markus1982 |
05-25-2003 06:02 AM |
INFO: installing, configuring and adjusting AIDE for Debian
As a side note: this is just one part of my main thread, which is dedicated to securing Debian!
AIDE is good at detecting ANY changes made to the system; it is light on resources and offers a lot of checks that make it quite flexible, as this configuration may illustrate:
Code:
----------------------------------------------------------------------
installed aide
----------------------------------------------------------------------
Initialize aide database: no
rm -f /etc/aide/aide.conf
rm -f /etc/cron.daily/aide
----------------------------------------------------------------------
----------------------------------------------------------------------
configured aide
----------------------------------------------------------------------
created /etc/aide/binlib.conf:
# --------------------------------------------------------------------
# base configuration
# --------------------------------------------------------------------
# AIDE part "binlib": system binaries and libraries. The part name is
# the argument cron passes to aide_check.sh, which reads this file.
# LINES and MAILTO are not AIDE options: aide_check.sh greps these two
# @@define lines for the mailed-report line limit and the recipient.
@@define LINES 1000
@@define MAILTO linux-admins@example.com
# aide_check.sh takes the path it tests for existence from the first
# "database=file:" line; --init writes to database_out, and the .new
# file is moved over the live database by hand afterwards
database=file:/var/lib/aide/binlib.db
database_out=file:/var/lib/aide/binlib.db.new
gzip_dbout=yes
warn_dead_symlinks=yes
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# custom rules
# --------------------------------------------------------------------
# attribute letters (aide.conf(5)): p perms, i inode, n link count,
# u uid, g gid, s size, b block count, m mtime, c ctime, S growing
# size, md5/sha1 content checksums
# only Binlib is used by the selection lines of this file; the other
# rules are kept in step with the other /etc/aide/*.conf parts
# (note: Devices here lacks the c attribute the other parts include)
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Databases = p+n+u+g
Devices = p+i+n+u+g+s+b+md5+sha1
Logs = p+i+n+u+g+S
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1
StaticDir = p+i+n+u+g
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# defining what should be checked
# --------------------------------------------------------------------
# selection lines are regular expressions matched against the path
# (see the $ anchors used in etc.conf and misc.conf), so an unanchored
# /bin also covers everything below /bin
/bin Binlib
/lib Binlib
/sbin Binlib
/usr/local/bin Binlib
/usr/local/lib Binlib
/usr/local/sbin Binlib
/usr/bin Binlib
/usr/lib Binlib
/usr/sbin Binlib
# --------------------------------------------------------------------
created /etc/aide/chroot.conf:
# --------------------------------------------------------------------
# base configuration
# --------------------------------------------------------------------
# AIDE part "chroot": the copies of configuration and libraries under
# /var/spool/postfix (presumably the postfix chroot). The part name is
# the argument cron passes to aide_check.sh, which reads this file.
# LINES and MAILTO are not AIDE options: aide_check.sh greps these two
# @@define lines for the mailed-report line limit and the recipient.
@@define LINES 1000
@@define MAILTO linux-admins@example.com
# aide_check.sh takes the path it tests for existence from the first
# "database=file:" line; --init writes to database_out, and the .new
# file is moved over the live database by hand afterwards
database=file:/var/lib/aide/chroot.db
database_out=file:/var/lib/aide/chroot.db.new
gzip_dbout=yes
warn_dead_symlinks=yes
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# custom rules
# --------------------------------------------------------------------
# attribute letters (aide.conf(5)): p perms, i inode, n link count,
# u uid, g gid, s size, b block count, m mtime, c ctime, S growing
# size, md5/sha1 content checksums
# only ConfFiles and Binlib are used by the selection lines of this
# file; the other rules are kept in step with the other parts
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Databases = p+n+u+g
Devices = p+i+n+u+g+s+b+c+md5+sha1
Logs = p+i+n+u+g+S
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1
StaticDir = p+i+n+u+g
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# defining what should be checked
# --------------------------------------------------------------------
# unanchored paths: everything below these two directories is covered
/var/spool/postfix/etc ConfFiles
/var/spool/postfix/lib Binlib
# --------------------------------------------------------------------
created /etc/aide/etc.conf:
# --------------------------------------------------------------------
# base configuration
# --------------------------------------------------------------------
# AIDE part "etc": the system configuration under /etc. The part name
# is the argument cron passes to aide_check.sh, which reads this file.
# LINES and MAILTO are not AIDE options: aide_check.sh greps these two
# @@define lines for the mailed-report line limit and the recipient.
@@define LINES 1000
@@define MAILTO linux-admins@example.com
# aide_check.sh takes the path it tests for existence from the first
# "database=file:" line; --init writes to database_out, and the .new
# file is moved over the live database by hand afterwards
database=file:/var/lib/aide/etc.db
database_out=file:/var/lib/aide/etc.db.new
gzip_dbout=yes
warn_dead_symlinks=yes
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# custom rules
# --------------------------------------------------------------------
# attribute letters (aide.conf(5)): p perms, i inode, n link count,
# u uid, g gid, s size, b block count, m mtime, c ctime, S growing
# size, md5/sha1 content checksums
# only ConfFiles is used by the selection lines of this file; the
# other rules are kept in step with the other parts
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Databases = p+n+u+g
Devices = p+i+n+u+g+s+b+c+md5+sha1
Logs = p+i+n+u+g+S
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1
StaticDir = p+i+n+u+g
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# defining what should be checked
# --------------------------------------------------------------------
# "!" lines exclude paths; these four are presumably runtime state that
# changes during normal operation (network state, clock drift, ioctl
# save, mount table) and would otherwise show up in every report
!/etc/network/ifstate
!/etc/adjtime
!/etc/ioctl.save
!/etc/mtab
# "$" anchors the exclusion to the /etc directory entry itself (its
# mtime/ctime change whenever one of the excluded files is rewritten);
# the unanchored line below then covers everything under /etc
!/etc$
/etc ConfFiles
# --------------------------------------------------------------------
created /etc/aide/misc.conf:
# --------------------------------------------------------------------
# base configuration
# --------------------------------------------------------------------
# AIDE part "misc": device nodes, a few directory entries, the manual
# and documentation trees and the cron spool. The part name is the
# argument cron passes to aide_check.sh, which reads this file.
# LINES and MAILTO are not AIDE options: aide_check.sh greps these two
# @@define lines for the mailed-report line limit and the recipient.
@@define LINES 1000
@@define MAILTO linux-admins@example.com
# aide_check.sh takes the path it tests for existence from the first
# "database=file:" line; --init writes to database_out, and the .new
# file is moved over the live database by hand afterwards
database=file:/var/lib/aide/misc.db
database_out=file:/var/lib/aide/misc.db.new
gzip_dbout=yes
warn_dead_symlinks=yes
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# custom rules
# --------------------------------------------------------------------
# attribute letters (aide.conf(5)): p perms, i inode, n link count,
# u uid, g gid, s size, b block count, m mtime, c ctime, S growing
# size, md5/sha1 content checksums
# Binlib, ConfFiles and Logs are not used by the selection lines of
# this file; they are kept in step with the other parts
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
# NOTE(review): Databases records neither mtime nor a checksum, so an
# edited crontab that keeps its perms and owner is not reported; see
# the /var/spool/cron lines below
Databases = p+n+u+g
Devices = p+i+n+u+g+s+b+c+md5+sha1
Logs = p+i+n+u+g+S
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1
StaticDir = p+i+n+u+g
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# defining what should be checked
# --------------------------------------------------------------------
# "!" lines exclude paths; "$" anchors a pattern to the directory
# entry itself so only that directory's own attributes are recorded
!/dev/core
!/dev/pts
/dev Devices
# NOTE(review): /home StaticDir is immediately followed by !/home;
# which of the two wins depends on AIDE's rule precedence — confirm
# against aide.conf(5), or write it as "/home$ StaticDir" like the
# /proc pair below if only the directory entry is meant
/home StaticDir
!/home
/proc$ StaticDir
!/proc
/usr/doc ManPages
/usr/man ManPages
/usr/share/doc ManPages
/usr/share/man ManPages
/usr/local/man ManPages
# NOTE(review): with the "$" anchor only the /var/log directory entry
# is recorded and the Logs rule above is unused, so no file under
# /var/log is checked by any part
/var/log$ StaticDir
/var/run$ StaticDir
!/var/run
# NOTE(review): Databases = p+n+u+g carries no checksum; adding
# m+md5+sha1 to the rule would make crontab content changes visible
/var/spool/cron Databases
/var/spool/cron/crontabs Databases
# --------------------------------------------------------------------
----------------------------------------------------------------------
----------------------------------------------------------------------
created script to check the databases
[ /usr/local/sbin/aide_check.sh ]
----------------------------------------------------------------------
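#!/bin/sh
# --------------------------------------------------------------------
# purpose: run aide --check for one database and mail the report
# args: 1 = aide name (selects /etc/aide/<name>.conf, its database
#           and the log files aide.<name>.log / error.<name>.log)
# deps: aide, POSIX sh, GNU utils (grep, head, cut, awk, wc), mail
# exit: 0 after mailing (or when no config exists for the name),
#       1 when the log directory cannot be created, 2 on bad usage
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# configuration
# --------------------------------------------------------------------
# set PATH before the first external command: everything below must
# come from these directories, not from the environment cron or an
# interactive caller passed in
export PATH="/bin:/sbin:/usr/bin:/usr/sbin"
NAME="${1:-}"
# the name is used to build file paths, so only allow a plain word
case "$NAME" in
  "" | *[!A-Za-z0-9_-]*)
    echo "usage: ${0##*/} <aide-name>" >&2
    exit 2
    ;;
esac
CONFFILE="/etc/aide/$NAME.conf"
# no configuration for this part on this host: nothing to do
test -f "$CONFFILE" || exit 0
# LOGDIR has to be defined before the log file names are derived from
# it (the original ordering produced "/error.<name>.log" in /)
LOGDIR="/var/log/aide"
ERRORLOG="$LOGDIR/error.$NAME.log"
LOGFILE="$LOGDIR/aide.$NAME.log"
# database path: the text after "file:" on the first database= line
DATABASE=`grep "^database=file:/" "$CONFFILE" | head -n 1 | cut -d: -f2`
DATE=`date +"at %X on %x"`
FQDN=`hostname --fqdn`
# report line limit and recipient come from the @@define lines of the
# config file; fall back to usable values so that the numeric compare
# and the mail call below never see an empty word
LINES=`grep "^@@define LINES" "$CONFFILE" | head -n 1 | awk '{ print $3 }'`
LINES="${LINES:-1000}"
MAILTO=`grep "^@@define MAILTO" "$CONFFILE" | head -n 1 | awk '{ print $3 }'`
MAILTO="${MAILTO:-root}"
SUBJECT="AIDE report for $FQDN (Part: $NAME)"
# the reports list files and their attributes: keep them group/owner
# readable only, and make sure the log directory exists before aide
# tries to write into it
umask 027
mkdir -p "$LOGDIR" || exit 1
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# checking
# --------------------------------------------------------------------
if [ ! -f "$DATABASE" ]; then
  (
    echo "Fatal error: The AIDE database (${DATABASE}) does"
    echo "not exist! This may mean you haven't created it, or"
    echo "it may mean that someone has removed it."
  ) | /usr/bin/mail -s "$SUBJECT" "$MAILTO"
  exit 0
fi
# aide's exit status is deliberately not checked: a non-zero status
# signals detected changes, which the report below carries anyway
aide --check --config "$CONFFILE" >"$LOGFILE" 2>"$ERRORLOG"
(
  cat << EOF
This is an automated report generated by the Advanced Intrusion
Detection Environment on ${FQDN} ${DATE}.
EOF
  if [ -s "$LOGFILE" ]; then
    # reading from stdin keeps wc from printing the file name
    loglines=`wc -l < "$LOGFILE"`
    if [ "${loglines:-0}" -gt "$LINES" ]; then
      echo
      echo "TRUNCATED (!) output of the daily AIDE run:"
      echo "Reported were ${loglines}, which has been"
      echo "truncated to ${LINES}!"
      head -n "$LINES" "$LOGFILE"
      echo "The full output can be found in ${LOGFILE}."
    else
      echo "Output of the daily AIDE run:"
      cat "$LOGFILE"
    fi
  else
    echo "AIDE detected no changes."
  fi
  if [ -s "$ERRORLOG" ]; then
    errorlines=`wc -l < "$ERRORLOG"`
    if [ "${errorlines:-0}" -gt "$LINES" ]; then
      echo "TRUNCATED (!) output of errors produced:"
      echo "Reported were ${errorlines}, which has been"
      echo "truncated to ${LINES}."
      head -n "$LINES" "$ERRORLOG"
      echo "The full output can be found in ${ERRORLOG}."
    else
      echo "Errors produced:"
      cat "$ERRORLOG"
    fi
  else
    echo "AIDE produced no errors."
  fi
) | /usr/bin/mail -s "$SUBJECT" "$MAILTO"
# --------------------------------------------------------------------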
----------------------------------------------------------------------
----------------------------------------------------------------------
created job to check aide databases [ /etc/cron.d/aide_check ]
----------------------------------------------------------------------
# aide_check.sh <name> reads /etc/aide/<name>.conf and mails the report
# to the MAILTO defined there.
# min hour dom mon dow user command
# binlib (/bin, /lib, /sbin, /usr/...): weekly, Monday 00:00
00 00 * * 1 root /usr/local/sbin/aide_check.sh binlib
# chroot and etc: daily at 00:00, running in parallel with each other
# (and with binlib on Mondays)
00 00 * * * root /usr/local/sbin/aide_check.sh chroot
00 00 * * * root /usr/local/sbin/aide_check.sh etc
# misc (/dev, /home, /proc, docs, /var/...): weekly, Monday 00:01
01 00 * * 1 root /usr/local/sbin/aide_check.sh misc
# NOTE(review): the binaries and libraries covered by binlib.conf are
# only verified once a week, so a change there can stay unreported for
# up to seven days; a daily entry would match the etc/chroot cadence.
----------------------------------------------------------------------
----------------------------------------------------------------------
initialized aide databases
----------------------------------------------------------------------
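# initialise one database per config part; the live database is only
# replaced when aide --init succeeded, so a failed run cannot leave the
# check script with a missing or half-written database (and a stale
# .new from an earlier run is never promoted by mistake)
for name in binlib chroot etc misc; do
  aide --init --config="/etc/aide/$name.conf" \
    && mv "/var/lib/aide/$name.db.new" "/var/lib/aide/$name.db"
done
chmod 640 /var/lib/aide/*
# the immutable bit blocks writes even by root until it is cleared
# again with chattr -i; that also covers later aide --init/--update
# runs, which need to write database_out (*.db.new) in this directory
chattr -R +i /var/lib/aide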
----------------------------------------------------------------------