Tuesday, October 13, 2009

Linux Security Notes 11: AIDE File Integrity

     Advanced Intrusion Detection Environment (AIDE) is a tool to check file integrity. It is an open-source substitute for Tripwire. It takes a snapshot of the stats of all the major configuration files, binaries and libraries, and helps to find which binaries have been changed in case the system is compromised. It can be downloaded from http://sourceforge.net

Download both the binaries and the signature file.
Import and verify the GPG keys.

Compiling and installing AIDE
     Read the INSTALL doc in the AIDE source code to get the package requirements. The mhash utility is needed prior to installing AIDE, since AIDE uses it at run time. Download it from sourceforge.net

Extract the AIDE and mhash packages.

Installing mhash
# tar -zxvf mhash-0.9.2.tar.gz
# cd mhash-0.9.2
# ./configure
# make
# make install

    This will place the binaries and libraries into /usr/local.

Installing AIDE
# tar -zxvf aide-0.10.tar.gz
# cd aide-0.10
# ./configure
# make    (this will create the aide binary)
# make install

    This will copy the binaries to /usr/local/bin.
    Making a note of the md5sum of the installed binary is a good idea, so that a binary swapped in by an attacker (a man-in-the-middle on the tool itself) can be traced.

Configuring and monitoring files with AIDE

Step 1.
Generate the aide DB (create the snapshot of file stats)

Edit the aide.conf configuration file from the aide-0.10/doc/ directory to define the rules for which directories have to be monitored.
# There are 3 types of line:
#    1. variables
#    2. macros
#    3. types of file, which includes the directories, to monitor.
database=file:/home/kiran/aide/aide.db (this defines where the aide database is stored)
# Now define the aide rules here
# This will monitor all the subdirectories beneath /etc/
/etc R
# check the definition of R in the aide.conf file.
#=/etc/ R (only the /etc directory itself will be monitored)


Now create the aide DB.
# aide  -c  aide.conf  --init
    This will create a new database called aide.db.new. The command scans all the files in the /etc/ directory and stores their details as the database aide.db.new.
    AIDE gathers the same details as the stat command (permissions, inode, access time, modification time, etc.) and stores them in the aide.db file.

Comparing the files with the AIDE DB
# aide -c aide.conf  --check
    This will show the status of the current /etc/ subdirectory by comparing it with aide.db, the snapshot taken by the previous command.

Now test the AIDE functionality.

# edit any file in the /etc/ subdirectory
Now check again with the command
# aide -c aide.conf  --check

   This will show how the file has changed from its previous state.

    The aide --check has to be run frequently, and if any changes are found, verify them and then update the aide DB.
Updating the aide DB after checking it
# aide -c aide.conf --update
    This will reset the database to the current status of the /etc/ subdirectories.

Including more directories to monitor.
# edit aide.conf
/boot  R
/bin   R
/etc   R
/lib   R
/usr   R
/install   R
/sbin$   R # aide will not recurse into the subdirectories

Other configuration options
/ R
!/var  #
This will monitor all the directories inside "/" and will exclude the /var directory.
# aide -c aide.conf  --init
    This will generate a new DB for all the directories defined in aide.conf.
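As an added illustration (not AIDE's own code, which is written in C), here is a small Python re-implementation of the --init / --check / --update cycle described above together with the three rule shapes used in these configs: "/etc R" (recursive), "/sbin$ R" (that directory only) and "!/var" (exclude). It assumes a `root` argument standing in for "/" so it can run against a constructed temporary tree; `demo()` builds that tree, takes a baseline, tampers with one file and reports the difference, and `check()` plays the role of `aide --check`.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def parse_rules(conf_text):
    watch, exclude = [], []
    for line in (l.split("#", 1)[0].strip() for l in conf_text.splitlines()):
        if line.startswith("!"):  # "!/var": excluded subtree
            exclude.append(line[1:].strip().rstrip("/"))
        elif line and "=" not in line:  # skip blank lines and variables such as database=
            path = line.split()[0]  # "/etc R" recurses; "/sbin$ R" means that directory only
            watch.append((path.rstrip("$"), not path.endswith("$")))
    return watch, exclude

def fingerprint(path):
    # What an R rule records: mode, owner, size, inode, mtime, plus a content hash
    st = os.lstat(path)
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest() if stat.S_ISREG(st.st_mode) else ""
    return (st.st_mode, st.st_uid, st.st_gid, st.st_size, st.st_ino, int(st.st_mtime), digest)

def snapshot(root, conf_text):
    # `aide --init` and `--update`; `root` stands in for "/" so this runs anywhere
    watch, exclude = parse_rules(conf_text)
    db = {}
    for top, recurse in watch:
        for dirpath, dirnames, filenames in os.walk(os.path.join(root, top.lstrip("/"))):
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            logical = "/" if rel == "." else "/" + rel
            if any(logical == e or logical.startswith(e + "/") for e in exclude):
                dirnames[:] = []  # record nothing at or below an excluded path
                continue
            if not recurse: dirnames[:] = []  # do not descend into subdirectories
            for name in filenames:
                db[logical.rstrip("/") + "/" + name] = fingerprint(os.path.join(dirpath, name))
    return db

def check(db, root, conf_text):
    now = snapshot(root, conf_text)  # compare a fresh snapshot with the stored baseline
    return {"added": sorted(set(now) - set(db)), "removed": sorted(set(db) - set(now)),
            "changed": sorted(p for p in db if p in now and now[p] != db[p])}

def demo():
    # Constructed tree standing in for "/", then the --init -> tamper -> --check cycle
    root = tempfile.mkdtemp()
    for rel in ("etc/passwd", "etc/ssh/sshd_config", "etc/skip/me", "sbin/init", "sbin/sub/tool"):
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(b"original " + rel.encode())
    conf = "database=file:/aide/aide.db\n/etc R\n/sbin$ R\n!/etc/skip  # like !/var above\n"
    db = snapshot(root, conf)
    Path(root, "etc/passwd").write_bytes(b"eve:x:0:0\n")  # simulated tampering
    return sorted(db), check(db, root, conf)
```

Running `demo()` returns the three baseline paths (the excluded /etc/skip and the non-recursed /sbin/sub are absent) and a report listing only /etc/passwd as changed.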
    This will help us to trace out which files have been affected in case of any compromise of the system, by comparison with the DB taken beforehand. Once the aide DB is created, it is better to burn the aide binary, the config files and the aide DB onto a read-only medium. This will increase the integrity of the aide DB.
#mkisofs -V Aide_DB`date +%F` -J -R -o aide.iso /Aide/directory
#cdrecord -v -eject aide.iso

 Later, in case of any suspected exploit, these binaries, the aide DB and the config file can be loaded for an AIDE audit.
