Install the AIDE service to audit a Linux OS.
1. Install the AIDE software.
[root@server7-5499 ~]# yum install aide -y
2. Modify the AIDE configuration file.
Basic configuration:
# Define DB/Log location.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# Define DB location and name.
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
# Compress aide DB.
gzip_dbout=yes
verbose=5
# Write the generated report to the log file and also print it to the screen.
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
# Define the directories you want to audit.
# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
#/lib NORMAL
#/lib64 NORMAL
#/opt NORMAL
#/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
3. After configuring AIDE, initialize the AIDE database.
[root@server7-5499 ~]# aide -i
AIDE, version 0.14
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
4. Rename the new database to /var/lib/aide/aide.db.gz (the check reads the `database=` path, while initialization writes to `database_out`).
[root@server7-5499 ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Generate a report against the existing database.
5. Check the report.
[root@server7-5499 ~]# aide -C
AIDE, version 0.14
### All files match AIDE database. Looks okay!
6. Change something to verify that it is detected.
a. Add user user2.
[root@server7-5499 ~]# useradd -u 10004 -s /sbin/nologin user2
b. Check for changes.
[root@server7-5499 ~]# aide -C
AIDE found differences between database and filesystem!!
Start timestamp: 2015-04-17 04:16:51
Summary:
Total number of files: 1815
Added files: 1
Removed files: 0
Changed files: 11
---------------------------------------------------
Added files:
---------------------------------------------------
added: /var/log/httpd/access_log-20150417
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /etc/passwd
changed: /etc/passwd-
changed: /etc/gshadow
changed: /etc/gshadow-
changed: /etc/group-
changed: /etc/shadow-
changed: /etc/shadow
changed: /etc/group
changed: /var/log/httpd/access_log
changed: /root
changed: /root/.viminfo
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/passwd
Size : 1339 , 1386
Mtime : 2015-04-17 02:09:33 , 2015-04-17 04:16:22
Ctime : 2015-04-17 02:09:33 , 2015-04-17 04:16:22
Inode : 25609 , 25599
MD5 : d+FKjnPVooobLRWIOQVHNQ== , MvDGwK3/gRL50jgog6EACQ==
RMD160 : 8YG5pF836arLZv21lTV+yqy2168= , VSNqhtinLe/sr8uXAYyA0oR+fSs=
SHA256 : INjoll/4rmfwEsOYToLMeNBJ8L/mfUxQ , tCOa5LDpBxfTfdCmbc8sbQkdcJCbFg1W
File: /etc/passwd-
Size : 1294 , 1339
Mtime : 2015-04-03 02:27:33 , 2015-04-17 02:09:33
