Applicable to Centos Versions:

  • Centos 5.x
  • Centos 6.x

Requirements

You need root (or sudo rights covering yum and /etc/aide.conf): AIDE has to read every file it hashes, including /etc/shadow, and the package comes from the Base repository, so yum must work and reach the internet.

  1. Root or appropriate sudo access to the system
  2. Properly configured yum and internet access

Doing the Work

Install the aide package, tune /etc/aide.conf, build the initial database, promote it to aide.db.gz and run a check. The result is a baseline that later checks (run by hand or from cron) are compared against, and a copy of which you keep off the host.

  1. Install AIDE from the Base repository:
     yum install aide
    
     At the time of writing this is aide-0.13.1-4.el5 from Centos 5 Base; Centos 6 ships a later 0.14 build, and the configuration and commands below work with both.
  2. Configure AIDE:
     The configuration file is /etc/aide.conf.
    
    AIDE records the attributes and checksums of the files you select into a database; later runs compare the live filesystem against that database and report every difference. Keep a copy of the database (or at least its checksum) off the host: an intruder who gets root can simply regenerate it, and for forensic work after a suspected or confirmed intrusion you want the untouched baseline. IMPORTANT: AIDE does not guard against or prevent an intrusion; it is a security auditing and forensic tool only.
    Install and initialise AIDE on a known-good or freshly built system, configure it as in this howto with whatever changes your situation needs, and then run it as part of a regular security audit process.
    
    The configuration below is the file shipped with the package plus a few suggested additions; the comments explain each choice, so edit the selection lines to match what your system actually runs.
    
    # Example configuration file for AIDE.
    @@define DBDIR /var/lib/aide
    @@define LOGDIR /var/log/aide
    # The location of the database to be read.
    database=file:@@{DBDIR}/aide.db.gz
    # The location of the database to be written.
    #database_out=sql:host:port:database:login_name:passwd:table
    #database_out=file:aide.db.new
    database_out=file:@@{DBDIR}/aide.db.new.gz
    # Whether to gzip the output to database
    gzip_dbout=yes
    # Default.
    verbose=5
    report_url=file:@@{LOGDIR}/aide.log
    report_url=stdout
    #report_url=stderr
    #NOT IMPLEMENTED report_url=mailto:root@foo.com (defaults)
    #NOT IMPLEMENTED report_url=syslog:LOG_AUTH (defaults)
    # mailto: and syslog: report URLs are parsed but not implemented in the
    # 0.13/0.14 builds Centos ships; AIDE errors out on them instead of
    # ignoring them. Leave them commented and mail aide.log from the cron
    # job that runs the check if you want the report delivered.
    #report_url=mailto:you@example.com
    #report_url=syslog:LOG_AUTH
    # You can create custom rules like this.
    # With MHASH...
    # ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
    ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
    # Everything but access time (Ie. all changes)
    EVERYTHING = R+ALLXTRAHASHES
    # Sane, with multiple hashes
    # NORMAL = R+rmd160+sha256+whirlpool
    NORMAL = R+rmd160+sha256
    # For directories, don't bother doing hashes
    DIR = p+i+n+u+g+acl+selinux+xattrs
    # Access control only
    PERMS = p+i+u+g+acl+selinux
    # Logfiles are special, in that they often change
    LOG = >
    # Just do md5 and sha256 hashes
    LSPP = R+sha256
    # Some files get updated automatically, so the inode/ctime/mtime change
    # but we want to know when the data inside them changes
    DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
    # Next decide what directories/files you want in the database.
    /boot   NORMAL
    /bin    NORMAL
    /sbin   NORMAL
    /lib    NORMAL
    /opt    NORMAL
    /usr    NORMAL
    /root   NORMAL
    # These are too volatile
    !/usr/src
    !/usr/tmp
    # Check only permissions, inode, user and group for /etc, but
    # cover some important files closely.
    /etc    PERMS
    !/etc/mtab
    # Ignore backup files
    !/etc/.*~
    /etc/exports  NORMAL
    /etc/fstab    NORMAL
    /etc/passwd   NORMAL
    /etc/group    NORMAL
    /etc/gshadow  NORMAL
    /etc/shadow   NORMAL
    /etc/security/opasswd   NORMAL
    /etc/hosts.allow   NORMAL
    /etc/hosts.deny    NORMAL
    /etc/sudoers NORMAL
    /etc/skel NORMAL
    /etc/logrotate.d NORMAL
    /etc/resolv.conf DATAONLY
    /etc/nscd.conf NORMAL
    /etc/securetty NORMAL
    # Shell/X starting files
    /etc/profile NORMAL
    /etc/bashrc NORMAL
    /etc/bash_completion.d/ NORMAL
    /etc/login.defs NORMAL
    /etc/zprofile NORMAL
    /etc/zshrc NORMAL
    /etc/zlogin NORMAL
    /etc/zlogout NORMAL
    /etc/profile.d/ NORMAL
    /etc/X11/ NORMAL
    # Pkg manager
    /etc/yum.conf NORMAL
    /etc/yumex.conf NORMAL
    /etc/yumex.profiles.conf NORMAL
    /etc/yum/ NORMAL
    /etc/yum.repos.d/ NORMAL
    /var/log   LOG
    /var/run/utmp LOG
    # This gets new/removes-old filenames daily
    !/var/log/sa
    # As we are checking it, we've truncated yesterday's size to zero.
    !/var/log/aide.log
    # LSPP rules...
    # AIDE produces an audit record, so this becomes perpetual motion.
    # /var/log/audit/ LSPP
    /etc/audit/ LSPP
    /etc/libaudit.conf LSPP
    /usr/sbin/stunnel LSPP
    /var/spool/at LSPP
    /etc/at.allow LSPP
    /etc/at.deny LSPP
    /etc/cron.allow LSPP
    /etc/cron.deny LSPP
    /etc/cron.d/ LSPP
    /etc/cron.daily/ LSPP
    /etc/cron.hourly/ LSPP
    /etc/cron.monthly/ LSPP
    /etc/cron.weekly/ LSPP
    /etc/crontab LSPP
    /var/spool/cron/root LSPP
    /etc/login.defs LSPP
    /etc/securetty LSPP
    /var/log/faillog LSPP
    /var/log/lastlog LSPP
    /etc/hosts LSPP
    /etc/sysconfig LSPP
    /etc/inittab LSPP
    /etc/grub/ LSPP
    /etc/rc.d LSPP
    /etc/ld.so.conf LSPP
    /etc/localtime LSPP
    /etc/sysctl.conf LSPP
    /etc/modprobe.conf LSPP
    /etc/pam.d LSPP
    /etc/security LSPP
    /etc/aliases LSPP
    /etc/postfix LSPP
    /etc/ssh/sshd_config LSPP
    /etc/ssh/ssh_config LSPP
    /etc/stunnel LSPP
    /etc/vsftpd.ftpusers LSPP
    /etc/vsftpd LSPP
    /etc/issue LSPP
    /etc/issue.net LSPP
    /etc/cups LSPP
    # With AIDE's default verbosity level of 5, these would give lots of
    # warnings upon tree traversal. It might change with future version.
    #
    #=/lost\+found    DIR
    #=/home           DIR
    # Ditto /var/log/sa reason...
    !/var/log/and-httpd
    # Admins dot files constantly change, just check perms
    /root/.* PERMS
    
  3. Initialise the database and run a check (use the full path /usr/sbin/aide if /usr/sbin is not in your PATH):
     aide --init
     cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
     aide --check
    
     --init only writes database_out (aide.db.new.gz) and --check only reads database (aide.db.gz), so the new file has to be copied or moved into place before the first check will run. Build the initial database on a known-good system, and keep a copy of aide.db.gz (or at least its checksum) off the host so that a later clean report can be trusted.
  4. Update the database after legitimate changes such as package updates or config edits:
     aide --update
     cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    
     --update runs the same comparison as --check and then writes a fresh aide.db.new.gz. Read the report before promoting the new file; promoting it blindly turns an intruder's changes into the new baseline.
  5. Configuration lexicon. Each entry below is an attribute group; a rule is a + separated list of them:
     p         permissions
     i         inode
     n         number of links
     u         user
     g         group
     s         size
     b         block count
     m         mtime
     a         atime
     c         ctime
     S         check for growing size
     acl       Access Control Lists
     selinux   SELinux security context
     xattrs    extended file attributes
     md5       md5 checksum
     sha1      sha1 checksum
     sha256    sha256 checksum
     sha512    sha512 checksum
     rmd160    rmd160 checksum
     tiger     tiger checksum
     haval     haval checksum (only if mhash enabled)
     gost      gost checksum (only if mhash enabled)
     crc32     crc32 checksum (only if mhash enabled)
     whirlpool whirlpool checksum (only if mhash enabled)
     R         p+i+n+u+g+s+m+c+md5
     L         p+i+n+u+g
     E         empty group
     >         growing logfile (p+u+g+i+n+S)
     The built-in groups are enough for most systems, but you can define your own to add checks to particular files, or simply to give rules readable names as the configuration above does. After the groups come the selection lines. A few rules govern them, and together they allow a lot of flexibility:
     • Paths prefixed with ! are ignored, and a directory that is ignored is not descended into (in the configuration above, /usr/src and /usr/tmp are skipped completely).
     • Directories prefixed with = are added alone; their children are not. AIDE still traverses the tree while matching, which is why the commented =/home and =/lost\+found lines warn about noise at verbosity 5.
     • Every path is a regular expression anchored at the start of the path, so the /etc/hosts line above also matches /etc/hosts.allow and /etc/hosts.deny, and regex metacharacters in a path have to be escaped (hence /lost\+found).
     • Suffixing a path with $ restricts the rule to exactly that directory or file; use it whenever you mean one file.
     The default groups applied to the directories and files in the configuration in step 2 are listed below. They are safe to use as they stand, but look hard at what your system runs and adjust the selection lines to suit:
     ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
     EVERYTHING = R+ALLXTRAHASHES
     NORMAL = R+rmd160+sha256
     DIR = p+i+n+u+g+acl+selinux+xattrs
     PERMS = p+i+u+g+acl+selinux
     LOG = >
     LSPP = R+sha256
     DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
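The initialise, promote, check and update cycle described above, as an added shell example that is not part of the original howto or of the AIDE project: it wraps the aide commands, promotes aide.db.new.gz into place, and keeps a SHA-256 fingerprint of the database in a directory you copy off the host, refusing to trust a --check against a database that no longer matches it. DBDIR follows @@define DBDIR in /etc/aide.conf; AIDE_BIN, OFFSITE_DIR and the aide_* function names are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not from the original howto or the AIDE project.
# DBDIR matches @@define DBDIR in /etc/aide.conf; AIDE_BIN, OFFSITE_DIR
# and the aide_* function names are assumptions made for this example.
set -u

AIDE_BIN=${AIDE_BIN:-/usr/sbin/aide}
DBDIR=${DBDIR:-/var/lib/aide}
# Assumed: a directory whose contents you copy off the host (scp, backup job).
OFFSITE_DIR=${OFFSITE_DIR:-/root/aide-offsite}

# SHA-256 of a database file. A copy of this value kept off the host lets you
# tell whether the on-host database was regenerated by an intruder with root.
aide_db_fingerprint() {
    sha256sum "$1" | awk '{print $1}'
}

# Store a copy of the database and its fingerprint in the offsite directory.
aide_db_record() {
    local db=$1 dest=$2
    mkdir -p "$dest"
    cp -p "$db" "$dest/$(basename "$db")"
    aide_db_fingerprint "$db" > "$dest/$(basename "$db").sha256"
}

# Return 0 if the on-host database still matches the recorded fingerprint,
# 1 if it differs or no fingerprint was ever recorded.
aide_db_verify() {
    local db=$1 dest=$2 recorded current
    recorded=$(cat "$dest/$(basename "$db").sha256" 2>/dev/null) || return 1
    current=$(aide_db_fingerprint "$db")
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# --init and --update write database_out (aide.db.new.gz); --check reads
# database (aide.db.gz), so the new file must be promoted before use.
aide_promote_db() {
    mv -f "$DBDIR/aide.db.new.gz" "$DBDIR/aide.db.gz"
}

# Build the baseline on a known-good system and record it offsite at once.
aide_init() {
    "$AIDE_BIN" --init && aide_promote_db \
        && aide_db_record "$DBDIR/aide.db.gz" "$OFFSITE_DIR"
}

# A clean report against a tampered database is worthless, so verify first.
aide_check() {
    aide_db_verify "$DBDIR/aide.db.gz" "$OFFSITE_DIR" || {
        echo "$DBDIR/aide.db.gz does not match the offsite fingerprint; do not trust this check" >&2
        return 99
    }
    "$AIDE_BIN" --check
}

# --update reports differences and writes aide.db.new.gz. Promote it only
# after reading the report; doing so blindly makes an intruder's changes
# the new baseline.
aide_update() {
    aide_db_verify "$DBDIR/aide.db.gz" "$OFFSITE_DIR" || {
        echo "$DBDIR/aide.db.gz does not match the offsite fingerprint; refusing to update" >&2
        return 99
    }
    "$AIDE_BIN" --update
    echo "Review the report above; press Enter to accept it as the new baseline, Ctrl-C to keep the old one" >&2
    read -r _
    aide_promote_db && aide_db_record "$DBDIR/aide.db.gz" "$OFFSITE_DIR"
}

# Usage: ./aide_wrap.sh init | check | update  (nothing runs when sourced)
case "${1:-}" in
    init)   aide_init ;;
    check)  aide_check ;;
    update) aide_update ;;
esac
```

Run `init` once on the freshly built system, copy OFFSITE_DIR somewhere the host cannot write to, and put `check` in cron; the 99 exit code from check is the signal that the database itself, not just the filesystem, has changed.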

Troubleshooting / How To Test

The problems you are most likely to hit, and what to collect before asking for help.

  1. If yum install aide fails or /etc/aide.conf cannot be saved, you are not root or lack the required sudo privileges:
     Use su - (the dash is important: it gives you root's environment, including /usr/sbin in PATH) to become root, or run sudo yum install aide and sudo vi /etc/aide.conf.
  2. Other problems:
     If you're having problems that aren't addressed here, collect basic information such as:
     The output of uname -a
     Any yum error output
     The output of aide --config-check, which parses /etc/aide.conf without scanning the filesystem
     And post it on a pastebin such as fpaste.org before visiting #centoshelp on Freenode and engaging others.

Disclaimer

We test this stuff on our own machines, really we do. But you may run into problems, if you do, come to #centoshelp on irc.freenode.net

© 2012 CentosHelp.org