AIDE

The Advanced Intrusion Detection Environment (AIDE) is a utility that watches for changes in the attributes of files on a system. The goal of a tool like AIDE is to detect file changes that may be due to Trojans, backdoors, or unauthorized activity. For example, if the permissions of the /etc/shadow file are changed to world-readable, then something very suspicious is going on with the system. AIDE is an outgrowth of the concepts that began with the Tripwire utility (covered later in this chapter). While Tripwire's Open Source version has not aged well, AIDE has taken up the capabilities and is actively maintained. It is available at http://sourceforge.net/projects/aide/.

Installation

AIDE relies on the libmhash library for its cryptographic hash algorithm support. If this library is not present on your system, then you can download it from http://mhash.sourceforge.net/. Follow the normal installation steps with the ./configure and make commands.

Implementation

The configuration file for AIDE, aide.conf, isn't created by default when you build from source. Nevertheless, it is simple to create. The aide.conf file consists of a collection of directives that determine what files or directories are to be monitored and what attributes of those files should be recorded. Table 12-2 lists the attributes that can be used within rules. Attributes can be combined to create custom rules by "adding" them with plus symbols, as shown in the R, L, and > rules.

Table 12-2: AIDE Rule Switches

Attribute   Description (the target may be a file, directory, or group of files)

p           Read, write, and execute permissions.
i           Inode number.
n           Number of links.
u           User ID.
g           Group ID.
s           Size.
b           Block count (physical space taken on the drive).
m           Mtime: the last time the target's contents were modified.
a           Atime: the last time the target was accessed.
c           Ctime: the last time the target's inode was changed. Ownership and
            permission changes update ctime but not mtime, which is why the
            /etc/passwd example at the end of this section trips the c attribute
            as well as p.
S           The file's size is expected to grow. This is most useful for logfiles.
md5         Record the MD5 checksum for the file.
sha1        Record the SHA1 checksum for the file.
rmd160      Record the RMD160 checksum for the file.
tiger       Record the Tiger checksum for the file.
R           Abbreviated rule that combines several attributes: p+i+n+u+g+s+m+c+md5
L           Abbreviated rule that combines several attributes: p+i+n+u+g
E           Empty group, no attributes to check.
>           Abbreviated rule useful for logfiles: p+u+g+i+n+S

You must create a configuration file before you can use AIDE. The most basic entry in this file must contain a directory or file and its monitoring rules. For example, to watch the permissions, inode, user, and group for files in the /etc directory you would create a rule like this (note that a rule with no checksum attribute will not notice a content change that preserves size and timestamps, and anyone who can write a file can also reset its mtime with touch, so include at least one checksum attribute for files you care about):

 /etc p+i+u+g 

Prepend an exclamation point to the directory to instruct AIDE to ignore the directory. The monitor directives can also contain regular expressions to make more robust entries. For example, to ignore everything under the /var/log directory:

 !/var/log/.* 
Tip 

AIDE uses POSIX (GNU) regular expressions, which have different extensions and advanced matching rules than Perl-compatible regular expressions. The pattern on a selection line is anchored at the beginning of the path but not at the end, so /etc also matches /etcetera; add a trailing $ when you mean exactly one path. Double-check the aide.conf syntax if you are creating complex expressions.

After you've created a configuration file then it is time to initialize the AIDE file attribute database. This database should be created at a point in time when the system can be considered secure and unaffected by a compromise. After all, the point of the database is to record a snapshot of a secure system and continuously monitor the system for changes. Any change may indicate suspicious behavior. Use the init option to build the original database.

 [mike@localhost lib]$ sudo aide --init
 AIDE, version 0.11-rc1

 ### AIDE database initialized.

The init option creates a file called aide.db.new (by default, this will be in the /usr/local/etc directory). Copy this file to aide.db. A check is only as trustworthy as its baseline, so protect aide.db, aide.conf, and the aide binary itself from tampering, for example by keeping copies on read-only media and comparing their checksums before each run. Now you can run periodic checks against the database with the check option.

 [mike@localhost etc]$ sudo aide --check
 AIDE, version 0.11-rc1

 ### All files match AIDE database. Looks okay!

Of course, this lends itself quite nicely to automation as a cron job. If you ever add or modify rules in the aide.conf file, or make legitimate changes to monitored files, then you'll need to update the database. The update option runs a check and then writes a fresh aide.db.new reflecting the current file system; review the reported differences and copy the new file over aide.db only if every change is one you expected. Be sure to do this when you trust the integrity of the file system, not after the system has been compromised.

AIDE provides good details about any changes that occur to a database entry. For example, here is the output when the /etc/passwd file's permissions have been changed to include world-writable access. Such a change could indicate someone is trying to create a backdoor account on the system.

 [mike@localhost etc]$ sudo aide --check
 AIDE found differences between database and filesystem!!
 Start timestamp: 2005-10-21 15:29:18

 Summary:
 Total number of files=2737,added files=0,removed files=0,changed files=1

 Changed files:
 changed:/etc/passwd

 Detailed information about changes:

 File: /etc/passwd
   Permissions: -rw-r--r--                       , -rw-rw-rw-
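To make the init/check mechanism concrete, here is an added example that is not AIDE's code and not from the book. It implements the same baseline-and-compare idea in Python over a temporary directory tree: a small parser for the aide.conf subset used above (group definitions such as NAME = p+i+u+g, selection lines such as /etc R, and ! exclusions), a snapshot of the attributes from Table 12-2 taken from stat(), and a comparison that replays the page's scenario of /etc/passwd becoming world-writable while an excluded logfile grows. The attribute sha256 stands in for the book's md5; the sample tree, the SAMPLE_CONF fragment, and the function names are constructed here.

```python
import hashlib, os, re, shutil, stat, tempfile

# Attribute letters from Table 12-2, each mapped to how it is read from stat().
# sha256 stands in for the book's md5/sha1; that substitution is mine, not AIDE's.
ATTRS = {
    "p": lambda st, path: stat.filemode(st.st_mode),
    "i": lambda st, path: st.st_ino,
    "n": lambda st, path: st.st_nlink,
    "u": lambda st, path: st.st_uid,
    "g": lambda st, path: st.st_gid,
    "s": lambda st, path: st.st_size,
    "m": lambda st, path: int(st.st_mtime),   # last change to contents
    "c": lambda st, path: int(st.st_ctime),   # last change to the inode (mode, owner, links)
    "sha256": lambda st, path: hashlib.sha256(open(path, "rb").read()).hexdigest(),
}
# Predefined groups as the book's table expands them (sha256 in place of md5).
GROUPS = {"R": set("p i n u g s m c sha256".split()), "L": set("p i n u g".split()), "E": set()}

def expand(expr, groups):
    """Expand 'p+i+u+g' or 'R+sha256' into a set of attribute names."""
    names = set()
    for token in filter(None, expr.split("+")):
        if token in groups:
            names |= groups[token]
        elif token in ATTRS:
            names.add(token)
        else:
            raise ValueError("unknown attribute or group: %r" % token)
    return names

def parse_conf(text):
    """Parse the aide.conf subset used here: 'NAME = attrs', '/regex attrs' and '!/regex'."""
    groups, selectors = dict(GROUPS), []   # selectors: (negated, regex, attrs or None)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.startswith(("/", "!")) and "=" in line:
            name, expr = (part.strip() for part in line.split("=", 1))
            groups[name] = expand(expr, groups)
            continue
        negated, parts = line.startswith("!"), line.lstrip("!").split()
        # As in AIDE the pattern is anchored at the start of the path, so /etc also matches /etcetera.
        selectors.append((negated, re.compile("^" + parts[0]), None if negated else expand(parts[1], groups)))
    return selectors

def rule_for(path, selectors):
    """A matching '!' line excludes the path; otherwise the longest matching pattern wins."""
    best = None
    for negated, rx, attrs in selectors:
        if rx.match(path):
            if negated:
                return None
            if best is None or len(rx.pattern) > len(best[0]):
                best = (rx.pattern, attrs)
    return None if best is None else best[1]

def build_db(root, selectors):
    """Equivalent of 'aide --init': record the selected attributes of every regular file."""
    db = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            attrs, st = rule_for(rel, selectors), os.lstat(full)
            if attrs is not None and stat.S_ISREG(st.st_mode):
                db[rel] = {a: ATTRS[a](st, full) for a in sorted(attrs)}
    return db

def compare(baseline, current):
    """Equivalent of 'aide --check': added, removed, and per-attribute (old, new) changes."""
    changed = {}
    for path in set(baseline) & set(current):
        diff = {a: (v, current[path].get(a)) for a, v in baseline[path].items() if v != current[path].get(a)}
        if diff:
            changed[path] = diff
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)), "changed": changed}

# Constructed aide.conf fragment for the demonstration (not from the book).
SAMPLE_CONF = "PermsOnly = p+i+u+g\n/etc R\n/home PermsOnly\n!/var/log/.*\n"

def demo():
    """Replay the book's scenario on a constructed tree: baseline, make /etc/passwd world-writable, re-check."""
    root = tempfile.mkdtemp()
    try:
        files = {"etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
                 "home/mike/.bashrc": "export PS1='$ '\n",
                 "var/log/messages": "Oct 21 15:29:18 localhost sshd[2154]: Server listening\n"}
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
            os.chmod(full, 0o644)
        selectors = parse_conf(SAMPLE_CONF)
        baseline = build_db(root, selectors)                   # aide --init; cp aide.db.new aide.db
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)      # the world-writable change from the page
        with open(os.path.join(root, "var/log/messages"), "a") as fh:
            fh.write("Oct 21 15:30:02 localhost sshd[2160]: Accepted password\n")   # excluded by !/var/log/.*
        with open(os.path.join(root, "etc/hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")                  # new file under a watched directory
        return compare(baseline, build_db(root, selectors))    # aide --check
    finally:
        shutil.rmtree(root)
```

Running demo() reports /etc/hosts as added and /etc/passwd as changed with the p attribute going from -rw-r--r-- to -rw-rw-rw-, while the appended logfile is silent because the ! line excluded it. The chmod leaves m, s, and sha256 untouched, so a rule built only from those would have missed the change; that is the reason the R group carries p and c alongside the checksum.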


Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175