Securing Linux: Setting up AIDE

December 6th, 2011

Part of the process in creating a more secure Linux environment is tracking changes to sensitive system files. The Advanced Intrusion Detection Environment (AIDE) was developed as a GPL-licensed replacement for Tripwire. AIDE takes a "snapshot" of the state of the system, registering hashes, modification times and other metadata for specific files. This "snapshot" is used to build a database that can be checked against current file states to determine whether modifications have taken place. The AIDE system is straightforward to set up and maintain, with a couple of caveats. The AIDE manual can be found here.

In general, you should install AIDE on a new system, before plugging it into the network. Once you take the initial system snapshot, you should archive a copy of that snapshot offline, to be used as a future integrity reference. Here are the general steps for setting up a new AIDE installation on CentOS 5.x:
1) Install: # yum install aide
2) Initialize: # /usr/sbin/aide --init
3) Archive the initial database snapshot: # cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
4) Copy the snapshot offline (using SFTP etc.)
5) Run a check to ensure you have a clean setup: # /usr/sbin/aide --check

The last step runs a check of current files against your AIDE database. Assuming you run the check immediately after initialization, you should get a confirmation that your setup is good:
AIDE, version xx.xx.xx
### All files match AIDE database. Looks okay!

6) Create a cron job to run a check periodically (at least daily is recommended), and send the results to a monitored email address:
-> create a file /etc/cron.daily/aide.cron with the following contents:
#!/bin/bash
/usr/sbin/aide --check | /bin/mail -s "Daily Aide Data" email@host.com
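The one-line cron job above trusts whatever database is on disk, so an attacker who can alter files can also replace /var/lib/aide/aide.db.gz. The wrapper below is an added example, not part of the original post: it records the SHA-256 of the database at archive time in a reference file (the /root/aide.db.gz.sha256 path and the "run" argument are assumptions) and compares before every check, then sets the mail subject from the outcome so an alert can be triaged from the inbox.

```shell
#!/bin/sh
# Added example wrapper around "aide --check" (assumed paths, adjust to taste).
AIDE_DB=/var/lib/aide/aide.db.gz
REF_SUM=/root/aide.db.gz.sha256   # assumed: "sha256sum aide.db.gz > ..." when archiving offline
MAILTO=email@host.com

# Return 0 when an AIDE report says the filesystem matched the database.
aide_report_clean() {
    printf '%s\n' "$1" | grep -q 'All files match AIDE database'
}

# Return 0 when the on-disk database still has the checksum recorded at archive time,
# 1 on mismatch, 2 when the reference file is missing (treated as an alert too).
db_matches_reference() {
    db="$1"; ref="$2"
    [ -r "$ref" ] || return 2
    expected=$(awk '{print $1}' "$ref")
    actual=$(sha256sum "$db" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Build a subject line that states the worst finding first: a tampered database
# outranks a clean-looking report, because the report itself can no longer be trusted.
mail_subject() {
    dbstatus="$1"; report="$2"
    if [ "$dbstatus" -ne 0 ]; then
        echo "AIDE ALERT: database tampered or missing on $(uname -n)"
    elif aide_report_clean "$report"; then
        echo "AIDE OK: no changes on $(uname -n)"
    else
        echo "AIDE ALERT: file changes on $(uname -n)"
    fi
}

main() {
    if db_matches_reference "$AIDE_DB" "$REF_SUM"; then dbstatus=0; else dbstatus=$?; fi
    # 2>&1 so lgetfilecon_raw-style errors reach the mail instead of the cron log only.
    report=$(/usr/sbin/aide --check 2>&1)
    printf '%s\n' "$report" | /bin/mail -s "$(mail_subject "$dbstatus" "$report")" "$MAILTO"
}

# The cron file invokes this script with the argument "run"; sourcing it only defines functions.
case "${1:-}" in run) main ;; esac
```

Install it executable (chmod 755) since run-parts skips non-executable files, and regenerate the reference checksum whenever you deliberately re-initialize the database after legitimate updates.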

The database, by default, resides in /var/lib/aide, and the configuration file is /etc/aide.conf.
Note that SELinux needs to be enabled (at least in "permissive" mode) for AIDE to run correctly. If during initialization you see errors such as:
"lgetfilecon_raw failed for /usr/share/apps/…:No data available", it is probably related to SELinux. If you can't (or won't) turn on SELinux, you can edit the aide.conf file to remove all references to selinux as follows:

Add these lines (this overrides the built-in defaults for the R, L and > rule groups):
R=p+i+n+u+g+s+m+c+acl+xattrs+md5
L=p+i+n+u+g+acl+xattrs
>=p+u+g+i+n+S+acl+xattrs

Also, find and change these lines as follows (the commented lines are the defaults; the edit simply removes "+selinux"):
#DIR = p+i+n+u+g+acl+selinux+xattrs
DIR = p+i+n+u+g+acl+xattrs

#PERMS = p+i+u+g+acl+selinux
PERMS = p+i+u+g+acl

#DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger

jeff moore General, Productivity, Security