Just because Linux is an incredibly secure platform out of the box doesn’t mean that you don’t need to take extra steps to lock it down even tighter. With every distribution, there are different ways you can harden the operating system. No matter what flavor you use for your servers, an intrusion detection system should be considered a must-have.
One intrusion detection system that works great on CentOS 7 is the Advanced Intrusion Detection Environment, aka AIDE. AIDE works by taking a snapshot of the host's files, recording modification times, file hashes and other important file-related metadata. From this snapshot a database is built, and later checks are compared against it to verify file integrity. With AIDE watching over your CentOS 7 system, you will be kept apprised of any malicious change within the server.
Let’s get AIDE installed and working.
What you need
The only things you'll need for this are a working CentOS 7 server and an account with sudo privileges.
AIDE can be installed from the standard repositories. Before you install, make sure CentOS 7 is up to date. Remember, the update process can include the kernel. Should that happen, a reboot will be required, so it’s best to run the update at a time when a reboot is possible.
Open a terminal window and issue the command:
sudo yum update
When prompted, accept the update by typing y. When the update completes, reboot (if necessary). You can now install AIDE with the command:
sudo yum install aide
Once the installation completes, you need to generate a database for AIDE with the command:
sudo aide --init
Once the database is created, your bash prompt will return (Figure A).
The newly created database must be renamed. To do that, issue the command:
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
With the database renamed, check to make sure AIDE can see it with the command:
sudo aide --check
The database should check out at this point (Figure B).
Let's add a cron entry that runs a check every midnight. Appending to /etc/crontab requires root privileges, so switch to the root user (sudo su) and issue the command:
echo "0 0 * * * root /usr/sbin/aide --check" >> /etc/crontab
Once you set the cron job, exit out of the root user with the command exit.
Let’s create a file and see if AIDE detects it. Issue the command:
sudo touch /usr/bin/testing
Run the AIDE test again with the command:
sudo aide --check
AIDE will report on the newly created file (Figure C).
After reviewing the report, update the AIDE database (so it won't continue to report the same newly created file) with the command:
sudo aide --update
As with the initial run, the refreshed database is written to /var/lib/aide/aide.db.new.gz, so rename it over /var/lib/aide/aide.db.gz the same way before the next check.
Viewing output from cron job
Since we set AIDE up as a standard cron job, you need to manually check the AIDE log file. To do that, you must su to the root user and issue the command:
You can then comb through that log file to see if anything untoward has happened on your CentOS 7 server. If you want to get creative, you could even write a bash script that runs an AIDE check and mails the output to you, and set that script to run as the cron job (instead of the plain aide --check command).
One thing to remember: if AIDE reports something that isn't malicious (such as the installation of a necessary piece of software or a configuration change you made), run the update command again so it won't keep reporting that same change.
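The mail-the-report script suggested above and the "run the update again" reminder, as one added example that is not from the article: a POSIX shell wrapper for the cron job. The names AIDE_BIN, MAIL_TO, REPORT_DIR and the run/accept subcommands are our own assumptions, as is the presence of mailx(1); the exit-status bits it decodes are those documented in aide(1), and the database paths are the ones used by the mv command earlier.

```shell
#!/bin/sh
# Added example, not from the article: a cron wrapper for AIDE. It runs the
# check, decodes AIDE's exit status (0 clean; bit 1 added, bit 2 removed,
# bit 4 changed; 14 and up = AIDE error, per aide(1)), mails the report only
# when something was flagged, and rotates the database after an accepted update.
# Assumed names (ours): AIDE_BIN, MAIL_TO, REPORT_DIR, the run/accept verbs, mailx(1).
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
MAIL_TO="${MAIL_TO:-root}"
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"
DB_DIR=/var/lib/aide   # same paths as the article's mv command

# Turn AIDE's exit status into a short verdict string.
aide_verdict() {
    rc="$1"
    [ "$rc" -eq 0 ] && { echo "clean"; return 0; }
    [ "$rc" -ge 14 ] && { echo "error rc=$rc"; return 0; }
    verdict=""
    [ $((rc & 1)) -ne 0 ] && verdict="added"
    [ $((rc & 2)) -ne 0 ] && verdict="${verdict:+$verdict,}removed"
    [ $((rc & 4)) -ne 0 ] && verdict="${verdict:+$verdict,}changed"
    echo "$verdict"
}

# Run the check into a report file and pass AIDE's own status through.
run_check() {
    "$AIDE_BIN" --check >"$1" 2>&1 || return $?
}

# Accept reviewed changes: --update writes aide.db.new.gz, and --check keeps
# reading aide.db.gz until the new file is renamed over it.
accept_changes() {
    rc=0
    "$AIDE_BIN" --update >/dev/null 2>&1 || rc=$?
    [ "$rc" -lt 14 ] || return 1
    mv "$DB_DIR/aide.db.new.gz" "$DB_DIR/aide.db.gz"
}
run_and_report() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%F).log"
    rc=0
    run_check "$report" || rc=$?
    verdict="$(aide_verdict "$rc")"
    [ "$verdict" = "clean" ] ||
        mailx -s "AIDE on $(hostname): $verdict" "$MAIL_TO" <"$report"
    [ "$rc" -lt 14 ]   # cron sees a failure only when AIDE itself broke
}
case "${1:-}" in
    run)    run_and_report ;;
    accept) accept_changes ;;
esac
```

Install it somewhere like /usr/local/sbin/aide-check.sh (an assumed path) and point the crontab entry at `aide-check.sh run` instead of `aide --check`; once you have reviewed a report and are satisfied the changes are legitimate, run `aide-check.sh accept` as root.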
And that’s the gist of getting the Advanced Intrusion Detection Environment up and running. Your CentOS 7 server will thank you for the added security.