RH415 - ch07s02

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

Section 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

SectionSection 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Guided Exercise: Detecting File System Changes with AIDE

In this exercise, you will install AIDE, perform an initial baseline scan, and then make changes to files on a monitored file system in order to explore how AIDE detects and reports those changes.

Outcomes

You should be able to:

Install the aide package.
Modify the /etc/aide.conf configuration file.
Perform an initial baseline scan.
Detect changes made to files since the baseline scan with a subsequent scan.
Update the AIDE database to accept approved changes to the file system.

Verify that the workstation and servera machines are started.

Log in to workstation as student using student as the password. On workstation, run the lab aide-detect setup command to prepare the classroom environment for the guided exercise. This command verifies that neither AIDE nor its configuration and database directory have been installed on servera. Additionally, this command verifies that the Cron job scheduler is installed on servera.

[student@workstation ~]$ lab aide-detect setup

From workstation, log in to servera as the student user. Public-key authentication has been set up for the student user between these two machines so that you can log in without a password.
```
[student@workstation ~]$ ssh student@servera
Last login: Wed Jul 18 04:56:35 2018 from workstation.lab.example.com
[student@servera ~]$
```
The following commands are executed on servera.

Change to the root user and install the aide package.

Use sudo -i to log in as root interactively from the student account. Use student as the password.
```
[student@servera ~]$ sudo -i
[sudo] password for student: student
[root@servera ~]#
```

Install the aide package.

[root@servera ~]# yum install aide
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package aide.x86_64 0:0.15.1-13.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================
 Package                   Arch                        Version                              Repository                             Size
=====================================================================
Installing:
 aide                      x86_64                      0.15.1-13.el7                        rhel--server-dvd                      133 k

Transaction Summary
=====================================================================
Install  1 Package

Total download size: 133 k
Installed size: 311 k
Is this ok [y/d/N]: y
...output omitted...
Installed:
  aide.x86_64 0:0.15.1-13.el7

Complete!

Back up the original copy of the AIDE configuration file.
```
[root@servera ~]# cp /etc/aide.conf /etc/aide.conf.orig
```
Modify the AIDE configuration file (/etc/aide.conf) so that AIDE monitors the directories /etc (existing directory) and /testdir (new directory) for any change in permissions and file content. Use regular selection lines so that the contents of those directories are also monitored. Remove all other selection lines not associated with the mentioned directories.
Note
We have asked you to remove the other selection lines in order to speed up preparation of the AIDE database for this exercise. This will cause AIDE to only analyze a handful of the files on the system. In practice you might decide to keep or adjust the default selection lines, rather than removing them.
```
[root@servera ~]# vim /etc/aide.conf
```
The last few lines of the modified /etc/aide.conf file should look like the following example.
```
...output omitted...
# Extended content + file type + access.
CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs

# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes.
DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256

# Next decide what directories/files you want in the database. Aide
# uses a first match system. Put file specific instructions before generic
# matches. e.g. Put file matches before directories.

/etc           CONTENT_EX
/testdir       CONTENT_EX
```
The CONTENT_EX group definition is provided in the default /etc/aide.conf file. Any selection line that uses it will monitor the selected files for any change in content, Linux file type, number of links, ownership, permissions, SELinux context, and extended attributes.
The two selection lines cause AIDE to monitor any object within the hierarchy of the /etc and /testdir directories in the file system using the checks specified by the CONTENT_EX group definition.
Create the /testdir directory.
```
[root@servera ~]# mkdir /testdir
```
Initialize the database with the aide --init command. This performs an initial baseline scan, generating a new AIDE database that records the current state of the file system hierarchy.
```
[root@servera ~]# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
```
Rename the new AIDE database file, /var/lib/aide/aide.db.new.gz, to /var/lib/aide/aide.db.gz so that AIDE will use the newly generated file as the current database. (The file name of any new database generated, and that of the database actually used by AIDE, are set in /etc/aide.conf by default.)
```
[root@servera ~]# mv /var/lib/aide/aide.db.new.gz \
> /var/lib/aide/aide.db.gz
```
Determine the current status of the machine's file systems.
```
[root@servera ~]# aide --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!
```
AIDE reports that there have been no changes to the files and directories it monitors. This makes sense, because you have not changed any files or directories since initializing the AIDE database.
Create a new file called /testdir/testfile. This file is in one of the directories that you configured AIDE to monitor.
```
[root@servera ~]# touch /testdir/testfile
```

Again determine the current status of the machine's file systems.

