Linux Security Notes - AIDE File Integrity

Submitted by kiranjith on Fri, 2009-10-16 15:54. :: CentOS | Security


AIDE (Advanced Intrusion Detection Environment) is a file integrity checker and an open-source alternative to Tripwire. It takes a snapshot of the attributes (permissions, ownership, inode, timestamps, size and checksums) of the configuration files, binaries and libraries you tell it to watch, and on later runs reports which of those files have been added, removed or changed. That is what lets you find exactly which binaries were replaced after a system compromise, provided the snapshot was taken before the compromise and kept out of the attacker's reach. The source can be downloaded from http://sourceforge.net.

Download both the source tarball and its detached signature file. Import the AIDE developers' GPG key and verify the signature against the tarball before unpacking it; a tarball whose signature does not verify must not be built or installed.

 

Compiling and installing AIDE

Read the INSTALL file in the AIDE source tree for the list of required packages. The mhash library must be installed before AIDE is built; download it from sourceforge.net as well.

Extract both packages, AIDE and mhash.

Installing mhash:

# tar -zxvf mhash-0.9.2.tar.gz
# cd mhash-0.9.2
# ./configure
# make
# make install

This installs the mhash library and its headers under /usr/local.

Installing AIDE:

# tar -zxvf aide-0.10.tar.gz
# cd aide-0.10
# ./configure
# make
# make install

make builds the aide binary and make install copies it to /usr/local/bin. If configure cannot find the mhash library that was just installed under /usr/local, make sure /usr/local/lib is known to the dynamic linker (add it to /etc/ld.so.conf and run ldconfig) before re-running configure.

Note: Record a checksum of the installed aide binary (and later of the configuration file and database) and keep it off the machine. Use sha256sum rather than md5sum; MD5 is no longer collision resistant. The point is not man-in-the-middle detection but detecting a trojaned checker: an attacker who has replaced the aide binary can make it report whatever they like, so the binary itself must be verified against the recorded checksum before its report is trusted.

 

Configuring and monitoring files with AIDE

Step 1. Generate the AIDE DB (creating the snapshot of file stats).

Start from the sample aide.conf in the aide-0.10/doc/ directory and edit it to define which directories are monitored and which attributes are checked.

# Three kinds of line appear in aide.conf:
#    1. configuration variables (such as database)
#    2. macros (such as @@define) and rule groups (such as R)
#    3. selection lines: the files and directories to monitor, each followed by a rule
# Location of the database that --check reads:
database=file:/home/kiran/aide/aide.db
# Selection lines. This one monitors /etc and every file and subdirectory beneath it:
/etc R
# R is a predefined rule group; check its definition in the sample aide.conf.
#=/etc/ R   (with a leading "=", only the /etc directory entry itself is checked, not its contents)

Now create the AIDE DB.

# aide -c aide.conf --init

This scans every file selected in aide.conf (here, everything under /etc/) and writes the snapshot to the path given by the database_out variable, which in the sample configuration is aide.db.new. AIDE never writes to the database it reads, so before the first check you must copy or rename aide.db.new to the path configured as database above (/home/kiran/aide/aide.db); otherwise --check fails with "Couldn't open file ... for reading".

Note: for each file AIDE records the attributes returned by stat(2) (permissions, owner, group, inode, link count, size, modification, change and access times) together with the checksums the rule asks for, and stores them in the database. A later change to any attribute the rule covers is reported.

Comparing the filesystem with the DB:

# aide -c aide.conf --check

This compares the current state of the /etc/ tree with the snapshot in aide.db taken by the previous command and reports every file whose recorded attributes differ, plus files that have appeared or disappeared.

Now test the AIDE functionality.

Edit any file under /etc/ (for instance, append a comment line to one you can safely change).

Now check again:

# aide -c aide.conf --check

AIDE now reports that file as changed and lists the attributes that differ from the snapshot, such as size, mtime, ctime and the checksum.

Note: Run aide --check regularly, ideally from cron, and send the report somewhere the monitored host cannot alter. Investigate every reported change; only once a change is explained (a package update, an edit you made yourself) should the database be updated to accept it. Updating the database before a change is understood destroys the evidence you would need later.

Updating the AIDE DB after a check:

# aide -c aide.conf --update

This runs a check and then writes a fresh database reflecting the current state of the /etc/ tree to the database_out path (aide.db.new). As after --init, move it to the database path so that subsequent checks compare against the new baseline.

Including more directories to monitor:

Edit aide.conf:

/boot  R
/bin   R
/etc   R
/lib   R
/usr   R
/install   R
/sbin$   R # the trailing $ anchors the pattern to /sbin itself, so AIDE does not recurse into its subdirectories

Other configuration options:

/ R
!/var  # excludes /var and everything beneath it from the "/ R" line above; every other directory under / is monitored

# aide -c aide.conf --init

This will generate a new DB for all the directories defined in the aide.conf.
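The whole cycle the preceding steps describe (write the configuration, initialise, move the new database into place, check, update), written as one shell script. This is an added example, not code from the tutorial or from the AIDE project. It assumes an aide binary on the PATH and an AIDE version of 0.13 or later, where the exit status of --check is documented in aide(1) as a bit mask (1 new files, 2 removed files, 4 changed files; 14 and above are errors); check your own man page. The database directory under /var/lib/aide is illustrative and can be changed through the AIDE_DIR variable.

```shell
#!/bin/sh
# Added example AIDE workflow script (not from the original article).
# Assumptions: `aide` is on PATH; AIDE >= 0.13, whose `aide --check` exit
# status is a bit mask of 1 (new), 2 (removed), 4 (changed) files and
# values >= 14 are errors, as documented in aide(1).
set -eu

AIDE_DIR="${AIDE_DIR:-/var/lib/aide}"          # illustrative location
AIDE_CONF="${AIDE_CONF:-$AIDE_DIR/aide.conf}"

# Write a configuration with the rules discussed in the article: recursive R
# checks on the system directories, /sbin itself only, /var excluded.
write_aide_conf() {           # $1 = config path, $2 = database directory
    cat > "$1" <<EOF
# database is what --check reads; database_out is where --init/--update write.
database=file:$2/aide.db
database_out=file:$2/aide.db.new
# R is the predefined rule group from the sample aide.conf (permissions, inode,
# link count, owner, group, size, mtime, ctime and a checksum).
/boot R
/bin  R
/etc  R
/lib  R
/usr  R
/sbin$ R
!/var
EOF
}

# --init writes only to database_out; move the result into place so that
# --check can read it (the step that is easy to forget).
aide_init() {                 # $1 = config path, $2 = database directory
    aide -c "$1" --init
    mv "$2/aide.db.new" "$2/aide.db"
}

# Decode a --check exit status into the kinds of change it encodes.
describe_exit() {             # $1 = exit status; prints a one-line summary
    s=$1
    if [ "$s" -eq 0 ]; then echo "clean"; return 0; fi
    if [ "$s" -ge 14 ]; then echo "error($s)"; return 0; fi
    out=""
    [ $((s & 1)) -ne 0 ] && out="$out new"
    [ $((s & 2)) -ne 0 ] && out="$out removed"
    [ $((s & 4)) -ne 0 ] && out="$out changed"
    echo "${out# }"
}

# Run a check, print what kind of differences were found and return the raw
# status so the caller (a cron wrapper, say) decides what to do with it.
aide_check() {                # $1 = config path
    status=0
    aide -c "$1" --check || status=$?
    echo "aide --check: $(describe_exit "$status")"
    return "$status"
}

# Accept the current state as the new baseline. Differences are expected here
# (that is why you are updating); only a real error aborts the move.
aide_update() {               # $1 = config path, $2 = database directory
    status=0
    aide -c "$1" --update || status=$?
    if [ "$status" -ge 14 ]; then
        echo "aide --update failed with status $status" >&2
        return "$status"
    fi
    mv "$2/aide.db.new" "$2/aide.db"
}

main() {
    case "${1:-}" in
        init)
            mkdir -p "$AIDE_DIR"
            write_aide_conf "$AIDE_CONF" "$AIDE_DIR"
            aide_init "$AIDE_CONF" "$AIDE_DIR" ;;
        check)  aide_check "$AIDE_CONF" ;;
        update) aide_update "$AIDE_CONF" "$AIDE_DIR" ;;
        *)      echo "usage: $0 init|check|update" >&2 ;;
    esac
}
main "$@"
```

Run it as `./aide-cycle.sh init` once, `./aide-cycle.sh check` from cron, and `./aide-cycle.sh update` only after every reported change has been explained. On the 0.10 release the article builds, --check does not return the bit mask, so with that version rely on the printed report rather than on describe_exit.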

Note: This is what lets you trace which files were affected after a compromise, by comparing against a database taken beforehand. Once the database is created, burn the aide binary, its configuration file and the database to read-only media (or copy them to a host the monitored machine cannot write to). An attacker with root on the box can otherwise rewrite both the database and the checker to hide their changes, and a report from a tampered AIDE is worthless.

# mkisofs -V Aide_DB`date +%F` -J -R -o aide.iso /Aide/directory
# cdrecord -v -eject aide.iso

Later, when a compromise is suspected, mount the CD and run the aide binary, configuration and database from it for the audit, rather than the copies on the possibly compromised disk.
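Protecting the checker itself, as an added example that is not part of the original article: a manifest of SHA-256 checksums of the aide binary, configuration and database is recorded once and kept with the burned CD or on another host, verified before any audit, and the audit is then run from the read-only copy. It assumes a coreutils sha256sum and a mount point you pass in; the -B option that points aide at the database on the CD is AIDE's documented --before option, which prepends a configuration line to the config file.

```shell
#!/bin/sh
# Added example: guard the integrity of AIDE's own binary, config and database
# (not from the original article). Assumes coreutils sha256sum; every path is
# passed in, nothing here is a fixed requirement of AIDE.
set -eu

# Record SHA-256 checksums of every file in the AIDE directory (aide, aide.conf,
# aide.db) into a manifest that lives OUTSIDE that directory, ideally off the box.
record_manifest() {           # $1 = AIDE directory, $2 = manifest path
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# Check the AIDE directory against the manifest. Non-zero status if any file
# differs or is missing; sha256sum names the offending file.
verify_manifest() {           # $1 = AIDE directory, $2 = manifest path
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$1" && sha256sum -c "$manifest" )
}

# Audit from the read-only copy: refuse to run unless the copy matches the
# manifest, then run THAT aide with THAT config and THAT database. The -B line
# overrides the database path from the config so the on-disk copy, which the
# attacker may have rewritten, is never consulted.
audit_from_readonly() {       # $1 = mount point of the AIDE CD, $2 = manifest path
    if ! verify_manifest "$1" "$2"; then
        echo "AIDE copy at $1 does not match the manifest; do not trust it" >&2
        return 1
    fi
    "$1/aide" -c "$1/aide.conf" -B "database=file:$1/aide.db" --check
}

main() {
    case "${1:-}" in
        record) record_manifest "$2" "$3" ;;
        verify) verify_manifest "$2" "$3" ;;
        audit)  audit_from_readonly "$2" "$3" ;;
        *)      echo "usage: $0 record|verify|audit <aide-dir> <manifest>" >&2 ;;
    esac
}
main "$@"
```

Record the manifest right after burning the CD (`./aide-guard.sh record /mnt/cdrom /media/usb/aide.sha256`) and compare the printed checksums with the ones you wrote down at install time. One limit to keep in mind: an aide binary dynamically linked against libmhash still loads that library from the disk being audited, so build aide statically if the CD copy is meant to be self-contained.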


Submitted by vijay (not registered) on Tue, 2009-10-27 11:06.

Fantastic post Kiranjith. Well explained and also in-depth.

Thank you and keep posting more and more.

 

Submitted by Anonymous (not registered) on Fri, 2012-01-13 16:54.

One crucial thing is missing and that is:

aide --init will create the new database as /var/lib/aide/aide.db.new. You need to copy/move /var/lib/aide/aide.db.new to /var/lib/aide/aide.db when you do --init to initialize the db and after each subsequent --update. You can change these locations/files in the config file.

This prevents this error:

Couldn't open file /var/lib/aide/aide.db for reading

Submitted by Anonymous (not registered) on Fri, 2012-07-06 08:17.
Actually it should be /var/lib/aide/aide.db.gz.

 It is all defined in /etc/aide.conf

    database=; database_out=; database_new=