AIDE
Advanced Intrusion Detection Environment (AIDE) is a tool to check file integrity. It is an open-source substitute for Tripwire. It takes a snapshot of the stats of all the major configuration files, binaries and libraries, and helps to find which binaries have been changed in case the system is compromised. It can be downloaded from http://sourceforge.net
Download both the binaries and signature file.
Import and Verify the GPG keys.
Compiling and installing AIDE
Read the INSTALL document in the AIDE source code for the package requirements. The mhash library is needed before AIDE can be installed and for running it; download it from sourceforge.net as well.
Extract the AIDE and mhash packages.
Installing mhash
# tar -zxvf mhash-0.9.2.tar.gz
# cd mhash-0.9.2
# ./configure
# make
# make install
This will place the binaries and libraries into /usr/local.
Installing AIDE
# tar -zxvf aide-0.10.tar.gz
# cd aide-0.10
# ./configure
# make
This will create the aide binary.
# make install
This will copy the binaries to /usr/local/bin.
note:-
Recording the md5sum of the installed binary is a good idea, so that later tampering with the binary (for instance by a man-in-the-middle attack) can be traced.
Configuring and monitoring files with AIDE
Step 1.
Generate the aide DB (create the snapshot of file stats)
Edit the aide.conf configuration file from the aide-0.10/doc/ directory to define the rules for which directories have to be monitored.
------
# There are 3 types of line:
# 1. variables
# 2. macros
# 3. types of file, including directories, to monitor
# The database line defines where the aide database is stored
database=file:/home/kiran/aide/aide.db
# Now define the aide rules here
# This will monitor all the subdirectories beneath /etc/
/etc R
# check the definition of R in the aide.conf file
#=/etc/ R (only the /etc directory itself would be monitored)
------
Now create the aide DB.
# aide -c aide.conf --init
This will create a new database called aide.db.new: the command scans all the files in the /etc/ directory and stores their stats in aide.db.new. Copy aide.db.new to the path given by the database line (aide.db) before running a check.
Note:-
AIDE uses stat to get the details of each file, including permissions, inode, access time, modification time etc., and stores them in the aide.db file.
Comparing the system against the AIDE DB
# aide -c aide.conf --check
This shows the current status of the /etc/ subtree by comparing it with aide.db, the snapshot taken by the previous command.
Now test the AIDE functionality.
# edit any file in the /etc/ subtree
Now check again with the command
# aide -c aide.conf --check
This will show how the file has changed from its previous state.
Note:-
aide --check has to be run frequently. If any changes are found, verify them and then update the aide DB.
Updating the aide DB after a check
# aide -c aide.conf --update
This resets the database to the current status of the /etc/ subtree.
Including more directories to monitor.
# edit aide.conf
-------------
/boot R
/bin R
/etc R
/lib R
/usr R
/install R
/sbin$ R # aide will not recurse into the subdirectories
-------------
Other configuration options
-------
/ R
!/var # monitor all directories inside / but exclude the /var directory
-------
# aide -c aide.conf --init
This will generate a new DB for all the directories defined in the aide.conf.
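The init/check/update cycle and the rule forms used above (R, a trailing $, and !) in a small self-contained model, added here as an illustration and not AIDE's own code. It records a subset of the stat fields plus an md5 per file, walks a constructed temporary tree, and reports what a later check would flag; the paths, rule text and file contents are all constructed for the demo.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

# Constructed rules in the page's syntax: R recurses, a trailing $ pins a rule to one directory, ! excludes.
RULES = "database=file:/home/kiran/aide/aide.db\n/etc R\n/sbin$ R\n!/etc/skip\n"

def file_record(path):  # stat fields the R rule covers (mode, inode, uid, gid, size, mtime) plus an md5
    st = os.lstat(path)
    md5 = hashlib.md5(Path(path).read_bytes()).hexdigest() if stat.S_ISREG(st.st_mode) else None
    return (oct(st.st_mode), st.st_ino, st.st_uid, st.st_gid, st.st_size, int(st.st_mtime), md5)

def parse_rules(conf_text):  # -> ([(path, recursive)], [excluded paths]); x=y variable lines are skipped
    include, exclude = [], []
    for line in (l.split("#", 1)[0].strip() for l in conf_text.splitlines()):
        if not line or "=" in line.split()[0]: continue
        if line.startswith("!"):
            exclude.append(line[1:].strip())
        else:
            target = line.split()[0]
            include.append((target.rstrip("$"), not target.endswith("$")))
    return include, exclude

def snapshot(root, conf_text):  # 'aide --init' / '--update': file path (relative to root) -> record
    include, exclude = parse_rules(conf_text)
    db = {}
    for target, recursive in include:
        for dirpath, dirnames, filenames in os.walk(root + target):
            rel = dirpath[len(root):] or "/"
            if any(rel == ex or rel.startswith(ex + "/") for ex in exclude):
                dirnames[:] = []  # prune an excluded subtree
                continue
            for name in filenames:
                db[rel.rstrip("/") + "/" + name] = file_record(os.path.join(dirpath, name))
            if not recursive: dirnames[:] = []  # '$' rule: do not descend into subdirectories
    return db

def check(old, new):  # 'aide --check': what differs between the stored DB and a fresh snapshot
    return {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new)),
            "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p])}

def demo():  # constructed tree in a temp dir: take a baseline, then edit, add and remove files, then re-check
    root = Path(tempfile.mkdtemp())
    for p in ["etc/passwd", "etc/sub/conf", "etc/skip/x", "sbin/a", "sbin/deeper/b"]:
        (root / p).parent.mkdir(parents=True, exist_ok=True)
        (root / p).write_text("original " + p)
    baseline = snapshot(str(root), RULES)
    (root / "etc/passwd").write_text("original etc/passwd\ntest:x:1000:1000")  # edited
    (root / "etc/new").write_text("x")                                         # added
    (root / "sbin/a").unlink()                                                 # removed
    return sorted(baseline), check(baseline, snapshot(str(root), RULES))
```

Note that /etc/skip/x and /sbin/deeper/b never enter the baseline, so a change there would go unnoticed exactly as it would with the real rules.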
Note:-
This helps to trace which files have been affected if the system is compromised, by comparison with the DB taken earlier. Once the aide DB has been created, it is better to burn the aide binary, the config file and the aide DB onto a read-only medium; this increases the integrity of the aide DB.
#mkisofs -V Aide_DB`date +%F` -J -R -o aide.iso /Aide/directory
#cdrecord -v -eject aide.iso
Later, if an exploit is suspected, this binary, aide DB and config file can be loaded for an AIDE audit.