
AIDE

AIDE. Protecting your file system. Timothy J. Bruce 21 September 2010 For the Portland Linux/Unix Group (PLUG). Intro. What is AIDE / What does it do Why do I need it Configuration Results Issues / Limitations Competing Solutions Why did I Select AIDE? Conclusion References.


Presentation Transcript


  1. AIDE: Protecting your file system. Timothy J. Bruce, 21 September 2010. For the Portland Linux/Unix Group (PLUG).

  2. Intro
  • What is AIDE / What does it do
  • Why do I need it
  • Configuration
  • Results
  • Issues / Limitations
  • Competing Solutions
  • Why did I Select AIDE?
  • Conclusion
  • References

  3. What is AIDE?
  What does AIDE stand for? Advanced Intrusion Detection Environment
  What is it? An Intrusion Detection System
  What does it do? A File Integrity Checker: it saves results and compares later scans against the known database

  4. Why do I need it?
  • To monitor for files that have changed (hacking / break-in)
  • Identify if there are unauthorized changes (SOX / HIPAA / PCI Auditing / Internal Audit)

  5. What does it check?
  • File permissions
  • Inode
  • Number of links
  • Link name
  • File owner
  • Group owner
  • Size
  • Block count
  • Mtime / Atime / Ctime
  • Growing size
  • Option to ignore changed filename
  • ACL
  • SELinux (SELinux security context)
  • Xattr (extended file attributes)
  • Checksums

  6. Supported Checksums
  md5, sha1, sha256, sha512, rmd160, tiger, haval, crc32
  If enabled (through mhash support during compile): gost, whirlpool

  7. Configuration
  • /etc/aide/aide.conf: database, database_out, permission "macros"
  • /etc/aide/aide.conf.d/*: files contain "file / permission" and "directory / permission" lines

  8. Aide.conf
  database=file:/var/lib/aide/aide.db
  database_out=file:/var/lib/aide/aide.db.new
  Checksums = md5+sha1+crc32+tiger
  OwnerMode = p+u+g
  Size = s+b
  InodeData = OwnerMode+n+i+Size
  StaticFile = m+c+Checksums

  9. Aide.conf (cont'd)
  Full = InodeData+StaticFile
  VarFile = OwnerMode+n
  VarDir = OwnerMode+n+i
  RotatedLogs = Full+I
  Logs = OwnerMode+n+S

  10. Configuration Files
  • Specific to the installed program, to identify locations to scan / ignore (Ubuntu)
  • Regex matching on filename / directory name
  • Equality matching using "=" as the first character
  • Exclusion by "!" as the first character
  Line format: filename RULE or directory RULE
  • Read the documentation for rule complexity / building

  11. 31_aide_initscripts
  /var/lib/urandom/random-seed$ VarFile
  /var/lib/(urandom|initscripts)$ VarDir
  /var/log/dmesg$ VarFile
  /var/log/dmesg\.0$ LowLogs
  /var/log/dmesg\.1\.gz$ RotatedLogs+ANF
  /var/log/dmesg\.[23]\.gz$ RotatedLogs
  /var/log/dmesg\.4\.gz$ RotatedLogs+ARF
  /var/log/fsck/check(root|fs)$ VarFile
  /var/run/motd$ VarFile
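An added example, not from the talk and not AIDE's own code, that models how the macros of slides 8 and 9 and the selection lines of slides 10 and 11 fit together: it parses a constructed config excerpt, expands a macro such as Full into its attribute letters, and decides which rule a given path receives. The precedence it applies between "!", "=" and regular lines is a simplified assumption; the exact semantics are in the AIDE manual cited on slide 20.

```python
import re

# Constructed excerpt modelled on the aide.conf macros and 31_aide_initscripts lines on the slides.
CONF = r"""
Checksums = md5+sha1+crc32+tiger
OwnerMode = p+u+g
Size = s+b
InodeData = OwnerMode+n+i+Size
StaticFile = m+c+Checksums
Full = InodeData+StaticFile
VarFile = OwnerMode+n
VarDir = OwnerMode+n+i
RotatedLogs = Full+I
/var/lib/urandom/random-seed$ VarFile
/var/lib/(urandom|initscripts)$ VarDir
!/var/log/dmesg\.1\.gz$
/var/log/dmesg\.[23]\.gz$ RotatedLogs
=/var/run$ VarDir
/var/log Full
"""

def parse(text):
    """Split config into macro definitions and (kind, compiled regex, rule) selection lines."""
    macros, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"): continue
        if line[0] in "/!=":  # selection line: '!' excludes, '=' is an equality match
            kind = {"!": "exclude", "=": "equal"}.get(line[0], "regular")
            parts = line.lstrip("!=").split()
            rules.append((kind, re.compile("^" + parts[0]), parts[1] if len(parts) > 1 else None))
        elif "=" in line:  # macro definition such as Full = InodeData+StaticFile
            name, expr = (p.strip() for p in line.split("=", 1))
            macros[name] = expr
    return macros, rules

def expand(macros, expr):
    """Expand a macro name or a+b expression into the set of leaf attribute names."""
    attrs = set()
    for tok in expr.split("+"):
        attrs |= expand(macros, macros[tok]) if tok in macros else {tok}
    return attrs

def select(rules, path):
    """Rule for path or None. Assumed, simplified precedence: '!' excludes, then first '=' (full) or regular (prefix) match."""
    if any(k == "exclude" and rx.match(path) for k, rx, _ in rules):
        return None
    for kind, rx, rule in rules:
        if (kind == "equal" and rx.fullmatch(path)) or (kind == "regular" and rx.match(path)):
            return rule
    return None
```

With this excerpt, /var/log/dmesg.2.gz gets RotatedLogs, /var/log/dmesg.1.gz is excluded, and /var/run/motd matches nothing because the "=" line covers only /var/run itself.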

  12. Results: Email Results
  AIDE found differences between database and filesystem!!
  Start timestamp: 2010-09-21 10:56:51
  Summary:
  Total number of files: 370
  Added files: 75
  Removed files: 2
  Changed files: 52

  13. Results
  ---------------------------------------------------
  Added files:
  ---------------------------------------------------
  added: /var/log/apache2/error.log.12.gz
  added: /var/log/apache2/error.log.5.gz
  ---------------------------------------------------
  Removed files:
  ---------------------------------------------------
  removed: /var/log/daemon.log.5.gz
  removed: /var/log/daemon.log.6.gz
  ---------------------------------------------------
  Changed files:
  ---------------------------------------------------
  changed: /var/log/aide/aide.log.2.gz
  changed: /var/log/aide/aide.log.4.gz

  14. Results
  ---------------------------------------------------
  Detailed information about changes:
  ---------------------------------------------------
  File: /var/log/aide/aide.log.2.gz
  Size : 16319 , 17841
  Bcount : 32 , 40
  Mtime : 2009-12-09 10:25:20 , 2010-09-14 10:26:12
  Ctime : 2009-12-14 10:25:27 , 2010-09-21 10:25:54
  Inode : 191245 , 191257
  MD5 : o83Sbw573PYSUTkBkVs/FQ== , KDnwIZ7cmoML6IQWUSjTyA==
  …
  WHIRLPOOL: EXaR0CgV2Z4DF3M62thbKUp+VRjtsBuo , RXPMG/LGk+ie+nIXAnS4s3KEJU1rfjBj
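As an added illustration, not the presenter's code and not AIDE itself, of what "saves results and compares later scans against the known database" amounts to: a minimal integrity checker that records the attributes shown in the detailed report (size, block count, inode, mtime, ctime, checksums) and renders the comparison in the layout of slides 12 to 14. The scenario in demo() is constructed in a temporary directory; sha256/sha512 stand in for the md5/whirlpool columns of the slide.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Record, for every file under root, the attributes an AIDE database keeps."""
    db = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st, data = path.lstat(), path.read_bytes()
        db[str(path.relative_to(root))] = {
            "Size": st.st_size, "Bcount": getattr(st, "st_blocks", 0), "Inode": st.st_ino,
            "Mtime": int(st.st_mtime), "Ctime": int(st.st_ctime),
            "SHA256": hashlib.sha256(data).hexdigest(), "SHA512": hashlib.sha512(data).hexdigest()}
    return db

def compare(old, new):
    """Return (added, removed, changed); changed maps path -> {attribute: (old, new)}."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for path in sorted(set(old) & set(new)):
        diff = {a: (old[path][a], new[path][a]) for a in old[path] if old[path][a] != new[path][a]}
        if diff:
            changed[path] = diff
    return added, removed, changed

def report(old, new):
    """Render the comparison in the layout of the e-mailed AIDE report on the slides."""
    added, removed, changed = compare(old, new)
    lines = [f"Total number of files: {len(new)}", f"Added files: {len(added)}",
             f"Removed files: {len(removed)}", f"Changed files: {len(changed)}"]
    lines += [f"added: {p}" for p in added] + [f"removed: {p}" for p in removed]
    for path, diff in changed.items():
        lines.append(f"File: {path}")
        lines += [f"{attr} : {o} , {n}" for attr, (o, n) in diff.items()]
    return "\n".join(lines)

def demo():
    """Constructed scenario: take a baseline, then rotate one log away, add one, rewrite one."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "daemon.log.5.gz").write_bytes(b"old")
        Path(root, "aide.log.2.gz").write_bytes(b"x" * 16319)
        baseline = snapshot(root)
        Path(root, "daemon.log.5.gz").unlink()
        Path(root, "error.log.5.gz").write_bytes(b"new")
        Path(root, "aide.log.2.gz").write_bytes(b"y" * 17841)
        return baseline, snapshot(root)
```

Calling report(*demo()) prints one added, one removed and one changed file, with the Size line reading "16319 , 17841" as on slide 14. Like AIDE, this only detects a change after the fact; the baseline database must itself be stored where an intruder cannot rewrite it.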

  15. Issues / Limitations
  • Determines changes AFTER the fact
  • Does not prevent a file from being altered
  • Requires reading the logs / emails

  16. Competing Solutions
  • Tripwire
  • RealEyes IDS (Real-Time)
  • Snort
  • FAM – File Access Monitoring
  • AppArmor
  • SELinux

  17. Why did I select AIDE?
  • Free / Open Source (concerns with Tripwire)
  • Quick solution
  • Easy to configure
  • Want to know what's broken / what was changed
  • Didn't have to learn a lot… build new rules / restart

  18. Conclusion
  • What it is
  • Configuration
  • Sample Results
  • Issues / Limitations
  • Competing Products / Solutions

  19. Security Thoughts
  • Do not assume anything
  • Trust no one, nothing
  • Nothing is secure
  • Security is a trade-off with usability
  • Paranoia is your friend
  http://www.cs.tut.fi/~rammer/aide/manual.html

  20. References
  • http://www.cs.tut.fi/~rammer/aide.html
  • http://www.cs.tut.fi/~rammer/aide/manual.html
  • http://sourceforge.net/projects/aide/

  21. System Security
  • Turn this around… What do you use? Why?