Friday, January 21, 2011

Installing AIDE (Advanced Intrusion Detection Environment) on CentOS 5.x

AIDE (Advanced Intrusion Detection environment) is a great approach to layered security on a Linux Server. This covers a basic install and configuration to run once per day with a report to your email account(or not).
It is recommended to run this on a "Clean" system - i.e one that is perhaps freshly installed and configured before deployment on the web.
Any updates to software or system on the server after this point will trigger false positives, so be sure to update the database after any such work is done.

0. Log in as root

1. Install the package
yum install aide

2. Edit the config file to be able to send to your email address
NOTE: If you do not wish to receive a daily report or you want to inspect the logs manually, skip this section ang go to step 3.


nano /etc/aide.conf
look for the following lines and comment out via # at the beginning of the line
report_url=file:@@{LOGFIR}/aide.log
report_url=stdout
 it should now read:
#report_url=file:@@{LOGFIR}/aide.log

#report_url=stdout
add the following lines immediately below the commented out section as mentioned above:
report_url=mailto:youremail@yourdomain.com
report_url=syslog:LOG_AUTH
save and exit /etc/aide.conf

3. Run AIDE to create the initial database
Steps 3 and 4 will need to be repeated each time you do a system update or modify any configuration files, so be warned. Security and convenience are mutually exclusive.

aide --init

4. Copy the database to default setting - this is the baseline database.
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz


5.  Run the AIDE first check
aide --check
Expected output in a perfect world:
AIDE, version 0.13.1


### All files match AIDE database. Looks okay!

6. Setup a daily job (in this case to run at 11pm) to run
nano /etc/crontab
if you wish to receive the email as configured in step 2, add to end of file
00 23 * * * /usr/sbin/aide --check /bin/mail -s "$HOSTNAME - Daily AIDE integrity check" youremail@yourdomain.com
if you do not wish to receive any email modify the crontab as indicated below
00 20 * * * /usr/sbin/aide --check

the default logs can be accessed at:
/var/log/aide/aide.log
There will be a list of modified files and or filesystem.

Further information on AIDE as well as troubleshooting can be found here: http://www.cs.tut.fi/~rammer/aide/manual.html

Cheers,
-n

5 comments:

  1. Hi

    Thank you for your tutorial, it is really helpful.

    However I always have issues getting the email alerts successfully because when I run aide --check it gives me the following error:

    Unknown URL-type:mailto
    Unsupported output URL-type:mailto:myname@hotmail.com

    I hope that I get a response from you and I know this an old post but still optimistic.

    Thanks regards
    Sam

    ReplyDelete
    Replies
    1. I never had that problem, perhaps it could be related to how your server sends mail, or perhaps the AIDE default mechanism for mail sending is not installed in your environment.

      Try commenting out the AIDE mail config, and use the mail -s function as described in Step 6 to receive the email.

      Good luck!

      Delete
    2. Dear noveck

      Thank you very much for your reply, I really appreciated it.

      I would like to get the cron job setup for this and I have commented out the lines in the aide.conf file as in below:

      #report_url=file:@@{LOGFIR}/aide.log
      #report_url=stdout
      #report_url=mailto:youremail@yourdomain.com
      #report_url=syslog:LOG_AUTH

      And then, I have put your command line below in the crontab::

      00 23 * * * /usr/sbin/aide --check /bin/mail -s "$HOSTNAME - Daily AIDE integrity check" myname@hotmail.com

      But still no emails unfortunately.

      Could please kindly suggest to me any more ways that I can get this working.

      Thanks.

      Delete
    3. You will need to uncomment the
      #report_url=stdout
      line to get it to work.

      Delete
  2. Also, don't forget to add the pipe between the aide command and the /bin/mail command.

    ReplyDelete