<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Intrusion Detection with AIDE</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.local_security.html" title="Part II. Local Security"><link rel="prev" href="cha.security.cryptofs.html" title="Chapter 11. Encrypting Partitions and Files"><link rel="next" href="part.network_security.html" title="Part III. Network Security"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" title="Chapter 12. Intrusion Detection with AIDE"><div class="titlepage"><div><div><h2 class="title"><a name="cha.aide"></a>Chapter 12. Intrusion Detection with AIDE<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.aide">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.aide.html#sec.aide.why">12.1. Why Using AIDE?</a></span></dt><dt><span class="sect1"><a href="cha.aide.html#sec.aide.setup">12.2. Setting Up an AIDE Database</a></span></dt><dt><span class="sect1"><a href="cha.aide.html#sec.aide.check">12.3. Local AIDE Checks</a></span></dt><dt><span class="sect1"><a href="cha.aide.html#sec.aide.independent">12.4. System Independent Checking</a></span></dt><dt><span class="sect1"><a href="cha.aide.html#sec.aide.more">12.5. For More Information</a></span></dt></dl></div><div class="abstract" title="Abstract"><p class="title"><b>Abstract</b></p><p>
   Securing your systems is a mandatory task for any mission-critical system
   administrator. Because it is impossible to always guarantee that the
   system is not compromised, it is very important to do extra checks
   regularly (for example with cron) to ensure that the system is still
   under your control. This is where AIDE, the <span class="emphasis"><em>Advanced
   Intrusion Detection Environment</em></span>, comes into play.
  </p></div><div class="sect1" title="12.1. Why Using AIDE?"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.aide.why"></a>12.1. Why Using AIDE?<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.aide.why">¶</a></span></h2></div></div></div><p>
   An easy check that can often reveal unwanted changes is provided by RPM.
   The package manager has a built-in verify function that checks all the
   files it manages on the system for changes. To verify all files, run the
   command <span class="command"><strong>rpm -Va</strong></span>. However, this command
   also reports changes in configuration files, so you will have to do some
   filtering to detect the important changes.
  </p><p>
   An additional problem with the RPM method is that an intelligent attacker
   will modify <span class="command"><strong>rpm</strong></span> itself to hide any changes
   made by some kind of rootkit, which allows the attacker to mask the
   intrusion and gain root privileges. To solve this, you should implement a
   secondary check that can also be run completely independently of the
   installed system.
  </p></div><div class="sect1" title="12.2. Setting Up an AIDE Database"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.aide.setup"></a>12.2. Setting Up an AIDE Database<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.aide.setup">¶</a></span></h2></div></div></div><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: Initialize AIDE Database After Installation"><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left">Initialize AIDE Database After Installation</th></tr><tr><td colspan="2" align="left" valign="top"><p>
    Before you install your system, verify the checksum of your medium (see
    Section &#8220;Checking Media&#8221; (Chapter 9, <i>Common Problems and Their Solutions</i>, &#8593;Start-Up)) to make sure you do
    not use a compromised source. After you have installed the system,
    initialize the AIDE database. To be really sure that all went well
    during and after the installation, do an installation directly on the
    console, without any network attached to the computer. Do not leave the
    computer unattended or connected to any network before AIDE creates
    its database.
   </p></td></tr></table></div><p>
   AIDE is not installed by default on openSUSE. To install it, either
   use <span class="guimenu">Computer</span>+<span class="guimenu">Install
   Software</span>, or enter <code class="literal">zypper install
   aide</code> on the command line as <code class="systemitem">root</code>.
  </p><p>
   To tell AIDE which attributes of which files should be checked, use the
   <code class="filename">/etc/aide.conf</code> configuration file. It must be
   modified to become the actual configuration. The first section handles
   general parameters like the location of the AIDE database file. More
   relevant for local configurations are the <code class="systemitem">Custom
   Rules</code> and the <code class="systemitem">Directories and Files</code>
   sections. A typical rule looks like the following:
  </p><pre class="screen">Binlib     = p+i+n+u+g+s+b+m+c+md5+sha1</pre><p>
   After defining the variable <code class="literal">Binlib</code>, the respective
   checking options are used in the files section. Important options include
   the following:
  </p><div class="table"><a name="tab.aide.options"></a><p class="title"><b>Table 12.1. Important AIDE Checking Options</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#tab.aide.options">¶</a></span></p><div class="table-contents"><table summary="Important AIDE Checking Options" border="1"><colgroup><col><col></colgroup><thead><tr><th>
       <p>
        Option
       </p>
      </th><th>
       <p>
        Description
       </p>
      </th></tr></thead><tbody><tr><td>
       <p>
        p
       </p>
      </td><td>
       <p>
        Check for the file permissions of the selected files or directories.
       </p>
      </td></tr><tr><td>
       <p>
        i
       </p>
      </td><td>
       <p>
        Check for the inode number. Every filename has a unique inode number
        that should not change.
       </p>
      </td></tr><tr><td>
       <p>
        n
       </p>
      </td><td>
       <p>
        Check for the number of links pointing to the relevant file.
       </p>
      </td></tr><tr><td>
       <p>
        u
       </p>
      </td><td>
       <p>
        Check if the owner of the file has changed.
       </p>
      </td></tr><tr><td>
       <p>
        g
       </p>
      </td><td>
       <p>
        Check if the group of the file has changed.
       </p>
      </td></tr><tr><td>
       <p>
        s
       </p>
      </td><td>
       <p>
        Check if the file size has changed.
       </p>
      </td></tr><tr><td>
       <p>
        b
       </p>
      </td><td>
       <p>
        Check if the block count used by the file has changed.
       </p>
      </td></tr><tr><td>
       <p>
        m
       </p>
      </td><td>
       <p>
        Check if the modification time of the file has changed.
       </p>
      </td></tr><tr><td>
       <p>
        c
       </p>
      </td><td>
       <p>
         Check if the file's access time has changed.
       </p>
      </td></tr><tr><td>
       <p>
        md5
       </p>
      </td><td>
       <p>
        Check if the md5 checksum of the file has changed.
       </p>
      </td></tr><tr><td>
       <p>
        sha1
       </p>
      </td><td>
       <p>
         Check if the sha1 (160-bit) checksum of the file has changed.
       </p>
      </td></tr></tbody></table></div></div><br class="table-break"><p>
   This is a configuration that checks for all files in
   <code class="filename">/sbin</code> with the options defined in
   <code class="literal">Binlib</code> but omits the
   <code class="filename">/sbin/conf.d/</code> directory:
  </p><pre class="screen">/sbin  Binlib
!/sbin/conf.d</pre><p>
   To create the AIDE database, proceed as follows:
  </p><div class="procedure"><a name="pro.aide.setup.db"></a><ol class="procedure" type="1"><li><p>
     Open <code class="filename">/etc/aide.conf</code>.
    </p></li><li><p>
     Define which files should be checked with which checking options. For a
     complete list of available checking options, see
     <code class="filename">/usr/share/doc/packages/aide/manual.html</code>. The
     definition of the file selection needs some knowledge about regular
     expressions. Save your modifications.
    </p></li><li><p>
     To check whether the configuration file is valid, run:
    </p><pre class="screen">aide --config-check</pre><p>
      Any output from this command indicates that the configuration is not
      valid. For example, if you get the following output:
    </p><pre class="screen">aide --config-check
35:syntax error:!
35:Error while reading configuration:!
Configuration error</pre><p>
      the error is in line 36 of
      <code class="filename">/etc/aide.conf</code>: the line number in the error
      message refers to the last line of the configuration file that was read
      successfully.
    </p></li><li><p>
     Initialize the AIDE database. Run the command:
    </p><pre class="screen">aide -i</pre></li><li><p>
      Copy the generated database to a safe location such as a CD-R or DVD-R,
      a remote server or a USB disk for later use.
    </p><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: "><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left"></th></tr><tr><td colspan="2" align="left" valign="top"><p>
       This step is essential because it protects your database from being
       tampered with. It is recommended to use a medium which can be written
       only once, so that the database cannot be modified.
       <span class="emphasis"><em>Never</em></span> leave the database on the computer
       which you want to monitor.
     </p></td></tr></table></div></li></ol></div></div><div class="sect1" title="12.3. Local AIDE Checks"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.aide.check"></a>12.3. Local AIDE Checks<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.aide.check">¶</a></span></h2></div></div></div><p>
   To perform a filesystem check, proceed as follows:
  </p><div class="procedure"><ol class="procedure" type="1"><li><p>
     Rename the database:
    </p><pre class="screen">mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db</pre></li><li><p>
     After any configuration change, you always have to reinitialize the
     AIDE database and subsequently move the newly generated database. It
     is also a good idea to make a backup of this database. See
     <a class="xref" href="cha.aide.html#sec.aide.setup" title="12.2. Setting Up an AIDE Database">Section 12.2, &#8220;Setting Up an AIDE Database&#8221;</a> for more information.
    </p></li><li><p>
     Perform the check with the following command:
    </p><pre class="screen">aide --check</pre></li></ol></div><p>
   If the output is empty, everything is fine. If AIDE found changes, it
   displays a summary of changes, for example:
  </p><pre class="screen">aide --check
AIDE found differences between database and filesystem!!

Summary:
  Total number of files:        1992
  Added files:                  0
  Removed files:                0
  Changed files:                1 </pre><p>
   To learn about the actual changes, increase the verbose level of the
   check with the parameter <code class="literal">-V</code>. For the previous example,
   this could look like the following:
  </p><pre class="screen">aide --check -V
AIDE found differences between database and filesystem!!
Start timestamp: 2009-02-18 15:14:10

Summary:
  Total number of files:        1992
  Added files:                  0
  Removed files:                0
  Changed files:                1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/passwd

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /etc/passwd
  Mtime    : 2009-02-18 15:11:02              , 2009-02-18 15:11:47
  Ctime    : 2009-02-18 15:11:02              , 2009-02-18 15:11:47</pre><p>
   In this example, the file <code class="filename">/etc/passwd</code> was touched to
   demonstrate the effect.
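   As an added illustration that is not code from this manual or from the
   AIDE project, the following Python script re-implements the workflow of
   Section 12.2 and of this section in miniature: it parses the rule and
   selection lines of the configuration example (selection lines are treated
   as regular expressions, as AIDE does; precedence between overlapping lines
   is simplified to "any negative line excludes, first positive line
   applies"), records the Table 12.1 attributes of the selected files into a
   database, and reports added, removed and changed files the way
   <code class="literal">aide --check -V</code> does. The directory tree and the
   configuration fragment are constructed for the example.

```python
import hashlib, os, re, tempfile
from pathlib import Path

# Table 12.1 letters -> os.stat field (AIDE's 'c' is the inode change time, ctime)
STAT_FIELDS = {"p": "st_mode", "i": "st_ino", "n": "st_nlink", "u": "st_uid", "g": "st_gid",
               "s": "st_size", "b": "st_blocks", "m": "st_mtime", "c": "st_ctime"}

def parse_config(text):
    """'Name = p+i+...' defines a rule; '/regex Name' selects, '!/regex' excludes (AIDE uses regexes)."""
    rules, selections = {}, []
    for line in [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]:
        if "=" in line:  # rule definition, e.g. Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
            rules[line.split("=")[0].strip()] = set(line.split("=", 1)[1].strip().split("+"))
        else:  # selection line: optional '!', regex, optional rule name
            neg, regex, rule = re.match(r"^(!?)(\S+)(?:\s+(\w+))?$", line).groups()
            selections.append((bool(neg), regex, set() if neg else rules[rule]))
    return selections

def attrs_for(path, selections):
    """Any matching '!' line excludes the file; otherwise the first matching positive line applies."""
    if any(neg and re.match(regex, path) for neg, regex, _ in selections):
        return None
    return next((attrs for neg, regex, attrs in selections if not neg and re.match(regex, path)), None)

def snapshot(root, selections):
    """The 'aide -i' step: record the selected attributes of every selected file below root."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root)  # database keys are paths as seen on the system
            attrs = attrs_for(rel, selections)
            if attrs is not None:
                st, data = os.stat(full), Path(full).read_bytes()
                rec = {a: getattr(st, STAT_FIELDS[a]) for a in attrs if a in STAT_FIELDS}
                rec.update({h: hashlib.new(h, data).hexdigest() for h in ("md5", "sha1") if h in attrs})
                db[rel] = rec
    return db

def compare(old, new):
    """The 'aide --check -V' step: added/removed paths and, per changed file, the attributes that differ."""
    changed = {p: sorted(a for a in old[p] if old[p][a] != new[p].get(a))
               for p in sorted(old) if p in new and old[p] != new[p]}
    return {"total": len(new), "added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)), "changed": changed}
CONFIG = """Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
/sbin  Binlib
!/sbin/conf.d
"""

def demo():
    root = tempfile.mkdtemp()  # constructed tree: /sbin/init is monitored, /sbin/conf.d/x is excluded
    Path(root, "sbin", "conf.d").mkdir(parents=True)
    Path(root, "sbin", "init").write_bytes(b"#!/bin/sh\n")
    Path(root, "sbin", "conf.d", "x").write_bytes(b"key=value\n")
    sel = parse_config(CONFIG)
    baseline = snapshot(root, sel)  # database taken right after "installation"
    for rel in ("sbin/init", "sbin/conf.d/x"):  # both change afterwards; only /sbin/init is reported
        Path(root, rel).write_bytes(Path(root, rel).read_bytes() + b"# modified after the database was built\n")
    return compare(baseline, snapshot(root, sel))
```

   Running <code class="literal">demo()</code> reports one changed file,
   <code class="filename">/sbin/init</code>, with its size and both checksums
   among the differing attributes, while the change below
   <code class="filename">/sbin/conf.d</code> is ignored because of the negated
   selection line.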
  </p></div><div class="sect1" title="12.4. System Independent Checking"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.aide.independent"></a>12.4. System Independent Checking<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.aide.independent">¶</a></span></h2></div></div></div><p>
   For the risk-averse administrator (and of course this is all about
   risk aversion) it is advisable to also run the AIDE binary from a
   trusted source. This eliminates the risk that an attacker has also
   modified the aide binary to hide their traces.
  </p><p>
   To accomplish this task, AIDE must be run from a rescue system that is
   independent of the installed system. With openSUSE it is relatively
   easy to extend the rescue system with arbitrary programs, and thus add
   the needed functionality.
  </p><p>
   Before you can start using the rescue system, you need to provide two
   packages to it. These are included using the same syntax as for adding a
   driver update disk to the system. For a detailed description of the
   linuxrc features that are used for this purpose, see
   <a class="ulink" href="http://en.opensuse.org/SDB:Linuxrc" target="_top">http://en.opensuse.org/SDB:Linuxrc</a>. In the following, one
   possible way to accomplish this task is discussed.
  </p><div class="procedure" title="Procedure 12.1. Starting a Rescue System with AIDE"><a name="id586987"></a><p class="title"><b>Procedure 12.1. Starting a Rescue System with AIDE</b></p><ol class="procedure" type="1"><li><p>
     Provide an FTP server as a second machine.
    </p></li><li><p>
     Copy the packages <code class="systemitem">aide</code> and
     <code class="systemitem">mhash</code> to the FTP server directory, in our case
     <code class="filename">/srv/ftp/</code>. Replace the placeholders
     <em class="replaceable"><code>ARCH</code></em> and <em class="replaceable"><code>VERSION</code></em>
     with the corresponding values:
    </p><pre class="screen">cp DVD1/suse/<em class="replaceable"><code>ARCH</code></em>/aide<em class="replaceable"><code>VERSION</code></em>.<em class="replaceable"><code>ARCH</code></em>.rpm /srv/ftp
cp DVD1/suse/<em class="replaceable"><code>ARCH</code></em>/mhash<em class="replaceable"><code>VERSION</code></em>.<em class="replaceable"><code>ARCH</code></em>.rpm /srv/ftp</pre></li><li><p>
     Create an info file <code class="filename">/srv/ftp/info.txt</code> that
     provides the needed boot parameters for the rescue system:
    </p><pre class="screen">dud:ftp://ftp.example.com/aide<em class="replaceable"><code>VERSION</code></em>.<em class="replaceable"><code>ARCH</code></em>.rpm
dud:ftp://ftp.example.com/mhash<em class="replaceable"><code>VERSION</code></em>.<em class="replaceable"><code>ARCH</code></em>.rpm</pre><p>
     Replace your FTP domain name, <em class="replaceable"><code>VERSION</code></em> and
     <em class="replaceable"><code>ARCH</code></em> with the values used on your system.
    </p></li><li><p>
     Restart the server that needs to go through an AIDE check with the
     Rescue system from your DVD. Add the following string to the boot
     parameters:
    </p><pre class="screen">info=ftp://ftp.example.com/info.txt</pre><p>
     This parameter tells linuxrc to also read in all information from the
     <code class="filename">info.txt</code> file.
    </p></li></ol></div><p>
   After the rescue system has booted, the AIDE program is ready for use.
  </p></div><div class="sect1" title="12.5. For More Information"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.aide.more"></a>12.5. For More Information<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.aide.more">¶</a></span></h2></div></div></div><p>
   Information about AIDE is available at the following places:
  </p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
     The homepage of AIDE <a class="ulink" href="http://aide.sourceforge.net" target="_top">http://aide.sourceforge.net</a>.
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     In the documented template configuration
     <code class="filename">/etc/aide.conf</code>.
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     In several files below
     <code class="filename">/usr/share/doc/packages/aide</code> after installing the
     <code class="systemitem">aide</code> package.
    </p></li><li class="listitem" style="list-style-type: disc"><p>
     On the AIDE user mailing list at
     <a class="ulink" href="https://mailman.cs.tut.fi/mailman/listinfo/aide" target="_top">https://mailman.cs.tut.fi/mailman/listinfo/aide</a>.
</p></li></ul></div></div></div></body></html>