manual.html

This piece of software was written as a replacement and extension for Tripwire. Tripwire is an exce

<html>
<head><title>Aide Manual version 0.1</title>
<meta name="cvsheader" content="
$Header: /cvs-root-aide/aide2/doc/manual.html,v 1.2 2002/03/17 20:06:07 rammer Exp $
">
</meta>
</head>
<body bgcolor="#FFFFFF">

<h1>The Aide manual</h1>
<a name="about"></a>
<h2>About this document</h2>
<strong>This manual is by no means complete, usable, readable, comprihensible,
or error free.<br>
<p>
If you have any corrections, additions or constructive comments, please send
them to <a href="mailto:rammer@cs.tut.fi">me</a>.</strong></p>
This document was written by Rami Lehti 
<a href="mailto:rammer@cs.tut.fi">&lt;rammer@cs.tut.fi&gt;</a> 

<a name="toc"></a>
<h2>Table of Contents</h2>
<ol>
<li><a href="#about">About this document</a>
<li><a href="#toc">Table of Contents</a>
<li><a href="#whatisAide">What is Aide?</a>
<li><a href="#compilation">Compiling Aide</a>
<li><a href="#config">Configuration</a>
<li><a href="#usage">Usage</a>
<li><a href="#general">General guidelines for security</a>
</ol>

<a name="whatisAide"></a>
<h2>What is Aide?</h2>
<p>
AIDE (Advanced intrusion detection environment) is an intrusion
detection program. More specifically a file integrity checker.
</p>
<p>
Aide constructs a database of the files specified in Aide.conf, Aide's configuration file. 
The Aide database  stores various file attributes including:
permissions, inode number, user, group, file size, mtime and ctime,
atime, growing size and number of links.  
Aide also creates a cryptographic checksum or hash of each file using
one or a combination of the following message digest algorithms: sha1,
md5, rmd160, tiger (crc32, haval and gost can be compiled in if mhash
support is available). 
</p><p>
Typically, a system administrator will create an AIDE database on a
new system before it is brought onto the network. This first AIDE
database is a snapshot of the system in it's normal state and the
yardstick by which all subsequent updates and changes will be
measured. The database should contain information about key system
binaries, libraries, header files, all files  
that are expected to remain the same over time.  The database probably
should not contain information about files which change frequently
like log files, mail spools, proc filesystems, user's home
directories, or temporary directories.
</p><p>
After a break-in, an administrator may begin by examinining the system
using system tools like ls, ps, netstat, and who ---  
 the very tools most likely to be trojaned. Imagine that ls has been
doctored to not show 
any file named "sniffedpackets.log" and that ps and netstat have been
rewritten to not show any information for a  process named
"sniffdaemond".  
Even an administrator who had previously printed out on paper the
dates and sizes of these key system files can not be certain by
comparison that they have not been modified in some way. File dates
and sizes can be manipulated, some better root-kits make this trivial.
</p><p>
While it is possible to manipulate file dates and sizes, it is much
more difficult to manipulate a single cryptographic checksum like md5,
and exponentially more difficult to manipulate each of the entire
array of checksums that Aide supports. By rerunning Aide after a
break-in, a system administrator can quickly identify changes to key
files and have a fairly high degree of confidence as to the accuracy
of these findings.  
</p>
<p>
Unfortunately, Aide can not provide absolute sureness about change in
files.  Like any other system files, Aide's binary and/or database can
also be altered.
</p>


<a name=compilation></a>
<h2>Compiling Aide</h2>
<h3>I'm in a hurry. Bottomline about compilation.</h3>
<p>
After you have installed all the necessary sofware do
<code>./configure;make;make install</code> in the main Aide  
directory of the unpacked source tree. <b>You should carefully think
about the configuration and what a possible hacker can do if
he/her/they/it has root access.</b></p>

