AIDE/ko

AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system. AIDE scans files and other resources and stores information about these files in a database. Stored information includes key file attributes such as file hash output, file size, ownership, modification time, creation time, and more. After the initial database has been created, AIDE then rescans the system and compares new scan results with previously stored values. If values differ then the file has been changed and the change will be reported. The idea behind using AIDE is to create a snapshot of a system then compare the snapshot to another created snapshot to find compromised files.

USE flags
It is easy to install aide after setting the USE flags accordingly.

USE flag changes specific to a certain package should be defined in the file, or a text file inside a directory called. For example, when using a file:

Emerge
After the USE flags have been set, install the software:

Configuration
The configuration file for aide is not as daunting as it might seem at first sight. The default file is stored at but administrators can easily create multiple configuration files if necessary. Besides a few variables, the configuration file contains short-hand notations for what aspects of files to scan for (only hashes, or also inode information, etc.) and which files to scan.

Take look at the database variables:

The first line in the example above defines where the location of database that contains the known values. The second line defines where to store new databases when another is generated. It is generally recommended against having these variables point to the same database (having the same paths for each variable). If one database is to overwrite another, the best method is to manually copy over the generated database from one location to the other. For example, to overwrite the first database with the second, this command could be used:

For now, leave the database variables as they are; they will be covered in more detail later in the article.

The next file to consider is the file. The values of the variable are short-hand notations for what information to record in the database.

The letters are described in the default file, but for convenience the following table provides an overview of the most common options:

Next is an overview of which directories to scan, and what to scan for. In three line example to follow, AIDE is instructed to scan the and  directories via the measures identified in the   short-hand notation variable. The file will display the scan measures defined in the   variable defined above.

AIDE supports regular expressions and users are allowed to "remove" matches. For instance, to scan but not  then make an exclusion set by using the   (exclamation point) before the excluded path(s):

초기화 및 잦은 검사
For a basic AIDE setup, a database must be initialized. This is performed using the  option. To make sure AIDE uses the configuration settings defined in the sections before, be sure to pass the  option pointed to the correct configuration file:

Once initialized, any pre-existing database files can be copied over:

With a new database available, the entries can be scanned again (now or at a later date) using the  option. This will create another database containing any modifications that have made to the file system since the first database has been created. Be sure to use the  option pointed to the same configuration file that the first database was created with:

If file modification(s) occurred, a notification will be sent out:

Be clear on what to scan
기본 AIDE 설정은 유용하지만, 사용자의 요구에 맞추려면 세밀하게 조절해야 합니다. 어떤 파일을 왜 검사해야 하는지 아는 것이 중요합니다.

예를 들어, 인증 관련 파일만을 모두 검사하지만, 다른 파일에 대해서는 검사하지 않는다면, 다음처럼 설정을 사용할 수 있습니다:

데이터베이스를 오프라인 상태 및 읽기 전용으로 유지하십시오
A second important aspect is that the result database should be stored offline when not needed and should be used in read-only mode when the database is needed. This gives some protection against a malicious user that might have compromised the machine to modify the results database. For instance, provide the result database on a read-only NFS mount (for servers) or read-only medium (when physical access to the machine is possible) such as a CD/DVD or a read-only USB drive.

After storing the database on a read-only location, update the file to have   point to this new location.

오프라인 상태에서 검사하십시오
가능하다면, 시스템에 대해 오프라인 검사 방법을 사용해보십시오. 가상 플랫폼의 경우 시스템의 스냅샷을 취할 수 있고 이 스냅샷을 마운트(읽기 전용) 할 수 있으며 마운트한 파일 시스템에 대해 AIDE 검사를 수행할 수 있습니다.

The above approach uses chroot. This is only needed when the initial file system has been scanned from the live system and the administrator wants to perform an offline validation. If the initial scan was done offline, then the file will point to the mount point already and the database will use these paths immediately, so then there is no need for chrooting.

추가 참조

 * Integrity/Concepts 에서는 시스템 무결성과 관련한 개념을 다룹니다

External resources

 * Tutorial on how to use AIDE (Linux.com)
 * Securing Linux with AIDE article (Symantec.com)