Formatting code for SecurityIDS
{{parent page="Security"}}
===Host based IDS===
[[AIDE IdsAIDE]]
[[OSSEC IdsOSSEC]]
===IDS with AIDE===
AIDE is a free replacement for TripWire.
==Install==
Download AIDE from SourceForge and do a source install. configure will tell you that libgpg-error-devel, bison and flex are required if they are not already installed.
==Config==
Create a configuration file in /usr/local/etc/aide.conf
%%
/etc md5+p+u+g #check checksum, permissions, user and group under /etc
database=file:/var/lib/aide.db
database_out=file:/var/lib/aide.db.new
report_url=file:/var/log/aide.out
%%
More examples
%%
#AIDE conf
# Here are all the things we can check - these are the default rules
#
#p: permissions
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#R: p+i+l+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+l+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+l+u+g+i+n+S+acl+selinux+xattrs
#The following are available if you have mhash support enabled:
#gost: gost checksum
#whirlpool: whirlpool checksum
#The following are available when explicitly enabled using configure:
#acl: access control list
#selinux: SELinux security context
#xattr: extended file attributes
# You can also create custom rules - my home made rule definition goes like this
#
MyRule = p+i+n+u+g+s+b+m+c+md5+sha1
# Next decide what directories/files you want in the database
/etc p+i+u+g #check only permissions, inode, user and group for etc
/bin MyRule # apply the custom rule to the files in bin
/sbin MyRule # apply the same custom rule to the files in sbin
/var MyRule
!/var/log/.* # ignore the log dir it changes too often
!/var/spool/.* # ignore spool dirs as they change too often
!/var/adm/utmp$ # ignore the file /var/adm/utmp
%%
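To see which attributes a selection line actually ends up checking, here is a small Python resolver, added here as an example and not part of AIDE or of this wiki's setup: it reads the aide.conf syntax shown above (options, rule-group definitions, and the /, ! and = selection lines), expands group names such as MyRule and the built-in R, L and >, and lists included paths whose rule contains no checksum, like the "/etc p+i+u+g" line, where a content change that leaves metadata intact goes unreported. The sample configuration inside is constructed from the rules above, and the option-versus-rule distinction is a heuristic of this script, not AIDE's own parser.

```python
# Built-in attribute groups, as listed in the aide.conf comment block above.
BUILTIN_GROUPS = {"R": "p+i+l+n+u+g+s+m+c+acl+selinux+xattrs+md5",
                  "L": "p+i+l+n+u+g+acl+selinux+xattrs", "E": "",
                  ">": "p+l+u+g+i+n+S+acl+selinux+xattrs"}
# Only checksums cover file *content*; every other attribute is metadata.
CHECKSUMS = {"md5", "sha1", "sha256", "sha512", "rmd160", "tiger",
             "haval", "crc32", "gost", "whirlpool"}
ATTRIBUTES = CHECKSUMS | set("pinlugsbmacSI") | {"acl", "selinux", "xattrs", "xattr"}

def expand(expr, groups):
    """Flatten 'p+i+MyRule' into primitive attributes, resolving group names recursively."""
    attrs = set()
    for tok in filter(None, expr.split("+")):
        attrs |= expand(groups[tok], groups) if tok in groups else {tok}
    return attrs

def parse_aide_conf(text):
    """Return (options, groups, selections); a selection is (kind, regex, attrs)."""
    options, groups, selections = {}, dict(BUILTIN_GROUPS), []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line and line[0] in "/!=":                # selection line
            kind = {"/": "include", "!": "exclude", "=": "equals"}[line[0]]
            parts = (line if kind == "include" else line[1:]).split(None, 1)
            attrs = expand(parts[1], groups) if len(parts) > 1 else set()
            selections.append((kind, parts[0], attrs))
        elif line:                                   # option or rule-group definition
            key, _, val = (s.strip() for s in line.partition("="))
            if all(t in ATTRIBUTES or t in groups for t in val.split("+")):
                groups[key] = val                    # heuristic: e.g. MyRule = p+i+n+...
            else:
                options[key] = val                   # e.g. database=file:/var/lib/aide.db
    return options, groups, selections

def paths_without_checksum(selections):
    """Included paths whose rule has no checksum: an in-place edit that keeps size, owner and mode is not reported."""
    return [regex for kind, regex, attrs in selections
            if kind == "include" and not attrs & CHECKSUMS]

# Constructed sample: the rules and options from the aide.conf above.
SAMPLE_CONF = """
database=file:/var/lib/aide.db
database_out=file:/var/lib/aide.db.new
MyRule = p+i+n+u+g+s+b+m+c+md5+sha1
/etc p+i+u+g    # check only permissions, inode, user and group for etc
/bin MyRule
/var MyRule
!/var/log/.*    # ignore the log dir, it changes too often
!/var/adm/utmp$
"""
```

Running paths_without_checksum(parse_aide_conf(SAMPLE_CONF)[2]) returns ['/etc'], which is the one included path above whose rule would miss a content change that preserves permissions, inode, user and group.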
==Usage==
First initialize the database
%%
aide --init
cp /var/lib/aide.db.new /var/lib/aide.db
%%
Check for changes
%%
aide --check
less /var/log/aide.out
%%
Update the database
%%
aide --update
cp /var/lib/aide.db.new /var/lib/aide.db
%%
Schedule the check via the system crontab (the user field in the entry below means it belongs in /etc/crontab or a file under /etc/cron.d, not in a user crontab)
%%
01 * * * * root aide --check || mutt -s AIDE_WARN_hostname someone@somewhere.com < /var/log/aide.out
%%