Host-Based Intrusion Detection System (IDS)
Experimental Linux distribution: CentOS
Application background: as system administrators, we need a security mechanism such as file tampering detection.
So what exactly does it detect? File contents and file attributes.
AIDE is short for Advanced Intrusion Detection System.
How is this achieved? AIDE builds a file attribute database by scanning the file system of a Linux server that has not been tampered with.
The server's file attributes are stored in that database; on later checks, AIDE compares the current attributes against it and issues a warning for every file that has been modified.
From this it follows that the initial AIDE database must be built while the system is still clean.
So, right after the system is installed, no service should be exposed to the Internet or even to the LAN.
Steps: install the system -> disconnect the network -> install the AIDE service from the console -> configure it
Install the AIDE package on the server:
# yum install aide
The default configuration file is /etc/aide.conf.
The main protection rules defined in the configuration file are: FIPSR, NORMAL, DIR, DATAONLY.
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
The attribute letters mean:
permissions: p, inode: i, number of links: n, user: u
group: g, size: s, modification time: m, change time (ctime): c
ACL: acl, SELinux context: selinux, extended attributes: xattrs
SHA256/SHA512 checksums: sha256 and sha512
An exclamation point (!) in front of an entry tells AIDE to ignore that file or directory, including its subdirectories.
Run AIDE for the first time
First, initialize the AIDE database:
# aide --init
The file /var/lib/aide/aide.db.new.gz generated according to /etc/aide.conf must be renamed to /var/lib/aide/aide.db.gz before it can be used as the baseline.
First check
# aide
Running aide with no argument uses the --check option by default and reports every file whose attributes differ from the database.
Update the AIDE database
# aide --update
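To make the mechanism concrete, here is an added example (not part of the original post and not AIDE's own code) that reimplements the core of the FIPSR rule: it records the p, i, n, u, g, s, m, c and sha256 attributes of every file under a directory into a baseline, then compares a later scan against that baseline and reports added, removed and changed files, honouring a `!`-style ignore list. The ACL, SELinux and xattrs attributes are left out because they need platform-specific calls; the `demo()` scenario is constructed in a temporary directory. As with AIDE's `--init` and `--update`, the new database only becomes the reference once you deliberately replace the old one with it.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def file_record(path):
    """Attributes mirrored from FIPSR (hypothetical helper, not AIDE code)."""
    st = os.lstat(path)
    rec = {"p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
           "u": st.st_uid, "g": st.st_gid, "s": st.st_size,
           "m": int(st.st_mtime), "c": int(st.st_ctime)}
    if stat.S_ISREG(st.st_mode):          # checksum only makes sense for regular files
        rec["sha256"] = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return rec

def build_db(root, ignore=()):
    """Walk root and record every entry; paths under an ignore prefix are skipped."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if any(rel == ig or rel.startswith(ig + os.sep) for ig in ignore):
                continue
            db[rel] = file_record(os.path.join(root, rel))
    return db

def compare(baseline, current):
    """Return (added, removed, changed); changed maps path -> differing attributes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in set(baseline) & set(current):
        diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel].get(k)]
        if diff:
            changed[rel] = diff
    return added, removed, changed

def demo():
    """Constructed scenario: take a baseline, then tamper with one file and add another."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "etc").mkdir()
        Path(root, "etc", "passwd").write_text("root:x:0:0\n")
        Path(root, "var", "log").mkdir(parents=True)
        Path(root, "var", "log", "messages").write_text("boot\n")
        ignore = ("var/log",)                                  # like '!/var/log' in aide.conf
        baseline = build_db(root, ignore)                      # equivalent of --init + rename
        Path(root, "etc", "passwd").write_text("root:x:0:0\nevil:x:0:0\n")   # tampered
        Path(root, "etc", "shadow").write_text("root:*\n")                    # new file
        Path(root, "var", "log", "messages").write_text("boot\nmore\n")       # ignored noise
        return compare(baseline, build_db(root, ignore))       # equivalent of --check
```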
Thank you ~~~~~
Configure a host-based Intrusion Detection System (IDS) on CentOS