AIDE
Timothy J. Bruce
21 September 2010
For the Portland Linux/Unix Group (PLUG)
Protecting your file system
21 Sep 2010 Timothy J. Bruce PLUG 2
Intro
What is AIDE / What does it do
Why do I need it
Configuration
Results
Issues / Limitations
Competing Solutions
Why did I Select AIDE?
Conclusion
References
What is AIDE?
What does AIDE stand for? Advanced Intrusion Detection Environment
What is it? A host-based intrusion detection system (HIDS)
What does it do? File integrity checker: saves results and compares later scans against the known database
Why do I need it?
To monitor for files that have changed (hacking / break-in)
To identify unauthorized changes (SOX / HIPAA / PCI auditing / internal audit)
What does it Check?
File permissions
Inode
Number of links
Link name
File owner
Group owner
Size
Block count
Mtime / Atime / Ctime
Growing size
Option to ignore changed filename
ACL
SELinux security context
xattr (extended file attributes)
Checksums
Supported Checksums
md5, sha1, sha256, sha512, rmd160, tiger, haval, crc32
If enabled (through mhash support during compile): gost, whirlpool
Configuration
/etc/aide/aide.conf: database, database_out, permission "macros"
/etc/aide/aide.conf.d/*: files contain file / permission and directory / permission lines
aide.conf
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
Checksums = md5+sha1+crc32+tiger
OwnerMode = p+u+g
Size = s+b
InodeData = OwnerMode+n+i+Size
StaticFile = m+c+Checksums
(The letters are AIDE attribute flags: p permissions, u user, g group, n number of links, i inode, s size, b block count, m mtime, c ctime, S growing size, I ignore changed filename; a macro name on the right-hand side expands to the flags it was defined with.)
aide.conf (cont'd)
Full = InodeData+StaticFile
VarFile = OwnerMode+n
VarDir = OwnerMode+n+i
RotatedLogs = Full+I
Logs = OwnerMode+n+S
Configuration Files
Specific to the installed program, to identify locations to scan / ignore (Ubuntu)
Regex matching on filename / directory name; the regex is anchored at the start of the path, so end it with $ to match one path exactly
Equality matching using "=" as the first character (matches the path itself, not the files under it)
Exclusion by "!" as the first character
filename RULE
directory RULE
Read the documentation for rule complexity / building
31_aide_initscripts
/var/lib/urandom/random-seed$ VarFile
/var/lib/(urandom|initscripts)$ VarDir
/var/log/dmesg$ VarFile
/var/log/dmesg\.0$ LowLogs
/var/log/dmesg\.1\.gz$ RotatedLogs+ANF
/var/log/dmesg\.[23]\.gz$ RotatedLogs
/var/log/dmesg\.4\.gz$ RotatedLogs+ARF
/var/log/fsck/check(root|fs)$ VarFile
/var/run/motd$ VarFile
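The macro and rule lines on the preceding slides, exercised end to end in an added example (this is not AIDE's code and not from the talk): a Python miniature of AIDE that parses the aide.conf subset shown (attribute macros, regex rules, "=" equality rules, "!" exclusions), takes an --init style baseline of a directory tree, and does a --check style comparison that returns added, removed and changed paths with the old and new value of every differing attribute. The sample tree, the rule precedence (exclusions first, then the first matching rule) and treating the temporary directory as "/" are this example's own assumptions; AIDE's real database format and option handling are not reproduced.

```python
"""AIDE-style integrity checker in miniature (added example, not AIDE's own code).
Covers the aide.conf subset on the slides: macros, regex rules, '=' rules, '!' exclusions."""
import hashlib, os, re, stat, tempfile
# aide.conf letters: p perms, u uid, g gid, n links, i inode, s size, b blocks, m mtime, c ctime
ATTRS = {"p", "u", "g", "n", "i", "s", "b", "m", "c", "md5", "sha1", "sha256"}

def expand(expr, macros):
    """'OwnerMode+n+i' -> set of attribute letters, expanding macros recursively."""
    out = set()
    for tok in (t.strip() for t in expr.split("+")):
        if tok not in macros and tok not in ATTRS:
            raise ValueError("unknown attribute or macro: " + tok)
        out |= macros.get(tok, {tok})
    return out

def parse_conf(text):
    """Return selection rules as (kind, compiled regex, attrs); database= lines are skipped."""
    macros, rules = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line and line[0] in "/=!":                       # selection line
            pattern, _, expr = line.partition(" ")
            kind = {"!": "exclude", "=": "equal"}.get(line[0], "regex")
            attrs = set() if kind == "exclude" else expand(expr, macros)
            rules.append((kind, re.compile(pattern.lstrip("!=")), attrs))
        elif line and not line.startswith(("#", "database")):  # macro definition
            name, _, expr = line.partition("=")
            macros[name.strip()] = expand(expr, macros)
    return rules

def select(path, rules):
    """Exclusions win, then the first matching rule (this example's precedence, not necessarily
    AIDE's). Regexes are anchored at the path start as in AIDE; '=' must match the whole path."""
    if any(k == "exclude" and rx.match(path) for k, rx, _ in rules):
        return None
    for kind, rx, attrs in rules:
        if (kind == "regex" and rx.match(path)) or (kind == "equal" and rx.fullmatch(path)):
            return attrs
    return None

def collect(full, attrs):
    """Read the requested attributes (and checksums, for regular files) of one object."""
    st = os.lstat(full)
    meta = {"p": stat.S_IMODE(st.st_mode), "u": st.st_uid, "g": st.st_gid, "n": st.st_nlink,
            "i": st.st_ino, "s": st.st_size, "b": st.st_blocks, "m": st.st_mtime_ns, "c": st.st_ctime_ns}
    rec = {a: meta[a] for a in attrs if a in meta}
    if stat.S_ISREG(st.st_mode):
        with open(full, "rb") as f:
            data = f.read()
        for algo in attrs - set(meta):                     # remaining names are hashlib algorithms
            rec[algo] = hashlib.new(algo, data).hexdigest()
    return rec

def build_db(root, rules):
    """Walk root, treating it as '/', and record every object some rule selects."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for full in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            path = os.path.normpath("/" + os.path.relpath(full, root))
            attrs = select(path, rules)
            if attrs:
                db[path] = collect(full, attrs)
    return db

def compare(old, new):
    """(added, removed, changed) as in an AIDE summary; changed maps path -> {attr: (old, new)}."""
    changed = {}
    for p in sorted(set(old) & set(new)):
        diff = {a: (v, new[p].get(a)) for a, v in old[p].items() if v != new[p].get(a)}
        if diff:
            changed[p] = diff
    return sorted(set(new) - set(old)), sorted(set(old) - set(new)), changed

CONF = r"""
Checksums = sha256
OwnerMode = p+u+g
StaticFile = m+c+Checksums
Full = OwnerMode+n+i+s+b+StaticFile
VarFile = OwnerMode+n
!/var/log/.*\.gz$
/var/log/ VarFile
/etc Full
/bin Full
"""

def demo():
    """Constructed scenario: baseline, then a trojaned binary, a dropped tool, a deleted
    config file and ordinary log growth (VarFile has no size/mtime/checksum, so it is silent)."""
    rules = parse_conf(CONF)
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data, mode="wb"):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, mode) as f:
                f.write(data)
        for rel, data in {"etc/hosts": b"127.0.0.1 localhost\n", "bin/ls": b"#!/bin/sh\n",
                          "var/log/syslog": b"boot ok\n", "var/log/syslog.1.gz": b"\x1f\x8b"}.items():
            put(rel, data)
        baseline = build_db(root, rules)                    # aide --init
        put("bin/ls", b"# backdoor\n", "ab")                # trojaned binary
        put("bin/nc", b"#!/bin/sh\n")                       # dropped tool
        os.remove(os.path.join(root, "etc/hosts"))          # deleted config file
        put("var/log/syslog", b"cron ok\n", "ab")           # log growth: not a change under VarFile
        return compare(baseline, build_db(root, rules))     # aide --check
```

Running demo() reports /bin/nc as added, /etc/hosts as removed and /bin/ls as changed (size, block count, mtime, ctime and sha256), while the appended syslog stays quiet because VarFile only records owner, mode and link count, and the rotated .gz file never enters the database at all. That is exactly the trade-off the VarFile / RotatedLogs macros on the slides encode: fewer attributes on files that legitimately churn, everything on files that must not.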
Results
Email results
AIDE found differences between database and filesystem!!
Start timestamp: 2010-09-21 10:56:51
Summary:
  Total number of files: 370
  Added files: 75
  Removed files: 2
  Changed files: 52
Results
---------------------------------------------------
Added files:
---------------------------------------------------
added: /var/log/apache2/error.log.12.gz
added: /var/log/apache2/error.log.5.gz
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /var/log/daemon.log.5.gz
removed: /var/log/daemon.log.6.gz
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /var/log/aide/aide.log.2.gz
changed: /var/log/aide/aide.log.4.gz
Results
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /var/log/aide/aide.log.2.gz
Size   : 16319 , 17841
Bcount : 32 , 40
Mtime  : 2009-12-09 10:25:20 , 2010-09-14 10:26:12
Ctime  : 2009-12-14 10:25:27 , 2010-09-21 10:25:54
Inode  : 191245 , 191257
MD5    : o83Sbw573PYSUTkBkVs/FQ== , KDnwIZ7cmoML6IQWUSjTyA==
…
WHIRLPOOL: EXaR0CgV2Z4DF3M62thbKUp+VRjtsBuo , RXPMG/LGk+ie+nIXAnS4s3KEJU1rfjBj
Issues / Limitations
Determines changes AFTER the fact
Does not prevent files from being altered
Requires reading the logs / emails
The baseline database and the aide binary are only as trustworthy as where they are stored: an intruder with root who can alter files can also re-initialise the database, so keep a copy where the host cannot rewrite it (read-only media, another machine)
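The report on the preceding slides is what the nightly job mails out, and the limitation just listed, that someone has to read it, is where this added example fits (example code, not AIDE's own): a Python triage script that parses the added/removed/changed lists and the detail block in the 2010-era "old , new" layout, cross-checks the lists against the Summary counts so a truncated mail is noticed, and separates expected log rotation from anything else. REPORT is constructed from the slides' sample output, with the entries /usr/local/bin/.sshd and /usr/bin/ssh and their sizes added for the example; the rotated-log allow-list is an assumption to tune per host.

```python
"""Triage an e-mailed AIDE report (added example, not AIDE's own code): parse the
added/removed/changed lists and the detail block, check them against the Summary
counts, and split expected log rotation from changes a human must look at.
REPORT is constructed from the slides' sample, extended with /usr/local/bin/.sshd
and /usr/bin/ssh, which did not appear on the slides."""
import re

REPORT = """\
AIDE found differences between database and filesystem!!
Start timestamp: 2010-09-21 10:56:51
Summary:
  Total number of files: 370
  Added files: 3
  Removed files: 2
  Changed files: 3
---------------------------------------------------
Added files:
---------------------------------------------------
added: /var/log/apache2/error.log.12.gz
added: /var/log/apache2/error.log.5.gz
added: /usr/local/bin/.sshd
---------------------------------------------------
Removed files:
---------------------------------------------------
removed: /var/log/daemon.log.5.gz
removed: /var/log/daemon.log.6.gz
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /var/log/aide/aide.log.2.gz
changed: /var/log/aide/aide.log.4.gz
changed: /usr/bin/ssh
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /var/log/aide/aide.log.2.gz
Size   : 16319 , 17841
Mtime  : 2009-12-09 10:25:20 , 2010-09-14 10:26:12
File: /usr/bin/ssh
Size   : 461000 , 463104
Mtime  : 2010-02-01 12:00:00 , 2010-09-20 03:12:40
"""

ENTRY = re.compile(r"^(added|removed|changed): (\S+)$", re.M)
COUNT = re.compile(r"^\s*(Added|Removed|Changed) files: (\d+)$", re.M)
# Changes the scan is expected to see: log rotation under /var/log.
# This allow-list is the example's own assumption; tune it per host.
EXPECTED = [re.compile(r"^/var/log/.*\.\d+(\.gz)?$")]

def parse_report(text):
    """Return ({kind: [paths]}, {kind: count claimed by the Summary block})."""
    entries = {"added": [], "removed": [], "changed": []}
    for kind, path in ENTRY.findall(text):
        entries[kind].append(path)
    return entries, {k.lower(): int(n) for k, n in COUNT.findall(text)}

def parse_details(text):
    """{path: {attribute: (old, new)}} from the 'Detailed information' block
    in the 2010-era layout 'Attr : old , new' shown on the slides."""
    details, current = {}, None
    for line in text.splitlines():
        if line.startswith("File: "):
            current = details.setdefault(line[6:].strip(), {})
        elif current is not None and "," in line and ":" in line:
            attr, _, rest = line.partition(":")
            old, _, new = rest.partition(",")
            current[attr.strip()] = (old.strip(), new.strip())
    return details

def triage(text):
    """Split a report into (expected, alerts); each item is (kind, path, details).
    Raises if a list is shorter or longer than its Summary count (truncated mail)."""
    entries, counts = parse_report(text)
    details = parse_details(text)
    expected, alerts = [], []
    for kind, paths in entries.items():
        if kind in counts and counts[kind] != len(paths):
            raise ValueError("%s: summary says %d, list has %d" % (kind, counts[kind], len(paths)))
        for path in paths:
            bucket = expected if any(rx.match(path) for rx in EXPECTED) else alerts
            bucket.append((kind, path, details.get(path, {})))
    return expected, alerts
```

On the constructed report, triage() leaves the six rotated logs in the expected list and raises two alerts, a new hidden file under /usr/local/bin and a changed /usr/bin/ssh with its size delta attached; those two are what an analyst should actually see, the rest can be summarised or dropped. Because AIDE only detects after the fact, this output is evidence for incident response, not prevention.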
Competing Solutions
Tripwire
RealEyes IDS (real-time)
Snort
FAM (File Alteration Monitor)
AppArmor
SELinux
Why did I select AIDE?
Free / open source; concerns with Tripwire
Quick solution
• Easy to configure
• Want to know what's broken / what was changed
• Didn't have to learn a lot… build new rules / restart
Conclusion
What it is
Configuration
Sample results
Issues / Limitations
Competing products / solutions
Security Thoughts
Do not assume anything
Trust no-one, nothing
Nothing is secure
Security is a trade-off with usability
Paranoia is your friend
http://www.cs.tut.fi/~rammer/aide/manual.html
References
http://www.cs.tut.fi/~rammer/aide.html
http://www.cs.tut.fi/~rammer/aide/manual.html
http://sourceforge.net/projects/aide/
System Security
Turn this around…
What do you use?
Why?