[root@servera ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2018-07-18 12:37:55

Summary:
  Total number of files:  2606
  Added files:            1
  Removed files:          0
  Changed files:          0


---------------------------------------------------
Added files:
---------------------------------------------------

added: /testdir/testfile

AIDE reports that the file /testdir/testfile has been added. It also reports that it scanned a total of 2606 files. No files have been removed or changed.

Modify the permissions of the /etc/shadow file to 644 (read/write for user, read-only for group and other).
```
[root@servera ~]# chmod 644 /etc/shadow
```

Determine the current status of the machine's file systems.

[root@servera ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2018-07-18 12:50:20

Summary:
  Total number of files:  2606
  Added files:            1
  Removed files:          0
  Changed files:          1


---------------------------------------------------
Added files:
---------------------------------------------------

added: /testdir/testfile

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/shadow

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /etc/shadow
 Perm     : ----------                       , -rw-r--r--
 ACL      : old = A:
----
user::---
group::---
other::---
----
                  D: <NONE>
            new = A:
----
user::rw-
group::r--
other::r--
----
                  D: <NONE>

AIDE reports that the permissions of /etc/shadow have changed and what those changes are. It also still reports about the newly created file, /testdir/testfile.

Restore the file permissions of /etc/shadow to 000 (no access for user, group, or other).
```
[root@servera ~]# chmod 000 /etc/shadow
```
Determine the current status of the file system.
```
[root@servera ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2018-07-18 13:07:26

Summary:
  Total number of files:  2606
  Added files:            1
  Removed files:          0
  Changed files:          0


---------------------------------------------------
Added files:
---------------------------------------------------

added: /testdir/testfile
```
After restoring the file permissions of the /etc/shadow file, AIDE no longer reports that it has changed. It does still report about the newly created file /testdir/testfile, because that change has not been reverted.
Note
If the CONTENT_EX group definition included the c group to monitor ctime (status change time stamp) updates, the /etc/shadow file would still report a change, because ctime is updated when permissions are changed.
That time stamp is separate from the mtime (modification time stamp) that AIDE monitors with the m group and which shows up in normal ls -l listings to indicate when the contents of the file last changed.
Implement a cron job to automatically run AIDE to check the current status of the file systems. It should run as the root user at 12 noon on a weekly basis. Create an /etc/cron.d/aide file containing the appropriate job specification.
```
[root@servera ~]# vim /etc/cron.d/aide
```
The /etc/cron.d/aide file should contain the following content.
```
00 12 */7 * * root /sbin/aide --check
```
Using this automated approach of verifying the file system's current status allows administrators to periodically monitor the file system for changes and merge the accepted changes with the AIDE database.
Note
This is not the only way to implement a system cron job to automatically run AIDE. For example, it could also be defined in /etc/crontab. The advantage of using a separate /etc/cron.d/aide file is that it is easier and less error prone to deploy the cron configuration by creating a new file on the system than by editing an existing file.
Generate an updated AIDE database to accept the changes you made to the machine's file systems. Rename the newly generated aide.db.new.gz file to aide.db.gz to ensure that AIDE uses the correct database to detect file system changes.
```
[root@servera ~]# aide --update
...output omitted...
[root@servera ~]# mv /var/lib/aide/aide.db.new.gz \
> /var/lib/aide/aide.db.gz
```
Confirm that you successfully updated the AIDE database to reflect the changes to the machine's file systems.
```
[root@servera ~]# aide --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!
```
If you succeeded, AIDE will no longer report that /testdir/testfile is a new file.

Log out from the servera system completely.

[root@servera ~]# logout
[student@servera ~]$ logout
[student@workstation ~]$

Cleanup

On workstation, run the lab aide-detect cleanup command to clean up this exercise.

This command uninstalls AIDE, deletes the configuration and database remnants of AIDE, deletes any file system objects created in this guided exercise. This command also deletes the cron job to run the file system check on a weekly basis, created in this guided exercise. Running this command causes you to lose all of your work done as a part of this guided exercise.

[student@workstation ~]$ lab aide-detect cleanup

This concludes the guided exercise.

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c

Red Hat Security: Linux in Physical, Virtual, and Cloud

This course is now legacy content

Guided Exercise: Detecting File System Changes with AIDE

Note

Note

Note