Transcript AIDE
AIDE: Protecting your file system
Timothy J. Bruce
21 September 2010
For the Portland Linux/Unix Group (PLUG)

Intro
- What is AIDE / What does it do
- Why do I need it
- Configuration
- Results
- Issues / Limitations
- Competing Solutions
- Why did I Select AIDE?
- Conclusion
- References

What is AIDE?
- What does AIDE stand for? Advanced Intrusion Detection Environment
- What is it? An Intrusion Detection System
- What does it do? A file integrity checker: saves results and compares later scans against the known database

Why do I need it?
- To monitor for files that have changed
- Hacking / break-in
- Identify whether there are unauthorized changes (SOX / HIPAA / PCI auditing / internal audit)

What does it check?
- File permissions
- Inode
- Number of links
- Link name
- File owner
- Group owner
- Size
- Block count
- MTime / ATime / CTime
- Growing size
- Option to ignore changed filename
- ACL
- SELinux security context
- Xattr (extended file attributes)
- Checksums

Supported checksums
- md5, sha1, sha256, sha512, rmd160, tiger, haval, crc32
- If enabled (through mhash support during compile): gost, whirlpool

Configuration
- /etc/aide/aide.conf
  - database
  - database_out
  - Permission "macros"
- /etc/aide/aide.conf.d/*
  - Files contain: file / permission, directory / permission

aide.conf
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

Checksums  = md5+sha1+crc32+tiger
OwnerMode  = p+u+g
Size       = s+b
InodeData  = OwnerMode+n+i+Size
StaticFile = m+c+Checksums

aide.conf (cont'd)
Full        = InodeData+StaticFile
VarFile     = OwnerMode+n
VarDir      = OwnerMode+n+i
RotatedLogs = Full+I
Logs        = OwnerMode+n+S
Configuration files
- Specific to each installed program, to identify locations to scan / ignore (Ubuntu)
- Regex matching on filename / directory name
- Equality matching using "=" as the first character
- Exclusion using "!" as the first character
- Lines take the form: filename RULE / directory RULE
- Read the documentation for rule complexity / building

31_aide_initscripts
/var/lib/urandom/random-seed$     VarFile
/var/lib/(urandom|initscripts)$   VarDir
/var/log/dmesg$                   VarFile
/var/log/dmesg\.0$                LowLogs
/var/log/dmesg\.1\.gz$            RotatedLogs+ANF
/var/log/dmesg\.[23]\.gz$         RotatedLogs
/var/log/dmesg\.4\.gz$            RotatedLogs+ARF
/var/log/fsck/check(root|fs)$     VarFile
/var/run/motd$                    VarFile

Results
- Email results:

AIDE found differences between database and filesystem!!
Start timestamp: 2010-09-21 10:56:51

Summary:
  Total number of files: 370
  Added files:           75
  Removed files:         2
  Changed files:         52

Results (cont'd)
--------------------------------------------------
Added files:
--------------------------------------------------
added: /var/log/apache2/error.log.12.gz
added: /var/log/apache2/error.log.5.gz

--------------------------------------------------
Removed files:
--------------------------------------------------
removed: /var/log/daemon.log.5.gz
removed: /var/log/daemon.log.6.gz

--------------------------------------------------
Changed files:
--------------------------------------------------
changed: /var/log/aide/aide.log.2.gz
changed: /var/log/aide/aide.log.4.gz
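An added example (not from the talk, and not AIDE's own code) showing how the macro definitions on the aide.conf slides expand to atomic attributes and how the prefix, "=" and "!" rule forms from the configuration-files slides pick a rule for a path. The one-letter attribute meanings, the rule precedence (exclusions win, then the first matching line) and the helper names parse_macros, expand and select_rule are assumptions modelled on the slides.

```python
import re
# Constructed aide.conf fragment using the macro definitions from the slides.
# Assumption: the one-letter attributes are AIDE's (p perms, u user, g group,
# n link count, i inode, s size, b blocks, m mtime, c ctime, S growing size,
# I ignore changed filename).
AIDE_CONF = """
Checksums = md5+sha1+crc32+tiger
OwnerMode = p+u+g
Size = s+b
InodeData = OwnerMode+n+i+Size
StaticFile = m+c+Checksums
Full = InodeData+StaticFile
VarFile = OwnerMode+n
VarDir = OwnerMode+n+i
RotatedLogs = Full+I
Logs = OwnerMode+n+S
"""

# Constructed rules modelled on 31_aide_initscripts: plain line = prefix regex, "=" = whole name, "!" = exclude.
RULES = r"""
!/var/log/dmesg\.0$
/var/log/dmesg\.[23]\.gz$ RotatedLogs
/var/log/dmesg VarFile
=/var/lib/urandom$ VarDir
"""

def parse_macros(text):
    macros = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            macros[name] = value
    return macros

def expand(rule, macros):
    """Replace macro names recursively until only atomic attributes remain."""
    attrs = set()
    for token in rule.split("+"):
        attrs |= expand(macros[token], macros) if token in macros else {token}
    return frozenset(attrs)

def select_rule(path, rules_text, macros):
    """Attributes recorded for path, or None if excluded / unmatched (assumed precedence)."""
    lines = [l.split() for l in rules_text.splitlines() if l.strip()]
    if any(re.match(l[0][1:], path) for l in lines if l[0].startswith("!")):
        return None
    for regex, rule in (l for l in lines if not l[0].startswith("!")):
        match = re.fullmatch if regex.startswith("=") else re.match
        if match(regex.lstrip("="), path):
            return expand(rule, macros)
    return None
```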
Results (cont'd)
--------------------------------------------------
Detailed information about changes:
--------------------------------------------------
File: /var/log/aide/aide.log.2.gz
  Size     : 16319 , 17841
  Bcount   : 32 , 40
  Mtime    : 2009-12-09 10:25:20 , 2010-09-14 10:26:12
  Ctime    : 2009-12-14 10:25:27 , 2010-09-21 10:25:54
  Inode    : 191245 , 191257
  MD5      : o83Sbw573PYSUTkBkVs/FQ== , KDnwIZ7cmoML6IQWUSjTyA==
  …
  WHIRLPOOL: EXaR0CgV2Z4DF3M62thbKUp+VRjtsBuo , RXPMG/LGk+ie+nIXAnS4s3KEJU1rfjBj

Issues / Limitations
- Determines changes AFTER the fact
- Does not prevent a file from being altered
- Requires reading the logs / emails

Competing solutions
- Tripwire
- RealEyes IDS (real-time)
- Snort
- FAM (File Access Monitoring)
- AppArmor
- SELinux

Why did I select AIDE?
- Free / open source
- Concerns with Tripwire
- Quick solution
  - Easy to configure
  - Want to know what's broken / what was changed
  - Didn't have to learn a lot… build new rules / restart

Conclusion
- What it is
- Configuration
- Sample results
- Issues / Limitations
- Competing products / solutions

Security thoughts
- Do not assume anything
- Trust no-one, nothing
- Nothing is secure
- Security is a trade-off with usability
- Paranoia is your friend
http://www.cs.tut.fi/~rammer/aide/manual.html

References
- http://www.cs.tut.fi/~rammer/aide.html
- http://www.cs.tut.fi/~rammer/aide/manual.html
- http://sourceforge.net/projects/aide/

System security
- Turn this around…. What do you use? Why?
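The baseline-then-compare cycle behind the results slides (summary, added/removed/changed lists, old and new attribute values), as an added Python example rather than AIDE itself. The directory contents, the tampering and the helper names fingerprint, build_database, compare and demo are constructed for illustration; the attribute names follow the sample report on the slides.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Per-file attributes in the style of the report: size, blocks, times, inode, checksum."""
    st = os.lstat(path)
    rec = {"Size": st.st_size, "Bcount": getattr(st, "st_blocks", 0),
           "Mtime": int(st.st_mtime), "Ctime": int(st.st_ctime), "Inode": st.st_ino}
    if os.path.isfile(path) and not os.path.islink(path):
        with open(path, "rb") as f:
            rec["SHA256"] = hashlib.sha256(f.read()).hexdigest()
    return rec

def build_database(root):
    """Walk root and keep one fingerprint per file, keyed by relative path (the database)."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db

def compare(old, new):
    """Added / removed / changed files, with (old, new) values for every changed attribute."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)), "changed": {}}
    for path in set(old) & set(new):
        diffs = {k: (old[path][k], new[path].get(k)) for k in old[path]
                 if old[path][k] != new[path].get(k)}
        if diffs:
            report["changed"][path] = diffs
    return report

def demo():
    """Constructed scenario: take a baseline, tamper with the tree, then re-check."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("etc/passwd", b"root:x:0:0\n"), ("bin/ls", b"ELF")):
            os.makedirs(os.path.join(root, os.path.dirname(name)), exist_ok=True)
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_database(root)                 # corresponds to aide --init
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"ELF trojaned")                    # changed file
        os.remove(os.path.join(root, "etc/passwd"))     # removed file
        with open(os.path.join(root, "etc/shadow"), "wb") as f:
            f.write(b"root:!:0\n")                     # added file
        return compare(baseline, build_database(root))  # corresponds to aide --check
```

Like AIDE, this only reports after the fact: the change is already on disk, and the report still has to be read by someone.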