AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system (HIDS) for checking the integrity of files and directories. It creates a database on its first run, and is then run periodically to compare the current state with that initial database. If it finds discrepancies in file attributes such as permissions, ownership, file size, MAC times, or checksums over the file contents, it generates a report.
Since the database and binary are stored on the local root filesystem, attackers can easily tamper with them if they compromise your system. A good way to protect the database is to store it on another server that can access the monitored server but cannot be accessed from it. Another security issue to consider is the user running AIDE: a non-privileged user is safer than root. For these reasons, I built a Centralized AIDE Server that sends the binary to a non-privileged account on the monitored servers, runs it, receives the reports, and removes the binary and its report.
The following are my test steps:
On the client (192.168.1.6):
Create a non-privileged account and grant sudo privileges to it
# useradd aideuser
# passwd aideuser
# visudo
aideuser ALL=(ALL) NOPASSWD: /home/aideuser/*/aide, /bin/chmod 644 /home/aideuser/*/aide.newdb
On the Centralized AIDE Server (192.168.1.4):
Install AIDE package
# yum install aide words -y
Create a non-privileged account
# useradd aideuser
# passwd aideuser
Allow the non-privileged account to access its client over ssh without a password
# su - aideuser
$ ssh-keygen -t rsa
$ ssh-copy-id -i ~aideuser/.ssh/id_rsa.pub 192.168.1.6
$ exit
Set up a directory tree for AIDE
# mkdir ~aideuser/bin
# mkdir ~aideuser/configs
# mkdir -p ~aideuser/clients/192.168.1.6
# cp /usr/share/doc/aide-0.14/contrib/sshaide.sh ~aideuser/bin/
# cp /usr/sbin/aide ~aideuser/bin/aide.CentOS6.8.x86_64
# ln -s ~aideuser/bin/aide.CentOS6.8.x86_64 ~aideuser/clients/192.168.1.6/aide
# cp /etc/aide.conf ~aideuser/configs/aide.conf.CentOS6.8.x86_64
# ln -s ~aideuser/configs/aide.conf.CentOS6.8.x86_64 ~aideuser/clients/192.168.1.6/aide.conf
Modify the script ~aideuser/bin/sshaide.sh
1. Modify the default mail at line 205
2. Modify the content of line 276 as below:
ssh -t -l $userid $machine "(umask 077 ; cd ${remote_aidedir}; sudo ${remote_aidedir}/aide --init --config=${remote_aidedir}/aide.conf 2>&1 | tee ${remote_aidedir}/initoutput >> /dev/null)"
3. Before line 286 "scp -q ${userid}@${machine}:${remote_aidedir}/aide.newdb ${clientdir}/${machine}/aide.db_${machine}", insert the following line:
ssh -t -l $userid $machine "sudo chmod 644 /home/aideuser/*/aide.newdb"
4. Modify the content of line 292 as below:
ssh -t -l $userid $machine "umask 077 && cd ${remote_aidedir} && sudo ${remote_aidedir}/aide --config=${remote_aidedir}/aide.conf 2>&1 | tee ${remote_aidedir}/report >> /dev/null"
Modify the configuration file ~aideuser/configs/aide.conf.CentOS6.8.x86_64
3 @@define DBDIR /var/lib/aide ==> @@define DBDIR .
4 @@define LOGDIR /var/log/aide ==> @@define LOGDIR .
7 database=file:@@{DBDIR}/aide.db.gz ==> database=file:@@{DBDIR}/aide.db
12 database_out=file:@@{DBDIR}/aide.db.new.gz ==> database_out=file:@@{DBDIR}/aide.newdb
89 /bin NORMAL ==> /bin DIR
90 /sbin NORMAL ==> /sbin DIR
91 /lib NORMAL ==> /lib DIR
92 /lib64 NORMAL ==> /lib64 DIR
94 /usr NORMAL ==> /usr DIR
146 /var/log LOG
147 !/var/log/lastlog
Change the permissions and ownership
# chown -R aideuser.aideuser ~aideuser/
# chmod 700 ~aideuser/bin/sshaide.sh
Remove AIDE package
# yum remove aide -y
Initialize the database for the client
# su - aideuser
$ cd bin
$ ./sshaide.sh -init 192.168.1.6
Test
Log in to the client 192.168.1.6 as root, back up the ps command to the /tmp directory for recovery, and then copy any file over the ps command. Go back to the server 192.168.1.4 and run the check:
$ ./sshaide.sh -check 192.168.1.6
AIDE found differences between database and filesystem!!
Start timestamp: 2016-11-20 14:14:05
Summary:
Total number of files: 21948
Added files: 0
Removed files: 0
Changed files: 1
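---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /bin/ps
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------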
File: /bin/ps
Inode : 1949793 , 1949792
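To act on a report like the one above from a script rather than by eye, its summary counts and changed paths can be extracted with awk. This is an added example, not part of sshaide.sh or of the original post; the function names are hypothetical and the sample report is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not part of sshaide.sh); all function names are hypothetical.

# Constructed sample, taken from the report lines shown in this post.
sample_report() {
cat <<'EOF'
AIDE found differences between database and filesystem!!
Start timestamp: 2016-11-20 14:14:05
Summary:
Total number of files: 21948
Added files: 0
Removed files: 0
Changed files: 1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /bin/ps
EOF
}

# Print "added=N removed=N changed=N". The numeric test on the last field
# skips the "Changed files:" section header, which carries no count.
aide_summary() {
    awk '
        /Added files:/   && $NF ~ /^[0-9]+$/ { a = $NF }
        /Removed files:/ && $NF ~ /^[0-9]+$/ { r = $NF }
        /Changed files:/ && $NF ~ /^[0-9]+$/ { c = $NF }
        END { printf "added=%d removed=%d changed=%d\n", a, r, c }'
}

# Print one "kind path" line per added/removed/changed entry.
aide_paths() {
    awk '/^(added|removed|changed): / {
        kind = $1; sub(/:$/, "", kind)
        path = $0; sub(/^[a-z]+: /, "", path)
        print kind, path }'
}

# Exit 0 (and print the entries) if any reported path lies under one of the
# space-separated directory prefixes in $1, e.g. the DIR-monitored trees.
aide_critical() {
    aide_paths | awk -v prefixes="$1" '
        BEGIN { n = split(prefixes, p, " ") }
        { path = $0; sub(/^[a-z]+ /, "", path)
          for (i = 1; i <= n; i++)
              if (index(path, p[i] "/") == 1) { hit = 1; print; break } }
        END { exit (hit ? 0 : 1) }'
}
sample_report | aide_summary
```

A wrapper could feed it a saved report, for example `aide_critical "/bin /sbin /lib /lib64 /usr" < report`, and raise a higher-priority alert when it exits 0.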
Make AIDE run periodically
$ crontab -e
1 * * * * /home/aideuser/bin/sshaide.sh -check ALL > /dev/null 2>&1
Prevent aideuser from logging in to the system
# usermod -s /sbin/nologin aideuser
If you use the original sshaide.sh as is, you may run into permission problems, because the non-privileged account runs the aide command without root privileges.
do_md(): open() for /etc/securetty failed: Permission denied
do_md(): open() for /etc/shadow- failed: Permission denied
do_md(): open() for /etc/cron.deny failed: Permission denied
do_md(): open() for /etc/gshadow- failed: Permission denied
do_md(): open() for /etc/libaudit.conf failed: Permission denied
do_md(): open() for /etc/shadow failed: Permission denied
do_md(): open() for /etc/gshadow failed: Permission denied
do_md(): open() for /etc/sudoers failed: Permission denied
do_md(): open() for /etc/security/opasswd failed: Permission denied
open_dir():Permission denied: /etc/audit
…