<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>AIDE Manual version 0.16</title>
</head>
<body>

The AIDE manual

This manual is by no means complete, usable, readable, comprehensible, or error free.

If you have any corrections, additions or constructive comments, please report them as bugs, patches or feature requests here.

This document was originally written by Rami Lehti <rammer@cs.tut.fi> with additions made by Marc Haber <mh+aide-manual@zugschlus.de>, Richard van den Berg <richard@vdberg.org> and Hannes von Haugwitz.

About this document

Table of Contents

What is AIDE?
Compiling AIDE
Configuration
Usage
Database and config signing
Miscellaneous
General guidelines for security

What is AIDE?

AIDE (Advanced Intrusion Detection Environment) is an intrusion detection program; more specifically, a file integrity checker.

AIDE constructs a database of the files specified in aide.conf, AIDE's configuration file. The AIDE database stores various file attributes, including: file type, permissions, inode number, user, group, file size, mtime and ctime, atime, growing size, number of links and link name. AIDE also creates a cryptographic checksum or hash of each file using one or a combination of the following message digest algorithms: sha1, sha256, sha512, md5, rmd160, tiger, haval, crc32 (gost and whirlpool can be compiled in if mhash support is available). Additionally, the attributes acl, xattr, selinux and e2fsattrs can be used when explicitly enabled at compile time.

Typically, a system administrator will create an AIDE database on a new system before it is brought onto the network. This first AIDE database is a snapshot of the system in its normal state and the yardstick by which all subsequent updates and changes will be measured. The database should contain information about key system binaries, libraries, header files, and all files that are expected to remain the same over time. The database probably should not contain information about files which change frequently, like log files, mail spools, proc filesystems, users' home directories, or temporary directories.

After a break-in, an administrator may begin by examining the system using system tools like ls, ps, netstat, and who --- the very tools most likely to be trojaned. Imagine that ls has been doctored not to show any file named "sniffedpackets.log" and that ps and netstat have been rewritten not to show any information for a process named "sniffdaemond". Even an administrator who had previously printed out on paper the dates and sizes of these key system files cannot be certain by comparison that they have not been modified in some way. File dates and sizes can be manipulated; some of the better rootkits make this trivial.

While it is possible to manipulate file dates and sizes, it is much more difficult to manipulate a single cryptographic checksum like md5, and exponentially more difficult to manipulate each of the entire array of checksums that AIDE supports. By rerunning AIDE after a break-in, a system administrator can quickly identify changes to key files and have a fairly high degree of confidence as to the accuracy of these findings.

Unfortunately, AIDE cannot provide absolute certainty about changes in files. Like any other system file, AIDE's binary and/or database can also be altered.

Compiling AIDE

I'm in a hurry. Bottom line about compilation.

After you have installed all the necessary software, run ./configure;make;make install in the main AIDE directory of the unpacked source tree. You should think carefully about the configuration and about what a possible attacker with root access can do.

Getting all that is needed

Before you can compile AIDE you must have certain things:

AIDE source code
ANSI C-compiler (GCC will do just fine)
GNU Flex
GNU Bison
GNU Make
PCRE library
Mhash library (highly recommended)
zlib (recommended)

Please check to see if there are mirrors available.

Once you have the source code of AIDE you should unpack it. If you have GNU tar then the command is tar zxvf aide-<VERSION_NUMBER>.tar.gz

Source Code Verification

It is highly recommended to verify the signature of your downloaded source code. You can either verify the source tarball or the git tag.

To check the supplied signature with GnuPG:

$ gpg --verify aide-<VERSION_NUMBER>.tar.gz.asc

To validate the gpg signature of the git tag:

$ git verify-tag v<VERSION_NUMBER>

The current public key is published on aide.sourceforge.net. If you do not have that key, you can get it from one of the well known PGP key servers.

You have to make sure that the key you install is not a faked one: a "good signature" from gpg only means the signature matches some key in your keyring, not that the key belongs to the AIDE maintainers. You can check this with reasonable assurance by comparing the output of

$ gpg --fingerprint 0x<KEYID>

with the fingerprint published elsewhere.

Compile-time configuration

Next you must use the configure script found in AIDE's source code package to configure the compilation process. There are several options you can select to configure. You can find out what options are available with the ./configure --help command. Most of the time you do not need to give any options; you can just use configure without any parameters.

If you want to change the directory where AIDE is installed you can use the --prefix option. For example: ./configure --prefix=/usr

Compilation and installation

The compilation is done by simply typing make. You can now type make install to install the binary and the manual pages. The binary, however, should be installed on read-only media or in some other tamperproof place. Also, the databases should be kept somewhere where a possible intruder cannot change them.

Configuration

Next you have to create a configuration file. You can find more documentation for this in the aide.conf(5) manual page.

There are three types of lines in aide.conf:

configuration lines - used to set configuration parameters and define/undefine variables
(restricted) selection lines - indicate which files will be added to the database
macro lines - define or undefine variables within the config file

Lines beginning with # are ignored as comments.

Here is an example configuration.

#AIDE conf

# Here are all the things we can check - these are the default rules
#
#p: permissions
#ftype: file type
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#R: p+ftype+i+l+n+u+g+s+m+c+md5
#L: p+ftype+i+l+n+u+g
#E: Empty group
#>: Growing file p+ftype+l+u+g+i+n+S
#The following are available if you have mhash support enabled:
#gost: gost checksum
#whirlpool: whirlpool checksum
#The following are available and added to the default groups R, L and >
#only when explicitly enabled using configure:
#acl: access control list
#selinux: SELinux security context
#xattrs: extended file attributes
#e2fsattrs: file attributes on a second extended file system

# You can also create custom rules - my home made rule definition goes like this
#
MyRule = p+i+n+u+g+s+b+m+c+md5+sha1

# Next decide what directories/files you want in the database

/etc p+i+u+g #check only permissions, inode, user and group for etc
/bin MyRule # apply the custom rule to the files in bin
/sbin MyRule # apply the same custom rule to the files in sbin
/var MyRule
!/var/log/.* # ignore the log dir it changes too often
!/var/spool/.* # ignore spool dirs as they change too often
!/var/adm/utmp$ # ignore the file /var/adm/utmp

Here we include files in /etc, /bin and /sbin. We also include /var but ignore /var/log, /var/spool and the single file /var/adm/utmp.

It is generally a good idea to ignore directories that change frequently, unless you want to read long reports. It is good practice to exclude tmp directories, mail spools, log directories, proc filesystems, users' home directories, web content directories, and anything else that changes regularly. It is also good practice to include all system binaries, libraries, include files, and system source files. It is also a good idea to include directories you don't often look in, like /dev /usr/man/.*usr/. Of course you'll want to include as many files as practical, but think about what you include.

One example: if you have a block device whose owner is changing frequently, you can configure aide to check just the attributes that do not normally change (inode, number of links, ctime).

Note that if you are referring to a single file you should add $ to the end of the regexp. This matches the name of the file exactly and does not include any other files that might have the same beginning. In the example, all filenames beginning with /var/adm/utmp would be ignored if there were no dollar sign at the end of the last line. An intruder could then create a directory called /var/adm/utmp_root_kit and place all the files he/she/they wanted there, and they would be ignored by AIDE.

Special group definitions

There are several special group definitions to tweak which attributes are printed in the report. First, report_force_attrs lists those attributes that are always printed for changed files. For example, if you say

report_force_attrs = u+g

and the size of a file changes, its user and group id will also be printed in the report. Secondly, report_ignore_added_attrs, report_ignore_removed_attrs and report_ignore_changed_attrs define which attributes to leave out of the report. For example, if you define

report_ignore_changed_attrs = b

and the size of a file changes, its block count will not be printed in the report, even if it did change as well.

If an attribute is both ignored and forced, the attribute is not considered when deciding whether the file changed, but it is printed in the final report if the file has otherwise changed.

Troubleshooting your config

Making a config file is a lot of hard work and must be done on a case by case basis. Don't give up simply because you don't get it right the first time around. This section gives you a few hints on how to debug your config.

You can use aide --verbose=255 to generate a lot of debug output to help you see which files get added and which are discarded. The following section gives some more information about AIDE's rule matching algorithm.

Understanding AIDE rule matching

Before reading this you should have a basic understanding of how regular expressions in general and Perl Compatible Regular Expressions in particular work. There are several good books about this. Several Perl books also have decent explanations of this subject.

As you already know, aide has three types of selection lines:

Regular selection lines, beginning with "/".
Equals selection lines, beginning with "=".
Negative selection lines, beginning with "!".

The string following the first character is taken as a regular expression matching a complete filename, including the path. In a regular selection rule, the slash is included in the regular expression. An implicit ^ is added in front of each rule. A group definition follows the regular expression.

When reading the configuration file, aide internally builds a tree that roughly resembles the directory tree to be checked. Each node corresponds to a directory, and each node has one rule list for the associated regular selection lines, one for the associated negative selection lines and one for the associated equals selection lines. If there is no associated rule, the respective list may be empty.

aide tries to place a rule as far down in the tree as possible while still ensuring that it is above all files that it matches. This is determined by the first "special" regexp character in the rule. For example, !/proc would be placed in the root node, !/proc/.* would be placed in the /proc node, !/var/log/syslog* is placed in the /var/log node and, finally, !/home/[a-z0-9]+/.bashrc$ is placed in the /home node.

The algorithm that aide uses for rule matching is described in the following paragraphs. The pseudocode is an adaptation from src/gen_list.c.

check_node_for_match(node,filename,first_time)
  if (first_time)
    check(equals list for this node)

  check(regular list for this node)

  if (node is not the root node)
    check_node_for_match(node's parent,filename,false)

  if (this file is about to be added)
    check(negative list for this node)

  return (info about whether this file should be added or not and how)

When aide needs to determine whether a file found in the file system is to be checked, it first determines the deepest possible node x to match the current file against (that algorithm is not part of the pseudocode above), and then calls check_node_for_match(x, filename, true). So, the recursion starts at the deepest possible match.

As can also be seen, equals selection lines are only checked in the first recursion step, thus providing some kind of speed optimization by reducing the number of necessary regular expression evaluations, which is a quite expensive operation.

Pitfalls

There are some side-effects from this algorithm that might seem strange at first. For example, if you have the following rules:

/ R
=/var/log/messages$ R+a
!/var/log/messages.*

This is what you might write if you want to check /var/log/messages but not /var/log/messages.0, /var/log/messages.1 etc. However, since the negative selection rules are checked last and .* can match an empty string, /var/log/messages is not added to the database. The following is a more correct way of doing it.

/ R
=/var/log/messages$ R+a
!/var/log/messages\.[0-9]$

Now only messages files ending in a number 0-9 are not included in the database. Note that an intruder could disguise a rootkit by creating a directory called messages.9 (if messages.9 does not already exist, that is).

Consider the following rules:

/ n+p+l+i+u+g+s+b+m+c+md5+sha1+rmd160+haval+gost+crc32+tiger
/etc$ n+p+l+i+u+g
/etc/resolv.conf$ n+p+l+u+g

This way, changing /etc/resolv.conf will also report /etc as having its mtime and ctime changed, even if /etc is configured not to be checked for mtime and ctime. The reason is that aide only uses a deepest-match algorithm to find the tree node to search, but a first-match algorithm inside the node. Since /etc is in the / directory, /etc will match the rule for the root directory and ignore the specialized /etc rule.

Rearranging the configuration like this:

/etc/resolv.conf$ n+p+l+u+g
/etc$ n+p+l+i+u+g
/ n+p+l+i+u+g+s+b+m+c+md5+sha1+rmd160+haval+gost+crc32+tiger

will solve the issue. It is generally a good idea to write the most general rules last.
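To see the rule tree and check_node_for_match() from the previous section at work on this manual's own pitfall examples (and on the $-anchoring note from the configuration section), here is an added Python model of the matching algorithm; it is example code written for this page, not AIDE's own src/gen_list.c. The parent-directory lookup that picks the starting node is an assumption of the model, since the manual leaves that step out of its pseudocode; the configs at the bottom are constructed from the examples above.

```python
import posixpath
import re


def _owner_dir(pattern):
    """Directory node a rule is placed in: the dirname of its literal prefix
    (the text before the manual's "first special regexp character")."""
    prefix = re.split(r"[.*+?\[\](){}|^$\\]", pattern, maxsplit=1)[0]
    d = prefix if prefix.endswith("/") else posixpath.dirname(prefix)
    return posixpath.normpath(d) if d else "/"


class RuleTree:
    """Per-directory lists of equals ('='), regular ('/') and negative ('!') rules."""

    def __init__(self):
        self.nodes = {"/": {"equ": [], "sel": [], "neg": []}}

    def _node(self, path):
        # Create the node and every missing ancestor (AIDE's intermediate nodes).
        if path not in self.nodes:
            self.nodes[path] = {"equ": [], "sel": [], "neg": []}
            self._node(posixpath.dirname(path))
        return self.nodes[path]

    def add_line(self, line):
        """Parse one selection line ('#' starts a comment) into the tree."""
        line = line.split("#", 1)[0].strip()
        if not line or line[0] not in "/=!":   # skip macro and config lines
            return
        kind = {"=": "equ", "!": "neg"}.get(line[0], "sel")
        parts = (line[1:] if line[0] in "=!" else line).split(None, 1)
        pattern, attrs = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        # re.match anchors at the start, which is the manual's implicit '^'.
        self._node(_owner_dir(pattern))[kind].append((re.compile(pattern), attrs, line))

    @staticmethod
    def _first_match(rules, filename):
        # First-match semantics inside one list, as the manual describes.
        for rx, attrs, text in rules:
            if rx.match(filename):
                return attrs, text
        return None

    def _check_node(self, path, filename, first_time, st):
        # Transcription of check_node_for_match() from the manual's pseudocode.
        node = self.nodes[path]
        for kind in (["equ", "sel"] if first_time else ["sel"]):  # equals: start node only
            hit = self._first_match(node[kind], filename)
            if hit and st["rule"] is None:     # first (deepest) match wins
                st["attrs"], st["rule"] = hit
        if path != "/":
            self._check_node(posixpath.dirname(path), filename, False, st)
        if st["rule"] is not None and st["dropped_by"] is None:   # about to be added
            hit = self._first_match(node["neg"], filename)
            if hit:
                st["dropped_by"] = hit[1]

    def classify(self, filename):
        """Return (attrs, rule) if the file would be added, else (None, negative rule)."""
        # Starting node: the file's parent directory or its nearest ancestor that has
        # a node.  The manual leaves this lookup out of its pseudocode (assumption).
        start = posixpath.dirname(filename) or "/"
        while start not in self.nodes:
            start = posixpath.dirname(start)
        st = {"attrs": None, "rule": None, "dropped_by": None}
        self._check_node(start, filename, True, st)
        if st["dropped_by"] is not None:
            return None, st["dropped_by"]
        return st["attrs"], st["rule"]


def load(config_text):
    """Build a RuleTree from the selection lines of an aide.conf-style text."""
    tree = RuleTree()
    for line in config_text.splitlines():
        tree.add_line(line)
    return tree


# Constructed configs, taken from the manual's own examples (the '/' rule of the
# /etc example keeps a shortened attribute list).
MESSAGES_WRONG = "/ R\n=/var/log/messages$ R+a\n!/var/log/messages.*\n"
MESSAGES_RIGHT = "/ R\n=/var/log/messages$ R+a\n!/var/log/messages\\.[0-9]$\n"
ETC_WRONG = "/ n+p+l+i+u+g+s+b+m+c+md5+sha1\n/etc$ n+p+l+i+u+g\n/etc/resolv.conf$ n+p+l+u+g\n"
ETC_RIGHT = "\n".join(reversed(ETC_WRONG.splitlines())) + "\n"
UTMP_WRONG = "/ R\n!/var/adm/utmp\n"       # no '$': also hides /var/adm/utmp_root_kit
UTMP_RIGHT = "/ R\n!/var/adm/utmp$\n"

if __name__ == "__main__":
    for cfg, path in [(MESSAGES_WRONG, "/var/log/messages"), (MESSAGES_RIGHT, "/var/log/messages"),
                      (ETC_WRONG, "/etc"), (ETC_RIGHT, "/etc"),
                      (UTMP_WRONG, "/var/adm/utmp_root_kit"), (UTMP_RIGHT, "/var/adm/utmp_root_kit")]:
        print(path, "->", load(cfg).classify(path))
```

classify() returns the attribute group and the rule that added the path, or None together with the negative rule that dropped it; the model checks one path at a time and does not reproduce AIDE's decision not to descend into a dropped directory.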

Usage

First you must create a database against which future checks are performed. This should be done immediately after the operating system and applications have been installed, before the machine is plugged into a network. You can do this by giving the command aide --init. This creates a database that contains all of the files that you selected in your config file. The newly created database should now be moved to a secure location such as read-only media. You should also place the configuration file and the AIDE binary, and preferably the manual pages and this manual, on that media as well. Please remember to edit the configuration file so that the input database is read from that read-only media. The config file should not be kept on the target machine. The attacker could read the config file and alter it, and if he does alter it he could place his rootkit in a place that AIDE does not check. So the read-only media should be accessible only during the check.

Now you are all set to go. You can now check the integrity of the files. This can be done by giving the command aide --check. AIDE now reads the database and compares it to the files found on the disk. AIDE may find changes in places that you might not expect. For instance, tty devices often change owners and permissions. You may want to read long reports, and that is up to you to decide. But most of us do not have the time or the inclination to read through tons of garbage every day, so you should trim the config file to include only the files, and the attributes of certain files, that should not change. But keep in mind that you should not ignore too much, as that leaves you open to an attack. An intruder might place his/her/its/their rootkit in a directory that you have ignored completely. One good example is /var/spool/lp or something similar. This is the place where the lp daemon stores its temporary files. You should not ignore it completely, however. You should only ignore the format of files that your lp daemon keeps creating. And remember to use the $-sign at the end of your regexps. This stops someone from creating a directory that is ignored along with its contents.

Now that you have trimmed your config file you should update the database. This can be done by: aide --update. The update command does the same thing as check but also creates a new database. This database should now be placed on that read-only media along with the new config file. The check, trim, update cycle should be repeated as long as necessary. I recommend that the config file be reviewed once in a while. The definition of "a while" depends on your paranoia. Some might want to do it daily after each check. Some might want to do it weekly.

There is usually some drift in the databases. What I mean by drift is that new files are created, config files of applications are edited, and tons of small changes pile up until the report becomes unreadable. This can be avoided by updating the database once in a while. I myself run the update every night. But I don't replace the input database nearly as often. The replacement of the input database should always be a manual operation. This should not be automated.

There is also an alternative way of doing this. This method may be preferable for people that have lots of machines that run aide. You can run aide --init on all of the hosts and move the generated databases to a central host where you compare different versions of the databases with aide --compare. This has the benefit of freeing up resources on the monitored machines.

Database and config signing

The security of AIDE can be increased by signing the configuration and/or database. When a database is signed, and it is changed manually, AIDE will refuse to use it. Likewise, if a configuration is signed, AIDE will not use it until the embedded hash is updated as well.

To make use of the signing features, use these options to the configure script:

--with-confighmactype=TYPE
Hash type to use for checking config. Valid values are md5 and sha1.

--with-confighmackey=KEY
HMAC hash key to use for checking config. Must be a base64 encoded byte stream. Maximum string length is 31 chars.

--with-dbhmactype=TYPE
Hash type to use for checking db. Valid values are md5 and sha1.

--with-dbhmackey=KEY
HMAC hash key to use for checking db. Must be a base64 encoded byte stream. Maximum string length is 31 chars.
|
|
Packit |
762fc5 |
|
|
Packit |
762fc5 |
|
|
Packit |
762fc5 |
|
|
Packit |
762fc5 |
The base64 encoding was chosen so that the keys are not limited to printable
characters. You can use a local base64 tool to convert the keys to the right
format. Then run configure, for example:

./configure --with-confighmactype=sha1 \
  --with-confighmackey="YWlkZSBhaWRlIGFpZGUgYWlkZQo=" --with-dbhmactype=sha1 \
  --with-dbhmackey="YWlkZSBhaWRlIGFpZGUgYWlkZQo="
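The key constraints above (a base64 encoded byte stream whose encoded form is at most 31 characters), worked through in an added Python example that is not part of the manual; the key-generation and configure-line helpers are assumptions for illustration, and the sample keys are constructed.

```python
"""Added example (not from the AIDE manual): build and check HMAC keys for the
--with-confighmackey / --with-dbhmackey configure options.

Constraints from the manual: the key is a base64 encoded byte stream and the
encoded string is at most 31 characters. Base64 grows in 4-character groups,
so the longest encoding that fits is 28 characters, i.e. 21 raw bytes.
"""
import base64
import binascii
import os

MAX_KEY_CHARS = 31
MAX_KEY_BYTES = 21  # 4 * ceil(21 / 3) == 28 <= 31; 22 bytes would encode to 32


def check_hmac_key(key: str) -> str:
    """Return 'ok' if KEY is usable as a configure-time HMAC key, else the reason.

    Note that the base64 command-line tool appends a newline; that newline
    would make the key invalid here, so strip it before passing the key on.
    """
    if not key:
        return "empty key"
    if len(key) > MAX_KEY_CHARS:
        return f"too long: {len(key)} chars (max {MAX_KEY_CHARS})"
    try:
        base64.b64decode(key, validate=True)  # strict alphabet and padding check
    except (binascii.Error, ValueError):
        return "not valid base64"
    return "ok"


def new_hmac_key(nbytes: int = MAX_KEY_BYTES) -> str:
    """Generate a fresh random key in the accepted format (helper assumed here)."""
    if not 1 <= nbytes <= MAX_KEY_BYTES:
        raise ValueError(f"key must be 1..{MAX_KEY_BYTES} raw bytes")
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def configure_command(config_key: str, db_key: str, hmac_type: str = "sha1") -> str:
    """The ./configure invocation from the manual, with both keys filled in.

    The manual's example reuses one key; passing two distinct keys keeps the
    config and database HMACs independent of each other.
    """
    if hmac_type not in ("md5", "sha1"):
        raise ValueError("hmac type must be md5 or sha1")
    for key in (config_key, db_key):
        status = check_hmac_key(key)
        if status != "ok":
            raise ValueError(status)
    return (f'./configure --with-confighmactype={hmac_type} '
            f'--with-confighmackey="{config_key}" --with-dbhmactype={hmac_type} '
            f'--with-dbhmackey="{db_key}"')
```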
To make the presence of a valid signature mandatory, the following configure
options can be used:

--enable-forced_dbmd
    Forces the file/pipe databases to have a checksum.

--enable-forced_configmd
    Forces the config to have a checksum. Also disables --config-check.
It is also possible to edit the config.h file by hand and change the
values of the FORCEDBMD and FORCECONFIGMD macros.
Creating the hash for the aide.db database is done by running aide
--init or aide --update. The hash for the aide.conf configuration file
can be obtained by running aide --config-check:

$ aide --config-check
Config checked. Use the following to patch your config file.
0a1
> @@begin_config 27GF0+oKj1CvP4tltuibhu8YGIU=
13a15
> @@end_config
The @@begin_config and @@end_config lines can be added to the aide.conf
file manually, or the output of aide --config-check can be piped directly
into patch:

$ aide --config-check | patch
can't find file to patch at input line 2
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--------------------------
|Config checked. Use the following to patch your config file.
--------------------------
File to patch: /etc/aide.conf
patching file /etc/aide.conf
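The signed-config layout shown above (a leading @@begin_config line carrying a base64 HMAC, a closing @@end_config line, and rejection of an unsigned or manually edited file), as an added Python model that is not AIDE's code. It assumes the HMAC covers every line between the two markers, which is this model's choice rather than AIDE's exact byte coverage; the sample key and config lines are constructed.

```python
"""Added example (not AIDE's code): a model of the embedded config signature.

A signed aide.conf starts with '@@begin_config <hmac>' and ends with
'@@end_config'. The HMAC is keyed with the configure-time key and base64
encoded: 20 bytes, i.e. 28 base64 chars, for sha1, matching the manual's sample.
Assumption: the HMAC covers every line between the two markers.
"""
import base64
import hashlib
import hmac

BEGIN = "@@begin_config"
END = "@@end_config"


def _mac(body_lines, key_b64, hmac_type):
    if hmac_type not in ("md5", "sha1"):          # the two types configure accepts
        raise ValueError("hmac type must be md5 or sha1")
    key = base64.b64decode(key_b64)                # key is a base64 byte stream
    body = "".join(line + "\n" for line in body_lines).encode()
    digest = hmac.new(key, body, getattr(hashlib, hmac_type)).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_config(text, key_b64, hmac_type="sha1"):
    """Return TEXT wrapped in the markers, as 'aide --config-check | patch' leaves it.

    An already signed config is re-signed: the old markers are dropped first.
    """
    lines = text.splitlines()
    if lines and lines[0].startswith(BEGIN):
        lines = [line for line in lines[1:] if line != END]
    return "\n".join([f"{BEGIN} {_mac(lines, key_b64, hmac_type)}", *lines, END]) + "\n"


def verify_config(text, key_b64, hmac_type="sha1"):
    """'ok', 'unsigned' or 'bad signature'; a forced_configmd build rejects the last two."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith(BEGIN + " ") or lines[-1] != END:
        return "unsigned"
    expected = lines[0][len(BEGIN) + 1:]
    actual = _mac(lines[1:-1], key_b64, hmac_type)
    # Constant-time comparison so a wrong MAC is not distinguishable by timing.
    return "ok" if hmac.compare_digest(actual, expected) else "bad signature"
```

A manual edit of any line between the markers, or a check against a different compiled-in key, yields "bad signature"; only re-signing with the key restores "ok".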
Using forced_configmd will make AIDE refuse to use unsigned configuration
files. This also disables the --config-check option. This only makes sense
if you already have a signed configuration, or if you have an AIDE
executable on another machine that can create the signed configurations
for you.

Miscellaneous
The AIDE database can be used to find the real names and places of
files that have been moved to the lost+found directory by fsck.

General guidelines for security
Do not assume anything
Trust no-one, nothing
Nothing is secure
Security is a trade-off with usability
Paranoia is your friend
</body>
</html>