webcp.hostinghacks.net/slackware | aide

SYNOPSIS
AIDE (Advanced Intrusion Detection Environment) was written as a replacement for, and extension of, Tripwire. It offers multiple integrity checking algorithms through mhash support; the mhash library provides an easy way to access strong hashes such as MD5, SHA1 and other algorithms.

PREREQUISITES: source packages

INSTALLS: AIDE with mhash support

MHASH

The mhash library provides an easy way to access strong hashes such as MD5, SHA1 and other algorithms. Check to see which version of mhash you currently have installed:

man mhash

If it is not installed, or you wish to upgrade, get it here:

cd /usr/src 
wget http://easynews.dl.sourceforge.net/sourceforge/mhash/mhash-0.9.2.tar.gz
# wget http://hostinghacks.net/dist/mhash-0.9.2.tar.gz

tar -zxf mhash-0.9.2.tar.gz 
cd mhash-0.9.2 
./configure --enable-static=yes --enable-shared=no 

make && 
make install 
BISON

Check if bison is already installed:

bison -V

If it is not installed, or you wish to upgrade, get it here:

cd /usr/src
wget http://ftp.gnu.org/gnu/bison/bison-2.0.tar.gz
tar -zxf bison-2.0.tar.gz
cd /usr/src/bison-2.0

./configure --prefix=/usr

make &&
make install
AIDE

cd /usr/src 
wget http://easynews.dl.sourceforge.net/sourceforge/aide/aide-0.10.tar.gz
# wget http://hostinghacks.net/dist/aide-0.10.tar.gz 

tar -zxf aide-0.10.tar.gz 
cd /usr/src/aide-0.10 
./configure 
make && make install
cat > /etc/aide.conf << "EOF" 

MyRule = p+i+n+u+g+s+b+m+c+md5+sha1 

/etc p+i+u+g     #check only permissions, inode, user and group for etc 
/bin MyRule      # apply the custom rule to the files in bin 
/sbin MyRule     # apply the same custom rule to the files in sbin 
/var MyRule       
/tmp MyRule       
!/var/log/.*     # ignore the log dir it changes too often 
!/var/run/.*     # ignore the pid dir it changes too often 
!/var/lib/.*     # ignore mysql, mod_watch, tripwire changes
!/var/lock/.*    # ignore lock files
!/var/cache/.*   # ignore cache files
!/var/spool/.*   # ignore spool dirs as they change too often 
!/home/.*        # ignore the /home dir it changes too often 
!/var/lib/tripwire/report/.* # ignore daily tripwire reports

EOF

Initialize the database, move it into place, and run a first check:

/usr/local/bin/aide --init --config=/etc/aide.conf 
mv /usr/local/etc/aide.db.new /usr/local/etc/aide.db -f
/usr/local/bin/aide --config=/etc/aide.conf 
DAILY AIDE REPORTS

cat > /etc/cron.daily/watch.aide << "EOF"
#!/bin/bash
/usr/local/bin/aide --config=/etc/aide.conf | mail -s "aide results" servadmin@localhost
EOF

chmod +x /etc/cron.daily/watch.aide
/etc/cron.daily/watch.aide
NOTES

# Here are all the things we can check - these are the default rules 
# 
#p:      permissions 
#i:      inode 
#n:      number of links 
#u:      user 
#g:      group 
#s:      size 
#b:      block count 
#m:      mtime 
#a:      atime 
#c:      ctime 
#S:      check for growing size 
#md5:    md5 checksum 
#sha1:   sha1 checksum 
#rmd160: rmd160 checksum 
#tiger:  tiger checksum 
#R:      p+i+n+u+g+s+m+c+md5 
#L:      p+i+n+u+g 
#E:      Empty group 
#>:      Growing logfile p+u+g+i+n+S 

# You can also create custom rules - my home made rule definition goes like this 
MyRule = p+i+n+u+g+s+b+m+c+md5+sha1 
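As an added example (not code from this page or from the AIDE project), the Python below parses a shortened, constructed copy of the aide.conf above, expands rule expressions such as MyRule and the built-in groups R, L, E and > into attribute sets, and reports which attributes a given path would be checked with. It assumes a simplified precedence, that a "!" line always wins and that otherwise the longest matching path regex applies; that ordering is this example's assumption, not AIDE's documented matching rules.

```python
import re

ATTRIBUTES = set("pinugsbmacS") | {"md5", "sha1", "rmd160", "tiger"}  # letters from NOTES above
GROUPS = {"R": "p+i+n+u+g+s+m+c+md5", "L": "p+i+n+u+g", "E": "", ">": "p+u+g+i+n+S"}  # built-in groups

SAMPLE_CONF = """# constructed sample: a shortened copy of this page's aide.conf
MyRule = p+i+n+u+g+s+b+m+c+md5+sha1
/etc p+i+u+g     # check only permissions, inode, user and group
/var MyRule
!/var/log/.*     # ignore the log dir, it changes too often
!/var/lib/.*     # ignore mysql, tripwire changes
"""

def expand_rule(expr, custom):
    """Expand 'p+i+MyRule' style text into the set of attributes it names."""
    attrs = set()
    for token in filter(None, expr.split("+")):
        if token in custom or token in GROUPS:      # a group: expand it recursively
            attrs |= expand_rule(custom.get(token, GROUPS.get(token)), custom)
        elif token in ATTRIBUTES:
            attrs.add(token)
        else:
            raise ValueError(f"unknown attribute or rule: {token!r}")
    return attrs

def parse_conf(text):
    custom, selections, excludes = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and whitespace
        if not line:
            continue
        if "=" in line:                              # rule definition: MyRule = p+i+...
            name, expr = (s.strip() for s in line.split("=", 1))
            custom[name] = expr
        elif line.startswith("!"):                   # negative selection regex
            excludes.append(re.compile("^" + line[1:].strip()))
        else:                                        # path regex, then rule expression
            path, expr = line.split(None, 1)
            selections.append((re.compile("^" + path), expr))
    return custom, selections, excludes

def rule_for(path, text=SAMPLE_CONF):
    """Attributes checked for `path`, or None if excluded or unmatched. Assumed
    precedence (this example's, not AIDE's): '!' wins, then longest path regex."""
    custom, selections, excludes = parse_conf(text)
    if any(rx.match(path) for rx in excludes):
        return None
    hits = [(rx, expr) for rx, expr in selections if rx.match(path)]
    best = max(hits, key=lambda h: len(h[0].pattern), default=None)
    return expand_rule(best[1], custom) if best else None
```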
