Documentation< Previous | Contents | Next >
Monitoring Files: AIDE
The Advanced Intrusion Detection Environment (AIDE) tool checks file integrity and detects any change against a previously-recorded image of the valid system. The image is stored as a database (/var/lib/aide/aide.db) containing the relevant information on all files of the system (finger- prints, permissions, timestamps, and so on).
You can install AIDE by running apt update followed by apt install aide. You will first initial- ize the database with aideinit; it will then run daily (via the /etc/cron.daily/aide script) to
check that nothing relevant changed. When changes are detected, AIDE records them in log files (/var/log/aide/*.log) and sends its findings to the administrator by email.
Protecting the Database Since AIDE uses a local database to compare the states of the files, the validity of its results is directly linked to the validity of the database. If an attacker gets root permissions on a compromised system, they will be able to replace the database and cover their tracks. One way to prevent this subversion is to store the reference data on read-only storage media.
Protecting the Database Since AIDE uses a local database to compare the states of the files, the validity of its results is directly linked to the validity of the database. If an attacker gets root permissions on a compromised system, they will be able to replace the database and cover their tracks. One way to prevent this subversion is to store the reference data on read-only storage media.
You can use options in /etc/default/aide to tweak the behavior of the aide package. The AIDE configuration proper is stored in /etc/aide/aide.conf and /etc/aide/aide.conf.d/ (ac- tually, these files are only used by update-aide.conf to generate /var/lib/aide/aide.conf. autogenerated). The configuration indicates which properties of which files need to be checked. For instance, the contents of log files changes routinely, and such changes can be ignored as long as the permissions of these files stay the same, but both contents and permissions of executable programs must be constant. Although not very complex, the configuration syntax is not fully intuitive and we recommend reading the aide.conf(5) manual page for more details.
A new version of the database is generated daily in /var/lib/aide/aide.db.new; if all recorded changes were legitimate, it can be used to replace the reference database.
Tripwire is very similar to AIDE; even the configuration file syntax is almost the same. The main addition provided by tripwire is a mechanism to sign the configuration file so that an attacker cannot make it point at a different version of the reference database.
Samhain also offers similar features as well as some functions to help detect rootkits (see the sidebar “The checksecurity and chkrootkit/rkhunter packages” [page 164]). It can also be deployed globally on a network and record its traces on a central server (with a signature).
The checksecurity and checksecurity consists of several small scripts that perform basic checks on the system chkrootkit/rkhunter (searching for empty passwords, new setuid files, and so on) and warn you if these packages conditions are detected. Despite its explicit name, you should not rely solely on it to
make sure a Linux system is secure.
The chkrootkit and rkhunter packages detect certain rootkits potentially installed on the system. As a reminder, these are pieces of software designed to hide the compro- mise of a system while discreetly keeping control of the machine. The tests are not 100 percent reliable but they can usually draw your attention to potential problems.
The checksecurity and checksecurity consists of several small scripts that perform basic checks on the system chkrootkit/rkhunter (searching for empty passwords, new setuid files, and so on) and warn you if these packages conditions are detected. Despite its explicit name, you should not rely solely on it to
make sure a Linux system is secure.
The chkrootkit and rkhunter packages detect certain rootkits potentially installed on the system. As a reminder, these are pieces of software designed to hide the compro- mise of a system while discreetly keeping control of the machine. The tests are not 100 percent reliable but they can usually draw your attention to potential problems.