Ctime : 2015-04-17 02:09:33 , 2015-04-17 04:16:22
MD5 : /00yqCUwzu/+80x3VOAuJg== , d+FKjnPVooobLRWIOQVHNQ==
RMD160 : rZODe9EDMan8u2ZqGWimvk2bLvw= , 8YG5pF836arLZv21lTV+yqy2168=
SHA256 : 7IVctSIG7Qw5zYavDOlFqAtDJrDGnklQ , INjoll/4rmfwEsOYToLMeNBJ8L/mfUxQ
File: /etc/gshadow
Size : 498 , 508
Mtime : 2015-04-17 02:09:33 , 2015-04-17 04:16:22
Ctime : 2015-04-17 02:09:33 , 2015-04-17 04:16:22
Inode : 25534 , 25311
MD5 : L6+T3NkFFkABarfcq2c4CQ== , T1TJBYLW6bOfDXRmlGa6gg==
RMD160 : DpgU5yThE0X5w7okjgWxuwHqzXA= , ibpE8mR6MV+8w7Voifbo4bzbxR8=
SHA256 : mT0lKR8rEv7aevcdmx8EJiFrppYNmXzD , zlbrYjEj+lFUR7ZVkcpBbgpv2GS6S/W6
File: /etc/gshadow-
Size : 488 , 498
Mtime : 2015-04-03 02:27:33 , 2015-04-17 02:09:33
Ctime : 2015-04-17 02:09:33 , 2015-04-17 04:16:22
MD5 : 6jpjE5dvxH/QyhmmkGPtfQ== , L6+T3NkFFkABarfcq2c4CQ==
RMD160 : BN7h6wDeG9Xyj07tJOinZUqt6+w= , DpgU5yThE0X5w7okjgWxuwHqzXA=
SHA256 : M1AdyyijKDEbD7jlHgzqHP6MD+53iGMg , mT0lKR8rEv7aevcdmx8EJiFrppYNmXzD
File: /etc/group-
Size : 594 , 608
Mtime : 2015-04-03 02:27:33 , 2015-04-17 02:09:33
Ctime : 2015-04-17 02:09:33 , 2015-04-17 04:16:22
MD5 : WrPAJ/80hAgvRGRPk6bDXg== , XhF8M1FnvxQV01xWfQvtzA==
RMD160 : mBJff/Xi0fN2bmekHpuz9gJOItg= , JWBfvVU6VslOSv7ED7kh0cDM6Wg=
SHA256 : QFlMvKnLkOEBiMyxvlwgQbrIDxkWzAL4 , s/36GkNID/mhdjANgxx5v2h82/XS17/C
File: /etc/shadow-
Size : 723 , 751
Mtime : 2015-04-03 02:27:33 , 2015-04-17 02:09:33
Ctime : 2015-04-17 02:09:33 , 2015-04-17 04:16:22
MD5 : A8Zb/ckBsHBtsk8mq76zxQ== , 3aUQZa/Rm4M2dM2OCuki8w==
RMD160 : ZlrkTM5D1FApq0jzXOMzJAj8f/Y= , 9pLx0kdQ2xUXHoyna9DL5DFMAeM=
SHA256 : iiOhA9Tmtq486nMVSKvFO0QluRkAnilR , 3KETpurrzpBFAMBqeY8ieDscEpL9X9Fu
File: /etc/shadow
Size : 751 , 779
Mtime : 2015-04-17 02:09:33 , 2015-04-17 04:16:22
Ctime : 2015-04-17 02:09:33 , 2015-04-17 04:16:22
Inode : 25536 , 25602
MD5 : 3aUQZa/Rm4M2dM2OCuki8w== , 4sl4OTMZdUxLFy8F5o1MIQ==
RMD160 : 9pLx0kdQ2xUXHoyna9DL5DFMAeM= , mrOgJ9i5zr2adGqFXHNVsnszQrg=
SHA256 : 3KETpurrzpBFAMBqeY8ieDscEpL9X9Fu , Uf0sxciwL16vT0plQeWLS8Kltd93F64t
File: /etc/group
Size : 608 , 623
Mtime : 2015-04-17 02:09:33 , 2015-04-17 04:16:22
Ctime : 2015-04-17 02:09:33 , 2015-04-17 04:16:22
Inode : 25311 , 25536
MD5 : XhF8M1FnvxQV01xWfQvtzA== , jLMJugOfdQRDiiqFvUUSBg==
RMD160 : JWBfvVU6VslOSv7ED7kh0cDM6Wg= , MY2+zs+5bSFXKOddHkDBxanlunY=
SHA256 : s/36GkNID/mhdjANgxx5v2h82/XS17/C , NjUENRSrdD7bg31irex1ME7YWZHidVPK
File: /var/log/httpd/access_log
Size : 730 , 0
Inode : 266417 , 266453
Directory: /root
Mtime : 2015-04-17 04:05:56 , 2015-04-17 04:15:20
Ctime : 2015-04-17 04:05:56 , 2015-04-17 04:15:20
File: /root/.viminfo
Inode : 25306 , 25269
[root@server7-5499 ~]#