How do I configure a host-based intrusion detection system on CentOS?

Source: Internet
Author: User

One of the first security measures any system administrator wants on a production server is a mechanism for detecting file tampering: intruders tamper with more than file content, they also change file attributes. AIDE (Advanced Intrusion Detection Environment) is an open source host-based intrusion detection system. AIDE checks the integrity of system binaries and essential configuration files by looking for changes in a long list of file attributes, including permissions, file type, inode number, number of links, link name, owner, group, size, block count, modification time (mtime), access time (atime), inode change time (ctime), access control lists (ACLs), SELinux security contexts, extended attributes (xattrs), and MD5/SHA checksums.

AIDE builds a database of file attributes by scanning the file system of a Linux server that has not yet been tampered with. Later runs compare the current attributes of the protected files against that database and report every difference. For the same reason, the database must be rebuilt whenever the system is updated or a configuration file is changed for a legitimate reason; otherwise every legitimate change shows up as an alert.

Some customers have a security policy that requires an intrusion detection system (IDS) on their servers. Even when no customer asks for one, deploying an IDS is good practice for a system administrator.

Installing AIDE

The initial installation of AIDE on CentOS or RHEL (and its first run) is best done on a freshly installed system, before any service is exposed to the Internet or even to the local network. At that early stage the risk of intrusion or tampering from outside is minimal; in fact, it is the only way to be reasonably sure the system is clean when AIDE builds its initial database.

For this reason, after installing AIDE with

    # yum install aide

disconnect the machine from the network and perform the basic configuration tasks described below.

Configuring AIDE

The default configuration file is /etc/aide.conf. It provides several example protection rules, such as FIPSR, NORMAL, DIR and DATAONLY. Each rule is a name, an equal sign, and a list of file attributes to check (or of previously defined rules), joined with +. Custom rules can be defined in the same format:

    FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
    NORMAL = FIPSR+sha512

Here the NORMAL rule checks for changes in the following attributes: permissions (p), inode (i), number of links (n), user (u), group (g), size (s), modification time (m), inode change time (c), access control list (acl), SELinux context (selinux), extended attributes (xattrs), and both a SHA-256 and a SHA-512 checksum (sha256 and sha512). Note that c is the inode change time, not a creation time. The rules, once defined, can be applied to different directories and files, which are selected with regular expressions.

An exclamation mark (!) in front of an entry tells AIDE to ignore the matching subdirectory (or the files in it); a separate entry can then assign a different rule to a subdirectory.

In the example configuration the article refers to, PERMS is the default rule for /etc and its subdirectories and files. No rule is applied to backup files in /etc (matched by /etc/.*~) or to /etc/mtab, so they are not checked at all. For a few selected subdirectories and files under /etc, the NORMAL rule is applied instead of the default PERMS.

Defining the right rules and applying them in the right places on the system is the hardest part of using AIDE, and good judgment is the best starting point. One rule of thumb is not to check attributes that do not need checking. For example, checking the modification time of files under /var/log or /var/spool will certainly produce a flood of false positives, since many applications and daemons write to those locations constantly. Conversely, checking several checksums per file does strengthen the check, but at the cost of longer AIDE runs.
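The rule definitions, the selection lines with ! in front of them, and the advice about not checking modification times under /var/log can be seen working together in a small model of how AIDE evaluates its configuration. The following Python script is an added example written for this page; it is not code from the article and not AIDE's own code. It re-implements the idea on a temporary directory tree standing in for /: a constructed aide.conf-style text is parsed into rules and selection lines, a baseline database is built, the tree is tampered with, and a second scan is compared against the baseline. The precedence model (a negative line excludes a path; otherwise the longest matching regex wins), the LOGPERMS rule name, and all file paths and contents are assumptions made for the demo; acl, selinux and xattrs are not modelled.

```python
import hashlib, os, re, shutil, stat, tempfile

# Constructed config, not AIDE's shipped file: PERMS/FIPSR/NORMAL follow the
# CentOS defaults minus acl/selinux/xattrs (not modelled here); LOGPERMS is a
# hypothetical rule invented for this demo.
CONFIG = """
PERMS = p+i+u+g
FIPSR = p+i+n+u+g+s+m+c+sha256
NORMAL = FIPSR+sha512
LOGPERMS = p+u+g
/etc PERMS
!/etc/.*~
/etc/ssh NORMAL
/usr/bin NORMAL
/var/log LOGPERMS
"""

def parse_config(text):
    """Return (rules, selections): name -> attrs, and [(negative, regex, attrs)]."""
    rules, selections = {}, []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("!"):                  # negative selection line
            selections.append((True, line[1:].strip(), None))
        elif line.startswith("/"):                # regex, then the rule to apply
            regex, rule = line.split()
            selections.append((False, regex, rules[rule]))
        elif line:                                # NAME = attr+attr+EARLIERRULE
            name, expr = (p.strip() for p in line.split("=", 1))
            rules[name] = set().union(*(rules.get(t.strip(), {t.strip()}) for t in expr.split("+")))
    return rules, selections

def select_attrs(path, selections):
    """Simplified precedence (an assumption, not AIDE's exact algorithm): a matching
    negative line excludes the path; else the longest matching regex (most specific) wins."""
    best = None
    for negative, regex, attrs in selections:
        if re.match(regex, path):
            if negative:
                return None
            if best is None or len(regex) > len(best[0]):
                best = (regex, attrs)
    return best[1] if best else None

def file_record(full, attrs):
    st = os.lstat(full)                           # only the attributes the rule asks for
    fields = {"p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink, "u": st.st_uid,
              "g": st.st_gid, "s": st.st_size, "m": st.st_mtime_ns, "c": st.st_ctime_ns}
    rec = {k: v for k, v in fields.items() if k in attrs}
    for algo in ("sha256", "sha512"):
        if algo in attrs and stat.S_ISREG(st.st_mode):
            with open(full, "rb") as fh:
                rec[algo] = hashlib.new(algo, fh.read()).hexdigest()
    return rec

def build_db(root, selections):
    """Scan root (standing in for /) the way 'aide --init' and 'aide --check' each do."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            virtual = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            attrs = select_attrs(virtual, selections)
            if attrs is not None:                 # None means excluded by a '!' line
                db[virtual] = file_record(full, attrs)
    return db

def compare(old, new):
    """Diff two databases into {'added': [...], 'removed': [...], 'changed': {path: attrs}}."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)), "changed": {}}
    for path in set(old) & set(new):
        diff = {k for k, v in old[path].items() if new[path].get(k) != v}
        if diff:
            report["changed"][path] = diff
    return report

def demo():
    root = tempfile.mkdtemp(prefix="aide-demo-")  # constructed tree, removed at the end
    def write(virtual, content, mode=0o644):
        full = os.path.join(root, virtual.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
        os.chmod(full, mode)
    write("/etc/hosts", "127.0.0.1 localhost\n")
    write("/etc/ssh/sshd_config", "PermitRootLogin no\n", 0o600)
    write("/usr/bin/tool", "#!/bin/sh\necho ok\n", 0o755)
    write("/var/log/messages", "boot ok\n")
    selections = parse_config(CONFIG)[1]
    baseline = build_db(root, selections)                    # like 'aide --init'
    os.chmod(os.path.join(root, "usr/bin/tool"), 0o4755)     # setuid bit added, content untouched
    for virtual, line in (("/etc/ssh/sshd_config", "PermitRootLogin yes\n"),
                          ("/etc/hosts", "10.0.0.1 evil\n"), ("/var/log/messages", "login ok\n")):
        with open(os.path.join(root, virtual.lstrip("/")), "a") as fh:
            fh.write(line)
    write("/etc/passwd~", "editor backup\n")                 # matched by the !/etc/.*~ line
    report = compare(baseline, build_db(root, selections))   # like 'aide --check'
    shutil.rmtree(root)
    return baseline, report
```

Running demo() reports /usr/bin/tool with only its permission attribute changed (the setuid bit is caught even though every checksum still matches), /etc/ssh/sshd_config with size and both checksums changed, nothing for /var/log/messages (its rule has no size, mtime or checksum, so routine appends are quiet), and nothing for the new /etc/passwd~ (excluded). It also shows the caveat behind the /etc PERMS default: the appended line in /etc/hosts is invisible, because PERMS carries no size or checksum attribute, which is why the stock CentOS configuration adds NORMAL lines for specific files under /etc. With the real tool the equivalent steps are aide --init, copying /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz, aide --check for each later run, and aide --update after legitimate changes.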

Also, if you use the mailto variable to specify an e-mail address, the check results can be sent to your mailbox. Place the following line anywhere in /etc/aide.conf.

    • This article is from: Hobby Linux Technology Network
    • This article link: http://www.ahlinux.com/safe/22787.html
