Old 05-25-2003, 06:02 AM   #1
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
INFO: installing, configuring and adjusting AIDE for Debian


As a side note: this is just one thread that is part of my main thread, which is aimed at securing Debian!

AIDE is nice for detecting ANY changes made to the system; it doesn't abuse resources, and it has a lot of checks that can be used, which makes it pretty flexible, as this configuration might outline a bit:
Code:
----------------------------------------------------------------------
installed aide
----------------------------------------------------------------------
	Initialize aide database:	no

	rm -f /etc/aide/aide.conf
	rm -f /etc/cron.daily/aide
----------------------------------------------------------------------




----------------------------------------------------------------------
configured aide
----------------------------------------------------------------------

created /etc/aide/binlib.conf:

# --------------------------------------------------------------------
# base configuration
# --------------------------------------------------------------------
@@define LINES 1000
@@define MAILTO linux-admins@example.com

database=file:/var/lib/aide/binlib.db
database_out=file:/var/lib/aide/binlib.db.new
gzip_dbout=yes
warn_dead_symlinks=yes
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# custom rules
# --------------------------------------------------------------------
Binlib				= p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles			= p+i+n+u+g+s+b+m+c+md5+sha1
Databases			= p+n+u+g
Devices				= p+i+n+u+g+s+b+md5+sha1
Logs				= p+i+n+u+g+S
ManPages			= p+i+n+u+g+s+b+m+c+md5+sha1
StaticDir			= p+i+n+u+g
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# defining what should be checked
# --------------------------------------------------------------------
/bin				Binlib
/lib				Binlib
/sbin				Binlib
/usr/local/bin			Binlib
/usr/local/lib			Binlib
/usr/local/sbin			Binlib
/usr/bin			Binlib
/usr/lib			Binlib
/usr/sbin			Binlib
# --------------------------------------------------------------------



created /etc/aide/chroot.conf:

# --------------------------------------------------------------------
# base configuration
# --------------------------------------------------------------------
@@define LINES 1000
@@define MAILTO linux-admins@example.com

database=file:/var/lib/aide/chroot.db
database_out=file:/var/lib/aide/chroot.db.new
gzip_dbout=yes
warn_dead_symlinks=yes
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# custom rules
# --------------------------------------------------------------------
Binlib				= p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles			= p+i+n+u+g+s+b+m+c+md5+sha1
Databases			= p+n+u+g
Devices				= p+i+n+u+g+s+b+c+md5+sha1
Logs				= p+i+n+u+g+S
ManPages			= p+i+n+u+g+s+b+m+c+md5+sha1
StaticDir			= p+i+n+u+g
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# defining what should be checked
# --------------------------------------------------------------------
/var/spool/postfix/etc		ConfFiles
/var/spool/postfix/lib		Binlib
# --------------------------------------------------------------------



created /etc/aide/etc.conf:

# --------------------------------------------------------------------
# base configuration
# --------------------------------------------------------------------
@@define LINES 1000
@@define MAILTO linux-admins@example.com

database=file:/var/lib/aide/etc.db
database_out=file:/var/lib/aide/etc.db.new
gzip_dbout=yes
warn_dead_symlinks=yes
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# custom rules
# --------------------------------------------------------------------
Binlib				= p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles			= p+i+n+u+g+s+b+m+c+md5+sha1
Databases			= p+n+u+g
Devices				= p+i+n+u+g+s+b+c+md5+sha1
Logs				= p+i+n+u+g+S
ManPages			= p+i+n+u+g+s+b+m+c+md5+sha1
StaticDir			= p+i+n+u+g
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# defining what should be checked
# --------------------------------------------------------------------
!/etc/network/ifstate
!/etc/adjtime
!/etc/ioctl.save
!/etc/mtab
!/etc$
/etc				ConfFiles
# --------------------------------------------------------------------



created /etc/aide/misc.conf:

# --------------------------------------------------------------------
# base configuration
# --------------------------------------------------------------------
@@define LINES 1000
@@define MAILTO linux-admins@example.com

database=file:/var/lib/aide/misc.db
database_out=file:/var/lib/aide/misc.db.new
gzip_dbout=yes
warn_dead_symlinks=yes
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# custom rules
# --------------------------------------------------------------------
Binlib				= p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles			= p+i+n+u+g+s+b+m+c+md5+sha1
Databases			= p+n+u+g
Devices				= p+i+n+u+g+s+b+c+md5+sha1
Logs				= p+i+n+u+g+S
ManPages			= p+i+n+u+g+s+b+m+c+md5+sha1
StaticDir			= p+i+n+u+g
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# defining what should be checked
# --------------------------------------------------------------------
!/dev/core
!/dev/pts
/dev				Devices
/home				StaticDir
!/home
/proc$				StaticDir
!/proc
/usr/doc			ManPages
/usr/man			ManPages
/usr/share/doc			ManPages
/usr/share/man			ManPages
/usr/local/man			ManPages
/var/log$			StaticDir
/var/run$			StaticDir
!/var/run
/var/spool/cron			Databases
/var/spool/cron/crontabs	Databases
# --------------------------------------------------------------------

----------------------------------------------------------------------




----------------------------------------------------------------------
created script to check the databases
				     [ /usr/local/sbin/aide_check.sh ]
----------------------------------------------------------------------


#!/bin/sh

# --------------------------------------------------------------------
# purpose:	check aide databases
# args:		1 = aide name (used for conf, database, logs)
# deps:		aide, bash, GNU utils
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# configuration
# --------------------------------------------------------------------
test -f /etc/aide/$1.conf || exit 0

