AIDE – File Integrity Monitoring

The idea of using file integrity monitoring to validate your operating system and applications has been around since the late ’90s, with programs like Tripwire. Today, we have a steady stream of companies offering their own version for FIM. However, one consistent and reliable open source solution for Linux is AIDE or the Advanced Intrusion Detection Environment.

Installation

Install the aide package,

# dnf install aide

On some older versions of Red Hat, it is recommended to disable prelinking to avoid false positives. Change the value, PRELINKING=yes to PRELINKING=no in /etc/sysconfig/prelink

# vi /etc/sysconfig/prelink
PRELINKING=no

Review man prelink for more information. This change will go into effect on the next daily run but you can initiate it now if your system was using prelinking to set the binaries back to their original before they were prelinked.

# /etc/cron.daily/prelink
or
# prelink -ua

Configuration

The configuration file is located in /etc/aide.conf. Within this file, you can control all the rules that are checked from permissions, ownership, timestamps and more,

# more /etc/aide.conf
...
# These are the default rules.
#p:      permissions
#i:      inode:
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
...
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs

# Access control only
PERMS = p+i+u+g+acl+selinux
...

… the directories and files that should be checked,

# more /etc/aide.conf
...
# directories/files you want in the database
/boot   NORMAL
/bin    NORMAL
/sbin   NORMAL
/lib    NORMAL
/lib64  NORMAL
/opt    NORMAL
/usr    NORMAL
/root   NORMAL
...
/etc    PERMS
/etc/exports  NORMAL
/etc/fstab    NORMAL
/etc/passwd   NORMAL
/etc/group    NORMAL
/etc/gshadow  NORMAL
/etc/shadow   NORMAL
...

… as well as directories to ignore,

# more /etc/aide.conf
...
# These are too volatile
!/usr/src
!/usr/tmp
!/var/log/.*
!/usr/share/zoneinfo/.*
!/root/.viminfo$
!/root/history
...

For more information, review ‘man aide.conf’. The default configuration is fairly comprehensive but you should customize it for your own environment. It may take a few weeks before you can fine-tune the config for your system to limit false positives.

Initialization

Generate the initial database for your system.

# aide --init

Once the initial database is created, it will be stored in /var/lib/aide/aide.db.new.gz. Before running a check against the database, you will need to rename the db and remove the new string,

# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Test Configuration

Before checking for system changes, I’m going to add a new user and replace a the sudo binary file.

# useradd test
# passwd test
Changing password for user test.
New password: 
Retype new password: 

# rm /usr/bin/sudo
# mv /root/fakesudo /usr/bin/sudo

Now we will perform an integrity check by manually running the following command to see if it reports our changes,

# aide --check
AIDE found differences between database and filesystem!!
Start timestamp: 2021-04-24 14:19:30

Summary:
  Total number of files:	160824
  Added files:			0
  Removed files:		0
  Changed files:		10

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/group-
changed: /etc/passwd-
changed: /etc/gshadow-
changed: /etc/shadow-
changed: /etc/passwd
changed: /etc/gshadow
changed: /etc/shadow
changed: /etc/group
changed: /usr/bin
changed: /usr/bin/sudo

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/group-
  Mtime    : 2019-01-14 14:45:07              , 2020-03-11 03:03:06
  Ctime    : 2020-03-11 03:03:06              , 2021-04-24 14:18:22

File: /etc/passwd-
  Size     : 2438                             , 2471
  Mtime    : 2018-09-26 08:36:36              , 2018-09-27 09:54:29
  Ctime    : 2018-09-27 09:54:29              , 2021-04-24 14:18:22
  MD5      : cHsr0LiUqbHQATdT4qqMPg==         , J7QnX0n1qFLzxOxSyP4yXw==
  RMD160   : rYKZCwsEpYDEOG+mjg/gJ4umEsY=     , MMdSjegrilSmhGEA7FDWmdhd92o=
  SHA256   : 1UzVQ0yK7knR+Et+LLYlBN0JuFVTxnER , SEH2SgK04zEvikDY7vHwuq1gOskq4rYc

File: /etc/gshadow-
  Size     : 864                              , 871
  Mtime    : 2018-09-21 09:23:34              , 2018-09-27 09:54:29
  Ctime    : 2018-09-27 09:54:29              , 2021-04-24 14:18:22
  MD5      : SHwN799wkoytdkca/vNTgw==         , WyBRaCmOajOsXTPFj+JKVw==
  RMD160   : nvSYbAVG/8JoyKFs2Qc641oDjd8=     , 8c3IlgA2ZGRmOeOcES4peTPkuVM=
  SHA256   : 1NRi36bJHlatD7gWQNnMrNSIpadoKWnf , //rE+7BLKC9WKtMLLedEEI4EzlYEyAOn

File: /etc/shadow-
  Size     : 1786                             , 1907
  Mtime    : 2018-09-27 09:53:08              , 2018-10-01 10:48:25
  Ctime    : 2018-09-27 09:54:29              , 2021-04-24 14:18:22
  MD5      : 7ixF3HZO1nNYCH7Cc//t/Q==         , HQHL6erLD0ixIvb46fiSQA==
  RMD160   : JnSXZmalfHDLCAMQItKL/pT2zho=     , Q+4V0VP+64DQGzejCrY2GQLZ1gA=
  SHA256   : MTaA+0+q7Lo9oGkdgJLbeh4X/RrU66UB , W/44o0ofXXnwIKFp4Y4mhU2lKwSRZ1Hi

