File Integrity Checking with AIDE, GSLUG 2003

Sure, no slides whatsoever this time, but it's still probably better than the post-talk typescripts I provided for my GPG talk... This talk is primarily by Jeremy Reed; I'm just adding a bit of AIDE at the end, no pun intended...

Compilation

Snag source from http://www.cs.tut.fi/~rammer/aide.html.
# tar xzvf aide-0.9.tar.gz
# cd aide-0.9
# ./configure
# make
# make install

Many distros also ship it precompiled.

Config File

This is the config file Debian supplies by default. The upstream AIDE default is different, and your distro most likely ships one that is similar but not identical.

# cat /etc/aide/aide.conf
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Change this to "no" or remove it to not gzip output
# (only useful on systems with few CPU cycles to spare)
gzip_dbout=yes

# Here are all the things we can check - these are the default rules
#
#   p:      permissions
#   i:      inode
#   n:      number of links
#   u:      user
#   g:      group
#   s:      size
#   b:      block count
#   m:      mtime
#   a:      atime
#   c:      ctime
#   S:      check for growing size
#   md5:    md5 checksum
#   sha1:   sha1 checksum
#   rmd160: rmd160 checksum
#   tiger:  tiger checksum
#   R:      p+i+n+u+g+s+m+c+md5
#   L:      p+i+n+u+g
#   E:      Empty group
#   >:      Growing logfile p+u+g+i+n+S
#   haval:         haval checksum
#   gost:          gost checksum
#   crc32:         crc32 checksum

# This is the email address reports get mailed to
# It's only used by the cron script and at the moment only the first address
# specified in this manner will be used.
@@define MAILTO root
@@define LINES 1000

# Custom rules
Binlib =    p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs =      p+i+n+u+g+S
Devices =   p+i+n+u+g+s+b+c+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages =  p+i+n+u+g+s+b+m+c+md5+sha1

# Next decide what directories/files you want in the database

# Kernel, system map, etc.
=/boot$ Binlib

# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib
/usr/games Binlib

# Libraries
/lib Binlib
/usr/lib Binlib
/usr/local/lib Binlib

# Log files
/var/log$ StaticDir
/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
/var/log/aide/error.log(.[0-9])?(.gz)? Databases
/var/log/setuid.changes(.[0-9])?(.gz)? Databases
/var/log Logs

# Devices
!/dev/pts
/dev Devices

# Other miscellaneous files
/var/run$ StaticDir
!/var/run

# Test only the directory when dealing with /proc
/proc$ StaticDir
!/proc

# You can look through these examples to get further ideas

# MD5 sum files - especially useful with debsums -g
#/var/lib/dpkg/info/([^\.]+).md5sums

# Check crontabs
#/var/spool/anacron/cron.daily Databases
#/var/spool/anacron/cron.monthly Databases
#/var/spool/anacron/cron.weekly Databases
#/var/spool/cron Databases
#/var/spool/cron/crontabs Databases

# manpages can be trojaned, especially depending on *roff implementation
#/usr/man ManPages
#/usr/share/man ManPages
#/usr/local/man ManPages

# docs
#/usr/doc ManPages
#/usr/share/doc ManPages

# check users' home directories
#/home Binlib

# check sources for modifications
#/usr/src L
#/usr/local/src L

# Check headers for same
#/usr/include L
#/usr/local/include L

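The rule groups above are only shorthand for sets of attributes, and the selection lines inherit exactly those sets, so it is worth being able to see what a rule does and does not check. The following is an added example, not code from the talk or from AIDE itself: it parses the `Name = expr` rule lines of an aide.conf on top of the built-in groups documented in the config comments (R, L, E, >) and expands them. The sample config is constructed from the Debian rules above; the `Strict` rule in it is made up to show a custom rule layered on a built-in group.

```python
"""Expand AIDE rule groups into the attributes they actually check.

Added example, not code from the talk or from AIDE itself.  It parses the
'Name = expr' rule lines of an aide.conf (the custom rules above) on top of
the built-in groups documented in the config comments (R, L, E, >), so you
can see what a rule on a selection line will and will not detect.  'Strict'
in the sample below is a constructed rule, not part of the Debian config.
"""
import re

# Built-in groups, exactly as listed in the comment block of the config.
BUILTIN = {
    "R": "p+i+n+u+g+s+m+c+md5",
    "L": "p+i+n+u+g",
    "E": "",                  # empty group
    ">": "p+u+g+i+n+S",       # growing logfile
}
CHECKSUMS = {"md5", "sha1", "rmd160", "tiger", "haval", "gost", "crc32"}
ATTRIBUTES = {"p", "i", "n", "u", "g", "s", "b", "m", "a", "c", "S"} | CHECKSUMS
# Options that also use name=value syntax but are not rule definitions.
OPTIONS = {"database", "database_out", "gzip_dbout", "verbose", "report_url"}
RULE_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*([\w+>]*)\s*$")

# Constructed sample: the custom rules from the Debian config above, plus
# 'Strict', a made-up rule built on top of the built-in group R.
CONF = """\
database=file:/var/lib/aide/aide.db
gzip_dbout=yes
@@define MAILTO root
# Custom rules
Binlib =    p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs =      p+i+n+u+g+S
Devices =   p+i+n+u+g+s+b+c+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages =  p+i+n+u+g+s+b+m+c+md5+sha1
Strict =    R+sha1+rmd160
=/boot$ Binlib
/bin Binlib
"""


def parse_rules(conf_text):
    """Return {name: expression} for every custom rule line; comments, @@
    macros, selection lines and configuration options are skipped."""
    rules = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", "@@")):
            continue
        m = RULE_RE.match(line)
        if m and m.group(1) not in OPTIONS:
            rules[m.group(1)] = m.group(2)
    return rules


def expand(expr, rules, _stack=()):
    """Turn 'p+i+R+sha1'-style text into a set of attribute names, resolving
    custom and built-in group references recursively (custom names win)."""
    attrs = set()
    for tok in expr.split("+"):
        if not tok:                       # empty expression, e.g. group E
            continue
        if tok in ATTRIBUTES:
            attrs.add(tok)
        elif tok in rules or tok in BUILTIN:
            if tok in _stack:
                raise ValueError("cyclic rule definition via %r" % tok)
            sub = rules[tok] if tok in rules else BUILTIN[tok]
            attrs |= expand(sub, rules, _stack + (tok,))
        else:
            raise ValueError("unknown attribute or group: %r" % tok)
    return attrs


def attributes_of(name, rules):
    """Attributes checked by a named rule (custom or built-in)."""
    return expand(name, rules)


def checksums_of(name, rules):
    """Only the content checksums a rule computes.  Empty means a file's
    contents can change without the rule noticing, as long as the attributes
    it does check (size, inode, ownership, ...) stay the same."""
    return attributes_of(name, rules) & CHECKSUMS


if __name__ == "__main__":
    rules = parse_rules(CONF)
    for name in sorted(rules) + sorted(BUILTIN):
        print("%-10s %s" % (name, "+".join(sorted(attributes_of(name, rules)))))
```

Two things fall out of running it: the Debian `Logs` rule expands to exactly the same set as the built-in `>` group, and neither `Logs` nor `Databases` carries any checksum, which is what lets logs grow and rotate without a report but also means those rules only notice metadata changes.
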
Initialization

Do this as soon after system installation as possible! The database is only as trustworthy as the system was at the moment it was built.
# aide --init
Creates aide.db.new:
# cd /var/lib/aide
	(Your database location may differ)
# ls
aide.db.new

# file *
aide.db:       gzip compressed data, from Unix

# zcat aide.db.new | more

@@begin_db
# This file was generated by Aide, version 0.9
# Time of generation was 2003-11-07 16:26:35
@@db_spec name attr perm bcount uid gid size mtime ctime inode lcount md5 sha1
/boot 4029 40755 8 0 0 4096 MTA2NzUyOTY5NQ== MTA2NzUyOTY5NQ== 2 3 0 0
/bin 4029 40755 8 0 0 4096 MTA2NzUyOTU3NQ== MTA2NzUyOTU3NQ== 32577 2 0 0
/dev 3773 40755 40 0 0 20480 0 MTA2Nzk1NTM1Ng== 48865 6 0 0
/usr/sbin 4029 40755 16 0 0 8192 MTA2ODI1MTE5MQ== MTA2ODI1MTE5MQ== 846993 2 0 0
...
/bin/ed 16317 100755 80 0 0 39544 MTA0OTMwMDYzOA== MTA1NDA3MDA5NQ== 32855 1 90n0JdsR5vJ4U5mqWskUVw== S1Wx+mrBHcbdw9t+Un0PF8sMOMM=
/bin/bash 16317 100755 1360 0 0 690668 MTA1NDk1OTQyNw== MTA1ODg5NjA2Mw== 35344 1 ovztEqp7trJ5paOaarLASA== y3v+hCAcp86Mw/wxi1fhHyvwTgw=
/bin/rbash 4031 120777 0 0 0 4 MTA1ODg5NjA2Mw== MTA1ODg5NjA2Mw== 35345 1 0 0
/bin/sh 4031 120777 0 0 0 4 MTA1ODg5NjA2Mw== MTA1ODg5NjA2Mw== 34274 1 0 0
/bin/readlink 16317 100755 24 0 0 10360 MTA1ODAxODA4OA== MTA1OTE0MjE2Nw== 34467 1 pQaHvKzVjpC4cCVmWqUeQg== hj+69PH6b9VZEFsflyalW+W8Ubs=
/bin/run-parts 16317 100755 24 0 0 10616 MTA2NzIxOTYwNA== MTA2NzUyOTI3MQ== 32655 1 WTSt4R41SKK2B2bpnPN3ow== 2y28N9Cr5G08U+Wo9AQB4x0UUFQ=
/bin/tempfile 16317 100755 16 0 0 5620 MTA2NzIxOTYwNA== MTA2NzUyOTI3MQ== 32656 1 2YY6BdazHYqZb8lhEeCYEg== AJKN9iEpxhKn1iJhS3aOA6loKGg=
/bin/mktemp 16317 100755 16 0 0 5576 MTA2NzIxOTYwNA== MTA2NzUyOTI3MQ== 32660 1 NAK9tgb9oQh4e2HN2qq11A== GtUULH2LoGSLtje3mwIo9hx2aBc=
...

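The dump is plain text once gunzipped: a `@@db_spec` line naming the columns, then one record per path. The odd-looking timestamp and checksum fields are just base64 (the times wrap a decimal epoch string, the digests wrap raw bytes), and unchecked fields are stored as a bare `0`. As an added example, not code from the talk or from AIDE, here is a parser for that format plus a diff of two snapshots into the added/removed/changed lists a report is built from. `OLD_DB` is taken from the dump above (decoding the `/bin` entry gives 1067529575, i.e. 2003-10-30 15:59:35 UTC, which is the 07:59:35 Pacific time the sample report prints); the second snapshot is constructed for the example, and the assumptions (column order from `@@db_spec`, no whitespace in path names) are stated in the docstring.

```python
"""Parse and diff AIDE 0.9 database dumps.

Added example, not code from the talk or from AIDE.  Reads the text form of
aide.db shown above (@@db_spec header, then one record per path), decodes the
base64-wrapped fields and diffs two snapshots into the added/removed/changed
lists a report is built from.  Assumptions: columns follow @@db_spec, fields
not recorded are the literal "0", times are base64 of a decimal epoch string,
checksums are base64 of the raw digest, paths contain no whitespace.  OLD_DB
is taken from the dump above; constructed_new_db() is made up for this example.
"""
import base64
import datetime
import hashlib
import stat

TIME_FIELDS = ("mtime", "ctime", "atime")
HASH_FIELDS = ("md5", "sha1", "rmd160", "tiger", "haval", "gost", "crc32")

OLD_DB = """\
@@begin_db
# This file was generated by Aide, version 0.9
@@db_spec name attr perm bcount uid gid size mtime ctime inode lcount md5 sha1
/bin 4029 40755 8 0 0 4096 MTA2NzUyOTU3NQ== MTA2NzUyOTU3NQ== 32577 2 0 0
/bin/ed 16317 100755 80 0 0 39544 MTA0OTMwMDYzOA== MTA1NDA3MDA5NQ== 32855 1 90n0JdsR5vJ4U5mqWskUVw== S1Wx+mrBHcbdw9t+Un0PF8sMOMM=
/bin/tempfile 16317 100755 16 0 0 5620 MTA2NzIxOTYwNA== MTA2NzUyOTI3MQ== 32656 1 2YY6BdazHYqZb8lhEeCYEg== AJKN9iEpxhKn1iJhS3aOA6loKGg=
/bin/mktemp 16317 100755 16 0 0 5576 MTA2NzIxOTYwNA== MTA2NzUyOTI3MQ== 32660 1 NAK9tgb9oQh4e2HN2qq11A== GtUULH2LoGSLtje3mwIo9hx2aBc=
@@end_db
"""


def decode_time(field):
    """'MTA2NzUyOTU3NQ==' -> 1067529575 (epoch seconds); None if "0"."""
    return None if field == "0" else int(base64.b64decode(field).decode("ascii"))


def encode_time(epoch):
    """Inverse of decode_time; used only to build the constructed snapshot."""
    return base64.b64encode(str(epoch).encode("ascii")).decode("ascii")


def decode_hash(field):
    """Base64 digest -> lowercase hex; None if the checksum was not recorded."""
    return None if field == "0" else base64.b64decode(field).hex()


def parse_db(text):
    """Return {path: {column: raw string}} keyed by the @@db_spec columns."""
    spec, entries = None, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("@@db_spec"):
            spec = line.split()[1:]
        elif line.startswith("@@"):              # @@begin_db / @@end_db
            continue
        else:
            fields = line.split()
            if spec is None or len(fields) != len(spec):
                raise ValueError("malformed record: %s" % line)
            entries[fields[0]] = dict(zip(spec, fields))
    return entries


def pretty(field, value):
    """Render a raw field the way the report does (here in UTC; the report
    above prints local time), with symbolic modes and hex digests."""
    if field in TIME_FIELDS:
        ts = decode_time(value)
        return "-" if ts is None else datetime.datetime.fromtimestamp(
            ts, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    if field in HASH_FIELDS:
        return decode_hash(value) or "-"
    return stat.filemode(int(value, 8)) if field == "perm" else value


def compare(old_text, new_text):
    """Diff two dumps: added/removed paths and per-path {field: (old, new)}."""
    old, new = parse_db(old_text), parse_db(new_text)
    result = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)), "changed": {}}
    for path in sorted(set(old) & set(new)):
        diffs = {f: (pretty(f, old[path][f]), pretty(f, new[path][f]))
                 for f in old[path] if f != "name" and old[path][f] != new[path][f]}
        if diffs:
            result["changed"][path] = diffs
    return result


def constructed_new_db():
    """Made-up second snapshot: /bin/ed replaced (new size, inode, digests),
    /bin/tempfile made setuid, /bin/mktemp gone, /bin/xnmap new."""
    def b64_digests(data):
        return tuple(base64.b64encode(h(data).digest()).decode()
                     for h in (hashlib.md5, hashlib.sha1))
    t = encode_time(1068274862)                  # 2003-11-08 07:01:02 UTC
    return "\n".join([
        "@@db_spec name attr perm bcount uid gid size mtime ctime inode lcount md5 sha1",
        "/bin 4029 40755 8 0 0 4096 %s %s 32577 2 0 0" % (t, t),
        "/bin/ed 16317 100755 24 0 0 9752 %s %s 34128 1 %s %s" % ((t, t) + b64_digests(b"new ed")),
        "/bin/tempfile 16317 104755 16 0 0 5620 MTA2NzIxOTYwNA== %s 32656 1 "
        "2YY6BdazHYqZb8lhEeCYEg== AJKN9iEpxhKn1iJhS3aOA6loKGg=" % t,
        "/bin/xnmap 16317 100755 8 0 0 3120 %s %s 34501 1 %s %s" % ((t, t) + b64_digests(b"xnmap")),
    ])


if __name__ == "__main__":
    r = compare(OLD_DB, constructed_new_db())
    print("added:", r["added"], "removed:", r["removed"])
    for path, diffs in r["changed"].items():
        print("changed:%s %s" % (path, diffs))
```

Being able to read the database this way is also how you sanity-check a freshly built aide.db before trusting it: the perm column on `/bin/tempfile` in the constructed snapshot renders as `-rwsr-xr-x`, the same setuid-bit finding the sample report shows for `/bin/tar`.
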
Usage:

Usage: aide  command

Commands:

  -i
  --init
	Initialize the database

  -C
  --check
	Check the database

  -u
  --update
	Check and update the database non-interactively.

  --compare
	Compare two databases

  -v
  --version
	Show version of AIDE and compilation options.


Options:

  -c config_file
  --config=config_file
	Get config options from config_file.

  -B "config_stuff"
  --before="config_stuff"
	Before config_file is read use these options.

  -A "config_stuff"
  --after="config_stuff"
	After config_file is read use these options.

  -r reporter
  --report=reporter
	Where report output is written to.

  -Vverbosity_level
  --verbose=verbosity_level
	Level of debug messages.

  --config-check
	Just read the config file.

Sample Report:

AIDE found differences between database and filesystem!!
Start timestamp: 2003-11-07 19:08:30
Summary:
Total number of files=21623,added files=3,removed files=1,changed files=8

Added files:
added:/bin/xnmap
added:/etc/ssh/shosts.equiv

Changed files:
changed:/bin
changed:/bin/ls
changed:/bin/tar
changed:/bin/login
changed:/var/log/messages
changed:/var/log/messages.0
changed:/var/log/messages.1.gz

Detailed information about changes:

Directory: /bin
  Mtime    : 2003-10-30 07:59:35               , 2003-11-07 19:07:39
  Ctime    : 2003-10-30 07:59:35               , 2003-11-07 19:07:39


File: /bin/ls
  Mtime    : 2003-07-12 06:54:48               , 2003-11-07 19:38:14
  Ctime    : 2003-07-25 07:09:27               , 2003-11-07 19:38:14
  Inode    : 34462                             , 34474

File: /bin/login
  Size     : 24344                             , 9752
  Bcount   : 48                                , 24
  Mtime    : 2003-07-12 06:54:48               , 2003-11-08 08:01:02
  Ctime    : 2003-07-25 07:09:27               , 2003-11-08 08:01:02
  Inode    : 34474                             , 34128
  MD5      : qzgOxSxn04F3dfUU9xNz8w==          , DdkmJmlKHA9CvqA56TSa9g==
  SHA1     : NxdYCHBCC5Ud4dshxGd4OI/YtLQ=      , JTyIuhywUow2wuZFclC8jlu8Gw0=

File: /bin/tar
  Permissions: -rwxr-xr-x                        , -rwsr-xr-x
  Ctime    : 2003-10-07 08:38:00               , 2003-11-07 19:23:55


File: /var/log/messages.1.gz
  Inode    : 961027                            , 961107

File: /var/log/messages.0
  Inode    : 961074                            , 961081

File: /var/log/messages
  Inode    : 961108                            , 961074

Check the changes; only when every one of them is accounted for, install the new database.


# ls -l /var/lib/aide
-rwx------    2 root     root         4096 Nov  6 10:10 RCS
-rw-------    1 root     root      1260516 Nov  7 16:40 aide.db
-rw-------    1 root     root      1260611 Nov  7 19:12 aide.db.new

# mv aide.db.new aide.db
# ci -u aide.db
     (Assumes you checked it out already.)
     (Works best when you don't gzip output.)