Linux Advanced Intrusion Detection Platform – AIDE
AIDE (Advanced Intrusion Detection Environment) on Linux builds on the Unix idea that "everything is a file": it is a tool for recording and checking the integrity of files and directories.
How AIDE Linux Works
AIDE has been around for a long time and is simpler to operate than comparable tools such as Tripwire. It works by taking a snapshot of the system: for every monitored file it records the attributes the administrator selects in the configuration, such as cryptographic hashes, permissions, ownership and modification times. That snapshot becomes the baseline database, which should be copied to external or read-only storage so that an intruder who gains root cannot silently rewrite it. To check the system, the administrator puts the baseline database back where AIDE can read it and runs a check; AIDE compares the current state of the filesystem with the database and reports every added, removed or changed entry. It can also be run periodically, for example from cron, to produce a daily report. In operations security it serves as a host-based integrity monitor: any unexpected alteration, malicious or otherwise, shows up in the report for the administrator to investigate.
Features
Supports message digest algorithms: md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool
Supports file attributes: file type, file permissions, inode, UID, GID, link name, file size, block size, link count, mtime, ctime, atime
Supports POSIX ACLs, SELinux contexts, xattrs and extended file system attributes
Plain-text configuration file, minimalist database
Powerful regular expressions for selecting the files and directories to monitor
Supports gzip compression of the database
Can be built as a standalone, statically linked binary for client/server monitoring setups
Download: http://aide.sourceforge.net
Installation Configuration
yum install aide
vi /etc/aide.conf
MyRule = p+u+g
/www MyRule
!/www/uploads/
!/www/cache/
!/www/tmp/
# MyRule checks only permissions (p), owner (u) and group (g); add a checksum, e.g. MyRule = p+u+g+sha256, to also detect changes to file contents. A leading (!) excludes a directory from monitoring.
# AIDE attribute letters: permissions (p), inode (i), link count (n), owner (u), group (g), size (s), mtime (m), ctime (c, the last inode change, not the creation time), ACL (acl), SELinux context (selinux), xattrs (xattr), SHA-256/SHA-512 checksums (sha256 and sha512).
Initialize Base Database
/usr/sbin/aide -c /etc/aide.conf -i
# Initialize the database; AIDE writes it to /var/lib/aide/aide.db.new.gz
mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# Use the freshly initialized database as the baseline (AIDE reads aide.db.gz during a check); keep a copy off the host so an intruder with root cannot rewrite it
Routine Maintenance
1. Rebuilding the database (incorporating legitimate changes into the baseline)
aide --update
#or aide -u
cd /var/lib/aide/ && mv -f aide.db.new.gz aide.db.gz
# Overwrite the old database with the updated one; do this only after reviewing the reported changes
2. Manual integrity check
aide --check
Email Notification
/home/aide.sh
#!/bin/bash
MAILUSER='[email protected] [email protected]'
# Recipients of the report
log=/home/aide-report-$(date +%Y%m%d).txt
# Where today's report is written; the cleanup at the end uses the same name pattern
aide -C --report=file:"$log" >/dev/null 2>&1
# Run the check (-C) and write the report to $log
if grep -q differences "$log"; then
    # Pick the global IPv4 address in the same /16 as the default gateway for the subject line (route comes from net-tools)
    ipaddr=$(ip addr | grep global | awk '{print $2}' | cut -d / -f 1 | grep "$(route | grep default | awk '{print $2}' | cut -d . -f 1,2)")
    /bin/mail -s "Security report IP:$ipaddr [$(uname -n)] at $(date +'%b %e %H:%M')" $MAILUSER < "$log"
    aide -u
    mv -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    # Mail the report when anything changed, then accept the changes into the baseline.
    # Caveat: a malicious change is reported only once and then becomes part of the baseline, so keep an offline copy of the database to re-check against.
fi
find /home/ -name "aide-report-*.txt" -mtime +60 -exec rm -f {} \;
# Delete reports older than 60 days
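Added example, not code from the original page: the same check-and-report cycle as aide.sh, rewritten as POSIX shell functions that can be exercised offline. It adds two things the script above lacks: the baseline database is verified against a SHA-256 recorded at initialization (kept off the host, as the introduction recommends) before any check is trusted, and changes are reported but never accepted into the baseline automatically. The report-parsing helpers run on constructed sample reports that approximate AIDE's plain-text output; the paths and file names are assumptions, and the real `aide -C --report=file:...` call is only made from check_cycle, which the offline demo does not invoke.

```sh
#!/bin/sh
# Added example, not from the original page: hardened helpers for the AIDE
# check cycle. Paths below are hypothetical; the sample reports are constructed
# and approximate AIDE's plain-text report format.

# verify_baseline DB SUMFILE: succeed only if DB's SHA-256 equals the first
# field of SUMFILE. Record that checksum when the baseline is created and keep
# it (and a copy of the database) off the host.
verify_baseline() {
    [ -f "$1" ] && [ -f "$2" ] || return 1
    expected=$(awk 'NR == 1 { print $1 }' "$2")
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# report_has_changes REPORT: succeed if AIDE reported differences.
report_has_changes() {
    grep -q 'found differences between database and filesystem' "$1"
}

# report_count REPORT KIND: print the Summary count for KIND (Added, Removed
# or Changed), or 0 if the report has no Summary block.
report_count() {
    n=$(awk -v k="$2" '$1 == k && $2 == "entries:" && $NF ~ /^[0-9]+$/ { print $NF; exit }' "$1")
    echo "${n:-0}"
}

# changed_paths REPORT: one path per line from the entry lines
# ("f   p.g ... : /path" in 0.16-style reports, "changed: /path" in older ones).
changed_paths() {
    sed -n -e 's/^[fdlcbps][^:]*: //p' \
           -e 's/^added: //p' -e 's/^removed: //p' "$1"
}

# check_cycle DB SUMFILE REPORT: the page's aide.sh cycle without the automatic
# baseline update. Returns 2 if the baseline is untrusted, 1 if changes were
# found, 0 if everything matched. Whether to run 'aide -u' is left to a human.
check_cycle() {
    if ! verify_baseline "$1" "$2"; then
        echo "baseline $1 does not match its recorded checksum, refusing to check" >&2
        return 2
    fi
    aide -C --report="file:$3" >/dev/null 2>&1
    if report_has_changes "$3"; then
        echo "AIDE: $(report_count "$3" Added) added," \
             "$(report_count "$3" Removed) removed," \
             "$(report_count "$3" Changed) changed"
        changed_paths "$3"
        return 1
    fi
    return 0
}

# write_samples DIR: constructed inputs so the helpers can be exercised offline.
write_samples() {
    cat > "$1/clean.txt" <<'EOF'
AIDE, version 0.16

### All files match AIDE database. Looks okay!
EOF
    cat > "$1/changed.txt" <<'EOF'
AIDE 0.16 found differences between database and filesystem!!

Summary:
  Total number of entries:      4096
  Added entries:                1
  Removed entries:              0
  Changed entries:              2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /www/index.php.bak

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   p.g    . .. . : /www/index.php
f   ..g    . .. . : /www/config.php
EOF
    printf 'stand-in for aide.db.gz\n' > "$1/aide.db.gz"
    sha256sum "$1/aide.db.gz" | awk '{ print $1 }' > "$1/aide.db.gz.sha256"
}

# Stand-alone demo on the constructed samples: sh aide-helpers.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && write_samples "$d"
    verify_baseline "$d/aide.db.gz" "$d/aide.db.gz.sha256" && echo "baseline ok"
    report_has_changes "$d/changed.txt" && changed_paths "$d/changed.txt"
    rm -rf "$d"
fi
```

Save it as aide-helpers.sh and run `sh aide-helpers.sh demo` to exercise the parsers on the constructed reports. In production, call check_cycle from the defend loop with the real database, the checksum file copied back from offline storage and today's report path, and run `aide -u` only after someone has reviewed the paths it lists.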
Loop script (runs the check without a cron entry, which is the first place an attacker looks for scheduled tasks) /home/defend
#!/bin/bash
while true ;do
/home/aide.sh >/dev/null 2>&1
sleep 7200
done
Start Command
cd /home
chmod +x aide.sh defend
nohup ./defend >/dev/null 2>&1 &
# Run in the background; the redirections must come before the trailing &
External Email Configuration /etc/mail.rc
set [email protected]
set smtp=smtp.163.com
set [email protected]
set smtp-auth-password=xxxxxxx
set smtp-auth=login
I use 163 for outbound mail; QQ accounts or newly registered 163 accounts that require SSL may fail to send, in which case you could try sendEmail instead.