This document was written by Rami Lehti <rammer@cs.tut.fi>
AIDE constructs a database of the files specified in aide.conf, aide's configuration file. The AIDE database stores various file attributes including: permissions, inode number, user, group, file size, mtime and ctime, atime, growing size and number of links. AIDE also creates a cryptographic checksum or hash of each file using one or a combination of the following message digest algorithms: sha1, md5, rmd160, tiger (rmd128, crc32, hval, gost and snefru can be compiled in if mhash support is available).
Typically, a system administrator will create an AIDE database on a new system before it is brought onto the network. This first AIDE database is a snapshot of the system in it's normal state and the yardstick by which all subsequent updates and changes will be measured. The database should contain information about key system binaries, libraries, header files, all files that are expected to remain the same over time. The database probably should not contain information about files which change frequently like log files, mail spools, proc filesystems, user's home directories, or temporary directories.
After a break-in, an administrator may begin examinining the system using system tools like ls, ps, netstat, and who --- the very tools most likely to be trojaned. Imagine that ls has been doctored to not show any file named "sniffedpackets.log" and that ps and netstat have been rewritten to not show any information for a process named "sniffdaemond". Even an administrator who had previously printed out on paper the dates and sizes of these key system files can not be certain by comparison that they have not been modified in some way. File dates and sizes can be manipulated, some better root-kits make this trivial.
While it is possible to manipulate file dates and sizes, it is much more difficult to manipulate a single cryptographic checksum like md5, and exponentially more difficult to manipulate each of the entire handfull of checksums that AIDE supports. By rerunning AIDE after a break-in, a system administrator can quickly identify changes to key files and have a fairly high degree of confidance as to the accuracy of these findings.
Unfortunately, AIDE can not provide absolute sureness about change in files. Like any other system files, AIDE's binary or database can also be altered.
./configure;make;make install in the main aide
directory of the unpacked source tree. You should carefully think
about the configuration and what a possible hacker can do if
he/her/they/it has root access.
Once you have the source code of Aide you should unpack it. If you
have GNU tar then the command is tar zxvf
aide-version.tar.gz .
There are several options you can give to configure. You can find out
what options are available with ./configure --help
command. Most of the time you do not need to give any options.
You can just use configure without any parameters.
However, if you want more digest functions you should consider
using --with-mhash option. This enables mhash support. You
have to have mhash library installed to use this option. The mhash
support enables RMD128, HAVAL, GOST, CRC32 and SNEFRU digest
functions.
If you want to use the bundled gnu regular expression package
you can give the --with-gnu-regexp option.
If you want to change the directory where aide is installed you can
use --prefix option. For example ./configure --prefix=/usr
make. You can
now type make install to install the binary and the
manual pages. The binary however should be installed on read-only
media or in some other tamperproof place. Also the databases should
be kept somewhere where a possible intruder cannot change them.There are three types of lines in aide.conf:
#AIDE conf # Here are all the things we can check - these are the default rules # #p: permissions #i: inode #n: number of links #u: user #g: group #s: size #b: block count #m: mtime #a: atime #c: ctime #S: check for growing size #md5: md5 checksum #sha1: sha1 checksum #rmd160: rmd160 checksum #tiger: tiger checksum #R: p+i+n+u+g+s+m+c+md5 #L: p+i+n+u+g #E: Empty group #>: Growing logfile p+u+g+i+n+S # You can alse create custom rules - my home made rule definition goes like this # MyRule = p+i+n+u+g+s+b+m+c+md5+sha1 # Next decide what directories/files you want in the database /etc p+i+u+g #check only permissions, inode, user and group for etc /bin MyRule # apply the custom rule to the files in bin /sbin MyRule # apply the same custom rule to the files in sbin /var MyRule !/var/log/.* # ignore the log dir it changes too often !/var/spool/.* # ignore spool dirs as they change too often
Here we include files in /etc, /bin and /sbin. We also include /var but ignore /var/log and /var/spool.
It is generally a good idea to ignore directories that frequently change, unless you want to read long reports. It is good practice to exclude tmp directories, mail spools, log directories, proc filesystems, user's home directories, web content directories, anything that changes regularly. It is good practice to include all system binaries, libraries, include files, system source files. It will also be a good idea to include directories you don't often look in like /dev /usr/man/.*usr/. Of course you'll want to include as many files as practical, but think about what you include.
#############For example if you have a block device whose owner keeps changing you can just record the attributes that do not normally change (inode,number of links,ctime).
aide --init. The database should be moved to a secure
location such as read-only media.Check,
Update if you want to,
Check again.