I. AIDE Introduction
AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection tool that checks the integrity of files.
AIDE builds a database for the files you specify and reads its configuration from aide.conf. The database stores a range of attributes for each file, and the checksum recorded for each file is computed with one or more of the algorithms sha1, md5, rmd160 and tiger. The system administrator should create the initial AIDE database: this first database is a snapshot of the system and the baseline against which later checks (and later system upgrades) are compared. It should not record files that change frequently, such as log files, mail spools, the /proc filesystem, user home directories and temporary directories.
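The paragraph above describes the principle AIDE works on: hash the monitored files once into a database, then compare the live system against that snapshot and report what differs, leaving volatile directories out of both. The following script is an added illustration of that principle in POSIX sh with sha1sum; it is not code from the article and not AIDE's own code. Every file it touches is constructed under a temporary directory, and the excluded "log" directory stands in for the log, mail, /proc and temp locations the text says to leave out.

```shell
#!/bin/sh
# Added example, not from the article and not AIDE's own code: a minimal
# baseline-and-check loop built on sha1sum. It hashes a tree once into a
# database (the baseline), then compares the live tree against it and
# reports added, removed and modified files. The "log" directory is
# excluded from both snapshots, so changes there produce no report.

# snapshot ROOT: print "<sha1>  <relative path>" for every regular file
# under ROOT except the excluded log directory, sorted by path.
snapshot() {
    ( cd "$1" && find . -type f ! -path './log/*' -exec sha1sum {} + | sort -k2 )
}

# build_baseline ROOT DB: store the snapshot of ROOT in DB (the baseline).
build_baseline() {
    snapshot "$1" > "$2"
}

# report_changes ROOT DB: compare the current snapshot of ROOT with DB and
# print one line per difference: "added PATH", "changed PATH", "removed PATH".
# Output is empty when the tree still matches the baseline.
report_changes() {
    snapshot "$1" | awk -v base="$2" '
        BEGIN { while ((getline < base) > 0) old[$2] = $1 }
        {
            if (!($2 in old))        print "added " $2
            else if (old[$2] != $1)  print "changed " $2
            delete old[$2]
        }
        END { for (p in old) print "removed " p }' | sort
}

# demo: build a constructed file tree, take the baseline, then alter the
# tree in the three ways a check must catch and return the change report.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/bin" "$tmp/root/log"
    printf 'original\n'      > "$tmp/root/bin/ls"
    printf 'unchanged\n'     > "$tmp/root/bin/cat"
    printf 'to be removed\n' > "$tmp/root/bin/old"
    printf 'noise\n'         > "$tmp/root/log/messages"
    build_baseline "$tmp/root" "$tmp/aide.db"

    printf 'modified\n'    > "$tmp/root/bin/ls"          # content changed
    printf 'unexpected\n'  > "$tmp/root/bin/extra"       # new file
    rm "$tmp/root/bin/old"                               # file removed
    printf 'more noise\n' >> "$tmp/root/log/messages"    # excluded, not reported
    report_changes "$tmp/root" "$tmp/aide.db"
    rm -rf "$tmp"
}

demo
```

Running the script prints three lines (added ./bin/extra, changed ./bin/ls, removed ./bin/old) and nothing for the log file, which is exactly the effect of keeping volatile paths out of the baseline. AIDE does the same job with many more attributes per file (permissions, ownership, inode, timestamps, several checksums) and a real configuration file, but the comparison model is this one.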
Recommended reading:
AIDE-Linux Advanced Intrusion Detection
How to delete/restore log files after Linux Server intrusion
Network Intrusion Detection and Prevention engine Suricata
Snort + Base intrusion detection Configuration
II. Download and install AIDE
1. Install mhash-0.9.9.9.tar.gz first
# tar zxvf mhash-0.9.9.9.tar.gz
# ./configure
# make
# make install
2. Install aide-0.15-rc1.tar.gz
# tar zxvf aide-0.15-rc1.tar.gz
# ./configure --prefix=/usr/local/aide --with-mhash
# make
# make install
# mkdir -p /usr/local/aide/etc
# cp /root/aide-0.15-rc1/doc/aide.conf /usr/local/aide/etc/
# cp /usr/local/aide/bin/
3. Modify the configuration file
# vim aide.conf
Set the database paths:
database=file:/usr/local/aide.db # existing database (the system snapshot)
database_out=file:/usr/local/aide.new.db # newly generated database
Append the directories and files to be checked at the end of the file:
/bin R
/sbin R
/usr/bin R
/usr/sbin R
/usr/local/eyou/mail/web/tpl R
/dev/shm R
/opt/apache/htdocs R
/tmp/.ICE-unix R
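The three steps above (build, install, configure) end with a configuration file but not yet with a database. The script below is an added example, not the article's text and not AIDE's own code: it writes the aide.conf from step 3 and wraps the two AIDE invocations that complete the setup, `--init` to build the first snapshot and `--check` to compare the live system against it. The binary location in AIDE_BIN is an assumption based on the --prefix used in step 2; the database paths and selection lines are the article's own.

```shell
#!/bin/sh
# Added example, not the article's text and not AIDE's own code: generate
# the aide.conf from step 3 and wrap the first database build and a later
# check. AIDE_BIN is an assumption (the binary built under the --prefix
# from step 2); the database paths and selection lines are the article's.
AIDE_BIN=${AIDE_BIN:-/usr/local/aide/bin/aide}

# write_aide_conf PATH: write the configuration file. "R" is one of AIDE's
# predefined attribute groups (permissions, inode, link count, owner, group,
# size, mtime, ctime and an md5 checksum, among others). Log files, mail,
# /proc, home and temporary directories are deliberately not listed, as the
# introduction advises, so that routine changes do not flood the report.
write_aide_conf() {
    cat > "$1" <<'EOF'
# existing database that --check compares against (the system snapshot)
database=file:/usr/local/aide.db
# database written by --init
database_out=file:/usr/local/aide.new.db

/bin R
/sbin R
/usr/bin R
/usr/sbin R
/usr/local/eyou/mail/web/tpl R
/dev/shm R
/opt/apache/htdocs R
/tmp/.ICE-unix R
EOF
}

# selection_lines CONF: print the monitored paths (lines that are neither
# comments, blank lines nor key=value settings), used to verify the file.
selection_lines() {
    grep -v '^#' "$1" | grep -v '^[[:space:]]*$' | grep -v '=' | awk '{ print $1 }'
}

# aide_init CONF: build the first database (the snapshot of the system) and
# move it into place as the baseline. Run this once on a known-good system,
# ideally right after installation, and keep a copy of aide.db off the host
# so a compromised machine cannot silently replace its own baseline.
aide_init() {
    "$AIDE_BIN" --config="$1" --init &&
    mv /usr/local/aide.new.db /usr/local/aide.db
}

# aide_check CONF: compare the live system with the baseline and print the
# report of added, removed and changed files for the administrator to review.
aide_check() {
    "$AIDE_BIN" --config="$1" --check
}
```

Typical use is `write_aide_conf /usr/local/aide/etc/aide.conf`, then `aide_init /usr/local/aide/etc/aide.conf` once, and `aide_check /usr/local/aide/etc/aide.conf` from cron afterwards. After a legitimate change such as a package upgrade, rebuild the baseline with the same init step rather than leaving the old snapshot in place, otherwise every later report repeats the expected differences and real ones get lost among them.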
Next, see: