LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue75/maiorano.html

386 lines
14 KiB
HTML
Raw Permalink Blame History

<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Installing and using AIDE LG #75</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<CENTER>
<A HREF="http://www.linuxgazette.com/">
<IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.png"
WIDTH="600" HEIGHT="124" border="0"></A>
<BR>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="jones.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue75/maiorano.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="nielsen.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<P>
</CENTER>
<!--endcut ============================================================-->
<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <HR> <P>
<!--===================================================================-->
<center>
<H1><font color="maroon">Installing and using AIDE</font></H1>
<H4>By <a href="mailto:arielm@radar.com.ar">Ariel Maiorano</a></H4>
</center>
<P> <HR> <P>
<!-- END header -->
<H2>Introduction</H2>
<P>
If your system was compromised, chances are that the hacker, cracker,
trojan, worm or whatever replaced system files, or installed new ones,
generally backdoors or hostile code. Imagine a replaced version of the
login program, which lets someone in with root access after supplying a
magic password (like the ones included in most rootkits),
or a trojanized ssh client, which emails server, user and password
information to someone when used (something like this happened in an
important site last year).
</P>
<P>
File integrity checkers can help us by keeping checksums or hashes, and
various attributes like size, owner, permissions, etc. of files in a database
to later, and regularly, compare this information checking for changes.
So if the login binary is replaced, or a /tmp/.hidden/backdoord is installed,
you would be alerted.
</P>
<P>
This article will try to explain how to install and use an AIDE, an open
source Intrusion Detection System (IDS) of the host-based type, or
file integrity checker, if you prefer. Quoting from the AIDE website...
</P>
<P>
"AIDE (Advanced Intrusion Detection Environment) is a free replacement
for Tripwire. It does the same things as the semi-free Tripwire and more."
</P>
<P>
The installation of the whole system will be done on a floppy disk. We'll
check for changes in various files and directories, being a little paranoid.
That will take more time and generate more false alarms or false positives, but
I think it makes things less complicated, and, hopefully, not less secure.
When you set up your own configuration, you can start
with my example, and then after a couple of weeks of use you will know what
should be changed.
You'll mount the disk each time you're ready to do the checks. That requires
more steps, but if an attacker gets in, he will not be able to (A) change our
database, and (B) not even notice we check our system regularly with AIDE.
</P>
<H2>Installation</H2>
<P>
First we will make the filesystem in the floppy disk...
(mine is on /dev/fd0, drive A: under DOS, if you use B: under DOS you will use /dev/fd1 here.)
<PRE>
root@pc2:~#
root@pc2:~# mkfs /dev/fd0
mke2fs 1.22, 22-Jun-2001 for EXT2 FS 0.5b, 95/08/09
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
184 inodes, 1440 blocks
72 blocks (5.00%) reserved for the super user
First data block=1
1 block group
8192 blocks per group, 8192 fragments per group
184 inodes per group
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
root@pc2:~#
</PRE>
mount it, and create the aide directory...
<PRE>
root@pc2:~#
root@pc2:~# mount /dev/fd0 /mnt/floppy
root@pc2:~#
root@pc2:~# mkdir /mnt/floppy/aide
root@pc2:~#
</PRE>
</P>
<P>
Now we will get the sources of AIDE, compile them in a temporary directory, install
the system in the floppy disk (pay attenton to the --prefix option when running
configure), strip the aide binary before doing the make install, and finally remove
the temporary directory...
<PRE>
root@pc2:~#
root@pc2:~# mkdir /tmp/aide
root@pc2:~#
root@pc2:~# cd /tmp/aide
root@pc2:/tmp/aide#
root@pc2:/tmp/aide# wget http://www.cs.tut.fi/~rammer/aide-0.7.tar.gz
--12:54:47-- http://www.cs.tut.fi/%7Erammer/aide-0.7.tar.gz
=> `aide-0.7.tar.gz'
Connecting to www.cs.tut.fi:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 219,837 [application/x-tar]
0K .......... .......... .......... .......... .......... 23% @ 34.84 KB/s
50K .......... .......... .......... .......... .......... 46% @ 50.97 KB/s
100K .......... .......... .......... .......... .......... 69% @ 65.45 KB/s
150K .......... .......... .......... .......... .......... 93% @ 46.38 KB/s
200K .......... .... 100% @ 7.17 MB/s
12:54:52 (50.40 KB/s) - `aide-0.7.tar.gz' saved [219837/219837]
root@pc2:/tmp/aide#
root@pc2:/tmp/aide# tar xvfz aide-0.7.tar.gz
aide-0.7/
aide-0.7/Makefile.in
[...]
