CentOS: configuring a host-based intrusion detection system

One of the first security mechanisms any system administrator wants deployed on a production server is one that detects file tampering: attackers tamper not only with a file's contents but also with its attributes.

AIDE (Advanced Intrusion Detection Environment) is an open-source host-based intrusion detection system. AIDE checks the integrity of system binaries and basic configuration files by checking many file attributes for inconsistencies: permissions, file type, inode, number of links, link name, user, group, file size, block count, modification time, access time, creation time, access control list (ACL), SELinux security context, xattrs and MD5/SHA checksums.

AIDE builds a database of file attributes by scanning the file system of a (not yet tampered with) Linux server. It then compares this database against the attributes of the files on the running server and warns if any of the indexed files changed. For this reason, whenever the system is updated for legitimate reasons or a configuration file is changed, AIDE must re-index the protected files.

For some customers, their security policy may require an intrusion detection system (IDS) to be installed on the server. But whether or not customers ask for an IDS, deploying one is a good idea for any system administrator.

Installing AIDE on CentOS or RHEL

The initial installation of AIDE (and its first run) is best done right after the operating system is installed, before any service is exposed to the Internet or even to the local area network. At this early stage we keep the risk of external intrusion and tampering to a minimum. In fact, this is the only way to make sure the system is clean when AIDE builds its initial database.

For this reason, after installing AIDE with the following command, our machine stays disconnected from the network while we perform some basic configuration tasks, as described below.

# yum install aide

Configuring AIDE

The default configuration file is /etc/aide.conf. It provides several example file-protection rules (such as FIPSR, NORMAL, DIR and DATAONLY); each rule is followed by an equals sign and the list of file attributes to check, or of other predefined rules, separated by +. You can define any custom rule using the same format.


FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

NORMAL = FIPSR+sha512

For example, the definitions above mean that the NORMAL rule checks the following attributes for inconsistencies: permissions (p), inode (i), number of links (n), user (u), group (g), size (s), modification time (m), creation time (c), access control list (acl), SELinux context (selinux), extended attributes (xattrs) and the SHA256/SHA512 checksums (sha256 and sha512).

The defined rules can be applied flexibly to different directories and files (using regular expressions).

[Screenshot: selection lines for /etc in /etc/aide.conf]

An exclamation mark (!) in front of an entry tells AIDE to ignore that subdirectory (or the files inside a directory); other rules can be defined for other subdirectories.

In this case, PERMS is the default rule for /etc and its subdirectories and files. However, no rule applies to the backup files in /etc (/etc/.*~) or to the /etc/mtab file. For some selected subdirectories or files in /etc, the NORMAL rule applies instead of the default rule PERMS.

Defining the appropriate rules and applying them to the right locations in the system is the most difficult part of using AIDE, but good judgment is a good place to start. A rule of thumb is not to check unnecessary attributes. For example, checking the modification time of files in /var/log or /var/spool will certainly lead to a large number of false positives, because many applications and daemons write to these locations frequently. Also, checking multiple checksums may strengthen security, but the price is a longer AIDE run.

In addition, if you specify an e-mail address with the MAILTO variable, the check results can be sent to your mailbox. Put the following line anywhere in /etc/aide.conf:

MAILTO=root@localhost

Running AIDE for the first time

Run the following command to initialize the AIDE database:

# aide --init

The file /var/lib/aide/aide.db.new.gz, built according to /etc/aide.conf, needs to be renamed to /var/lib/aide/aide.db.gz so that AIDE can read it:

# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Now it's time to compare the database against our system and run the first check. To do this, just run:

# aide

When called with no option, AIDE assumes --check.

If no changes were made after the database was created, AIDE returns an OK message after the check.


Managing AIDE in a production environment

After the initial AIDE database is built, the protected server will often need to be updated for various reasons as part of daily system administration. Each time the server is updated, you must rebuild the AIDE database so that the changes are added to it. To do this, use this command:

# aide --update

Like --init, --update writes its result to /var/lib/aide/aide.db.new.gz, so the new database must again be moved over /var/lib/aide/aide.db.gz before the next check uses it.

To protect a production system with AIDE, it's best to schedule a task that regularly runs AIDE checks for any inconsistencies. For example, to schedule AIDE to run once a day and mail the result to an e-mail address:

# crontab -e

0 0 * * * /usr/sbin/aide --check | /usr/bin/mail -s "AIDE run for $HOSTNAME" your@email.com

Testing how AIDE detects file tampering

The following test scenarios demonstrate how AIDE checks file integrity.

Test scenario 1

Let's add a new file (such as /etc/fake).

# cat /dev/null > /etc/fake


Test scenario 2

Let's change a file's permissions and see whether it is detected.

# chmod 644 /etc/aide.conf

Test scenario 3

Finally, let's change a file's contents (for example, add a comment line to /etc/aide.conf).

# echo "#This is a comment" >> /etc/aide.conf

[Screenshot: AIDE report listing the added file and the changed attributes of /etc/aide.conf]

In the screenshot above, the first column shows the file attribute, the second column shows the value stored in the AIDE database, and the third column shows the updated value of that attribute. A blank third column means the attribute did not change (as is the case for the ACL).
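To make the rule expansion, the selection lines for /etc and the init/check cycle from the configuration section concrete, here is a small model of that workflow that also replays the three test scenarios above. It is an added example, not AIDE's code: the PERMS attribute list, the "longest matching pattern wins" precedence, and the omission of acl/selinux/xattrs are assumptions made for this illustration.

```python
import hashlib, os, re, stat
# Constructed /etc/aide.conf-style lines; the PERMS attribute list is assumed.
RULES = {"PERMS": "p+i+u+g+acl+selinux",
         "FIPSR": "p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256",
         "NORMAL": "FIPSR+sha512"}
SELECTION = ["/etc PERMS", "!/etc/.*~", "!/etc/mtab", "/etc/aide.conf NORMAL"]

def expand_rule(name):
    # Flatten a rule that may reference other rules (NORMAL -> FIPSR -> ...).
    attrs = set()
    for tok in RULES[name].split("+"):
        attrs |= expand_rule(tok) if tok in RULES else {tok}
    return attrs

def select_rule(path):
    # '!' lines exclude; else the longest matching prefix regex wins (simplified, assumed).
    best = ("", None)
    for line in SELECTION:
        pattern, _, rule = line.partition(" ")
        if pattern.startswith("!") and re.match(pattern[1:], path):
            return None
        if rule and re.match(pattern, path) and len(pattern) > len(best[0]):
            best = (pattern, rule)
    return best[1]

def snapshot(path, attrs):
    # Record the requested attributes of one file (acl/selinux/xattrs not modelled).
    st = os.lstat(path)
    data = open(path, "rb").read() if stat.S_ISREG(st.st_mode) else b""
    props = {"p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink, "u": st.st_uid,
             "g": st.st_gid, "s": st.st_size, "m": int(st.st_mtime), "c": int(st.st_ctime),
             "sha256": hashlib.sha256(data).hexdigest(), "sha512": hashlib.sha512(data).hexdigest()}
    return {a: props[a] for a in attrs if a in props}

def build_db(root, logical_root="/etc"):
    # Like aide --init: walk root (a stand-in for /etc) and keep selected files only.
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            logical = logical_root + os.path.join(dirpath, name)[len(root):]
            if rule := select_rule(logical):
                db[logical] = snapshot(os.path.join(dirpath, name), expand_rule(rule))
    return db

def check(baseline, current):
    # Like aide --check: list added and removed paths and per-attribute changes.
    changed = {p: {a: (baseline[p][a], current[p][a]) for a in baseline[p]
                   if baseline[p][a] != current[p][a]} for p in baseline.keys() & current.keys()}
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": {p: d for p, d in changed.items() if d}}
```

Point build_db at a scratch directory standing in for /etc, save the result as the baseline, apply the three test changes and call check again: the new file shows up under "added", and /etc/aide.conf reports p, s and both checksums changed while its inode and owner stay the same.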

Concluding remarks

If you find yourself in a situation where there are substantial grounds to believe the system has been tampered with, but you cannot tell at first glance what may have changed, a host-based intrusion detection system such as AIDE will go a long way, because it helps you find out what has changed as soon as possible instead of guessing blindly and wasting valuable time.
