LinuxQuestions.org


markus1982 05-25-2003 06:02 AM

INFO: installing, configuring and adjusting AIDE for Debian
 
As a side note: this is just a sub-thread of my main thread, which is aimed at securing Debian!

AIDE is nice for detecting ANY changes done to the system; it doesn't abuse resources and has a lot of checks that can be used, which makes it pretty flexible, as this configuration might outline a bit:
Code:

----------------------------------------------------------------------
installed aide
----------------------------------------------------------------------
        Initialize aide database:        no

        rm -f /etc/aide/aide.conf
        rm -f /etc/cron.daily/aide
----------------------------------------------------------------------




----------------------------------------------------------------------
configured aide
----------------------------------------------------------------------

created /etc/aide/binlib.conf:

# --------------------------------------------------------------------
# base configuration
# --------------------------------------------------------------------
@@define LINES 1000
@@define MAILTO linux-admins@example.com

database=file:/var/lib/aide/binlib.db
database_out=file:/var/lib/aide/binlib.db.new
gzip_dbout=yes
warn_dead_symlinks=yes
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# custom rules
# --------------------------------------------------------------------
Binlib                                = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles                        = p+i+n+u+g+s+b+m+c+md5+sha1
Databases                        = p+n+u+g
Devices                                = p+i+n+u+g+s+b+md5+sha1
Logs                                = p+i+n+u+g+S
ManPages                        = p+i+n+u+g+s+b+m+c+md5+sha1
StaticDir                        = p+i+n+u+g
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# defining what should be checked
# --------------------------------------------------------------------
/bin                                Binlib
/lib                                Binlib
/sbin                                Binlib
/usr/local/bin                        Binlib
/usr/local/lib                        Binlib
/usr/local/sbin                        Binlib
/usr/bin                        Binlib
/usr/lib                        Binlib
/usr/sbin                        Binlib
# --------------------------------------------------------------------



created /etc/aide/chroot.conf:

# --------------------------------------------------------------------
# base configuration
# --------------------------------------------------------------------
@@define LINES 1000
@@define MAILTO linux-admins@example.com

database=file:/var/lib/aide/chroot.db
database_out=file:/var/lib/aide/chroot.db.new
gzip_dbout=yes
warn_dead_symlinks=yes
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# custom rules
# --------------------------------------------------------------------
Binlib                                = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles                        = p+i+n+u+g+s+b+m+c+md5+sha1
Databases                        = p+n+u+g
Devices                                = p+i+n+u+g+s+b+c+md5+sha1
Logs                                = p+i+n+u+g+S
ManPages                        = p+i+n+u+g+s+b+m+c+md5+sha1
StaticDir                        = p+i+n+u+g
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# defining what should be checked
# --------------------------------------------------------------------
/var/spool/postfix/etc                ConfFiles
/var/spool/postfix/lib                Binlib
# --------------------------------------------------------------------



created /etc/aide/etc.conf:

# --------------------------------------------------------------------
# base configuration
# --------------------------------------------------------------------
@@define LINES 1000
@@define MAILTO linux-admins@example.com

database=file:/var/lib/aide/etc.db
database_out=file:/var/lib/aide/etc.db.new
gzip_dbout=yes
warn_dead_symlinks=yes
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# custom rules
# --------------------------------------------------------------------
Binlib                                = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles                        = p+i+n+u+g+s+b+m+c+md5+sha1
Databases                        = p+n+u+g
Devices                                = p+i+n+u+g+s+b+c+md5+sha1
Logs                                = p+i+n+u+g+S
ManPages                        = p+i+n+u+g+s+b+m+c+md5+sha1
StaticDir                        = p+i+n+u+g
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# defining what should be checked
# --------------------------------------------------------------------
!/etc/network/ifstate
!/etc/adjtime
!/etc/ioctl.save
!/etc/mtab
!/etc$
/etc                                ConfFiles
# --------------------------------------------------------------------



created /etc/aide/misc.conf:

# --------------------------------------------------------------------
# base configuration
# --------------------------------------------------------------------
@@define LINES 1000
@@define MAILTO linux-admins@example.com

database=file:/var/lib/aide/misc.db
database_out=file:/var/lib/aide/misc.db.new
gzip_dbout=yes
warn_dead_symlinks=yes
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# custom rules
# --------------------------------------------------------------------
Binlib                                = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles                        = p+i+n+u+g+s+b+m+c+md5+sha1
Databases                        = p+n+u+g
Devices                                = p+i+n+u+g+s+b+c+md5+sha1
Logs                                = p+i+n+u+g+S
ManPages                        = p+i+n+u+g+s+b+m+c+md5+sha1
StaticDir                        = p+i+n+u+g
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# defining what should be checked
# --------------------------------------------------------------------
!/dev/core
!/dev/pts
/dev                                Devices
/home                                StaticDir
!/home
/proc$                                StaticDir
!/proc
/usr/doc                        ManPages
/usr/man                        ManPages
/usr/share/doc                        ManPages
/usr/share/man                        ManPages
/usr/local/man                        ManPages
/var/log$                        StaticDir
/var/run$                        StaticDir
!/var/run
/var/spool/cron                        Databases
/var/spool/cron/crontabs        Databases
# --------------------------------------------------------------------

----------------------------------------------------------------------




----------------------------------------------------------------------
created script to check the databases
                                    [ /usr/local/sbin/aide_check.sh ]
----------------------------------------------------------------------


#!/bin/sh

# --------------------------------------------------------------------
# purpose:        check aide databases
# args:           1 = aide name (used for conf, database, logs)
# deps:           aide, sh, GNU utils, mail
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# configuration
# --------------------------------------------------------------------
test -f "/etc/aide/$1.conf" || exit 0

CONFFILE="/etc/aide/$1.conf"
DATABASE=`grep "^database=file:/" "$CONFFILE" | head -1 | cut -d: -f2`
DATE=`date +"at %X on %x"`
FQDN=`hostname --fqdn`
LINES=`grep "^@@define LINES" "$CONFFILE" | head -1 | \
      awk '{ print $3 }'`
# LOGDIR has to be set before the two log paths that are built from it
LOGDIR="/var/log/aide"
ERRORLOG="$LOGDIR/error.$1.log"
LOGFILE="$LOGDIR/aide.$1.log"
MAILTO=`grep "^@@define MAILTO" "$CONFFILE" | \
        head -1 | awk '{ print $3 }'`
PROGNAME=$(basename "$0")
export PATH="/bin:/sbin:/usr/bin:/usr/sbin"
mkdir -p "$LOGDIR"
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# checking
# --------------------------------------------------------------------
if [ ! -f "$DATABASE" ]; then
      (
        echo "Fatal error: The AIDE database (${DATABASE}) does"
        echo "not exist! This may mean you haven't created it, or"
        echo "it may mean that someone has removed it."
        ) | \
        /usr/bin/mail -s "AIDE report for $FQDN (Part: $1)" "$MAILTO"
        exit 0
fi

# stdout (the change report) and stderr (aide's own errors) are kept apart
aide --check --config "$CONFFILE" >"$LOGFILE" 2>"$ERRORLOG"

(cat << EOF
This is an automated report generated by the Advanced Intrusion
Detection Environment on ${FQDN} ${DATE}.

EOF

if [ -s "$LOGFILE" ]; then
        loglines=`wc -l "$LOGFILE" | awk '{ print $1 }'`
        if [ ${loglines:=0} -gt "$LINES" ]; then
                echo
                echo "TRUNCATED (!) output of the daily AIDE run:"
                echo "Reported were ${loglines}, which has been"
                echo "truncated to ${LINES}!"
                head -n "$LINES" "$LOGFILE"
                echo "The full output can be found in ${LOGFILE}."
        else
                echo "Output of the daily AIDE run:"
                cat "$LOGFILE"
        fi
else
        echo "AIDE detected no changes."
fi
if [ -s "$ERRORLOG" ]; then
        errorlines=`wc -l "$ERRORLOG" | awk '{ print $1 }'`
        if [ ${errorlines:=0} -gt "$LINES" ]; then
                echo "TRUNCATED (!) output of errors produced:"
                echo "Reported were ${errorlines}, which has been"
                echo "truncated to ${LINES}."
                head -n "$LINES" "$ERRORLOG"
                echo "The full output can be found in ${ERRORLOG}."
        else
                echo "Errors produced:"
                cat "$ERRORLOG"
        fi
else
        echo "AIDE produced no errors."
fi
) | /usr/bin/mail -s "AIDE report for $FQDN (Part: $1)" "$MAILTO"

# --------------------------------------------------------------------


----------------------------------------------------------------------




----------------------------------------------------------------------
created job to check aide databases            [ /etc/cron.d/aide_check ]
----------------------------------------------------------------------

00        00        *  * 1        root        /usr/local/sbin/aide_check.sh binlib
00        00        *  * *        root        /usr/local/sbin/aide_check.sh chroot
00        00        *  * *        root        /usr/local/sbin/aide_check.sh etc
01        00        *  * 1        root        /usr/local/sbin/aide_check.sh misc

----------------------------------------------------------------------




----------------------------------------------------------------------
initialized aide databases
----------------------------------------------------------------------
        aide --init --config=/etc/aide/binlib.conf
        mv /var/lib/aide/binlib.db.new /var/lib/aide/binlib.db

        aide --init --config=/etc/aide/chroot.conf
        mv /var/lib/aide/chroot.db.new /var/lib/aide/chroot.db

        aide --init --config=/etc/aide/etc.conf
        mv /var/lib/aide/etc.db.new /var/lib/aide/etc.db

        aide --init --config=/etc/aide/misc.conf
        mv /var/lib/aide/misc.db.new /var/lib/aide/misc.db

        chmod 640 /var/lib/aide/*
        chattr -R +i /var/lib/aide
----------------------------------------------------------------------


unSpawn 05-25-2003 11:51 AM

Excellent. Maybe you should clear some things up, though.
Why use that many config files?
Why does ConfFiles have p+i+n+u+g+s+b+m+c+md5+sha1 and Databases p+n+u+g?
Is this chmod 640 /var/lib/aide/*; chattr -R +i /var/lib/aide the ultimate solution? If not, what is?

markus1982 05-25-2003 12:14 PM

Quote:

Excellent. Maybe you should clear some up tho. Why use that many config files?
As you can see from the cron job above, I decided to use different config files depending on the frequency of the checks. The really critical areas (chroot, configs) are checked more frequently than the rest of the system (binlib, misc).
Quote:

Why does ConfFiles have p+i+n+u+g+s+b+m+c+md5+sha1 and Databases p+n+u+g?
For Databases this has been the default setting. I'm considering making that stricter, though ... like with the ConfFiles. I'm also considering removing the growing-size check from the logfiles because of log rotation.
Quote:

Is this chmod 640 /var/lib/aide/*; chattr -R +i /var/lib/aide the ultimate solution? If not, what is?
The best solution would be putting the database on RO media like a floppy disk with its write protection on. In that case you can drop the immutable attribute.
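
Added example (not part of the thread, and not AIDE's own code): a small Python linter for the rule syntax used in the configs above, which answers the ConfFiles-versus-Databases question mechanically. It parses the `Name = p+i+...` rules and the selection lines and flags every monitored path whose rule carries no checksum, or carries `S`; the attribute letters are those of the aide.conf manual, and the sample config is constructed from the thread's rule names rather than taken from any host.

```python
ATTRS = set("pinugsbmacS")   # attribute letters from the aide.conf manual
CHECKSUMS = {"md5", "sha1", "rmd160", "tiger", "crc32", "haval", "gost"}


def parse_config(text):
    """Return (rules, selections) from aide.conf text; @@define and options are skipped."""
    rules, selections = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # comments and blanks
        if not line or line.startswith("@@"):
            continue
        if line.startswith("!"):                        # negative selection line
            selections.append((line[1:].strip(), None))
        elif "=" in line:                               # rule, or option such as database=
            name, expr = (p.strip() for p in line.split("=", 1))
            tokens = set(expr.split("+"))
            if tokens <= ATTRS | CHECKSUMS:            # only attribute tokens: a rule
                rules[name] = tokens
        else:                                           # "path  Rule"
            path, rule = line.split()
            selections.append((path, rule))
    return rules, selections


def audit(text):
    """Flag selection lines whose rule cannot see a content rewrite (no checksum: AIDE
    never reads the file) or carries S (a rotated log shrinks and trips growing-size).
    '$'-anchored lines select one directory entry only and are skipped."""
    rules, selections = parse_config(text)
    findings = []
    for path, rule in selections:
        if rule is None or path.endswith("$"):
            continue
        if not rules[rule] & CHECKSUMS:
            findings.append((path, rule, "no checksum"))
        if "S" in rules[rule]:
            findings.append((path, rule, "growing-size check"))
    return findings


# Constructed sample in the thread's misc.conf syntax (not any real host's config)
SAMPLE = """
@@define LINES 1000
database=file:/var/lib/aide/misc.db
Databases = p+n+u+g
Devices   = p+i+n+u+g+s+b+c+md5+sha1
Logs      = p+i+n+u+g+S
StaticDir = p+i+n+u+g
!/dev/pts
/dev                      Devices
/proc$                    StaticDir
/var/log                  Logs
/var/spool/cron/crontabs  Databases
"""
```

Running `audit(SAMPLE)` reports the crontab directory under Databases as having no checksum, while /dev under Devices passes; with p+n+u+g AIDE compares only mode, owner, group and link count, so an edited crontab of any size goes unnoticed.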

markus1982 05-26-2003 12:10 PM

Well, I have adjusted my configuration. AIDE and my netfilter fw are now on RO media (floppy), RO by hardware. My /etc/fstab has an entry:

/dev/fd0 /floppy auto ro,nodev,nosuid,noexec,umask=137 0 2

iceman47 05-26-2003 12:18 PM

Quote:

Originally posted by markus1982
AIDE and my netfilter fw are now on a RO media (floppy).

Personally I like the idea of a CD-R better; it's like 500 times bigger, so it can hold more than just aide and the netfilter fw.
You could write all sorts of logs to it, it's pretty cheap and won't fail if suddenly a magnet passes it.

