System integrity is put at risk when configuration files are deleted or modified without authorization or careful supervision. How can a change to an important file or directory be detected? This problem is solved by using AIDE.
AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker. It creates a database from the regular expression rules that it finds in the config file(s). Once this database is initialized, it can be used to verify the integrity of the files. It supports several message digest algorithms for checking the integrity of file contents, and all of the usual file attributes can also be checked for inconsistencies. I am going to demonstrate how AIDE can be used to monitor changes in Linux.
To configure AIDE, you first need to install the AIDE package on your server. Install the package using the yum or rpm commands.
 
Once the software is installed, it needs to be configured. The /etc/aide.conf file is the primary configuration file for AIDE. It has three types of configuration directives: configuration lines, selection lines, and macro lines.
Configuration lines take the form param=value. When param is not a built-in AIDE setting, the line is a group definition that lists which changes to look for. For example, the following group definition can be found in the /etc/aide.conf installed by default.
PERMS = p+i+u+g+acl+selinux
The line above defines a group called PERMS that looks for changes in the file permissions (p), inode (i), user ownership (u), group ownership (g), ACLs (acl), or SELinux context (selinux).
Selection lines define which checks are performed on matched directories. The following lines are examples of selection lines:
/dir1 group
=/dir2 group
!/dir3 group
The first line performs the group of checks on /dir1 and all of the files and directories below it. The second line performs the specified group of checks on /dir2; the equals sign specifies that the check is to be done on the directory only and does not recurse below it. The third line excludes /dir3 and all of the files below it from any checks.
The third type of directive is the macro line. Macro lines define variables, with the following syntax:
@@define VAR value
@@{VAR} is then used to reference the macro defined above.
Now let us configure AIDE to monitor changes. To keep it simple, I just removed a few lines from aide.conf, because I only want to monitor changes in the /etc directory. That's my requirement for now.
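As an added illustration (not part of the original article or of AIDE itself), here is a small Python model of how the three directive types combine: it parses a constructed aide.conf fragment and decides which attribute checks apply to a given path. It simplifies AIDE's regular-expression matching to literal path prefixes; the config text is constructed sample input.

```python
import re
# Constructed config in the style of /etc/aide.conf (sample input, not the page's file).
SAMPLE_CONF = """
@@define ETCDIR /etc
PERMS = p+i+u+g+acl+selinux
NORMAL = PERMS+sha256
@@{ETCDIR} NORMAL
=/var/log PERMS
!/etc/mtab PERMS
"""

def parse_conf(text):
    """Return (groups, selections): group name -> set of attribute tokens, plus an
    ordered list of (kind, path, attributes) taken from the selection lines."""
    macros, groups, selections = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@@define"):            # macro line
            _, name, value = line.split(None, 2)
            macros[name] = value
            continue
        # @@{VAR} references are expanded with the values defined above.
        line = re.sub(r"@@\{(\w+)\}", lambda m: macros[m.group(1)], line)
        if line[0] not in "/=!":                    # configuration line = group definition
            name, value = (s.strip() for s in line.split("=", 1))
            groups[name] = set().union(*(groups.get(t, {t}) for t in value.split("+")))
            continue
        kind = {"=": "nonrecursive", "!": "exclude"}.get(line[0], "recursive")
        path, group = line.lstrip("=!").split()
        selections.append((kind, path, groups[group]))
    return groups, selections

def rule_for(path, selections):
    """Which attribute checks apply to one path: an exclusion wins outright, '=' rules
    match only the directory itself, plain rules recurse, and the most specific
    (longest) positive match is used. Simplified model: literal prefixes, not AIDE regexes."""
    best = None
    for kind, rule_path, attrs in selections:
        below = path == rule_path or path.startswith(rule_path.rstrip("/") + "/")
        if kind == "exclude" and below:
            return None
        if (kind == "recursive" and below) or (kind == "nonrecursive" and path == rule_path):
            if best is None or len(rule_path) > len(best[0]):
                best = (rule_path, attrs)
    return best[1] if best else None

GROUPS, SELECTIONS = parse_conf(SAMPLE_CONF)
```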
Execute the aide --init command to initialize the AIDE database. AIDE will scan the file system and record all of the current information about the files and directories specified in the /etc/aide.conf configuration file.
The above command creates the database in a file called /var/lib/aide/aide.db.new.gz. This file has to be renamed to /var/lib/aide/aide.db.gz, because this is where AIDE expects the database to be when performing file system checks.
It is recommended to copy /var/lib/aide/aide.db.gz to another system or location, as this is the reference file used to detect changes and it must itself be protected from tampering.
To see how AIDE tracks and monitors changes, let's change the permissions of the /etc/passwd file and check how AIDE reports it.
Now let's check for changes using the following command: aide --check. This compares the current permissions in the system with the permissions recorded in the AIDE database file. You can see that AIDE found differences between the database and the filesystem, and it also tells you what change has been made and what the original permissions were. It's pretty useful, right? Now we don't have to break our heads or compare with a similar system to know the original permissions associated with this file.
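The init-then-check workflow described above, modelled in Python as an added example (not the article's or AIDE's own code): it records permissions, ownership, inode and a SHA-256 digest for a constructed directory tree, changes one file's mode the way the article does with /etc/passwd, and reports the recorded versus current value. ACL and SELinux attributes are omitted, and the tree is a temporary directory created by the example.

```python
import hashlib, os, stat, tempfile
# Attributes recorded per file: the p/u/g/i members of the article's PERMS group (ACL and
# SELinux context are left out of this model) plus a SHA-256 digest of the contents.
CHECKED = ("p", "u", "g", "i", "sha256")

def snapshot(path):
    """Collect the attributes for one file, as `aide --init` would store them."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"p": stat.filemode(st.st_mode), "u": st.st_uid, "g": st.st_gid,
            "i": st.st_ino, "sha256": digest}

def init_db(root):
    """Walk root recursively (like a `/dir group` selection line) into a reference database."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = snapshot(full)
    return db

def check(root, db):
    """Compare the live tree with the database, as `aide --check` does. Returns
    {relpath: {attr: (recorded, current)}} for changed files and "added"/"removed"
    for files that appeared or disappeared since the database was built."""
    current, findings = init_db(root), {}
    for rel in set(db) | set(current):
        if rel not in current:
            findings[rel] = "removed"
        elif rel not in db:
            findings[rel] = "added"
        else:
            diff = {a: (db[rel][a], current[rel][a]) for a in CHECKED if db[rel][a] != current[rel][a]}
            if diff:
                findings[rel] = diff
    return findings

def demo():
    """Constructed scenario mirroring the article: init, chmod one file, add another, re-check."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "passwd")
        with open(target, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed content
        os.chmod(target, 0o644)
        db = init_db(root)                                  # aide --init
        os.chmod(target, 0o666)                             # the unauthorized change
        with open(os.path.join(root, "new.conf"), "w") as f:
            f.write("option = value\n")
        return check(root, db)                              # aide --check
```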

That's all, friends. Using this tool you can track all the changes in Linux, and it's pretty easy too!
I will be coming up with a few more interesting articles on Linux; till then, stay tuned to Learn linux and don't forget to add your valuable comments.
Just went through your blog. Really, you are masters of Linux. Very well defined about the advanced intrusion detection environment to monitor changes in a Linux server.
Thank you M Jason. There are more updates coming soon. Stay tuned!
I really enjoy simply reading all of your weblogs. Simply wanted to inform you that you have people like me who appreciate your work. Definitely a great post. Hats off to you! The information that you have provided is very helpful.
Thank you Hamza!