2025-03-26 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article introduces the methods and steps for configuring a host-based intrusion detection system on CentOS. Many people have questions about how to do this in daily operations, so the editor consulted a range of materials and put together a simple, practical procedure. I hope it helps answer the question "how to configure a host-based intrusion detection system on CentOS". Follow along with the editor to find out!
One of the first security measures that every system administrator wants to deploy on a production server is a mechanism to detect file tampering, covering not only the contents of files but also their properties.
AIDE (Advanced Intrusion Detection Environment) is an open source host-based intrusion detection system. AIDE checks the integrity of system binaries and essential configuration files by examining a large number of file attributes, including permissions, file type, inode, number of links, link name, user, group, file size, block count, modification time, access time, creation time, ACL, SELinux security context, extended attributes (xattrs), and md5/sha checksums.
AIDE builds its database of file properties by scanning the file system of a (not yet tampered with) Linux server; later it compares the server's current file properties with those recorded in the database and reports any indexed files that have been modified while the server was running. For this reason, the AIDE database must be re-indexed after the system has been updated or after its configuration files have been legitimately modified.
Some customers may require, under their security policy, that some kind of intrusion detection system be installed on their servers. Whether a customer requires it or not, deploying an intrusion detection system is generally good practice for a system administrator.
Install AIDE on CentOS or RHEL
The best time for the initial installation of AIDE (and its first run) is right after the system has been installed, while no services are exposed to the Internet or even the local area network. At this early stage the risk of intrusion and tampering from outside is minimal; in fact, this is the only way to ensure that the system is still clean when AIDE builds its initial database. (LCTT translation note: of course, if your installation source itself carries a security risk, you cannot establish a trustworthy baseline.)
For the reasons above, right after installing the system we install AIDE with the following command:
# yum install aide
We then keep the machine disconnected from the network while carrying out the basic configuration tasks described below.
Configure AIDE
The default configuration file is /etc/aide.conf. It defines several sample protection rules, such as FIPSR, NORMAL, DIR and DATAONLY: each consists of a rule name, an equal sign, and a list of file attributes to check or of previously defined rules, separated by +. You can define your own rules in the same format.
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
NORMAL = FIPSR+sha512
For example, the NORMAL rule above checks for inconsistencies in the following attributes: permissions (p), inode (i), number of links (n), user (u), group (g), size (s), modification time (m), creation time (c), ACL (acl), SELinux context (selinux), extended attributes (xattrs), and SHA256/SHA512 checksums (sha256 and sha512).
The defined rules can then be applied flexibly to different directories and files, which are specified as regular expressions.
An exclamation point (!) tells AIDE to ignore a subdirectory (or the files in a directory); separate rules can be defined for these.
In the default configuration, for example, PERMS is the default rule for /etc and its subdirectories and files. However, no rule is applied to backup files in /etc (/etc/.*~) or to /etc/mtab, and some selected subdirectories or files in /etc use the NORMAL rule instead of the default PERMS.
Defining the right rules and applying them in the right places is the hardest part of using AIDE, but good judgment is a good start. As a first rule, do not check unnecessary properties. For example, checking the modification time of files in /var/log or /var/spool will produce a large number of false positives, because many applications and daemons legitimately write to those locations all the time. On the other hand, checking more than one checksum may strengthen security, but it also increases the time an AIDE run takes.
Optionally, if you set the MAILTO variable to an e-mail address, the check results can be sent to your mailbox. Just put the following line anywhere in /etc/aide.conf:
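To make the rule and selection-line semantics concrete, here is an added Python example (not part of the original article or of AIDE itself) that expands rule definitions such as NORMAL = FIPSR+sha512 into their attribute sets and decides which rule applies to a given path. The aide.conf fragment is constructed to mirror the description above; the PERMS definition and the matching model (start-anchored regexes, any ! line excludes, longest matching regex wins) are simplifying assumptions, not AIDE's exact algorithm.

```python
import re

# Constructed aide.conf fragment (not the CentOS default); PERMS is assumed.
AIDE_CONF = """
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
NORMAL = FIPSR+sha512
PERMS = p+i+u+g+acl+selinux
/etc PERMS
!/etc/.*~
!/etc/mtab
/etc/aide.conf NORMAL
"""

def parse_conf(text):
    """Split the fragment into rule definitions and (negate, regex, rule) lines."""
    rules, selections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith(("/", "!", "=")) and "=" in line:
            name, expr = (s.strip() for s in line.split("=", 1))
            rules[name] = expr
        else:
            negate = line.startswith("!")
            parts = line.lstrip("!").split()
            selections.append((negate, parts[0], parts[1] if len(parts) > 1 else None))
    return rules, selections

def expand_rule(name, rules):
    """Flatten a rule such as NORMAL = FIPSR+sha512 into its attribute set."""
    attrs = set()
    for tok in rules[name].split("+"):
        attrs |= expand_rule(tok, rules) if tok in rules else {tok}
    return attrs

def attributes_for(path, rules, selections):
    """Attributes AIDE would check for path, or None if it is ignored. Assumed
    simplification: start-anchored regexes, any '!' match excludes, longest match wins."""
    best = None
    for negate, regex, rule in selections:
        if not re.match(regex, path):
            continue
        if negate:
            return None
        if best is None or len(regex) > len(best[0]):
            best = (regex, rule)
    return expand_rule(best[1], rules) if best else None
```

Call parse_conf(AIDE_CONF) once and then attributes_for(path, rules, selections) for each path of interest; /etc/mtab and /etc/passwd~ come back as ignored, /etc/aide.conf gets the full NORMAL set.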
MAILTO=root@localhost
Run AIDE for the first time
Run the following command to initialize the AIDE database:
# aide --init
The /var/lib/aide/aide.db.new.gz file generated according to /etc/aide.conf must be renamed to /var/lib/aide/aide.db.gz so that AIDE can read it:
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Now it is time to check our system against the database for the first time. This is simple, just run:
# aide
When run without options, AIDE assumes the --check option.
If nothing has changed on the system since the database was created, AIDE ends the check with an OK message.
Manage AIDE in production environment
Once the initial AIDE database has been built, ongoing system administration means you will often need to update the protected server for legitimate reasons. After each such update you must rebuild the AIDE database so that its contents reflect the new state. To do so, run:
# aide --update
As with --init, the updated database is written to /var/lib/aide/aide.db.new.gz and must be moved over /var/lib/aide/aide.db.gz before the next check, or AIDE will keep comparing against the old baseline.
To protect your production system with AIDE, it is best to call AIDE from the task scheduler so that it checks for inconsistencies periodically. For example, to run AIDE once a day and send the results by e-mail:
# crontab -e
0 0 * * * /usr/sbin/aide --check | /usr/bin/mail -s "AIDE run for $HOSTNAME" your@email.com
Test AIDE to check for file tampering
The following test scenarios demonstrate how AIDE checks file integrity.
Test scenario 1
Let's add a new file (for example /etc/fake).
# cat /dev/null > /etc/fake
Test scenario 2
Let's modify a file's permissions and see whether it is detected.
# chmod 644 /etc/aide.conf
Test scenario 3
Finally, let's modify a file's contents (for example, append a comment line to /etc/aide.conf).
# echo "# This is a comment" >> /etc/aide.conf
In the screenshot of the resulting AIDE report, the first column shows the file's properties, the second column shows the values in the AIDE database, and the third column shows the updated values. A blank in the third column means that the property has not changed (such as the ACL in this example).
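As an added illustration (example code, not the article's or AIDE's own), the following Python program implements the init/check cycle in miniature: it snapshots a subset of the attributes AIDE records, replays the three scenarios above in a constructed temporary directory, and renders the findings in the three-column layout just described. Attribute letters follow the rule syntax shown earlier; comparing mtime at one-second resolution is an assumption of this example.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

CHECKED = ("p", "i", "n", "u", "g", "s", "m", "sha256")  # AIDE attribute letters

def file_record(path):
    """Snapshot a subset of the attributes listed above, keyed by AIDE's letters."""
    st = os.lstat(path)
    rec = {"p": oct(stat.S_IMODE(st.st_mode)), "i": st.st_ino, "n": st.st_nlink,
           "u": st.st_uid, "g": st.st_gid, "s": st.st_size, "m": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        rec["sha256"] = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return rec

def build_db(root):
    """Like 'aide --init': one record per file below root."""
    return {os.path.join(d, n): file_record(os.path.join(d, n))
            for d, _, files in os.walk(root) for n in files}

def check(db, root):
    """Like 'aide --check': {path: {attr: (database value, new value)}}."""
    now, findings = build_db(root), {}
    for p in sorted(set(db) | set(now)):
        if p not in db or p not in now:
            findings[p] = {"added" if p in now else "removed": (None, None)}
            continue
        diff = {a: (db[p].get(a), now[p].get(a))
                for a in CHECKED if db[p].get(a) != now[p].get(a)}
        if diff:
            findings[p] = diff
    return findings

def report(findings):
    """Render the three columns described above: attribute, old value, new value."""
    out = []
    for p, attrs in findings.items():
        out.append(p)
        out += [f"  {a:<8}{str(o):<18}{'' if n is None else n}" for a, (o, n) in attrs.items()]
    return "\n".join(out)

def demo():
    """Replay the three tampering scenarios against a constructed temp tree."""
    root = tempfile.mkdtemp()
    conf = os.path.join(root, "aide.conf")
    Path(conf).write_text("MAILTO=root@localhost\n")
    os.chmod(conf, 0o600)
    db = build_db(root)                                   # trusted baseline
    Path(root, "fake").touch()                            # scenario 1: new file
    os.chmod(conf, 0o644)                                 # scenario 2: permissions
    Path(conf).write_text(Path(conf).read_text() + "# This is a comment\n")  # scenario 3
    return check(db, root), conf, root
```

Run print(report(demo()[0])) to see the added file and, for aide.conf, the changed p, s and sha256 values beside their database values; rebuilding the database afterwards and checking again yields no findings, which is the counterpart of the --update step.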
This concludes the study of "the methods and steps of configuring a host-based intrusion detection system on CentOS". I hope it has resolved your doubts; combining theory with practice is the best way to learn, so go and try it! If you want to learn more, please keep following this website, where the editor will continue to bring you practical articles.