If your system has been compromised, chances are that the intruder, or the trojan, worm or whatever got in, has replaced system files or installed new ones, generally backdoors or hostile code. Imagine a replaced version of the login program that lets someone in with root access after supplying a magic password (like the ones included in most rootkits), or a trojanized ssh client that emails server, user and password information to someone whenever it is used (something like this happened at an important site last year).
File integrity checkers help by keeping checksums or hashes, together with attributes like size, owner and permissions, of files in a database, and then, at regular intervals, comparing the current state of the files against that stored information. So if the login binary is replaced, or a /tmp/.hidden/backdoord is installed, you are alerted. The whole scheme rests on one condition: the database, and the checker itself, must be kept where the attacker cannot modify them, because anyone who can rewrite the database can make the next check report nothing.
This article explains how to install and use AIDE, an open source host-based Intrusion Detection System (IDS), or file integrity checker if you prefer. Quoting from the AIDE website...
"AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more."
The whole system will be installed on a floppy disk. We will check various files and directories, being a little paranoid. That takes more time and generates more false alarms (false positives), but I think it keeps things less complicated and, hopefully, not less secure. When you set up your own configuration, start with my example; after a couple of weeks of use you will know what should be changed. You mount the disk each time you are ready to run the checks. That means more steps, but an attacker who gets in will (a) not be able to change our database, and (b) not even notice that we check the system regularly with AIDE. Keep in mind that this protection only holds while the disk is out of the drive: while it is mounted read-write, a root-level attacker who is already on the machine can alter the database or the aide binary just like any other file. Flipping the write-protect tab and mounting the disk read-only (mount -o ro) for checks, and writing to it only when you update the database, narrows that window. Nothing on the floppy helps against a kernel or C library that has already been subverted, since aide runs on top of them; for that level of paranoia you have to boot from trusted media before checking.
First we make the filesystem on the floppy disk... (mine is /dev/fd0, drive A: under DOS; if you use B: under DOS, you will use /dev/fd1 here.)

root@pc2:~# mkfs /dev/fd0
mke2fs 1.22, 22-Jun-2001 for EXT2 FS 0.5b, 95/08/09
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
184 inodes, 1440 blocks
72 blocks (5.00%) reserved for the super user
First data block=1
1 block group
8192 blocks per group, 8192 fragments per group
184 inodes per group

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 37 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
root@pc2:~#

Mount it, and create the aide directory...

root@pc2:~# mount /dev/fd0 /mnt/floppy
root@pc2:~# mkdir /mnt/floppy/aide
root@pc2:~#

Now we get the AIDE sources, compile them in a temporary directory, install the program onto the floppy disk (pay attention to the --prefix option when running configure), strip the aide binary before doing the make install, and finally remove the temporary directory. The tarball is fetched over plain HTTP, so if a checksum or signature for it is available from a trusted source, verify the download against it before building...

root@pc2:~# mkdir /tmp/aide
root@pc2:~# cd /tmp/aide
root@pc2:/tmp/aide# wget http://www.cs.tut.fi/~rammer/aide-0.7.tar.gz
--12:54:47--  http://www.cs.tut.fi/%7Erammer/aide-0.7.tar.gz
           => `aide-0.7.tar.gz'
Connecting to www.cs.tut.fi:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 219,837 [application/x-tar]

    0K .......... .......... .......... .......... ..........  23% @  34.84 KB/s
   50K .......... .......... .......... .......... ..........  46% @  50.97 KB/s
  100K .......... .......... .......... .......... ..........  69% @  65.45 KB/s
  150K .......... .......... .......... .......... ..........  93% @  46.38 KB/s
  200K .......... ....                                        100% @   7.17 MB/s

12:54:52 (50.40 KB/s) - `aide-0.7.tar.gz' saved [219837/219837]

root@pc2:/tmp/aide# tar xvfz aide-0.7.tar.gz
aide-0.7/
aide-0.7/Makefile.in
[...]
aide-0.7/include/compare_db.h
aide-0.7/include/gnu_regex.h
root@pc2:/tmp/aide# cd aide-0.7
root@pc2:/tmp/aide/aide-0.7# ./configure --prefix=/mnt/floppy/aide
creating cache ./config.cache
checking for a BSD compatible install... /usr/bin/ginstall -c
[...]
creating aide.spec
creating config.h
root@pc2:/tmp/aide/aide-0.7# make
make all-recursive
make[1]: Entering directory `/tmp/aide/aide-0.7'
[...]
make[2]: Leaving directory `/tmp/aide/aide-0.7'
make[1]: Leaving directory `/tmp/aide/aide-0.7'
root@pc2:/tmp/aide/aide-0.7# strip src/aide
root@pc2:/tmp/aide/aide-0.7# make install
Making install in src
make[1]: Entering directory `/tmp/aide/aide-0.7/src'
[...]
make[2]: Leaving directory `/tmp/aide/aide-0.7'
make[1]: Leaving directory `/tmp/aide/aide-0.7'
root@pc2:/tmp/aide/aide-0.7# cd ..
root@pc2:/tmp/aide# cd ..
root@pc2:/tmp# rm -r aide
root@pc2:/tmp#
Finally we create a very simple configuration file that checks for changes in permissions, inode number, number of links, owner, group, size, modification time (mtime), inode change time (ctime, which is what the c in AIDE's R rule stands for; it is not a creation time) and md5 checksums of the listed files and directories, including everything under them, and then generate the database...

root@pc2:/tmp# cd /mnt/floppy/aide/bin/
root@pc2:/mnt/floppy/aide/bin# cat aide.conf
database=file:/mnt/floppy/aide/bin/aide.db
database_out=file:/mnt/floppy/aide/bin/aide.db.new

/vmlinuz R
/boot R
/etc R
/bin R
/usr/bin R
/usr/local/bin R
/sbin R
/usr/sbin R
/usr/local/sbin R
=/var/log R
/tmp R
/var/tmp R
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --init
root@pc2:/mnt/floppy/aide/bin# mv aide.db.new aide.db
root@pc2:/mnt/floppy/aide/bin#

The config file is only a working example, and I use it this way, but you may or should change it to suit your needs; remember that the generated database must reside on the floppy disk. Two details worth knowing: the = in front of /var/log makes it an "equals" rule, which, as the AIDE manual describes, matches /var/log itself but not the files under it, so the constantly rotating logs do not flood every report; and R is AIDE's predefined group p+i+n+u+g+s+m+c+md5. If you want a second, stronger hash next to md5 (which on its own is a weak guarantee), AIDE also supports sha1, rmd160 and tiger, so a rule such as "/bin R+sha1" works. Check the end of this document to download the example aide.conf. We can now umount the floppy and are ready for regular use (checks and updates).
Now that we have the floppy disk with the generated database we can use it regularly to check for changes in the audited files. I will create a file in the /tmp directory to show how AIDE tells us about it...

root@pc2:/# cat > /tmp/.hidden
hidden
root@pc2:/# mount /dev/fd0 /mnt/floppy/
root@pc2:/# cd /mnt/floppy/aide/bin/
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --check
AIDE found differences between database and filesystem!!
Start timestamp: 2002-01-21 15:22:56
Summary:
Total number of files=1443,added files=1,removed files=0,changed files=1

Added files:
added:/tmp/.hidden
Changed files:
changed:/tmp

Detailed information about changes:

File: /tmp
  Mtime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
  Ctime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
root@pc2:/mnt/floppy/aide/bin#

So here you see clearly what happened: the new file is reported as added, and its parent directory /tmp as changed, because creating an entry updates the directory's mtime and ctime. If an existing file had been modified you would be alerted in a similar way, with the detailed section listing the old and new values of whatever attributes differ.
Now imagine that /tmp/.hidden is a file you placed there yourself, which you will not remove and do not wish to keep seeing in the reports; you can update the database like this. Do this only after you have accounted for every reported change, because --update makes the current state the new baseline, an attacker's changes included if you accept them blindly...

root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --update
AIDE found differences between database and filesystem!!
Start timestamp: 2002-01-21 15:28:58
Summary:
Total number of files=1443,added files=1,removed files=0,changed files=1

Added files:
added:/tmp/.hidden
Changed files:
changed:/tmp

Detailed information about changes:

File: /tmp
  Mtime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
  Ctime: old = 2002-01-21 13:36:25, new = 2002-01-21 15:22:03
root@pc2:/mnt/floppy/aide/bin# mv aide.db.new aide.db
root@pc2:/mnt/floppy/aide/bin# ./aide --config=./aide.conf --check
root@pc2:/mnt/floppy/aide/bin#
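To make concrete what the database/compare loop described at the start of this article looks like, and how the init, check and update steps above fit together, here is an added example of a toy integrity checker written in bash. It is not AIDE's code and not part of the original article. It records the same attributes as AIDE's R rule (permissions, inode, links, uid, gid, size, mtime, ctime) plus an md5 and a sha1 checksum, and mirrors --init, --check and --update. It assumes bash and GNU coreutils (stat -c, find -print0, sort -z); the fic_* function names and the one-line-per-path database format are my own and not AIDE's.

```shell
#!/bin/bash
# Toy file-integrity checker mimicking AIDE's init/check/update cycle and its
# R rule (perms, inode, links, uid, gid, size, mtime, ctime, checksum).
# Added example, not AIDE code. Assumes bash and GNU coreutils (stat -c,
# find -print0, sort -z). Limitation: one database line per path, so paths
# containing tabs or newlines are not supported (AIDE handles them; this toy does not).

# Print one line per path under $1: "<path>\t<attrs>\t<md5 sha1>" ("-" for non-files).
fic_snapshot() {
    local dir="$1" path attrs sums
    find "$dir" -print0 | LC_ALL=C sort -z | while IFS= read -r -d '' path; do
        # %a perms, %i inode, %h links, %u uid, %g gid, %s size, %Y mtime, %Z ctime
        attrs=$(stat -c '%a %i %h %u %g %s %Y %Z' "$path")
        if [ -f "$path" ]; then
            sums="$(md5sum < "$path" | cut -d' ' -f1) $(sha1sum < "$path" | cut -d' ' -f1)"
        else
            sums='-'
        fi
        printf '%s\t%s\t%s\n' "$path" "$attrs" "$sums"
    done
}

# Compare old database $1 against new snapshot $2; print added:/removed:/changed: lines.
fic_compare() {
    LC_ALL=C awk -F'\t' '
        FILENAME == ARGV[1] { old[$1] = $2 FS $3; next }
        {
            seen[$1] = 1
            if (!($1 in old))             print "added:" $1
            else if (old[$1] != $2 FS $3) print "changed:" $1
        }
        END { for (p in old) if (!(p in seen)) print "removed:" p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Like "aide --init": write the baseline database $1 for directory $2.
fic_init() { fic_snapshot "$2" > "$1"; }

# Like "aide --check": print a report; returns 0 when clean, 1 when anything differs.
fic_check() {
    local db="$1" dir="$2" new report
    new=$(mktemp)
    fic_snapshot "$dir" > "$new"
    report=$(fic_compare "$db" "$new")
    rm -f "$new"
    [ -z "$report" ] && return 0
    printf 'Differences between database and filesystem!\n%s\n' "$report"
    return 1
}

# Like "aide --update": report as fic_check does, then write $1.new so the
# operator can review the report and "mv db.new db" to accept the changes.
fic_update() {
    local rc=0
    fic_check "$1" "$2" || rc=$?
    fic_snapshot "$2" > "$1.new"
    return "$rc"
}
```

Run fic_init db dir once on a known-good system and keep db on removable media as the article does; afterwards fic_check db dir returns 1 and lists added, removed and changed paths whenever anything differs, and fic_update writes db.new for you to accept with mv after reading the report. It is no replacement for AIDE (no regular-expression rules, no rule groups, no per-attribute detail of what changed), but it makes the trust assumption visible: the awk comparison believes whatever is in the old database, so whoever can edit that file controls the verdict.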
Remember to keep all the AIDE files on the floppy disk, unmount and remove it after use, change the example configuration file to suit your needs, and try not to leave any information on the system that could reveal to an attacker that you are using AIDE (root's shell history is an obvious place: the mount and ./aide commands above end up in it unless you clear it). You are encouraged to read the manual pages and manual.html of AIDE; it is a very flexible program. And finally, quoting the 'General guidelines for security' section of the AIDE manual:
" Do not assume anything
Trust no-one, nothing
Nothing is secure
Security is a trade-off with usability
Paranoia is your friend ".
The example aide.conf configuration file: misc/maiorano/aide.conf.txt
Home of the AIDE project: http://www.cs.tut.fi/~rammer/aide.html
download AIDE tarball: http://www.cs.tut.fi/~rammer/aide-0.7.tar.gz
Home of the more famous alternative to AIDE, Tripwire: http://www.tripwire.org
Some papers and articles for further reading...
An interesting article at securityfocus.com titled 'You may already be hacked.': http://www.securityfocus.com/columnists/12
An article at linuxsecurity.com titled 'Getting Started with Tripwire (Open Source Linux Edition)': http://www.linuxsecurity.com/feature_stories/feature_story-81.html
'Network- vs. Host-based Intrusion Detection - A Guide to Intrusion Detection Technology' from ISS, interesting reading also: http://secinf.net/info/ids/nvh_ids/
A more commercial point of view from NetworkWorldFusion, 'Getting the drop on network intruders': http://www.nwfusion.com/reviews/1004trends.html