AIDE Installation on CentOS

AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system written for Linux systems. It records a baseline of file attributes and checksums in a database and reports files that later differ from it.

Installation

yum install aide

Configuration

Edit the config file at /etc/aide.conf if necessary. One important addition is the DocumentRoot of any webserver. On CentOS with Apache this defaults to /var/www/html, which the default config leaves out of the AIDE database because it is a child of /var, a tree that is considered too volatile to monitor.

Run prelink before creating the initial database to prevent a flood of false positives (prelink rewrites binaries and libraries in place, so a baseline taken before it runs would differ from every prelinked file): prelink -a

Create the initial database

aide --init
AIDE, version 0.13.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

Rename the 'new' database to the name AIDE is configured to use (default: aide.db.gz):

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run a test scan

aide --check
AIDE, version 0.13.1

### All files match AIDE database. Looks okay!

Next, create a cron.daily job that runs an AIDE check and emails the results:

#!/bin/bash
/usr/sbin/aide --check | /bin/mail -s "`hostname` AIDE Report" your@email.com

Don't forget to chmod +x it.

Ideally, the AIDE database, binaries, and configs should be moved to read-only media (e.g. a CD-ROM); the config and cron job will then need to point at the new locations. Once a new package is installed or files change, the AIDE database must be updated, or the new files will keep showing up in every report. Even if the changed or added files are known, it is a bad idea to keep using an outdated database, as it could be exactly those files that later become compromised. This is especially true of webservers, where an unexpected change to the code could indicate a compromise.

Updating the database

Prior to updating the database, remember to run prelink -a if any packages have been installed.

To update the database run aide --update. This creates a new aide.db.new.gz, which must be renamed/moved to match the database location in the config, exactly as after aide --init.
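The rename step after aide --init and again after every aide --update, as an added script that is not part of the original article or of AIDE itself: it keeps a dated copy of the old baseline instead of overwriting it and refuses to install a missing or empty aide.db.new.gz. The AIDE_DIR variable and the "update" argument are conventions of this script only.

```bash
#!/bin/bash
# Added example, not from the original article: install a freshly built
# AIDE database (aide.db.new.gz) as the active one (aide.db.gz), keeping a
# dated copy of the previous database. Paths default to the article's
# /var/lib/aide layout; AIDE_DIR is this script's own override, not an AIDE setting.
set -eu

AIDE_DIR="${AIDE_DIR:-/var/lib/aide}"
NEW_DB="$AIDE_DIR/aide.db.new.gz"
ACTIVE_DB="$AIDE_DIR/aide.db.gz"

# rotate_aide_db NEW ACTIVE
# Fails if NEW is missing or empty (e.g. --update was never run or aborted),
# so a bad run can never wipe the baseline. An existing ACTIVE is renamed to
# ACTIVE.<timestamp> before NEW takes its place.
rotate_aide_db() {
    new="$1"
    active="$2"
    if [ ! -s "$new" ]; then
        echo "no new database at $new; nothing installed" >&2
        return 1
    fi
    if [ -e "$active" ]; then
        backup="$active.$(date +%Y%m%d%H%M%S)"
        mv "$active" "$backup"
        echo "previous database kept as $backup"
    fi
    mv "$new" "$active"
    chmod 0600 "$active"          # the baseline is root-only data
    echo "installed $active"
}

# Full update cycle as the article describes it: prelink first (when it is
# installed), let AIDE rebuild the database, then rotate the new file in.
update_aide_db() {
    if command -v prelink >/dev/null 2>&1; then
        prelink -a
    fi
    # aide --update exits non-zero when it finds differences; that is expected,
    # so do not let set -e abort before the rotation (a failed run leaves no
    # usable aide.db.new.gz and rotate_aide_db refuses it).
    /usr/sbin/aide --update || true
    rotate_aide_db "$NEW_DB" "$ACTIVE_DB"
}

# Run the cycle only when invoked as "aide-update.sh update", so the functions
# can also be sourced from other scripts without side effects.
case "${1:-}" in
    update) update_aide_db ;;
esac
```

The dated copies left in /var/lib/aide can be removed once a check against the new baseline has been reviewed.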

More info is available in the AIDE manual.