AIDE (Advanced Intrusion Detection Environment) configuration

As the headline says, AIDE (Advanced Intrusion Detection Environment) is a system for file and directory integrity checking, intended to give us a way to ensure that integrity over time. At its core, AIDE is an intrusion detection system that detects changes to files on the local system. It creates a database from the regular-expression rules it finds in the configuration file. Once this database has been initialized, it can be used to verify the integrity of the files. Several message-digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) are available for checking file integrity.
On RHEL, run

# yum install aide

to install the aide package. It comes with two configuration files

# rpm -qc aide
/etc/aide.conf
/etc/logrotate.d/aide

The interesting one for us is /etc/aide.conf, where we define which files we want AIDE to monitor. Once we are happy with it, we initialize the AIDE database

# aide --init

The --init option can take a while to finish, depending on the number of directories and files we told AIDE to check. Once it finishes, it creates the database file in /var/lib/aide/

# aide --init
AIDE, version 0.14
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

aide --check looks for /var/lib/aide/aide.db.gz, so it is necessary to rename the newly created file

# cd /var/lib/aide
# mv aide.db.new.gz aide.db.gz

aide.db.gz is the golden sample, the known-good state of the system. It is recommended to run aide --init right after system installation and to keep the aide.db.gz created at that time in a safe location, ideally not on the machine it was created for, and if possible somewhere locked down.
Why? Well, if your system gets compromised, a clever intruder will alter aide.db.gz as well, and you will be told that all is fine when it is not.
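The procedure above (initialize, rename the new database, keep a copy off the machine) can be scripted so that the local aide.db.gz is compared against a checksum stored off-box before every check, which turns "the intruder altered the database" into a detectable event. This is an added example, not code from the original post or from the AIDE project; it assumes a RHEL layout with the database under /var/lib/aide, and OFFLINE_DIR is an assumed mount point for a removable or remote copy of the baseline.

```shell
#!/bin/sh
# Added example: keep an off-box copy of the AIDE baseline together with its
# SHA-256, and verify the local database against that record before running
# aide --check. Paths follow the post; OFFLINE_DIR is an assumption.

DBDIR=/var/lib/aide
DB=$DBDIR/aide.db.gz
DB_NEW=$DBDIR/aide.db.new.gz
OFFLINE_DIR=${OFFLINE_DIR:-/mnt/aide-offline}   # assumed read-only media or remote mount

# Print the hex SHA-256 of a file (GNU coreutils, with a shasum fallback).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Store the checksum of the database file $1 in the record file $2.
record_baseline() {
    file_sha256 "$1" > "$2"
}

# Return 0 if database $1 still matches the checksum recorded in $2, else 1.
verify_baseline() {
    db=$1; recorded=$2
    [ -r "$db" ] && [ -r "$recorded" ] || return 1
    expected=$(cat "$recorded")
    actual=$(file_sha256 "$db")
    [ "$expected" = "$actual" ]
}

# Build a fresh database, rename it to the name aide --check expects, and
# park a copy plus its checksum off-box (the post's "golden sample").
aide_init_baseline() {
    aide --init
    mv "$DB_NEW" "$DB"
    cp "$DB" "$OFFLINE_DIR/aide.db.gz"
    record_baseline "$DB" "$OFFLINE_DIR/aide.db.gz.sha256"
}

# Refuse to trust a local database whose checksum no longer matches the
# off-box record: report it and restore the offline copy before checking.
aide_check_verified() {
    if ! verify_baseline "$DB" "$OFFLINE_DIR/aide.db.gz.sha256"; then
        echo "aide.db.gz does not match the off-box checksum; restoring from $OFFLINE_DIR" >&2
        cp "$OFFLINE_DIR/aide.db.gz" "$DB"
    fi
    aide --check
}

# Usage: ./aide-baseline.sh init   (once, after installation)
#        ./aide-baseline.sh check  (from cron, or by hand)
case "${1:-}" in
    init)  aide_init_baseline ;;
    check) aide_check_verified ;;
esac
```

The restore step only helps if the offline copy really is out of the intruder's reach (read-only media, or a remote host they cannot write to); the mismatch message itself is the signal worth alerting on, since a legitimately unchanged database never fails this comparison.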

I find AIDE practical on systems where it is important that particular files stay unchanged over time, and where you want to know if they are changed. For the purpose of this discussion I prepared a short demonstration. In my /home I created the file test.txt and ran aide --init afterwards

# touch test.txt
# aide --init

Later on I edited test.txt (please note, it can be any file), or someone else edited or altered it.

# echo 200 > test.txt

If we now run a check against the AIDE database, we will be warned about the change

# aide --check 
AIDE found differences between database and filesystem!!
Start timestamp: 2012-12-31 20:32:52

Summary:
  Total number of files:	1566
  Added files:			0
  Removed files:		0
  Changed files:		1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /home/test.txt

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /home/test.txt
  Size : 0                                   , 4
  Mtime: 2012-12-31 20:28:46                 , 2012-12-31 20:32:50
  Ctime: 2012-12-31 20:28:46                 , 2012-12-31 20:32:50
  MD5  : 1B2M2Y8AsgTpgAmY7PhCfg==            , wbpYsF9iRfIhrWU5H6ZpCw==
  RMD160: nBGFpcXp/FRhKAiXfuj1SLIljTE=        , fV7JOfIkw2Al48/9N4hcenN1KIE=
  SHA256: 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NM    , wR4/SDfv3iRB4jp7naAhMfU79Z/d63FH

So now we know that test.txt was changed, and we see its checksums at the time it was created and after the change. Obviously for configuration files this does not make much sense, but it makes a lot of sense for files in /bin, /sbin and other static files on the system that do not change over time.
AIDE is an interesting approach: it will warn you about a change, so you will not end up in a situation where files have changed without your knowledge. It is very important to keep aide.db.gz in a secure location once it is created; a clever intruder who detects that AIDE is in play will probably alter it to hide their tracks.
In this post we covered how to install AIDE on RHEL; everything is the same on Debian, the only minor change needed is s/yum/aptitude/g
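When aide --check runs from cron, nobody reads the report unless something turns it into an alert. The following added example (not code from the original post or from the AIDE project) parses the Summary section of a report in the format shown above and fails when any file was added, removed or changed; the sample report is constructed from the output in this post.

```shell
#!/bin/sh
# Added example: turn an aide --check report into a pass/fail result for cron.
# Only the "Added/Removed/Changed files: N" lines of the Summary are counted;
# the later "Changed files:" section header carries no number and is ignored.

# Read a report on stdin and print the sum of added + removed + changed files.
count_reported_changes() {
    awk '/^[[:space:]]*(Added|Removed|Changed) files:[[:space:]]*[0-9]+$/ { n += $NF }
         END { print n + 0 }'
}

# Return 0 when report file $1 shows no differences, 1 otherwise.
report_is_clean() {
    [ "$(count_reported_changes < "$1")" -eq 0 ]
}

# Constructed sample report, copied from the shape of the output in the post.
sample_report() {
    printf 'AIDE found differences between database and filesystem!!\n'
    printf 'Start timestamp: 2012-12-31 20:32:52\n\n'
    printf 'Summary:\n'
    printf '  Total number of files:\t1566\n'
    printf '  Added files:\t\t\t0\n'
    printf '  Removed files:\t\t0\n'
    printf '  Changed files:\t\t1\n'
    printf -- '---------------------------------------------------\n'
    printf 'Changed files:\n'
    printf -- '---------------------------------------------------\n'
    printf 'changed: /home/test.txt\n'
}

# Cron entry point: run the check, keep the report, exit non-zero on changes
# so the scheduler's failure notification fires. Report path is an assumption.
cron_check() {
    report=${1:-/var/log/aide/last-check.txt}
    aide --check > "$report" 2>&1
    if report_is_clean "$report"; then
        return 0
    fi
    echo "AIDE reported $(count_reported_changes < "$report") differences, see $report" >&2
    return 1
}

# Usage: ./aide-cron-check.sh run   (anything else only defines the functions)
case "${1:-}" in
    run) cron_check ;;
esac
```

Counting from the Summary rather than grepping for the banner line means an empty or truncated report (for example, when aide itself failed to run) is not mistaken for a clean result only because no differences were printed; pair it with a check on aide's own exit status if your version sets one.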

#rhel-aide, #security