aide-0.7/include/compare_db.h
aide-0.7/include/gnu_regex.h
root@pc2:/tmp/aide#
root@pc2:/tmp/aide# cd aide-0.7
root@pc2:/tmp/aide/aide-0.7#
root@pc2:/tmp/aide/aide-0.7# ./configure --prefix=/mnt/floppy/aide
creating cache ./config.cache
checking for a BSD compatible install... /usr/bin/ginstall -c
[...]
creating aide.spec
creating config.h
root@pc2:/tmp/aide/aide-0.7#
root@pc2:/tmp/aide/aide-0.7# make
make all-recursive
make[1]: Entering directory `/tmp/aide/aide-0.7'
[...]
make[2]: Leaving directory `/tmp/aide/aide-0.7'
make[1]: Leaving directory `/tmp/aide/aide-0.7'
root@pc2:/tmp/aide/aide-0.7#
root@pc2:/tmp/aide/aide-0.7# strip src/aide
root@pc2:/tmp/aide/aide-0.7#
root@pc2:/tmp/aide/aide-0.7# make install
\Making install in src
make[1]: Entering directory `/tmp/aide/aide-0.7/src'
[...]
make[2]: Leaving directory `/tmp/aide/aide-0.7'
make[1]: Leaving directory `/tmp/aide/aide-0.7'
root@pc2:/tmp/aide/aide-0.7#
root@pc2:/tmp/aide/aide-0.7# cd ..
root@pc2:/tmp/aide# cd ..
root@pc2:/tmp# rm -r aide
root@pc2:/tmp#
</PRE>
</P>
<P>
Finally we will create a very simple configuration file, that will check for
changes in permissions, inode number, number of links, user owner, group owner, size,
modification time, creation time and md5 checksums in various directory files (including
all files under them), and generate the database...
<PRE>
root@pc2:/tmp#
root@pc2:/tmp# cd /mnt/floppy/aide/bin/
root@pc2:/mnt/floppy/aide/bin#
root@pc2:/mnt/floppy/aide/bin# cat aide.conf
database=file:/mnt/floppy/aide/bin/aide.db
database_out=file:/mnt/floppy/aide/bin/aide.db.new
/vmlinuz R
/boot R
/etc R
/bin R
/usr/bin R
/usr/local/bin R
/sbin R
/usr/sbin R
/usr/local/sbin R
=/var/log R
/tmp R
/var/tmp R
root@pc2:/mnt/floppy/aide/bin#
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --init
root@pc2:/mnt/floppy/aide/bin#
root@pc2:/mnt/floppy/aide/bin# mv aide.db.new aide.db
root@pc2:/mnt/floppy/aide/bin#
</PRE>
The config file is only a working example, and i use it this way, but of course you may
or should change it to suit your needs, remember the database generated must reside in the floppy disk.
Check the end of this document to download the example aide.conf. We can now umount the floppy and
are ready for regular use (checks and updates).
</P>
<H2>Regular use (checks and updates)</H2>
<P>
Now that we have the floppy disk with the generated database we can use it regularly
to check for changes in the files to be audited. I will create a file in the /tmp
directory to show an example of how AIDE tell us about it...
<PRE>
root@pc2:/#
root@pc2:/# cat > /tmp/.hidden
hidden
root@pc2:/#
root@pc2:/# mount /dev/fd0 /mnt/floppy/
root@pc2:/# cd /mnt/floppy/aide/bin/
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --check
AIDE found differences between database and filesystem!!
Start timestamp: 2002-01-21 15:22:56
Summary:
Total number of files=1443,added files=1,removed files=0,changed files=1
Added files:
added:/tmp/.hidden
Changed files:
changed:/tmp
Detailed information about changes:
File: /tmp
Mtime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
Ctime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
root@pc2:/mnt/floppy/aide/bin#
</PRE>
So here you see clearly what happened, of course if an existing file was modified you
would be alerted in a similar way.
