VizagInfo.com Home | VizagInfo Mirror of LG


LINUX GAZETTE
[ Prev ][ Table of Contents ][ Front Page ][ Talkback ][ FAQ ][ Next ]

"Linux Gazette...making Linux just a little more fun!"


Installing and using AIDE

By Ariel Maiorano


Introduction

If your system was compromised, chances are that the hacker, cracker, trojan, worm or whatever replaced system files, or installed new ones, generally backdoors or hostile code. Imagine a replaced version of the login program, which lets someone in with root access after supplying a magic password (like the ones included in most rootkits), or a trojanized ssh client, which emails server, user and password information to someone when used (something like this happened in an important site last year).

File integrity checkers can help us by keeping checksums or hashes, and various attributes like size, owner, permissions, etc. of files in a database to later, and regularly, compare this information checking for changes. So if the login binary is replaced, or a /tmp/.hidden/backdoord is installed, you would be alerted.

This article will try to explain how to install and use an AIDE, an open source Intrusion Detection System (IDS) of the host-based type, or file integrity checker, if you prefer. Quoting from the AIDE website...

"AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more."

The installation of the whole system will be done on a floppy disk. We'll check for changes in various files and directories, being a little paranoid. That will take more time and generate more false alarms or false positives, but I think it makes things less complicated, and, hopefully, not less secure. When you set up your own configuration, you can start with my example, and then after a couple of weeks of use you will know what should be changed. You'll mount the disk each time you're ready to do the checks. That requires more steps, but if an attacker gets in, he will not be able to (A) change our database, and (B) not even notice we check our system regularly with AIDE.

Installation

First we will make the filesystem in the floppy disk... (mine is on /dev/fd0, drive A: under DOS, if you use B: under DOS you will use /dev/fd1 here.)

root@pc2:~# 
root@pc2:~# mkfs /dev/fd0
mke2fs 1.22, 22-Jun-2001 for EXT2 FS 0.5b, 95/08/09
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
184 inodes, 1440 blocks
72 blocks (5.00%) reserved for the super user
First data block=1
1 block group
8192 blocks per group, 8192 fragments per group
184 inodes per group

Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
root@pc2:~# 
mount it, and create the aide directory...
root@pc2:~# 
root@pc2:~# mount /dev/fd0 /mnt/floppy
root@pc2:~# 
root@pc2:~# mkdir /mnt/floppy/aide
root@pc2:~# 

Now we will get the sources of AIDE, compile them in a temporary directory, install the system in the floppy disk (pay attenton to the --prefix option when running configure), strip the aide binary before doing the make install, and finally remove the temporary directory...

root@pc2:~# 
root@pc2:~# mkdir /tmp/aide
root@pc2:~# 
root@pc2:~# cd /tmp/aide
root@pc2:/tmp/aide# 
root@pc2:/tmp/aide# wget http://www.cs.tut.fi/~rammer/aide-0.7.tar.gz
--12:54:47--  http://www.cs.tut.fi/%7Erammer/aide-0.7.tar.gz
           => `aide-0.7.tar.gz'
Connecting to www.cs.tut.fi:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 219,837 [application/x-tar]

    0K .......... .......... .......... .......... .......... 23% @  34.84 KB/s
   50K .......... .......... .......... .......... .......... 46% @  50.97 KB/s
  100K .......... .......... .......... .......... .......... 69% @  65.45 KB/s
  150K .......... .......... .......... .......... .......... 93% @  46.38 KB/s
  200K .......... ....                                       100% @   7.17 MB/s

12:54:52 (50.40 KB/s) - `aide-0.7.tar.gz' saved [219837/219837]

root@pc2:/tmp/aide# 
root@pc2:/tmp/aide# tar xvfz aide-0.7.tar.gz 
aide-0.7/
aide-0.7/Makefile.in

[...]

aide-0.7/include/compare_db.h
aide-0.7/include/gnu_regex.h
root@pc2:/tmp/aide#
root@pc2:/tmp/aide# cd aide-0.7
root@pc2:/tmp/aide/aide-0.7# 
root@pc2:/tmp/aide/aide-0.7# ./configure --prefix=/mnt/floppy/aide 
creating cache ./config.cache
checking for a BSD compatible install... /usr/bin/ginstall -c

[...]

creating aide.spec
creating config.h
root@pc2:/tmp/aide/aide-0.7# 
root@pc2:/tmp/aide/aide-0.7# make
make  all-recursive
make[1]: Entering directory `/tmp/aide/aide-0.7'

[...]

make[2]: Leaving directory `/tmp/aide/aide-0.7'
make[1]: Leaving directory `/tmp/aide/aide-0.7'
root@pc2:/tmp/aide/aide-0.7# 
root@pc2:/tmp/aide/aide-0.7# strip src/aide
root@pc2:/tmp/aide/aide-0.7# 
root@pc2:/tmp/aide/aide-0.7# make install
\Making install in src
make[1]: Entering directory `/tmp/aide/aide-0.7/src'

[...]

