Page 1: AIDE
Timothy J. Bruce
21 September 2010
For the Portland Linux/Unix Group (PLUG)
Protecting your file system

Page 2: Intro
What is AIDE / What does it do
Why do I need it
Configuration
Results
Issues / Limitations
Competing Solutions
Why did I Select AIDE?
Conclusion
References

Page 3: What is AIDE?
What does AIDE stand for? Advanced Intrusion Detection Environment
What is it? An Intrusion Detection System
What does it do? A File Integrity Checker: it saves results and compares later scans against the known database

Page 4: Why do I need it?
To monitor for files that have changed (hacking / break-in)
To identify whether there are unauthorized changes (SOX / HIPAA / PCI auditing / internal audit)

Page 5: What does it Check?
File Permissions
Inode
Number of Links
Link Name
File Owner
Group Owner
Size
Block count
MTime/ATime/CTime
Growing Size
Option to ignore changed filename
ACL
SELinux (SELinux security context)
Xattr (Extended file attributes)
Checksums

Page 6: Supported Checksums
md5, sha1, sha256, sha512, rmd160, tiger, haval, crc32
If enabled (through mhash support during compile): gost, whirlpool

Page 7: Configuration
/etc/aide/aide.conf: database, database_out, permission "macros"
/etc/aide/aide.conf.d/*: files contain
  file / permission
  directory / permission

Page 8: aide.conf
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
Checksums = md5+sha1+crc32+tiger
OwnerMode = p+u+g
Size = s+b
InodeData = OwnerMode+n+i+Size
StaticFile = m+c+Checksums

Page 9: aide.conf (cont'd)
Full = InodeData+StaticFile
VarFile = OwnerMode+n
VarDir = OwnerMode+n+i
RotatedLogs = Full+I
Logs = OwnerMode+n+S

Page 10: Configuration Files
Specific to the installed program, to identify locations to scan/ignore (Ubuntu)
Regex matching on filename / directory name
Equality matching using "=" as the first character
Exclusion by ! as the first character
filename RULE
directory RULE
Read the documentation for rule complexity / building

Page 11: 31_aide_initscripts
/var/lib/urandom/random-seed$ VarFile
/var/lib/(urandom|initscripts)$ VarDir
/var/log/dmesg$ VarFile
/var/log/dmesg\.0$ LowLogs
/var/log/dmesg\.1\.gz$ RotatedLogs+ANF
/var/log/dmesg\.[23]\.gz$ RotatedLogs
/var/log/dmesg\.4\.gz$ RotatedLogs+ARF
/var/log/fsck/check(root|fs)$ VarFile
/var/run/motd$ VarFile
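As an added worked example (not from the talk or from the AIDE project), here is a small Python resolver for the group macros on pages 8 and 9 and the selection-line syntax on pages 10 and 11: it expands a nested expression such as RotatedLogs+ANF down to the primitive attribute letters that will be checked, and classifies a selection line by its leading "=" or "!" character. The + and - operators and the two prefixes follow the slides; how AIDE orders overlapping regexes is not modelled here.

```python
import re
from typing import Dict, FrozenSet, Tuple

# Group (macro) lines transcribed from the aide.conf slides; the database=
# directives are omitted because they are not attribute groups.
AIDE_CONF = """\
Checksums = md5+sha1+crc32+tiger
OwnerMode = p+u+g
Size = s+b
InodeData = OwnerMode+n+i+Size
StaticFile = m+c+Checksums
Full = InodeData+StaticFile
VarFile = OwnerMode+n
VarDir = OwnerMode+n+i
RotatedLogs = Full+I
Logs = OwnerMode+n+S
"""

def parse_groups(conf: str) -> Dict[str, str]:
    """Collect 'Name = expr' lines; expressions are tokens joined by + or -."""
    groups: Dict[str, str] = {}
    for line in conf.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*([\w+\-]+)\s*$", line)
        if m:
            groups[m.group(1)] = m.group(2)
    return groups

def expand(expr: str, groups: Dict[str, str], _seen: Tuple[str, ...] = ()) -> FrozenSet[str]:
    """Resolve an expression such as 'RotatedLogs+ANF' or 'Logs-g' to the
    primitive attributes it selects, expanding nested groups recursively."""
    result = set()
    for sign, token in re.findall(r"([+-]?)(\w+)", expr):
        if token in groups:
            if token in _seen:
                raise ValueError(f"cyclic group definition: {token}")
            members = expand(groups[token], groups, _seen + (token,))
        else:
            members = {token}  # a primitive attribute: p, u, md5, I, ANF, ...
        result = result - members if sign == "-" else result | members
    return frozenset(result)

def parse_selection(line: str, groups: Dict[str, str]):
    """Split a selection line into (kind, regex, attributes): a leading '='
    marks an equality match, '!' an exclusion, otherwise a regular regex rule."""
    line = line.strip()
    kind = {"=": "equals", "!": "negative"}.get(line[0], "regular")
    parts = line.lstrip("=!").split(None, 1)
    rule = parts[1] if len(parts) > 1 else ""
    return kind, parts[0], expand(rule, groups) if rule else frozenset()
```

Feeding the 31_aide_initscripts lines above through parse_selection(line, parse_groups(AIDE_CONF)) shows exactly which fields each path will be checked on.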

Page 12: Results
Email Results
AIDE found differences between database and filesystem!!
Start timestamp: 2010-09-21 10:56:51
Summary:
  Total number of files: 370
  Added files: 75
  Removed files: 2
  Changed files: 52

Page 13: Results
---------------------------------------------------
Added files:
---------------------------------------------------
added: /var/log/apache2/error.log.12.gz
added: /var/log/apache2/error.log.5.gz
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /var/log/daemon.log.5.gz
removed: /var/log/daemon.log.6.gz
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /var/log/aide/aide.log.2.gz
changed: /var/log/aide/aide.log.4.gz

Page 14: Results
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /var/log/aide/aide.log.2.gz
Size      : 16319 , 17841
Bcount    : 32 , 40
Mtime     : 2009-12-09 10:25:20 , 2010-09-14 10:26:12
Ctime     : 2009-12-14 10:25:27 , 2010-09-21 10:25:54
Inode     : 191245 , 191257
MD5       : o83Sbw573PYSUTkBkVs/FQ== , KDnwIZ7cmoML6IQWUSjTyA==
...
WHIRLPOOL : EXaR0CgV2Z4DF3M62thbKUp+VRjtsBuo , RXPMG/LGk+ie+nIXAnS4s3KEJU1rfjBj
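To show what "compares later scans against the known database" (page 3) and the old/new pairs on this slide amount to, here is an added Python sketch, not AIDE's own code: it snapshots the stat fields from page 5 plus a SHA-256 per file and diffs two snapshots into the same added/removed/changed layout. The field labels mirror the report; the ignore parameter is my own addition for dropping noisy timestamps.

```python
import hashlib
import os

def file_attrs(path: str) -> dict:
    """Record the inode fields AIDE compares (page 5) plus one checksum."""
    st = os.lstat(path)
    attrs = {
        "Size": st.st_size, "Bcount": st.st_blocks, "Perm": oct(st.st_mode),
        "Uid": st.st_uid, "Gid": st.st_gid, "Lcount": st.st_nlink,
        "Inode": st.st_ino, "Mtime": int(st.st_mtime), "Ctime": int(st.st_ctime),
    }
    if os.path.isfile(path) and not os.path.islink(path):
        with open(path, "rb") as f:
            attrs["SHA256"] = hashlib.sha256(f.read()).hexdigest()
    return attrs

def snapshot(root: str) -> dict:
    """Build the 'database': attributes for every entry below root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_attrs(full)
    return db

def compare(old: dict, new: dict, ignore=()) -> dict:
    """Diff two snapshots into added/removed/changed, with (old, new) value
    pairs per differing attribute; 'ignore' drops fields such as Mtime."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for path in sorted(set(old) & set(new)):
        diffs = {k: (old[path][k], new[path].get(k)) for k in old[path]
                 if k not in ignore and old[path][k] != new[path].get(k)}
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}

def format_report(report: dict) -> str:
    """Render in the layout of the AIDE mail shown on the results slides."""
    lines = [f"Added files: {len(report['added'])}",
             f"Removed files: {len(report['removed'])}",
             f"Changed files: {len(report['changed'])}", "-" * 50]
    lines += [f"added: {p}" for p in report["added"]]
    lines += [f"removed: {p}" for p in report["removed"]]
    for path, diffs in report["changed"].items():
        lines.append(f"File: {path}")
        lines += [f"{k:<9}: {o} , {n}" for k, (o, n) in diffs.items()]
    return "\n".join(lines)
```

Because the check only compares the live tree against a stored snapshot, a change is reported the next time compare runs, not when it happens, which is the "after the fact" limitation the talk notes on page 15.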

Page 15: Issues / Limitations
Determines changes AFTER the fact
Does not prevent a file from being altered
Requires reading the logs / emails

Page 16: Competing Solutions
Tripwire
RealEyes IDS (Real-Time)
Snort
FAM – File Access Monitoring
AppArmor
SELinux

Page 17: Why did I select AIDE?
Free / Open Source
Concerns with Tripwire
Quick Solution
• Easy to configure
• Want to know what's broken / what was changed
• Didn't have to learn a lot… build new rules / restart

Page 18: Conclusion
What it is
Configuration
Sample Results
Issues / Limitations
Competing Products / Solutions

Page 19: Security Thoughts
Do not assume anything
Trust no-one, nothing
Nothing is secure
Security is a trade-off with usability
Paranoia is your friend
http://www.cs.tut.fi/~rammer/aide/manual.html

Page 20: References
http://www.cs.tut.fi/~rammer/aide.html
http://www.cs.tut.fi/~rammer/aide/manual.html
http://sourceforge.net/projects/aide/

Page 21: System Security
Turn this around…
What do you use?
Why?