The Types of AIDE Checks


You may be wondering about the different types of checks AIDE can perform. The checks are described again in Table 12.2.

Table 12.2. AIDE Check Types

DIRECTIVE   DESCRIPTION
p           permissions
i           inode
n           number of links
u           user
g           group
s           size
b           block count
m           Mtime
a           Atime
c           Ctime
S           check for growing size
md5         md5 checksum
sha1        sha1 checksum
rmd160      rmd160 checksum
tiger       tiger checksum
R           p+i+n+u+g+s+m+c+md5
L           p+i+n+u+g
E           Empty group
>           Growing logfile p+u+g+i+n+S
haval       haval checksum
gost        gost checksum
crc32       crc32 checksum


It's probably helpful to break down the types of AIDE checks into categories. There are three basic categories of AIDE checks: what I will term standard checks, grouped checks, and checksums. A standard check looks at information that can be gathered from the file's metadata rather than its contents. These checks are listed in Table 12.3.

Table 12.3. Standard Checks in AIDE

DIRECTIVE   DESCRIPTION
p           permissions
i           inode
n           number of links
u           user
g           group
s           size
b           block count
m           Mtime
a           Atime
c           Ctime
S           check for growing size


These standard checks all rely on filesystem functions native to Linux, and the information they need is read from the file's inode entry. As such, running a given standard check is less resource intensive than a checksum check, which has to read the file's entire contents. Some of these checks suit particular files, whereas others will cause a file to show up in the report nearly every time the check is run. For example, the Ctime of a given file should not change unless the file is deleted or replaced with another.

It may not be readily apparent what some of the standard checks actually do. Table 12.4 describes what may be the more obscure checks within this group.

Table 12.4. Explanation of Some Standard Checks

CHECK NAME        EXPLANATION
inode             The inode is a data structure that holds information about a given file in Linux. The inode contains information such as the location of the file, the permissions, the owner and group information, and many other useful bits.
Number of links   Links are akin to shortcuts in the Windows world. This type of check looks to see how many links exist to the given file.
Mtime             The Mtime of a file is the time when the file was last modified.
Atime             The Atime of a file is the time when the file was last accessed.
Ctime             The Ctime of a file is the time when the file was created.


On the other hand, grouped checks combine some of the more commonly used standard checks, as described in Table 12.5.

Table 12.5. Grouped Checks in AIDE

DIRECTIVE   DEFINITION
R           p+i+n+u+g+s+m+c+md5
L           p+i+n+u+g
E           Empty group
>           Growing logfile p+u+g+i+n+S


Finally, checksums utilize cryptographic checksums of the files, as explained earlier in the chapter and defined in Table 12.6.

Table 12.6. Checksum Checks in AIDE

DIRECTIVE   DEFINITION
md5         md5 checksum
sha1        sha1 checksum
rmd160      rmd160 checksum
tiger       tiger checksum
haval       haval checksum
gost        gost checksum
crc32       crc32 checksum


The differences in the various checksum check types can be explained simply as the differences in the cryptographic algorithms used to create the checksums. I'll leave it up to you to do further research on the types of cryptographic algorithms used by AIDE. I recommend Applied Cryptography, by Bruce Schneier, as a great reference for this purpose.
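To make the three categories concrete, here is a small Python model of them, added as an example for this page; it is neither AIDE's code nor the book's. Standard checks are taken from a single lstat() on the file, grouped checks (R, L, E, >) expand into the directives Table 12.5 lists, and checksum checks hash the file's contents. Only md5 and sha1 are wired up through hashlib, and the reading of S as "report only a file that shrank" is an assumption taken from the table's wording. The directory tree, file names and contents in demo() are constructed for the example.

```python
# Toy AIDE-style checker written for this page as an added example (not AIDE's
# or the book's code). Standard checks come from one lstat(); grouped checks
# expand as in Table 12.5; checksum checks hash the file (md5 and sha1 only).
import hashlib
import os
import stat
import tempfile
from pathlib import Path

GROUPS = {                       # grouped checks, as Table 12.5 defines them
    "R": "p+i+n+u+g+s+m+c+md5",
    "L": "p+i+n+u+g",
    "E": "",                     # empty group: records nothing
    ">": "p+u+g+i+n+S",          # growing logfile
}
STANDARD = set("pinugsbmacS")
CHECKSUMS = {"md5": "md5", "sha1": "sha1"}   # directive -> hashlib name

def expand_rule(rule):
    """Turn a rule such as 'R+sha1' or '>' into a set of atomic directives."""
    atoms = set()
    for tok in filter(None, (t.strip() for t in rule.split("+"))):
        if tok in GROUPS:
            atoms |= expand_rule(GROUPS[tok])
        elif tok in STANDARD or tok in CHECKSUMS:
            atoms.add(tok)
        else:
            raise ValueError("unknown or unsupported directive: %r" % tok)
    return atoms

def checksum(path, algo):
    """Unlike a standard check, this has to read every byte of the file."""
    h = hashlib.new(CHECKSUMS[algo])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(path, atoms):
    """One database record for path; every standard field comes from one lstat()."""
    st = os.lstat(path)
    fields = {
        "p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
        "u": st.st_uid, "g": st.st_gid, "s": st.st_size,
        "S": st.st_size, "b": getattr(st, "st_blocks", 0),  # S: "may only grow"
        "m": st.st_mtime_ns, "a": st.st_atime_ns, "c": st.st_ctime_ns,
    }
    rec = {k: fields[k] for k in atoms if k in fields}
    for algo in atoms & set(CHECKSUMS):
        rec[algo] = checksum(path, algo)
    return rec

def scan(root, rule):
    """Record every file below root under the given rule, keyed by relative path."""
    atoms = expand_rule(rule)
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = collect(full, atoms)
    return db

def compare(baseline, current):
    """Map each changed path to the directives that differ."""
    report = {}
    for path in sorted(baseline.keys() | current.keys()):
        if path not in current:
            report[path] = ["removed"]
        elif path not in baseline:
            report[path] = ["added"]
        else:
            old, new = baseline[path], current[path]
            # Assumption: 'S' flags only a file that shrank; all else flags any change.
            diff = [k for k in sorted(old)
                    if (new[k] < old[k] if k == "S" else new[k] != old[k])]
            if diff:
                report[path] = diff
    return report

def demo():
    """Constructed tree: a binary watched with R, a logfile watched with >."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir, log_dir = Path(root, "bin"), Path(root, "log")
        bin_dir.mkdir()
        log_dir.mkdir()
        tool, log = bin_dir / "tool", log_dir / "app.log"
        tool.write_bytes(b"original content")
        log.write_bytes(b"line one\n")
        base_bin, base_log = scan(bin_dir, "R"), scan(log_dir, ">")
        # Same-size content swap with the old mtime put back: p, s and m still
        # match the baseline, so only the md5 (and possibly c) reports it.
        st = os.lstat(tool)
        tool.write_bytes(b"tampered content")
        os.utime(tool, ns=(st.st_atime_ns, st.st_mtime_ns))
        tampered = compare(base_bin, scan(bin_dir, "R"))
        # A log that grows stays silent under '>'; one that shrinks is reported.
        with open(log, "ab") as f:
            f.write(b"line two\n")
        grown = compare(base_log, scan(log_dir, ">"))
        log.write_bytes(b"")
        shrunk = compare(base_log, scan(log_dir, ">"))
    return tampered, grown, shrunk
```

Running demo() shows why the R group pairs the cheap inode fields with a checksum: a same-size replacement whose mtime has been put back leaves p, s and m identical to the baseline, and only the md5 field (plus, usually, c) differs, while the appended logfile produces no report under > and the truncated one reports S. The cost difference the text describes is visible in collect(): every standard field is filled from the one os.lstat() call, whereas each checksum directive re-reads the whole file.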

Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
ISBN: 1593271417
Year: 2005
Pages: 163
Authors: Michael Rash