File: maiorano.html

<!--startcut  ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Installing and using AIDE LG #75</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->

<CENTER>
<A HREF="http://www.linuxgazette.com/">
<IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.png" 
	WIDTH="600" HEIGHT="124" border="0"></A> 
<BR>

<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="jones.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue75/maiorano.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom"  ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg" WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="nielsen.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom"  ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<P>
</CENTER>

<!--endcut ============================================================-->

<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>

<P> <HR> <P> 
<!--===================================================================-->

<center>
<H1><font color="maroon">Installing and using AIDE</font></H1>
<H4>By <a href="mailto:arielm@radar.com.ar">Ariel Maiorano</a></H4>
</center>
<P> <HR> <P>  

<!-- END header -->








<H2>Introduction</H2>

<P>
If your system has been compromised, chances are that the intruder (or the
trojan or worm that did the work for him) replaced system files or installed
new ones, typically backdoors or other hostile code. Imagine a replaced version
of the login program that grants root access to anyone who supplies a "magic"
password (most rootkits ship exactly that), or a trojanized ssh client that
e-mails the server, user name and password to someone every time it is used
(something very much like this happened at a high-profile site last year).
</P>

<P>
File integrity checkers help here by storing, in a database, checksums or
cryptographic hashes of files together with attributes such as size, owner and
permissions, and then regularly comparing the current filesystem against that
database. If the login binary is replaced, or a /tmp/.hidden/backdoord appears,
you are alerted. The comparison is only as trustworthy as the database and the
checker binary themselves, which is why both must be kept somewhere an intruder
cannot rewrite them.
</P>
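<P>
To make the mechanism concrete, here is a toy integrity checker written for this
article as an added example; it is not AIDE's code and not part of the original
text. It records the same attributes as the AIDE "R" rule used later in the
article (permissions, inode, link count, owner, group, size, mtime, ctime and an
MD5 digest), keeps them in a "path|attributes" text database of its own
invention, and reports added, removed and changed paths between two snapshots.
It assumes GNU coreutils (stat -c, md5sum, join) and paths without "|" or
newlines.
</P>

```shell
#!/bin/sh
# Added example, not AIDE's code: a minimal file integrity checker that
# snapshots the attributes AIDE's "R" rule covers and diffs two snapshots.
# Assumes GNU coreutils; database lines are "path|mode inode links uid gid
# size mtime ctime md5" (a format invented for this example).

# fic_snapshot ROOT... : one line per entry under the roots, sorted by path in
# C order so that two snapshots can be joined line by line.
fic_snapshot() {
    for root in "$@"; do
        find "$root" -print
    done | LC_ALL=C sort | while IFS= read -r path; do
        # %a mode, %i inode, %h links, %u uid, %g gid, %s size, %Y mtime, %Z ctime
        attrs=$(stat -c '%a %i %h %u %g %s %Y %Z' -- "$path") || continue
        if [ -f "$path" ] && [ ! -L "$path" ]; then
            md5=$(md5sum -- "$path" | cut -d' ' -f1)
        else
            md5=-            # directories, symlinks, devices: attributes only
        fi
        printf '%s|%s %s\n' "$path" "$attrs" "$md5"
    done
}

# fic_compare OLD NEW : print added:/removed:/changed: lines, in the style of
# an AIDE report. Returns 0 if the snapshots agree, 1 if anything differs.
fic_compare() {
    diffs=$(LC_ALL=C join -t '|' -a 1 -a 2 -e MISSING -o '0,1.2,2.2' "$1" "$2" |
        while IFS='|' read -r path old new; do
            if   [ "$old" = MISSING ]; then printf 'added:%s\n' "$path"
            elif [ "$new" = MISSING ]; then printf 'removed:%s\n' "$path"
            elif [ "$old" != "$new" ]; then printf 'changed:%s\n' "$path"
            fi
        done)
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Command-line use:  fic.sh init DB DIR...    (write the baseline database)
#                    fic.sh check DB DIR...   (compare the filesystem to it)
case "${1-}" in
    init)  shift; db=$1; shift; fic_snapshot "$@" > "$db" ;;
    check) shift; db=$1; shift
           cur=$(mktemp) || exit 2
           fic_snapshot "$@" > "$cur"
           fic_compare "$db" "$cur"; rc=$?
           rm -f "$cur"; exit "$rc" ;;
esac
```

<P>
The baseline written by "init" is the asset to protect: an attacker who can
rewrite it can make any change look legitimate, which is exactly why the
article puts the real database on removable media.
</P>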

<P>
This article explains how to install and use AIDE, an open source host-based
Intrusion Detection System (IDS), or file integrity checker if you prefer.
Quoting from the AIDE website...
</P>

<P>
"AIDE (Advanced Intrusion Detection Environment) is a free replacement
for Tripwire. It does the same things as the semi-free Tripwire and more."
</P>

<P>
The whole system will be installed on a floppy disk. We will check for changes
in a fairly long list of files and directories, being a little paranoid. That
takes more time and produces more false alarms (false positives), but I think
it keeps things simple and, hopefully, no less secure. When you set up your own
configuration you can start from my example; after a couple of weeks of use you
will know what should be changed.

You mount the disk each time you are ready to run the checks. That is an extra
step, but as long as the floppy stays out of the drive between checks, an
attacker who gets in can neither tamper with the database or the aide binary
nor, ideally, even notice that the system is checked regularly with AIDE. Keep
in mind that the checks still run on the possibly compromised kernel and C
library: a kernel-level rootkit can lie to any userland checker, so a report
that says "no changes" is reassuring evidence, not proof.
</P>

<H2>Installation</H2>

<P>
First we create the filesystem on the floppy disk (mine is /dev/fd0, drive A:
under DOS; if yours is B: under DOS, use /dev/fd1 here)...
<PRE>
root@pc2:~# 
root@pc2:~# mkfs /dev/fd0
mke2fs 1.22, 22-Jun-2001 for EXT2 FS 0.5b, 95/08/09
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
184 inodes, 1440 blocks
72 blocks (5.00%) reserved for the super user
First data block=1
1 block group
8192 blocks per group, 8192 fragments per group
184 inodes per group

Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
root@pc2:~# 
</PRE>
mount it, and create the aide directory...
<PRE>
root@pc2:~# 
root@pc2:~# mount /dev/fd0 /mnt/floppy
root@pc2:~# 
root@pc2:~# mkdir /mnt/floppy/aide
root@pc2:~# 
</PRE>
</P>

<P>
Now we fetch the AIDE sources, compile them in a temporary directory, install
the result on the floppy disk (note the --prefix option passed to configure),
strip the aide binary before running make install, and finally remove the
temporary directory. The tarball arrives over plain HTTP, so before building it
compare it against a checksum or signature obtained from the project through a
separate channel, if one is available; a checker built from a tampered source
archive protects nothing...
<PRE>
root@pc2:~# 
root@pc2:~# mkdir /tmp/aide
root@pc2:~# 
root@pc2:~# cd /tmp/aide
root@pc2:/tmp/aide# 
root@pc2:/tmp/aide# wget http://www.cs.tut.fi/~rammer/aide-0.7.tar.gz
--12:54:47--  http://www.cs.tut.fi/%7Erammer/aide-0.7.tar.gz
           => `aide-0.7.tar.gz'
Connecting to www.cs.tut.fi:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 219,837 [application/x-tar]

    0K .......... .......... .......... .......... .......... 23% @  34.84 KB/s
   50K .......... .......... .......... .......... .......... 46% @  50.97 KB/s
  100K .......... .......... .......... .......... .......... 69% @  65.45 KB/s
  150K .......... .......... .......... .......... .......... 93% @  46.38 KB/s
  200K .......... ....                                       100% @   7.17 MB/s

12:54:52 (50.40 KB/s) - `aide-0.7.tar.gz' saved [219837/219837]

root@pc2:/tmp/aide# 
root@pc2:/tmp/aide# tar xvfz aide-0.7.tar.gz 
aide-0.7/
aide-0.7/Makefile.in

[...]

aide-0.7/include/compare_db.h
aide-0.7/include/gnu_regex.h
root@pc2:/tmp/aide#
root@pc2:/tmp/aide# cd aide-0.7
root@pc2:/tmp/aide/aide-0.7# 
root@pc2:/tmp/aide/aide-0.7# ./configure --prefix=/mnt/floppy/aide 
creating cache ./config.cache
checking for a BSD compatible install... /usr/bin/ginstall -c

[...]

creating aide.spec
creating config.h
root@pc2:/tmp/aide/aide-0.7# 
root@pc2:/tmp/aide/aide-0.7# make
make  all-recursive
make[1]: Entering directory `/tmp/aide/aide-0.7'

[...]

make[2]: Leaving directory `/tmp/aide/aide-0.7'
make[1]: Leaving directory `/tmp/aide/aide-0.7'
root@pc2:/tmp/aide/aide-0.7# 
root@pc2:/tmp/aide/aide-0.7# strip src/aide
root@pc2:/tmp/aide/aide-0.7# 
root@pc2:/tmp/aide/aide-0.7# make install
Making install in src
make[1]: Entering directory `/tmp/aide/aide-0.7/src'

[...]

make[2]: Leaving directory `/tmp/aide/aide-0.7'
make[1]: Leaving directory `/tmp/aide/aide-0.7'
root@pc2:/tmp/aide/aide-0.7#  
root@pc2:/tmp/aide/aide-0.7# cd ..
root@pc2:/tmp/aide# cd ..
root@pc2:/tmp# rm -r aide
root@pc2:/tmp# 
</PRE>
</P>

<P>
Finally we create a very simple configuration file and generate the database.
The R rule used below is AIDE's shorthand for checking permissions, inode
number, number of links, owner, group, size, modification time (mtime), inode
change time (ctime, which despite the common misreading is not a creation time)
and an MD5 checksum of every file under the listed directories. The "=" in
front of /var/log tells AIDE to treat /var/log as a single entry rather than
recursing through the constantly changing log files beneath it. The two
database lines say where the database is read from and where --init and
--update write the new one...
<PRE>
root@pc2:/tmp# 
root@pc2:/tmp# cd /mnt/floppy/aide/bin/
root@pc2:/mnt/floppy/aide/bin# 
root@pc2:/mnt/floppy/aide/bin# cat aide.conf
database=file:/mnt/floppy/aide/bin/aide.db
database_out=file:/mnt/floppy/aide/bin/aide.db.new
/vmlinuz        R
/boot           R
/etc		R
/bin            R
/usr/bin        R
/usr/local/bin  R
/sbin           R
/usr/sbin       R
/usr/local/sbin R
=/var/log       R
/tmp            R
/var/tmp        R
root@pc2:/mnt/floppy/aide/bin# 
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --init
root@pc2:/mnt/floppy/aide/bin# 
root@pc2:/mnt/floppy/aide/bin# mv aide.db.new aide.db
root@pc2:/mnt/floppy/aide/bin# 
</PRE>
The configuration file is only a working example (it is the one I use), and you
may, or rather should, change it to suit your needs; remember that the generated
database must reside on the floppy disk. The example aide.conf can be downloaded
from the link at the end of this document. We can now unmount the floppy and are
ready for regular use (checks and updates).
</P>

<H2>Regular use (checks and updates)</H2>

<P>
Now that we have the floppy disk with the generated database, we can use it
regularly to check the audited files for changes. I will create a file in the
/tmp directory to show how AIDE reports it...
<PRE>
root@pc2:/# 
root@pc2:/# cat > /tmp/.hidden
hidden
root@pc2:/# 
root@pc2:/# mount /dev/fd0 /mnt/floppy/
root@pc2:/# cd /mnt/floppy/aide/bin/
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --check
AIDE found differences between database and filesystem!!
Start timestamp: 2002-01-21 15:22:56
Summary:
Total number of files=1443,added files=1,removed files=0,changed files=1

Added files:
added:/tmp/.hidden
Changed files:
changed:/tmp
Detailed information about changes:

File: /tmp
Mtime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
Ctime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
root@pc2:/mnt/floppy/aide/bin# 
</PRE>
So here you see clearly what happened; if an existing file had been modified you
would be alerted in the same way, with the old and new value of each attribute
that differs.
</P>

<P>
Now imagine that /tmp/.hidden is a file that you placed there, you will not remove it
and wish to stop seeing it in the reports, you can update the database, like this...
<PRE>
root@pc2:/mnt/floppy/aide/bin# 
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --update
AIDE found differences between database and filesystem!!
Start timestamp: 2002-01-21 15:28:58
Summary:
Total number of files=1443,added files=1,removed files=0,changed files=1

Added files:
added:/tmp/.hidden
Changed files:
changed:/tmp
Detailed information about changes:

File: /tmp
Mtime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
Ctime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
root@pc2:/mnt/floppy/aide/bin# 
root@pc2:/mnt/floppy/aide/bin# mv aide.db.new aide.db
root@pc2:/mnt/floppy/aide/bin# 
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --check 
root@pc2:/mnt/floppy/aide/bin# 
</PRE>
</P>
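<P>
The check procedure above is easy to automate. The following wrapper is an added
example written for this article, not AIDE's code and not from the original
text. It mounts the floppy read-only so that nothing, not even a mistyped
--update, can write to the database, runs the check, unmounts, and turns the
report into an exit status by parsing the Summary line rather than trusting
AIDE's own exit status, which differs between versions. The device and paths
are the article's (/dev/fd0, /mnt/floppy, /mnt/floppy/aide/bin); the function
names, the parsing and the exit codes 0/1/2 are this example's assumptions.
Updates are deliberately left manual, since they need a writable mount and a
human reading the report first.
</P>

```shell
#!/bin/sh
# Added example, not from the article and not AIDE's code: cron-friendly
# wrapper for the floppy-based AIDE check. Exit codes (an assumption of this
# example): 0 = no differences, 1 = differences found, 2 = check could not run.
AIDE_DEV=${AIDE_DEV:-/dev/fd0}
AIDE_MNT=${AIDE_MNT:-/mnt/floppy}
AIDE_BIN=${AIDE_BIN:-$AIDE_MNT/aide/bin/aide}
AIDE_CONF=${AIDE_CONF:-$AIDE_MNT/aide/bin/aide.conf}

# aide_counts REPORT : print "ADDED REMOVED CHANGED" parsed from the line
# "Total number of files=N,added files=A,removed files=R,changed files=C".
# An empty report means AIDE 0.7 found nothing (it prints nothing in that
# case); a non-empty report without a Summary line is an error (status 2).
aide_counts() {
    if [ ! -s "$1" ]; then
        echo "0 0 0"
        return 0
    fi
    summary=$(grep -m1 '^Total number of files=' "$1") || return 2
    a=${summary#*added files=};   a=${a%%,*}
    r=${summary#*removed files=}; r=${r%%,*}
    c=${summary#*changed files=}; c=${c%%,*}
    case "$a$r$c" in
        ''|*[!0-9]*) return 2 ;;      # a field is missing or not numeric
    esac
    echo "$a $r $c"
}

# aide_verdict REPORT : 0 = filesystem matches the database, 1 = differences,
# 2 = report unreadable (to be treated as an alarm as well).
aide_verdict() {
    counts=$(aide_counts "$1") || return 2
    set -- $counts
    [ $(( $1 + $2 + $3 )) -eq 0 ]
}

# run_check : the article's procedure, automated. Needs root and the floppy in
# the drive; the full report goes to stderr whenever the verdict is not 0, so
# cron can mail it to you.
run_check() {
    report=$(mktemp) || return 2
    if ! mount -o ro "$AIDE_DEV" "$AIDE_MNT"; then
        rm -f "$report"
        return 2
    fi
    "$AIDE_BIN" --config="$AIDE_CONF" --check > "$report" 2>&1
    umount "$AIDE_MNT"
    aide_verdict "$report"; rc=$?
    [ "$rc" -ne 0 ] && cat "$report" >&2
    rm -f "$report"
    return "$rc"
}

# Usage: aide-check.sh check   (only when invoked explicitly)
case "${1-}" in
    check) run_check; exit $? ;;
esac
```

<P>
Because the disk is mounted read-only, a legitimate update still has to be done
by hand exactly as shown above, with a read-write mount; that friction is
intentional.
</P>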

<H2>Finally... conclusion, files, links, etc.</H2>

<P>
Remember to keep everything belonging to AIDE on the floppy disk, unmount and
remove it after use, change the example configuration file to suit your needs,
and try not to leave any information on the system that could reveal to an
attacker that you are using AIDE. You are encouraged to read the manual pages
and the manual.html shipped with AIDE; it is a very flexible program. And
finally, quoting the 'General guidelines for security' section of the AIDE
manual:
<BR>
" Do not assume anything
<BR>
Trust no-one, nothing
<BR>
Nothing is secure
<BR>
Security is a trade-off with usability 
<BR>
Paranoia is your friend ".
</P>

<P>
The example aide.conf configuration file: <A HREF="misc/maiorano/aide.conf.txt">misc/maiorano/aide.conf.txt</A>
</P>

<P>
Home of the AIDE project: <A HREF="http://www.cs.tut.fi/~rammer/aide.html">http://www.cs.tut.fi/~rammer/aide.html</A>
<BR>
download AIDE tarball: <A HREF="http://www.cs.tut.fi/~rammer/aide-0.7.tar.gz">http://www.cs.tut.fi/~rammer/aide-0.7.tar.gz</A>
</P>

<P>
Home of the more famous alternative to AIDE, Tripwire: <A HREF="http://www.tripwire.org">http://www.tripwire.org</A>
</P>

<P>
Some papers and articles for further reading...
</P>

<P>
An interesting article at securityfocus.com titled 'You may already be hacked.': <A HREF="http://www.securityfocus.com/columnists/12">http://www.securityfocus.com/columnists/12</A>
</P>

<P>
An article at linuxsecurity.com titled 'Getting Started with Tripwire (Open Source Linux Edition)': <A HREF="http://www.linuxsecurity.com/feature_stories/feature_story-81.html">http://www.linuxsecurity.com/feature_stories/feature_story-81.html</A>
</P>

<P>
'Network- vs. Host-based Intrusion Detection - A Guide to Intrusion Detection Technology' from ISS, interesting reading also: <A HREF="http://secinf.net/info/ids/nvh_ids/">http://secinf.net/info/ids/nvh_ids/</A>
</P>

<P>
A more commercial point of view from NetworkWorldFusion, 'Getting the drop on network intruders': <A HREF="http://www.nwfusion.com/reviews/1004trends.html">http://www.nwfusion.com/reviews/1004trends.html</A>
</P>





<!-- *** BEGIN bio *** -->
<SPACER TYPE="vertical" SIZE="30">
<P> 
<H4><IMG ALIGN=BOTTOM ALT="" SRC="../gx/note.gif">Ariel Maiorano</H4>
<EM>I'm a free-lance programmer in Argentina, working mostly on web and security development.</EM>

<!-- *** END bio *** -->

<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P --> 
<H5 ALIGN=center>

Copyright &copy; 2002, Ariel Maiorano.<BR>
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR> 
Published in Issue 75 of <i>Linux Gazette</i>, February 2002</H5>
<!-- *** END copyright *** -->

<!--startcut ==========================================================-->
<HR><P>
<CENTER>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="jones.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue75/maiorano.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom"  ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg" WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="nielsen.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom"  ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->