Deployment of AIDE (Advanced Intrusion Detection Environment) on a CentOS system

Introduction: An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any changes it finds are typically reported either to an administrator or collected centrally by a security information and event management (SIEM) system.

Classification:

Intrusion prevention systems can be classified into four different types:

  1. Network-based intrusion prevention system (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
  2. Wireless intrusion prevention system (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
  3. Network behavior analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial-of-service (DDoS) attacks, certain forms of malware and policy violations.
  4. Host-based intrusion prevention system (HIPS): an installed software package that monitors a single host for suspicious activity by analyzing events occurring within that host.

Features:

  • supported message digest algorithms: md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool (additionally with libmhash: gost, haval, crc32b)
  • supported file attributes: File type, Permissions, Inode, Uid, Gid, Link name, Size, Block count, Number of links, Mtime, Ctime and Atime
  • support for Posix ACL, SELinux, XAttrs and Extended file system attributes if support is compiled in
  • plain text configuration files and database for simplicity
  • powerful regular expression support to selectively include or exclude files and directories to be monitored
  • gzip database compression if zlib support is compiled in
  • stand alone static binary for easy client/server monitoring configurations
  • and many more

Installation & Configuration Steps:

  1. Install the package ‘aide’
              [root@box-code]# yum install aide

  2. It’s possible to use AIDE with the default config, but if you’d like to customize settings, edit the configuration file as follows. The selection rules are written around lines 26-84 of the file; refer to them.

Open the configuration file and add a rule. For example, to change the settings for monitoring “/var/log”, add the following line (this is a line inside /etc/aide.conf, not a shell command):

              [root@box-code]# vi /etc/aide.conf

              /var/log  p+u+i+n+acl+selinux+xattrs

and save. The letters in the rule select which attributes AIDE records for the files: p permissions, u user (owner), i inode, n number of links, acl POSIX ACL, selinux SELinux context and xattrs extended attributes.

  3. Initialize the database
              [root@box-code]# aide --init

              Response:  AIDE, version 0.14

              ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

  4. Copy the generated database to the master database.
              [root@box-code]# cd /var/lib/aide

              [root@box-code]# cp aide.db.new.gz aide.db.gz

  5. Check the filesystem against the database.

If there is no mismatch, it reports “okay”.

              [root@box-code]# aide --check

              Response:  AIDE, version 0.14

              ### All files match AIDE database. Looks okay!
  6. Try changing a file and check again.
              [root@box-code]# chmod 600 /root/install.log

              [root@box-code]# aide --check

              Response: the difference is detected like follows

              AIDE found differences between database and filesystem!!
              Start timestamp: 2018-05-02 06:18:07
              Summary:
                Total number of files:        18935
                Added files:                      1
                Removed files:                    0
                Changed files:                    2

              --------------------------------------------------
              Added files:
              added: /root/my.log

              Changed files:
              changed: /root
              changed: /root/my.log

              --------------------------------------------------
              Detailed information about changes:

              Directory: /root
                Mtime    : 2018-05-02 05:20:41   , 2018-05-02 06:16:54
                Ctime    : 2018-05-02 05:20:41   , 2018-05-02 06:16:54

              File: /root/file.sql
                Permissions: -rw-r--r--          , -rwx------
                Ctime    : 2018-05-02 04:49:54   , 2018-05-02 06:34:55

  7. If there is no problem even though some differences are detected, update the database like follows
              [root@box-code]# aide --update

              Response:

              AIDE found differences between database and filesystem!!
              Start timestamp: 2018-05-02 06:41:15
              Summary:
                Total number of files:        18935
                Added files:                  1
                Removed files:                0
                Changed files:                2

              Detailed information about changes:
              ---------------------------------------------------
              Directory: /root
                Mtime    : 2018-05-02 05:20:41     , 2018-05-02 06:16:54
                Ctime    : 2018-05-02 05:20:41     , 2018-05-02 06:16:54

              File: /root/file.sql
                Permissions: -rw-r--r--            , -rwx------
                Ctime    : 2018-05-02 04:49:54     , 2018-05-02 06:34:55

  8. Install the updated database by copying the newly written file over the master database.

              [root@box-code]# cd /var/lib/aide

              [root@box-code]# cp aide.db.new.gz aide.db.gz

  9. Add a cron job if you want to check regularly. The log file [/var/log/aide/aide.log] is overwritten on every run, and when there is no difference it is written as a zero-byte file, so if you’d like to keep the log files you need to write a shell script, send the results via email, or similar.

Example: add a daily check to crontab and send the results via email

                         [root@box-code]# crontab -e

                          00 01 * * * /usr/sbin/aide --update | mail -s 'check by AIDE' root

Note that --update also writes a fresh aide.db.new.gz on every run, exactly as in step 7; it does not replace aide.db.gz until you copy it as in step 8.
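Step 9 calls for a shell script that keeps AIDE's reports instead of letting aide.log be overwritten. The cron wrapper below is an added example (not the original post's code and not part of AIDE itself): it archives each report under its own timestamp, decodes AIDE's bitmask exit status, and mails only when a difference was found. The report directory /var/log/aide/reports and the recipient root are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a cron wrapper around
# "aide --check" that archives each report under its own timestamp
# (the stock /var/log/aide/aide.log is overwritten every run, and is
# zero bytes when nothing changed) and mails only when AIDE reports a
# difference. REPORT_DIR and MAIL_TO are assumed values.
AIDE_BIN=/usr/sbin/aide
REPORT_DIR=/var/log/aide/reports   # assumed archive directory
MAIL_TO=root

# AIDE's exit status is a bitmask: 1 = added, 2 = removed, 4 = changed
# files. Values of 14 and above are errors, not findings.
describe_status() {
    rc=$1
    if [ "$rc" -eq 0 ]; then echo "no changes"; return 0; fi
    if [ "$rc" -ge 14 ]; then echo "aide error (exit $rc)"; return 2; fi
    out=""
    [ $((rc & 1)) -ne 0 ] && out="$out added"
    [ $((rc & 2)) -ne 0 ] && out="$out removed"
    [ $((rc & 4)) -ne 0 ] && out="$out changed"
    echo "differences:$out"
    return 1
}

# Read one counter ("Changed files: N") out of the report's Summary
# block on stdin, e.g. summary_count "Changed files" <report
summary_count() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

main() {
    stamp=$(date +%Y%m%d-%H%M%S)
    report="$REPORT_DIR/aide-$stamp.log"
    mkdir -p "$REPORT_DIR" && chmod 700 "$REPORT_DIR"
    "$AIDE_BIN" --check >"$report" 2>&1
    rc=$?
    verdict=$(describe_status "$rc")
    if [ "$rc" -ne 0 ]; then
        changed=$(summary_count "Changed files" <"$report")
        mail -s "AIDE on $(hostname): $verdict (changed=${changed:-?})" \
            "$MAIL_TO" <"$report"
    fi
    echo "$stamp $verdict (report: $report)"
}

# Run the check only when called as "aide-cron.sh run", so the file can
# also be sourced for its functions without touching AIDE.
case "${1:-}" in run) main ;; esac
```

Install it as, for example, /usr/local/sbin/aide-cron.sh and point the crontab line above at `/usr/local/sbin/aide-cron.sh run`. The wrapper still trusts the database on disk, so keep a copy of aide.db.gz and the aide binary on read-only or offline media if the comparison is to hold after a root compromise.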
