AIDE - Advanced Intrusion Detection Environment
-------------------------------------------------

Version 0.16

This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.

This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.


Introduction
------------

AIDE is a tool for monitoring file system changes. It can be used
to detect unauthorized changes to monitored files and directories.
AIDE was written to be a simple and free alternative to Tripwire.
Features currently included in AIDE are as follows:

  o File attributes monitored: permissions, inode, user, group,
    file size, mtime, atime, ctime, links and growing size.
  o Checksums and hashes supported: SHA1, MD5, RMD160, and TIGER.
    CRC32, HAVAL and GOST if Mhash support is compiled in.
  o Plain text configuration files and database for simplicity.
  o Rules, variables and macros that can be customized to local
    site or system policies.
  o Powerful regular expression support to selectively include or
    exclude files and directories to be monitored.
  o gzip database compression if zlib support is compiled in.
  o Stand alone static binary for easy client/server monitoring
    configurations.
  o Free software licensed under the GNU General Public License.


Current Version
---------------

AIDE is currently maintained on SourceForge. Details of the
latest version of AIDE can be found on the project page at
http://sourceforge.net/projects/aide/.

Documentation
-------------

The documentation for AIDE can be found in the doc/ directory. The
most up-to-date documentation can be found on the SourceForge project
web site.

Installation
------------
For generic instructions please see the INSTALL file.

For AIX 5.3 it has been reported there is a problem with using mhash
which causes an "Undefined symbol: .rpl_malloc" error. This is a problem
in mhash_config.h which can be fixed by removing the line that reads

  #define malloc rpl_malloc

For Mac OS X Darwin/Leopard (10.4/10.5) and Solaris 10/OpenSolaris you need
to use --disable-static when configuring AIDE. Please note that dynamic
linking introduces a security risk and is not recommended.

Since Mac OS Leopard (10.5) you also need to use --disable-lfs because it
handles 64 bit file support out of the box.

Source Code Verification
------------------------

We highly recommend checking that the version of AIDE downloaded and
installed is an original and unmodified one. You can either verify the
source tarball or the git tag.

To check the supplied signature with GnuPG:

  $ gpg --verify aide-<VERSION_NUMBER>.tar.gz.asc

This checks that the detached signature file is indeed a signature
of aide-<VERSION_NUMBER>.tar.gz.

To validate the gpg signature of the git tag:

  $ git verify-tag v<VERSION_NUMBER>

The current public key needed for signature verification is:

  pub   4096R/68E7B931 2011-06-28 [expires: 2021-06-27]
  uid                  Hannes von Haugwitz <hannes@vonhaugwitz.com>

If you do not have this key, you can get it from one of the well known PGP
key servers. You have to make sure that the key you install is not a faked
one. You can do this with reasonable assurance by comparing the output of:

  $ gpg --fingerprint 0x68E7B931

with the fingerprint published elsewhere.
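
The fingerprint comparison described above can be scripted. The following is
an added example, not part of the AIDE README or project code: it reads the
status lines of gpg --status-fd and accepts a verification only when the
signature is good and the key's full fingerprint equals one pinned out of
band. The function names and both fingerprints are constructed placeholders
that merely share the short ID 68E7B931.

```shell
#!/bin/sh
# Added example, not AIDE project code. Status lines come from:
#   gpg --status-fd 1 --verify aide-<VERSION_NUMBER>.tar.gz.asc \
#       aide-<VERSION_NUMBER>.tar.gz 2>/dev/null

# Constructed placeholder fingerprints (NOT the real AIDE signing key).
# Both end in the short ID 68E7B931, yet they identify different keys.
PINNED="AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA 68E7 B931"
OTHER="BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB 68E7 B931"

# normalize_fpr FPR: drop the spacing gpg --fingerprint prints, upper-case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# sig_ok PINNED_FPR: status lines on stdin; exit 0 only if the signature is
# good, nothing marks key or signature as expired/revoked/bad, and the
# primary key fingerprint equals the pinned 40-hex-digit fingerprint.
sig_ok() {
    awk -v pinned="$(normalize_fpr "$1")" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint; field 12, when
        # present, is the primary key fingerprint.
        $2 == "VALIDSIG" { fpr = toupper(NF >= 12 ? $12 : $3) }
        END { exit !(good && !bad && length(pinned) == 40 && fpr == pinned) }
    '
}

# status_sample KEYWORD FPR: constructed status output for one signature.
status_sample() {
    fpr=$(normalize_fpr "$2")
    printf '[GNUPG:] %s %s Example Signer <signer@example.org>\n' \
        "$1" "$(printf '%s' "$fpr" | cut -c25-40)"
    printf '[GNUPG:] VALIDSIG %s 2016-07-25 1469404800 0 4 0 1 8 00 %s\n' \
        "$fpr" "$fpr"
}

# Demonstration on the constructed samples.
status_sample GOODSIG "$PINNED" | sig_ok "$PINNED" && echo "pinned key: accept"
status_sample GOODSIG "$OTHER"  | sig_ok "$PINNED" || echo "same short ID, other key: reject"
status_sample EXPKEYSIG "$PINNED" | sig_ok "$PINNED" || echo "expired key: reject"
```

Pin the full 40-digit fingerprint, not the 8-digit short ID, since different
keys can share a short ID. A signature made by an expired key is reported by
gpg as EXPKEYSIG, which this check rejects.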

Requirements
------------

AIDE requires the following development tools:

  o C compiler (such as GCC).
  o GNU flex.
  o GNU yacc (bison).
  o GNU make.
  o PCRE library.
  o Mhash (optional, but highly recommended). Mhash is currently
    available from http://mhash.sourceforge.net/. A static version of
    libmhash needs to be built using the --enable-static=yes
    configure option.
    AIDE requires at least mhash version 0.9.2.

Note:
flex version 2.5.31 is broken; you might see the following error:

  conf_lex.c: In function `conflex':
  conf_lex.c:4728: error: `yy_prev_more_offset' undeclared (first use in
  this function)
  conf_lex.c:4728: error: (Each undeclared identifier is reported only once
  conf_lex.c:4728: error: for each function it appears in.)

Either downgrade to flex 2.5.4 or get an updated version that fixes
this bug. See also:

  http://sourceforge.net/tracker/index.php?func=detail&aid=866477&group_id=72099&atid=533377
  http://sourceforge.net/mailarchive/message.php?msg_id=5415848
  http://sourceforge.net/mailarchive/message.php?msg_id=5561246

Large File Support
------------------

To be able to store the size of files larger than 2GB, aide needs
large file support (LFS) to be available in the OS. The configure
script automatically checks for the correct defines and functions.
If configure fails, and during compile time you see errors containing
the number 64, try configure again with the --disable-lfs option.
This turns off the large file support.

Cross Compilation
-----------------
When cross compiling, manually verify the data type defines in config.h
as they cannot be accurately determined by configure. Most notably,
AIDE_INO_TYPE will be set to "cross".

Feedback and Support
--------------------

End user support is available on the AIDE mailing list. To subscribe,
send a message to majordomo@cs.tut.fi with an empty Subject: line and
the following text as the BODY of the message:

  subscribe aide

An archive of the mailing list is available online:

  http://www.mail-archive.com/aide@cs.tut.fi/

To report bugs, contribute patches and contact the current team of
developers, visit the SourceForge project web site for additional info:

  http://sourceforge.net/projects/aide/


Credits
-------

Please see the AUTHORS file.