Intrusion detection Setup with AIDE (Advanced Intrusion Detection Environment)

Printer-friendly versionPDF version

So after my server was compromised by the shell shock vulnerability, I had no way of knowing what was compromised. What follows next is way to find what has changed on your system/server when you are compromised.
AIDE is a tool that helps you in that. Under debian "apt-get insall aide" gets it on your system. Debain provides a whole set of ready to go configurations for you. You can go over them under directory "/etc/aide/aide.conf.d" and the file "/etc/aide/aide.conf". Under debian these files generate a configuration file under "/var/lib/aide/aide.conf.autogenerated". This is the config file you are going to use with your aide commands with the --config flag.
If you want to regenerate this file after changing some settings you can do this as below:

update-aide.conf

So start using aide you need to initialize your database as below:

root@ahsanscorner:/ # aideinit
Overwrite existing /var/lib/aide/aide.db.new [Yn]? Y
Running aide --init...

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new initialized.

Overwrite /var/lib/aide/aide.db [yN]? y

To see the configuration file being used to initialize the database you can run the following command in another terminal while the aideinit script is running. You'll see that "aideinit" is just a wrapper script for convenience. When you manually use aide even with the aide --init option you need to use the configuration file shown by pgrep explicitly.

root@ahsanscorner:/# pgrep -fl aide
1594 /bin/sh /usr/sbin/aideinit
2225 /bin/sh /usr/bin/aide.wrapper --init
2868 /usr/bin/aide --config /var/lib/aide/aide.conf.autogenerated --init

You need to initialize your database before you stick it to a network. Than as a best practice copy the database over to another machine or media which you can later use for integrity checks. You can call it your master database.
To run an integrity check on your server at some later point in time, you need the master database that the aideinit script created and moved to location "/var/lib/aide/aide.db" above. Assuming you did not move the file you can run the following command for integrity checks. If you moved it to another media/location than copy it back and run below :

#--check option below is optional
aide --config /var/lib/aide/aide.conf.autogenerated --check

AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2015-02-17 15:47:01

Summary:
Total number of files: 168483
Added files: 0
Removed files: 0
Changed files: 71

Changed files:

d =.... mc.. .. .: /etc/backup.d
f =.... mci.... .: /etc/backup.d/20-blog.tar

Detailed information about changes:

Directory: /etc/backup.d
Mtime : 2015-02-17 13:12:24 , 2015-02-17 15:13:01
Ctime : 2015-02-17 13:12:24 , 2015-02-17 15:13:01

File: /etc/backup.d/20-blog.tar
Mtime : 2015-02-17 13:12:24 , 2015-02-17 15:13:01
Ctime : 2015-02-17 13:12:24 , 2015-02-17 15:13:01
Inode : 1327106 , 35889

From time to time you might want to update your master database. For this you can do as below :

aide --config /var/lib/aide/aide.conf.autogenerated --update

The input and output databases in the update case will be different.
 
If you want to free up your server resources for comparison of databases, you can regenerate the aide db every time on your server. Copy it over to another machine. Than use aide to compare option to compare the 2 databases as below :

aide --compare --config=./aide.conf

The contents of aide.conf look like below:

database=file:/aide.db.master
database_new=file:/aide.db.new

From time to time you might want to update your original database. But don't replace the orignial just immediately, go through what has changed between the master copy and the updated copy. Than you might want to promote it to your master copy. Even then I probably keep the database with different date stamps. Space is cheap.
I will show you how I back up my web server soon. I am going to make aide integrity checking part of the procedure. So stay tuned for updates.

Tags:

Top level category:

Add new comment