Using Advanced Intrusion Detection Environment, AIDE
Server - CentOS

The Advanced Intrusion Detection Environment, AIDE, has replaced the free version of Tripwire. It works the same as Tripwire, and uses the same command switches. As is the case with the free version of Tripwire, AIDE works best for small-scale use. For taking care of larger networks, you'll want to try the commercial version of Tripwire.

The best time to install either Tripwire or AIDE is as soon as possible after you've just installed a new operating system. If you wait for any significant time afterward, you'll run the risk that someone might already have installed a rootkit by the time you do your first check. Since Tripwire and AIDE work by detecting changes in files, neither would be able to detect a rootkit that had been previously installed.

It's also recommended that you change the configuration of these programs so that the initialization database is stored on a floppy disk, instead of on the hard drive. That way, if someone does break in, he won't be able to tamper with your database. You can do this by opening the /etc/aide.conf file, and changing the second line in the file to:

@@define DBDIR /mnt/floppy/aide

If your system is running SELinux you will see a lot of errors related to the SELinux settings; if SELinux is disabled you will instead see hundreds of warnings. With SELinux disabled you can avoid all of those warnings by removing the selinux check from the rule definitions in /etc/aide.conf, so that they read as follows:

ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
EVERYTHING = p+i+n+u+g+s+m+c+acl+xattrs+md5+ALLXTRAHASHES
NORMAL = p+i+n+u+g+s+m+c+acl+xattrs+md5+rmd160+sha256
DIR = p+i+n+u+g+acl+xattrs
PERMS = p+i+u+g+acl
LOG = p+u+g+i+n+S+acl+xattrs
LSPP = p+i+n+u+g+s+m+c+acl+xattrs+md5+sha256
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger

Initialize the database first. This creates the new database in /var/lib/aide; rename it to the name aide expects before running the first check.

aide --init

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

aide --check

AIDE, version 0.13.1

### All files match AIDE database. Looks okay!

If you run aide --check and files have changed, review each file and determine whether the change is legitimate. If it is, run an update. In the example below you can see the changed files and, for those whose content changed, the old and new checksums.

AIDE found differences between database and filesystem!!
Start timestamp: 2006-08-12 19:37:06

Summary:
Total number of files: 269108
Added files: 1
Removed files: 0
Changed files: 7

---------------------------------------------------
Added files:
---------------------------------------------------
added:/root/aide_init.png
---------------------------------------------------
Changed files:
---------------------------------------------------
changed:/root
changed:/root/.gconfd
changed:/root/.gconfd/saved_state
changed:/root/.rhn-applet.conf
changed:/root/.gnome2_private
changed:/root/.gconf/apps/gnome-settings/gnome-panel-screenshot
changed:/root/.gconf/apps/gnome-settings/gnome-panel-screenshot/%gconf.xml
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /root
Mtime : 2006-08-12 18:45:08 , 2006-08-12 19:34:43
Ctime : 2006-08-12 18:45:08 , 2006-08-12 19:34:43

Directory: /root/.gconfd
Mtime : 2006-08-12 18:46:05 , 2006-08-12 19:35:05
Ctime : 2006-08-12 18:46:05 , 2006-08-12 19:35:05

File: /root/.gconfd/saved_state
Mtime : 2006-08-12 18:46:05 , 2006-08-12 19:35:05
Ctime : 2006-08-12 18:46:05 , 2006-08-12 19:35:05
Inode : 1296092 , 1295517
MD5 : v/qlqHmdeLNudHyU+uOTtQ== , 77GBQoTIaRoaGLe26HXbQA==
SHA1 : OH627hZUYx4qOLNQer+zIEhoxQY= , kuCBemwtfCWpoXy0yzfyiLO1nIw=

File: /root/.rhn-applet.conf
Mtime : 2006-08-12 18:45:27 , 2006-08-12 19:31:06
Ctime : 2006-08-12 18:45:27 , 2006-08-12 19:31:06

Directory: /root/.gnome2_private
Ctime : 2006-08-12 18:46:02 , 2006-08-12 19:34:20

Directory: /root/.gconf/apps/gnome-settings/gnome-panel-screenshot
Mtime : 2006-08-07 10:02:50 , 2006-08-12 19:35:43
Ctime : 2006-08-07 10:02:50 , 2006-08-12 19:35:43

File: /root/.gconf/apps/gnome-settings/gnome-panel-screenshot/%gconf.xml
Size : 948 , 1052
Mtime : 2006-08-07 10:02:50 , 2006-08-12 19:35:43
Ctime : 2006-08-07 10:02:50 , 2006-08-12 19:35:43
Inode : 1869108 , 1867936
MD5 : qJAU5QN5aLH48sn0kcRVSw== , Y2GEo7nfTOx+mR/0ApETcA==
SHA1 : Ul8ZUUFGe26pHHT38a/glP+CtDc= , u2I7euF7gggthDfw+Y8jWjf4mCE=
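As an added example, not part of the original page or of AIDE itself, the Python below parses a report in the format shown above and splits the changed paths into those whose content differs (a hash or the size changed) and those with only metadata changes, which is the triage you would want a scheduled check to do before anyone runs aide --update. The embedded sample report is a constructed, trimmed copy of the report above; the attribute names it recognises are the ones AIDE prints in the detailed section.

```python
import re

# Constructed sample: a trimmed copy of an "aide --check" report (only the sections parsed here).
SAMPLE_REPORT = """\
AIDE found differences between database and filesystem!!

Summary:
Total number of files: 269108
Added files: 1
Removed files: 0
Changed files: 2

Detailed information about changes:

Directory: /root
Mtime : 2006-08-12 18:45:08 , 2006-08-12 19:34:43
Ctime : 2006-08-12 18:45:08 , 2006-08-12 19:34:43

File: /root/.gconfd/saved_state
Mtime : 2006-08-12 18:46:05 , 2006-08-12 19:35:05
MD5 : v/qlqHmdeLNudHyU+uOTtQ== , 77GBQoTIaRoaGLe26HXbQA==
SHA1 : OH627hZUYx4qOLNQer+zIEhoxQY= , kuCBemwtfCWpoXy0yzfyiLO1nIw=
"""

# Attributes whose change means the content changed, not just the metadata around it.
CONTENT_ATTRS = {"Size", "MD5", "SHA1", "RMD160", "SHA256", "SHA512", "TIGER"}

SUMMARY_RE = re.compile(r"^(Total number of files|Added files|Removed files|Changed files): (\d+)$")
ENTRY_RE = re.compile(r"^(File|Directory): (\S+)$")
ATTR_RE = re.compile(r"^(\w+)\s*: (.+?) , (.+)$")   # "Mtime : old , new"

def parse_aide_report(text):
    """Return (summary counts, {path: {attribute: (old, new)}}); a clean report gives ({}, {})."""
    summary, details, current = {}, {}, None
    for line in text.splitlines():
        if m := SUMMARY_RE.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := ENTRY_RE.match(line):
            current = m.group(2)
            details[current] = {}
        elif current and (m := ATTR_RE.match(line)):
            details[current][m.group(1)] = (m.group(2), m.group(3))
    return summary, details

def triage(details):
    """Split changed paths into ones to review by hand (content differs) and metadata-only noise."""
    content = sorted(p for p, attrs in details.items() if CONTENT_ATTRS & attrs.keys())
    noise = sorted(p for p in details if p not in content)
    return content, noise
```

Run it against the saved output of aide --check from cron and alert only on the first list; the second list is what you expect to clear with aide --update after a quick look.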

 

Now run an update.

aide --update

Once you have updated, change to the database directory and copy the new database over the original.

cd /var/lib/aide
cp aide.db.new.gz aide.db.gz

You will need to update after every check whose changes you have verified, so that files you have already reviewed do not show up again in the next report.