AIDE to the Rescue -- An Open Source Security Tool
Arthur Messenger and Brian Gollsneider
The Advanced Intrusion Detection System (AIDE) is a multiple platform,
open source, and GPL replacement for Tripwire. Both tools monitor
system intrusions by building an initial database and doing file
integrity checks against that database. AIDE came about because
the original author Rami Lehti wanted to get past some of Tripwire's
limitations. He didn't have the source for Tripwire, so he redid
it from scratch. Lehti runs a CVS server over the Internet to take
full advantage of the worldwide pool of programmers available to
develop applications. In this article, we will look at AIDE installation
and configuration, comparing it to Tripwire as necessary. If you
decide to use AIDE, then you must read the man pages (man aide and
man aide.conf) for the program. This article complements the documentation
there.
The union of open source and security is one of the most natural
marriages around, going far beyond the normal advantages of open
source software. If you trust a tool to perform security on your
system, you should be thoroughly familiar with what it is doing.
The best way to do that is to read through the source code. The
most important thing to remember about security tools, like AIDE
and Tripwire, is to configure and run them immediately after installation
and definitely before connection to a network. Otherwise, you might
be watching the configuration of a compromised system. A second
important rule is to move the AIDE files as quickly as possible
to read-only media that is only accessible during the system check.
It is easy to burn a CD-ROM and then run the program with files
from the CD-ROM, especially after you have a fairly steady system.
If your system is compromised, then the intruder could read and
modify the configuration file or just rebuild the database after
a rootkit has been installed.
Background
The AIDE tool monitors your system so that you can determine whether
it has been compromised. It builds a database of critical files
to build a snapshot, doing checksums with a variety of techniques
(sha1, md5, rmd160, among others) to make the possibility of an
undetected file change very remote. Understand what was just said
-- this tool only helps the systems administrator discover whether
a system has been compromised. It does not scan your system for
open ports or do any other security functions.
One question to consider is the necessity of a tool like AIDE.
If a systems administrator recorded the sizes and modification times
of the critical files, wouldn't that be enough? Besides the fact
that there are many, many critical system files (we scanned 122266
files on a small test system), it is very easy to hack a file so
that the length is the same and to reset the modification time so
it appears to be untouched. It is much harder to hack the file when
you have a checksum on the file to outwit, and exponentially harder
and debatably impossible to outwit multiple hashing schemes. That's
what AIDE does -- it looks at the critical system files from multiple
hashing schemes to ensure that they have not been changed. Obviously,
there are times when system files do change, so this and other situations
must be handled. This will be described later.
There are several different versions of Tripwire, one of which
is included in many Linux distributions. AIDE is a free download
with support provided by volunteers. To use it, AIDE must be downloaded
and configured before running. Tripwire has a commercial version
with professional support. Because this is officially pre-release
software (version 0.9), the focus of AIDE developers has been on
functionality, not documentation. Again, AIDE needs to be downloaded,
compiled, and configured before it can be utilized.
Platform Support
Both AIDE and Tripwire support multiple platforms (Solaris, Linux,
and BSD among others), but Tripwire has more extensive Microsoft
Windows support. AIDE uses Cygwin as its base to do Windows support,
so it will run on Windows 95 and newer. Tripwire supports Windows
XP Professional, Windows 2000, and NT 4.0. Tripwire has multiple
products with slight differences in support platforms.
Requirements
Before you can install AIDE, you must have several utilities:
an ANSI C compiler like gcc, and GNU versions of flex, bison, and
make. These can all be downloaded from:
http://www.gnu.org
If you are on a Windows platform, Cygwin is required. The mhash library
is also required even though the documentation states that it is optional.
Installation
AIDE's installation follows typical procedures. It comes as a
compressed tarball, so we put it in /tmp and did a tar -xzvf
aide-0.9.tar.gz to expand it. If you require the mhash library,
download that and do the equivalent command to expand it. Change
to the mhash library just created and do a ./configure, make,
and make install to compile and install the library.
Once that is done, change to the aide-0.9 directory previously
created by the tar command and do the ./configure,
make, and make install commands to compile and install
AIDE. The make file installs AIDE to /usr/local/bin and adds
the man pages aide(1) and aide.conf(5). Another useful source of
information is the user manual stored under aide-0.9/doc/manual.html.
At this point, you have built AIDE and need to configure it. It
is an excellent idea to place these binaries on read-only media
if possible. You don't want a rootkit causing AIDE to give false
reports.
Configuration
The next step is configuring AIDE to do what you want. Configuration
is controlled by the aide.conf file. Listing 1 shows our initial
control file with comments.
Some of this file makes sense at a glance while other parts are
more cryptic. The line "/bin ReadOnly" is parsed by aide into
three parts: a directive, which can be "=", "!", or empty; a regular
expression, /bin, which specifies the files to track; and
a variable, ReadOnly, which specifies what is to be tracked.
The easiest way to think about this is to assume that a ".*" is
appended to the end of each regular expression that does not
end in a $. This lets AIDE do a depth-first search for files
and directories under the path the regular expression names. The
use of "=" and "!" is covered later.
The three forward slashes (///) used on several lines are the
file:/// URL form in which AIDE names its files. The same entries
can also point to standard output or standard error. "Growing=>"
is another cryptic line in the configuration file. Two things are
happening on that line. First, a variable named Growing is defined.
Second, its value is set to ">", which is one of AIDE's predefined
attribute groups. It stands for the collection p+u+g+i+n+S,
so it records the permissions (p), uid (u), gid (g), inode number
(i), and number of links (n), and checks for a growing file (S).
The most cryptic line is "ReadOnly=p+i+n+u+g+s+m+md5". This line
is a list of codes separated by "+" that specifies what is to be tracked.
Using the selection codes given in Listing 2, it can be seen
that p+i+n+u+g+s+m+md5 tracks permissions, inode number,
number of links, user, group, size, modification time (mtime), and an
MD5 sum of the contents of the file.
Initial Run
We have now covered several of the required phases of working
with AIDE. Next, we will describe how to run AIDE for the first
time to build the system database and take the system snapshot.
Again, the key rule is to run AIDE before the system has been connected
to a network.
Type aide --config=./aide.conf --init to build the database.
This could take a while to run, depending on your system. This AIDE
database is now an especially critical system file and should be
moved to read-only media, and off the system if possible, for several
reasons. First, with the current state of AIDE, the database is
unencrypted and is in straight ASCII format. Second, from general
security ideas, always keep key files away from prying eyes. You
will need to make the appropriate change in the configuration file
to read the database from the appropriate location.
Checking
Once the initial database is done, you can check whether there
are changes between the initial database and the current file system
by using aide --config=./aide.conf --check. If nothing has
changed, the current system state will match the snapshot. If it
doesn't, examine the output of the comparison very carefully. Maybe
you added a user or made a system change that you forgot about,
or maybe your system has been compromised. Listing 3 shows the truncated
but typical output for one run.
This check took a little more than 14 minutes and created a 12-MB
database file. AIDE checked 122226 files and found 9 new files and
21 changed files in this run. It found some dead symlinks, so we
removed them. A very interesting observation from this run is the
directory "mrtg", which holds the Multi-Router Traffic Grapher.
We had forgotten about this program until the AIDE run but have
now removed it. Since it showed up in the initial run, we updated
aide.conf to specifically look at that directory. After scanning
the full output from the initial run, we realized it would also
be useful to look at additions and deletions to /home.
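To show what the init and check steps above actually compare, here is a Python model of the attribute groups from the Configuration section (the ReadOnly list plus sha1, and the ">" group behind Growing=>) run through an init/check cycle. It is an added example, not AIDE's code or database format; the temporary tree, the file bin/ls and the in-place modification that keeps length and mtime are constructed for the demonstration.

```python
import hashlib, os, stat, tempfile

# Attribute letters as in the article's groups: p permissions, i inode, n link
# count, u uid, g gid, s size, m mtime, S size may only grow, md5/sha1 digests.
READ_ONLY = "p+i+n+u+g+s+m+md5+sha1"   # the article's ReadOnly plus sha1
GROWING = "p+u+g+i+n+S"                # what the article's Growing=> expands to

def snapshot(path, group):
    """Collect the attributes named in group for one file (our own layout)."""
    st = os.lstat(path)
    simple = {"p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
              "u": st.st_uid, "g": st.st_gid, "s": st.st_size, "S": st.st_size,
              "m": int(st.st_mtime)}
    with open(path, "rb") as f:
        data = f.read()
    # anything that is not a stat letter is taken as a hashlib digest name
    return {a: simple[a] if a in simple else hashlib.new(a, data).hexdigest()
            for a in group.split("+")}

def init_db(root, rules):
    """rules maps a relative path to its group; returns the baseline database."""
    return {rel: snapshot(os.path.join(root, rel), grp) for rel, grp in rules.items()}

def check(root, rules, db):
    """Compare the live tree with db -> {path: changed attrs}. A missing file
    is reported as ['removed']; S fires only when a file shrank."""
    report = {}
    for rel, grp in rules.items():
        try:
            new = snapshot(os.path.join(root, rel), grp)
        except FileNotFoundError:
            report[rel] = ["removed"]
            continue
        diffs = [k for k, old in db[rel].items()
                 if (new[k] < old if k == "S" else new[k] != old)]
        if diffs:
            report[rel] = diffs
    return report

def demo():
    """Constructed tree: alter bin/ls keeping its size and mtime, then check."""
    root, rules = tempfile.mkdtemp(), {"bin/ls": READ_ONLY}
    os.mkdir(os.path.join(root, "bin"))
    ls = os.path.join(root, "bin", "ls")
    with open(ls, "wb") as f: f.write(b"#!/bin/sh\necho ls\n")
    db, st = init_db(root, rules), os.stat(ls)
    with open(ls, "wb") as f: f.write(b"#!/bin/sh\necho XX\n")  # same length
    os.utime(ls, (st.st_atime, st.st_mtime))        # put the old mtime back
    return check(root, rules, db)                    # only the digests give it away
```

demo() comes back with {'bin/ls': ['md5', 'sha1']}: size and mtime alone would have passed the file, which is the point made in the Background section.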
Updating the Control File
We updated the configuration file based on our observations from
the first run. The new file, without comments, is shown in Listing
4. We also took this opportunity to move the files to the CD-ROM.
There are several interesting things to note about this file.
The line =/etc/mrtg$ ReadOnly is parsed into three parts:
a directive, =; a regular expression, /etc/mrtg$;
and the variable ReadOnly. Part of the power of AIDE comes
from its ability to understand regular expressions. The "=" sign
tells AIDE to check only the directory "mrtg" and none of the files
in the directory. This is great, but AIDE does a depth-first search
for directories. That is, it assumes there is a .* on the
end of /etc/mrtg and searches for subdirectories to process
first. The "=" sign only controls the files in the directory specified.
You must tell AIDE that there is to be no depth search for subdirectories.
To do this, use the regular expression /etc/mrtg$. The "$"
means the end of the search string, so AIDE does not look for other
directories. This "$" at the end of the regular expression accomplishes
the same function as (recurse=false) in Tripwire. The ReadOnly specifies
the characteristics of files to be tracked.
Next, note the line !/var/log/[^/]*[0-9]$ ReadOnly, which is parsed
into three parts: a directive, !; a regular expression,
/var/log/[^/]*[0-9]$, which specifies the files to select;
and the variable ReadOnly. The "!" means not; in other
words, do not add files matching the regular expression to the database.
The expression [^/]*[0-9]$ matches the files in /var/log
that end in a digit, which are the rotated log files. This regular
expression also stops AIDE from looking at the subdirectory test0,
which was added to see what would happen, but it does not stop AIDE from
looking in other subdirectories.
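To make the selection-line semantics from the Configuration section and the "=", "$" and "!" discussion above concrete, here is a small Python model of how a rule list picks entries out of a directory tree. It is an added example, not AIDE's matching code: the precedence between the three directive kinds, the reduction of "=" to "directory entry only", and the sample rules and tree are assumptions made to mirror the article's description.

```python
import re

# One selection line "<directive><regex> <group>", e.g. "=/etc/mrtg$ ReadOnly".
# As the article describes it, the regex is anchored at the start and, unless
# it ends in "$", behaves as if ".*" were appended, so it covers the subtree.
def parse_rule(line):
    directive = ""
    if line[0] in "=!":
        directive, line = line[0], line[1:]
    regex, group = line.split()
    tail = "" if regex.endswith("$") else ".*"
    return directive, re.compile("^" + regex + tail), group

def select(rules, tree):
    """tree maps an absolute path to True for a directory, False for a file.
    Returns {path: group} for every entry that would be tracked. Assumed
    precedence (the article states none): '!' rules, then '=' rules, then
    plain rules; within a class the first match in file order wins."""
    rank = {"!": 0, "=": 1, "": 2}
    ordered = sorted((parse_rule(r) for r in rules), key=lambda r: rank[r[0]])
    excluded, tracked = set(), {}
    for path in sorted(tree):                    # parents sort before children
        if path.rsplit("/", 1)[0] in excluded:   # never descend into an excluded dir
            excluded.add(path)
            continue
        for directive, rx, group in ordered:
            if not rx.match(path):
                continue
            if directive == "!":                 # "!": leave it out entirely
                excluded.add(path)
            elif directive == "=":               # "=": the directory entry, not files in it
                if tree[path]:
                    tracked[path] = group
            else:
                tracked[path] = group
            break
    return tracked

# Constructed sample: the article's /etc/mrtg and rotated-log cases plus a
# sibling "/binutils" to show what the implicit ".*" after "/bin" also catches.
RULES = ["/bin ReadOnly", "=/etc/mrtg$ ReadOnly", "=/opt ReadOnly",
         "/var/log Growing", "!/var/log/[^/]*[0-9]$ ReadOnly"]
TREE = {"/bin": True, "/bin/ls": False, "/binutils": True, "/etc": True,
        "/etc/mrtg": True, "/etc/mrtg/mrtg.cfg": False, "/etc/passwd": False,
        "/opt": True, "/opt/README": False, "/opt/mrtg": True, "/var/log": True,
        "/var/log/messages": False, "/var/log/messages.1": False,
        "/var/log/test0": True, "/var/log/test0/x": False,
        "/var/log/apache": True, "/var/log/apache/access_log": False}
```

select(RULES, TREE) keeps /etc/mrtg but not /etc/mrtg/mrtg.cfg, drops messages.1 and everything under test0, and also picks up /binutils, which is why a rule you mean as a directory should end in "$" or a slash.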
Finally, a new database was created with aide --config=./aide.conf
--init, and then we ran aide --config=./aide.conf --check
to be sure we added the changes correctly. Note that a new CD-ROM
will have to be burned.
Updating the Database
Occasionally, new versions of programs are installed. The technique
to handle this is to update the current database. You do not need
to initialize a new database. This is done with the command aide
--config=./aide.conf --update. This produces a new database,
which is placed in the file specified by database_out=file:///AIDE/Work/aide.db.new
in aide.conf. You must move this file to the location specified
by the database=file:///mnt/cdrom/aide.db entry and burn a new CD-ROM
if you are working from read-only media (which we strongly suggest).
Conclusions
AIDE is a very nice multiple platform, open source, GPL tool that
can perform intrusion detection on your system. It is still officially
in pre-release but will be very useful when released. The biggest
improvement for the future is the encryption of the AIDE database.
Although Tripwire is a very useful program, AIDE is easier to configure,
and its reports are easier to read. We found AIDE to be a useful
tool to help maintain security on small numbers of systems.
AIDE Useful Commands
aide --init -- Build database
aide --check -- Check system state
aide --update -- Checks system state and creates a new database
aide --verbose=255 -- Run AIDE in verbose mode (useful for debugging aide.conf)
aide --config=./aide.conf -- Specify the configuration file
Resources
AIDE -- http://www.cs.tut.fi/~rammer/aide.html
Tripwire -- http://www.tripwire.com (commercial product)
or http://sourceforge.net/projects/tripwire (open source
for Linux only; www.tripwire.org is not active at this time)
mhash library -- mhash.sourceforge.net
GNU utilities -- http://www.gnu.org
Cygwin download -- http://www.cygwin.com
Arthur M. Messenger is a retired UNIX systems administrator
who answers questions for friends and works part-time for Learning
Tree International. When not teaching, he lives with his wife in
Haymarket, Virginia.
Brian Gollsneider is working on a Ph.D. in Electrical Engineering
from the University of Maryland. When not buried in research, he
is a UNIX instructor for Learning Tree International. He can be
contacted at: gollsneb@glue.umd.edu.