Configure AIDE-Advanced Intrusion Detection Environment on CentOS 7/RHEL7.


AIDE stands for Advanced Intrusion Detection Environment. AIDE is a file and directory integrity checker written by Rami Lehti and Pablo Virolainen in 1999.

AIDE supports several message digest algorithms, for example, md5, sha1, rmd160, tiger, crc32, sha256, sha512 to check the integrity of the files.

How AIDE works.

AIDE scans the filesystem and stores the attributes of files and directories in its database. Each time we run AIDE, it compares the current state of the filesystem against that stored database and reports any file that has been altered.

With this in mind, AIDE should be the first thing you install after buying a new VPS.

This article is a Linux AIDE tutorial on how to configure and use AIDE on CentOS 7 effectively.

Here’s what you will find in this guide.

Step 1 – Install AIDE on CentOS 7.

AIDE runs on almost any modern Unix, for example Linux, Solaris, Mac OS, OpenBSD and HP-UX. In this article we will install it on CentOS 7, which takes a single yum command:

shell> yum install aide -y

Check the version of aide by using this command:

shell>  aide -v
Aide 0.15.1

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

The last line also tells us where the AIDE configuration file lives on CentOS 7: /etc/aide.conf.

Now that AIDE is installed on CentOS 7, we will create our first AIDE database.

Step 2 – Create/Initialize the first AIDE database

We can initialize the first aide database by using the following command:

shell> aide --init

The new database is written to the /var/lib/aide directory as aide.db.new.gz:

shell> cd /var/lib/aide
[root@host aide]# ls -lt
total 1352
-rw------- 1 root root 1170228 Dec 5 12:28 aide.db.new.gz

AIDE only reads a database named aide.db.gz (the database path set in /etc/aide.conf), so the freshly created aide.db.new.gz must be renamed before it can be used. We rename it with the mv command:

[root@host aide]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[root@host aide]# ls -lt
total 1352
-rw------- 1 root root 1170228 Dec 5 12:28 aide.db.gz

Next, we will test that AIDE is working.

 

Step 3 – Test the working of AIDE.

Run the first aide --check without making any changes.

[root@host aide]# aide --check

Everything looks okay. Now we will create a new file and run the check again to see whether AIDE detects the presence of the new file.

Create a new file in /usr/bin/ directory named test.sh.

[root@host aide]# touch /usr/bin/test.sh

(Delete test.sh after setting up AIDE.)

Now we run aide --check again to detect the new file.

[root@host aide]# aide --check

AIDE has detected the new file, which shows that it is working fine. We do not want AIDE to report this same change on every subsequent check, so we will update the AIDE database to absorb it.

Update the AIDE database.

To update the AIDE database with the new changes we use the aide --update command. It runs the same comparison as aide --check, but also writes a new database that includes the new file (the test.sh we created for verification), so that the file is no longer reported in the next check.

Next, create an updated aide database.

[root@host aide]# aide --update

Verify the new database.

[root@host aide]# ls -lt
total 2976
-rw------- 1 root root 1170310 Dec 5 12:35 aide.db.new.gz
-rw------- 1 root root 1170228 Dec 5 12:28 aide.db.gz

 

Again, the new database is written as aide.db.new.gz. To use it with AIDE, we need to rename it to aide.db.gz once more.

It is good practice to keep the old database (aide.db.gz) under a dated name before renaming the new one. This way, we can trace back any changes in the future.

[root@host aide]# ls -lshrt
total 2.2M
1.1M -rw------- 1 root root 1.1M Dec 5 12:28 aide.db.gz
1.1M -rw------- 1 root root 1.1M Dec 5 12:35 aide.db.new.gz
[root@host aide]# mv aide.db.gz aide.db.gz.$(date +%Y-%m-%d)
[root@host aide]# mv aide.db.new.gz aide.db.gz
[root@host aide]# ls -lshrt
total 2.2M
1.1M -rw------- 1 root root 1.1M Dec 5 12:28 aide.db.gz.2016-12-05
1.1M -rw------- 1 root root 1.1M Dec 5 12:35 aide.db.gz

 

We can and should automate all these steps with a cron job and a simple script, to reduce our workload.
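The database rotation above (move the old aide.db.gz aside under a dated name, then put aide.db.new.gz in its place) is the step most worth scripting, because a wrong or skipped mv silently leaves AIDE checking against a stale database. The following POSIX sh function is an added example, not part of the original post; it assumes the default CentOS 7 paths /var/lib/aide/aide.db.gz and /var/lib/aide/aide.db.new.gz, and refuses to run when the new database is missing or a backup for that date already exists.

```shell
#!/bin/sh
# Added example (not from the original post): rotate the AIDE database the
# same way as the manual mv steps above, with safety checks.
# Assumes the default CentOS 7 layout from /etc/aide.conf:
#   database     = file:/var/lib/aide/aide.db.gz
#   database_out = file:/var/lib/aide/aide.db.new.gz
#
# Usage: rotate_aide_db [DBDIR] [YYYY-MM-DD]
# Prints the path of the active database on success.
# Returns 1 if there is no new database, 2 if a dated backup already
# exists, 3 if a rename fails.
rotate_aide_db() {
    dir=${1:-/var/lib/aide}
    stamp=${2:-$(date +%Y-%m-%d)}
    new="$dir/aide.db.new.gz"
    cur="$dir/aide.db.gz"
    old="$cur.$stamp"

    # aide --init or aide --update must have produced a non-empty database.
    if [ ! -s "$new" ]; then
        echo "rotate_aide_db: no new database at $new" >&2
        return 1
    fi
    # Never overwrite an existing dated backup (e.g. a second run today),
    # otherwise the history we keep for tracing changes would be lost.
    if [ -e "$old" ]; then
        echo "rotate_aide_db: backup $old already exists" >&2
        return 2
    fi
    # Keep the previous database under a dated name, then activate the new one.
    if [ -e "$cur" ]; then
        mv "$cur" "$old" || return 3
    fi
    mv "$new" "$cur" || return 3
    # The database must stay readable by root only.
    chmod 0600 "$cur"
    echo "$cur"
}

# When executed directly with arguments, rotate the given directory, e.g.:
#   sh rotate_aide_db.sh /var/lib/aide
if [ "$#" -gt 0 ]; then
    rotate_aide_db "$@"
fi
```

Run it right after aide --update (or aide --init) in place of the two mv commands shown above.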

 

Automate the AIDE email reporting process by setting up a Cron Job.

Install Sendmail and Mailx on CentOS 7.

First of all, we need to install the Sendmail and Mailx packages.

shell> yum install mailx sendmail -y

Make sure your hostname is a fully qualified domain name (FQDN); something like server1.domain.com is usually a good choice.

 

Configure SELinux for Sendmail in CentOS 7.

Check if httpd_can_sendmail boolean is on or off.

shell> getsebool -a | grep sendmail
gitosis_can_sendmail --> off
httpd_can_sendmail --> off   # set this on
logging_syslogd_can_sendmail --> off

 

Now, set the httpd_can_sendmail boolean to on (permanently, so it survives a reboot) with this command. Note that this boolean only affects processes confined to the httpd SELinux domain, such as Apache; the cron job created below does not run in that domain.

shell> setsebool -P httpd_can_sendmail=on

Also, start the Sendmail service and enable it to start automatically after a reboot.

shell> systemctl enable sendmail.service
shell> systemctl start sendmail.service

 

 

Create a Script for automatic AIDE email reporting.

Now, we will create a simple script that runs the AIDE check and emails the full report to us on a daily basis.

shell> vi /var/log/aide/aide_report.sh


#!/bin/sh
# DebYum Server report: run the daily AIDE check and mail the result.
DATE=$(date +%Y-%m-%d)
REPORT="Aide-Report-$DATE.txt"
# Write the report files into the root-owned /var/log/aide directory
# instead of the world-writable /tmp, so no other local user can
# pre-create or symlink the files this script writes as root.
RAW=/var/log/aide/aide_report.txt
OUT="/var/log/aide/$REPORT"
echo "System check !! $(date)" > "$OUT"
/usr/sbin/aide --check > "$RAW"
# Full check output, minus the lines containing "failed".
/bin/grep -v failed "$RAW" >> "$OUT"
echo "**************************************" >> "$OUT"
# Repeat the last 20 lines (the summary) so they are easy to find.
/usr/bin/tail -20 "$RAW" >> "$OUT"
echo "****************DONE******************" >> "$OUT"
# Replace admin@example.com with your own email address.
mail -s "$REPORT $(date)" admin@example.com < "$OUT"

 

Replace the email address in the script with your own.

Finally, set up a cron job that runs the script every day (here at 01:06) to automate the AIDE email reporting:

shell> crontab -e

06 01 * * 0-6 /var/log/aide/aide_report.sh

For security, mark the script immutable so that it cannot be modified or deleted, even by root, until the attribute is removed again with chattr -i:

shell> chattr +i /var/log/aide/aide_report.sh

Don’t forget to restart the crond service.

shell> systemctl restart crond.service

Here’s a sample report sent to my Gmail account by the AIDE script.

 

 

Create a label and filter to manage AIDE mail reports in Gmail.

The report emails your server sends will most likely end up in the spam folder of your email account. To store these reports in a structured way, create a label in Gmail and a filter that catches the reports and files them under that label instead of treating them as spam.

This is how you can create a new label and filter in Gmail.

Log in to your Gmail account and go to Settings.

Under the Labels tab, click on Create a new label.

Give the label a name and click Create.

Next, under the Filters and Blocked Addresses tab, click on Create a new filter.

Create a filter using the words you expect to find in the subject of your AIDE mail reports (the script above uses the prefix Aide-Report). Then click on Create filter with this search.

Apply the new label to this filter.

Final result.

Summary

Security of your website should always be your first priority. AIDE helps you detect both authorized and unauthorized changes made to your system. Once again, AIDE should be the first package you install after buying a new VPS.

If possible, configure AIDE before connecting your system to any network.

I hope this Linux AIDE tutorial is useful for you! If I have missed anything, please let us know through the comment box; I will keep updating it based on the feedback received. Thank you! Have a good day 🙂

 

Hello there, My name is Rishi Guleria and I work as a Linux system administrator. I have created this blog to share what I have learned so far and to learn new things. Don't forget to leave the feedback. Have a great day. :)
