Using Advanced Intrusion Detection Environment, AIDE
Server - CentOS

The Advanced Intrusion Detection Environment, AIDE, has replaced the free version of Tripwire. It works the same way as Tripwire and uses the same command switches. As is the case with the free version of Tripwire, AIDE works best for small-scale use. For larger networks you'll want to try the commercial version of Tripwire.

The best time to install either Tripwire or AIDE is as soon as possible after you've installed a new operating system. If you wait for any significant time afterward, you run the risk that someone has already installed a rootkit by the time you do your first check. Since Tripwire and AIDE work by detecting changes in files, neither can detect a rootkit that was installed before the initial database was built.

It's also recommended that you change the configuration of these programs so that the initialization database is stored on a floppy disk instead of on the hard drive. That way, if someone does break in, he won't be able to tamper with your database. You can do this by opening the /etc/aide.conf file and changing the second line in the file to:

@@define DBDIR /mnt/floppy/aide

The default configuration checks the selinux attribute of every file. If your system is using selinux you will see a lot of errors related to selinux settings; if selinux is disabled you will see hundreds of warnings. With selinux disabled you can avoid all of those warnings by removing the selinux check from the attribute groups in /etc/aide.conf, which means changing them as follows:

ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
EVERYTHING = p+i+n+u+g+s+m+c+acl+xattrs+md5+ALLXTRAHASHES
NORMAL = p+i+n+u+g+s+m+c+acl+xattrs+md5+rmd160+sha256
DIR = p+i+n+u+g+acl+xattrs
PERMS = p+i+u+g+acl
LOG = p+u+g+i+n+S+acl+xattrs
LSPP = p+i+n+u+g+s+m+c+acl+xattrs+md5+sha256
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
Initialize the database first. It creates a new database in /var/lib/aide, which you then rename to the name the checker reads:

aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide --check
AIDE, version 0.13.1
### All files match AIDE database. Looks okay!
If you run aide --check and files have changed, review the files and determine whether they are legitimate changes. If they are, run an update. Notice in this example that you can see the changed files and the checksums for those that changed.
AIDE found differences between database and filesystem!!
Start timestamp: 2006-08-12 19:37:06

Summary:
  Total number of files:  269108
  Added files:            1
  Removed files:          0
  Changed files:          7

---------------------------------------------------
Added files:
---------------------------------------------------

added:/root/aide_init.png

---------------------------------------------------
Changed files:
---------------------------------------------------

changed:/root
changed:/root/.gconfd
changed:/root/.gconfd/saved_state
changed:/root/.rhn-applet.conf
changed:/root/.gnome2_private
changed:/root/.gconf/apps/gnome-settings/gnome-panel-screenshot
changed:/root/.gconf/apps/gnome-settings/gnome-panel-screenshot/%gconf.xml

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /root
  Mtime  : 2006-08-12 18:45:08 , 2006-08-12 19:34:43
  Ctime  : 2006-08-12 18:45:08 , 2006-08-12 19:34:43

Directory: /root/.gconfd
  Mtime  : 2006-08-12 18:46:05 , 2006-08-12 19:35:05
  Ctime  : 2006-08-12 18:46:05 , 2006-08-12 19:35:05

File: /root/.gconfd/saved_state
  Mtime  : 2006-08-12 18:46:05 , 2006-08-12 19:35:05
  Ctime  : 2006-08-12 18:46:05 , 2006-08-12 19:35:05
  Inode  : 1296092 , 1295517
  MD5    : v/qlqHmdeLNudHyU+uOTtQ== , 77GBQoTIaRoaGLe26HXbQA==
  SHA1   : OH627hZUYx4qOLNQer+zIEhoxQY= , kuCBemwtfCWpoXy0yzfyiLO1nIw=

File: /root/.rhn-applet.conf
  Mtime  : 2006-08-12 18:45:27 , 2006-08-12 19:31:06
  Ctime  : 2006-08-12 18:45:27 , 2006-08-12 19:31:06

Directory: /root/.gnome2_private
  Ctime  : 2006-08-12 18:46:02 , 2006-08-12 19:34:20

Directory: /root/.gconf/apps/gnome-settings/gnome-panel-screenshot
  Mtime  : 2006-08-07 10:02:50 , 2006-08-12 19:35:43
  Ctime  : 2006-08-07 10:02:50 , 2006-08-12 19:35:43

File: /root/.gconf/apps/gnome-settings/gnome-panel-screenshot/%gconf.xml
  Size   : 948 , 1052
  Mtime  : 2006-08-07 10:02:50 , 2006-08-12 19:35:43
  Ctime  : 2006-08-07 10:02:50 , 2006-08-12 19:35:43
  Inode  : 1869108 , 1867936
  MD5    : qJAU5QN5aLH48sn0kcRVSw== , Y2GEo7nfTOx+mR/0ApETcA==
  SHA1   : Ul8ZUUFGe26pHHT38a/glP+CtDc= , u2I7euF7gggthDfw+Y8jWjf4mCE=
Now run an update.

aide --update

Once you have updated, change to the database directory and copy the new database over the original.

cd /var/lib/aide
cp aide.db.new.gz aide.db.gz

You will need to update the database every time you verify changes, so that files you have already verified are not reported again on the next check.
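As an added example (not code from the original page), a small POSIX shell triage script for the report format shown above: it reads the Summary counts, lists the added and changed paths, and separates routine changes in a home directory from changes under system paths that should be reviewed by hand before running aide --update. The report text and the CRITICAL_PREFIXES list are constructed assumptions, not output captured from the host described here.

```shell
#!/bin/sh
# Added example, not part of the original page: triage an AIDE report.
# AIDE_REPORT is a constructed sample modelled on the report shown above.
AIDE_REPORT='AIDE found differences between database and filesystem!!
Start timestamp: 2006-08-12 19:37:06

Summary:
  Total number of files:  269108
  Added files:            1
  Removed files:          0
  Changed files:          3

Added files:

added: /root/aide_init.png

Changed files:

changed: /root
changed: /root/.gconfd/saved_state
changed: /usr/bin/ssh
'

# Paths where any change deserves a hand review rather than a routine update
# (assumed list; tune it for the host).
CRITICAL_PREFIXES='/etc /bin /sbin /usr/bin /usr/sbin /lib /lib64 /usr/lib'

# aide_count Added|Removed|Changed -> the number from the Summary block
aide_count() {
    printf '%s\n' "$AIDE_REPORT" |
        awk -v key="$1 files:" '$0 ~ "^[ \t]*" key { print $NF; exit }'
}

# aide_paths added|removed|changed -> one path per line from the report body
aide_paths() {
    printf '%s\n' "$AIDE_REPORT" | sed -n "s/^$1: *//p"
}

# aide_critical -> added or changed paths that fall under a critical prefix
aide_critical() {
    { aide_paths added; aide_paths changed; } | while read -r p; do
        for pre in $CRITICAL_PREFIXES; do
            case "$p" in "$pre"|"$pre"/*) echo "$p"; break ;; esac
        done
    done
}

echo "added=$(aide_count Added) removed=$(aide_count Removed) changed=$(aide_count Changed)"
aide_critical | sed 's/^/REVIEW BY HAND: /'
```

On a live host, replace the embedded AIDE_REPORT with the output of aide --check (for example, AIDE_REPORT=$(aide --check)) and only run aide --update once the paths printed as REVIEW BY HAND have been explained.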