An Intrusion detection system (or IDS) is a software or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling of computer systems through a network.AIDE is useful in server security services. Some of the best IDS applications know are Snort, Untangle, Tripwire, AIDE etc. Among the simplest to configure and use is AIDE.
What is AIDE
AIDE (Advanced Intrusion Detection Environment) is an intrusion detection program. It is a free replacement for Tripwire. AIDE constructs a database of the files specified in AIDE’s configuration file. The AIDE database stores various file attributes like permissions, inode number, user, group, file size, mtime and ctime, atime, growing size, number of links and link name. AIDE also creates a cryptographic checksum or hash of each file using message digest algorithms like sha, md5, rmd160, tiger etc. Also acl, xattr and selinux can be used if enabled during compile time.
Initially the administrator has to create an AIDE database on a new server before it is setup for networking or business (eg hosting). This AIDE database is a summary of the system in it’s normal state.It will hold information about system binaries, libraries, header files etc that are expected to remain the same over time.
Suppose someone has broken-into the system, though it is easier to manipulate file dates, sizes etc, it will be quite difficult for him to manipulate cryptographic checksum like md5. Thus by rerunning AIDE after a break-in, the administrator can quickly identify changes to files with high degree of accuracy.
AIDE Compilation
Some of the prerequisites (packages) for AIDE are:
- GCC compiler for C (gcc)
- GNU Flex (flex)
- GNU Bison (bison)
- GNU Make (make)
- Mhash library (libmhash2 and libmhash-dev)
- PostgreSQL Development Library (postgresql-server-dev)
Simple instructions using Ubuntu
Firstly become root by using the given command and then supplying your password:
sudo su –
For each prerequisite (say package gcc) search if it is installed or not by:
dpkg –get-selections|grep gcc
If you get:
gcc-4.3 install
then gcc is installed otherwise if you get no output then it means that gcc is not installed.
If the package gcc is not installed then use:
sudo apt-get install gcc
Once all the packages are installed then download aide from sourceforge.net/projects/aide. It will be a gzipped tar archive.
create a folder packages and extract the tar achieve in this folder using the command:
tar -xzvf aide-x.xx.x.tar.gz (replace x with version number)
now a folder by name aide-x.xx.x will be created
go inside that folder by:
cd aide-x.xx.x
now execute:
./configure
make
make install
make clean
open the aide config file and determine where the aide database is stored. Go to that location
To initialise the database perform:
aide -i
mv aide.db.new aide.db
then to check if aide works execute:
aide
Configuration of AIDE
AIDE has its config file located inside (if installed via package management software like synaptic, config file is /etc/aide/aide.conf) /usr/local/etc/aide.conf .
And it’s default executable is located inside /usr/local/bin/aide.
Explanation of the aide.conf file
database=file:/var/lib/aide/aide.db
location of the database to be read (This is the database taken as benchmark)
database_new=file:/var/lib/aide/aide.db.comp
location of the database for –compare is read (This is not present by default and is used only when we have to compare two distinct databases.)
database_out=file:/var/lib/aide/aide.db.new
location of the database to be written
AIDE uses a set of rules to determine what to check for within a particular file or directory. This is found inside aide.conf. These rules are also called groups.
#p: permissions
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#E: Empty group
#>: Growing logfile p+l+u+g+i+n+S
These basic rules are then grouped to custom rules which define the collection of rules they comply to for example ‘pug: p+u+g’ means pug supports permissions, user and group rules together. You can alse create custom rules
#R: p+i+l+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+l+n+u+g+acl+selinux+xattrs
#MyRule: p+i+l+n+u+g
The following are available if you have mhash support enabled:
#gost: gost checksum
#whirlpool: whirlpool checksum
The following are available when explicitly enabled using configure:
#acl: access control list
#selinux SELinux security context
#xattr: extended file attributes
AIDE has three types of selection lines
- Regular selection lines, beginning with “/”. This line is a file/dirctory path with or without regular expressions followed by a rule to be used here.
- Equals selection lines, beginning with “=”. This line is followed by a path to directory/file and tells aide not to proceed the rule into any subdirectory or file.
- Negative selection lines, beginning with “!”. This line is followed by a path to directory/file and tells aide what files/directories to ignore in database.
Next we have to decide what directories/files you want in the database
/etc p+i+u+g #check only permissions, inode, user and group for etc
/bin MyRule # apply the custom rule to the files in bin
/sbin MyRule # apply the same custom rule to the files in sbin
/var MyRule
!/var/log/.* # ignore the log dir it changes too often
!/var/spool/.* # ignore spool dirs as they change too often
!/var/adm/utmp$ # ignore the file /var/adm/utmp
URLS that can be used
we have URLs in the database and database_out portion of aide.conf. These Urls can be any of the following. Input urls cannot be used as outputs and vice versa.
stdout
stderr Output is sent to stdout,stderr respectively.
stdin Input is read from stdin.
file://filename
Input is read from filename or output is written to filename.
fd:number
Input is read from file-descriptor number or output is written to
number.
Useful Commands
aide -C : Performs a check on the filesystem ? (also same as: aide)
aide -i : Initialises or creates the benchmark database supplied by database_out directive (here it is aide.db.new)
aide -u -c /etc/aide.conf : update the database and use the specified config file
Usage
Before putting one’s server into the network, the admin will have to save a secure configuration of the system by:
aide -i
mv aide.db.new aide.db
The second command transfers the server’s earlier state(aide.db database) with the new one(aide.db.new). So be careful when you do this. It is advisable to keep a backup of the earlier database.
Next time in-order to check for any break-in perform
aide
or
aide -C
To compare the current database with some earlier backed-up database, give the path of the backed-up database to database_new option in aide.conf and perform:
aide –compare
The task of saving the old database and comparing with a new one has to be done periodically (preferably daily with the help of a cron task).
Reference Links
http://www.cs.tut.fi/~rammer/aide.html (Home Page)
http://sourceforge.net/projects/aide (Sourceforge Project Page)
http://www.cs.tut.fi/~rammer/aide/manual.html (Manual Page)
http://www.securityfocus.com/infocus/1424 (Reference)
http://www.penguin-soft.com/penguin/man/5/aide.conf.html (Reference)
