January 20, 2005

Intrusion detection with AIDE

Author: Preston St. Pierre

If an intruder penetrates your system, it will not be long before they upload and replace key system files. This is done to hide malicious programs and cover up the intrusion. For example, the ls program may be replaced with a trojaned version, which hides files that have been uploaded to your system. The ps program is also often replaced to hide the fact that malicious programs have been installed. Installing an intrusion detection system (IDS) can give you a heads up on whether or not filesystems have been modified.

The Advanced Intrusion Detection Environment (AIDE) is a GPL licensed IDS. AIDE works by creating a database containing information about the files on your system. The database is created from rules laid out in the configuration file aide.conf. When AIDE is run, this database is referenced to check for changes. Any changes not permitted by the configuration file are reported.

AIDE can be downloaded from http://sourceforge.net/projects/aide. Installation instructions are included in the README file. Although the README states that mhash is a requirement, it fails to mention that AIDE expects it to be statically linked. To do this, append --enable-static=yes to the configure stage of the mhash installation. Once this is done, AIDE installs cleanly.

Some configuration guidelines

Before initializing the database, a working configuration file needs to be set up. A sample aide.conf is installed in the doc subdirectory. Included is a list of file attributes AIDE can monitor along with a few sample rules.

Unless you like reading pages and pages of output, it is a good idea to only check files that should not change often. System binaries, libraries, and configuration files should be checked while you may want to exclude directories such as /home, /var/log, and /tmp. On the other hand, an attacker may specifically place files in those directories because many people choose to exclude them from an IDS database. This is a trade-off between security and manageability that must be made on a case-by-case basis.

Let us take a quick look at a simple rule by adding the line:

/etc p+u+g

to the end of aide.conf. This rule instructs AIDE to check all files in the /etc directory for any modifications in the permission, user, or group file attributes. We will use this rule later to put AIDE to the test.

Perhaps the most important decision to make is where to store the database. It does not matter what files are monitored if an intruder is able to alter the database or install a trojaned AIDE binary. For this reason, the developers strongly recommend storing it on non-writable, removable media. To store the database on a floppy, change the database=file: and database_out=file: parameters to:

database=file:/mnt/floppy/aide.db
database_out=file:/mnt/floppy/aide.db.new

This is of course assuming that your floppy is mounted at /mnt/floppy. The reference database will be stored as aide.db and any newly created or updated databases will be stored as aide.db.new.

Another change you may wish to make is where to output the reports. By default, messages are sent to the standard output (your monitor) when running AIDE. The parameter report_url=stdout can be changed so that reports are sent to a file. For example,

report_url=/tmp/aideoutput.txt

Once you have made the changes necessary for your system, copy aide.conf to /usr/local/etc.

Initializing and checking the database

AIDE should be run immediately after operating system installation, before making any network connections. This ensures that the system is in a clean state while AIDE creates its database. Initialize the database with:

aide --init

The file aide.db.new now exists on /mnt/floppy. Rename aide.db.new to aide.db to make it your permanent reference database.

The database can now be checked with:

aide --check

To update that database after changing a parameter in aide.conf issue the command:

aide --update

The newly updated database will now exist on /mnt/floppy and can be copied over to become the default database.

A quick test

To put AIDE to a quick test, make the file /etc/hosts executable and run

aide --check

The results should be similar to:
AIDE found differences between database and filesystem!!
Start timestamp: 2005-01-06 14:41:17
Summary:
Total number of files=4145,added files=0,removed files=0,changed files=1

Changed files:
changed:/etc/hosts
Detailed information about changes:

File: /etc/hosts
Permissions: -rw-r--r-- , -rwxr-xr-x

AIDE correctly reports that one file has been changed and the executable bit has been set on /etc/hosts.
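The database, the p+u+g rule and the /etc/hosts test described above can be seen end to end in the following toy checker. It is an added illustration written for this article, not AIDE's own code: it records the attributes named by a rule such as p+u+g (permissions, owner uid, group gid; the extra sha256 digest attribute is this example's own addition, not AIDE's spelling) for every regular file under a directory, writes them to a JSON "database", and then reports added, removed and changed files the way aide --check does. The quick_test function repeats the article's experiment in a scratch directory whose paths and file contents are all constructed.

```python
"""Toy AIDE-style integrity checker: an added illustration, not AIDE's code."""
import hashlib
import json
import os
import stat
import tempfile


def sha256_of(path):
    """Content digest, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


# Attribute letters modelled on aide.conf rules: p = permissions, u = owner uid,
# g = group gid. The sha256 name is this example's own addition.
ATTRIBUTE_READERS = {
    "p": lambda path, st: stat.filemode(st.st_mode),
    "u": lambda path, st: st.st_uid,
    "g": lambda path, st: st.st_gid,
    "sha256": lambda path, st: sha256_of(path),
}


def parse_rule(rule):
    """Turn 'p+u+g' into ['p', 'u', 'g'], rejecting attributes this toy does not know."""
    attrs = rule.split("+")
    unknown = [a for a in attrs if a not in ATTRIBUTE_READERS]
    if unknown:
        raise ValueError(f"unknown attribute(s) in rule {rule!r}: {unknown}")
    return attrs


def snapshot(root, rule):
    """Walk root (the article's /etc) and record the selected attributes of each regular file."""
    attrs = parse_rule(rule)
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):  # symlinks and devices are skipped in this toy
                db[path] = {a: ATTRIBUTE_READERS[a](path, st) for a in attrs}
    return db


def init_database(root, rule, db_path):
    """Like `aide --init`: write the reference database (JSON here, binary in AIDE)."""
    db = snapshot(root, rule)
    with open(db_path, "w") as f:
        json.dump({"rule": rule, "files": db}, f, indent=1, sort_keys=True)
    return db


def check(root, db_path):
    """Like `aide --check`: compare the live tree with the stored database."""
    with open(db_path) as f:
        ref = json.load(f)
    live = snapshot(root, ref["rule"])
    report = {
        "added": sorted(set(live) - set(ref["files"])),
        "removed": sorted(set(ref["files"]) - set(live)),
        "changed": {},
    }
    for path in sorted(set(live) & set(ref["files"])):
        diffs = {a: (ref["files"][path][a], live[path][a])
                 for a in live[path] if ref["files"][path][a] != live[path][a]}
        if diffs:
            report["changed"][path] = diffs
    return report


def format_report(report):
    """Render a report in the spirit of AIDE's summary and 'old , new' detail lines."""
    n_added, n_removed, n_changed = (len(report[k]) for k in ("added", "removed", "changed"))
    if not (n_added or n_removed or n_changed):
        return "No differences found between database and filesystem."
    lines = ["Differences found between database and filesystem!",
             f"added files={n_added},removed files={n_removed},changed files={n_changed}"]
    lines += [f"added:{p}" for p in report["added"]] + [f"removed:{p}" for p in report["removed"]]
    for path, diffs in report["changed"].items():
        lines.append(f"changed:{path}")
        for attr, (old, new) in diffs.items():
            lines.append(f"  {attr}: {old} , {new}")
    return "\n".join(lines)


def quick_test():
    """Repeat the article's test in a scratch directory: set the executable bit on a
    constructed 'hosts' file and confirm that only its permissions are reported."""
    work = tempfile.mkdtemp(prefix="toy-aide-")
    root = os.path.join(work, "etc")            # stands in for /etc
    os.makedirs(root)
    hosts = os.path.join(root, "hosts")
    with open(hosts, "w") as f:
        f.write("127.0.0.1 localhost\n")        # constructed sample content
    os.chmod(hosts, 0o644)
    db_path = os.path.join(work, "aide.db")     # kept outside the monitored tree
    init_database(root, "p+u+g+sha256", db_path)
    clean = check(root, db_path)                # nothing touched yet
    os.chmod(hosts, 0o755)                      # the article's test: make it executable
    return clean, check(root, db_path), hosts


if __name__ == "__main__":
    _clean, tampered_report, _ = quick_test()
    print(format_report(tampered_report))
```

Running the block prints a one-file report with the line "p: -rw-r--r-- , -rwxr-xr-x", mirroring the Permissions line in the AIDE output above. Note that the database is written outside the monitored tree; if it sat inside /etc it would itself show up as an added file on the first check, which is one more reason the article keeps it on separate, non-writable media.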

No multi-user or networked system will ever be 100% secure. However, using an IDS such as AIDE is a good first step towards alerting an administrator to a possible system intrusion. In fact, AIDE was the IDS used by the Debian Project's administration team to learn that four of their servers had been compromised.

For more information, including how to create more advanced rules using regular expressions, check out the online manual at http://www.cs.tut.fi/~rammer/aide/manual.html. An online mailing list is also archived at https://mailman.cs.tut.fi/pipermail/aide/.