CONFFILE="/etc/aide/$1.conf"
DATABASE=`grep "^database=file:/" $CONFFILE | head -1 | cut -d: -f2`
DATE=`date +"at %X on %x"`
FQDN=`hostname --fqdn`
LINES=`grep "^@@define LINES" $CONFFILE | head -1 | \
      awk '{ print $3 }'`
# LOGDIR must be set before ERRORLOG and LOGFILE reference it
LOGDIR="/var/log/aide"
ERRORLOG="$LOGDIR/error.$1.log"
LOGFILE="$LOGDIR/aide.$1.log"
MAILTO=`grep "^@@define MAILTO" $CONFFILE | \
	head -1 | awk '{ print $3 }'`
PROGNAME=$(basename $0)
export PATH="/bin:/sbin:/usr/bin:/usr/sbin"
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# checking
# --------------------------------------------------------------------
if [ ! -f $DATABASE ]; then
       (
	 echo "Fatal error: The AIDE database (${DATABASE}) does"
	 echo "not exist! This may mean you haven't created it, or"
	 echo "it may mean that someone has removed it."
	) | \
	/usr/bin/mail -s "AIDE report for $FQDN (Part: $1)" $MAILTO
        exit 0
fi

aide --check --config $CONFFILE >$LOGFILE 2>$ERRORLOG

(cat << EOF;
This is an automated report generated by the Advanced Intrusion
Detection Environment on ${FQDN} ${DATE}.

EOF

if [ -s $LOGFILE ]; then
	loglines=`wc -l $LOGFILE | awk '{ print $1 }'`
	if [ ${loglines:=0} -gt $LINES ]; then
		echo
		echo "TRUNCATED (!) output of the daily AIDE run:"
		echo "Reported were ${loglines}, which has been"
		echo "truncated to ${LINES}!"
		head -$LINES $LOGFILE
		echo "The full output can be found in ${LOGFILE}."
	else
		echo "Output of the daily AIDE run:"
		cat $LOGFILE
	fi
else
	echo "AIDE detected no changes."
fi
if [ -s $ERRORLOG ]; then
	errorlines=`wc -l $ERRORLOG | awk '{ print $1 }'`
	if [ ${errorlines:=0} -gt $LINES ]; then
		echo "TRUNCATED (!) output of errors produced:"
		echo "Reported were ${errorlines}, which has been"
		echo "truncated to ${LINES}."
		head -$LINES $ERRORLOG
		echo "The full output can be found in ${ERRORLOG}."
	else
		echo "Errors produced:"
		cat $ERRORLOG
	fi
else
	echo "AIDE produced no errors."
fi
) | /usr/bin/mail -s "AIDE report for $FQDN (Part: $1)" $MAILTO

# --------------------------------------------------------------------


----------------------------------------------------------------------




----------------------------------------------------------------------
created job to check aide databases	    [ /etc/cron.d/aide_check ]
----------------------------------------------------------------------

00	00	*  * 1	root	/usr/local/sbin/aide_check.sh binlib
00	00	*  * *	root	/usr/local/sbin/aide_check.sh chroot
00	00	*  * *	root	/usr/local/sbin/aide_check.sh etc
01	00	*  * 1	root	/usr/local/sbin/aide_check.sh misc

----------------------------------------------------------------------




----------------------------------------------------------------------
initialized aide databases
----------------------------------------------------------------------
	aide --init --config=/etc/aide/binlib.conf
	mv /var/lib/aide/binlib.db.new /var/lib/aide/binlib.db

	aide --init --config=/etc/aide/chroot.conf
	mv /var/lib/aide/chroot.db.new /var/lib/aide/chroot.db

	aide --init --config=/etc/aide/etc.conf
	mv /var/lib/aide/etc.db.new /var/lib/aide/etc.db

	aide --init --config=/etc/aide/misc.conf
	mv /var/lib/aide/misc.db.new /var/lib/aide/misc.db

	chmod 640 /var/lib/aide/*
	chattr -R +i /var/lib/aide
----------------------------------------------------------------------
 
Old 05-25-2003, 11:51 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,354
Blog Entries: 55

Rep: Reputation: 3541
Excellent. Maybe you should clear some things up, though.
Why use that many config files?
Why does ConfFiles have p+i+n+u+g+s+b+m+c+md5+sha1 and Databases p+n+u+g?
Is this chmod 640 /var/lib/aide/*; chattr -R +i /var/lib/aide the ultimate solution? If not, what is?
 
Old 05-25-2003, 12:14 PM   #3
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Quote:
Excellent. Maybe you should clear some up tho. Why use that many config files?
As you can see from the cron job above, I decided to use different config files for the frequency of checks. The really critical areas (chroot, configs) are checked more frequently than the rest of the system (binlib, misc).
Quote:
Why does ConfFiles have p+i+n+u+g+s+b+m+c+md5+sha1 and Databases p+n+u+g?
For Databases this has been the default setting. I'm considering making that stricter though ... like with the ConfFiles. I'm also considering removing the growing size check from the logfiles due to logrotation.
Quote:
Is this chmod 640 /var/lib/aide/*; chattr -R +i /var/lib/aide the ultimate solution? If not, what is?
The best solution would be putting the database on RO media like a floppy disk with the write protection on. In that case you can drop the immutable attribute.
 
Old 05-26-2003, 12:10 PM   #4
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Well, I have adjusted my configuration. AIDE and my netfilter fw are now on RO media (a floppy), RO by hardware. My /etc/fstab has an entry:

/dev/fd0 /floppy auto ro,nodev,nosuid,noexec,umask=137 0 2
 
Old 05-26-2003, 12:18 PM   #5
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
Quote:
Originally posted by markus1982
AIDE and my netfilter fw are now on a RO media (floppy).
Personally I like the idea of a CD-R better; it's like 500 times bigger, so it can hold more than just aide and the netfilter fw.
You could write all sorts of logs to it; it's pretty cheap and won't fail if a magnet suddenly passes it.
 
  

