Monday, March 12, 2012

Advanced Intrusion Detection Environment (AIDE using ICU)

AIDE (Advanced Intrusion Detection Environment) performs file-system integrity checking on a Linux system. Various file integrity checkers are available, but they are all designed for a single host. What if an administrator wants to check several systems in the domain simultaneously, from one central system?

The solution is "AIDE using ICU" (Advanced Intrusion Detection Environment using the Integrity Checking Utility). AIDE alone can check a single system; to check multiple systems together we need ICU.
Below, an ICU server and an ICU client are set up and configured.

1) Download and install the latest version of AIDE. On RHEL6 the package is in the default YUM repository; check the repositories of other Linux distributions.

Establishing ICU Server

1) Download the ICU tar file from http://nitzer.dhs.org/ICU/ICU.html or search for it.

2) I downloaded version ICU-0.3.tar.gz

3) Become root (su - root) on the system that is to be the ICU server and extract the source there. From this server you will launch ICU against the remote Linux systems whose integrity you want to check.

4) Extract the source and copy the resulting directory ICU-0.3 to /usr/local/ICU on the server.

5) Create the user "icu" and give it ownership of the ICU tree:
# useradd icu
# chown -R icu /usr/local/ICU          // change ownership of the ICU directory and files to the icu user
# chmod -R 700 /usr/local/ICU

6) # vim /usr/local/ICU/ICU.conf
     modify the directive ICU_server_name
     modify the directive admin_e-mail

ssh = /usr/local/bin/ssh
scp = /usr/local/bin/scp
ssh-keygen = /usr/bin/ssh-keygen

Point these at where the binaries actually live on your server (on RHEL, ssh and scp are normally /usr/bin/ssh and /usr/bin/scp).

If you don't use sendmail as the mail server (RHEL5 uses sendmail by default, RHEL6 uses Postfix), adjust the mail directive accordingly:

Postfix = /usr/sbin/postfix

7) su - icu and run the following command:

           # perl ICU.pl -G
8) Then run the sanity check:
           # perl ICU.pl -s

If any error messages occur, fix them accordingly.

9) Copy the aide binary from /usr/local/bin (or wherever your distribution's package installed it, e.g. /usr/sbin/aide on RHEL) to /usr/local/ICU/binaries/aide.bin-i386-linux; the suffix matches the architecture and OS you will give in ICU.hosts.




Establishing ICU Client

The ICU server runs AIDE on the remote host via the SSH protocol. Here is how to establish an ICU client.

1) Edit /usr/local/ICU/ICU.hosts to add the client you want to monitor. Syntax:

hostname : email : OS : architecture : port

For example:

client.localdomain : root@server.localdomain : linux : i386 : 22
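Before running the sanity check in the next step, it is worth catching malformed ICU.hosts entries yourself (a missing field, a port that is not a number, an e-mail address without "@"). The following POSIX sh helper is an added example, not part of ICU or of the original post; the per-field rules it enforces (hostname characters, "@" in the e-mail, non-empty OS and architecture, numeric port 1-65535) are assumptions based on the syntax line above, and the sample ICU.hosts it checks is constructed.

```shell
#!/bin/sh
# Lint ICU.hosts entries before handing the file to "perl ICU.pl -s".
# Expected layout (from the post):  hostname : email : OS : architecture : port
# Added helper, not part of ICU; the per-field rules below are assumptions.

# trim STRING -> STRING without leading/trailing blanks
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# check_icu_host_entry LINE -> 0 if LINE is a well-formed entry, 1 otherwise
# (the reason is written to stderr when rejecting).
check_icu_host_entry() {
    line=$1
    # Exactly five fields means exactly four colons.
    colons=$(printf '%s' "$line" | tr -cd ':' | wc -c | tr -d ' ')
    if [ "$colons" -ne 4 ]; then
        echo "reject (need 5 colon-separated fields): $line" >&2
        return 1
    fi
    host=$(trim "${line%%:*}");  rest=${line#*:}
    email=$(trim "${rest%%:*}"); rest=${rest#*:}
    os=$(trim "${rest%%:*}");    rest=${rest#*:}
    arch=$(trim "${rest%%:*}");  port=$(trim "${rest#*:}")

    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "reject (bad hostname '$host'): $line" >&2; return 1 ;;
    esac
    case $email in
        *@*) ;;
        *) echo "reject (e-mail '$email' has no @): $line" >&2; return 1 ;;
    esac
    if [ -z "$os" ] || [ -z "$arch" ]; then
        echo "reject (OS and architecture must not be empty): $line" >&2; return 1
    fi
    case $port in
        ''|*[!0-9]*) echo "reject (port '$port' is not a number): $line" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "reject (port $port out of range): $line" >&2; return 1
    fi
    return 0
}

# validate_icu_hosts FILE -> prints the number of rejected entries; exit status 0
# only when every non-blank, non-comment line passed.
validate_icu_hosts() {
    bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        case $(trim "$l") in ''|\#*) continue ;; esac
        check_icu_host_entry "$l" || bad=$((bad + 1))
    done < "$1"
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Constructed sample ICU.hosts: the post's own entry plus two deliberately broken ones.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# hostname : email : OS : architecture : port
client.localdomain : root@server.localdomain : linux : i386 : 22
web01.localdomain : root-at-server.localdomain : linux : x86_64 : 22
db01.localdomain : root@server.localdomain : linux : i386
EOF
if validate_icu_hosts "$sample" >/dev/null; then
    echo "ICU.hosts: all entries well-formed"
else
    echo "ICU.hosts: fix the rejected entries before running 'perl ICU.pl -s'"
fi
rm -f "$sample"
```

Run it as the icu user against the real file with validate_icu_hosts /usr/local/ICU/ICU.hosts; a non-zero exit status means at least one entry was rejected, and the reasons are on stderr.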


2) Perform a sanity check of the file:

# cd /usr/local/ICU && perl ICU.pl -s -r client.localdomain



3) Create a tarball containing all the files and configuration the remote host needs to run aide:

# perl ICU.pl -n -r client.localdomain

This creates a tar file of all the configuration files required on the host side.

4) FTP the tar file to the host machine (client) whose files are to be checked. The tarball carries the client's AIDE configuration and keys, so prefer an encrypted copy such as scp and compare checksums on both sides before installing.

5) On the client system:

# tar xvf client.localdomain-icu-install.tar

This creates a new directory client.localdomain-icu-install.

6) # cd client.localdomain-icu-install

7) # sh icu-install.sh      // installs a copy of aide.conf and the aide.db file to /var/adm/.icu

It automatically appends keys to various files.


Initializing the remote host integrity check

1) Log in as icu (su - icu)
2) cd /usr/local/ICU
3) # perl ICU.pl -i -r client.localdomain

Enter yes when prompted, because the server is connecting to the host via SSH for the first time (this is the SSH host-key prompt; verify the fingerprint against the client before accepting).

4) Wait until the database is initialized for the first time. After initialization, run the same script again in future to check the file system.


When a new host is initialized, the first integrity database and configuration are saved as

/usr/local/ICU/database/client.localdomain/archives/aide.db-first-TIMESTAMP.gz

and

/usr/local/ICU/database/client.localdomain/archives/aide.conf-first-TIMESTAMP.gz

These are the initial database and configuration files. Each time integrity is checked, these files are compared and the files with the latest timestamp are updated on the server.

Checking the Remote Host Integrity Database

# su - icu
# cd /usr/local/ICU && perl ICU.pl -v -c -r client.localdomain

All results are mailed to root@server.localdomain, or whatever e-mail address you provided in ICU.hosts.
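Once results start arriving by mail, the part worth automating is spotting a report that is not clean. The following POSIX sh helper is an added example, not part of ICU, AIDE or the original post: it reads an AIDE report saved to a file (for instance the body of the mail ICU sent) and pulls out the Summary counters and the added/removed/changed paths. The sample report it runs on is constructed in the layout AIDE prints; the exact header wording is an assumption.

```shell
#!/bin/sh
# Triage an AIDE report (e.g. the mail ICU sends after "ICU.pl -v -c", saved to a
# file): read the Summary counters and list the affected paths so a change on a
# monitored host is noticed without paging through the whole report.
# Added helper, not part of ICU or AIDE; the sample report below is constructed
# in the layout AIDE prints (assumption about the exact wording).

# aide_report_counts FILE -> prints "ADDED REMOVED CHANGED" taken from the
# Summary block (the section headers of the same name carry no number and are
# therefore not matched).
aide_report_counts() {
    awk '
        /^[[:space:]]*Added files:[[:space:]]*[0-9]+$/   { a = $NF }
        /^[[:space:]]*Removed files:[[:space:]]*[0-9]+$/ { r = $NF }
        /^[[:space:]]*Changed files:[[:space:]]*[0-9]+$/ { c = $NF }
        END { printf "%d %d %d\n", a, r, c }
    ' "$1"
}

# aide_report_paths FILE -> one "KIND PATH" line per added/removed/changed entry
aide_report_paths() {
    awk '/^(added|removed|changed): / {
        kind = $1; sub(/:$/, "", kind)
        path = $0; sub(/^[a-z]+: /, "", path)
        print kind, path
    }' "$1"
}

# aide_report_has_changes FILE -> exit 0 when any counter is non-zero, 1 when clean
aide_report_has_changes() {
    set -- $(aide_report_counts "$1")
    [ $(($1 + $2 + $3)) -gt 0 ]
}

# Constructed sample of what ICU mails back after a check that found differences.
report=$(mktemp)
cat > "$report" <<'EOF'
AIDE found differences between database and filesystem!!
Start timestamp: 2012-03-12 09:30:00

Summary:
  Total number of files:    1421
  Added files:              1
  Removed files:            0
  Changed files:            2

---------------------------------------------------
Added files:
---------------------------------------------------

added: /usr/local/sbin/helper

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/passwd
changed: /usr/bin/ssh
EOF

if aide_report_has_changes "$report"; then
    echo "ATTENTION: filesystem differs from the AIDE database (added/removed/changed: $(aide_report_counts "$report"))"
    aide_report_paths "$report" | sed 's/^/  /'
else
    echo "clean: all files match the AIDE database"
fi
rm -f "$report"
```

A report with no differences has no Summary counters at all, so the counts come back as 0 0 0 and aide_report_has_changes exits 1; that exit status is what a cron job or mail filter can key on.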

Thanks ........











