|
|
8.8. Detecting File Changes with AIDEThe Advanced Intrusion Detection Environment (AIDE) is a program that takes a "fingerprint" of system files so that changes in those files can be detected. You can use it to detect a system intrusion, accidental file overwrites, and file corruption. 8.8.1. How Do I Do That?To initialize the AIDE fingerprint database, execute it with the --init option: # aide --init AIDE, version 0.11 ### AIDE database at /var/lib/aide/aide.db.new.gz initialized. It will take several minutes to run. When it is finished, a fingerprint database will be saved as /var/lib/aide/aide.db.new.gz. Rename it to /var/lib/aide/aide.db.gz to make it the active AIDE database: # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Once the fingerprint database is configured, you can check for file changes using the --check argument: # aide --check AIDE found differences between database and filesystem!! Start timestamp: 2006-06-01 12:50:01 Summary: Total number of files: 127172 Added files: 2 Removed files: 0 Changed files: 4 --------------------------------------------------- Added files: --------------------------------------------------- added:/root/.xauth0VekVw added:/root/.xauthcvqPrt --------------------------------------------------- Changed files: --------------------------------------------------- changed:/root changed:/root/.lesshst changed:/bin changed:/bin/date -------------------------------------------------- Detailed information about changes: --------------------------------------------------- Directory: /root Mtime : 2006-06-01 09:51:05 , 2006-06-01 11:43:23 Ctime : 2006-06-01 09:51:05 , 2006-06-01 11:43:23 File: /root/.lesshst Mtime : 2006-06-01 10:57:21 , 2006-06-01 12:47:34 Ctime : 2006-06-01 10:57:21 , 2006-06-01 12:47:34 Directory: /bin Mtime : 2006-03-21 00:18:37 , 2006-06-01 12:49:18 Ctime : 2006-03-21 00:18:37 , 2006-06-01 12:49:18 File: /bin/date Size : 54684 , 2003 Bcount : 128 , 16 Permissions: -rwxr-xr-x , -rws--x--x Mtime : 2006-02-11 01:43:13 , 2006-06-01 12:49:18 Ctime : 2006-03-21 00:11:18 , 2006-06-01 12:49:32 Inode : 1986165 , 1977386 MD5 : sGkOBZz1ixmfifDWyS5PNw== , RUhh+HqFShK4bABDxePEtw== SHA1 : mY4z3oD64L+e36a7s2LQ32E4k+8= , NAkwd0kI05k8svWFerYN5k8C1t0=
In this case, AIDE has detected a change in /bin/date and in /root/.lesshst (the history for the less command). The change to date is of particular note because that is a commonly used program, and the new version is configured with the set-user-ID bit set, meaning that any user typing date will execute a program with superuser privileges. Since some files are expected to change in specific ways, the qualities that AIDE checks for each file and directory are configurable. Table 8-6 summarizes the default configuration.
AIDE is configured using the text file /etc/aide.conf; the default contents of this file are: # Sample configuration file for AIDE.
@@define DBDIR /var/lib/aide
# The location of the database to be read
database=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default
verbose=5
report_url=file:/var/log/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
# These are the default rules
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#gost: gost checksum
#crc32: crc32 checksum
#R: p+i+n+u+g+s+m+c+md5
#L: p+i+n+u+g
#E: Empty group
#>: Growing logfile p+u+g+i+n+S
# You can create custom rules like this
NORMAL = R+b+sha1
DIR = p+i+n+u+g
# Next decide what directories/files you want in the database
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely
/etc p+i+u+g
!/etc/mtab
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/var/log p+n+u+g
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future versions.
#
#=/lost\+found DIR
#=/home DIRMost of this file consists of selection lines, which contain two fields. The first field is used to specify files to process or, if prepended with !, files to exclude from processing. This field is evaluated as a regular expression, so the pattern /lib will match any filename starting with /lib, including files such as /lib/lsb/init-functions.
The second field is a list of fingerprint qualities, drawn from the list included in the file as comments, separated with + characters. The values NORMAL and DIR are configured as group definitions, permitting easy reference to commonly used combinations of fingerprint qualities. In this case, NORMAL is defined as R+b+sha1, meaning the predefined fingerprint-qualities group R, block count, and SHA1 checksums. R in turn means permissions, inode number, number of links, user, group, size, modification time, creation/inode change time, and MD5 checksum. To add additional files to be fingerprinted, append entries to this file. For example, to verify that your web pages have not changed, append: /var/www/html NORMAL 8.8.2. How Does It Work?AIDE works by recording the fingerprint qualities in its database file as plain text (though the file is normally compressed using gzip). Here is a sample of a fingerprint database: @@begin_db # This file was generated by Aide, version 0.11 # Time of generation was 2006-06-01 10:57:23 @@db_spec name lname attr perm bcount uid gid size mtime ctime inode lcount md5 sha1 /etc 0 541 40755 0 0 0 0 0 0 713153 0 0 0 /sbin 0 4029 40755 32 0 0 12288 MTE0MjkxODMyMg== MTE0MjkxODMyMg== 1880129 2 0 0 /root 0 4029 40750 16 0 0 4096 MTE0OTE2OTg2NQ== MTE0OTE2OTg2NQ== 1296641 8 0 0 /usr 0 4029 40755 16 0 0 4096 MTE0Mjg5MjIzOA== MTE0Mjg5MjIzOA== 1782881 14 0 0 ...(Lines snipped)... /boot/grub/grub.conf 0 16317 100600 4 0 0 599 MTE0Mjg5NTcwNw== MTE0Mjg5NTcwNw== 2011 1 zvjoV7HEEv/lHBdWPRNK9g== xJ2OrD9u9dqn9n3M2y/iKgxzoHk= /boot/grub/reiserfs_stage1_5 0 16317 100644 20 0 0 9056 MTE0Mjg5NTcwOA== MTE0Mjg5NTcwOA== 2022 1 3QMuqfoxpKu/nMsBGE554Q== 6fWY3Yrk7M4+aW0voaqzOIxyQY8= /boot/grub/jfs_stage1_5 0 16317 100644 18 0 0 8032 MTE0Mjg5NTcwOA== MTE0Mjg5NTcwOA== 2020 1 6favoJt1WCIN/dnckuHbfQ== aIlm2nFM9bVJSaE/rwLYehLgpRQ= @@end_db When run with the -C option, aide simply calculates a new fingerprint and compares the value with the old fingerprint, reporting any discrepancies. 8.8.3. What About...8.8.3.1. ...an intruder altering the fingerprint database?This is a very real possibility. To guard against this, the fingerprint database should be recorded on read-only media (such as a CD-R), stored on a different system, or stored on removable media that the system administrator can secure against alteration. 8.8.3.2. ...automating AIDE scans?To automate daily AIDE scans, create the file /etc/cron.daily/50aide with these contents: #!/bin/bash /usr/sbin/aide --check 2>&1|mail -s "AIDE scan results" root Make the file executable by root: # chown root /etc/cron.daily/50aide
# chmod u+rx /etc/cron.daily/50aide
An AIDE scan will then be performed daily, and the results will be mailed to root on the local system (or the user who receives root mail, as defined in /etc/aliases). 8.8.4. Where Can I Learn More?
 |
|
|
