What is AIDE:-
AIDE (Advanced Intrusion Detection Environment) is an intrusion detection program. It is a free replacement for Tripwire.It can find out any changes made on the system binaries, libraries, header files , and configuration files etc by "comparing" regularly with the database of these files which was made at the time of its instllation.
How Does AIDE works:-
Once AIDE is installed, It creates a database of the files specified in AIDE’s configuration file. The AIDE database stores various file attributes like permissions, inode number, user, group, file size, mtime and ctime, atime, growing size, number of links and link name. AIDE also creates a cryptographic checksum or hash of each file using message digest algorithms like sha, md5, rmd160, tiger etc. Also acl, xattr and selinux can be used if enabled during compile time.This databse is created before the server/system is bought into the network.The AIDE should be installed to the system before it is exposed to the internet.
So Initially the administrator need to create an AIDE database on a new server before it is setup for networking eg hosting.This AIDE database is an excat summary of the Linux system before it is bought into the network.This database(db) will hold information about system binaries, libraries, header files etc that are expected to remain the same throughout.Suppose someone has broken-into the system, though it is easier to manipulate file dates, sizes etc, it will be quite difficult for him to manipulate cryptographic checksum like md5. Thus by rerunning AIDE after a break-in, the administrator can quickly identify changes to files with high degree of accuracy.
How to Install AIDE in UBUNTU?
1)You need the root access to install AIDE:- sudo su -
2)Install These prerequisites (packages) for AIDE:
GCC compiler for C : apt-get install gcc byacc
GNU Flex : apt-get install flex
GNU Bison : apt-get install bison
GNU Make : apt-get install make
Mhash library : apt-get install libmhash2 libmhash-dev
PostgreSQL Development Library : apt-get install postgresql-server-dev-8.3
Some of the above packages maybe already installed on your box, in that case when you execute the above commands it shows " 0 upgraded".so need not worry about that packages.
Or else you can check manually whether the packages are installed or not by using the follawing command: dpkg –get-selections | grep gcc
If the result is : gcc-4.3 install
then gcc is installed otherwise if you get no output ,then it means that gcc is not installed.
3)Once all the packages are installed then download aide from here . The downloaded packaege will be zipped in tar.
4)Create a folder 'downloades' and extract the tar achieve into this folder using the command: tar -xzvf aide-x.xx.x.tar.gz (replace x with version number)
Now you wil get the folder aide-x.xx.x
goto that folder by: cd aide-x.xx.x
Then execute the following commands :
./configure
make
make install
make clean
5)NOw you need to open the aide configuration file and determine the location where the aide database is stored. Go to that location
6)To initialise the database perform:
aide -i
mv aide.db.new aide.db
7)Now we can check wether the AIDE works by using the following command:-
aide
8)Configuration of AIDE
AIDE has its config file located inside (if installed via package management software like synaptic, config file is /etc/aide/aide.conf) /usr/local/etc/aide.conf .
And it’s default executable is located inside /usr/local/bin/aide.
9)Explanation of the aide.conf file
database=file:/var/lib/aide/aide.db
location of the database to be read (This is the database taken as benchmark)
database_new=file:/var/lib/aide/aide.db.comp
location of the database for –compare is read (This is not present by default and is used only when we have to compare two distinct databases.)
database_out=file:/var/lib/aide/aide.db.new
location of the database to be written
10)Useful Commands
aide -C : Performs a check on the filesystem ? (also same as: aide)
aide -i : Initialises or creates the benchmark database supplied by database_out directive (here it is aide.db.new)
aide -u -c /etc/aide.conf : update the database and use the specified config file
11)Usage
Before putting one’s server into the network, the admin will have to save a secure configuration of the system by:
aide -i
mv aide.db.new aide.db
The second command transfers the server’s earlier state(aide.db database) with the new one(aide.db.new). So be careful when you do this. It is advisable to keep a backup of the earlier database.
Next time in-order to check for any break-in perform
aide
or
aide -C
To compare the current database with some earlier backed-up database, give the path of the backed-up database to database_new option in aide.conf and perform:
aide –compare
The task of saving the old database and comparing with a new one has to be done periodically (preferably daily with the help of a cron task).
Reference Links
http://www.cs.tut.fi/~rammer/aide.html
http://supportsages.com/blog
thanks & regards
tell2humanlinux@gmail.com
No comments:
Post a Comment