<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Installing and using AIDE LG #75</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->

<CENTER>
<A HREF="http://www.linuxgazette.com/">
<IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.png"
WIDTH="600" HEIGHT="124" border="0"></A>
<BR>

<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="jones.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue75/maiorano.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg" WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="nielsen.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<P>
</CENTER>

<!--endcut ============================================================-->

<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>

<P> <HR> <P>
<!--===================================================================-->

<center>
<H1><font color="maroon">Installing and using AIDE</font></H1>
<H4>By <a href="mailto:arielm@radar.com.ar">Ariel Maiorano</a></H4>
</center>
<P> <HR> <P>

<!-- END header -->

<H2>Introduction</H2>

<P>
If your system was compromised, chances are that the hacker, cracker,
trojan, worm or whatever replaced system files, or installed new ones,
generally backdoors or hostile code. Imagine a replaced version of the
login program, which lets someone in with root access after supplying a
magic password (like the ones included in most rootkits),
or a trojanized ssh client, which emails server, user and password
information to someone when used (something like this happened at an
important site last year).
</P>

<P>
File integrity checkers help by storing checksums or hashes, and
various attributes like size, owner, permissions, etc., of files in a database,
and then regularly comparing the current files against that stored
information to detect changes. So if the login binary is replaced, or a
/tmp/.hidden/backdoord is installed, you would be alerted.
</P>

<P>
This article will try to explain how to install and use AIDE, an open
source host-based Intrusion Detection System (IDS), or
file integrity checker, if you prefer. Quoting from the AIDE website...
</P>

<P>
"AIDE (Advanced Intrusion Detection Environment) is a free replacement
for Tripwire. It does the same things as the semi-free Tripwire and more."
</P>

<P>
The whole system will be installed on a floppy disk. We'll
check for changes in various files and directories, being a little paranoid.
That will take more time and generate more false alarms or false positives, but
I think it makes things less complicated, and, hopefully, not less secure.
When you set up your own configuration, you can start
with my example, and after a couple of weeks of use you will know what
should be changed.

You'll mount the disk each time you're ready to do the checks. That requires
more steps, but if an attacker gets in, he will (A) not be able to change our
database, and (B) not even notice that we check our system regularly with AIDE.
</P>

<H2>Installation</H2>

<P>
First we will make the filesystem on the floppy disk...
(mine is /dev/fd0, drive A: under DOS; if you use B: under DOS you will use /dev/fd1 here.)
<PRE>
root@pc2:~#
root@pc2:~# mkfs /dev/fd0
mke2fs 1.22, 22-Jun-2001 for EXT2 FS 0.5b, 95/08/09
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
184 inodes, 1440 blocks
72 blocks (5.00%) reserved for the super user
First data block=1
1 block group
8192 blocks per group, 8192 fragments per group
184 inodes per group

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
root@pc2:~#
</PRE>
mount it, and create the aide directory...
<PRE>
root@pc2:~#
root@pc2:~# mount /dev/fd0 /mnt/floppy
root@pc2:~#
root@pc2:~# mkdir /mnt/floppy/aide
root@pc2:~#
</PRE>
</P>

<P>
Now we will get the sources of AIDE, compile them in a temporary directory, install
the system on the floppy disk (pay attention to the --prefix option when running
configure), strip the aide binary before doing the make install, and finally remove
the temporary directory...
<PRE>
root@pc2:~#
root@pc2:~# mkdir /tmp/aide
root@pc2:~#
root@pc2:~# cd /tmp/aide
root@pc2:/tmp/aide#
root@pc2:/tmp/aide# wget http://www.cs.tut.fi/~rammer/aide-0.7.tar.gz
--12:54:47-- http://www.cs.tut.fi/%7Erammer/aide-0.7.tar.gz
=> `aide-0.7.tar.gz'
Connecting to www.cs.tut.fi:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 219,837 [application/x-tar]

0K .......... .......... .......... .......... .......... 23% @ 34.84 KB/s
50K .......... .......... .......... .......... .......... 46% @ 50.97 KB/s
100K .......... .......... .......... .......... .......... 69% @ 65.45 KB/s
150K .......... .......... .......... .......... .......... 93% @ 46.38 KB/s
200K .......... .... 100% @ 7.17 MB/s

12:54:52 (50.40 KB/s) - `aide-0.7.tar.gz' saved [219837/219837]

root@pc2:/tmp/aide#
root@pc2:/tmp/aide# tar xvfz aide-0.7.tar.gz
aide-0.7/
aide-0.7/Makefile.in

[...]

aide-0.7/include/compare_db.h
aide-0.7/include/gnu_regex.h
root@pc2:/tmp/aide#
root@pc2:/tmp/aide# cd aide-0.7
root@pc2:/tmp/aide/aide-0.7#
root@pc2:/tmp/aide/aide-0.7# ./configure --prefix=/mnt/floppy/aide
creating cache ./config.cache
checking for a BSD compatible install... /usr/bin/ginstall -c

[...]

creating aide.spec
creating config.h
root@pc2:/tmp/aide/aide-0.7#
root@pc2:/tmp/aide/aide-0.7# make
make all-recursive
make[1]: Entering directory `/tmp/aide/aide-0.7'

[...]

make[2]: Leaving directory `/tmp/aide/aide-0.7'
make[1]: Leaving directory `/tmp/aide/aide-0.7'
root@pc2:/tmp/aide/aide-0.7#
root@pc2:/tmp/aide/aide-0.7# strip src/aide
root@pc2:/tmp/aide/aide-0.7#
root@pc2:/tmp/aide/aide-0.7# make install
Making install in src
make[1]: Entering directory `/tmp/aide/aide-0.7/src'

[...]

make[2]: Leaving directory `/tmp/aide/aide-0.7'
make[1]: Leaving directory `/tmp/aide/aide-0.7'
root@pc2:/tmp/aide/aide-0.7#
root@pc2:/tmp/aide/aide-0.7# cd ..
root@pc2:/tmp/aide# cd ..
root@pc2:/tmp# rm -r aide
root@pc2:/tmp#
</PRE>
</P>

<P>
Finally we will create a very simple configuration file, that will check for
changes in permissions, inode number, number of links, user owner, group owner, size,
modification time, creation time and md5 checksums in various directories (including
all files under them), and generate the database...
<PRE>
root@pc2:/tmp#
root@pc2:/tmp# cd /mnt/floppy/aide/bin/
root@pc2:/mnt/floppy/aide/bin#
root@pc2:/mnt/floppy/aide/bin# cat aide.conf
database=file:/mnt/floppy/aide/bin/aide.db
database_out=file:/mnt/floppy/aide/bin/aide.db.new
/vmlinuz R
/boot R
/etc R
/bin R
/usr/bin R
/usr/local/bin R
/sbin R
/usr/sbin R
/usr/local/sbin R
=/var/log R
/tmp R
/var/tmp R
root@pc2:/mnt/floppy/aide/bin#
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --init
root@pc2:/mnt/floppy/aide/bin#
root@pc2:/mnt/floppy/aide/bin# mv aide.db.new aide.db
root@pc2:/mnt/floppy/aide/bin#
</PRE>
The config file is only a working example, and I use it this way, but of course you may
or should change it to suit your needs; remember that the generated database must reside on the floppy disk.
Check the end of this document to download the example aide.conf. We can now unmount the floppy and
are ready for regular use (checks and updates).
</P>

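<P>
As an added illustration, not code from the article or from AIDE itself, the following Python script does in miniature what the configuration above asks AIDE to do: it records, for every file under a set of roots, the attributes the R rule covers (permissions, inode, link count, owner, group, size, mtime, ctime and an md5 checksum) and then reports what was added, removed or changed, attribute by attribute. The handling of a root written =/dir (record the directory, do not descend) is an assumption about the article's =/var/log line, and the database is kept in memory instead of being written to removable media.
</P>

```python
# Added example (not the article's or AIDE's code): a miniature integrity checker
# covering the attributes of AIDE's "R" rule used in the article's aide.conf.
import hashlib, os, stat, tempfile

HASH = "md5"  # what the article's config checks; newer AIDE setups use sha256/sha512

def file_record(path):
    # lstat: symlinks are recorded as links, not followed
    st = os.lstat(path)
    rec = {"perm": stat.S_IMODE(st.st_mode), "inode": st.st_ino, "links": st.st_nlink,
           "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
           "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            rec[HASH] = hashlib.new(HASH, f.read()).hexdigest()
    return rec

def build_db(roots):
    # Assumption: a root written "=/dir" (as "=/var/log" in the article) means
    # record the directory itself but do not descend into it.
    db = {}
    for root in roots:
        descend, root = not root.startswith("="), root.lstrip("=")
        db[root] = file_record(root)
        if descend and os.path.isdir(root):
            for dirpath, dirnames, filenames in os.walk(root):
                for name in dirnames + filenames:
                    db[os.path.join(dirpath, name)] = file_record(os.path.join(dirpath, name))
    return db

def compare(old, new):
    # returns (added, removed, changed); changed maps path -> {attr: (old, new)}
    added, removed, changed = sorted(set(new) - set(old)), sorted(set(old) - set(new)), {}
    for p in set(old) & set(new):
        diff = {k: (old[p].get(k), v) for k, v in new[p].items() if old[p].get(k) != v}
        if diff:
            changed[p] = diff
    return added, removed, changed

def demo():
    # Constructed scenario: baseline a scratch dir (like --init), then plant
    # .hidden and replace "login" before comparing again (like --check).
    d = tempfile.mkdtemp()
    login = os.path.join(d, "login")
    with open(login, "wb") as f: f.write(b"original login binary")
    baseline = build_db([d])
    with open(os.path.join(d, ".hidden"), "wb") as f: f.write(b"hidden\n")
    with open(login, "wb") as f: f.write(b"trojaned login binary!!")
    added, removed, changed = compare(baseline, build_db([d]))
    rel = lambda p: os.path.relpath(p, d)
    return {"added": [rel(p) for p in added], "removed": [rel(p) for p in removed],
            "changed": {rel(p): sorted(attrs) for p, attrs in changed.items()}}
```

Running demo() reports .hidden as added and login as changed in at least its size and md5, which is the same picture AIDE gives in the next section.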
<H2>Regular use (checks and updates)</H2>

<P>
Now that we have the floppy disk with the generated database we can use it regularly
to check for changes in the files to be audited. I will create a file in the /tmp
directory to show an example of how AIDE tells us about it...
<PRE>
root@pc2:/#
root@pc2:/# cat > /tmp/.hidden
hidden
root@pc2:/#
root@pc2:/# mount /dev/fd0 /mnt/floppy/
root@pc2:/# cd /mnt/floppy/aide/bin/
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --check
AIDE found differences between database and filesystem!!
Start timestamp: 2002-01-21 15:22:56
Summary:
Total number of files=1443,added files=1,removed files=0,changed files=1

Added files:
added:/tmp/.hidden
Changed files:
changed:/tmp
Detailed information about changes:

File: /tmp
Mtime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
Ctime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
root@pc2:/mnt/floppy/aide/bin#
</PRE>
So here you see clearly what happened; of course, if an existing file were modified you
would be alerted in a similar way.
</P>

<P>
Now imagine that /tmp/.hidden is a file that you placed there; you will not remove it
and wish to stop seeing it in the reports. You can update the database like this...
<PRE>
root@pc2:/mnt/floppy/aide/bin#
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --update
AIDE found differences between database and filesystem!!
Start timestamp: 2002-01-21 15:28:58
Summary:
Total number of files=1443,added files=1,removed files=0,changed files=1

Added files:
added:/tmp/.hidden
Changed files:
changed:/tmp
Detailed information about changes:

File: /tmp
Mtime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
Ctime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
root@pc2:/mnt/floppy/aide/bin#
root@pc2:/mnt/floppy/aide/bin# mv aide.db.new aide.db
root@pc2:/mnt/floppy/aide/bin#
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --check
root@pc2:/mnt/floppy/aide/bin#
</PRE>
</P>

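<P>
As an added example, not part of the article or of AIDE, here is a small Python parser for the report format shown above, the kind of thing a cron job that runs the check from the floppy would feed an alert from: it turns the added/removed/changed lists and the per-file old/new details into a structure, treats an empty report as a clean run (as the last --check above shows), and splits the reported paths into expected churn under /tmp-like directories and changes elsewhere. The prefix list used for that split is a constructed default, not something AIDE provides.
</P>

```python
# Added example (not the article's or AIDE's code): parse the "aide --check"
# report, in the format the article shows, and separate noisy paths from the rest.
import re

DETAIL_RE = re.compile(r"^(\w+): old = (.*?), new = (.*)$")

def parse_report(text):
    r = {"differences": False, "added": [], "removed": [], "changed": [], "details": {}}
    if not text.strip():
        return r                       # a clean --check prints nothing at all
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("AIDE found differences"):
            r["differences"] = True
        elif line.startswith(("added:", "removed:", "changed:")):
            kind, path = line.split(":", 1)
            r[kind].append(path)
        elif line.startswith("File: "):
            current = line[6:]
            r["details"][current] = {}
        elif current and (m := DETAIL_RE.match(line)):
            r["details"][current][m.group(1)] = (m.group(2), m.group(3))
    return r

def triage(report, noisy=("/tmp", "/var/tmp")):
    # Split reported paths into expected churn under 'noisy' prefixes (the
    # false positives the article warns /tmp will produce) and everything else.
    def is_noisy(p):
        return any(p == n or p.startswith(n + "/") for n in noisy)
    paths = report["added"] + report["removed"] + report["changed"]
    return ([p for p in paths if is_noisy(p)], [p for p in paths if not is_noisy(p)])

# Constructed sample: the --check output reproduced in the article.
SAMPLE = """AIDE found differences between database and filesystem!!
Start timestamp: 2002-01-21 15:22:56
Summary:
Total number of files=1443,added files=1,removed files=0,changed files=1

Added files:
added:/tmp/.hidden
Changed files:
changed:/tmp
Detailed information about changes:

File: /tmp
Mtime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
Ctime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
"""
```

With the sample, triage(parse_report(SAMPLE)) puts both /tmp/.hidden and /tmp in the noisy list and leaves nothing in the second; a change under /bin or /etc would land in the second list.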
<H2>Finally... conclusion, files, links, etc.</H2>

<P>
Remember to keep all the AIDE stuff on the floppy disk, unmount and remove it after use,
change the example configuration file to suit your needs, and try not to leave any information
in the system that may reveal to an attacker that you are using AIDE. You are encouraged to
read the manual pages and manual.html of AIDE; it's a very flexible program. And finally, quoting the 'General guidelines for security'
section of the AIDE manual:
<BR>
" Do not assume anything
<BR>
Trust no-one, nothing
<BR>
Nothing is secure
<BR>
Security is a trade-off with usability
<BR>
Paranoia is your friend ".
</P>

<P>
The example aide.conf configuration file: <A HREF="misc/maiorano/aide.conf.txt">misc/maiorano/aide.conf.txt</A>
</P>

<P>
Home of the AIDE project: <A HREF="http://www.cs.tut.fi/~rammer/aide.html">http://www.cs.tut.fi/~rammer/aide.html</A>
<BR>
Download the AIDE tarball: <A HREF="http://www.cs.tut.fi/~rammer/aide-0.7.tar.gz">http://www.cs.tut.fi/~rammer/aide-0.7.tar.gz</A>
</P>

<P>
Home of the more famous alternative to AIDE, Tripwire: <A HREF="http://www.tripwire.org">http://www.tripwire.org</A>
</P>

<P>
Some papers and articles for further reading...
</P>

<P>
An interesting article at securityfocus.com titled 'You may already be hacked.': <A HREF="http://www.securityfocus.com/columnists/12">http://www.securityfocus.com/columnists/12</A>
</P>

<P>
An article at linuxsecurity.com titled 'Getting Started with Tripwire (Open Source Linux Edition)': <A HREF="http://www.linuxsecurity.com/feature_stories/feature_story-81.html">http://www.linuxsecurity.com/feature_stories/feature_story-81.html</A>
</P>

<P>
'Network- vs. Host-based Intrusion Detection - A Guide to Intrusion Detection Technology' from ISS, also interesting reading: <A HREF="http://secinf.net/info/ids/nvh_ids/">http://secinf.net/info/ids/nvh_ids/</A>
</P>

<P>
A more commercial point of view from NetworkWorldFusion, 'Getting the drop on network intruders': <A HREF="http://www.nwfusion.com/reviews/1004trends.html">http://www.nwfusion.com/reviews/1004trends.html</A>
</P>

<!-- *** BEGIN bio *** -->
<SPACER TYPE="vertical" SIZE="30">
<P>
<H4><IMG ALIGN=BOTTOM ALT="" SRC="../gx/note.gif">Ariel Maiorano</H4>
<EM>I'm a free-lance programmer in Argentina, working mostly on web and security development.</EM>

<!-- *** END bio *** -->

<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P -->
<H5 ALIGN=center>

Copyright © 2002, Ariel Maiorano.<BR>
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 75 of <i>Linux Gazette</i>, February 2002</H5>
<!-- *** END copyright *** -->

<!--startcut ==========================================================-->
<HR><P>
</BODY></HTML>
<!--endcut ============================================================-->