Thursday 28 March 2013

Linux: Install AIDE on RedHat

AIDE is widely used to verify the integrity of the system/configuration files.

What AIDE basically does is take a "snapshot" of the state of the system, register hashes,
modification times and other data regarding the files defined by the administrator.
This "snapshot" is used to build a database that is saved and (usually) stored in an external
device.

In this article I will describe how to configure and use AIDE on a RedHat system.

The installation can be done by using the YUM package manager:
yum install aide -y


When the installation has finished, open /etc/aide.conf

Somewhere in the file you will find the rules that define which attributes and hashes are recorded for an object. You can create one that fits your needs or just use one out of the box, which is what I will do... lazy me :)

# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES

Define which directories or files need to be monitored by AIDE and which rule applies to each entry. I added the ones that use the EVERYTHING rule created earlier.

# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/usr NORMAL
/root NORMAL
/etc/httpd EVERYTHING
/etc/sudoers EVERYTHING

/etc/sysconfig EVERYTHING
/var/lib/aide EVERYTHING
/etc/aide.conf EVERYTHING

AIDE doesn't like prelinking, so disable it in /etc/sysconfig/prelink: with prelinking enabled, binaries are rewritten in place, which generates a lot of false positives and makes the checks unreliable.

vi /etc/sysconfig/prelink
PRELINKING=no

Then undo the prelinking that is already applied to the installed binaries:

prelink -ua

Now it's time to initialize the database:
aide --init
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
This creates a new database at /var/lib/aide/aide.db.new.gz. Copy it over the current database with:

cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Now it's time to test our implementation. Run the following command:
aide -c /etc/aide.conf --check

If everything is implemented correctly, it will produce the following result:
AIDE, version 0.14
### All Files match AIDE database. Look okay!


Now it's time to test whether AIDE notices a change to a 'protected' file.
I altered the iptables config file /etc/sysconfig/iptables.

Run the check again; when implemented correctly it will now display the following result:

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------


Directory: /etc/sysconfig
  Mtime    : 2013-03-28 15:11:16              , 2013-03-28 16:07:22
  Ctime    : 2013-03-28 15:11:16              , 2013-03-28 16:07:22

File: /etc/sysconfig/iptables
  Size     : 3479                             , 3487
  Mtime    : 2013-03-19 15:53:37              , 2013-03-28 16:07:22
  Ctime    : 2013-03-19 15:53:37              , 2013-03-28 16:07:22
  MD5      : BtqGdWL3CJeTiPOH/aIUkQ==         , Y3jdQkGEZQMpC6Y967iWcQ==
  SHA1     : JTS/Di3TE7saCk+VeKuvXaJtPmc=     , yJqNL9kQRmMgbn+j5kgPNYvDlZY=
  RMD160   : qdCRAfjNAcIpTrKzPy3gwXWVBP4=     , KCvJimwEVkoy24o6HKAhBM1RjWE=
  TIGER    : pJCdJzNm7UaRBFI7RCT9kjR02SK9X4xN , yNGEp+KOaNsxhby3TaIk+R0Dh4CjL8Es
  SHA256   : +4sNmDXiwyO19V7rmBpbv4AxuV+l4XqI , ZRvkPbVeIKRUWOQVplgPouSz0O2zj3fy
  SHA512   : nwi2dyXwGZFwfQq/3qvFa0CToAfhWqvf , i3p1lkTAcNnI4kYKagGeYuG1JpZ+nsxM
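As an added example (not part of the original post), here is a small POSIX shell helper that reads an AIDE report like the one above from stdin and separates entries whose content hash changed from entries with only metadata (mtime/ctime) differences, which is useful when deciding what to alert on from a cron job. The sample report embedded in the script is constructed from the post's output, with some lines shortened; `aide_classify_report` and `aide_content_changed` are names I chose.

```shell
#!/bin/sh
# Added example: classify the entries of an "aide --check" report.
# Sample report constructed from the post's output (not a real run).
AIDE_REPORT_SAMPLE='Directory: /etc/sysconfig
  Mtime    : 2013-03-28 15:11:16              , 2013-03-28 16:07:22
  Ctime    : 2013-03-28 15:11:16              , 2013-03-28 16:07:22

File: /etc/sysconfig/iptables
  Size     : 3479                             , 3487
  Mtime    : 2013-03-19 15:53:37              , 2013-03-28 16:07:22
  SHA256   : +4sNmDXiwyO19V7rmBpbv4AxuV+l4XqI , ZRvkPbVeIKRUWOQVplgPouSz0O2zj3fy
'

# Read an AIDE report on stdin and print one line per changed entry:
#   "content <path>"  when at least one hash attribute differs
#   "metadata <path>" when only size/times/permissions differ
aide_classify_report() {
    awk '
        function flush() {
            if (path != "") print (hashed ? "content" : "metadata"), path
            path = ""; hashed = 0
        }
        # A new entry starts with "File: " or "Directory: "; keep the path only.
        /^(File|Directory): / { flush(); sub(/^[^:]+: /, ""); path = $0; next }
        # Any hash attribute line marks the entry as a content change.
        /^  (MD5|SHA1|SHA256|SHA512|RMD160|TIGER|WHIRLPOOL|CRC32) +:/ { hashed = 1 }
        END { flush() }
    '
}

# Exit 0 if the report on stdin contains at least one content change, else 1.
aide_content_changed() {
    aide_classify_report | grep -q '^content '
}

# Stand-alone demo on the constructed sample.
printf '%s' "$AIDE_REPORT_SAMPLE" | aide_classify_report
```

In production you would feed it the real report, e.g. `aide -c /etc/aide.conf --check | aide_classify_report`, and page on any "content" line while treating "metadata"-only lines as lower priority.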