Monday, May 6, 2013

Detecting Changed Files

Detecting Changed Files


AIDE wiki 'definition' :

--------------------------
AIDE takes a "snapshot" of the state of the system, register hashes, modification times, and other data regarding the files defined by the administrator. This "snapshot" is used to build a database that is saved and may be stored on an external device for safekeeping.

When the administrator wants to run an integrity test, the administrator places the previously built database in an accessible place and commands AIDE to compare the database against the real status of the system. Should a change have happened to the computer between the snapshot creation and the test, AIDE will detect it and report it to the administrator. Alternatively, AIDE can be configured to run on a schedule and report changes daily using scheduling technologies such as cron, which is the default behavior of the Debian AIDE package.[1]

This is mainly useful for security purposes, given that any malicious change which could have happened inside of the system would be reported by AIDE.

https://en.wikipedia.org/wiki/Advanced_Intrusion_Detection_Environment

--------------------------

AIDE - Advanced intrusion detection environment
http://AIDE.sourceforge.net/

- File integrity checker
- Highly configurable catalog of file properties
- Compatibility with Fedora/RHEL OS

Proccess installation of AIDE :

# yum install aide -y
# aide --install


Verify system integrity with AIDE(report) :


# cp -v /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# aide --check

Troubleshooting :

If got erros like "at least one of file's dependencies has changed since prelinking
Error on exit of prelink child process", check if your system is up to date and also 'prelink' database .


# /etc/cron.daily/prelink


If the report wasn't generated because of an intrusion but rather of changes you have caused to some files contained into the database and you want to upgrade it, try "AIDE --update" :

# aide --update

This will create an updated aide.db.new.gz database file. You can than rename it to aide.db.gz and replace the old one. Replacing the input database should also be a manually process and should not be automated.


For better security reasons, you should place your database on a read-only, so that it can't be altered after an intrusion. If your are even more paranoid, you could also think about putting the AIDE binary itself and the config file on a usb-stick, which will only be mounted when you compare your system files against the database. This has the advantage that an intruder do not know which directories and files are under control of an Intrusion Detection System (IDS).

No comments:

Post a Comment