aide intrusion detection centos 7

A guide to installing and configuring aide intrusion detection on RHEL/CentOS 7 Linux. To become Red Hat Certified Specialist in Security: Linux you will need to know how to use the aide intrusion detection system for Red Hat or derivative Os’s.

Double hyphens – are not showing for an unknown reason at this time so if you see -flag i.e ssh rot@server -p 999 thats ok but if you see a COMMAND NEEDS DOUBLE HYPHEN it will need another – prefixed to the arguments.

To install aide on a CentOS server you will first need to install the EPEL repo which is the Extra Packages For Enterprise Linux.

yum install epel-release

yum install aide

To create the initial aide database to check against when changes occur.

aideĀ  –init COMMAND NEEDS DOUBLE HYPHEN

You will need to then replace the old database with the new one.

mv -v /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Add a cronjob to make aide check for changes every 24 hours.

crontab -e

add to run at midnight see man cron for more instructions.

MAILFROM=cron@myserver

MAILTO=email@example.com

0 0 * * * /usr/sbin/aide –check COMMAND NEEDS DOUBLE HYPHEN

You will then get a mail report from cron every time aide detects changes and maybe everyday due to the default verbose level, I tried redirecting 1> /dev/null but this suppressed all output from cron emails as nothing was going to stderr.

Every time there is an update required on the aide database you will need to run this assuming you have already run a /usr/sbin/aide –check COMMAND NEEDS DOUBLE HYPHEN

/usr/sbin/aide –update COMMAND NEEDS DOUBLE HYPHEN

Once the aide update has completed run the following to update the aide database.

mv -v /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

 

Linux, red hat certification, rhcsa, Security , , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

15 − 9 =