How to install and use AIDE (Advanced Intrusion Detection Environment) on CentOS 8

AIDE (Advanced Intrusion Detection Environment) is one of the most widely used file integrity monitoring tools for Linux. It does not block malware or intruders; it detects their traces. On first run AIDE records the attributes and checksums of the files you tell it to watch in a database, and every later check compares the current state of the file system against that baseline and reports exactly what was added, removed or changed. Because the report is limited to files that actually changed, AIDE noticeably shortens incident investigation.

AIDE features:

  • Tracks a configurable set of file attributes: file type, inode, uid, gid, permissions, link count, size, mtime, ctime and atime.
  • Understands SELinux contexts, extended attributes (xattrs), POSIX ACLs and ext2/3/4 file system attributes, and stores its database gzip-compressed.
  • Supports several checksum algorithms, including md5, sha1, sha256, sha512, rmd160, tiger and crc32 (several can be combined per rule).
  • Writes its report to stdout, a file or syslog, so a cron job can mail it to an administrator.

In this article, we'll walk you through how to install and use AIDE for intrusion detection on CentOS 8.

Prerequisites

  • Server running CentOS 8 with at least 2 GB of RAM.
  • root access

Getting Started

It is recommended to update the system first. To do this, run the following command.

dnf update -y

Reboot afterwards if the update installed a new kernel. The point of updating first is that the baseline you create below should describe a clean, fully patched system; anything you change later will show up as a difference.

AIDE Installation

AIDE is available in the default CentOS 8 repository. You can easily install it by running the following command:

dnf install aide -y

Once the installation is complete, you can view the AIDE version with the following command:

aide --version

You should see the following:

Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

The available command line options can be listed with:

aide --help


Creating and initializing the database

The first thing to do after installing AIDE is to initialize it. Initialization builds a database (a snapshot) of the attributes and checksums of every file and directory covered by the selection rules in /etc/aide.conf. Note that this is not the whole server: only the paths listed in the configuration are watched, which is why the Apache document root has to be added explicitly later in this article.

Run the following command to initialize the database:

aide --init

You should see the following:

Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==


End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)

The command writes the new database, aide.db.new.gz, to the directory /var/lib/aide. You can list it with:

ls -l /var/lib/aide

Result:

total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz

AIDE will not use this new database file until it is renamed to aide.db.gz. This can be done like this:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Update this database only after you have reviewed every reported change and can explain it. A change you accept into the baseline without understanding it is a change AIDE will never report again, and rebuilding the database is exactly what an intruder with root access would do to hide their tracks.

You can change where the database lives with the @@define DBDIR line in /etc/aide.conf; the database and database_out settings are derived from it.

Running a check

AIDE is now ready to use the new database. Run the first AIDE check without making any changes:

aide --check

This command will take some time to complete depending on the size of your file system and the amount of RAM on your server. Once the verification is complete, you should see the following:

Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

The above output says that all files and directories match the AIDE database.
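The three steps above (aide --init, the rename, aide --check) are just as easy for an intruder with root to replay after modifying the system, so it is worth recording a checksum of the activated database somewhere the host cannot rewrite and comparing it before every check. The script below is an added example, not code from the article or from the AIDE project: it performs the initialization and rename exactly as described above and records a detached SHA-256 of aide.db.gz; its verify mode recomputes and compares the hash. The database paths are the CentOS 8 defaults; the hash file name and location are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or the AIDE project.
# Bootstraps AIDE (init + activate) and keeps a detached SHA-256 of the active
# database so that a later run can detect a swapped or rebuilt baseline.
# Database paths are the CentOS 8 defaults; HASH_FILE is an assumption.
set -eu

AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db.gz}"
AIDE_DB_NEW="${AIDE_DB_NEW:-/var/lib/aide/aide.db.new.gz}"
HASH_FILE="${HASH_FILE:-/var/lib/aide/aide.db.gz.sha256}"

# Hex SHA-256 of a file: coreutils sha256sum, or shasum where it is absent.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write the hash of database $1 to file $2, readable by root only.
record_db_hash() {
    file_sha256 "$1" > "$2"
    chmod 0600 "$2"
}

# Return 0 if database $1 still matches the hash stored in $2, 1 otherwise
# (a missing database or a missing hash file also counts as failure).
verify_db_hash() {
    [ -f "$1" ] && [ -f "$2" ] || return 1
    expected=$(cat "$2")
    actual=$(file_sha256 "$1")
    [ "$expected" = "$actual" ]
}

# The article's procedure: build the baseline, activate it, then record its hash.
bootstrap_aide() {
    aide --init
    mv "$AIDE_DB_NEW" "$AIDE_DB"
    record_db_hash "$AIDE_DB" "$HASH_FILE"
    echo "baseline recorded: $(cat "$HASH_FILE")  $AIDE_DB"
}

# Touch the live system only when asked: `sh aide-baseline.sh init` or `... verify`.
case "${1:-}" in
    init)
        bootstrap_aide ;;
    verify)
        if verify_db_hash "$AIDE_DB" "$HASH_FILE"; then
            echo "database matches recorded hash"
        else
            echo "database does NOT match recorded hash: do not trust aide --check" >&2
            exit 1
        fi ;;
esac
```

Run it as root with init once after installation and with verify before every check. A hash file stored next to the database is only a tripwire: an attacker who can rewrite aide.db.gz can rewrite the hash file too, so copy the printed hash line off the host or onto read-only media.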

Testing AIDE

The default CentOS 8 configuration does not watch Apache's document root, /var/www/html. Let's add it. To do this, edit /etc/aide.conf:

nano /etc/aide.conf

Add the following line above the existing "/root/ CONTENT_EX" line:

/var/www/html/ CONTENT_EX

Next, create a file aide.txt in the directory /var/www/html/ using the following command:

echo "Test AIDE" > /var/www/html/aide.txt

Now run a check and confirm that the new file is reported:

aide --check

You should see the following:

Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The new file aide.txt is reported as an added entry: the leading f marks a regular file, and each + stands for an attribute that had no previous value in the database.
Once you have reviewed the reported changes and confirmed that they are legitimate, update the database:

aide --update

After the update, you will see the following:

Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The update writes a new database, aide.db.new.gz, to /var/lib/aide/ and leaves the active aide.db.gz untouched. You can see both with the following command:

ls -l /var/lib/aide/

Result:

total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz

Now rename the new database again so that AIDE uses it as the baseline for further checks:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run the check again to make sure AIDE is using the new database:

aide --check

You should see the following:

Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
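A single CONTENT_EX line treats everything under the web root the same way, which is too coarse for a real site: application code should be hashed, while a directory the web server legitimately writes to (uploads, caches) would produce an added or changed entry on every request if its contents were hashed. The fragment below is an added example of aide.conf rules, not part of the article or of the CentOS default configuration; the directory layout (/var/www/html with cache and uploads subdirectories) and the group names WEBCODE and WEBMETA are assumptions. Rule groups combine the attribute keywords documented in aide.conf(5); a selection line starting with ! excludes the paths it matches, and selection lines are regular expressions anchored at the start of the path.

```conf
# Added example, not part of the article or the CentOS default aide.conf.

# Rule group for application code under the web root: two content hashes plus
# file type, mode, owner, group, link count and SELinux/ACL/xattr metadata.
WEBCODE = sha256+sha512+ftype+p+u+g+n+acl+selinux+xattrs

# Metadata-only group for a directory the web server writes to; hashing its
# contents would report a change on every upload, so only ownership, mode and
# SELinux context are watched (a chmod 777 or a context change still shows up).
WEBMETA = ftype+p+u+g+acl+selinux

# Assumed layout. More specific selection lines are listed before the general
# one, following the order the default configuration uses for the /root/ rules.
!/var/www/html/cache
/var/www/html/uploads/ WEBMETA
/var/www/html/ WEBCODE
```

After changing rules, run aide --update and activate the new database as described above; otherwise every file now covered by the new groups is reported as added on the next check.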

Automating the check

It's a good idea to run an AIDE check every day and email the report. This process can be automated using cron.

nano /etc/crontab

To run an AIDE check every day at 10:15 am, add the following line to the end of the file:

15 10 * * * root /usr/sbin/aide --check

AIDE itself does not send mail: cron mails whatever the job prints to root (or to the address set with MAILTO in /etc/crontab), provided a local MTA such as postfix is installed and running. Since aide --check always prints a report, you will receive a message every day, including the days on which nothing changed. You can read the mail with the following command:

tail -f /var/mail/root

AIDE also appends every report to the log file set by report_url in /etc/aide.conf, which on CentOS 8 defaults to /var/log/aide/aide.log:

tail -f /var/log/aide/aide.log
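A daily "Looks okay!!" mail is exactly what trains people to stop reading AIDE reports. The wrapper below is an added example, not code from the article or from the AIDE project: it runs aide --check, keeps the complete report on disk under /var/log/aide, parses the Summary block and prints the affected paths to stdout only when something was added, removed or changed, so cron mails root only on those days. The report file naming is an assumption, and the embedded SAMPLE_REPORT is constructed in the shape of the article's output (its "Changed entries" lines are made up) purely to exercise the parsing functions.

```shell
#!/bin/sh
# Added example, not code from the article or the AIDE project.
# Cron wrapper for `aide --check`: keeps every report on disk, but only emits
# output (and therefore cron mail) when the report lists added, removed or
# changed entries. REPORT_DIR and the report file name are assumptions.
set -u

REPORT_DIR="${REPORT_DIR:-/var/log/aide}"

# Constructed sample in the shape of the article's report output; used only to
# exercise the parsing functions below (the "Changed entries" lines are made up).
SAMPLE_REPORT='Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:    49475
  Added entries:              1
  Removed entries:            0
  Changed entries:            2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...    .C...: /etc/passwd
f   ...    .C...: /etc/shadow'

# Read an AIDE report on stdin and print "added removed changed".
# A report without a Summary block ("AIDE found NO differences ...") yields "0 0 0".
# The section headers "Added entries:" etc. carry no number and are skipped.
parse_summary() {
    awk '
        /^ *Added entries:/   && $3 ~ /^[0-9]+$/ { a = $3 }
        /^ *Removed entries:/ && $3 ~ /^[0-9]+$/ { r = $3 }
        /^ *Changed entries:/ && $3 ~ /^[0-9]+$/ { c = $3 }
        END { printf "%d %d %d\n", a, r, c }
    '
}

# Print only the paths from per-entry lines such as "f+++...+: /path" or
# "f   ...    .C...: /path" (the attribute summary may itself contain ':').
report_paths() {
    awk '/^[A-Za-z].*: \// { sub(/^.*: \//, "/"); print }'
}

# True when any counter is non-zero; arguments: added removed changed.
alert_needed() {
    [ "$1" -gt 0 ] || [ "$2" -gt 0 ] || [ "$3" -gt 0 ]
}

# Run the real check. Output goes to stdout only if there is something to report,
# so cron's "mail the job output" behaviour becomes "mail on change".
run_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/check-$(date +%Y%m%d-%H%M%S).txt"
    aide --check > "$report" 2>&1
    set -- $(parse_summary < "$report")
    if alert_needed "$1" "$2" "$3"; then
        echo "AIDE: added=$1 removed=$2 changed=$3 on $(hostname); full report: $report"
        report_paths < "$report"
        return 1
    fi
    return 0
}

# Touch the live system only when invoked as `aide-check.sh run`.
if [ "${1:-}" = "run" ]; then
    run_check
fi
```

Install it as, for example, /usr/local/sbin/aide-check.sh and point the crontab line at it instead of at aide directly: 15 10 * * * root /usr/local/sbin/aide-check.sh run. The full report is still written to the file named in the mail, so nothing is lost by keeping the mail short.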

Conclusion

In this article, you learned how to use AIDE to detect file changes and spot unauthorized modification of a server. Further rules and options live in the /etc/aide.conf configuration file. Keep in mind that AIDE runs with root privileges on the host it monitors, so an intruder with root can rebuild the database, edit the configuration or replace the aide binary itself; for that reason it is recommended to keep a copy of the database, the configuration file and the binary on read-only media or on a separate host and to compare against that copy. More information can be found in the AIDE documentation.

Source: habr.com
