LinuxSecurity.com
Hacks From Pax: Using AIDE to Ensure System Integrity
Posted by Pax Dickinson
Today in Hacks From Pax we'll talk about AIDE, a host-based intrusion detection system. AIDE provides another important layer of security for a system, a layer designed not to keep intruders out but to notify administrators of a possible compromise. By itself it won't prevent a successful intrusion, but it can help prevent the only thing worse: a successful intrusion that you don't know about yet.

What is AIDE?

AIDE stands for Advanced Intrusion Detection Environment. It is a host-based IDS that tracks and checks file integrity: it builds a database of attributes for the files you tell it to watch, periodically compares those files against the database, and reports any differences to the administrator. AIDE records not just file size and modification times but also inode numbers, link counts, owner, group and permissions, and one or more checksums of the file's content.

The point of this checking is to tell the administrator when a system file changes. An intruder who has gained control of a machine commonly modifies system files to install a backdoor, and AIDE can detect this. Ideally an attacker never gets this far, but if it happens AIDE can be a lifesaver, letting you find out in a timely manner that your machine has been compromised.

Configuring AIDE

Packages for AIDE exist for all major distributions, so installing it should not pose a problem. Compiling from source is the usual configure, make, make install procedure and should also be relatively trouble free.

The key to using AIDE effectively is the construction of your AIDE configuration file, /etc/aide/aide.conf (that is Debian's location; Red Hat-style systems use /etc/aide.conf and a source install defaults to /usr/local/etc/aide.conf). The configuration file lets you set a few general options such as the paths of the integrity database and the generated report, but the heart of it is a list of regular expressions matched against file paths, each paired with the set of attributes to check for the files that match.

The attributes available by default are as follows (crc32, used in the EnGarde rules further down, is another checksum type; exactly which checksums your copy of AIDE offers depends on how it was compiled):

p:      permissions
i:      inode
n:      number of links to the file
u:      user
g:      group
s:      size
b:      block count
m:      last modification time (mtime)
a:      last access time (atime)
c:      last inode/permission change time (ctime)
S:      size may only grow, not shrink
md5:    md5 checksum
sha1:   sha1 checksum
rmd160: rmd160 checksum
tiger:  tiger checksum
R:      p+i+n+u+g+s+m+c+md5
L:      p+i+n+u+g
E:      Empty group
>:      Growing logfile p+u+g+i+n+S

You can define your own combinations of these attributes as named rules for shorthand use within the configuration file. EnGarde Secure Linux, which includes AIDE in the default install, defines the following rules in its default configuration file:


SEC_BIN = p+i+n+u+g+s+b+m+crc32+md5     # Read only
SEC_CONFIG = p+i+n+u+g                  # Changing file
SEC_CRIT = p+i+n+u+g+s+b+m+c+crc32+md5
SEC_INVARIANT = p+u+g
SEC_LOG = p+i+n+u+g+S                   # Can grow but not shrink
SEC_DEV = p+u+g+s
SEC_RUN = p+u+g

For example, a typical configuration file in /etc would be assigned SEC_CONFIG, which tracks changes to the file's permissions, inode, link count, owner and group, but not its content, since the file is expected to be edited. Be aware of what that trade-off gives up: because SEC_CONFIG records neither size, mtime nor a checksum, an in-place edit to the file (an extra line appended to a configuration file, say) is not reported, while replacing the file wholesale is, because the inode changes. Files under /etc that should only change on a deliberate administrative action are better assigned SEC_CRIT. A logfile would be assigned SEC_LOG and would track the same attributes as SEC_CONFIG but also alert if the file shrank, a suspicious sign of log entries being removed.
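To make the difference between these rule groups concrete, here is an added example (not code from the article, EnGarde or AIDE) that records the same attributes AIDE tracks for a file using GNU stat and md5sum, applies two kinds of tampering to a constructed sample file, and reports which attributes each one changes and which of the rule groups above would therefore notice. It assumes a Linux system with GNU coreutils; the sample file, its contents and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article, EnGarde or AIDE. It snapshots
# the attributes AIDE records (p i n u g s b m c plus an md5) with GNU stat
# and md5sum, then shows which attributes two kinds of tampering change and
# which of the EnGarde rule groups would therefore report them.
# Assumes Linux with GNU coreutils.
set -eu

# Print one key=value line per attribute for the path in $1, using the
# single-letter attribute names from aide.conf.
snapshot_attrs() {
    stat -c 'p=%a i=%i n=%h u=%u g=%g s=%s b=%b m=%Y c=%Z' -- "$1" | tr ' ' '\n'
    printf 'md5=%s\n' "$(md5sum -- "$1" | cut -d' ' -f1)"
}

# Given two snapshots, print the space-separated keys whose values differ.
changed_attrs() {
    out=""
    for kv in $1; do
        key=${kv%%=*}
        new=$(printf '%s\n' "$2" | grep "^$key=" | head -n 1)
        [ "$kv" = "$new" ] || out="$out $key"
    done
    printf '%s\n' "${out# }"
}

# Print the attributes of rule group $1 (e.g. p+i+n+u+g) that appear in the
# changed list $2. Empty output means that group would report nothing.
group_hits() {
    out=""
    for attr in $(printf '%s\n' "$1" | tr '+' ' '); do
        case " $2 " in *" $attr "*) out="$out $attr" ;; esac
    done
    printf '%s\n' "${out# }"
}

# Walk through both cases on a constructed passwd-like file.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$d/passwd"
    before=$(snapshot_attrs "$d/passwd")

    # Case 1: a line appended in place. Same inode, owner and mode; only
    # size, block count, times and checksum can move.
    printf 'backdoor:x:0:0::/:/bin/sh\n' >> "$d/passwd"
    after=$(snapshot_attrs "$d/passwd")
    ch=$(changed_attrs "$before" "$after")
    printf 'in-place edit changed: %s\n' "$ch"
    printf '  SEC_CONFIG would report: [%s]\n' "$(group_hits p+i+n+u+g "$ch")"
    printf '  SEC_CRIT would report:   [%s]\n' "$(group_hits p+i+n+u+g+s+b+m+c+crc32+md5 "$ch")"

    # Case 2: the file replaced wholesale (copy, then rename over it), which
    # gives it a new inode. SEC_CONFIG does catch this.
    cp -- "$d/passwd" "$d/passwd.new"
    mv -- "$d/passwd.new" "$d/passwd"
    after2=$(snapshot_attrs "$d/passwd")
    ch2=$(changed_attrs "$after" "$after2")
    printf 'replacement changed: %s\n' "$ch2"
    printf '  SEC_CONFIG would report: [%s]\n' "$(group_hits p+i+n+u+g "$ch2")"
    rm -rf -- "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh attrs.sh demo`. The first case prints an empty list for SEC_CONFIG, which is exactly the blind spot to keep in mind when you assign that group to files an attacker would want to edit rather than replace.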

The rest of the configuration file is a list of regular expressions, each assigning one of these rules to every file whose path matches it. Files can be excluded by prefixing the regular expression with a ! character. A trailing $ must be used to stop a pattern matching more than the intended path: /etc$ matches only the /etc directory entry itself, while a bare /etc matches the /etc directory and everything within it.

Using AIDE

Once your configuration file is complete and lists the files you want to track, generate the AIDE database by running aide --init. This writes the initial accounting information for each matching file to the path given by database_out in the configuration; copy or move it to the database path that aide --check reads. The truly paranoid should burn this database to a CD or other read-only media so an attacker cannot modify it, and change the configuration to point at that location. The same reasoning applies to the configuration file and the aide binary themselves: an intruder who can rewrite the database can just as easily edit aide.conf to exclude his files or replace the aide executable, so at minimum compare all three against a copy held off the machine. Alternatively, SELinux policy can restrict access to the database. As with any security measure, you must balance your need for security against usability. A perfectly secured offline AIDE database that requires you to perform manual checks may eventually be neglected, and so prove less useful than a potentially compromisable online database that checks the system automatically every day. It depends on your specific security requirements.

Now that the database exists, you can check for violations of the AIDE policy by running aide --check. This writes an AIDE report to the location specified in the configuration file (report_url), listing every difference between the accounting information in the database and the current state of the monitored files; recent versions also return a non-zero exit status when differences are found, which is handy in scripts. The check can be run as often as your needs dictate, and if automated by a cron job it is a simple matter to have the report e-mailed to a recipient of your choice for review.

As changes accumulate in the report, you should periodically refresh the database using aide --update. This runs a check and writes a database reflecting the current state of the system to database_out, and should be done whenever the report becomes cluttered with old changes that are no longer a concern. Review that last report before moving the new database into place (and before re-recording it on your read-only media): any change you accept into the database, explained or not, will never be reported again.
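Putting the configuration section and the init, check and update steps together, here is an added example script (not from the article, EnGarde or the AIDE project) that writes a complete aide.conf using the EnGarde rule groups, protects the database with a checksum kept on separate media, and wraps the daily check for cron. Every path, the read-only mount /mnt/aide-ro, the use of the mail command and the assumption that AIDE applies the first matching selection line are my own; adjust them to your distribution and verify the matching rule against aide.conf(5) for your version.

```shell
#!/bin/sh
# Added example, not code from the article, EnGarde or the AIDE project.
# Writes an aide.conf built on the EnGarde rule groups, then wraps
# --init / --check / --update so the database is only trusted while it
# still matches a checksum kept on separate media. All paths and the mail
# address are assumptions; aide.conf lives in /etc/aide/ on Debian and in
# /etc on Red Hat-style systems.
set -eu

AIDE_CONF=/etc/aide/aide.conf
AIDE_DB=/var/lib/aide/aide.db           # "database" in aide.conf
AIDE_DB_NEW=/var/lib/aide/aide.db.new   # "database_out" in aide.conf
REPORT=/var/log/aide/aide.report        # "report_url" in aide.conf
REF_SUM=/mnt/aide-ro/aide.db.sha256     # assumed read-only media
MAILTO=root

# Write a working aide.conf to the path in $1.
write_aide_conf() {
    cat > "$1" <<'EOF'
# Database aide --check reads, database aide --init/--update writes,
# and where the report goes.
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
report_url=file:/var/log/aide/aide.report

# Attribute groups (EnGarde's definitions).
SEC_BIN = p+i+n+u+g+s+b+m+crc32+md5     # Read only
SEC_CONFIG = p+i+n+u+g                  # Changing file
SEC_CRIT = p+i+n+u+g+s+b+m+c+crc32+md5
SEC_INVARIANT = p+u+g
SEC_LOG = p+i+n+u+g+S                   # Can grow but not shrink
SEC_DEV = p+u+g+s
SEC_RUN = p+u+g

# Selection lines: a regular expression, then the rule group. Specific
# entries come before the general /etc line on the assumption that AIDE
# applies the first matching line (confirm in aide.conf(5)). /etc$ alone
# would cover only the directory entry, so the unanchored /etc is used to
# cover the whole tree beneath it.
/etc/passwd$    SEC_CRIT
/etc/shadow$    SEC_CRIT
/etc            SEC_CONFIG
/bin            SEC_BIN
/sbin           SEC_BIN
/usr/bin        SEC_BIN
/usr/sbin       SEC_BIN
/lib            SEC_BIN
/var/log        SEC_LOG
/dev            SEC_DEV
/var/run        SEC_RUN
# Excluded with a leading ! because they are rewritten constantly; tune
# this list to whatever your own reports show as noise.
!/var/log/lastlog$
!/etc/mtab$
EOF
}

# Move a freshly written database into place and record its SHA-256 on
# the read-only media. Done after --init and after a reviewed --update.
accept_database() {
    mv -- "$AIDE_DB_NEW" "$AIDE_DB"
    sha256sum -- "$AIDE_DB" > "$REF_SUM"
}

# Succeed only if the database in $1 still has the SHA-256 recorded in $2.
# A mismatch means it was replaced or edited on the host (or the reference
# is stale), so a check run against it would prove nothing.
verify_database() {
    expected=$(cut -d' ' -f1 -- "$2")
    actual=$(sha256sum -- "$1" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Cron job body: refuse an untrusted database, run the check, mail the
# report. aide --check exits non-zero when it finds differences, so the
# status goes into the subject line instead of aborting the script.
run_check() {
    if ! verify_database "$AIDE_DB" "$REF_SUM"; then
        printf 'AIDE database %s does not match %s; check aborted\n' "$AIDE_DB" "$REF_SUM" |
            mail -s "AIDE: database integrity failure on $(hostname)" "$MAILTO"
        return 1
    fi
    rc=0
    aide --config="$AIDE_CONF" --check || rc=$?
    mail -s "AIDE report for $(hostname) (aide exit status $rc)" "$MAILTO" < "$REPORT"
}

case "${1:-}" in
    conf)   write_aide_conf "$AIDE_CONF" ;;
    init)   aide --config="$AIDE_CONF" --init && accept_database ;;
    check)  run_check ;;
    update) aide --config="$AIDE_CONF" --update || true ;;  # writes $AIDE_DB_NEW; review, then: accept
    accept) accept_database ;;
esac
```

Run it once with conf to write the configuration and then with init; put `check` in a daily cron entry; when the report grows stale run update, read the resulting report, and only then run accept so the reference checksum moves with the database. Mounting the reference media read-only is what gives verify_database its value; if the checksum file lives on the same writable disk as the database, an intruder simply rewrites both.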

AIDE can be a very useful addition to your security toolbox. Keeping an eye on your machine's file integrity warns you of possible outside intrusion and also gives you a record of when internal changes were made to the system. AIDE and other host-based intrusion detection tools are a valuable last line of defense behind your firewall and network IDS, notifying you of possible trouble.
--
Pax Dickinson has over ten years of experience in systems administration and software development on a wide variety of hardware and software platforms. He is currently employed by Guardian Digital as a systems programmer where he develops and implements security solutions using EnGarde Secure Linux. His experience includes UNIX and Windows systems engineering and support at Prudential Insurance, Guardian Life Insurance, Philips Electronics and a wide variety of small business consulting roles.
