What is AIDE?

AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker.

It is a host-based intrusion detection system (HIDS) for checking the integrity of files. It does this by creating a baseline database of files on an initial run, and then checks this database against the system on subsequent runs. File properties that can be checked against include inode, permissions, modification time, file contents, etc.

Scenario: detect changes to the DNS zone files under /var/named and report each change together with the difference between the old record and the new record.

Step by Step Installation:

1. Install Mhash

Mhash is a free (under GNU Lesser GPL) library which provides a uniform interface to a large number of hash algorithms. These algorithms can be used to compute checksums, message digests, and other signatures.

  • wget http://sourceforge.net/projects/mhash/files/mhash/0.9.9/mhash-0.9.9.tar.gz
  • tar -xzvf mhash-0.9.9.tar.gz
  • cd mhash-0.9.9/
  • ./configure

If configure fails with "configure error: you don't have zlib properly installed", then:

  • ./configure --without-zlib
  • make && make install

2. Install AIDE (the rest of this guide assumes AIDE 0.15 unpacked and built under /root/aide-0.15, with the binary installed as /usr/local/bin/aide)

3. Take an initial copy of the zone files with rsync (this copy is what the report later diffs against)

  • mkdir /home/dnsbackup
  • rsync /var/named/* /home/dnsbackup/

4. Replace /root/aide-0.15/doc/aide.conf with the configuration file below.

Note: before that, back up the original: cp /root/aide-0.15/doc/aide.conf /root/ 🙂

#
# AIDE 0.15
#
# example configuration file
#
# IMPORTANT NOTE!! PLEASE READ
#
# This configuration file checks the integrity of the
# AIDE package.
#
# This file is not intended to be used as the primary aide.conf file for
# your system. This file is intended to be a showcase for different
# features for aide.conf file.
#
# WRITE YOUR OWN CONFIGURATION FILE AND UNDERSTAND WHAT YOU ARE WRITING
#
#
# Default values for the parameters are in comments before the
# corresponding line.
#

@@define TOPDIR /root/aide-0.15
@@define LOGDIR /var/log/aide

@@ifndef TOPDIR
@@define TOPDIR /
@@endif

@@ifdef DEBUG
@@define DEBUG ison
@@undef NOT_DEBUG
@@else
@@define NOT_DEBUG true
@@undef DEBUG
@@endif

@@ifhost korppi
@@define KORPPI yes
@@endif

@@ifnhost ftp
@@define BUMMER true
@@endif

# The location of the database to be read.
#database=file:aide.db
database=file:/home/aide/aide.db

# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{TOPDIR}/doc/aide.db.new

# Whether to gzip the output to database
#gzip_dbout=yes

#verbose=5
verbose=20

report_url=stdout
#other possibilities
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#report_url=file:/tmp/aide.txt
#report_url=file:@@{LOGDIR}/aide.log
#report_url=syslog:LOG_AUTH
#report_url=stdout

# @@{TOPDIR} is replaced with /root/aide-0.15 when
# read by aide.
#p: permissions
#ftype: file type
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#R: p+ftype+i+l+n+u+g+s+m+c+md5
#L: p+ftype+i+l+n+u+g
#E: Empty group
#>: Growing logfile p+ftype+l+u+g+i+n+S
#The following are available if you have mhash support enabled:
#gost: gost checksum
#whirlpool: whirlpool checksum
#The following are available and added to the default groups R, L and >
#only when explicitly enabled using configure:
#acl: access control list
#selinux SELinux security context
#xattrs: extended file attributes
#e2fsattrs: file attributes on a second extended file system

# Rule definition
All=R+a+sha1+rmd160+sha256+sha512+tiger+whirlpool

#Let Logfile grow

#LOG = >

# report_attributes is a special rule definition
# the attributes listed in it are always displayed for changed files
# in the final report
report_attributes = u+g

# ignore_list is a special rule definition
# the attributes listed in it are not displayed in the
# final report, it overrules report_attributes where they conflict
#ignore_list = b

# Attributes that can be used to verify that aide is intact
# by people that have downloaded it from the web.
# Let's be paranoid
Norm=l+s+n+b+u+g+a+m+c+ftype

# The commented rules are just examples the rest are used by
# make check

#AIDE check on following folders

/var/named Norm
!/var/named/data
!/var/named/chroot
!/var/named/slaves

#Selection regexp rule
@@{TOPDIR}/.* Norm
#Equals selection: only the directory doc is checked and not its children
#=@@{TOPDIR}/doc L
#Negative selection no rule is necessary but ignored if there
!@@{TOPDIR}/.*~
!@@{TOPDIR}/src/.*\.o
!@@{TOPDIR}/src/(aide|core)$ L
!@@{TOPDIR}/.*RCS
!@@{TOPDIR}/.*CVS
!@@{TOPDIR}/.*aide\.db.*
!@@{TOPDIR}/.*\.cvsignore.*
# @@{TOPDIR}/doc/.* All

  • mkdir /home/aide
  • chown nobody:nobody /home/aide
  • /usr/local/bin/aide -c /root/aide-0.15/doc/aide.conf --init
  • echo yes | cp /root/aide-0.15/doc/aide.db.new /home/aide/aide.db
  • Check that /home/aide/aide.db is owned by root:root; if not, run: chown root:root /home/aide/aide.db
  • Create the file /root/aide_html.sh and copy the content below into it.

Script:

##Starts Here##

#!/bin/bash
# AIDE check for /var/named: mails an HTML summary of the run and, for every
# changed zone, a before/after table built from the rsync copy in /home/dnsbackup.
#echo '<body bgcolor="#6D7B8D">' >> /tmp/aide.log
echo '<h2><center><i>AIDE Report on changes done</i></center></h2>' >> /tmp/aide.log
echo '<HR ALIGN="CENTER" SIZE="3" WIDTH="70%" NOSHADE>' >> /tmp/aide.log
echo '<br>' >> /tmp/aide.log
echo '<pre>' >> /tmp/aide.log
/usr/local/bin/aide -c /root/aide-0.15/doc/aide.conf --check >> /tmp/aide.log
echo '</pre>' >> /tmp/aide.log
echo '</body>' >> /tmp/aide.log
sleep 10
# aide prints this line only when nothing changed; anything else means a change
if ! grep -wqi "All files match AIDE database" /tmp/aide.log
then
    cat /tmp/aide.log | mail -s "$(echo -e "AIDE Changes under /var/named/ on $HOSTNAME\nContent-Type: text/html")" youremailaddress@domain.com -- -f AIDE@domain.com
    # the zone file name is the 4th '/'-separated field of "File: /var/named/<zone>"
    grep 'File' /tmp/aide.log | awk '{ print $2 }' | awk -F '/' '{ print $4 }' > /tmp/grep.txt
    if [ -s /tmp/grep.txt ]
    then
        #echo '<body bgcolor="#6D7B8D">' >> /tmp/domains.txt
        echo '<h2><center><i>Detailed AIDE Report</i></center></h2>' >> /tmp/domains.txt
        echo '<HR ALIGN="CENTER" SIZE="3" WIDTH="70%" NOSHADE>' >> /tmp/domains.txt
        for i in $(cat /tmp/grep.txt)
        do
            echo '<br>' >> /tmp/domains.txt
            echo "<i><b>AIDE Report for $i</b></i>" >> /tmp/domains.txt
            echo '<br>' >> /tmp/domains.txt
            echo '<pre>' >> /tmp/domains.txt
            # the AIDE detail block for this zone runs from its "File:" line to the Ctime line
            sed -n "/File: \/var\/named\/$i/,/Ctime/p" /tmp/aide.log >> /tmp/domains.txt
            echo '</pre>' >> /tmp/domains.txt
            echo '<br>' >> /tmp/domains.txt
            echo '<br>' >> /tmp/domains.txt
            echo "<b><i><center>Difference found for $i under /var/named/</center></i></b>" >> /tmp/domains.txt
            echo '<br>' >> /tmp/domains.txt
            echo '<br>' >> /tmp/domains.txt
            # old records (-) and new records (+) from the unified diff; the ---/+++ file
            # header lines, cPanel comments and the SOA serial bump are filtered out
            minus=$(diff -u --expand-tabs --ignore-all-space --ignore-blank-lines --ignore-space-change /home/dnsbackup/$i /var/named/$i | grep '^-' | grep -v '^---' | grep -iv 'cPanel' | grep -iv 'serial number')
            plus=$(diff -u --expand-tabs --ignore-all-space --ignore-blank-lines --ignore-space-change /home/dnsbackup/$i /var/named/$i | grep '^+' | grep -v '^+++' | grep -iv 'cPanel' | grep -iv 'serial number')
            echo '<TABLE BORDER=7 ALIGN="center" CELLPADDING="8">' >> /tmp/domains.txt
            echo "<caption>$i</caption>" >> /tmp/domains.txt
            echo '<TR>' >> /tmp/domains.txt
            echo '<TH WIDTH="20%">Before</TH>' >> /tmp/domains.txt
            echo '<TH WIDTH="20%">After</TH>' >> /tmp/domains.txt
            echo '</TR>' >> /tmp/domains.txt
            echo '<TR>' >> /tmp/domains.txt
            echo "<TD ALIGN=\"char\"><PRE>$minus</PRE></TD>" >> /tmp/domains.txt
            echo "<TD ALIGN=\"char\"><PRE>$plus</PRE></TD>" >> /tmp/domains.txt
            echo '</TR>' >> /tmp/domains.txt
            echo '<br>' >> /tmp/domains.txt
            echo '</table>' >> /tmp/domains.txt
            echo '<br>' >> /tmp/domains.txt
            echo "<b><i><center>Difference ends for $i</center></i></b>" >> /tmp/domains.txt
            echo '<br>' >> /tmp/domains.txt
        done

        (echo -e "From: aideReport@domain.com\nTo: youremailaddress@domain.com\nCc: youremailaddress@domain.com\nMIME-Version: 1.0\nSubject: AIDE Report for $HOSTNAME\nContent-Type: text/html\n"; cat /tmp/domains.txt) | sendmail -t
    fi
fi
rm -f /tmp/domains.txt /tmp/grep.txt
rm -f /tmp/aide.log
# refresh the baseline and the zone copy so the next run only reports new changes
# (echo yes answers the overwrite prompt of an aliased "cp -i")
/usr/local/bin/aide -c /root/aide-0.15/doc/aide.conf --update
echo yes | cp /root/aide-0.15/doc/aide.db.new /home/aide/aide.db
rsync /var/named/* /home/dnsbackup

##Script Ends here##
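The report above is only as trustworthy as /home/aide/aide.db, which the script rewrites after every run; whoever can edit that database can make a changed zone look unchanged. The following script is an addition to this post (not the author's script) and assumes GNU coreutils: it checks the ownership and mode the post asks for on /home/aide/aide.db, and records a SHA-256 of the database that can be compared before the next --check. The hash file path /root/aide.db.sha256 is an assumption; in practice keep that copy on another host.

```shell
#!/bin/sh
# Added example (not from the original post): guard the AIDE baseline itself.
# AIDE only reports what differs from aide.db, so a rewritten database hides
# changes. Assumes GNU coreutils (stat -c, sha256sum --check). AIDE_DB is the
# post's path; HASH_FILE is an assumed location and belongs on another host.
AIDE_DB=/home/aide/aide.db
HASH_FILE=/root/aide.db.sha256

# Return 0 only if the database exists, has the expected owner (root:root in
# the post) and is not writable by group or others.
check_db_perms() {
    db="$1"; owner="${2:-root:root}"
    [ -f "$db" ] || return 1
    [ "$(stat -c '%U:%G' "$db")" = "$owner" ] || return 1
    case "$(stat -c '%a' "$db")" in        # octal mode, e.g. 644 or 2644
        *[2367][0-7]|*[2367]) return 1 ;;  # group-write or other-write bit set
    esac
    return 0
}

# Record the SHA-256 of the database; run right after aide --init or --update.
record_db_hash() {
    sha256sum "$1" > "$2"
}

# Return 0 while the database still matches the recorded hash, 1 once it differs.
verify_db_hash() {
    sha256sum --check --status "$1"
}

# Usage: aide_guard.sh record | verify   (no argument: only defines the functions)
case "${1:-}" in
    record) check_db_perms "$AIDE_DB" && record_db_hash "$AIDE_DB" "$HASH_FILE" ;;
    verify) if check_db_perms "$AIDE_DB" && verify_db_hash "$HASH_FILE"; then
                echo "aide.db ok"
            else
                echo "aide.db ownership, mode or hash mismatch" >&2; exit 1
            fi ;;
esac
```

Run "aide_guard.sh record" right after the --init step and after each --update in the script, and "aide_guard.sh verify" before each --check.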

Results:


Cheers!!!!