HomePage » Security » SecurityIDS

Host based IDE

IdsAIDE
IdsOSSEC

IDS with AIDE

AIDE is a free replacement for TripWire.

Install
Download AIDE from sourceforge and do a source install. configure will tell you libgpg-error-devel, bison and flex are required if not already installed.

Config
Create a configuration file in /usr/local/etc/aide.conf
/etc md5+p+u+g #check for checksun, permission, user, and group under /etc

database=file:/var/lib/aide.db
database_out=file:/var/lib/aide.db.new
report_url=file:/var/log/aide.out


More examples
#AIDE conf

   # Here are all the things we can check - these are the default rules 
   #
   #p:      permissions
   #i:      inode
   #n:      number of links
   #l:      link name
   #u:      user
   #g:      group
   #s:      size
   #b:      block count
   #m:      mtime
   #a:      atime
   #c:      ctime
   #S:      check for growing size
   #I:      ignore changed filename
   #md5:    md5 checksum
   #sha1:   sha1 checksum
   #sha256: sha256 checksum
   #sha512: sha512 checksum
   #rmd160: rmd160 checksum
   #tiger:  tiger checksum
   #haval:  haval checksum
   #crc32:  crc32 checksum
   #R:      p+i+l+n+u+g+s+m+c+acl+selinux+xattrs+md5
   #L:      p+i+l+n+u+g+acl+selinux+xattrs
   #E:      Empty group
   #>:      Growing logfile p+l+u+g+i+n+S+acl+selinux+xattrs
   #The following are available if you have mhash support enabled:
   #gost:   gost checksum
   #whirlpool: whirlpool checksum
   #The following are available when explicitly enabled using configure:
   #acl:    access control list
   #selinux SELinux security context
   #xattr:  extended file attributes

   # You can alse create custom rules - my home made rule definition goes like this 
   #
   MyRule = p+i+n+u+g+s+b+m+c+md5+sha1 

   # Next decide what directories/files you want in the database

   /etc p+i+u+g     #check only permissions, inode, user and group for etc
   /bin MyRule      # apply the custom rule to the files in bin 
   /sbin MyRule     # apply the same custom rule to the files in sbin 
   /var MyRule		
   !/var/log/.*     # ignore the log dir it changes too often
   !/var/spool/.*   # ignore spool dirs as they change too often
   !/var/adm/utmp$  # ignore the file /var/adm/utmp


Usage
First initialize the database
aide --init
cp /var/lib/aide.db.new /var/lib/aide.db


Check for changes
aide --check
less /var/log/aide.out


Update database
aide --update
cp /var/lib/aide.db.new /var/lib/aide.db


Schedule check via crontab
01 * * * * root aide --check || mutt -s AIDE_WARN_hostname  someone@somewhere.com < /var/log/aide.out
Comments [Hide comments/form]
Valid XHTML 1.0 Transitional :: Valid CSS :: Powered by WikkaWiki