How to install Advanced Intrusion Detection Environment on CentOS


If you deployed a CentOS server, you'll want to ensure it's as secure as possible. Because it's Linux, there's a lot you can do to further harden the platform. One layer you can add is a host-based intrusion detection tool that works as a file and directory integrity checker: it records a baseline of what your system files look like and tells you when any of them change.


For CentOS, one of the most popular host-based intrusion detection systems is AIDE (Advanced Intrusion Detection Environment). It builds a database of file attributes and content digests and later compares the live filesystem against that database, reporting anything added, removed, or changed. The main features of AIDE are:

  • Supports the md5, sha1, rmd160, tiger, crc32, sha256, sha512, and whirlpool digest algorithms
  • Monitors these file attributes: permissions, inode, UID, GID, link name, size, block count, number of links, mtime, ctime, and atime
  • Supports POSIX ACLs, SELinux contexts, xattrs, and extended (e2fs) file attributes, where support is compiled in
  • Supports regular expressions to selectively include or exclude files/directories
  • Supports GZIP database compression

Let’s install AIDE on CentOS 7 and see how to make it work.


Installing AIDE

Since AIDE is in the standard CentOS repositories, installation is as simple as this.

  1. Open a terminal window.
  2. Issue the command su and, when prompted, enter the root password (or use sudo -i if your account has sudo rights).
  3. Issue the command yum install aide.
  4. Accept the installation by typing y.
  5. Allow the installation to complete.

Now that AIDE is installed, verify the build with the command aide -v. The command reports the version number, the options it was compiled with (which digests and attribute types are supported), and the default locations of the configuration file and database (Figure A).

Figure A


AIDE is installed and ready to go.

Generating the database

The first thing you must do with AIDE is generate a database. You can generate it from the default configuration file, which is well thought out for a stock CentOS system. If you want to fine-tune /etc/aide.conf, open it in your favorite editor and look for the directory section, where you can add or remove directories to be monitored. Outside of that, I wouldn't touch the configuration file.

The directory inclusion section will look like this:

/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL

That defines the directories to be monitored with the NORMAL rule group, which in the CentOS 7 file is R+rmd160+sha256+whirlpool: the attributes covered by R plus three content digests of each file. Below that you'll find the /etc directory listed with the PERMS group (p+i+u+g+acl+selinux), which records ownership, permissions, and security labels but no content digest, since files under /etc change with ordinary administration; you can add or remove directories in that section. These rule groups are not hashes but named sets of attribute letters; the top portion of /etc/aide.conf defines each group and explains what every letter means.
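As an added example (not a fragment of the stock CentOS 7 /etc/aide.conf), here is how a custom rule group and a few selection lines for a web server would look. The group name WEBCONF and the paths are hypothetical; the attribute letters are AIDE's own, as documented at the top of aide.conf.

```conf
# Added example, not from the stock /etc/aide.conf. WEBCONF is a
# hypothetical rule group: p=permissions i=inode n=number of links
# u=UID g=GID s=size b=block count m=mtime c=ctime, plus ACLs, SELinux
# context, xattrs, and a sha256 content digest.
WEBCONF = p+i+n+u+g+s+b+m+c+acl+selinux+xattrs+sha256

# Selection lines are regular expressions anchored at the start of the
# path, so "/etc/httpd" covers everything beneath it as well.
/etc/httpd     WEBCONF
/var/www/html  NORMAL

# A negative line (!) excludes a subtree that is expected to churn, so
# its noise does not bury real findings. A path matched by a negative
# line is left out regardless of where the line sits in the file.
!/var/www/html/cache
```

After any change to aide.conf, regenerate the database; the old baseline was built with the old rules and will report every file in a newly added directory as "added".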

With the configuration edited, generate the database by issuing the command aide --init. On a full system this takes a while. When it finishes, AIDE reports that the new database has been written.

Running a check

When you initialize the database, AIDE writes it to /var/lib/aide/aide.db.new.gz rather than over the live database (the database_out and database settings in /etc/aide.conf point at the two paths), so you can re-initialize at any time without clobbering your current baseline. A check, however, reads /var/lib/aide/aide.db.gz. To resolve that, move the newly created database into place with the command:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Once you've taken care of that, issue the command aide --check. The check walks every monitored directory and digests every file, so it takes a considerable amount of time; step away and take care of some other task. When the AIDE check completes, it generates a report that you can comb through (Figure B).

Figure B


Viewing the AIDE report.

Testing AIDE

Let's test that AIDE catches a change. Create an empty dummy file at /usr/bin/aidetest and rerun the command aide --check. In the resulting report, you should see the new file listed under added entries (Figure C).

Figure C


The dummy file reported.

After you review the report and confirm that every change is expected, create a new database; otherwise the same change will be reported on every run against the old baseline. Run aide --init again and, once it completes, move the result into place with the command below. If you would rather combine the two steps, aide --update performs the check and writes aide.db.new.gz in the same pass; you still have to move it into place. Either way, promote a new baseline only after you have read the report: promoting it blindly turns an attacker's modifications into the new "known good".

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Regularly check

Unfortunately, the CentOS AIDE package ships no scheduled job, so the check does not run on its own. You can create a short shell script that runs the check and schedule it as a cron job, having AIDE write each report to a file that you review regularly. A minimal script would look like:

#!/bin/sh
# aide check: write today's report to a dated file
DATE=`date +%Y-%m-%d`
aide --check > /tmp/aidecheck_$DATE.txt

Save that file, give it executable permissions with the command chmod +x FILENAME (FILENAME is the name of your script), and then add a cron job to run the script regularly. Two caveats: /tmp is world-writable, so on a real server send the reports to a directory only root can read, and remember that the check is only as trustworthy as the database it compares against. An intruder who gains root can simply run aide --init to bake their changes into a fresh baseline, so keep a copy of aide.db.gz (or at least its hash) off the box or on read-only media and compare before trusting a run.
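The following is an added example, not the article's script, of a cron-friendly wrapper that addresses both caveats. It assumes the CentOS 7 defaults (/etc/aide.conf, /var/lib/aide/aide.db.gz), that it runs as root, and that sha256sum and logger are available; the report directory /var/log/aide and the pin file /root/aide.db.sha256 are names chosen for this example. The wrapper refuses to run if the on-disk database no longer matches the pinned hash, and it decodes AIDE's exit status (bit 1 new files, bit 2 removed files, bit 4 changed files, 14 and above runtime errors) into a one-line summary for syslog.

```shell
#!/bin/sh
# Added example wrapper for scheduled AIDE checks on CentOS 7.
# Assumptions (not from the original article): stock AIDE paths, run as
# root, and a pinned SHA-256 of the trusted database kept somewhere a
# compromised host cannot quietly rewrite (off-box storage is better
# than the example path used here).
set -u

REPORT_DIR=${AIDE_REPORT_DIR:-/var/log/aide}        # root-only, not /tmp
AIDE_DB=${AIDE_DB:-/var/lib/aide/aide.db.gz}
DB_HASH_FILE=${AIDE_DB_HASH_FILE:-/root/aide.db.sha256}   # "sha256sum" output

# Turn AIDE's exit status into a summary. AIDE ORs together 1 (new files),
# 2 (removed files) and 4 (changed files); 0 means nothing changed and
# anything 14 or above is a runtime error rather than a finding.
describe_aide_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$status" -ge 14 ]; then
        echo "error (exit $status)"
        return 0
    fi
    out=""
    if [ $((status & 1)) -ne 0 ]; then out="${out}new "; fi
    if [ $((status & 2)) -ne 0 ]; then out="${out}removed "; fi
    if [ $((status & 4)) -ne 0 ]; then out="${out}changed "; fi
    echo "${out% }"
}

# Compare the on-disk database against a pinned SHA-256. A check is only
# as trustworthy as its baseline: anyone with root can run "aide --init"
# to hide their changes. Returns 0 on match, 1 on mismatch or missing file.
verify_db_hash() {
    db=$1
    expected=$2
    [ -f "$db" ] || return 1
    actual=$(sha256sum "$db" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Run the check, file the report in a root-only directory, log a summary.
# Returns AIDE's own exit status, or 99 (outside AIDE's range) if the
# baseline could not be verified.
run_aide_check() {
    expected=$(cut -d' ' -f1 "$DB_HASH_FILE") || return 99
    if ! verify_db_hash "$AIDE_DB" "$expected"; then
        logger -t aide "database $AIDE_DB does not match pinned hash; refusing to check"
        return 99
    fi
    mkdir -p "$REPORT_DIR" && chmod 700 "$REPORT_DIR"
    report="$REPORT_DIR/aidecheck_$(date +%Y-%m-%d_%H%M%S).txt"
    aide --check > "$report" 2>&1
    rc=$?
    summary=$(describe_aide_status "$rc")
    logger -t aide "check finished: $summary; report in $report"
    echo "$summary"
    return "$rc"
}

# Only touch AIDE when invoked as "script run", so the functions above can
# be sourced and exercised without a real database present.
if [ "${1:-}" = "run" ]; then
    run_aide_check
fi
```

After every baseline you promote with mv, refresh the pin with sha256sum /var/lib/aide/aide.db.gz > /root/aide.db.sha256 (and copy that file off the host); then schedule the wrapper with a crontab entry such as 0 3 * * * /usr/local/sbin/aidecheck.sh run. Because the wrapper preserves AIDE's exit status, a cron mail filter or monitoring agent can distinguish "changed files" (4) from "new files" (1) without parsing the report.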

Whether you automate AIDE or not, it would behoove you to regularly run checks against the current state of your filesystem.

A must have

You need security for any Linux server; even if you have an incredibly hardened network, that doesn't mean nothing can slip by. Install AIDE on your Linux machines, protect its baseline, and use it regularly and wisely to up your security game.