File: /etc/passwd
  Size     : 2471                             , 2508
  Mtime    : 2018-09-27 09:54:29              , 2021-04-24 14:18:22
  Ctime    : 2018-09-27 09:54:29              , 2021-04-24 14:18:22
  Inode    : 7998314                          , 7997536
  MD5      : J7QnX0n1qFLzxOxSyP4yXw==         , UDl4oag1VHHXgZSznFxtaQ==
  RMD160   : MMdSjegrilSmhGEA7FDWmdhd92o=     , RILFS4birahKt0xpXJ9sZ86ELkA=
  SHA256   : SEH2SgK04zEvikDY7vHwuq1gOskq4rYc , tow6izwHv1CQlLtPJXjMUQkftLuIoM59

File: /etc/gshadow
  Size     : 871                              , 880
  Mtime    : 2018-09-27 09:54:29              , 2021-04-24 14:18:22
  Ctime    : 2018-09-27 09:54:29              , 2021-04-24 14:18:22
  Inode    : 7998304                          , 7997515
  MD5      : WyBRaCmOajOsXTPFj+JKVw==         , kl7rgFTdGUFo9Qt1KsLKlw==
  RMD160   : 8c3IlgA2ZGRmOeOcES4peTPkuVM=     , CDTBFlmfjJtW0XIegkuJgRYKY34=
  SHA256   : //rE+7BLKC9WKtMLLedEEI4EzlYEyAOn , M6E38Gra/7nXasDs+/yP4YKbFcYzZZc3

File: /etc/shadow
  Size     : 1907                             , 2030
  Mtime    : 2018-10-01 10:48:25              , 2021-04-24 14:18:33
  Ctime    : 2018-10-01 10:48:25              , 2021-04-24 14:18:33
  Inode    : 7996969                          , 7996140
  MD5      : HQHL6erLD0ixIvb46fiSQA==         , FPopX66NOjb29HZcVuexxA==
  RMD160   : Q+4V0VP+64DQGzejCrY2GQLZ1gA=     , 6h1gF55Lt4X8iJ2BMvgmChChhbE=
  SHA256   : W/44o0ofXXnwIKFp4Y4mhU2lKwSRZ1Hi , 0tNA4K+c0SH1UG4m+3MQlH3vZOs5I5ht

File: /etc/group
  Size     : 1060                             , 1072
  Mtime    : 2020-03-11 03:03:06              , 2021-04-24 14:18:22
  Ctime    : 2020-03-11 03:03:06              , 2021-04-24 14:18:22
  Inode    : 7997515                          , 7996969
  MD5      : 3iyrWultX61BbvvRVMaq3A==         , uDex34KAvrqaVbPgUxU1bg==
  RMD160   : xCmDPLZpi6maY3XvShV9K/VGqD0=     , lhuygZWBNEabrozob2of3JUin9w=
  SHA256   : RXYPW7g2jKm7pXv8ETh1spaSnRCRe229 , BxkfA83ekVfrj1DtcFGB8cG1Bifs7W6S

Directory: /usr/bin
  Mtime    : 2020-12-01 03:03:16              , 2021-04-24 14:18:58
  Ctime    : 2020-12-01 03:03:16              , 2021-04-24 14:18:58

File: /usr/bin/sudo
  Size     : 123832                           , 122912
  Permissions: ---s--x--x                       , ---x--x--x
  Mtime    : 2020-02-13 10:47:21              , 2021-04-24 14:17:55
  Ctime    : 2020-03-06 03:02:32              , 2021-04-24 14:18:58
  Inode    : 13901840                         , 6031103
  MD5      : 0ru7oRsNZcz/zxKEleVMqg==         , 3+2aCcJvcfgdMwNL9UDfdA==
  RMD160   : VUcnBtWjWndhZSQ2AQhGMAsMIj0=     , 0skgmqUkp7M4Yw5BUTyGmCb+lUo=
  SHA256   : 5adRkABPGnHEUCRx4H5HEFxAX9fsullv , pW/5tJUQGTP1cMcwi/4n0tLqbtPOfqUy
  SELinux  : system_u:object_r:sudo_exec_t:s0 , unconfined_u:object_r:admin_home_t:s0

As you can see, it picked up changes in the /etc configuration files and found our trojan binary. You may notice that /home/test was not listed. This is because the /home directory is not monitored by default within /etc/aide.conf. Besides sending the output to stdout, the report will be stored in /var/lib/aide or /var/log/aide depending on your configuration.

Updating the Database

After changes have occurred in the database and you have verified they are legitimate, you can update aide to create a new database,

# aide --update

This will create a new database in /var/lib/aide/aide.db.new.gz. Replace the old configuration with this new db.

# mv /var/lib/aide/aide.db.gz /var/lib/aide/aide.db.gz-24APR21
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Final Thoughts

After troubleshooting what to monitor and ignore within aide.conf, you will want to automate this process through cron. Ideally, this would be done from another server that connects in and uses a stored aide db that is not on the server being checked. Obviously, if the server becomes compromised, the hacker would change or disable aide to hide their tracks. Offloading and centralizing your database files is a critical step that should be considered instead of maintaining them locally in /var/lib/aide. Lastly, you might consider speeding up the process by going with one message digest algorithm, like sha512, and disable md5, rmd160 and sha256.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s