S-38.153 exercise: Advanced Intrusion Detection Environment

Table of contents
1 Introduction
2 Operation
3 Installation
4 Configuration
5 Usage
6 Exercise
7 Solution
1 Introduction

Advanced Intrusion Detection Environment (AIDE) is a system designed to check a host for possible intrusions. This document focuses on how to use AIDE and how to configure it for intrusion detection. First the operation of AIDE is explained, then its installation and usage. Finally, an exercise and its solution are documented.
2 Operation

There are several different approaches to intrusion detection. Network IDSes follow the network traffic and try to make educated guesses about possible intrusions. Then there are intrusion detection systems based on file system integrity. These store the initial state of the files and later allow checks for possible changes in the system.
These intrusion detection systems usually work by allowing the administrator to take snapshots of the system. In practice this means that before a system is put online, everything (or almost everything) concerning the state of its files is logged to a database for future comparison.
If at some point the administrator suspects a possible intrusion, he can check the current state of the files against the initial snapshot. This makes it easy to see whether some core files have been modified or replaced altogether.
AIDE works exactly like this and it is easy to use. It also offers an easy way of configuring it and customizing its rules. AIDE works by creating a snapshot of the files of the system: it records timestamps, permissions, sizes and checksums of the selected files. Since AIDE offers md5, sha1, rmd160 and tiger checksums, it is quite hard to tamper with a file without the database revealing it.
Figures 1 and 2 show the operation of AIDE.
3 Installation

Before you install AIDE make sure you have the following tools: GCC (or some other ANSI C compiler), GNU Flex, Bison and Make. These are usually installed on every system. You also need mhash, which you can download from http://schumann.cx/mhash/
Use gunzip and tar to unpack the mhash package and install it. Here are the steps:
tar -xvf mhash-0.8.17.tar
go to the mhash directory
AIDE is easy to install. Follow these steps to perform the installation:
Download the latest version (0.9 was the newest when writing this document). It can be downloaded from ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.9.tar.gz
Unpack the package (gunzip aide-0.9.tar.gz && tar -xvf aide-0.9.tar)
su to root, i.e.: su -
Go to the main AIDE directory
Compile AIDE with
4 Configuration

AIDE is configured using the aide.conf file. AIDE offers three types of configuration lines, namely configuration lines, selection lines and macro lines.
Configuration lines are used to set configuration parameters and variables. Selection lines are used to name the files included in the database, and macro lines to define and undefine variables.
AIDE can check the following things (first the configuration keyword, then its meaning):
n: number of links
b: block count
S: check for growing size
md5: md5 checksum
sha1: sha1 checksum
rmd160: rmd160 checksum
tiger: tiger checksum
E: Empty group
>: Growing logfile p+u+g+i+n+S
(A # starts a comment.)
In the configuration files you can also create custom rules such as:
ToughRule = p+i+n+u+g+m+c+s+b+tiger+md5+sha1
Then you have to decide what you want to include in the database:
/etc p+u+g #check permissions, user and group for etc
!/var/log/.* # don't check the log dir
Usually you want to include files which are critical for the system, which are most often replaced by trojaned versions, or which are most prone to worms, trojans and the like.
What you probably don't want to include in the configuration file are files which change often, such as log files.
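To make the rule and selection syntax above concrete, here is a small added example (not part of the exercise or of AIDE itself) that parses the three kinds of lines into parameters, rule groups and selection rules, then answers which attributes a given path would be checked with. The set of parameter names, the precedence of negative lines over regular ones, and the handling of several matching regular lines are assumptions of this example, not documented AIDE behaviour.

```python
import re

# Attribute keywords from the page's list plus AIDE's single-letter ones for
# permissions (p), inode (i), user (u), group (g), size (s) and m/a/c times.
ATTRS = {"p", "i", "n", "u", "g", "s", "b", "m", "a", "c", "S",
         "md5", "sha1", "rmd160", "tiger", "E"}
CONFIG_KEYS = {"database", "database_out", "gzip_dbout", "report_url", "verbose"}

def expand(rule, groups):
    """Expand 'p+u+g' or 'ToughRule' into the set of attribute keywords it names."""
    attrs = set()
    for tok in (t.strip() for t in rule.split("+")):
        if tok in groups:
            attrs |= groups[tok]
        elif tok in ATTRS:
            attrs.add(tok)
        else:
            raise ValueError(f"unknown attribute or group: {tok!r}")
    return attrs

def parse_config(text):
    """Split an aide.conf into parameters, rule groups and ordered selection lines."""
    params, groups, selections = {}, {">": expand("p+u+g+i+n+S", {})}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line or line.startswith("@@"):      # macro lines are not handled here
            continue
        if line[0] in "/!":                        # selection line: regex, optional rule
            negated = line[0] == "!"
            path, _, rule = line.lstrip("!").partition(" ")
            attrs = expand(rule, groups) if rule.strip() else set()
            selections.append((negated, re.compile("^" + path), attrs))
        else:                                      # configuration line or rule definition
            key, _, value = (s.strip() for s in line.partition("="))
            if key in CONFIG_KEYS:
                params[key] = value
            else:
                groups[key] = expand(value, groups)
    return params, groups, selections

def attributes_for(path, selections):
    """Attributes recorded for `path`, or None if it is excluded. Assumed precedence:
    a matching negative line excludes; otherwise the last matching regular line wins."""
    chosen = None
    for negated, rx, attrs in selections:
        if rx.match(path):
            if negated:
                return None
            chosen = attrs
    return chosen
```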
5 Usage

AIDE is very easy and straightforward to use. To create the AIDE database (a snapshot of the system as specified in the configuration file), type:
/> aide --init
The created database, the AIDE binaries and the configuration files SHOULD then be placed on some secure media, in case an attacker manages to change the database and/or the binaries of the AIDE system.
When you want to check your system you should type:
/> aide --check
on the command line. This will check the current state of the files against the initial database and produce a report of the differences.
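As an added illustration of the init/check cycle described in sections 2 and 5 (example code, not AIDE's own), the following Python replays the snapshot-and-compare logic on a scratch directory: it records the page's attributes (permissions, owner, size, mtime, links, inode, checksum) per file, then reports added, removed and changed files the way the aide --check report does. The attribute keywords and the README rename follow the page; the temporary directory, its sample file contents and the extra in-place edit of aide.conf are constructed for the example.

```python
import hashlib, os, stat, tempfile

DEFAULT = ("p", "u", "g", "s", "m", "n", "i", "sha1")  # attribute keywords as listed on the page

def digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def file_record(path, attrs):
    """One database entry: the requested attributes of a single file."""
    st = os.lstat(path)
    getters = {"p": lambda: stat.S_IMODE(st.st_mode), "u": lambda: st.st_uid,
               "g": lambda: st.st_gid, "s": lambda: st.st_size,
               "m": lambda: int(st.st_mtime), "n": lambda: st.st_nlink,
               "i": lambda: st.st_ino, "md5": lambda: digest(path, "md5"),
               "sha1": lambda: digest(path, "sha1")}
    return {a: getters[a]() for a in attrs}

def init_db(root, attrs=DEFAULT):
    """Like `aide --init`: snapshot every regular file below root (symlinks skipped)."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(p).st_mode):
                db[p] = file_record(p, attrs)
    return db

def check(db, root, attrs=DEFAULT):
    """Like `aide --check`: compare the filesystem now against the stored snapshot."""
    now = init_db(root, attrs)
    return {"added": sorted(set(now) - set(db)),
            "removed": sorted(set(db) - set(now)),
            "changed": {p: [a for a in attrs if db[p][a] != now[p][a]]
                        for p in set(db) & set(now) if db[p] != now[p]}}

def demo():
    """Replay the exercise in a scratch dir: snapshot, rename README, edit aide.conf, check."""
    root = tempfile.mkdtemp()
    for name in ("README", "aide.conf"):
        with open(os.path.join(root, name), "w") as f:
            f.write(f"constructed sample content of {name}\n")
    db = init_db(root)
    os.rename(os.path.join(root, "README"), os.path.join(root, "readME.ME"))
    with open(os.path.join(root, "aide.conf"), "a") as f:
        f.write("/tmp/evil R\n")
    return check(db, root)
```

A rename shows up as one added and one removed entry, exactly as in the exercise report, while an in-place edit shows up as a changed entry listing the attributes (size and checksum here) that no longer match.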
6 Exercise

The exercise familiarizes the user with the AIDE system, its installation, usage and logic by simulating an attacker-originated change in the system. In this case only a README file is changed, but in a real case this could be some system-critical service.
The exercise is to download, install and configure AIDE and to simulate an attack. To summarize, perform the following:
Download and install AIDE
Configure AIDE to check only the AIDE installation files. So write a configuration file of your own which describes the environment of the snapshot. Also make sure that file changes are checked.
Init the AIDE database.
Rename the README file found in the AIDE main directory to readME.ME (this simulates a change in the system).
Perform a check against the database and read the report.
Using the same logic, you could try to init your database over the system-critical directories and then place a rootkit in there to see it detected!
7 Solution

Download the mhash package and the AIDE files. Run ./configure, make and make install as root.
This should then be the contents of the aide.conf file (there may be variations):
# AIDE 0.9
# example configuration file
# IMPORTANT NOTE!! PLEASE READ
# This configuration file checks the integrity of the
# AIDE package.
# This file is not intended to be used as the primary aide.conf file for
# your system. This file is intended to be a showcase for different
# features for aide.conf file.
# WRITE YOUR OWN CONFIGURATION FILE AND UNDERSTAND WHAT YOU ARE WRITING
# Default values for the parameters are in comments before the
# corresponding line.
# The location of the database to be read.
database=file:[YOUR CHOSEN DATABASE PATH]/aide.db.new
# The location of the database to be written.
database_out=file:[YOUR CHOSEN DATABASE PATH]/aide.db.new
# Whether to gzip the output to database
# (the value below is assumed; the line was missing from this copy of the file)
gzip_dbout=no
#NOT IMPLEMENTED report_url=mailto:firstname.lastname@example.org
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
# Here are all the things that can be checked:
#n: number of links
#b: block count
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#E: Empty group
#>: Growing logfile p+u+g+i+n+S
#The following are available if you have mhash support enabled.
#haval: haval checksum
#gost: gost checksum
#crc32: crc32 checksum
# Rule definition
# (the definition of Norm used by the selection line below was missing from
# this copy; a size + link count + checksum rule is assumed here)
Norm = s+n+b+md5+sha1+rmd160+tiger
# ignore_list is a special rule definition
# the attributes listed in it are not displayed in the
# final report
# Quite strict check
# The commented rules are just examples the rest are used by
# make check
#Selection regexp rule
[PATH OF INSTALLATION]/aide-0.9/*.* Norm
Then initialize the database by typing:
/> aide --init
Rename README to readME.ME (mv README readME.ME) and run the check:
/> aide --check
You should see something like:
[root@mymachine myuser]# aide --check
WARNING:Input and output database urls are the same.
open_dir():No such file or directory: [PATH OF INSTALLATION]/aide-0.9/README
Not implemented in db_readline_file 310
"@@end_db"AIDE found differences between database and filesystem!!
Start timestamp: 2002-10-04 21:01:17
Total number of files=130,added files=1,removed files=1,changed files=0
added:[PATH OF INSTALLATION]/aide-0.9/readME.ME
removed:[PATH OF INSTALLATION]/aide-0.9/README