AIDE, Advanced Intrusion Detection Environment, is a file integrity checker, a type of intrusion detection program.

Once a system is cracked, all information on that system is in full view of unauthorized persons. If the cracker covers his tracks well, the intrusion might not be noticed for a while, allowing the cracker to obtain more and more information. System administrators must be just as thorough about intrusion detection as they are about system security.

AIDE, Advanced Intrusion Detection Environment, is a file integrity checker, a type of intrusion detection program. With AIDE, a database is constructed of important files on the system and their file attributes, such as permissions, inode number, user, group, and number of links. A cryptographic checksum of each file is also stored. With this database kept on read-only media, such as a write-once CD, it is extremely hard for a cracker to cover her tracks.

Download and Installation

The first step is to download the AIDE source tarball (or get the RPM).

After getting the source code, run:

  tar xvzf aide-0.7.tar.gz

Next, change into the aide-0.7 directory and run the configure script:

  ./configure --with-gnu-regexp

Finally, to complete installation, run:

  make && make install

Note: the aide binary itself should also be put onto the same read-only media as the database.

Configuration

The next step in setting up AIDE is to configure aide.conf. The format of this file is simple. Before editing it, read the sample configuration file that ships with AIDE, which gives detailed directions, and consult the aide.conf man page, which can be accessed like this:

  man aide.conf

Here is a sample short aide.conf:

  Rule = p+i+u+g+n+s+md5

  /etc p+i+u+g
  /bin Rule
  /sbin Rule
  /usr/local/apache/conf Rule
  /var Rule
  !/var/spool/.*
  !/var/log/.*

In this configuration file, a rule named "Rule" is defined to check permissions (p), inode (i), user (u), group (g), number of links (n), size (s), and MD5 checksum (md5). This rule is then applied to all files in /bin, /sbin, /var, and /usr/local/apache/conf, because they should rarely if ever change. Files in /etc are checked only for changes in permissions, inode, user, and group, because their size may legitimately change while those other attributes should not. Files and directories under /var/spool and /var/log are not checked at all because they change too often.

Usage

After AIDE is properly installed and configured, a database of all the files that should be checked for changes must be created. To do this, type:

  aide --init

Once the database is created, copy both the database and the aide binary onto read-only media, such as a CD-ROM. AIDE is now set up and ready to run whenever needed. It is a good idea to run aide every couple of days, and whenever log oddities are noticed or there is reason to believe a crack attempt was made.
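To make the configuration semantics and the init-then-check workflow concrete, here is an added example that is not part of the original article and not AIDE's own code: a small Python re-implementation of the aide.conf behaviour described in the Configuration and Usage sections. It supports named rules built from the attribute letters, per-path rule selection, "!" ignore patterns (matched against the start of the path, as AIDE does), a build step that plays the role of aide --init, and a compare step that plays the role of a later check. SAMPLE_CONF, the root parameter, and the directory tree that demo() constructs are all assumptions made for the example.

```python
"""Minimal AIDE-style integrity checker. Illustrative re-implementation of the
aide.conf semantics (attribute letters, named rules, '!' ignores); not AIDE code."""
import hashlib
import os
import re
import shutil
import stat
import tempfile

# Constructed sample config: the article's rule and ignore lines, limited to the
# directories that demo() creates below.
SAMPLE_CONF = """
Rule = p+i+u+g+n+s+md5

/etc p+i+u+g
/sbin Rule
/var Rule
!/var/spool/.*
!/var/log/.*
"""

def _md5(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

# One collector per aide.conf attribute letter; each takes (lstat result, real path).
CHECKS = {
    "p": lambda st, _: stat.S_IMODE(st.st_mode),   # permission bits
    "i": lambda st, _: st.st_ino,                  # inode number
    "u": lambda st, _: st.st_uid,                  # owner
    "g": lambda st, _: st.st_gid,                  # group
    "n": lambda st, _: st.st_nlink,                # number of links
    "s": lambda st, _: st.st_size,                 # size
    "md5": lambda st, p: _md5(p) if stat.S_ISREG(st.st_mode) else None,
}

def parse_config(text):
    """Split aide.conf into named rules, (path, rule) selections and ignore regexes."""
    rules, selections, ignores = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):            # "!/var/log/.*": never record matching paths
            ignores.append(re.compile(line[1:]))
        elif line.startswith("/"):          # "/sbin Rule": check this tree with that rule
            path, expr = line.split(None, 1)
            selections.append((path, expr))
        else:                               # "Rule = p+i+u+g+n+s+md5": define a named rule
            name, expr = (s.strip() for s in line.split("=", 1))
            rules[name] = expr
    return rules, selections, ignores

def expand(expr, rules):
    """Turn 'p+i+u+g' or a rule name into the list of attribute letters to record."""
    attrs = []
    for token in expr.split("+"):
        if token in rules:
            attrs.extend(expand(rules[token], rules))
        elif token in CHECKS:
            attrs.append(token)
        else:
            raise ValueError("unknown attribute or rule: " + token)
    return attrs

def build_database(conf_text, root="/"):
    """Role of 'aide --init': record the selected attributes of every selected path.
    'root' (assumption for testing) re-bases the config paths under another directory."""
    rules, selections, ignores = parse_config(conf_text)
    db = {}
    for top, expr in selections:
        attrs = expand(expr, rules)
        for dirpath, _dirs, files in os.walk(os.path.join(root, top.lstrip("/"))):
            for real in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                virtual = "/" + os.path.relpath(real, root).replace(os.sep, "/")
                if any(ig.match(virtual) for ig in ignores):
                    continue
                st = os.lstat(real)
                db[virtual] = {a: CHECKS[a](st, real) for a in attrs}
    return db

def compare(old, new):
    """Role of a later check: report paths added, removed, or with changed attributes."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)), "changed": {}}
    for path in sorted(set(old) & set(new)):
        diffs = {a: (old[path][a], new[path][a])
                 for a in old[path] if old[path][a] != new[path].get(a)}
        if diffs:
            report["changed"][path] = diffs
    return report

def demo():
    """Constructed tree: take a baseline, alter files, and check against the baseline."""
    root = tempfile.mkdtemp()
    try:
        def write(rel, data):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as f:
                f.write(data)
        write("etc/passwd", "root:x:0:0\n")
        write("sbin/init", "#!/bin/sh\n")
        write("var/log/messages", "boot\n")
        os.makedirs(os.path.join(root, "var/spool"), exist_ok=True)
        baseline = build_database(SAMPLE_CONF, root)   # what belongs on read-only media
        write("sbin/init", "#!/bin/sh\ntampered\n")     # edited: size and md5 differ
        write("etc/passwd", "root:x:0:0\nextra:x:0:0\n")  # edited, but /etc checks only p+i+u+g
        write("var/log/messages", "boot\nmore\n")        # ignored by !/var/log/.*
        write("sbin/extra", "new\n")                      # new file in a checked tree
        return compare(baseline, build_database(SAMPLE_CONF, root))
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

Running demo() reports /sbin/extra as added and /sbin/init as changed in size and md5, while the edited /etc/passwd is not reported at all: the article's /etc rule records only p+i+u+g, so a content change that keeps the inode, owner and permissions is invisible to it. That is the trade-off the rule choice makes, and the reason to think carefully about which attributes each tree really needs. The baseline dictionary is the equivalent of the database the article says to copy, together with the checker, onto read-only media.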

Resources

Aside from the manual, not many quality documents are available on the net about AIDE. But between the man pages and the manual, most topics are covered. If there is a problem not covered, write to the mailing list and ask there.