Section 8.8. Detecting File Changes with AIDE

Previous page
Table of content
Next page

8.8. Detecting File Changes with AIDE

The Advanced Intrusion Detection Environment (AIDE) is a program that takes a "fingerprint" of system files so that changes in those files can be detected. You can use it to detect a system intrusion, accidental file overwrites, and file corruption.

8.8.1. How Do I Do That?

To initialize the AIDE fingerprint database, execute it with the --init option:

# aide --init AIDE, version 0.11 ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

It will take several minutes to run. When it is finished, a fingerprint database will be saved as /var/lib/aide/aide.db.new.gz. Rename it to /var/lib/aide/aide.db.gz to make it the active AIDE database:

# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Once the fingerprint database is configured, you can check for file changes using the --check argument:

# aide --check AIDE found differences between database and filesystem!! Start timestamp: 2006-06-01 12:50:01 Summary:   Total number of files:        127172   Added files:                  2   Removed files:                0   Changed files:                4 --------------------------------------------------- Added files: --------------------------------------------------- added:/root/.xauth0VekVw added:/root/.xauthcvqPrt --------------------------------------------------- Changed files: --------------------------------------------------- changed:/root changed:/root/.lesshst changed:/bin changed:/bin/date -------------------------------------------------- Detailed information about changes: --------------------------------------------------- Directory: /root   Mtime    : 2006-06-01 09:51:05               , 2006-06-01 11:43:23   Ctime    : 2006-06-01 09:51:05               , 2006-06-01 11:43:23 File: /root/.lesshst   Mtime    : 2006-06-01 10:57:21               , 2006-06-01 12:47:34   Ctime    : 2006-06-01 10:57:21               , 2006-06-01 12:47:34 Directory: /bin   Mtime    : 2006-03-21 00:18:37               , 2006-06-01 12:49:18   Ctime    : 2006-03-21 00:18:37               , 2006-06-01 12:49:18 File: /bin/date   Size     : 54684                             , 2003   Bcount   : 128                               , 16   Permissions: -rwxr-xr-x                        , -rws--x--x   Mtime    : 2006-02-11 01:43:13               , 2006-06-01 12:49:18   Ctime    : 2006-03-21 00:11:18               , 2006-06-01 12:49:32   Inode    : 1986165                           , 1977386   MD5      : sGkOBZz1ixmfifDWyS5PNw==          , RUhh+HqFShK4bABDxePEtw==   SHA1     : mY4z3oD64L+e36a7s2LQ32E4k+8=      , NAkwd0kI05k8svWFerYN5k8C1t0=

A copy of this report is automatically saved in /var/log/aide.log.


In this case, AIDE has detected a change in /bin/date and in /root/.lesshst (the history for the less command). The change to date is of particular note because that is a commonly used program, and the new version is configured with the set-user-ID bit set, meaning that any user typing date will execute a program with superuser privileges.

Since some files are expected to change in specific ways, the qualities that AIDE checks for each file and directory are configurable. Table 8-6 summarizes the default configuration.

Table 8-6. Default AIDE fingerprint configuration
PathnamesFingerprint qualities
/boot/bin/sbin/lib/opt/usr /root/etc/exports/etc/fstab/etc/passwd/etc/group/etc/gshadow/etc/shadow Permissionsinode numberNumber of linksUserGroupSizeTime of last modificationTime of creation or last inode modificationBlock countMD5 checksumSHA1 checksum
All other files in /etc (except /etc/mtab, which is not checked)Permissionsinode numberUserGroup
/var/log PermissionsNumber of linksUserGroup


AIDE is configured using the text file /etc/aide.conf; the default contents of this file are:

# Sample configuration file for AIDE. @@define DBDIR /var/lib/aide # The location of the database to be read database=file:@@{DBDIR}/aide.db.gz # The location of the database to be written #database_out=sql:host:port:database:login_name:passwd:table #database_out=file:aide.db.new database_out=file:@@{DBDIR}/aide.db.new.gz # Whether to gzip the output to database gzip_dbout=yes # Default verbose=5 report_url=file:/var/log/aide.log report_url=stdout #report_url=stderr #NOT IMPLEMENTED report_url=mailto:root@foo.com #NOT IMPLEMENTED report_url=syslog:LOG_AUTH # These are the default rules # #p:      permissions #i:      inode: #n:      number of links #u:      user #g:      group #s:      size #b:      block count #m:      mtime #a:      atime #c:      ctime #S:      check for growing size #md5:    md5 checksum #sha1:   sha1 checksum #rmd160: rmd160 checksum #tiger:  tiger checksum #haval:  haval checksum #gost:   gost checksum #crc32:  crc32 checksum #R:      p+i+n+u+g+s+m+c+md5 #L:      p+i+n+u+g #E:      Empty group #>:      Growing logfile p+u+g+i+n+S # You can create custom rules like this NORMAL = R+b+sha1 DIR = p+i+n+u+g # Next decide what directories/files you want in the database /boot   NORMAL /bin    NORMAL /sbin   NORMAL /lib    NORMAL /opt    NORMAL /usr    NORMAL /root   NORMAL # Check only permissions, inode, user and group for /etc, but # cover some important files closely /etc    p+i+u+g !/etc/mtab /etc/exports  NORMAL /etc/fstab    NORMAL /etc/passwd   NORMAL /etc/group    NORMAL /etc/gshadow  NORMAL /etc/shadow   NORMAL /var/log   p+n+u+g # With AIDE's default verbosity level of 5, these would give lots of # warnings upon tree traversal. It might change with future versions. # #=/lost\+found    DIR #=/home           DIR