<h3>Getting all that is needed</h3>
<p>
Before you can compile Aide you must have certain things.
<ul>
<li>ANSI C-compiler (<a href="http://www.gnu.org/sofware/gcc/gcc.html">GCC</a>
will do just fine) 
<li><a href="ftp://ftp.gnu.org/pub/gnu/flex/">GNU Flex</a>
<li><a href="ftp://ftp.gnu.org/pub/gnu/bison/">GNU Bison</a>
<li><a href="ftp://ftp.gnu.org/pub/gnu/make">GNU Make</a>
<li><a href="http://www.cs.tut.fi/~rammer/aide.html">Aide source code</a>
<li><a href="http://schumann.cx/mhash/">Mhash library</a>
<li>And if you want to use postgres sql for database storage you must have the 
<a href="http://www.postgreSQL.org/">postgres sql developer
library</a> installed 
</ul>
Please check to see if there are mirrors available.</p>
<p>
Once you have the source code of Aide you should unpack it. If you
have GNU tar then the command is <code>tar zxvf
aide-version.tar.gz</code> .
</p>
<h3>Compile-time configuration</h3>
<p>
Next you must use the configure script found in Aide's source code
package to configure the compilation process.</p><p>
There are several options you can give to configure. You can find out
what options are available with <code>./configure --help</code> 
command. Most of the time you do not need to give any options.
You can just use configure without any parameters.</p><p>

If you want to use the bundled gnu regular expression package
you can give the <code>--with-gnu-regexp</code> option. Some OS's that 
a buggy regexp implementation you must use this option.</p><p>

If you want to change the directory where Aide is installed you can 
use --prefix option. For example <code>./configure --prefix=/usr
</code> 
</p>
<h3>Compilation and installation</h3>
<p>
The compilation is done by simply typing <code>make</code>. You can
now type <code>make install</code> to install the binary and the
manual pages. The binary however should be installed on read-only
media or in some other tamperproof place. Also the databases should 
be kept somewhere where a possible intruder cannot change them.</p>

<a name=config></a>
<h2>Configuration</h2>
<p>
Next you have to create a configuration file. You can find
documentation for this in aide.conf(5) manual page. Here are a few
pointers for what to look for.
</p>
<p>
There are three types of lines in aide.conf:
<ul>
<li>configuration lines - used to set configuration parameters and
define/undefine  variables   
<li>selection lines - indicate which files will be added to the database 
<li>macro lines - define or undefine variables within the the config file 
</ul>
Lines beginning with # are ignored as comments.
</p>
<p>
Here is an example configuration.</p>


<pre>
#AIDE conf

   # Here are all the things we can check - these are the default rules 
   #
   #p:      permissions
   #i:      inode
   #n:      number of links
   #u:      user
   #g:      group
   #s:      size
   #b:      block count
   #m:      mtime
   #a:      atime
   #c:      ctime
   #S:      check for growing size
   #md5:    md5 checksum
   #sha1:   sha1 checksum
   #rmd160: rmd160 checksum
   #tiger:  tiger checksum
   #R:      p+i+n+u+g+s+m+c+md5
   #L:      p+i+n+u+g
   #E:      Empty group
   #>:      Growing logfile p+u+g+i+n+S

   # You can alse create custom rules - my home made rule definition goes like this 
   #
   MyRule = p+i+n+u+g+s+b+m+c+md5+sha1 

   # Next decide what directories/files you want in the database

   /etc p+i+u+g     #check only permissions, inode, user and group for etc
   /bin MyRule      # apply the custom rule to the files in bin 
   /sbin MyRule     # apply the same custom rule to the files in sbin 
   /var MyRule		
   !/var/log/.*     # ignore the log dir it changes too often
   !/var/spool/.*   # ignore spool dirs as they change too often
   !/var/adm/utmp$  # ignore the file /var/adm/utmp


</pre>



<p>Here we include files in /etc, /bin and /sbin.  We also include
/var but ignore /var/log, /var/spool and a single file /var/adm/utmp. 
</p><p>
It is generally a good idea to ignore directories that frequently
change, unless you want to read long reports.  
It is good practice to exclude tmp directories, mail spools, log
directories, proc filesystems, user's home directories, web content
directories, anything that changes regularly.  It is good practice to
include all system binaries, libraries, include files, system source