Posted by: kezhong | November 23, 2016

Building a Centralized AIDE Server on CentOS 6

AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system (HIDS) that checks the integrity of files and directories. It builds a database the first time it runs and is then run periodically to compare the current state of the filesystem with that database. If any recorded attribute of a file has changed (permissions, ownership, size, MAC times, or a checksum over the contents), it generates a report.

Since the database and the aide binary live on the local root filesystem, an attacker who compromises the host can easily tamper with both. A good way to protect the database is to keep it on another server, one that can reach the monitored host but cannot be reached from it. A second security consideration is the user that runs AIDE: a non-privileged account is safer than root. For these reasons I built a centralized AIDE server that pushes the binary to a non-privileged account on each monitored server, runs it, fetches the report, and then removes both the binary and the report from the client.

The following are my test steps:

On the client (192.168.1.6):
Create a non-privileged account and grant it passwordless sudo for exactly the two commands the server will invoke
# useradd aideuser
# passwd aideuser
# visudo
aideuser ALL=(ALL) NOPASSWD: /home/aideuser/*/aide, /bin/chmod 644 /home/aideuser/*/aide.newdb

Keep in mind what the first entry grants: aideuser may run as root, without a password, any file named aide inside a directory it owns, so whoever holds this account's SSH private key effectively holds root on the client. Guard the key on the AIDE server as you would a root credential, and restrict it on the client side (for example with a from="192.168.1.4" option on the key in ~aideuser/.ssh/authorized_keys).

On the Centralized AIDE Server(192.168.1.4):
Install AIDE package
# yum install aide words -y

Create a non-privileged account
# useradd aideuser
# passwd aideuser

Allow the non-privileged account to log in to its client over ssh without a password
# su - aideuser
$ ssh-keygen -t rsa
$ ssh-copy-id -i ~aideuser/.ssh/id_rsa.pub 192.168.1.6
$ exit

Set up a directory tree for AIDE (the per-client directory must be named after the client's address, 192.168.1.6, because sshaide.sh looks it up by machine name)
# mkdir ~aideuser/bin
# mkdir ~aideuser/configs
# mkdir -p ~aideuser/clients/192.168.1.6
# cp /usr/share/doc/aide-0.14/contrib/sshaide.sh ~aideuser/bin/
# cp /usr/sbin/aide ~aideuser/bin/aide.CentOS6.8.x86_64
# ln -s ~aideuser/bin/aide.CentOS6.8.x86_64 ~aideuser/clients/192.168.1.6/aide
# cp /etc/aide.conf ~aideuser/configs/aide.conf.CentOS6.8.x86_64
# ln -s ~aideuser/configs/aide.conf.CentOS6.8.x86_64 ~aideuser/clients/192.168.1.6/aide.conf

Modify the script ~aideuser/bin/sshaide.sh (line numbers refer to the copy shipped with aide-0.14)
1. Change the default mail address at line 205.
2. Replace line 276 with:
ssh -t -l $userid $machine "(umask 077 ; cd ${remote_aidedir}; sudo ${remote_aidedir}/aide --init --config=${remote_aidedir}/aide.conf 2>&1 | tee ${remote_aidedir}/initoutput >> /dev/null)"
3. Before line 286, "scp -q ${userid}@${machine}:${remote_aidedir}/aide.newdb ${clientdir}/${machine}/aide.db_${machine}", insert the following line:
ssh -t -l $userid $machine "sudo chmod 644 /home/aideuser/*/aide.newdb"
This is needed because aide --init runs under sudo with umask 077, so the new database is created owned by root with mode 0600, and the scp that follows, which runs as aideuser, could not read it. The report in step 4 does not need the same treatment, because it is written by tee, which runs as aideuser.
4. Replace line 292 with:
ssh -t -l $userid $machine "umask 077 && cd ${remote_aidedir} && sudo ${remote_aidedir}/aide --config=${remote_aidedir}/aide.conf 2>&1 | tee ${remote_aidedir}/report >> /dev/null"

Modify the configuration file ~aideuser/configs/aide.conf.CentOS6.8.x86_64 (line numbers refer to the CentOS 6.8 default aide.conf; "==>" gives the new value)
3 @@define DBDIR /var/lib/aide ==> @@define DBDIR .
4 @@define LOGDIR /var/log/aide ==> @@define LOGDIR .
7 database=file:@@{DBDIR}/aide.db.gz ==> database=file:@@{DBDIR}/aide.db
12 database_out=file:@@{DBDIR}/aide.db.new.gz ==> database_out=file:@@{DBDIR}/aide.newdb
89 /bin NORMAL ==> /bin DIR
90 /sbin NORMAL ==> /sbin DIR
91 /lib NORMAL ==> /lib DIR
92 /lib64 NORMAL ==> /lib64 DIR
94 /usr NORMAL ==> /usr DIR
146 /var/log LOG
147 !/var/log/lastlog

The DBDIR, LOGDIR and database lines make aide read and write its database in the directory the server creates on the client, under the uncompressed names that the scp lines in sshaide.sh expect. Be aware of what the NORMAL ==> DIR change costs: in this file DIR is p+i+n+u+g+acl+selinux+xattrs, that is permissions, inode, link count, owner, group, ACL, SELinux context and extended attributes, with no checksum, size or timestamps. An attacker who overwrites a binary in place (cp onto the existing file keeps its inode) under /bin, /sbin, /lib, /lib64 or /usr is therefore not reported; only a replaced inode is, which is what the /bin/ps test below catches. Keep NORMAL on those trees if you want content changes detected, at the price of a longer run.

Change the permissions and ownerships
# chown -R aideuser.aideuser ~aideuser/
# chmod 700 ~aideuser/bin/sshaide.sh

Remove the AIDE package from the server; the copy in ~aideuser/bin is the binary that gets pushed to the clients
# yum remove aide -y

Initialize the database for the client
# su - aideuser
$ cd bin
$ ./sshaide.sh -init 192.168.1.6

Test
Log in to the client 192.168.1.6 as root, back up the ps command to /tmp so it can be restored, then copy an arbitrary file over the ps command. Go back to the server 192.168.1.4 and run the check:

$ ./sshaide.sh -check 192.168.1.6

AIDE found differences between database and filesystem!!
Start timestamp: 2016-11-20 14:14:05

Summary:
Total number of files: 21948
Added files: 0
Removed files: 0
Changed files: 1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /bin/ps

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /bin/ps
Inode : 1949793 , 1949792

Make AIDE run periodically: on the server, as aideuser, add a crontab entry that checks every client at one minute past each hour. The output is discarded because sshaide.sh mails the report to the address configured above.
$ crontab -e
1 * * * * /home/aideuser/bin/sshaide.sh -check ALL > /dev/null 2>&1
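A cron wrapper should not have to rely on the mail alone. The following is an added example, not part of the original post or of sshaide.sh, that parses a fetched AIDE report and raises only when the Summary block reports a difference. It assumes the plain-text format of an aide 0.14 check report as pasted in the test above; where sshaide.sh stores the fetched report on the server depends on its clientdir layout, which the example does not assume, so it runs against a constructed sample report written to a temporary file.

```shell
#!/bin/sh
# Added example (not part of the original post or of sshaide.sh): parse an
# AIDE check report and decide whether anything changed, so a cron wrapper
# alerts only when the Summary block shows a non-zero count.
#
# Assumes the plain-text report format of aide 0.14 (--check): a "Summary:"
# block with "Added files:", "Removed files:" and "Changed files:" counts,
# followed by "added: PATH" / "removed: PATH" / "changed: PATH" lines.

# aide_report_counts FILE -> prints "ADDED REMOVED CHANGED" from the Summary
# block. The section header "Changed files:" (two fields) is skipped; only the
# count line (three fields) is used. Unset counts print as 0.
aide_report_counts() {
    awk '
        /^[ \t]*Added files:/              { a = $3 }
        /^[ \t]*Removed files:/            { r = $3 }
        /^[ \t]*Changed files:/ && NF == 3 { c = $3 }
        END { printf "%d %d %d\n", a, r, c }
    ' "$1"
}

# aide_report_paths FILE -> one "added: /p", "removed: /p" or "changed: /p"
# line per reported entry, in report order.
aide_report_paths() {
    grep -E '^(added|removed|changed): ' "$1"
}

# aide_report_has_changes FILE -> exit 0 if any count is non-zero, else 1.
# A clean run ("All files match AIDE database") has no Summary and yields 0 0 0.
aide_report_has_changes() {
    set -- $(aide_report_counts "$1")
    [ $(( $1 + $2 + $3 )) -ne 0 ]
}

# Constructed sample report, modelled on the /bin/ps run shown above
# (real reports indent the Summary lines and pad the Inode columns).
SAMPLE_REPORT=$(mktemp /tmp/aide-report.XXXXXX)
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
AIDE found differences between database and filesystem!!
Start timestamp: 2016-11-20 14:14:05

Summary:
  Total number of files:        21948
  Added files:                  0
  Removed files:                0
  Changed files:                1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /bin/ps

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /bin/ps
 Inode    : 1949793                          , 1949792
EOF

# Demonstration: prints the counts and the one changed path for the sample.
if aide_report_has_changes "$SAMPLE_REPORT"; then
    echo "AIDE: differences on 192.168.1.6 (added removed changed): $(aide_report_counts "$SAMPLE_REPORT")"
    aide_report_paths "$SAMPLE_REPORT"
fi
```

In the cron job, point aide_report_has_changes at the report sshaide.sh fetched for each client and send the output of aide_report_paths to your alerting channel; a clean run produces no output and a non-zero exit, which is what cron should stay silent on.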

Prevent aideuser from logging in interactively on the server
# usermod -s /sbin/nologin aideuser
The cron job keeps working, because cron runs its commands through /bin/sh rather than the account's login shell (edit the crontab afterwards with crontab -u aideuser -e). Do not do this on the client: sshd executes remote commands through the account's shell, so sshaide.sh could no longer run aide there.

If you use sshaide.sh as shipped, without the sudo changes above, you will hit permission errors, because the non-privileged account then runs aide without root privileges and cannot open root-only files:
do_md(): open() for /etc/securetty failed: Permission denied
do_md(): open() for /etc/shadow- failed: Permission denied
do_md(): open() for /etc/cron.deny failed: Permission denied
do_md(): open() for /etc/gshadow- failed: Permission denied
do_md(): open() for /etc/libaudit.conf failed: Permission denied
do_md(): open() for /etc/shadow failed: Permission denied
do_md(): open() for /etc/gshadow failed: Permission denied
do_md(): open() for /etc/sudoers failed: Permission denied
do_md(): open() for /etc/security/opasswd failed: Permission denied
open_dir():Permission denied: /etc/audit

Reference
File Integrity Assessment Via SSH


My company wanted me to move the projects from the old GitLab servers to the new one. There are many ways described on the internet; I tried several, and finally I found that this method worked well.

Download projects from the old server, for example:
# git clone --mirror git@gitlab1.example.com:group1/project1.git

Create new projects on the new GitLab server through the website

Modify the config file, changing the url to the new server
# cd project1.git/
# vi config
[core]
	repositoryformatversion = 0
	filemode = true
	bare = true
[remote "origin"]
	url = git@gitlab2.example.com:group1/project1.git
	fetch = +refs/*:refs/*
	mirror = true

Upload the project to the new GitLab server
# git push origin --mirror
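The same migration can be scripted with git's own commands, which matters once there are dozens of projects and you want proof that every branch and tag arrived. The script below is an added example, not from the original post: it uses git remote set-url instead of editing the clone's config by hand, and verifies the result by comparing git ls-remote on both sides. The two "servers" are local bare repositories under a temporary directory so it runs offline; with real servers OLD_BASE and NEW_BASE would be the ssh prefixes git@gitlab1.example.com: and git@gitlab2.example.com:, and the seed step would not exist.

```shell
#!/bin/sh
# Added example (not from the original post): migrate a repository between two
# GitLab-style servers with git's own commands instead of hand-editing the
# mirror clone's config, and verify that every ref arrived. The two "servers"
# are local bare repositories under a temp directory so the script runs
# offline; against real servers OLD_BASE and NEW_BASE would be the ssh
# prefixes git@gitlab1.example.com: and git@gitlab2.example.com:.
set -e

WORK=$(mktemp -d /tmp/gitmigrate.XXXXXX)
trap 'rm -rf "$WORK"' EXIT
OLD_BASE="$WORK/old"   # stands in for git@gitlab1.example.com:
NEW_BASE="$WORK/new"   # stands in for git@gitlab2.example.com:

# seed_old_repo GROUP/PROJECT.git: constructed sample input, a bare repository
# on the "old server" holding one commit on the default branch and one tag.
seed_old_repo() {
    mkdir -p "$(dirname "$OLD_BASE/$1")"
    git init --quiet --bare "$OLD_BASE/$1"
    src=$(mktemp -d "$WORK/src.XXXXXX")
    git -C "$src" init --quiet
    echo "hello" > "$src/README"
    git -C "$src" add README
    git -C "$src" -c user.name=seed -c user.email=seed@example.com \
        commit --quiet -m "initial commit"
    git -C "$src" tag v1.0
    git -C "$src" push --quiet "$OLD_BASE/$1" \
        'refs/heads/*:refs/heads/*' 'refs/tags/*:refs/tags/*'
}

# new_empty_repo GROUP/PROJECT.git: the equivalent of creating the project on
# the new server through the web UI, i.e. an empty bare repository.
new_empty_repo() {
    mkdir -p "$(dirname "$NEW_BASE/$1")"
    git init --quiet --bare "$NEW_BASE/$1"
}

# migrate_mirror GROUP/PROJECT.git: clone --mirror from the old server, point
# origin at the new server (same effect as editing url= under [remote "origin"]
# in the clone's config), push --mirror, then compare the two ref lists.
# Returns 0 only when old and new report identical refs and hashes.
migrate_mirror() {
    clone="$WORK/clones/$1"
    mkdir -p "$(dirname "$clone")"
    git clone --quiet --mirror "$OLD_BASE/$1" "$clone"
    git -C "$clone" remote set-url origin "$NEW_BASE/$1"
    git -C "$clone" push --quiet --mirror origin
    [ "$(git ls-remote "$OLD_BASE/$1")" = "$(git ls-remote "$NEW_BASE/$1")" ]
}

# Demonstration on one project; looping migrate_mirror over a project list is
# the batch case.
seed_old_repo group1/project1.git
new_empty_repo group1/project1.git
migrate_mirror group1/project1.git && echo "group1/project1.git: refs verified"
```

The ls-remote comparison is the part worth keeping for a real migration: push --mirror reports success per ref, but a side-by-side listing of both servers is what tells you nothing was left behind or renamed.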

Reference

Import an existing git project into GitLab?

Posted by: kezhong | March 20, 2014

CloudStack: Statistics Report for Load Balancing

After creating the load balancer and its real servers, how do you monitor the statistics of those servers? Here is the answer.

First, open port 8081 only to your company's IP addresses. The statistics page is served by haproxy on the virtual router, and the port, URI and credentials below are CloudStack's defaults (global settings network.loadbalancer.haproxy.stats.port, network.loadbalancer.haproxy.stats.uri and network.loadbalancer.haproxy.stats.auth), so anyone who can reach the port already knows them; change the auth setting if the page has to be exposed more widely.

Then open the page in your web browser.
http://PUBLICIP:8081/admin?stats
username: admin1
password: AdMiN123


Posted by: kezhong | March 10, 2014

CloudStack: Configure Fedora 20 for VPN Access

1. Open "Settings".
2. Click "Network".
3. Click "+".
4. Click "VPN".
5. Click "Layer 2 Tunneling Protocol (L2TP)". Enter the IP address in "Gateway", enter your username and password, and then click "IPsec Settings".
6. Tick the checkbox "Enable IPsec tunnel to L2TP host", paste the "Pre-shared key", click "OK", and then click "Add".
7. Click "ON".

If you want to know how to use Windows 7 for CloudStack VPN access, you can read Derek Black's blog post CloudStack: Configure Windows 7 for VPN Access.

I found that radiusd cannot start at boot time after rebooting the server on Fedora 17, but I can start it manually. I checked the log files and found that mysqld starts later than radiusd. So radiusd cannot start, because it needs to connect to mysql.

How do you set the order of boot services and make radiusd start after mysqld? After researching and testing, I found the way.

Edit the file /lib/systemd/system/radiusd.service, add mysqld.service at the end of the "After" line in the "Unit" section, and then reboot the server. The complete file is shown below. Two caveats: After= only orders the two units and does not cause mysqld to be started, so add Wants=mysqld.service (or Requires=mysqld.service) to the same section if mysqld is not already enabled; and a file under /lib/systemd/system belongs to the package and is overwritten on update, so keep the edited copy as /etc/systemd/system/radiusd.service, which systemd prefers over the /lib copy.

[Unit]
Description=FreeRADIUS high performance RADIUS server.
After=syslog.target network.target mysqld.service

[Service]
Type=forking
PIDFile=/var/run/radiusd/radiusd.pid
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStartPre=/usr/sbin/radiusd -C
ExecStart=/usr/sbin/radiusd -d /etc/raddb
ExecReload=/usr/sbin/radiusd -C
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
