIDE (and its first run) is best done right after the operating system is installed, before any service is exposed to the Internet or even to the LAN. At this early stage we minimize the risk of intrusion and tampering from outside. In fact, this is the only way to be sure that the system is clean when AIDE builds its initial database. (LCTT note: of course, if your installation source itself is compromised, you cannot build a trustworthy database either.)
For that reason, immediately after installing the system we run the following command to install AIDE:
- # yum install aide
Then we disconnect the machine from the network and carry out the basic configuration tasks described below.
Configure AIDE
The default configuration file is /etc/aide.conf. This file introduces several example protection rules (such as FIPSR, NORMAL, DIR and DATAONLY). Each rule name is followed by an equals sign and a list of the file attributes to be checked, or of other predefined rules, joined with +. You can define your own rules in the same format.
- FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
- NORMAL = FIPSR+sha512
For example, the NORMAL rule above checks for inconsistencies in the following attributes: permissions (p), inode (i), number of links (n), user (u), group (g), size (s), modification time (m), creation time (c), ACL (acl), SELinux context (selinux), extended attributes (xattrs), and SHA256/SHA512 checksums (sha256 and sha512).
The defined rules can then be applied flexibly to different directories and files (expressed as regular expressions).
An exclamation mark (!) in front of an entry tells AIDE to ignore that subdirectory (or the files in a directory); a different rule can then be defined for it.
In the example configuration, PERMS is the default rule for /etc and its subdirectories and files. However, no rule is applied to backup files in /etc (such as /etc/.*~), and none to the /etc/mtab file. For some other selected subdirectories or files in /etc, the NORMAL rule replaces the default rule PERMS.
Defining the right rules and applying them to the right places in the system is the hardest part of using AIDE, but good judgment is a good start. As a rule of thumb, do not check attributes you do not need. For example, checking the modification time of files in /var/log or /var/spool produces a large number of false positives, because many applications and daemons constantly and legitimately write to those locations. Likewise, checking more than one checksum may improve security, but AIDE's run time grows accordingly.
Optionally, if you specify an email address with the MAILTO variable, the check results can be sent to your mailbox. Place the following line anywhere in /etc/aide.conf:
- MAILTO=root@localhost
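The rule definitions and their application to /etc, written out in aide.conf syntax, as an added illustration that is not the page's own configuration nor the exact CentOS package default; the PERMS and LOGS definitions, the database lines and the /etc/exports, /etc/fstab, /var/log and /var/spool entries are assumed as representative values:

```conf
# Where the database is read from (--check) and written to (--init)
@@define DBDIR /var/lib/aide
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz

# Rule definitions: each is a +-joined list of attributes or other rules
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
NORMAL = FIPSR+sha512
PERMS = p+i+u+g+acl+selinux
# Assumed rule for busy directories: no mtime, size or checksum, which change legitimately
LOGS = p+u+g+acl+selinux

# Default rule for /etc and everything below it
/etc    PERMS

# A leading ! excludes the match: editor backup files and the volatile mtab
!/etc/.*~
!/etc/mtab

# Selected files in /etc get the stronger NORMAL rule instead of PERMS
/etc/exports  NORMAL
/etc/fstab    NORMAL

# Directories that daemons write to constantly get the lighter rule
/var/log    LOGS
/var/spool  LOGS
```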
Run AIDE for the first time
Run the following command to initialize the AIDE database:
- # aide --init
The file /var/lib/aide/aide.db.new.gz generated from /etc/aide.conf must be renamed to /var/lib/aide/aide.db.gz so that AIDE can read it:
- # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Now it is time to check our system against the database for the first time. The task is simple; just run:
- # aide
When run without options, AIDE assumes the --check option.
If the system has not been modified since the database was created, AIDE finishes the check with an OK message.
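The first-run steps above (init, rename, check) wrapped in shell functions that a cron job can reuse, as an added example rather than anything from the article; the exit-status decoding follows the aide(1) manual (1 = added, 2 = removed, 4 = changed, OR-ed together; 14 and above are errors), and the log path is an assumption:

```shell
#!/bin/sh
# Added example: wraps the article's first-run workflow and decodes aide's exit status.
AIDE_DB_DIR=/var/lib/aide            # database directory named in the article
AIDE_LOG=/var/log/aide/check.log     # assumed log location

# Turn an aide --check exit status into a one-line verdict.
# Returns 0 for no changes, 1 for reported changes, 2 for an aide error.
aide_status_text() {
  rc=$1
  if [ "$rc" -eq 0 ]; then
    echo "OK: no changes"
    return 0
  fi
  if [ "$rc" -ge 14 ]; then
    echo "ERROR: aide failed with status $rc"
    return 2
  fi
  out=""
  [ $((rc & 1)) -ne 0 ] && out="$out added"
  [ $((rc & 2)) -ne 0 ] && out="$out removed"
  [ $((rc & 4)) -ne 0 ] && out="$out changed"
  echo "CHANGES:$out"
  return 1
}

# First run: build the database and move it to the name aide reads (article steps).
aide_first_run() {
  aide --init || return $?
  mv "$AIDE_DB_DIR/aide.db.new.gz" "$AIDE_DB_DIR/aide.db.gz"
}

# Periodic check (aide with no option would default to --check as well).
aide_check() {
  aide --check > "$AIDE_LOG" 2>&1
  aide_status_text $?
}

# Usage: run aide_first_run once on the clean system, then aide_check from cron
# and act on its return value (1 means review $AIDE_LOG).
```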