How to install AIDE intrusion detection system on CentOS 7

Your CentOS 7 servers are rock solid, but could still use a bit of help. Find out how to install an easy to use intrusion detection system in less than five minutes.


Just because Linux is an incredibly secure platform out of the box doesn't mean that you don't need to take extra steps to lock it down even tighter. With every distribution, there are different ways you can harden the operating system. No matter what flavor you use for your servers, an intrusion detection system should be considered a must-have.

One intrusion detection system that works great on CentOS 7 is Advanced Intrusion Detection Environment, aka AIDE. AIDE works by taking a snapshot of the host: file modification times, file hashes, and other important file-related metadata. From this snapshot a database is created, and later checks compare the current state of the filesystem against that database to verify file integrity. With AIDE watching over your CentOS 7 system, you will be kept apprised of any unexpected change within the server.


Let's get AIDE installed and working.

What you need

The only things you'll need for this are a working CentOS 7 server and an account with sudo privileges.

Installation

AIDE can be installed from the standard repositories. Before you install, make sure CentOS 7 is up to date. Remember, the update process can include the kernel. Should that happen, a reboot will be required, so it's best to run the update at a time when a reboot is possible.

Open a terminal window and issue the command:

sudo yum update

When prompted, accept the update by typing y. When the update completes, reboot (if necessary). You can now install AIDE with the command:

sudo yum install aide

Once the installation completes, you need to generate a database for AIDE with the command:

sudo aide --init

Once the database is created, you'll have your bash prompt return to you (Figure A).

Figure A

The AIDE database has been initialized.

The newly created database must be renamed. To do that, issue the command:

sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

With the database renamed, check to make sure AIDE can see it with the command:

sudo aide --check

The database should check out at this point (Figure B).

Figure B

All is well with our database.

Let's add a cron job that runs a check every night at midnight. Do this with the commands:

su
echo "0 0 * * * root /usr/sbin/aide --check" >> /etc/crontab

Once you set the cron job, exit out of the root user with the command exit.

Testing AIDE

Let's create a file and see if AIDE detects it. Issue the command:

sudo touch /usr/bin/testing

Run the AIDE test again with the command:

sudo aide --check

AIDE will report on the newly created file (Figure C).

Figure C

Our newly created file reported by AIDE.

After reviewing the report, make sure to update the AIDE database (so it won't continue to report the same newly created file) with the command:

sudo aide --update

Viewing output from cron job

Since we set AIDE up as a standard cron job, you need to manually check the AIDE log file. To do that, you must su to the root user and issue the command:

less /var/log/aide/aide.log

You can then comb through that log file to see if anything untoward has happened with your CentOS 7 server. If you want to get creative, you could even write a bash script that runs an AIDE check and then mails the output to you, and then set that script to run as the cron job (instead of the plain aide --check command).
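The mailing script suggested above, written out as an added example (it is not part of the article and not AIDE's own tooling). It assumes the exit codes documented in aide(1), where 1 = files added, 2 = files removed, 4 = files changed, combinations are summed, and 14 to 19 signal errors, plus a mailx-style mail command for delivery. The script name aide-report.sh, the MAIL_TO and MAIL_ON_CLEAN variables, and the embedded sample report are all constructed for this example; the sample is only used when AIDE is not installed, so the script can be exercised on a machine without it.

```shell
#!/bin/sh
# aide-report.sh (hypothetical name): run an AIDE check, summarise it, mail the report.
# Added example, not from the article. Assumes the exit-code bitmask from aide(1)
# (1 added, 2 removed, 4 changed, summed; 14-19 errors) and a mailx "mail" command.

AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"   # CentOS 7 path, as in the article's crontab line
MAIL_TO="${MAIL_TO:-root}"              # recipient; assumption, override via environment
MAIL_ON_CLEAN="${MAIL_ON_CLEAN:-0}"     # 1 = mail even when nothing changed

# Constructed sample report (AIDE 0.15-style wording), used only when aide is absent.
SAMPLE_REPORT='AIDE found differences between database and filesystem!!

Summary:
  Total number of files:  36523
  Added files:            1
  Removed files:          0
  Changed files:          0

---------------------------------------------------
Added files:
---------------------------------------------------

added: /usr/bin/testing
'

# Translate an AIDE exit status into words using the bitmask from aide(1).
aide_status_text() {
  rc=$1
  if [ "$rc" -eq 0 ]; then echo "no changes"; return 0; fi
  if [ "$rc" -ge 14 ]; then echo "error (exit $rc)"; return 0; fi
  parts=""
  if [ $((rc & 1)) -ne 0 ]; then parts="${parts}added,"; fi
  if [ $((rc & 2)) -ne 0 ]; then parts="${parts}removed,"; fi
  if [ $((rc & 4)) -ne 0 ]; then parts="${parts}changed,"; fi
  echo "${parts%,}"
}

# Pull one summary count (Added|Removed|Changed) out of a report; accepts both
# "Added files:" (AIDE 0.15) and "Added entries:" (AIDE 0.16) wording, and skips
# the section header of the same name, which carries no number.
aide_count() {
  printf '%s\n' "$2" | awk -v k="$1" \
    '$1 == k && ($2 == "files:" || $2 == "entries:") && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

main() {
  if [ -x "$AIDE_BIN" ]; then
    report=$("$AIDE_BIN" --check 2>&1); rc=$?
  else
    report=$SAMPLE_REPORT; rc=1      # AIDE not installed: use the constructed sample
  fi
  host=${HOSTNAME:-$(uname -n)}
  subject="AIDE on $host: $(aide_status_text "$rc") (added=$(aide_count Added "$report") removed=$(aide_count Removed "$report") changed=$(aide_count Changed "$report"))"
  if [ "$rc" -eq 0 ] && [ "$MAIL_ON_CLEAN" -eq 0 ]; then
    return 0                         # stay quiet on a clean run
  fi
  if command -v mail >/dev/null 2>&1; then
    printf '%s\n' "$report" | mail -s "$subject" "$MAIL_TO"
  else
    printf '%s\n%s\n' "$subject" "$report"   # no mailer: print, and cron mails stdout itself
  fi
  return "$rc"
}

main "$@"   # last command, so the script exits with AIDE's own status
```

To use it in place of the plain check, install it somewhere such as /usr/local/sbin, make it executable, and point the crontab line at it instead of /usr/sbin/aide --check. Because the script preserves AIDE's exit status, cron's own mailing and any monitoring wrapper still see a non-zero result when something changed. One caveat worth keeping in mind: aide --update writes the refreshed baseline to aide.db.new.gz (the database_out path in the default CentOS 7 aide.conf), so after accepting a legitimate change it must be moved over aide.db.gz, exactly as in the initial setup, or the next check will keep reporting against the old baseline.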

One thing to remember: if you see AIDE report something that isn't malicious (such as the installation of a necessary piece of software or a configuration change you made), make sure to run the update command again, so it won't continue reporting on that same change.

And that's the gist of getting the Advanced Intrusion Detection Environment up and running. Your CentOS 7 server will thank you for the added security.


By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.