Debianhelp.co.uk


AIDE (Advanced Intrusion Detection Environment) configuration

What is AIDE?

AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more.It creates a database from the regular expression rules that it finds from the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (md5,sha1,rmd160,tiger,haval,etc.) that are used to check the integrity of the file. More algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions.

Download AIDE

http://sourceforge.net/projects/aide

Supported Platforms

Solaris 2.5.1,2.6,7,8,9,10
Linux 2.x
FreeBSD 2.2.8,3.4
Unixware 7.0.1
BSDi 4.1
OpenBSD 2.6,3.0
AIX 4.2
TRU64 4.0x
HP-UX 11i
Cygwin

Install AIDE in Debian

#apt-get install aide
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
 aide
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 444kB of archives.
After unpacking 1151kB of additional disk space will be used.
Get:1 http://mirror.ox.ac.uk stable/main aide 0.10-6.1sarge2 [444kB]
Fetched 444kB in 1s (414kB/s)
Preconfiguring packages ...
Selecting previously deselected package aide.
(Reading database ... 12784 files and directories currently installed.)
Unpacking aide (from .../aide_0.10-6.1sarge2_i386.deb) ...
Setting up aide (0.10-6.1sarge2) ...

At the time of installation it will ask the following questions and you need to answer as follows

Where should daily reports be mailed?

Daily reports are mailed to root by default. You may change that here or in /etc/default/aide. ok
Initialize aide database? yes

It is advisable for you to first look over /var/lib/aide/aide.db.new file before replacing the existing db. Would you like to replace it anyway?Copy aide.db.new to aide.db? yes

This will complete the installation and the configuration file located at /etc/aide/aide.conf.Check here for default aide.conf file.

The configuration file defines a list of checks, such as the following:

Binlib = p+i+n+u+g+s+b+m+c+md5+sha1

Here we see the check called Binlib is defined as a combination of different tests from the following table:

# Here are all the things we can check - these are the default rules
#
#p:      permissions
#i:      inode
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#md5:    md5 checksum
#sha1:   sha1 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum
#R:      p+i+n+u+g+s+m+c+md5
#L:      p+i+n+u+g
#E:      Empty group
#>:      Growing logfile p+u+g+i+n+S

There are a number of tests defined for different purposes, such as ConfFiles designed to cover things in /etc, Logs for logfiles, etc.

Then these tests are applied to a group of directories.

So my previous example covering most of the important directories looks like this for aide:

# Binaries
/bin            Binlib
/sbin           Binlib
/usr/bin        Binlib
/usr/sbin       Binlib
/usr/local/bin  Binlib
/usr/local/sbin Binlib
/usr/games      Binlib

# Libraries
/lib            Binlib
/usr/lib        Binlib
/usr/local/lib  Binlib

# Logfiles
/var/log$       StaticDir
/var/log        Logs

# Things to ignore
!/dev
!/proc
!/mnt
!/usr/src
!/usr/doc
!/usr/share/doc

Once this is done you can intialise the database, with the following command:

#aideinit

The database, by default, will be placed in /var/lib/aide/aide.db.new. If you're happy with the output you can copy it to the real location for running tests against:

#mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

As before we'll modify a file and then run a test:

#touch /bin/ls

#aide --check

This gives the following output:

AIDE found differences between database and filesystem!!
Start timestamp: 2006-07-20 14:39:45
Summary:
Total number of files=11247,added files=0,removed files=0,changed files=1

Changed files:
changed:/bin/ls

Detailed information about changes:

File: /bin/ls
 Mtime    : 2004-11-30 14:26:18               , 2004-11-30 14:39:39
 Ctime    : 2004-11-30 14:26:18               , 2004-11-30 14:39:39

For more options how to use aide check aide man page and also if you want to know more about aide check aide manual