Sunday, February 14, 2016

Intrusion detection system for checking the integrity of files using AIDE

AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker, initially developed as a free replacement for Tripwire. It records attributes and checksums of the files you select in a database, and a later run compares the live filesystem against that database and reports what was added, removed or changed.

1- Install AIDE
$ sudo apt-get install aide

2- Configure AIDE by editing /etc/aide/aide.conf
The following checks the whole filesystem with the built-in R rule, except /proc, /sys, /dev, /usr, /var, /home, /boot, /lib and /lib64. Two things to keep in mind: the R rule is AIDE's own predefined group (permissions, inode, link count, owner, group, size, mtime, ctime and an MD5 checksum), which is why the report below prints MD5 rather than the hashes listed in the Checksums group; that group is only referenced by database_attrs, i.e. it decides which hashes are printed for the database file itself. And excluding /usr, /lib and /boot means the system binaries, libraries and kernel are not monitored at all; the exclusions are kept here so the example runs quickly, but on a real host you would drop them and exclude only the volatile parts of /var.

database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new
gzip_dbout=yes
summarize_changes=yes
grouped=yes
verbose = 6
report_base16 = no
/ R
!/proc
!/sys
!/dev
!/usr
!/var
!/home
!/boot
!/lib
!/lib64
Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger
database_attrs = Checksums
OwnerMode = p+u+g+ftype
Size = s+b
InodeData = OwnerMode+n+i+Size+l+X
StaticFile = m+c+Checksums
RamdiskData = InodeData-i
Full = InodeData+StaticFile
VarTime = InodeData+Checksums
VarInode = VarTime-i
VarFile = OwnerMode+n+l+X
VarDir = OwnerMode+n+i+X
VarDirInode = OwnerMode+n+X
VarDirTime = InodeData
Log = OwnerMode+n+S+X
FreqRotLog = Log-S
LowLog = Log-S
SerMemberLog  = Full+I
LoSerMemberLog = SerMemberLog+ANF
HiSerMemberLog = SerMemberLog+ARF
LowDELog = SerMemberLog+ANF+ARF
SerMemberDELog = Full+ANF
LinkedLog = Log-n


3- Initialize the database
$ sudo aide --init --config=/etc/aide/aide.conf

4- Copy the freshly written database into place. AIDE never overwrites the database it checks against (database), it only writes database_out, so this step is deliberate and manual. Keep a second copy of aide.db, or at least its SHA-256, on read-only or off-host storage: an intruder with root can simply regenerate the database after making changes, and every later check would then report a clean system.
$ sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

5- Now test it: add or modify a file in any directory that is not excluded, then run a check.

$ sudo aide -C --config=/etc/aide/aide.conf
do_md(): open() for /mnt/thai/ขอใจเธอแลกเบอร์โทร - หญิงลี ศรีจุมพล (1).mp3 failed: Permission denied
AIDE 0.16a2-19-g16ed855 found differences between database and filesystem!!
Start timestamp: 2016-02-14 13:15:57 -0500
Verbose level: 6

Summary:
  Total number of entries:    3029
  Added entries:        1
  Removed entries:        0
  Changed entries:        4

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/newtest

---------------------------------------------------
Changed entries:
---------------------------------------------------

d = ... mc.. .. .: /etc
f > ... mci.C.. .: /etc/test
d = ... mc.. .. .: /root
f > ... mci.C.. .: /root/.viminfo

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /etc
  Mtime    : 2016-02-14 12:51:17 -0500        | 2016-02-14 12:56:38 -0500
  Ctime    : 2016-02-14 12:51:17 -0500        | 2016-02-14 12:56:38 -0500

File: /etc/test
  Size     : 4                                | 7
  Mtime    : 2016-02-14 12:50:50 -0500        | 2016-02-14 12:52:58 -0500
  Ctime    : 2016-02-14 12:50:50 -0500        | 2016-02-14 12:52:58 -0500
  Inode    : 12584956                         | 12584962
  MD5      : nNWZo1I4mOahLhPseH2lCg==         | q8HzdpbdOviM0qdrIyBB5Q==

Directory: /root
  Mtime    : 2016-02-14 12:51:55 -0500        | 2016-02-14 12:56:56 -0500
  Ctime    : 2016-02-14 12:51:55 -0500        | 2016-02-14 12:56:56 -0500

File: /root/.viminfo
  Size     : 4126                             | 4412
  Mtime    : 2016-02-14 12:51:55 -0500        | 2016-02-14 12:56:56 -0500
  Ctime    : 2016-02-14 12:51:55 -0500        | 2016-02-14 12:56:56 -0500
  Inode    : 2097157                          | 2097156
  MD5      : 0/xikvDmZMMzrfiF2XwgWg==         | 3RmfQDb4CGEYjd28PPa41w==


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
  RMD160   : d8QWQJ+9OmNYnF+mJpbJ8ymOReY=
  TIGER    : 7E6FCB/QtcK22St18atGuG6b9FO76s3M
  SHA256   : V4JB8LLHl6GW3ah14/VoF+TziDZE8JnT
             1rvaIEI1ARs=
  SHA512   : PdyF0Kldrj/CFHViCJ3g8vVyiBd1pnAR
             +jOl+/65skHl5xbhIJOZq5aGECkgvG71
             0Hgav0tZr/qS7PWBOYarOg==
  CRC32    : XFs6QA==
  HAVAL    : kuxzWsRyMYFddqckfct7ksQnB2O/OoU0
             PALIEx13L6Q=
  GOST     : 1ZcdnbxRCUXXg51jTJiGlD5cb7I3wY/k
             RkVDwYKQRQI=


End timestamp: 2016-02-14 13:15:58 -0500 (run time: 0m 1s)



As the result shows, one file was added (/etc/newtest) and two files were modified (/etc/test and /root/.viminfo); the two directory entries only report new mtime/ctime values because entries were created or rewritten inside them. With AIDE we can now see which files have been tampered with by an intruder. The comparison is only as trustworthy as the database it runs against: re-run --init (or --update) after every legitimate change so the baseline stays current, and protect the stored database from modification.
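The wrapper below is an added example, not code from the original post or from the AIDE project. It ties steps 3 to 5 together the way a practitioner would run them from cron: the baseline database gets its SHA-256 pinned when it is installed, a check refuses to run against a database whose hash no longer matches the pin, and AIDE's exit status (a bitmask: 1 new files, 2 removed files, 4 changed files, 14 and above errors) is decoded instead of being thrown away. The paths and the pin location /root/aide.db.sha256 are assumptions for the example; in practice the pin belongs on another host or read-only media.

```shell
#!/bin/sh
# Added example (not from the original post or the AIDE project): wraps
# aide --init / --check with a pinned hash of the baseline database and
# decodes AIDE's exit status.  Paths below are assumptions; adjust them.
set -eu

AIDE_CONF="${AIDE_CONF:-/etc/aide/aide.conf}"
AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db}"
AIDE_DB_NEW="${AIDE_DB_NEW:-/var/lib/aide/aide.db.new}"
# Hypothetical pin location; ideally off-host or on read-only media.
DB_PIN="${DB_PIN:-/root/aide.db.sha256}"

# Translate AIDE's exit status into words.  0 = no differences;
# bits 1/2/4 = added/removed/changed entries; 14 and above = errors.
aide_status_text() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "clean"; return 0
    elif [ "$code" -ge 14 ]; then
        echo "error"; return 0
    fi
    out=""
    if [ $((code & 1)) -ne 0 ]; then out="$out added"; fi
    if [ $((code & 2)) -ne 0 ]; then out="$out removed"; fi
    if [ $((code & 4)) -ne 0 ]; then out="$out changed"; fi
    echo "${out# }"
}

# Return 0 if the database file still has the SHA-256 recorded in the
# pin file (first field of sha256sum output), 1 otherwise.
verify_db_pin() {
    db=$1; pin=$2
    if [ ! -r "$pin" ] || [ ! -r "$db" ]; then return 1; fi
    expected=$(cut -d' ' -f1 "$pin")
    actual=$(sha256sum "$db" | cut -d' ' -f1)
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        return 0
    fi
    return 1
}

# Steps 3 and 4: build the baseline, install it, pin its hash, and make
# both files read-only for root so accidental edits are noticed.
aide_init() {
    aide --init --config="$AIDE_CONF"
    mv "$AIDE_DB_NEW" "$AIDE_DB"
    sha256sum "$AIDE_DB" > "$DB_PIN"
    chmod 0400 "$AIDE_DB" "$DB_PIN"
}

# Step 5: refuse to trust a database that no longer matches the pin, then
# run the check and report the decoded exit status.
aide_check() {
    if ! verify_db_pin "$AIDE_DB" "$DB_PIN"; then
        echo "ALERT: $AIDE_DB does not match the pinned hash in $DB_PIN" >&2
        return 3
    fi
    set +e
    aide --check --config="$AIDE_CONF"
    rc=$?
    set -e
    echo "aide exit status $rc: $(aide_status_text "$rc")"
    return "$rc"
}

case "${1:-}" in
    init)  aide_init ;;
    check) aide_check ;;
    "")    ;;  # no argument: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 init|check" >&2; exit 2 ;;
esac
```

Run `sh aide-wrap.sh init` once after the configuration is in place, and schedule `sh aide-wrap.sh check` from cron; a non-zero status other than the expected "added/removed/changed" bits, or the ALERT line about the pin, is what should page someone. The pin only helps if an attacker cannot rewrite it along with the database, which is why it should not live on the monitored host's writable disk.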
