Previous Page
Next Page

8.8. Detecting File Changes with AIDE

The Advanced Intrusion Detection Environment (AIDE) is a program that takes a "fingerprint" of system files so that changes in those files can be detected. You can use it to detect a system intrusion, accidental file overwrites, and file corruption.

8.8.1. How Do I Do That?

To initialize the AIDE fingerprint database, execute it with the --init option:

# aide --init

AIDE, version 0.11

### AIDE database at /var/lib/aide/ initialized.

It will take several minutes to run. When it is finished, a fingerprint database will be saved as /var/lib/aide/ Rename it to /var/lib/aide/aide.db.gz to make it the active AIDE database:

# mv /var/lib/aide/ /var/lib/aide/aide.db.gz

Once the fingerprint database is configured, you can check for file changes using the --check argument:

# aide --check
AIDE found differences between database and filesystem!!
Start timestamp: 2006-06-01 12:50:01

  Total number of files:        127172
  Added files:                  2
  Removed files:                0
  Changed files:                4

Added files:


Changed files:


Detailed information about changes:

Directory: /root
  Mtime    : 2006-06-01 09:51:05               , 2006-06-01 11:43:23
  Ctime    : 2006-06-01 09:51:05               , 2006-06-01 11:43:23

File: /root/.lesshst
  Mtime    : 2006-06-01 10:57:21               , 2006-06-01 12:47:34
  Ctime    : 2006-06-01 10:57:21               , 2006-06-01 12:47:34

Directory: /bin
  Mtime    : 2006-03-21 00:18:37               , 2006-06-01 12:49:18
  Ctime    : 2006-03-21 00:18:37               , 2006-06-01 12:49:18

File: /bin/date
  Size     : 54684                             , 2003
  Bcount   : 128                               , 16
  Permissions: -rwxr-xr-x                        , -rws--x--x
  Mtime    : 2006-02-11 01:43:13               , 2006-06-01 12:49:18
  Ctime    : 2006-03-21 00:11:18               , 2006-06-01 12:49:32
  Inode    : 1986165                           , 1977386
  MD5      : sGkOBZz1ixmfifDWyS5PNw==          , RUhh+HqFShK4bABDxePEtw==
  SHA1     : mY4z3oD64L+e36a7s2LQ32E4k+8=      , NAkwd0kI05k8svWFerYN5k8C1t0=

A copy of this report is automatically saved in /var/log/aide.log.

In this case, AIDE has detected a change in /bin/date and in /root/.lesshst (the history for the less command). The change to date is of particular note because that is a commonly used program, and the new version is configured with the set-user-ID bit set, meaning that any user typing date will execute a program with superuser privileges.

Since some files are expected to change in specific ways, the qualities that AIDE checks for each file and directory are configurable. Table 8-6 summarizes the default configuration.

Table 8-6. Default AIDE fingerprint configuration
PathnamesFingerprint qualities
/boot/bin/sbin/lib/opt/usr /root/etc/exports/etc/fstab/etc/passwd/etc/group/etc/gshadow/etc/shadow Permissionsinode numberNumber of linksUserGroupSizeTime of last modificationTime of creation or last inode modificationBlock countMD5 checksumSHA1 checksum
All other files in /etc (except /etc/mtab, which is not checked)Permissionsinode numberUserGroup
/var/log PermissionsNumber of linksUserGroup

AIDE is configured using the text file /etc/aide.conf; the default contents of this file are:

# Sample configuration file for AIDE.

@@define DBDIR /var/lib/aide

# The location of the database to be read

# The location of the database to be written

# Whether to gzip the output to database

# Default

#NOT IMPLEMENTED report_url=syslog:LOG_AUTH

# These are the default rules
#p:      permissions
#i:      inode:
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#md5:    md5 checksum
#sha1:   sha1 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum
#haval:  haval checksum
#gost:   gost checksum
#crc32:  crc32 checksum
#R:      p+i+n+u+g+s+m+c+md5
#L:      p+i+n+u+g
#E:      Empty group
#>:      Growing logfile p+u+g+i+n+S

# You can create custom rules like this

NORMAL = R+b+sha1
DIR = p+i+n+u+g

# Next decide what directories/files you want in the database

/boot   NORMAL
/bin    NORMAL
/sbin   NORMAL
/lib    NORMAL
/opt    NORMAL
/usr    NORMAL
/root   NORMAL

