Securing your systems is a mandatory task for any mission-critical system. However, regardless of how hard you try, it is impossible to guarantee that the system is not compromised. When administering important servers, where the integrity and security of your data are critical, it is a good idea to perform some extra checks from time to time to ensure that the system is still under the administrator's control.
An easy check that can often reveal unwanted changes can be done by means of rpm. The package manager has a built-in verify function that checks all the managed files in the system for changes. To verify all files, run the command rpm -Va. However, this command also displays changes in configuration files, so you have to do some filtering to detect important changes.
A further problem with the rpm method is that an intelligent attacker will modify rpm itself to hide any changes made by some kind of rootkit that allows the attacker to gain control over your system. To address this, you should implement a secondary check that can also be run completely independently of the installed system. This is where AIDE comes into play.
The AIDE database should be initialized directly after installing the system. To be really sure that nothing bad happened during or after the installation, do the installation directly at the console, without any network attached to the computer. Do not leave the computer unattended or connected to any network before AIDE has created its database.
To tell AIDE which attributes of which files should be checked, a configuration file must be created. Find an example configuration at /etc/aide.conf. This file is also a template and may be modified to create the configuration that is actually used. The first section of the configuration handles general configuration parameters like the location of the AIDE database file. More interesting for your local configuration are the Custom Rules and the Directories and Files sections. A typical rule looks like the following:
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
After defining the variable Binlib, the respective checking options are used in the files section. Important options include the following:
Table 12.1. Important AIDE Checking Options

| Option | Description |
|---|---|
| p | Check for the file permissions of the selected files or directories. |
| i | Check for the inode number. Every filename has a unique inode number that should not change. |
| n | Check for the number of links pointing to the respective file. |
| u | Check if the owner of the file changed. |
| g | Check if the group of the file changed. |
| s | Check if the file size changed. |
| b | Check if the block count used by the file changed. |
| m | Check if the modification time of the file changed. |
| c | Check if the file's access time changed. |
| md5 | Check if the md5 checksum of the file changed. |
| sha1 | Check if the sha1 (160-bit) checksum of the file changed. |
For a complete list of the available checking options, see /usr/share/doc/packages/aide/manual.html.
Before you can start using AIDE, you have to define which files should be checked with which checking options. Defining the file selection requires some knowledge of regular expressions. There are three major ways to define the files to be checked, distinguished by the first character of each line that defines a file selection:
/
Check if a file matches the following regular expression.
=
Select only the files that exactly match the file specified after the =. Note that for directories you should not use a trailing “/”.
!
This is similar to the selection with / but defines which files not to check.
A configuration that checks all files in /sbin with the options defined in Binlib but omits the directory /sbin/conf.d would look like the following:
/sbin Binlib
!/sbin/conf.d
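As an added illustration (not part of this manual and not AIDE's own code), the following Python model implements the three kinds of selection line described above, so you can predict which checking options a given path would be tested with before running aide -i. It goes slightly beyond the example above by also covering an = rule. It assumes, as a simplification, that AIDE anchors selection regexes at the start of the path and that negative rules take precedence over all others; the sample configuration is constructed.

```python
import re

# Constructed sample in the style of the Custom Rules / Directories and
# Files sections of /etc/aide.conf (not a copy of the shipped file).
SAMPLE_CONF = """
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+u+g+n
/sbin Binlib
!/sbin/conf.d
=/var/log Logs
"""

def parse_selection(conf_text):
    """Parse rule variables and selection lines into (groups, selections).
    Only these two kinds of line are modelled; other aide.conf settings
    are ignored by this simplified parser."""
    groups, selections = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] not in "/=!":
            name, _, value = line.partition("=")   # e.g. Binlib = p+i+...
            groups[name.strip()] = set(value.strip().split("+"))
            continue
        kind = {"/": "regex", "=": "equal", "!": "negative"}[line[0]]
        if kind != "regex":
            line = line[1:]                        # strip the = or ! prefix
        parts = line.split(None, 1)
        spec = parts[1].strip() if len(parts) > 1 else ""
        # rule name or an inline option string such as p+i+n
        options = groups.get(spec, set(spec.split("+")) if spec else set())
        # assumption: selection regexes are anchored at the path start
        selections.append((kind, re.compile("^" + parts[0]), options))
    return groups, selections

def select(path, selections):
    """Return the option set applied to `path`, or None if it is not checked.
    Assumption: a matching negative rule always excludes the path; otherwise
    the first matching / or = rule wins, and = must match the whole path."""
    chosen = None
    for kind, rx, options in selections:
        if kind == "negative":
            if rx.match(path):
                return None
        elif chosen is None:
            hit = rx.fullmatch(path) if kind == "equal" else rx.match(path)
            if hit:
                chosen = options
    return chosen
```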
After creating the configuration file /etc/aide.conf, first check whether the configuration is sane with the command:
aide --config-check
Any output of this command is a hint that the configuration is not alright. For example, if you get the following output:
aide --config-check
35:syntax error:!
35:Error while reading configuration:!
Configuration error
the error is to be expected in line 36 of /etc/aide.conf. Note that the error message contains the last successfully read line of the configuration file.
To actually initialize the AIDE database, run the command:
aide -i
This creates a new database at the location specified as database_out in the configuration file. By default, this is /var/lib/aide/aide.db.new. To check whether your configuration worked as expected, open this database file in a text viewer. Each of the checked files should appear at the beginning of a line in this file.
Finally, copy the generated database to a safe location like a CD-R, a remote server, or a USB disk for later use.