AIDE - Advanced Intrusion Detection System (english)

2002-03-12 2002-03-12   693 words   ~4 mins
#Dateisysteme #Hash #Integrität #IDS

Table of Contents

What is AIDE?

AIDE (Advanced Intrusion Detection Environment) is a free file integrity checker, therefor it creates a database from the regular expression rules that it finds from the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of the file. All of the usual file attributes can also be checked for inconsistencies. This allows one to check if files have been manipulated for example by a worm, virus or intruder (e. g. a root-kit has been installed).

Installing AIDE on NetBSD

AIDE is available via pkgsrc, so it’s installation is very easily done with:

/usr/pkgsrc/security/aide/
make && make install && make clean

alternatively you can install AIDE as precompiled package, available at ftp.netbsd.org.

Configuring AIDE

After installation finished you have to configure AIDE and create a database, containing the data for each file chosen to be checked. The default path to the configuration file is /usr/pkg/etc/aide.conf, but this can be altered using the option --config=configfile.

The configuration file is easy to edit, it contains the directories to check and the options which should be used to check them.

database = file:///etc/aide.db
# path to AIDE database in URl format

database_new = file:///root/aide.db.new
# path to new AIDE database which shall be created

report_url = file:///root/aide.report
# path to generated report

 #p       : permissions
 #n       : number of links
 #u       : user
 #g       : group
 #s       : size
 #b       : block count
 #m       : mtime
 #c       : ctime
 #a       : atime
 #i       : inode
 #S       : check for growing size
 #E       : empty group
 #md5     : MD5 checksum
 #sha1    : SHA1 checksum
 #rmd160  : RMD160 checksum
 #tiger   : TIGER checksum
 #R       : p+i+n+u+g+s+m+c+md5
 #L       : p+i+n+u+g
 #>       : growing logfile and p+g+u+n+i+S

These options are almost self-explanatory, each submitted option will check in and compare the regarding fileattribute. “R”, “L” and “>” are just macros for the mentioned options, so you can also build your own macro in the same way, e.g.:

daemon  : md5+sha1+rmd160+tiger

heavy : sha1+p+u+g+m+c+a+i+n

daemon will create and check MD5, SHA1, RMD160 and TIGER checksums. Now it’s time to configure the files to be checked:

/etc            heavy
/bin            heavy
/sbin           heavy
/usr/bin        heavy
/usr/sbin       heavy
/usr/pkg/bin    heavy
/usr/pkg/sbin   heavy
# check with heavy-settings

/root           md5
/dev            u+g+i+s+S
#check with specified options

!/var/spool/
!/home/students
# do not check

This also done very easily, just list each directory and the options which should apply to it. Directories that should not be checked e. g. because they change very often, like /var/spool, or privacy of users might be violated, can be excluded with a single !.

Using AIDE

After AIDEs configuration is ready, you can start to build an initial database with: aide -i

The created database is usually stored in /usr/pkg/etc/, except you specified another path in aide.conf. Since this database is the fingerprint each other AIDE comparison run uses to compare with, you should ensure its integrity by protecting it. This can be done by cryptography (e.g. encrypt or sign the database with PGP/GnuPG) or simply moving it to a protected media like CDROM or write protected floppy/ZIP disk. If you are paranoid (Who isn’t?), you can also move AIDEs binary onto that media and deinstall the package to deceipt an intruder.

Now you can run AIDE to check the status of your filesystem, this is simply done by aide -C AIDE now builds a new database with the current status of all files and compares it against he initial database.

Excerpt from a database, build with heavy macro:

/etc/ld.so.conf 4217405 100644 0 0 55 156666 1 56ALmHB6PCPZN8bkbYHXvg== R+47jcSQFV59spXxQip+VJd+Jdw=
/etc/ttyaction 4217405 100644 0 0 123 156667 1 wHSegaYfbPPg1MbNbvSVOQ== kufrktfUPSYfMp4zyym2M7pyJE8=
/etc/motd 4217405 100664 0 0 1551 156668 1 PQ27jGbXvZUXb+Jsi7uNkg== X82oOZx8XV47nA9zF939H7aHc+A=
/etc/hosts.equiv 4217405 100600 0 0 2 156669 1 Ch8ho0FzieDAoTOSx5p6iQ== 4Axzy+iVsOK5B7wmqjQs0xAKgEs=

Now /etc/motd has been modified and aide -c has been run, excerpt from the produced report:

changed:/etc/motd
Detailed information about changes:

File: /etc/motd
  Size     : 1551                              , 1547                              
  Inode    : 156668                            , 156819                            
  MD5      : PQ27jGbXvZUXb+Jsi7uNkg==          , BPOFEUF6A8ttOxkeHnT2ow==          
  RMD160   : X82oOZx8XV47nA9zF939H7aHc+A=      , S6ZmfxjVOSYPpoBrt5TS3Z7fnO0=
← prev next →