# Check only permissions, inode, user and group for /etc, but
# cover some important files closely
/etc    p+i+u+g
/etc/exports  NORMAL
/etc/fstab    NORMAL
/etc/passwd   NORMAL
/etc/group    NORMAL
/etc/gshadow  NORMAL
/etc/shadow   NORMAL

/var/log   p+n+u+g

# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future versions.
#=/lost\+found    DIR
#=/home           DIR

Most of this file consists of selection lines, which contain two fields. The first field is used to specify files to process or, if prepended with !, files to exclude from processing. This field is evaluated as a regular expression, so the pattern /lib will match any filename starting with /lib, including files such as /lib/lsb/init-functions.

These regular expressions are treated as if they have ^ prepended (they match only at the start of filenames). To exactly match one filename, append $:

/var/log/messages$ >

The $ prevents this selection line from matching the logrotate history files (such as /var/log/messages.1).

The second field is a list of fingerprint qualities, drawn from the list included in the file as comments, separated with + characters. The values NORMAL and DIR are configured as group definitions, permitting easy reference to commonly used combinations of fingerprint qualities. In this case, NORMAL is defined as R+b+sha1, meaning the predefined fingerprint-qualities group R, block count, and SHA1 checksums. R in turn means permissions, inode number, number of links, user, group, size, modification time, creation/inode change time, and MD5 checksum.

To add additional files to be fingerprinted, append entries to this file. For example, to verify that your web pages have not changed, append:

/var/www/html   NORMAL

8.8.2. How Does It Work?

AIDE works by recording the fingerprint qualities in its database file as plain text (though the file is normally compressed using gzip). Here is a sample of a fingerprint database:

# This file was generated by Aide, version 0.11
# Time of generation was 2006-06-01 10:57:23
@@db_spec name lname attr perm bcount uid gid size mtime ctime inode lcount md5 sha1
/etc 0 541 40755 0 0 0 0 0 0 713153 0 0 0
/sbin 0 4029 40755 32 0 0 12288 MTE0MjkxODMyMg== MTE0MjkxODMyMg== 1880129 2 0 0
/root 0 4029 40750 16 0 0 4096 MTE0OTE2OTg2NQ== MTE0OTE2OTg2NQ== 1296641 8 0 0
/usr 0 4029 40755 16 0 0 4096 MTE0Mjg5MjIzOA== MTE0Mjg5MjIzOA== 1782881 14 0 0
...(Lines snipped)...
/boot/grub/grub.conf 0 16317 100600 4 0 0 599 MTE0Mjg5NTcwNw== MTE0Mjg5NTcwNw== 2011 1 zvjoV7HEEv/lHBdWPRNK9g== xJ2OrD9u9dqn9n3M2y/iKgxzoHk=
/boot/grub/reiserfs_stage1_5 0 16317 100644 20 0 0 9056 MTE0Mjg5NTcwOA== MTE0Mjg5NTcwOA== 2022 1 3QMuqfoxpKu/nMsBGE554Q== 6fWY3Yrk7M4+aW0voaqzOIxyQY8=
/boot/grub/jfs_stage1_5 0 16317 100644 18 0 0 8032 MTE0Mjg5NTcwOA== MTE0Mjg5NTcwOA== 2020 1 6favoJt1WCIN/dnckuHbfQ== aIlm2nFM9bVJSaE/rwLYehLgpRQ=

When run with the -C option, aide simply calculates a new fingerprint and compares the value with the old fingerprint, reporting any discrepancies.

8.8.3. What About... intruder altering the fingerprint database?

This is a very real possibility. To guard against this, the fingerprint database should be recorded on read-only media (such as a CD-R), stored on a different system, or stored on removable media that the system administrator can secure against alteration. ...automating AIDE scans?

To automate daily AIDE scans, create the file /etc/cron.daily/50aide with these contents:


/usr/sbin/aide --check 2>&1|mail -s "AIDE scan results" root

Make the file executable by root:

# chown root /etc/cron.daily/50aide
# chmod u+rx /etc/cron.daily/50aide

An AIDE scan will then be performed daily, and the results will be mailed to root on the local system (or the user who receives root mail, as defined in /etc/aliases).

8.8.4. Where Can I Learn More?

Previous Page
Next Page