Project background:
AIDE (Advanced Intrusion Detection Environment) is an open-source host-based intrusion detection system. AIDE checks the integrity of system binaries and core configuration files by comparing a large set of file attributes against a known-good record: permissions, file type, inode, link count, link name, user, group, file size, block count, modification time, access time, change time (ctime), ACLs, SELinux security context, extended attributes (xattrs), and MD5/SHA checksums.
AIDE builds a file-attribute database by scanning the file system of a (still unmodified) Linux server; later runs compare the server's current file attributes against that database and report every indexed file that has changed. For this reason, the database must be re-initialised after the system is updated or after a configuration file is legitimately modified, otherwise those changes will be reported as well.
Lab environment:
VMware Workstation 11
CentOS 6.5
Server IP: 192.168.0.57
aide-0.14-7.el6.x86_64
SecureCRT (SSH remote connection software)
The baseline should be built on a freshly installed, still-clean system!
Experimental process
1. Install the software
# yum install aide -y
2. Once the download has succeeded, shut down the network so nothing changes on the host while the baseline is built
# service network stop
3. Initialise the AIDE database
# aide --init
AIDE, version 0.14
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
4. Rename the database file, otherwise aide cannot read it
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
5. Check the system
Run aide with no arguments at the command line (the check takes a long time)
# aide
AIDE found differences between database and filesystem!!
Start timestamp: 2016-03-22 03:09:05
Summary:
  Total number of files: 85618
  Added files: 0
  Removed files: 0
  Changed files: 39
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /usr/sbin
changed: /usr/libexec
changed: /usr/libexec/openssh
changed: /usr/libexec/gnome-screensaver
changed: /usr/libexec/awk
changed: /usr/libexec/gcc/x86_64-redhat-linux/4.4.4
changed: /usr/libexec/gnome-applets
changed: /usr/libexec/gstreamer-0.10
changed: /usr/libexec/file-roller
changed: /usr/libexec/polkit-1
changed: /usr/libexec/utempter
changed: /usr/libexec/pulse
changed: /usr/libexec/getconf
changed: /usr/libexec/webkitgtk
changed: /usr/lib/cups/driver
changed: /usr/lib/cups/filter
changed: /usr/lib64
changed: /usr/lib64/nspluginwrapper
changed: /usr/lib64/vte
changed: /usr/lib64/firefox
changed: /usr/lib64/seahorse
changed: /usr/lib64/pm-utils/bin
changed: /usr/lib64/udev
changed: /usr/lib64/gnome-session/helpers
changed: /usr/lib64/nss/unsupported-tools
changed: /usr/lib64/libv4l
changed: /usr/lib64/libgphoto2
changed: /usr/lib64/festival/etc
changed: /usr/lib64/perl5/core
changed: /usr/lib64/sa
changed: /usr/lib64/xulrunner
changed: /usr/lib64/gthumb
changed: /usr/lib64/hal/scripts
changed: /usr/bin
changed: /lib/udev
changed: /lib64
changed: /lib64/dbus-1
changed: /bin
changed: /sbin
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /usr/sbin
  Mtime: 2016-03-22 02:44:18, 2016-03-22 02:57:45
  Ctime: 2016-03-22 02:44:18, 2016-03-22 02:57:45
Directory: /usr/libexec
  Mtime: 2016-03-22 02:44:34, 2016-03-22 02:58:06
  Ctime: 2016-03-22 02:44:34, 2016-03-22 02:58:06
Directory: /usr/libexec/openssh
  Mtime: 2016-03-22 02:44:35, 2016-03-22 02:58:06
  Ctime: 2016-03-22 02:44:35, 2016-03-22 02:58:06
Directory: /usr/libexec/gnome-screensaver
  Mtime: 2016-03-22 02:44:35, 2016-03-22 02:58:07
  Ctime: 2016-03-22 02:44:35, 2016-03-22 02:58:07
Directory: /usr/libexec/awk
  Mtime: 2016-03-22 02:44:35, 2016-03-22 02:58:07
  Ctime: 2016-03-22 02:44:35, 2016-03-22 02:58:07
Directory: /usr/libexec/gcc/x86_64-redhat-linux/4.4.4
  Mtime: 2016-03-22 02:44:36, 2016-03-22 02:58:08
  Ctime: 2016-03-22 02:44:36, 2016-03-22 02:58:08
Directory: /usr/libexec/gnome-applets
  Mtime: 2016-03-22 02:44:36, 2016-03-22 02:58:08
  Ctime: 2016-03-22 02:44:36, 2016-03-22 02:58:08
Directory: /usr/libexec/gstreamer-0.10
  Mtime: 2016-03-22 02:44:36, 2016-03-22 02:58:08
  Ctime: 2016-03-22 02:44:36, 2016-03-22 02:58:08
Directory: /usr/libexec/file-roller
  Mtime: 2016-03-22 02:44:36, 2016-03-22 02:58:08
  Ctime: 2016-03-22 02:44:36, 2016-03-22 02:58:08
Directory: /usr/libexec/polkit-1
  Mtime: 2016-03-22 02:44:36, 2016-03-22 02:58:08
  Ctime: 2016-03-22 02:44:36, 2016-03-22 02:58:08
Directory: /usr/libexec/utempter
  Mtime: 2016-03-22 02:44:36, 2016-03-22 02:58:08
  Ctime: 2016-03-22 02:44:36, 2016-03-22 02:58:08
Directory: /usr/libexec/pulse
  Mtime: 2016-03-22 02:44:36, 2016-03-22 02:58:09
  Ctime: 2016-03-22 02:44:36, 2016-03-22 02:58:09
Directory: /usr/libexec/getconf
  Mtime: 2016-03-22 02:44:36, 2016-03-22 02:58:09
  Ctime: 2016-03-22 02:44:36, 2016-03-22 02:58:09
Directory: /usr/libexec/webkitgtk
  Mtime: 2016-03-22 02:44:38, 2016-03-22 02:58:10
  Ctime: 2016-03-22 02:44:38, 2016-03-22 02:58:10
Directory: /usr/lib/cups/driver
  Mtime: 2016-03-22 02:44:38, 2016-03-22 02:58:11
  Ctime: 2016-03-22 02:44:38, 2016-03-22 02:58:11
Directory: /usr/lib/cups/filter
  Mtime: 2016-03-22 02:44:39, 2016-03-22 02:58:12
  Ctime: 2016-03-22 02:44:39, 2016-03-22 02:58:12
Directory: /usr/lib64
  Mtime: 2016-03-22 02:45:51, 2016-03-22 02:59:15
  Ctime: 2016-03-22 02:45:51, 2016-03-22 02:59:15
Directory: /usr/lib64/nspluginwrapper
  Mtime: 2016-03-22 02:45:52, 2016-03-22 02:59:16
  Ctime: 2016-03-22 02:45:52, 2016-03-22 02:59:16
Directory: /usr/lib64/vte
  Mtime: 2016-03-22 02:46:05, 2016-03-22 02:59:31
  Ctime: 2016-03-22 02:46:05, 2016-03-22 02:59:31
Directory: /usr/lib64/firefox
  Mtime: 2016-03-22 02:46:10, 2016-03-22 02:59:36
  Ctime: 2016-03-22 02:46:10, 2016-03-22 02:59:36
Directory: /usr/lib64/seahorse
  Mtime: 2016-03-22 02:46:12, 2016-03-22 02:59:39
  Ctime: 2016-03-22 02:46:12, 2016-03-22 02:59:39
Directory: /usr/lib64/pm-utils/bin
  Mtime: 2016-03-22 02:46:12, 2016-03-22 02:59:39
  Ctime: 2016-03-22 02:46:12, 2016-03-22 02:59:39
Directory: /usr/lib64/udev
  Mtime: 2016-03-22 02:46:12, 2016-03-22 02:59:39
  Ctime: 2016-03-22 02:46:12, 2016-03-22 02:59:39
Directory: /usr/lib64/gnome-session/helpers
  Mtime: 2016-03-22 02:46:13, 2016-03-22 02:59:40
  Ctime: 2016-03-22 02:46:13, 2016-03-22 02:59:40
Directory: /usr/lib64/nss/unsupported-tools
  Mtime: 2016-03-22 02:46:14, 2016-03-22 02:59:41
  Ctime: 2016-03-22 02:46:14, 2016-03-22 02:59:41
Directory: /usr/lib64/libv4l
  Mtime: 2016-03-22 02:46:15, 2016-03-22 02:59:42
  Ctime: 2016-03-22 02:46:15, 2016-03-22 02:59:42
Directory: /usr/lib64/libgphoto2
  Mtime: 2016-03-22 02:46:15, 2016-03-22 02:59:42
  Ctime: 2016-03-22 02:46:15, 2016-03-22 02:59:42
Directory: /usr/lib64/festival/etc
  Mtime: 2016-03-22 02:46:17, 2016-03-22 02:59:44
  Ctime: 2016-03-22 02:46:17, 2016-03-22 02:59:44
Directory: /usr/lib64/perl5/core
  Mtime: 2016-03-22 02:46:18, 2016-03-22 02:59:45
  Ctime: 2016-03-22 02:46:18, 2016-03-22 02:59:45
Directory: /usr/lib64/sa
  Mtime: 2016-03-22 02:46:20, 2016-03-22 02:59:47
  Ctime: 2016-03-22 02:46:20, 2016-03-22 02:59:47
Directory: /usr/lib64/xulrunner
  Mtime: 2016-03-22 02:46:27, 2016-03-22 02:59:53
  Ctime: 2016-03-22 02:46:27, 2016-03-22 02:59:53
Directory: /usr/lib64/gthumb
  Mtime: 2016-03-22 02:46:27, 2016-03-22 02:59:54
  Ctime: 2016-03-22 02:46:27, 2016-03-22 02:59:54
Directory: /usr/lib64/hal/scripts
  Mtime: 2016-03-22 02:46:27, 2016-03-22 02:59:54
  Ctime: 2016-03-22 02:46:27, 2016-03-22 02:59:54
Directory: /usr/bin
  Mtime: 2016-03-22 02:47:27, 2016-03-22 03:01:02
  Ctime: 2016-03-22 02:47:27, 2016-03-22 03:01:02
Directory: /lib/udev
  Mtime: 2016-03-22 02:54:03, 2016-03-22 03:07:19
  Ctime: 2016-03-22 02:54:03, 2016-03-22 03:07:19
Directory: /lib64
  Mtime: 2016-03-22 02:54:09, 2016-03-22 03:07:25
  Ctime: 2016-03-22 02:54:09, 2016-03-22 03:07:25
Directory: /lib64/dbus-1
  Mtime: 2016-03-22 02:54:10, 2016-03-22 03:07:26
  Ctime: 2016-03-22 02:54:10, 2016-03-22 03:07:26
Directory: /bin
  Mtime: 2016-03-22 02:54:13, 2016-03-22 03:07:30
  Ctime: 2016-03-22 02:54:13, 2016-03-22 03:07:30
Directory: /sbin
  Mtime: 2016-03-22 02:54:20, 2016-03-22 03:07:36
  Ctime: 2016-03-22 02:54:20, 2016-03-22 03:07:36
As you can see, the check produces a lot of output! Every entry reported here is a directory whose Mtime and Ctime differ from the baseline; no file checksums changed.
Summary: AIDE is an open-source intrusion detection system, and I believe you will find a use for it in your own production environment!
Knowledge is meant to be shared. Thank you all.
This article is from the "Make a few" blog; please keep this source link: http://9399369.blog.51cto.com/9389369/1754025
Configuring a host-based intrusion detection system (IDS) on CentOS 6.5
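To make steps 3 to 5 above repeatable from cron, here is an added shell script (my own example, not code from the original post or from the AIDE project) that wraps the baseline and check commands and parses the Summary block of an AIDE report, so a caller can tell a clean run from one with differences. It assumes the CentOS 6 default database paths used in the post; the sample report embedded at the end is constructed to match the shape of the Summary block shown above.

```shell
#!/bin/sh
# Added example, not from the original post or the AIDE project: wraps the
# baseline/check steps from the post and parses the Summary block of an
# AIDE report. Paths are the CentOS 6 defaults the post uses.
AIDE_DB=/var/lib/aide/aide.db.gz
AIDE_DB_NEW=/var/lib/aide/aide.db.new.gz

# Steps 3 and 4: build the baseline, then install it under the name aide
# reads. Refuses to clobber an existing baseline; database is root-only.
aide_baseline() {
    [ -e "$AIDE_DB" ] && { echo "baseline $AIDE_DB exists; remove it first" >&2; return 1; }
    aide --init && mv "$AIDE_DB_NEW" "$AIDE_DB" && chmod 0600 "$AIDE_DB"
}

# Print the first "<Kind> files:<N>" counter found in the report on stdin.
# The bare "Changed files:" section heading has no number and is skipped.
aide_count() {
    sed -n "s/^[[:space:]]*$1 files:[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Print "added removed changed" for the report on stdin (missing fields -> 0).
aide_summary_counts() {
    report=$(cat)
    a=$(printf '%s\n' "$report" | aide_count Added)
    r=$(printf '%s\n' "$report" | aide_count Removed)
    c=$(printf '%s\n' "$report" | aide_count Changed)
    printf '%s %s %s\n' "${a:-0}" "${r:-0}" "${c:-0}"
}

# Succeed only when the report on stdin shows no added/removed/changed files.
aide_report_is_clean() {
    set -- $(aide_summary_counts)
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -eq 0 ]
}

# Step 5: run the check, keep the full report, and return 0 only if it is
# clean. The verdict comes from the parsed summary, not aide's exit status.
aide_check() {
    log=${1:-/var/log/aide-check.$(date +%Y%m%d%H%M%S).log}
    aide --check >"$log" 2>&1
    aide_report_is_clean <"$log"
}

# Constructed sample, shaped like the Summary block in the post's output.
SAMPLE_REPORT='Summary:
  Total number of files:85618
  Added files:0
  Removed files:0
  Changed files:39
Changed files:
changed: /usr/sbin'
printf '%s\n' "$SAMPLE_REPORT" | aide_summary_counts   # prints: 0 0 39
```

Keep the baseline database (and ideally the aide binary and its config) on read-only or offline media, since anyone able to alter the monitored files can usually also rewrite a database stored on the same disk.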