make[2]: Leaving directory `/tmp/aide/aide-0.7'
make[1]: Leaving directory `/tmp/aide/aide-0.7'
root@pc2:/tmp/aide/aide-0.7#  
root@pc2:/tmp/aide/aide-0.7# cd ..
root@pc2:/tmp/aide# cd ..
root@pc2:/tmp# rm -r aide
root@pc2:/tmp# 

Finally we will create a very simple configuration file, that will check for changes in permissions, inode number, number of links, user owner, group owner, size, modification time, creation time and md5 checksums in various directory files (including all files under them), and generate the database...

root@pc2:/tmp# 
root@pc2:/tmp# cd /mnt/floppy/aide/bin/
root@pc2:/mnt/floppy/aide/bin# 
root@pc2:/mnt/floppy/aide/bin# cat aide.conf
database=file:/mnt/floppy/aide/bin/aide.db
database_out=file:/mnt/floppy/aide/bin/aide.db.new
/vmlinuz        R
/boot           R
/etc		R
/bin            R
/usr/bin        R
/usr/local/bin  R
/sbin           R
/usr/sbin       R
/usr/local/sbin R
=/var/log       R
/tmp            R
/var/tmp        R
root@pc2:/mnt/floppy/aide/bin# 
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --init
root@pc2:/mnt/floppy/aide/bin# 
root@pc2:/mnt/floppy/aide/bin# mv aide.db.new aide.db
root@pc2:/mnt/floppy/aide/bin# 
The config file is only a working example, and i use it this way, but of course you may or should change it to suit your needs, remember the database generated must reside in the floppy disk. Check the end of this document to download the example aide.conf. We can now umount the floppy and are ready for regular use (checks and updates).

Regular use (checks and updates)

Now that we have the floppy disk with the generated database we can use it regularly to check for changes in the files to be audited. I will create a file in the /tmp directory to show an example of how AIDE tell us about it...

root@pc2:/# 
root@pc2:/# cat > /tmp/.hidden
hidden
root@pc2:/# 
root@pc2:/# mount /dev/fd0 /mnt/floppy/
root@pc2:/# cd /mnt/floppy/aide/bin/
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --check
AIDE found differences between database and filesystem!!
Start timestamp: 2002-01-21 15:22:56
Summary:
Total number of files=1443,added files=1,removed files=0,changed files=1

Added files:
added:/tmp/.hidden
Changed files:
changed:/tmp
Detailed information about changes:

File: /tmp
Mtime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
Ctime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
root@pc2:/mnt/floppy/aide/bin# 
So here you see clearly what happened, of course if an existing file was modified you would be alerted in a similar way.

Now imagine that /tmp/.hidden is a file that you placed there, you will not remove it and wish to stop seeing it in the reports, you can update the database, like this...

root@pc2:/mnt/floppy/aide/bin# 
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --update
AIDE found differences between database and filesystem!!
Start timestamp: 2002-01-21 15:28:58
Summary:
Total number of files=1443,added files=1,removed files=0,changed files=1

Added files:
added:/tmp/.hidden
Changed files:
changed:/tmp
Detailed information about changes:

File: /tmp
Mtime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
Ctime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
root@pc2:/mnt/floppy/aide/bin# 
root@pc2:/mnt/floppy/aide/bin# mv aide.db.new aide.db
root@pc2:/mnt/floppy/aide/bin# 
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --check 
root@pc2:/mnt/floppy/aide/bin# 

Finally... conclusion, files, links, etc.

Remember to keep all the AIDE stuff in the floppy disk, umount and remove it after use, change the example configuration file to suit your needs, try to not leave any information in the system that may reveal to an attacker that you are using AIDE. You are encouraged to read the manual pages and manual.html of AIDE, it's a very flexible program. And finally, quoting the 'General guidelines for security' section of the AIDE manual:
" Do not assume anything
Trust no-one, nothing
Nothing is secure
Security is a trade-off with usability
Paranoia is your friend ".

The example aide.conf configuration file: misc/maiorano/aide.conf.txt

Home of the AIDE project: http://www.cs.tut.fi/~rammer/aide.html
download AIDE tarball: http://www.cs.tut.fi/~rammer/aide-0.7.tar.gz

Home of the more famous alternative to AIDE, Tripwire: http://www.tripwire.org

Some papers and articles for further reading...

An interesting article at securityfocus.com titled 'You may already be hacked.': http://www.securityfocus.com/columnists/12

An article at linuxsecurity.com titled 'Getting Started with Tripwire (Open Source Linux Edition)': http://www.linuxsecurity.com/feature_stories/feature_story-81.html

'Network- vs. Host-based Intrusion Detection - A Guide to Intrusion Detection Technology' from ISS, interesting reading also: http://secinf.net/info/ids/nvh_ids/

A more commercial point of view from NetworkWorldFusion, 'Getting the drop on network intruders': http://www.nwfusion.com/reviews/1004trends.html

Ariel Maiorano

I'm a free-lance programmer in Argentina, working mostly on web and security development.


Copyright © 2002, Ariel Maiorano.
Copying license http://www.linuxgazette.com/copying.html
Published in Issue 75 of Linux Gazette, February 2002

[ Prev ][ Table of Contents ][ Front Page ][ Talkback ][ FAQ ][ Next ]