Lead Image © rudall30, 123RF.com

Lead Image © rudall30, 123RF.com

File Integrity Checks with AIDE

Detection

Article from ADMIN 84/2024
By
If an attacker gains access to systems by working around your defenses, you need to discover the attacker's tracks in good time, at least to mitigate the further risk of damage. We show you how to monitor changes to files with the Linux AIDE tool.

Advanced Intrusion Detection Environment (AIDE) uses various techniques to detect the manipulation of files, starting with regular expressions for selecting the files to be included in the integrity checks. The files are then processed with hashing tools to generate checksums. Additionally, the associated filesystem properties, such as access rights, inodes, SELinux, Amazon Elastic File System (EFS), and other extended attributes, are also taken into account.

Setup and Use

To use AIDE for integrity checks, you first need to install the tool with your distribution's package manager. AIDE is included in all the popular distributions; if your environment is not supported, you can easily download the release from the GitHub project [1].

After the install, launch AIDE directly; you will need to be root, use sudo, or launch a root shell. Launching AIDE without passing in command-line arguments starts a check directly or complains that no database for the check exists below the path specified in the configuration. To prepare the AIDE database with the current status, trigger the database init with the command:

aide --init

In our lab, this took north of one and a half minutes for around 318,000 files. AIDE consumed virtually no resources on a CPU with 12 cores. The file /var/lib/aide/aide.db.new was created and had to be renamed aide.db for use in checks. The output will contain the checksums of the various hash procedures that are supported. Of course, you also need to keep an eye on these checksums to detect potential manipulation. Because several hashes are generated, an attacker cannot simply leverage potential vulnerabilities in individual hash functions to manipulate data without you noticing.

If you now run a check directly after creating the database,

...
Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

comments powered by Disqus