Context:-
IPS (Intrusion Prevention System) - A mechanism that helps us prevent intrusions.
IDS (Intrusion Detection System) - A mechanism that helps us detect intrusions.
Here I will discuss an Intrusion Detection System for the file system (files/directories). Normally we hear about IDS/IPS at the network and firewall level, but this post is about the file system.
There are some very critical and sensitive files and directories in our system; a small change in these files may change the system's functionality completely and may also compromise its security. Let's look at an example.
[root@localhost ~]# ll /etc/shadow
----------. 1 root root 1023 Jan 22 16:36 /etc/shadow
[root@localhost ~]# ll /etc/passwd
-rw-r--r--. 1 root root 1615 Jan 22 14:28 /etc/passwd
If somehow the 'x' (the placeholder that points to the password stored in the shadow file) is removed from the root user's entry in /etc/passwd, the system won't ask for a password when you try to log in as root, and if someone can log in as root on your system, you know what he/she can do.
[root@localhost ~]# vim /etc/passwd
root:x:0:0:root:/root:/bin/bash
The same applies to some directories as well.
[root@localhost ~]# ls -ld /root/
dr-xr-x---. 26 root root 4096 Feb 9 07:44 /root/
As we know, /root is root's home directory and other users are not allowed to access anything in it.
But if somehow a user changes the integrity of a file or directory (content, permissions, size), how can we as system administrators check or know that something has been changed?
There are two ways to know about it-
1. Manually remember each and every file's/directory's permissions, size and content (practically not possible)
2. With the help of a program/tool (an intrusion detector) which automatically lets us know if anything has been changed.
We are lucky in this matter because we have a very smart tool (AIDE) available which can do intrusion detection for files and directories.
If AIDE is available, then how do we configure and use it?
Install AIDE package.
[root@localhost ~]# yum install aide
Configure the AIDE configuration file
If you have a look in the aide.conf file, almost all the important and critical files and directories are already configured there, but if you want, you can change the configuration as per your requirements.
[root@localhost ~]# cp /etc/aide.conf /etc/aide.conf.bkp
To explain it in detail, I am removing all the configuration currently present in aide.conf (removed all lines from line number 87 in RHEL6 and 99 in RHEL7) and adding a single line for the /etc/shadow file
[root@localhost ~]# vim /etc/aide.conf
/etc/shadow s
Here the 1st field is the filename with its path and the 2nd field is what you want to monitor, e.g. s is for size. The meaning of these letters is documented in the config file itself; please have a look at it for the details.
# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
# Access control only
PERMS = p+i+u+g+acl+selinux
# Logfile are special, in that they often change
LOG = >
# Just do md5 and sha256 hashes
LSPP = R+sha256
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
I am enabling AIDE to detect a size change of /etc/shadow.
[root@localhost ~]# vim /etc/aide.conf
/etc/shadow s
[root@localhost ~]# aide --init
[root@localhost ~]# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
So if there is any change in size, AIDE will let you know. How?
[root@localhost ~]# aide --check
AIDE, version 0.14
### All files match AIDE database. Looks okay!
[root@localhost ~]#
Let's make a change in /etc/shadow (I added a '#' at the end of the file; you can change anything you want) and see whether it is detected-
[root@localhost ~]# vim /etc/shadow
#
[root@localhost ~]# aide --check
AIDE found differences between database and filesystem!!
Start timestamp: 2019-02-09 09:14:14
Summary:
Total number of files: 4
Added files: 0
Removed files: 0
Changed files: 1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /etc/shadow
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/shadow
Size : 1023 , 1025
Permissions: ---------- , ----------
[root@localhost ~]#
Yes! There is a change in size from 1023 to 1025. So please have a look into the file to know what changes have been made. If the changes are genuine and no malicious activity is observed, then you should update the AIDE database.
[root@localhost ~]# aide --init
AIDE, version 0.14
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
[root@localhost ~]# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
cp: overwrite `/var/lib/aide/aide.db.gz'? y
[root@localhost ~]# aide --check
AIDE, version 0.14
### All files match AIDE database. Looks okay!
[root@localhost ~]#
If malicious activity is observed, revert the changes.
This example was only for size, but we can monitor lots of things, and for that we have a few keywords in the configuration file for monitoring multiple attributes of a file or directory, like-
# Access control only
PERMS = p+i+u+g+acl+selinux
There are many more keywords available; please check the config file /etc/aide.conf for more details.
You can also create custom rules like this.
[root@localhost ~]# vim /etc/aide.conf
TINKU = s+p+selinux
[root@localhost ~]# aide --init
AIDE, version 0.14
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
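To make the init/check/re-init cycle above and the rule grammar (built-in groups like R and L, custom rules like TINKU, selection lines such as "/etc/shadow s") concrete, here is a small added example of my own. It is not AIDE's code and not part of the original post: a toy integrity checker that parses aide.conf-style text, takes a baseline the way aide --init does, and reports per-attribute differences the way aide --check does. It assumes the custom rule TINKU is applied to a path (the post defines it but does not show that step), collects only the portable attributes p i n u g s m c and the hash checksums, and resolves acl/selinux/xattrs without collecting them. The files it inspects are constructed in a temporary directory, so it runs offline without touching /etc.

```python
"""Toy file-integrity checker modelled on the AIDE workflow (added example, not AIDE code)."""
import hashlib
import os
import re
import stat
import tempfile
from typing import Dict, List, Set, Tuple

# Atomic attribute letters/names as listed in the aide.conf comments.
ATOMIC = {"p", "i", "n", "u", "g", "s", "b", "m", "a", "c", "S",
          "acl", "selinux", "xattrs",
          "md5", "sha1", "sha256", "sha512", "rmd160", "tiger"}
# Built-in groups exactly as documented in aide.conf (R, L, E, >).
BUILTIN = {"R": "p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5",
           "L": "p+i+n+u+g+acl+selinux+xattrs",
           "E": "",
           ">": "p+u+g+i+n+S+acl+selinux+xattrs"}
HASHES = ("md5", "sha1", "sha256", "sha512")   # the hashes this toy computes


def parse_config(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return (rule definitions, selection lines) from aide.conf-style text."""
    rules = dict(BUILTIN)
    selections: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # '#' starts a comment
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m:                                  # rule definition: TINKU = s+p+selinux
            rules[m.group(1)] = m.group(2).strip()
        else:                                  # selection line: /etc/shadow s
            path, expr = line.split(None, 1)
            selections.append((path, expr.strip()))
    return rules, selections


def resolve(expr: str, rules: Dict[str, str], seen: Tuple[str, ...] = ()) -> Set[str]:
    """Expand a rule expression (e.g. 'R+sha256') to its set of atomic attributes."""
    attrs: Set[str] = set()
    for tok in (t.strip() for t in expr.split("+")):
        if not tok:
            continue
        if tok in ATOMIC:
            attrs.add(tok)
        elif tok in rules:
            if tok in seen:
                raise ValueError(f"rule {tok} references itself")
            attrs |= resolve(rules[tok], rules, seen + (tok,))
        else:
            raise ValueError(f"unknown attribute or rule: {tok}")
    return attrs


def snapshot(path: str, attrs: Set[str]) -> Dict[str, object]:
    """Collect the requested attributes of one path (one database entry)."""
    st = os.lstat(path)
    fields = {"p": stat.filemode(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
              "u": st.st_uid, "g": st.st_gid, "s": st.st_size,
              "m": st.st_mtime_ns, "c": st.st_ctime_ns}
    rec: Dict[str, object] = {k: v for k, v in fields.items() if k in attrs}
    if stat.S_ISREG(st.st_mode) and any(h in attrs for h in HASHES):
        with open(path, "rb") as f:
            data = f.read()
        for h in HASHES:
            if h in attrs:
                rec[h] = hashlib.new(h, data).hexdigest()
    return rec


def init_db(conf: str) -> Dict[str, Dict[str, object]]:
    """Like aide --init: baseline every selected path with its rule's attributes."""
    rules, selections = parse_config(conf)
    return {path: snapshot(path, resolve(expr, rules)) for path, expr in selections}


def check(conf: str, db: Dict[str, Dict[str, object]]) -> Dict[str, Dict[str, tuple]]:
    """Like aide --check: return {path: {attr: (old, new)}} for every changed entry."""
    rules, selections = parse_config(conf)
    changes: Dict[str, Dict[str, tuple]] = {}
    for path, expr in selections:
        new = snapshot(path, resolve(expr, rules))
        old = db.get(path, {})
        diff = {k: (old.get(k), new.get(k))
                for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}
        if diff:
            changes[path] = diff
    return changes


def demo():
    """Replay the post's experiment on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        shadow = os.path.join(d, "shadow")     # constructed stand-in for /etc/shadow
        passwd = os.path.join(d, "passwd")     # constructed stand-in for /etc/passwd
        with open(shadow, "wb") as f:
            f.write(b"root:!!:17941:0:99999:7:::\n")        # 27 bytes, constructed
        with open(passwd, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/bash\n")  # constructed
        os.chmod(shadow, 0o600)
        os.chmod(passwd, 0o644)
        # Size-only rule for shadow (as in the post); custom TINKU rule on passwd.
        conf = f"TINKU = s+p+selinux\n{shadow} s\n{passwd} TINKU\n"
        db = init_db(conf)                    # aide --init, then "cp aide.db.new.gz aide.db.gz"
        clean = check(conf, db)               # nothing changed yet
        with open(shadow, "ab") as f:
            f.write(b"#\n")                   # the post's '#' edit: 27 -> 29 bytes
        os.chmod(passwd, 0o640)               # a permission change on passwd
        found = check(conf, db)               # aide --check reports both
        db = init_db(conf)                    # changes accepted: re-baseline
        after_update = check(conf, db)        # clean again
        return clean, found[shadow], found[passwd], after_update


if __name__ == "__main__":
    print(demo())
```

Note that the baseline database is only trustworthy if it was taken on a known-good system and stored where an intruder cannot overwrite it, which is why the post's "cp aide.db.new.gz aide.db.gz" step should be run only after you have reviewed the reported changes.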