</P>
<P>
Now imagine that /tmp/.hidden is a file that you placed there, you will not remove it
and wish to stop seeing it in the reports, you can update the database, like this...
<PRE>
root@pc2:/mnt/floppy/aide/bin#
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --update
AIDE found differences between database and filesystem!!
Start timestamp: 2002-01-21 15:28:58
Summary:
Total number of files=1443,added files=1,removed files=0,changed files=1
Added files:
added:/tmp/.hidden
Changed files:
changed:/tmp
Detailed information about changes:
File: /tmp
Mtime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
Ctime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
root@pc2:/mnt/floppy/aide/bin#
root@pc2:/mnt/floppy/aide/bin# mv aide.db.new aide.db
root@pc2:/mnt/floppy/aide/bin#
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --check
root@pc2:/mnt/floppy/aide/bin#
</PRE>
</P>
<H2>Finally... conclusion, files, links, etc.</H2>
<P>
Remember to keep all the AIDE stuff in the floppy disk, umount and remove it after use,
change the example configuration file to suit your needs, try to not leave any information
in the system that may reveal to an attacker that you are using AIDE. You are encouraged to
read the manual pages and manual.html of AIDE, it's a very flexible program. And finally, quoting the 'General guidelines for security'
section of the AIDE manual:
<BR>
" Do not assume anything
<BR>
Trust no-one, nothing
<BR>
Nothing is secure
<BR>
Security is a trade-off with usability
<BR>
Paranoia is your friend ".
</P>
<P>
The example aide.conf configuration file: <A HREF="misc/maiorano/aide.conf.txt">misc/maiorano/aide.conf.txt</A>
</P>
<P>
Home of the AIDE project: <A HREF="http://www.cs.tut.fi/~rammer/aide.html">http://www.cs.tut.fi/~rammer/aide.html</A>
<BR>
download AIDE tarball: <A HREF="http://www.cs.tut.fi/~rammer/aide-0.7.tar.gz">http://www.cs.tut.fi/~rammer/aide-0.7.tar.gz</A>
</P>
<P>
Home of the more famous alternative to AIDE, Tripwire: <A HREF="http://www.tripwire.org">http://www.tripwire.org</A>
</P>
<P>
Some papers and articles for further reading...
</P>
<P>
An interesting article at securityfocus.com titled 'You may already be hacked.': <A HREF="http://www.securityfocus.com/columnists/12">http://www.securityfocus.com/columnists/12</A>
</P>
<P>
An article at linuxsecurity.com titled 'Getting Started with Tripwire (Open Source Linux Edition)': <A HREF="http://www.linuxsecurity.com/feature_stories/feature_story-81.html">http://www.linuxsecurity.com/feature_stories/feature_story-81.html</A>
</P>
<P>
'Network- vs. Host-based Intrusion Detection - A Guide to Intrusion Detection Technology' from ISS, interesting reading also: <A HREF="http://secinf.net/info/ids/nvh_ids/">http://secinf.net/info/ids/nvh_ids/</A>
</P>
<P>
A more commercial point of view from NetworkWorldFusion, 'Getting the drop on network intruders': <A HREF="http://www.nwfusion.com/reviews/1004trends.html">http://www.nwfusion.com/reviews/1004trends.html</A>
</P>
<!-- *** BEGIN bio *** -->
<SPACER TYPE="vertical" SIZE="30">
<P>
<H4><IMG ALIGN=BOTTOM ALT="" SRC="../gx/note.gif">Ariel Maiorano</H4>
<EM>I'm a free-lance programmer in Argentina, working mostly on web and security development.</EM>
<!-- *** END bio *** -->
<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P -->
<H5 ALIGN=center>
Copyright &copy; 2002, Ariel Maiorano.<BR>
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 75 of <i>Linux Gazette</i>, February 2002</H5>
<!-- *** END copyright *** -->
<!--startcut ==========================================================-->
<HR><P>
<CENTER>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="jones.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue75/maiorano.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="nielsen.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->
Reference in New Issue View Git Blame Copy Permalink