AIDE stands for Advanced Intrusion Detection Environment and is an application that scans files and other resources and stores information about these files in a database. This information can be hash information, file size, ownership and more. The application can then, once this database is available, rescan the system and compare the results with the previously stored values. If values differ, then the file is changed and this change is reported.
Installation and configuration
Within Gentoo, it is easy to install aide after setting the USE flags accordingly. The supported USE flags at the time of writing are:
|USE flag (what is that?)||Default||Recommended||Description|
||No||Add support for Access Control Lists|
||No||Yes||Enable support for sys-process/audit|
||No||Add support for client-side URL transfer library|
||No||Yes||Add support for the mhash library|
||No||Yes||Add Native Language Support (using gettext - GNU locale utilities)|
||No||Add support for the postgresql database|
||No||Enable support for sys-devel/prelink|
||No||!!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur|
||No||!!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically|
||No||Yes||Add support for extended attributes (filesystem-stored metadata)|
||No||Yes||Add support for zlib (de)compression|
Then it is a matter of installing the software:
emerge --ask app-forensics/aide
The configuration file for aide is not as daunting as it might seem at first sight. The default file is stored at /etc/aide/aide.conf but administrators can easily create multiple separate configuration files if necessary. Besides a few variables, the configuration file contains a few short-hand notations for what aspects of files to scan for (only hashes, or also inode information, etc.) and then which files to scan.
Let's first look at the variables.
These parameters define where the database is stored that contains the known values (
database) and where to store a new database when a new one (
database_out) is created. It is generally recommended to not have these variables point to the same, instead manually copying over the generated database from one location to the other.
For now, leave those variables as-is, we'll get back to them later.
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1 Logs = p+i+n+u+g+S ...
These are short-hand notations for what to measure. The letters are described in the default aide.conf file, but the next table gives an overview of the most common ones.
||Number of (hard)links|
||Size (only report when the size is suddenly smaller - growing is allowed)|
Also, it is pretty obvious that
sha1 mean that the MD5 and SHA-1 checksums are taken respectively.
These short-hand notations are then used to identify what to scan for which files.
/bin Binlib /sbin Binlib /var/log Logs ...
This is the overview of which directories to scan, and what to scan for. In the above three lines example, we tell AIDE to scan the /bin and /sbin locations and take the measures identified earlier in the
Binlib short-hand notation. The /var/log location should use the
Logs scan measures.
AIDE supports regular expressions and users are allowed to "remove" matches. For instance, to scan /var/log but not /var/log/portage then include an exclusion set like so:
/var/log Logs !/var/log/portage
Initialization and frequent scanning
First we need to initialize the database once.
aide --init --config=/etc/aide/aide.conf
AIDE, version 0.14.2 ### AIDE database at /var/lib/aide/aide.db.new initialized.
Once initialized, we can copy over the database file.
cd /var/lib/aide; cp aide.db.new aide.db
With the database now available, we can scan the entries again for potential modifications:
aide --check --config=/etc/aide/aide.conf
AIDE, version 0.14.2 ### All files match AIDE database. Looks okay!
When a file modification occurred, a notification will be sent out:
aide --check --config=/etc/aide/aide.conf
AIDE found differences between database and filesystem!! Start timestamp: 2013-04-11 15:31:02 Summary: Total number of files: 318 Added files: 0 Removed files: 0 Changed files: 2 --------------------------------------------------- Changed files: --------------------------------------------------- changed: /etc/pam.d changed: /etc/pam.d/run_init --------------------------------------------------- Detailed information about changes: --------------------------------------------------- Directory: /etc/pam.d Mtime : 2013-04-09 22:11:18 , 2013-04-11 15:31:01 Ctime : 2013-04-09 22:11:18 , 2013-04-11 15:31:01 File: /etc/pam.d/run_init Size : 205 , 208 Mtime : 2013-04-09 22:11:18 , 2013-04-11 15:31:00 Ctime : 2013-04-09 22:11:18 , 2013-04-11 15:31:01 Inode : 394203 , 394053 MD5 : Mm0KPzpPt63eqGClTJ/KaQ== , eLUrP2BsIq25f3AZX+dlBA== SHA1 : NrQtsUeOsXS4RHUq+ejYBne5V6E= , 5A6ef6VJCcMiqEjKQ7e9xkBNZB8=
Be clear with what to scan
The default AIDE configuration is useful, but it needs to be fine-tuned to suit the users' needs. It is important to know which files to scan and why.
For instance, to scan for all authentication-related files but not for other files, use a configuration like so:
# SELinux policy and settings /etc/selinux ConfFiles # Authentication databases /etc/passwd ConfFiles /etc/shadow ConfFiles /etc/nsswitch.conf ConfFiles # Authentication configuration /etc/pam.d ConfFiles /etc/securetty ConfFiles /etc/security ConfFiles # PAM libraries /lib(64)?/security Binlib
Keep the database offline and read-only
A second important aspect is that the result database should be stored off-line when not needed, and use it in read-only modus when the database is needed. This gives some protection against a malicious user, that might already have compromised the machine, to also modify the results database. For instance, provide the result database on a read-only NFS mount (for servers) or read-only medium (when physical access to the machine is possible) such as CD/DVD or read-only USB sticks.
After storing the database on such location, update the aide.conf file to have
database= point to this new location.
Do offline scanning
If applicable, try using offline scanning methods for the system. In case of virtual platforms, it might be possible to take a snapshot of the system, mount this snapshot (read-only) and then run the aide scan on the mounted file system.
losetup /dev/loop0 /srv/virt/gentoo.img
mount -o ro /dev/volgrpX/volumeY /mnt/image
aide --check --config=/path/to/aide.conf
vgchange -an /dev/volgrpX
losetup -d /dev/loop0
The above approach uses a chroot. This is only needed when the initial file system has been scanned from the live system and the administrator wants to perform an offline validation. If the initial scan was done offline, then the aide.conf file will point to the mount point already and the database will use these paths immediately, so then there is no need for chrooting.
- Integrity/Concepts talks about the concepts related to system integrity