Difference between revisions of "AIDE"

m (Help:Style adaptations)
m (Usage)
(7 intermediate revisions by 4 users not shown)
Line 1: Line 1:
[[Category:Security (English)]]
+
[[Category:Security]]
{{i18n|AIDE}}
+
 
+
 
AIDE is a host-based intrusion detection system (HIDS) for checking the integrity of files.
 
AIDE is a host-based intrusion detection system (HIDS) for checking the integrity of files.
 
It does this by creating a baseline database of files on an initial run,
 
It does this by creating a baseline database of files on an initial run,
Line 16: Line 14:
  
 
== Setup ==
 
== Setup ==
 +
 
=== Installation ===
 
=== Installation ===
[[pacman|Install]] {{pkg|aide}} from the [[Official Repositories]].
+
 
 +
[[pacman|Install]] {{Pkg|aide}} from the [[official repositories]].
  
 
=== Configuration ===
 
=== Configuration ===
The default config file at /etc/aide.conf has pretty sane defaults and is heavily commented.
 
It works by including directories to check, like /bin, /lib, and /sbin.
 
You may wish instead to include everything by default,
 
and exclude volatile directories that change often.
 
Here's an example of such a configuration:
 
 
<pre>
 
@@define DBDIR /var/lib/aide
 
@@define LOGDIR /var/log/aide
 
 
database=file:@@{DBDIR}/aide.db.gz
 
database_out=file:@@{DBDIR}/aide.db.new.gz
 
 
gzip_dbout=yes
 
verbose=5
 
report_url=file:@@{LOGDIR}/aide.log
 
report_url=stdout
 
 
NORMAL = R+rmd160+sha256
 
LOG = >
 
 
/ NORMAL
 
!/dev
 
!/home
 
!/media
 
!/mnt
 
!/proc
 
!/root
 
!/run
 
!/srv
 
!/sys
 
!/tmp
 
!/var
 
/var/log LOG
 
!/etc/mtab
 
</pre>
 
  
See <code>man aide.conf</code> for documentation on the config file.
+
The default config file at {{ic|/etc/aide.conf}} has pretty sane defaults and is heavily commented.
 +
If you want to change the rules, see <code>man aide.conf</code>
 +
and the [http://aide.sourceforge.net/stable/manual.html AIDE Manual]
 +
for documentation.
  
 
=== Usage ===
 
=== Usage ===
To check your configuration, use <code>aide -D</code>.
 
  
To initialize the database, use <code>aide -i</code>.
+
To check your configuration, use {{ic|aide -D}}.
 +
 
 +
To initialize the database, use {{ic|aide -i}} or {{ic|aideinit}}.
 
Depending on your configuration and system,
 
Depending on your configuration and system,
 
this command can take a while to complete.
 
this command can take a while to complete.
  
You can check the system against the baseline database using <code>aide -C</code>,
+
You can check the system against the baseline database using {{ic|aide -C}},
or update the baseline db using <code>aide -u</code>
+
or update the baseline db using {{ic|aide -u}}.
  
For more info, see <code>man aide</code>.
+
For more info, see {{ic|man aide}}.
  
 
=== Cron ===
 
=== Cron ===
 +
 
AIDE can be run manually if desired,
 
AIDE can be run manually if desired,
 
but you may want to run it automatically instead.
 
but you may want to run it automatically instead.
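Review bot: removing the whole example configuration (the `@@define`, `database`/`database_out`, `report_url` and `!`-exclusion lines between the `<pre>` tags) leaves the Configuration section with nothing but a pointer to man aide.conf; keeping at least the exclusion list (`!/proc`, `!/sys`, `!/tmp`, `!/run`, `!/dev`) would preserve the one concrete piece of advice a reader needs to avoid a baseline full of volatile files. If it is kept, the pair `!/var` followed by `/var/log LOG` should be checked against man aide.conf, since the exclusion of /var is broader than the rule that follows it and the intended result (only /var/log checked, with the growing-file rule) is not obvious from the two lines. The same hunk adds `aideinit` next to `aide -i` in Usage; confirm that the Arch package actually ships that helper before documenting it.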
Line 79: Line 48:
 
If cron is set up to automatically mail all job output,
 
If cron is set up to automatically mail all job output,
 
it can be as simple as
 
it can be as simple as
<pre>
+
{{bc|<nowiki>#!/bin/bash -e
#!/bin/bash -e
+
  
 
# these should be the same as what's defined in /etc/aide.conf
 
# these should be the same as what's defined in /etc/aide.conf
Line 95: Line 63:
 
mv $database $database.back
 
mv $database $database.back
 
mv $database_out $database
 
mv $database_out $database
</pre>
+
</nowiki>}}
  
 
For examples of more complicated cron scripts see
 
For examples of more complicated cron scripts see
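Review bot: the two `mv` lines at the end of the script rotate the baseline unconditionally, and with `bash -e` the second `mv` aborts the script after the first one has already moved `$database` aside whenever `aide -u` did not write `$database_out` (the `|| true` on the `aide -u` line in this revision keeps an aide failure from stopping the script earlier). Test for `$database_out` before the first `mv`, and quote both variables (`mv "$database" "$database.back"`) as the `[ ! -f "$database" ]` check earlier in the script already does.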
Line 102: Line 70:
  
 
=== Security ===
 
=== Security ===
 +
 
Since the database is stored on the root filesystem,
 
Since the database is stored on the root filesystem,
attackers can easily modify it to cover their tracks if they compromise yuor system.
+
attackers can easily modify it to cover their tracks if they compromise your system.
 
You may want to copy the database to offline, read-only media
 
You may want to copy the database to offline, read-only media
 
and perform checks against this copy periodically.
 
and perform checks against this copy periodically.
  
 
== See also ==
 
== See also ==
* [http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=13#doc_chap1 Gentoo Docs - Intrusion Detection]
+
 
 +
* [http://aide.sourceforge.net/stable/manual.html AIDE manual]
 +
* [http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=13#doc_chap1 Gentoo Docs - Intrusion detection]
 
* [http://www.la-samhna.de/library/scanners.html Samhain Labs - file integrity checkers]
 
* [http://www.la-samhna.de/library/scanners.html Samhain Labs - file integrity checkers]

Revision as of 13:31, 28 September 2013

AIDE is a host-based intrusion detection system (HIDS) for checking the integrity of files. It does this by creating a baseline database of files on an initial run, and then checks this database against the system on subsequent runs. File properties that can be checked against include inode, permissions, modification time, file contents, etc.

AIDE only does file integrity checks. It does not check for rootkits or parse logfiles for suspicious activity, like some other HIDS (such as OSSEC) do. For these features, you can use an additional HIDS (see here for a possibly biased comparison), or use standalone rootkit scanners (rkhunter, chkrootkit) and log monitoring solutions (logwatch, logcheck).

Setup

Installation

Install aide from the official repositories.

Configuration

The default config file at /etc/aide.conf has pretty sane defaults and is heavily commented. If you want to change the rules, see man aide.conf and the AIDE Manual for documentation.

Usage

To check your configuration, use aide -D.

To initialize the database, use aide -i or aideinit. Depending on your configuration and system, this command can take a while to complete.

You can check the system against the baseline database using aide -C, or update the baseline db using aide -u.

For more info, see man aide.

Cron

AIDE can be run manually if desired, but you may want to run it automatically instead. How you set this up will depend on your cron daemon and MUA (if email notification is desired).

If cron is set up to automatically mail all job output, it can be as simple as

#!/bin/bash -e

# these should be the same as what's defined in /etc/aide.conf
database=/var/lib/aide/aide.db.gz
database_out=/var/lib/aide/aide.db.new.gz

if [ ! -f "$database" ]; then
        echo "$database not found" >&2
        exit 1
fi

# aide exits non-zero when it finds changes; do not let -e abort the script
# here, the report on stdout is what cron mails
aide -u || true

# only rotate the baseline if the update actually wrote a new database
if [ ! -f "$database_out" ]; then
        echo "$database_out not written, keeping the old baseline" >&2
        exit 1
fi

mv "$database" "$database.back"
mv "$database_out" "$database"

For examples of more complicated cron scripts see here or here.

Security

Since the database is stored on the root filesystem, attackers can easily modify it to cover their tracks if they compromise your system. You may want to copy the database to offline, read-only media and perform checks against this copy periodically.
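The offline check suggested above, as an added example that is not part of the ArchWiki page: it points AIDE at a baseline copied to read-only media (a hypothetical mount at /mnt/aide-ro) and first compares the database on the root filesystem against that copy. It assumes the page's /etc/aide.conf and /var/lib/aide/aide.db.gz paths, the database= key used there, and aide's -c option for selecting an alternate config file.

```shell
#!/bin/bash
# Added example, not from the ArchWiki page. Checks the system against an
# AIDE baseline kept on read-only media so the copy on the root filesystem
# (which an intruder with root can rewrite) is never the one trusted.
# Hypothetical: the media is mounted at $RO_DIR. Assumed: /etc/aide.conf,
# /var/lib/aide/aide.db.gz and the database= key as on the page; "aide -c".

RO_DIR="${RO_DIR:-/mnt/aide-ro}"
RO_DB="$RO_DIR/aide.db.gz"
LOCAL_DB=/var/lib/aide/aide.db.gz
SRC_CONF=/etc/aide.conf

# offline_config SRC_CONF OFFLINE_DB
# Print SRC_CONF with every "database=" line repointed at OFFLINE_DB.
# database_out= is left untouched: a check run (-C) does not write it.
offline_config() {
    local src="$1" db="$2"
    sed -E "s|^[[:space:]]*database[[:space:]]*=.*|database=file:${db}|" "$src"
}

# baseline_matches LOCAL_DB OFFLINE_DB
# 0: byte-identical; 1: differ (on-disk baseline may have been tampered
# with, or simply updated since the copy was made); 2: a file is missing.
baseline_matches() {
    local a="$1" b="$2"
    [ -f "$a" ] && [ -f "$b" ] || return 2
    cmp -s "$a" "$b"
}

run_offline_check() {
    local tmpconf
    tmpconf="$(mktemp)"
    trap 'rm -f "$tmpconf"' EXIT
    if ! baseline_matches "$LOCAL_DB" "$RO_DB"; then
        echo "warning: $LOCAL_DB differs from $RO_DB" >&2
    fi
    offline_config "$SRC_CONF" "$RO_DB" > "$tmpconf"
    # aide exits non-zero when it finds changes: report, do not treat as error
    aide -C -c "$tmpconf" || echo "aide reported changes (exit $?)" >&2
}

# Run as root with --run; defining the functions alone has no side effects.
if [ "${1:-}" = "--run" ]; then
    run_offline_check
fi
```

A difference reported by baseline_matches is expected right after a legitimate aide -u, so refresh the read-only copy whenever the baseline is deliberately updated.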

See also