Advanced Intrusion Detection Environment (AIDE) is a file integrity checker for UNIX operating systems. Its purpose is to report on the integrity of data on supported file systems. It is essentially the open source equivalent of Tripwire. While you can use a tool such as Splunk to perform file integrity monitoring, that requires more overhead on the server (splunkd running all the time), whereas AIDE runs only when it is executed. This post shows how to install AIDE and set up a quick script that runs it on a target host from a trusted host (using ssh keys). By running AIDE repeatedly against the target host you can determine which files are changing. By keeping the databases and reports on a trusted host, you also keep that data off the target host where it could be tampered with (in theory).
The Environment
1. Target host
2. Trusted host (authorized to ssh as root using a public key to the target host)
The Concept
Here is a simple diagram of what we are going to set up.
Install AIDE using yum
You can install aide using yum, or you can download the source from SourceForge and build it:
#yum install aide
or
#wget http://superb-west.dl.sourceforge.net/sourceforge/aide/aide-0.13.1.tar.gz
#tar -xvzf aide-0.13.1.tar.gz
....
#cd aide-0.13.1
#./configure
...
#make
...
#make install
...
Install the runaide.ksh script
First, make the directories you need.
# mkdir -p /app/aide
# for x in store conf report bin; do mkdir /app/aide/$x; done
On your trusted host copy the following into a file called runaide.ksh
#!/bin/ksh -x
#
# Author: jameslabocki@gmail.com
# Date: 05.12.08
#
# A simple script that performs the following
# 1. Secure copies an aide configuration to each host
# 2. Executes an aide init via ssh on each host
# 3. Secure copies the aide database to the store directory
# 4. Performs a compare of the two databases and records the results
# 5. Emails the results to a specified email address
#
WHOTOMAIL=linux.admins@domain.com,infosec@domain.com
#
#Important variables
TS=`date '+%m%d%y'`
YESTERDAY=`date -d "1 day ago" '+%m%d%y'`
TWODAYS=`date -d "2 days ago" '+%m%d%y'`
ROOTDIR=/app/aide
REPODIR=${ROOTDIR}/store
CONFDIR=${ROOTDIR}/conf
REPORTDIR=${ROOTDIR}/report
BINDIR=${ROOTDIR}/bin
HOSTLIST=${CONFDIR}/hostlist
SSH=/usr/bin/ssh
#
#Almost as important variables
AIDE=/usr/sbin/aide
HOSTCONFDIR=/root
HOSTCONFFILE=${HOSTCONFDIR}/aide.cfg
HOSTDBFILE=/var/lib/aide/aide.db.new.gz
#
#Loop through the hosts and create database, copyi
#For each host: push the config, build a fresh database, pull it back,
#compare it against yesterday's copy and mail the result
for host in `cat $HOSTLIST`; do
    scp ${CONFDIR}/aide.cfg ${host}:${HOSTCONFFILE}
    ${SSH} ${host} "${AIDE} --init -c ${HOSTCONFFILE}"
    scp ${host}:${HOSTDBFILE} ${REPODIR}/${host}.${TS}.gz
    #
    if [ ! -f ${REPODIR}/${host}.${YESTERDAY}.gz ]; then
        echo "${host}.${YESTERDAY}.gz does not exist yet" |mail -s "Aide Report for ${host}" ${WHOTOMAIL}
    else
        #Shortcoming in aide having to use config files for everything:
        #substitute the dated database names into a per-host copy of the compare config
        cp ${CONFDIR}/aidecompare.cfg ${REPODIR}/${host}.${TS}.cfg
        cat ${REPODIR}/${host}.${TS}.cfg |awk '{sub(/todaysdatabase/,'"\"${host}.${TS}.gz\""');print}' |awk '{sub(/yesterdaysdatabase/,'"\"${host}.${YESTERDAY}.gz\""');print}' > ${REPODIR}/${host}.${TS}.cfg.tmp
        ${AIDE} --compare -c ${REPODIR}/${host}.${TS}.cfg.tmp > ${REPORTDIR}/${host}.${TS}.log
        cat ${REPORTDIR}/${host}.${TS}.log |mail -s "Aide Report for ${host}" ${WHOTOMAIL}
    fi
    #
    #remove the db from two days ago (-f so a missing file does not produce an error)
    rm -f ${REPODIR}/${host}.${TWODAYS}.gz
    #
done
The script reads a file named hostlist in /app/aide/conf and runs through the list of hosts, copying over an aide.cfg file and running the aide executable on each host. This means you can customize aide.cfg in one place for your environment and not worry about maintaining the configuration file across machines. Once you have a hostlist and a general configuration file you can execute the script.
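The script also depends on an aidecompare.cfg in /app/aide/conf that carries the todaysdatabase and yesterdaysdatabase placeholders, which the post does not show. The following is an added example (not the author's file) of what it could contain and of the placeholder substitution as a reusable function; it assumes AIDE's `--compare` reads the `database` and `database_new` directives and uses a constructed, minimal rule set that must match the rules in aide.cfg.

```shell
#!/bin/sh
# Added example: template for /app/aide/conf/aidecompare.cfg plus the
# placeholder substitution runaide.ksh performs, written as a function.
# AIDE --compare checks 'database' (baseline) against 'database_new',
# so yesterday's snapshot is the baseline and today's is the new one.
# Directive names are AIDE's; the rule set is a constructed minimum.
REPODIR=/app/aide/store

# Template content (assumed layout, mirrors the post's /app/aide/store path).
# The Rule line must be identical to the one used in aide.cfg at --init
# time, otherwise every entry shows up as changed.
compare_template() {
    cat <<'EOF'
database=file:/app/aide/store/yesterdaysdatabase
database_new=file:/app/aide/store/todaysdatabase
verbose=5
report_url=stdout
Rule = p+i+n+u+g+s+m+c+md5+sha1
/etc Rule
/bin Rule
/sbin Rule
/usr/bin Rule
/usr/sbin Rule
EOF
}

# Render the per-host config: replace the two placeholders with the dated
# database names the script stores as <host>.<MMDDYY>.gz. sed is used here
# instead of the awk sub() calls in runaide.ksh; the result is the same.
# "todaysdatabase" is not a substring of "yesterdaysdatabase", so the
# order of the two substitutions does not matter.
render_compare_cfg() {
    host=$1; today=$2; yesterday=$3
    compare_template | sed -e "s|todaysdatabase|${host}.${today}.gz|" \
                           -e "s|yesterdaysdatabase|${host}.${yesterday}.gz|"
}

# Usage as runaide.ksh would, for a host web01 on 05.13.08 (constructed):
#   render_compare_cfg web01 051308 051208 > ${REPODIR}/web01.051308.cfg
#   /usr/sbin/aide --compare -c ${REPODIR}/web01.051308.cfg
```

Because the compare runs on the trusted host, both database files must be readable there, and the AIDE binary on the trusted host must be built with the same hash and zlib support as the one that produced the databases.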
Further Development
I also set up the reports directory to be served over http through apache and authenticated against Active Directory using mod_authz_ldap. This is nice because you can allow a third party to review the reports on a daily basis.
Here are a few helpful crontab entries after you have the script running.
#Remove old aide database and report files (-type f so the directories themselves are never matched)
30 1 * * * /usr/bin/find /app/aide/store/ -type f -mtime +10 -exec rm {} \;
30 1 * * * /usr/bin/find /app/aide/report/ -type f -mtime +30 -exec rm {} \;
#Aide job that audits file changes on systems at 3AM each day
0 3 * * * /app/admin/servicedelivery/linux/admin/bin/runaide.ksh
