
AIDE (Advanced Intrusion Detection Environment)

Context:

IPS (Intrusion Prevention System): a mechanism that helps us prevent intrusions.
IDS (Intrusion Detection System): a mechanism that helps us detect intrusions.
Here I will discuss an Intrusion Detection System for the file system (files and directories). Normally we hear about IDS/IPS at the network and firewall level, but this post is about the file system.

There are some very critical and sensitive files and directories in our system; a small change in these files can change the system's functionality completely and can also compromise its security. Let's look at some examples.

[root@localhost ~]# ll /etc/shadow
----------. 1 root root 1023 Jan 22 16:36 /etc/shadow
[root@localhost ~]# ll /etc/passwd
-rw-r--r--. 1 root root 1615 Jan 22 14:28 /etc/passwd
If somehow the 'x' (the link to the password stored in the shadow file) is removed from the root user's entry in /etc/passwd, the system won't ask for a password when you try to log in as root, and if someone can log in as root on your system, you know what he/she can do.
[root@localhost ~]# vim /etc/passwd
root:x:0:0:root:/root:/bin/bash

The same applies to some directories as well.
[root@localhost ~]# ls -ld /root/
dr-xr-x---. 26 root root 4096 Feb  9 07:44 /root/
As we know, /root is root's home directory, and other users are not allowed to access anything in it.
But if somehow any user changes the integrity of a file or directory (content, permissions, size), how can we as system administrators check or know that something has changed?
There are two ways to know about it:
1. Manually remember every file's and directory's permissions, size and content (practically not possible).
2. With the help of a program/tool (an intrusion detector) which automatically lets us know if anything has changed.
We are lucky in this matter because we have a very smart tool (AIDE) available which can do intrusion detection for files and directories.

If AIDE is available, how do we configure and use it?
Install the AIDE package.
[root@localhost ~]# yum install aide

Configure the AIDE configuration file
If you have a look at the aide.conf file, almost all the important and critical files and directories are already configured there, but if you want you can change the configuration as per your requirements. First take a backup of the file:
[root@localhost ~]# cp /etc/aide.conf /etc/aide.conf.bkp

To explain it in detail, I am removing all the configuration currently in aide.conf (I removed all the lines from line number 87 onward in RHEL 6 and from line 99 onward in RHEL 7) and adding a single line for the /etc/shadow file.

[root@localhost ~]# vim /etc/aide.conf
/etc/shadow s

Here the 1st field is the filename with its path and the 2nd field is what you want to monitor, e.g. s is for size. The meanings of these keywords are given in the config file; please have a look at it for the details.

# These are the default rules.
#
#p:      permissions
#i:      inode:
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#acl:           Access Control Lists
#selinux        SELinux security context
#xattrs:        Extended file attributes
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256:        sha256 checksum
#sha512:        sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum

#haval:  haval checksum (MHASH only)
#gost:   gost checksum (MHASH only)
#crc32:  crc32 checksum (MHASH only)
#whirlpool:     whirlpool checksum (MHASH only)

#R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L:             p+i+n+u+g+acl+selinux+xattrs
#E:             Empty group
#>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs

# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES

# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256

# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs

# Access control only
PERMS = p+i+u+g+acl+selinux

# Logfile are special, in that they often change
LOG = >

# Just do md5 and sha256 hashes
LSPP = R+sha256

# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger

I am enabling AIDE for /etc/shadow size changes.
[root@localhost ~]# vim /etc/aide.conf
/etc/shadow s
[root@localhost ~]# aide --init
[root@localhost ~]# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

So if there is any change in size, AIDE will let you know. How?
[root@localhost ~]# aide --check
AIDE, version 0.14
### All files match AIDE database. Looks okay!
[root@localhost ~]#

Let's make a change in /etc/shadow (I added a # at the end of the file; you can do anything you want) and see if AIDE detects it:
[root@localhost ~]# vim /etc/shadow
#
[root@localhost ~]# aide --check
AIDE found differences between database and filesystem!!
Start timestamp: 2019-02-09 09:14:14

Summary:
  Total number of files:        4
  Added files:                  0
  Removed files:                0
  Changed files:                1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/shadow

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /etc/shadow
  Size     : 1023                             , 1025
  Permissions: ----------                       , ----------
[root@localhost ~]#
Yes! There is a change in size from 1023 to 1025. So please have a look at the file to find out what changes have been made; if the changes are genuine and no malicious activity is observed, then you should update the AIDE database.
[root@localhost ~]# aide --init
AIDE, version 0.14
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
[root@localhost ~]# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
cp: overwrite `/var/lib/aide/aide.db.gz'? y
[root@localhost ~]# aide --check
AIDE, version 0.14
### All files match AIDE database. Looks okay!
[root@localhost ~]#

If malicious activity is observed, remove the changes.
This example was only for size, but we can monitor lots of things, and for that we have several keywords in the configuration file for monitoring multiple attributes of a file or directory, like:
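As an added example (not part of the original post), here is a small POSIX shell helper that parses the report format shown above so a cron job can log to syslog and return non-zero only when AIDE found differences. The aide_check_and_report function assumes the aide package is installed; the two parser functions are exercised against a constructed sample report.

```shell
# Added example, not from the original post: parse the "aide --check"
# report (AIDE 0.14 format shown above) so a cron job alerts on changes.

# Number of changed files in a report read on stdin: 0 when all files
# match, -1 when no summary line is found (e.g. aide failed to run).
aide_changed_count() {
    awk '
        /All files match AIDE database/       { print 0; found = 1; exit }
        /^[ \t]*Changed files:[ \t]*[0-9]+$/  { print $NF; found = 1; exit }
        END { if (!found) print -1 }
    '
}

# "changed: /path", "added: /path" or "removed: /path", one per listed file.
aide_changed_paths() {
    awk '$1 == "changed:" || $1 == "added:" || $1 == "removed:" { print $1, $2 }'
}

# Run the real check (assumes the aide package is installed), log the result
# to syslog and return 1 on differences so the admin reviews the files by hand
# before deciding whether the change is genuine and re-running aide --init.
aide_check_and_report() {
    report=$(aide --check 2>&1)
    n=$(printf '%s\n' "$report" | aide_changed_count)
    if [ "$n" -eq 0 ]; then
        logger -t aide -p auth.info "integrity check passed"
        return 0
    fi
    printf '%s\n' "$report" | aide_changed_paths | while read -r kind path; do
        logger -t aide -p auth.warning "integrity violation: $kind $path"
    done
    return 1
}

# Constructed sample report, shaped like the output above, so the parsers
# can be exercised without a live AIDE database.
SAMPLE_REPORT=$(cat <<'EOF'
AIDE found differences between database and filesystem!!
  Added files:                  0
  Removed files:                0
  Changed files:                1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /etc/shadow
  Size     : 1023                             , 1025
EOF
)

printf '%s\n' "$SAMPLE_REPORT" | aide_changed_count   # prints 1
printf '%s\n' "$SAMPLE_REPORT" | aide_changed_paths   # prints changed: /etc/shadow
```

The summary line "Changed files: 1" is matched only when it ends in a number, which keeps it apart from the "Changed files:" section header that follows it in the same report.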
# Access control only
PERMS = p+i+u+g+acl+selinux

There are many more keywords available; please check the config file /etc/aide.conf for more details.
You can also create custom rules like this.
[root@localhost ~]# vim /etc/aide.conf
TINKU = s+p+selinux

[root@localhost ~]# aide --init
AIDE, version 0.14
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

