The Advanced Intrusion Detection Environment (AIDE) is a utility that watches for changes in the attributes of files on a system. The goal of a tool like AIDE is to detect file changes that may be due to Trojans, backdoors, or other unauthorized activity. For example, if the permissions of /etc/shadow are changed to world-readable, something very suspicious is going on with the system. AIDE is an outgrowth of the concepts that began with the Tripwire utility (covered later in this chapter). While Tripwire's open source version has not aged well, AIDE has taken up its capabilities and is actively maintained. It is available at http://sourceforge.net/projects/aide/.
AIDE relies on the libmhash library for its cryptographic hash algorithm support. If this library is not present on your system, then you can download it from http://mhash.sourceforge.net/. Follow the normal installation steps with the ./configure and make commands.
The configuration file for AIDE, aide.conf, isn't created by default when you build from source. Nevertheless, it is simple to create. The aide.conf file consists of a collection of directives that determine what files or directories are to be monitored and what attributes of those files should be recorded. Table 12-2 lists the attributes that can be used within rules. Attributes can be combined into custom rules by "adding" them with plus symbols, as shown in the R, L, and > rules.
Attribute | Description (the target may be a file, directory, or group of files)
---|---
p | Permissions (the read, write, and execute bits).
i | Inode number. A file that is deleted and re-created, rather than edited in place, normally gets a new inode.
n | Number of hard links.
u | Owner's user ID.
g | Group ID.
s | Size.
b | Block count (space actually allocated on the drive).
m | Mtime (time of the last change to the file's contents).
a | Atime (time of the last access).
c | Ctime (time of the last change to the inode, for example a chmod or chown).
S | The file's size is expected to grow; a change is reported only if the file shrinks. This is most useful for logfiles.
md5 | Record the MD5 checksum for the file.
sha1 | Record the SHA1 checksum for the file.
rmd160 | Record the RMD160 checksum for the file.
tiger | Record the Tiger checksum for the file.
R | Abbreviated rule that combines several attributes: p+i+n+u+g+s+m+c+md5
L | Abbreviated rule that combines several attributes: p+i+n+u+g
E | Empty group; no attributes are checked.
> | Abbreviated rule useful for logfiles: p+u+g+i+n+S (no mtime or checksum, since those change with every append)
You must create a configuration file before you can use AIDE. The most basic entry in this file must contain a directory or file and its monitoring rules. For example, to watch the permissions, inode, user, and group for files in the /etc directory you would create a rule like this:
/etc p+i+u+g
Prepend an exclamation point to a path to instruct AIDE to ignore it. Paths in these directives are regular expressions matched from the beginning of the file's path, so /etc covers /etc itself and everything below it (and any other path that begins with /etc; write /etc$ if you mean only the directory entry), and you can use regular expressions to make more robust entries. For example, to ignore everything under /var/log:
!/var/log/.*
Tip: AIDE uses GNU regular expressions, which have different extensions and advanced matching rules than Perl-compatible regular expressions. Double-check the aide.conf syntax if you are creating complex expressions.
After you've created a configuration file, it is time to initialize the AIDE file attribute database. This database should be created at a point in time when the system can be considered secure and unaffected by a compromise. After all, the point of the database is to record a snapshot of a known-good system and then monitor the system for deviations from it; any change may indicate suspicious behavior. Use the --init option to build the original database.
[mike@localhost lib]$ sudo aide --init
AIDE, version 0.11-rc1

### AIDE database initialized.
The --init option creates a file called aide.db.new (by default, this will be in the /usr/local/etc directory). Copy this file to aide.db. Keep a second copy of aide.db, together with aide.conf and the aide binary, on read-only or offline media: an intruder who gains root can otherwise simply rebuild the database so that the altered files match it. Now you can run periodic checks against the database with the --check option.
[mike@localhost etc]$ sudo aide --check
AIDE, version 0.11-rc1

### All files match AIDE database. Looks okay!
Of course, this lends itself quite nicely to automation as a cron job; have the job save the report and alert when it reports differences rather than discarding the output. If you ever add or modify rules in aide.conf, or make legitimate changes to monitored files (a package upgrade, for example), you'll need to update the database. The --update option runs a check and writes a new aide.db.new that includes the new file and directory entries; review its report, then copy it over aide.db. Be sure to do this only when you trust the integrity of the file system, not after the system has been compromised.
AIDE provides good details about any changes that occur to a database entry. For example, here is the output when the /etc/passwd file's permissions have been changed to include world-writable access. Such a change could indicate someone is trying to create a backdoor account on the system.
[mike@localhost etc]$ sudo aide --check
AIDE found differences between database and filesystem!!
Start timestamp: 2005-10-21 15:29:18

Summary:
Total number of files=2737, added files=0, removed files=0, changed files=1

Changed files:
changed: /etc/passwd

Detailed information about changes:

File: /etc/passwd
Permissions: -rw-r--r-- , -rw-rw-rw-
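The rule syntax from Table 12-2 and the init/check cycle above, as an added Python example that is not AIDE's own code: a small re-implementation of the idea, with a constructed aide.conf-style rule set over a temporary directory tree, a baseline snapshot, tampering that mirrors the chapter's /etc/passwd scenario, and a change report. The names expand, parse_rules, snapshot, build_db, check and demo are this example's own; rule precedence is simplified to ignore lines first and then the first matching selection line, where real AIDE's precedence is documented in aide.conf(5), and only the md5 and sha1 checksums are supported.

```python
"""Toy AIDE-style checker: aide.conf-like rules, an init snapshot, and a check.
Added illustration, not AIDE's code; ignore lines win, then the first match."""
import hashlib
import os
import re
import stat
import tempfile

# Macros from the attribute table; 'S' stores a size that may grow but not shrink.
MACROS = {"R": "p+i+n+u+g+s+m+c+md5", "L": "p+i+n+u+g", ">": "p+u+g+i+n+S", "E": ""}

def expand(spec):
    """Turn an 'R+sha1' style spec into a set of single attribute names."""
    attrs = set()
    for tok in spec.split("+"):
        if tok in MACROS:
            attrs.update(t for t in MACROS[tok].split("+") if t)
        elif tok:
            attrs.add(tok)
    return attrs

def parse_rules(text):
    """Return (ignore regexes, [(selection regex, attributes)]) in file order."""
    ignores, rules = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            ignores.append(re.compile(line[1:]))
        else:
            path, spec = line.split(None, 1)
            rules.append((re.compile(path), expand(spec)))
    return ignores, rules

def snapshot(path, attrs):
    """Record the requested attributes of one path (hashes for regular files only)."""
    st = os.lstat(path)
    fields = {"p": stat.filemode(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
              "u": st.st_uid, "g": st.st_gid, "s": st.st_size, "S": st.st_size,
              "b": st.st_blocks, "m": int(st.st_mtime), "a": int(st.st_atime),
              "c": int(st.st_ctime)}
    rec = {k: v for k, v in fields.items() if k in attrs}
    if stat.S_ISREG(st.st_mode):
        for algo in ("md5", "sha1"):
            if algo in attrs:
                with open(path, "rb") as f:
                    rec[algo] = hashlib.new(algo, f.read()).hexdigest()
    return rec

def build_db(root, ignores, rules):
    """Walk root and snapshot every path a selection line covers (aide --init).
    As in aide.conf, a regex is matched from the start of the path."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if any(rx.match(path) for rx in ignores):
                continue
            for rx, attrs in rules:
                if rx.match(path):
                    db[path] = snapshot(path, attrs)
                    break
    return db

def check(baseline, current):
    """Compare a fresh snapshot with the baseline (aide --check)."""
    changed = {}
    for path in baseline.keys() & current.keys():
        diffs = {}
        for key, was in baseline[path].items():
            now = current[path].get(key)
            # 'S' alarms only when the file shrank or vanished: logs may grow
            if (now is None or now < was) if key == "S" else (now != was):
                diffs[key] = (was, now)
        if diffs:
            changed[path] = diffs
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()), "changed": changed}

def demo():
    """Constructed temp tree: baseline it, then tamper as in the chapter's example."""
    root = tempfile.mkdtemp()
    etc, log = os.path.join(root, "etc"), os.path.join(root, "var", "log")
    os.makedirs(etc)
    os.makedirs(log)
    passwd, messages = os.path.join(etc, "passwd"), os.path.join(log, "messages")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    os.chmod(passwd, 0o644)
    with open(messages, "w") as f:
        f.write("boot ok\n")
    r = re.escape(root)  # constructed rules for this tree, in aide.conf style
    conf = f"!{r}/var/log/.*\\.gz\n{r}/var/log >\n{r}/etc R\n{r} L\n"
    ignores, rules = parse_rules(conf)
    baseline = build_db(root, ignores, rules)
    os.chmod(passwd, 0o666)                             # passwd made world-writable
    with open(messages, "a") as f:
        f.write("login ok\n")                           # log grew: allowed by 'S'
    with open(os.path.join(etc, "shadow.bak"), "w") as f:
        f.write("x\n")                                  # new file under etc
    open(os.path.join(log, "old.gz"), "w").close()      # matched by the ignore line
    return check(baseline, build_db(root, ignores, rules)), passwd, messages

if __name__ == "__main__":
    print(demo()[0])
```

Running it reports the added shadow.bak and the permission change on passwd, while the appended logfile under the > rule produces no alarm (it would if the file shrank) and the .gz file never enters the database. The dictionary that check returns is the same information AIDE prints in its summary and "Detailed information about changes" sections.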