20 Intrusion detection with AIDE
Securing your systems is a mandatory task for any mission-critical system administrator. Because it is impossible to always guarantee that the system is not compromised, it is very important to do extra checks regularly (for example with cron) to ensure that the system is still under your control. This is where AIDE, the Advanced Intrusion Detection Environment, comes into play.
   
20.1 Why use AIDE?
An easy check that can often reveal unwanted changes can be done by means of RPM. The package manager has a built-in verify function that checks all the managed files in the system for changes. To verify all files, run the command rpm -Va. However, this command will also display changes in configuration files, and you will need to do some filtering to detect the important changes.
  
An additional problem with the RPM method is that an intelligent attacker will modify rpm itself to hide any changes that might have been made by some kind of root-kit, which allows the attacker to mask the intrusion and gain root privileges. To solve this, you should implement a secondary check that can also be run completely independently of the installed system.
  
20.2 Setting up an AIDE database
Before you install your system, verify the checksum of your medium (see Book “Deployment Guide”, Chapter 8 “Troubleshooting”, Section 8.1 “Checking media”) to make sure you do not use a compromised source. After you have installed the system, initialize the AIDE database. To make sure that all went well during and after the installation, do an installation directly on the console, without any network attached to the computer. Do not leave the computer unattended or connected to any network before AIDE creates its database.
AIDE is not installed by default on SUSE Linux Enterprise Desktop. To install it, either use  › , or enter zypper install aide on the command line as root.
  
To tell AIDE which attributes of which files should be checked, use the /etc/aide.conf configuration file. It must be modified to become the actual configuration. The first section handles general parameters like the location of the AIDE database file. More relevant for local configurations are the Custom Rules and the Directories and Files sections. A typical rule looks like the following:
  
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
After defining the variable Binlib, the respective check boxes are used in the files section. Important options include the following:
  
| Option | Description | 
|---|---|
| p | Check for the file permissions of the selected files or directories. | 
| i | Check for the inode number. Every file name has a unique inode number that should not change. | 
| n | Check for the number of links pointing to the relevant file. | 
| u | Check if the owner of the file has changed. | 
| g | Check if the group of the file has changed. | 
| s | Check if the file size has changed. | 
| b | Check if the block count used by the file has changed. | 
| m | Check if the modification time of the file has changed. | 
| c | Check if the file's access time has changed. | 
| S | Check for a changed file size. | 
| I | Ignore changes of the file name. | 
| md5 | Check if the md5 checksum of the file has changed. We recommend using sha256 or sha512 instead. | 
| sha1 | Check if the sha1 (160-bit) checksum of the file has changed. We recommend using sha256 or sha512 instead. | 
| sha256 | Check if the sha256 checksum of the file has changed. | 
| sha512 | Check if the sha512 checksum of the file has changed. | 
This is a configuration that checks all files in /sbin with the options defined in Binlib but omits the /sbin/conf.d/ directory:
  
/sbin Binlib !/sbin/conf.d
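As an added example, not taken from the shipped /etc/aide.conf or from the AIDE project, here is a rules and selection section built from the options in the table above, following its recommendation to prefer sha256 and sha512 over md5 and sha1. The directory choices, the Logs rule and the exclusions are assumptions for illustration:

```conf
# Constructed example; adapt the directories to your system.
# Same attributes as Binlib above, but with sha256+sha512 instead of md5+sha1.
BinlibStrong = p+i+n+u+g+s+b+m+c+sha256+sha512
# Log files grow legitimately, so only permissions, ownership,
# inode and link count are checked, not size, times or content.
Logs = p+i+n+u+g

# Directories and Files: each line is a path followed by a rule name.
/sbin     BinlibStrong
/bin      BinlibStrong
/usr/bin  BinlibStrong
/etc      BinlibStrong
/var/log  Logs
# Lines starting with "!" exclude paths that change at runtime.
!/sbin/conf.d
!/etc/mtab
```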
To create the AIDE database, proceed as follows:
- Open /etc/aide.conf.
- Define which files should be checked with which check boxes. For a complete list of available check boxes, see /usr/share/doc/packages/aide/manual.html. The definition of the file selection needs some knowledge about regular expressions. Save your modifications.
- To check whether the configuration file is valid, run:
  # aide --config-check
  Any output of this command is a hint that the configuration is not valid. For example, if you get the following output:
  # aide --config-check
  35:syntax error:!
  35:Error while reading configuration:!
  Configuration error
  the error is to be expected in line 36 of /etc/aide.conf. Note that the error message contains the last successfully read line of the configuration file.
- Initialize the AIDE database. Run the command:
  # aide -i
- Copy the generated database to a safe location like a CD-R or DVD-R, a remote server or a flash disk for later use.
  Important: This step is essential as it avoids compromising your database. It is recommended to use a medium which can be written only once to prevent the database from being modified. Never leave the database on the computer which you want to monitor.
20.3 Local AIDE checks
To perform a file system check, proceed as follows:
- Rename the database:
  # mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
- After any configuration change, you always need to re-initialize the AIDE database and subsequently move the newly generated database. It is also a good idea to make a backup of this database. See Section 20.2, “Setting up an AIDE database” for more information. 
- Perform the check with the following command:
  # aide --check
If the output is empty, everything is fine. If AIDE found changes, it displays a summary of changes, for example:
# aide --check
AIDE found differences between database and filesystem!!
Summary:
  Total number of files:        1992
  Added files:                  0
  Removed files:                0
  Changed files:                1
To learn about the actual changes, increase the verbose level of the check with the parameter -V. For the previous example, this could look like the following:
  
# aide --check -V
AIDE found differences between database and filesystem!!
Start timestamp: 2009-02-18 15:14:10
Summary:
  Total number of files:        1992
  Added files:                  0
  Removed files:                0
  Changed files:                1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /etc/passwd
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/passwd
  Mtime    : 2009-02-18 15:11:02              , 2009-02-18 15:11:47
  Ctime    : 2009-02-18 15:11:02              , 2009-02-18 15:11:47
In this example, the file /etc/passwd was touched to demonstrate the effect.
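The introduction suggests running the check regularly from cron. As an added example, not part of the SUSE documentation or the AIDE project, the following POSIX shell wrapper first compares the local aide.db against the copy kept on write-once media (Section 20.2), then runs the check and inspects the Summary block shown above. The paths, the log file and the --run flag are assumptions.

```shell
#!/bin/sh
# Constructed cron wrapper for the AIDE check; not part of the SUSE
# documentation or the AIDE project. Paths and the log file are assumptions.
set -u
AIDE_BIN="${AIDE_BIN:-/usr/bin/aide}"
LOCAL_DB="${LOCAL_DB:-/var/lib/aide/aide.db}"
REF_DB="${REF_DB:-/media/cdrom/aide.db}"      # copy on write-once media
REPORT_LOG="${REPORT_LOG:-/var/log/aide-cron.log}"

# Compare the local database with the trusted copy kept off the monitored
# host: a database the attacker could rewrite proves nothing.
# Returns 0 on match, 1 on mismatch, 2 if either file is unreadable.
verify_db_copy() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    local_sum=$(sha256sum "$1" | cut -d' ' -f1)
    ref_sum=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$local_sum" = "$ref_sum" ]
}

# Read an "aide --check" report on stdin and inspect its Summary block.
# Returns 0 when no files were added, removed or changed, 1 otherwise.
summary_is_clean() {
    awk '/^ *(Added|Removed|Changed) files:/ { if ($NF + 0 > 0) bad = 1 }
         END { exit bad ? 1 : 0 }'
}

main() {
    if ! verify_db_copy "$LOCAL_DB" "$REF_DB"; then
        logger -p auth.crit -t aide-cron "aide.db differs from trusted copy"
        return 2
    fi
    report=$("$AIDE_BIN" --check 2>&1)
    if printf '%s\n' "$report" | summary_is_clean; then
        logger -t aide-cron "no changes detected"
        return 0
    fi
    # Keep the full report; rerun "aide --check -V" for per-file details.
    printf '%s\n' "$report" >> "$REPORT_LOG"
    logger -p auth.crit -t aide-cron "changes detected, see $REPORT_LOG"
    return 1
}

# Only run the real check when invoked as "aide-cron.sh --run".
if [ "${1:-}" = "--run" ]; then main; fi
```

Because the summary is parsed from the report text, the script does not depend on the exit code of the installed aide version.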
  
20.4 System independent checking
To avoid risk, it is advisable to also run the AIDE binary from a trusted source. This excludes the risk that some attacker also modified the aide binary to hide its traces.
To accomplish this task, AIDE must be run from a rescue system that is independent of the installed system. With SUSE Linux Enterprise Desktop it is relatively easy to extend the rescue system with arbitrary programs, and thus add the needed functionality.
Before you can start using the rescue system, you need to provide two packages to the system. These are included with the same syntax as you would add a driver update disk to the system. For a detailed description about the possibilities of linuxrc that are used for this purpose, see https://en.opensuse.org/SDB:Linuxrc. In the following, one possible way to accomplish this task is discussed.
- Provide an FTP server as a second machine.
- Copy the packages aide and mhash to the FTP server directory, in our case /srv/ftp/. Replace the placeholders ARCH and VERSION with the corresponding values:
  # cp DVD1/suse/ARCH/aideVERSION.ARCH.rpm /srv/ftp
  # cp DVD1/suse/ARCH/mhashVERSION.ARCH.rpm /srv/ftp
- Create an info file /srv/ftp/info.txt that provides the needed boot parameters for the rescue system:
  dud:ftp://ftp.example.com/aideVERSION.ARCH.rpm
  dud:ftp://ftp.example.com/mhashVERSION.ARCH.rpm
  Replace your FTP domain name, VERSION and ARCH with the values used on your system.
- Restart the server that needs to go through an AIDE check with the Rescue system from your DVD. Add the following string to the boot parameters:
  info=ftp://ftp.example.com/info.txt
  This parameter tells linuxrc to also read in all information from the info.txt file.
After the rescue system has booted, the AIDE program is ready for use.
20.5 More information
Information about AIDE is available at the following places:
- The home page of AIDE: https://aide.github.io/ 
- In the documented template configuration /etc/aide.conf.
- In several files below /usr/share/doc/packages/aide after installing the aide package.
- On the AIDE user mailing list at https://www.ipi.fi/mailman/listinfo/aide.