
AIDE

From Gentoo Wiki


AIDE stands for Advanced Intrusion Detection Environment. It is an application that scans files and other resources and stores information about them in a database: hashes, file size, ownership and more. Once this database is available, the application can rescan the system and compare the results with the previously stored values. If values differ, the file has changed and the change is reported.

Installation and configuration

Within Gentoo, you can easily install aide after setting the USE flags accordingly. The supported USE flags at the time of writing are:


USE flag  Default  Recommended  Description
acl       No                    Adds support for Access Control Lists
audit     No       Yes          Enable support for sys-process/audit
curl      No                    Adds support for client-side URL transfer library
mhash     No       Yes          Adds support for the mhash library
nls       No       Yes          Adds Native Language Support (using gettext - GNU locale utilities)
postgres  No                    Adds support for the postgresql database
prelink   No                    Enable support for sys-devel/prelink
selinux   No                    !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
static    No                    !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
xattr     No       Yes          Adds support for extended attributes (filesystem-stored metadata)
zlib      No       Yes          Adds support for zlib (de)compression

Then it is a matter of installing the software:

root # emerge --ask app-forensics/aide

The configuration file for aide is not as daunting as it might seem at first sight. The default file is stored at /etc/aide/aide.conf but you can easily create multiple separate configuration files if you want. Besides a few variables, the configuration file contains a few short-hand notations for what aspects of files to scan for (only hashes, or also inode information, etc.) and then which files to scan.

Let's first look at the variables.

File /etc/aide/aide.conf: variables

database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

These parameters define where the database containing the known values is stored (database) and where a newly generated database is written (database_out). It is generally recommended not to have both variables point to the same file; instead, manually copy the generated database from one location to the other.

For now, leave those variables as-is, we'll get back to them later.

File /etc/aide/aide.conf: shorthand notations

Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
...

These are shorthand notations for what to measure. The letters are described in the default aide.conf file, so instead of documenting them all here, I'll just give information about a few of them, in the order they appear in Binlib above: permissions, inode number, number of (hard) links, user information, group information, size (or S if the size is allowed to grow but never shrink), block count, modification time, etc. As you probably guessed, md5 and sha1 mean that the MD5 and SHA-1 checksums are taken.

These short-hand notations are then used to identify what to scan for which files.

File /etc/aide/aide.conf: scan targets

/bin Binlib
/sbin Binlib
/var/log Logs
...

This is the overview of which directories to scan, and what to scan for. In the three-line example above, we tell AIDE to scan the /bin and /sbin locations and take the measures identified earlier in the Binlib shorthand notation. The /var/log location uses the Logs scan measures.

AIDE supports regular expressions, and matches can be "removed" again with an exclusion rule. For instance, if you want to scan /var/log but not /var/log/portage, add an exclusion like this:

File /etc/aide/aide.conf: other scan targets

/var/log Logs
!/var/log/portage

Initialization and frequent scanning

First we need to initialize the database once.

root # aide --init --config=/etc/aide/aide.conf
AIDE, version 0.14.2
  
### AIDE database at /var/lib/aide/aide.db.new initialized.

Once initialized, we can copy over the database file.

root # cd /var/lib/aide; cp aide.db.new aide.db

With the database now available, we can scan the entries again for potential modifications:

root # aide --check --config=/etc/aide/aide.conf
AIDE, version 0.14.2
  
### All files match AIDE database. Looks okay!

When a file has been modified, the check reports the differences:

root # aide --check --config=/etc/aide/aide.conf
AIDE found differences between database and filesystem!!
Start timestamp: 2013-04-11 15:31:02
  
Summary:
  Total number of files:        318
  Added files:                  0
  Removed files:                0
  Changed files:                2
  
  
---------------------------------------------------
Changed files:
---------------------------------------------------
  
changed: /etc/pam.d
changed: /etc/pam.d/run_init
  
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
  
  
Directory: /etc/pam.d
  Mtime    : 2013-04-09 22:11:18              , 2013-04-11 15:31:01
  Ctime    : 2013-04-09 22:11:18              , 2013-04-11 15:31:01
  
File: /etc/pam.d/run_init
  Size     : 205                              , 208
  Mtime    : 2013-04-09 22:11:18              , 2013-04-11 15:31:00
  Ctime    : 2013-04-09 22:11:18              , 2013-04-11 15:31:01
  Inode    : 394203                           , 394053
  MD5      : Mm0KPzpPt63eqGClTJ/KaQ==         , eLUrP2BsIq25f3AZX+dlBA==
  SHA1     : NrQtsUeOsXS4RHUq+ejYBne5V6E=     , 5A6ef6VJCcMiqEjKQ7e9xkBNZB8=
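As an added example (not from the Gentoo wiki page or from AIDE itself), here is a small Python parser that turns a report like the one above into structured data and a summary a monitoring job can alert on, separating changes to file content (a checksum differs) from metadata-only changes such as the directory timestamps shown above. The sample report is a copy of the page's own output with its blank lines condensed; the list of sensitive path prefixes is an assumption that mirrors the authentication-related scan targets under Best Practices below, and the checksum names beyond MD5 and SHA1 are assumed to be the ones AIDE prints for its other digests.

```python
"""Parse an AIDE --check report into structured findings (added example, not AIDE code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the report shown on the page, with its blank lines condensed.
SAMPLE_REPORT = """\
AIDE found differences between database and filesystem!!
Start timestamp: 2013-04-11 15:31:02

Summary:
  Total number of files:        318
  Added files:                  0
  Removed files:                0
  Changed files:                2

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/pam.d
changed: /etc/pam.d/run_init

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /etc/pam.d
  Mtime    : 2013-04-09 22:11:18              , 2013-04-11 15:31:01
  Ctime    : 2013-04-09 22:11:18              , 2013-04-11 15:31:01

File: /etc/pam.d/run_init
  Size     : 205                              , 208
  Mtime    : 2013-04-09 22:11:18              , 2013-04-11 15:31:00
  Inode    : 394203                           , 394053
  MD5      : Mm0KPzpPt63eqGClTJ/KaQ==         , eLUrP2BsIq25f3AZX+dlBA==
  SHA1     : NrQtsUeOsXS4RHUq+ejYBne5V6E=     , 5A6ef6VJCcMiqEjKQ7e9xkBNZB8=
"""

# Assumption: prefixes to escalate first; mirrors the authentication-related
# scan targets listed under Best Practices on the page.
SENSITIVE_PREFIXES = ("/etc/selinux", "/etc/passwd", "/etc/shadow", "/etc/nsswitch.conf",
                      "/etc/pam.d", "/etc/securetty", "/etc/security",
                      "/lib/security", "/lib64/security")
# Checksum attribute names as AIDE prints them; MD5 and SHA1 appear on the page, the rest are assumed.
HASH_ATTRS = {"MD5", "SHA1", "SHA256", "SHA512", "RMD160", "TIGER", "CRC32", "WHIRLPOOL"}

SUMMARY_RE = re.compile(r"^\s*(Total number of files|Added files|Removed files|Changed files):\s+(\d+)\s*$")
ENTRY_RE = re.compile(r"^(added|removed|changed):\s+(\S+)\s*$")   # list entries
DETAIL_RE = re.compile(r"^(File|Directory):\s+(\S+)\s*$")         # detail block header
ATTR_RE = re.compile(r"^\s+(\w+)\s*:\s*(.*?)\s*,\s*(.*?)\s*$")    # "  Attr : old , new"


@dataclass
class Change:
    kind: str                                  # "added", "removed" or "changed"
    path: str
    attrs: dict = field(default_factory=dict)  # attribute -> (old value, new value)


@dataclass
class Report:
    differences: bool = False
    summary: dict = field(default_factory=dict)   # e.g. {"Changed files": 2}
    changes: dict = field(default_factory=dict)   # path -> Change


def parse_report(text):
    """Walk the report once; AIDE's own section markers are enough to tell the parts apart."""
    report, current = Report(), None  # current: Change whose detail block we are in
    for line in text.splitlines():
        if line.startswith("AIDE found differences"):
            report.differences = True
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m.group(1)] = int(m.group(2))
            continue
        m = ENTRY_RE.match(line)
        if m:
            report.changes[m.group(2)] = Change(m.group(1), m.group(2))
            continue
        m = DETAIL_RE.match(line)
        if m:
            current = report.changes.setdefault(m.group(2), Change("changed", m.group(2)))
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current.attrs[m.group(1)] = (m.group(2), m.group(3))
    return report


def content_changed(change):
    """True when a checksum differs, i.e. the bytes changed and not only timestamps or inode."""
    return any(attr in HASH_ATTRS for attr in change.attrs)


def sensitive_changes(report, prefixes=SENSITIVE_PREFIXES):
    """Paths in the report that are, or live below, one of the sensitive prefixes."""
    return sorted(p for p in report.changes
                  if any(p == s or p.startswith(s.rstrip("/") + "/") for s in prefixes))


def triage(text):
    """Summary a monitoring job can alert on: counts plus sensitive paths whose content changed."""
    report = parse_report(text)
    hot = [p for p in sensitive_changes(report) if content_changed(report.changes[p])]
    return {"differences": report.differences, **report.summary, "sensitive_content_changes": hot}
```

Run `triage()` over the output of `aide --check` (or over a saved report) from your scheduled job; a non-empty `sensitive_content_changes` list is the case worth paging on, while a metadata-only change to a directory is usually worth a look but not an alarm.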

Best Practices

Be clear with what to scan

The default AIDE configuration is useful, but you'll need to fine-tune it to suit your needs. It is important to know which files to scan and why.

For instance, if you want to scan for all authentication-related files but not for other files, you can use a configuration like so:

File /etc/aide/aide.conf: authentication-related scan targets

# SELinux policy and settings
/etc/selinux ConfFiles
# Authentication databases
/etc/passwd ConfFiles
/etc/shadow ConfFiles
/etc/nsswitch.conf ConfFiles
# Authentication configuration
/etc/pam.d ConfFiles
/etc/securetty ConfFiles
/etc/security ConfFiles
# PAM libraries
/lib(64)?/security Binlib

Keep the database offline and read-only

A second important aspect is that you really want the result database to be stored offline when you don't need it, and used in read-only mode when you do. This gives some protection against a malicious user who has already compromised the machine also modifying the results database. For instance, you can provide the result database on a read-only NFS mount (for servers) or on read-only media (when you have physical access to the machine) such as CD/DVD or read-only USB sticks.

When you have the database in such a location, update the aide.conf file so that database= points to this new location.
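An added example (not part of the wiki page or of AIDE) that performs the aide.conf edit described above in a repeatable way: it rewrites only the database= line so that a check reads from the read-only location, leaves database_out= alone so that a new database is still written to the writable path, and enforces the separation recommended in the variables section, namely that database and database_out never point at the same file. It also offers a pre-check that the database's filesystem really is mounted read-only. The sample config and the path file:/mnt/aide-ro/aide.db are constructed for illustration.

```python
"""Point aide.conf's database= at a read-only copy and sanity-check the variables (added example)."""
import os
import re

DB_LINE_RE = re.compile(r"^\s*(database|database_out)\s*=\s*(\S+)\s*$")

# Constructed sample config with the two variables and one rule shown on the page.
SAMPLE_CONF = """\
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
/bin Binlib
"""


def database_settings(conf_text):
    """Return the database / database_out values present in the config text."""
    found = {}
    for line in conf_text.splitlines():
        m = DB_LINE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def point_database_at(conf_text, location):
    """Rewrite (or add) the database= line so --check reads from `location`,
    e.g. file:/mnt/aide-ro/aide.db on a read-only mount (constructed path).
    database_out= is left untouched so --init still writes to the writable path."""
    out, replaced = [], False
    for line in conf_text.splitlines():
        m = DB_LINE_RE.match(line)
        if m and m.group(1) == "database":
            out.append(f"database={location}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.insert(0, f"database={location}")
    return "\n".join(out) + "\n"


def validate(conf_text):
    """List problems with the database variables: missing, or both pointing at the
    same file (the page recommends keeping them separate and copying manually)."""
    s = database_settings(conf_text)
    problems = [f"{k} is not set" for k in ("database", "database_out") if k not in s]
    if len(s) == 2 and s["database"] == s["database_out"]:
        problems.append("database and database_out point to the same file; keep them separate")
    return problems


def is_read_only_mount(path):
    """True if the filesystem holding `path` is mounted read-only; None where
    os.statvfs is unavailable. A cheap pre-check before running aide --check."""
    if not hasattr(os, "statvfs"):
        return None
    return bool(os.statvfs(path).f_flag & os.ST_RDONLY)
```

Typical use: write `point_database_at(open("/etc/aide/aide.conf").read(), "file:/mnt/aide-ro/aide.db")` back to a separate config for checks, and have the scheduled job refuse to run when `validate()` returns problems or `is_read_only_mount()` reports the database location as writable.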

Do offline scanning

If you can, try using offline scanning methods for the system. In case of virtual platforms, you might be able to take a snapshot of the system, mount this snapshot (read-only) and then run the aide scan on the mounted file system.

root # losetup /dev/loop0 /srv/virt/gentoo.img
root # vgscan
root # vgchange -ay
root # mount -o ro /dev/volgrpX/volumeY /mnt/image
root # chroot /mnt/image
root # aide --check --config=/path/to/aide.conf
root # exit
root # umount /mnt/image
root # vgchange -an /dev/volgrpX
root # losetup -d /dev/loop0

The above approach uses a chroot. This is only needed when the initial file system scan was taken from the live system and you now want to perform an offline validation. If you did your initial scan offline, your aide.conf already points to the mount point and the database uses those paths, so there is no need to chroot.

More information