Use AIDE to help detect a compromised system

Most administrators assume that security begins and ends at the firewall. Wrong! Forgetting server security can be the death knell for your machines. Let Scott Lowe show you how to use AIDE to enhance your server security.

Infrastructure security does not begin and end with a firewall—even a perfectly configured firewall that is kept constantly up to date. If a firewall is breached, or an unauthorized user gains access to a system such as an Apache server, a Linux/UNIX router, or a Sendmail server, the administrator needs to know what steps to take to protect that system.

A security plan should include the protection of key system files. On modern UNICES (such as Linux, Solaris, AIX, BSD, and Tru64), the Advanced Intrusion Detection Environment (AIDE) tool can serve this purpose. In this Daily Drill Down, I’ll show you how to get, install, and configure this flexible and powerful tool.

What is AIDE?
AIDE is an open source package that records certain information about files in a database built from a configuration file. This information includes the file's size, owner, and modification date and time, as well as the results of one or more digest algorithms (MD5, SHA1, and others) that are used to check the file's integrity.

The current version of AIDE is 0.9 and can be downloaded here.

Installing the software
When you download the software, save it in the /usr/src directory. To run AIDE, you’ll need libmhash.

Poorly defined default installations
The AIDE default installation does not create the most secure setup. Later on I will show you how to employ a CD-RW to make AIDE as secure as possible.

Libmhash allows AIDE to access strong hashes such as MD5 and SHA1, among others. You can get libmhash at the SourceForge Web site. To install libmhash on Red Hat Linux, use the commands shown in Listing A from the directory in which you will save the downloaded file.

The five steps in Listing A unpack the distribution, switch to its directory, create a configuration script, compile the files, and install the software.

Installing AIDE is similar to installing many other open source packages, including the one above. Just follow the commands shown in Listing B.

The AIDE executable is installed in /usr/local/bin and by default will look for the configuration file /usr/local/etc/aide.conf. Later in this article, I’ll discuss why the AIDE default installation locations are a very bad idea and show you how to work around them.

Configuring AIDE
For AIDE to protect your system, you need to tell it what to look for. For example, AIDE should watch the xinetd binary but not the system's temporary files.

In general, you should use AIDE to watch all important system files and configuration files, such as those in /etc and /sbin, while ignoring files in /var/log. The reason is simple: Every time a file changes, AIDE puts it in a report, which is sent to you. If constantly changing files are included, this report will quickly grow very large.

AIDE works by reading the aide.conf file and then building a database that corresponds to the rules present there. Listing C shows a sample aide.conf file.

Lines beginning with a # are comments. I highly recommend that you heavily comment this configuration file; doing so will make it easier to make changes.

The database and database_out directives tell AIDE the name of the current database as well as the name of the new database that will be generated when you run the AIDE executable against this configuration file.

The report_url directive tells AIDE where to write report files. For this example, I’ve told AIDE to write the report files into my Apache Web server root directory (/usr/local/apache/htdocs/) where I will view them with a Web browser.

Under the rules definition section, I’ve defined three rule sets. The first one, R+a+sha1+rmd160+tiger, is a high-priority rule and tells AIDE to verify the following:
  • p - permissions
  • i - inode
  • n - number of links
  • u - user
  • g - group
  • s - size
  • m - mtime
  • c - ctime
  • md5 - use MD5 checksum
  • a - atime
  • sha1 - use SHA1 checksum
  • rmd160 - use RMD160 checksum
  • tiger - use Tiger checksum

The ‘R’ at the beginning of the high-priority rule is a shortcut to assign p+i+n+u+g+s+m+c+md5 rules.

The medium- and low-priority rules are less restrictive and less complex than the high-priority rule. Medium is a good choice for system binary files, and low is best for text files.

At the bottom of the file is a list of file and directory names. Lines that begin with an exclamation point are excluded from the database; lines that don't begin with an exclamation point are included in it.
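As an added example (it is not the article's Listing C, which is not reproduced here), the following aide.conf uses the database, database_out and report_url directives and the three rule sets described above. The file paths, rule names and selection lines are assumptions chosen for illustration:

```conf
# Added example aide.conf; paths and rule names are assumptions.

# Database that -C compares against, and the new database that -i writes
database=file:/usr/local/etc/aide.db
database_out=file:/usr/local/etc/aide.db.new

# Where -C writes its report (the article's Apache document root)
report_url=file:/usr/local/apache/htdocs/aide-report.txt

# Rule definitions. R is the shortcut for p+i+n+u+g+s+m+c+md5.
High=R+a+sha1+rmd160+tiger
Medium=R+sha1
Low=p+i+n+u+g

# Selection lines: a path followed by the rule to apply to it.
# Lines starting with ! exclude a path from the database.
/etc High
/sbin Medium
/bin Medium
/usr/sbin Medium
/usr/bin Medium
/usr/local/bin/aide High
/var/log Low
!/var/log/lastlog
!/tmp
```

Selection lines are matched against the start of the path, so `/etc High` covers everything below /etc. The High rule includes `a` (atime), which means any process that merely reads a file, a backup job for instance, will show up as a change in the next report; reserve that rule for files that are rarely read. The Low rule records only ownership and permissions, which is why it suits files whose content legitimately changes. Because report_url points into the Apache document root, as in the article, the report is readable by anyone who can reach the web server; restrict access to that file or directory if the server is public.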

Creating the database
Once the configuration file is complete, you need to make AIDE aware of this file so the system can build the database. To do so, run the aide executable with the -c parameter (as shown in Listing D).

Here -c gives the location of aide.conf, and -i tells AIDE to initialize (build) the database. This process will take a little time, since AIDE needs to go through the entire file system and gather information about every file in every directory specified in aide.conf.

This process creates a new database file, the one named by the database_out directive. You must rename this file to aide.db, which is the name AIDE expects for the current database.

Doing things right
For AIDE to be truly effective, you need to make sure that the AIDE executable and database are protected from changes. If they are not, an attacker could gain access to the system and then modify the AIDE database and executable to never notify you of any configuration changes, which would completely defeat the purpose of the program.

The easiest way to protect yourself from this situation is to make use of a CD-RW drive and burn the AIDE database, executable, and configuration file to it. I recommend a CD-RW over a CD-R because the AIDE database will need to change as you add new software to the system. If you use a CD-R, you’ll be throwing away a lot of CDs. Also, it is best not to burn the CD using the same Linux system that is to be protected. If you have a CD burner and CD-burning software on the same system, an attacker will be able to make use of the software and overwrite your AIDE databases with their own versions.

Your safest option is to burn the three aforementioned files to a CD on another machine. Next, mount the CD-ROM drive on your AIDE-protected server using the mount -t iso9660 -r /dev/cdrom /mnt/cdrom command.

Once you have done this, you can run the AIDE executable from the CD, and your AIDE database will be protected from tampering.

Testing AIDE
Testing AIDE is as simple as making a change to a system file or touching a system file (with the touch command) to change the modified date and time.

For this example, I’ll modify the /etc/hosts file and add an entry. To run AIDE for comparison of the current file system to the contents of the database, use the command shown in Listing E.

This will take a while, as the entire file system needs to be traversed and compared to the database. Listing F shows the results.

The report in Listing F shows that, out of the 36,144 files AIDE is watching, two new ones have been added, one was deleted, and four were changed. The remainder of the report provides a detailed analysis of exactly what was changed. Look closely at the last section (under File: /etc/hosts). This entry shows a growth in size (from 156 Kb to 180 Kb); the modification time and checksum have changed as well. This all makes sense, because an entry was added to the file.
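To make the initialize/rename/check cycle from the "Creating the database" section and the added/removed/changed report described above concrete, here is a small Python integrity checker written for this article as an added example; it is not AIDE's own code. It implements a subset of AIDE's attribute letters (p, i, n, u, g, s, m, c, md5 and sha1; atime is left out because hashing a file reads it, which itself updates atime), builds a JSON database from a rule string such as R+sha1, and then compares the live directory tree against that database, reporting which attributes of each changed file differ. The directory layout, file contents and the exclusion list in demo() are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile

def _digest(path, algo):
    """Hash a file's contents in chunks with the named hashlib algorithm."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

# Attribute letters this example understands; each reader takes (stat_result, path).
_ATTRS = {
    "p": lambda st, _p: stat.S_IMODE(st.st_mode),   # permissions
    "i": lambda st, _p: st.st_ino,                  # inode
    "n": lambda st, _p: st.st_nlink,                # number of links
    "u": lambda st, _p: st.st_uid,                  # user
    "g": lambda st, _p: st.st_gid,                  # group
    "s": lambda st, _p: st.st_size,                 # size
    "m": lambda st, _p: int(st.st_mtime),           # mtime
    "c": lambda st, _p: int(st.st_ctime),           # ctime
    "md5": lambda _s, p: _digest(p, "md5"),
    "sha1": lambda _s, p: _digest(p, "sha1"),
}
R_SHORTCUT = ["p", "i", "n", "u", "g", "s", "m", "c", "md5"]  # AIDE's 'R'

def parse_rule(rule):
    """Expand a rule such as 'R+sha1' into an ordered list of attribute names."""
    attrs = []
    for token in rule.split("+"):
        for name in (R_SHORTCUT if token.strip() == "R" else [token.strip()]):
            if name not in _ATTRS:
                raise ValueError("unsupported attribute in rule: %r" % name)
            if name not in attrs:
                attrs.append(name)
    return attrs

def _excluded(rel, exclude):
    """True if rel is an excluded path or lies below an excluded directory (the '!' lines)."""
    return any(rel == e or rel.startswith(e.rstrip("/") + "/") for e in exclude)

def build_database(root, rule, exclude=()):
    """Record the rule's attributes for every regular file under root (the -i pass)."""
    attrs = parse_rule(rule)
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if _excluded(rel, exclude) or not stat.S_ISREG(st.st_mode):
                continue  # skip excluded paths, symlinks and special files
            files[rel] = {a: _ATTRS[a](st, path) for a in attrs}
    return {"rule": rule, "files": files}

def save_database(db, path):
    with open(path, "w") as f:
        json.dump(db, f, sort_keys=True)

def load_database(path):
    with open(path) as f:
        return json.load(f)

def _write(root, rel, text, mode="w"):
    with open(os.path.join(root, rel), mode) as f:
        f.write(text)

def check(root, db, exclude=()):
    """Compare the live tree with db (the -C pass): counts, added and removed paths,
    and for each changed path the list of attributes that differ."""
    old = db["files"]
    now = build_database(root, db["rule"], exclude)["files"]
    changed = {}
    for rel in sorted(set(old) & set(now)):
        diff = [a for a in old[rel] if old[rel][a] != now[rel][a]]
        if diff:
            changed[rel] = diff
    return {"total": len(old), "added": sorted(set(now) - set(old)),
            "removed": sorted(set(old) - set(now)), "changed": changed}

def demo():
    """Run the init/check cycle on a constructed tree; returns the check report."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "var/log"))
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "var/log/messages", "kernel: boot\n")
        exclude = ("var/log", "aide.db")          # like '!/var/log', plus the db itself
        db_path = os.path.join(root, "aide.db")   # on a real host: read-only media
        save_database(build_database(root, "R+sha1", exclude), db_path)
        # Simulate the article's test plus noise: append an entry to /etc/hosts,
        # add one file, delete one, and let the excluded log grow.
        _write(root, "etc/hosts", "10.0.0.5 fileserver\n", mode="a")
        _write(root, "etc/new.conf", "x=1\n")
        os.remove(os.path.join(root, "etc/passwd"))
        _write(root, "var/log/messages", "sshd: login\n", mode="a")
        return check(root, load_database(db_path), exclude)
    finally:
        shutil.rmtree(root)
```

Running demo() reports two files in the database, one added (etc/new.conf), one removed (etc/passwd) and one changed (etc/hosts), whose size, checksums and, if enough time has passed, mtime and ctime differ; the inode does not change because the file was appended to in place, and the growing log never appears because its directory is excluded. The same design point the article makes applies here: the report is only trustworthy if the database and the checker itself cannot be rewritten by whoever changed the files.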

AIDE best practices
Always keep your AIDE binaries and databases on read-only media. The advantage of using read-only media is that, if someone does gain access to the system, they will have a much more difficult time covering their tracks. If the AIDE configuration files and databases are on read/write media, a hacker can simply change them to suit her needs.

Next, make sure that the system is secure before AIDE is installed. If AIDE is installed on a system with a root kit (or some other compromise), AIDE will only ensure that the files the hacker used to get into your system are not changed!

Third, make sure the AIDE check is run on a daily basis, preferably during a period of low activity. For example, if you wanted AIDE to run a daily check at 1 A.M., you'd just add the following line to root's crontab:
00 01 * * * /usr/local/bin/aide -c /usr/local/etc/aide.conf -C

Don't depend only on AIDE
No matter how useful or secure a utility can be, be careful about relying too much on these types of tools. Certain rootkits can directly modify the system kernel and mask scans by tools such as Tripwire or AIDE, rendering them useless. For complete security, make sure to employ proper firewalling policies and procedures. That said, AIDE is an excellent tool that should be running on all Linux servers where security is a key concern. It provides an important element of security to your system.
