Enhance your Linux security and better manage it with aide!
Security has been a hot topic for a long time, not just recently. Particularly in this era of digitalization in Japan, a great many people interact with systems every day.
I am a Linux server management engineer, and Linux is my favorite OS. Every OS has its drawbacks and advantages, but I like Linux because I find it easy to use.
However, while even beginners can manage Linux, it is also so free that everyone comes up with their own best practices. And because each person has studied different material, no two people manage a system in exactly the same way.
In a production (operational) environment, the system is rarely run by a single person; it is usually managed by several engineers. Each Linux administrator has their own "best method" and "rules", but how Linux is used and configured differs depending on the purpose of the system, the environment, and many other factors.
In situations like this, you hear things such as:
- "Just write the settings down somewhere!"
- "You must never change that!"
- "Get permission before making changes!"
- "Who made this change?"
- and so on.
Managing Linux may seem difficult, but this is where AIDE is a tool that stands out!
What is aide?
In Europe and America there is CIS, an organization run by the security community that publishes benchmark documents for a wide range of systems. Best-practice benchmarks are provided in detail for operating systems and even for middleware.
Especially from the standpoint of managing server OSes, there are many server settings across the various server types. Therefore, I think that if you refer to the benchmark documents and use them as a baseline for security enhancements you were not aware of, you will definitely get only positive results.
Such Linux documents always recommend the use of a tool called AIDE.
AIDE (Advanced Intrusion Detection Environment) is a file tampering detection tool.
It is an important tool especially used by the Pentagon.
The SHA hash of a file changes whenever the file is edited. AIDE, run from cron, computes the SHA hash of the specified files (or of every file under the specified paths), compares it with the entry stored in AIDE's database, and records the result.
Example: (screenshot of an AIDE check report)
As shown in the example report, you can see which files have changed.
Monitor with AIDE!
1. Install aide!
Since AIDE is such a useful, even necessary, tool, it is in the standard repositories of Linux distributions, both DEB-based and RHEL-based, so it can be installed easily.
RHEL series
yum install aide
Debian series
apt install aide
Once installed, please check the version!
aide -v
2. Check and edit aide settings.
The AIDE settings are in /etc/aide/aide.conf or /etc/aide.conf.
Default settings are provided at installation, so you can use them as they are.
You can also change the configuration file, database, etc. depending on your needs and preferences.
3. Initialize aide
RHEL series
aide --init
Debian series
aideinit
The first time you run it, it takes some time because it records the SHA hash of every file into the database.
4. Check for tampered files with aide!
RHEL series
aide --check
Debian series
aide.wrapper --check
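To make the mechanism described under "What is aide?" and the init/check steps above concrete, here is an added example that is not AIDE's own code: a minimal, hypothetical re-implementation of the same workflow. It hashes every file under a directory into a baseline database (like `aide --init`), then re-hashes the tree and reports changed, added and removed files (like `aide --check`). The sample file tree, the database file name and the tampering it simulates are all constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical mini-AIDE (not the real tool): a baseline of SHA-256 hashes is
# recorded once, and every later check compares the live tree against it.
# Content hashes are used rather than mtime/size alone, which are easy to forge.

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def init_db(root: Path, db: Path) -> dict:
    """Like `aide --init`: hash every regular file under root and save the baseline."""
    baseline = {str(p.relative_to(root)): sha256_of(p)
                for p in sorted(root.rglob("*")) if p.is_file()}
    db.write_text(json.dumps(baseline, indent=1))
    return baseline

def check(root: Path, db: Path) -> dict:
    """Like `aide --check`: compare the current tree against the stored baseline."""
    baseline = json.loads(db.read_text())
    current = {str(p.relative_to(root)): sha256_of(p)
               for p in root.rglob("*") if p.is_file()}
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(f for f in current.keys() & baseline.keys()
                          if current[f] != baseline[f]),
    }

def demo() -> dict:
    """Constructed sample: a fake etc/ tree, baseline taken, then files are tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        db = Path(tmp) / "aide.db"          # constructed database path
        init_db(root, db)
        # Simulated changes after the baseline was recorded
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "hosts").unlink()
        (root / "rc.local").write_text("echo hi\n")
        return check(root, db)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The real AIDE additionally records permissions, owner, inode and other attributes per rule, and keeps its database outside the monitored tree so that it cannot be silently rewritten along with the files it protects.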
Managing files using AIDE results
AIDE shows you which files have changed. If there is a problem, the normal response is to restore the file from a backup; if you cannot take backups, use "etckeeper" (explained in another blog post), which lets you restore the files it has saved in git.
Can you monitor AIDE and be notified if anything changes?
Settings for e-mail notification are described in /etc/default/aide.
You can also have a monitoring tool notify you when an anomaly is detected.
This will be a monitoring issue, so I will write about it in my next blog!
Well then!