Most of this file consists of selection lines, which contain two fields. The first field is used to specify files to process or, if prepended with !, files to exclude from processing. This field is evaluated as a regular expression, so the pattern /lib will match any filename starting with /lib, including files such as /lib/lsb/init-functions.

These regular expressions are treated as if they have ^ prepended (they match only at the start of filenames). To exactly match one filename, append $:

/var/log/messages$ >

The $ prevents this selection line from matching the logrotate history files (such as /var/log/messages.1).


The second field is a list of fingerprint qualities, drawn from the list included in the file as comments, separated with + characters. The values NORMAL and DIR are configured as group definitions, permitting easy reference to commonly used combinations of fingerprint qualities. In this case, NORMAL is defined as R+b+sha1, meaning the predefined fingerprint-qualities group R, block count, and SHA1 checksums. R in turn means permissions, inode number, number of links, user, group, size, modification time, creation/inode change time, and MD5 checksum.

To add additional files to be fingerprinted, append entries to this file. For example, to verify that your web pages have not changed, append:

/var/www/html   NORMAL

8.8.2. How Does It Work?

AIDE works by recording the fingerprint qualities in its database file as plain text (though the file is normally compressed using gzip). Here is a sample of a fingerprint database:

@@begin_db # This file was generated by Aide, version 0.11 # Time of generation was 2006-06-01 10:57:23 @@db_spec name lname attr perm bcount uid gid size mtime ctime inode lcount md5 sha1 /etc 0 541 40755 0 0 0 0 0 0 713153 0 0 0 /sbin 0 4029 40755 32 0 0 12288 MTE0MjkxODMyMg== MTE0MjkxODMyMg== 1880129 2 0 0 /root 0 4029 40750 16 0 0 4096 MTE0OTE2OTg2NQ== MTE0OTE2OTg2NQ== 1296641 8 0 0 /usr 0 4029 40755 16 0 0 4096 MTE0Mjg5MjIzOA== MTE0Mjg5MjIzOA== 1782881 14 0 0 ...(Lines snipped)... /boot/grub/grub.conf 0 16317 100600 4 0 0 599 MTE0Mjg5NTcwNw== MTE0Mjg5NTcwNw== 2011 1 zvjoV7HEEv/lHBdWPRNK9g== xJ2OrD9u9dqn9n3M2y/iKgxzoHk= /boot/grub/reiserfs_stage1_5 0 16317 100644 20 0 0 9056 MTE0Mjg5NTcwOA== MTE0Mjg5NTcwOA== 2022 1 3QMuqfoxpKu/nMsBGE554Q== 6fWY3Yrk7M4+aW0voaqzOIxyQY8= /boot/grub/jfs_stage1_5 0 16317 100644 18 0 0 8032 MTE0Mjg5NTcwOA== MTE0Mjg5NTcwOA== 2020 1 6favoJt1WCIN/dnckuHbfQ== aIlm2nFM9bVJSaE/rwLYehLgpRQ= @@end_db

When run with the -C option, aide simply calculates a new fingerprint and compares the value with the old fingerprint, reporting any discrepancies.

8.8.3. What About...

8.8.3.1. ...an intruder altering the fingerprint database?

This is a very real possibility. To guard against this, the fingerprint database should be recorded on read-only media (such as a CD-R), stored on a different system, or stored on removable media that the system administrator can secure against alteration.

8.8.3.2. ...automating AIDE scans?

To automate daily AIDE scans, create the file /etc/cron.daily/50aide with these contents:

#!/bin/bash /usr/sbin/aide --check 2>&1|mail -s "AIDE scan results" root

Make the file executable by root:

# chown root /etc/cron.daily/50aide # chmod u+rx /etc/cron.daily/50aide

An AIDE scan will then be performed daily, and the results will be mailed to root on the local system (or the user who receives root mail, as defined in /etc/aliases).

8.8.4. Where Can I Learn More?

  • The manpages for aide and aide.conf

  • The AIDE online manual: http://www.cs.tut.fi/~rammer/aide/manual.html



Previous page
Table of content
Next page
Fedora Linux
Fedora Linux: A Complete Guide to Red Hats Community Distribution
ISBN: 0596526822
EAN: 2147483647
Year: 2006
Pages: 115
Authors: Chris Tyler
BUY ON AMAZON
Documenting Software Architectures: Views and Beyond
C++ GUI Programming with Qt 3
Pocket Guide to the National Electrical Code(R), 2005 Edition (8th Edition)
Microsoft VBScript Professional Projects
.NET-A Complete Development Cycle
Digital Character Animation 3 (No. 3)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy