
Lead Image © rudall30, 123RF.com
File Integrity Checks with AIDE
Detection
Advanced Intrusion Detection Environment (AIDE) uses several techniques to detect file manipulation. Regular expressions select the files to include in the integrity check; the selected files are then hashed with one or more checksum algorithms. The associated filesystem properties are recorded as well, such as permissions, inode numbers, ACLs, SELinux contexts, ext2/3/4 file attributes, and other extended attributes.
Setup and Use
To use AIDE for integrity checks, you first need to install the tool with your distribution's package manager. AIDE is included in all the popular distributions; if your environment is not supported, you can easily download the release from the GitHub project [1].
After the install, you can launch AIDE directly; you need to be root, use sudo, or open a root shell. Launching AIDE without command-line arguments starts a check immediately, or complains that no database exists at the path specified in the configuration. To create the AIDE database from the current state of the system, run:
aide --init
In our lab, this took a little over one and a half minutes for around 318,000 files; AIDE put virtually no load on a 12-core CPU. The run created the file /var/lib/aide/aide.db.new, which has to be renamed aide.db before it can be used for checks. The output also lists the checksums of the new database for each supported hash algorithm. You need to keep an eye on these checksums, too, because a manipulated database is as dangerous as a manipulated file. Because several hashes are computed, an attacker cannot simply exploit a weakness in a single hash function to alter data unnoticed.
If you run a check directly after creating the database, you would naturally expect AIDE to find no changes. However, even after a short wait, the default configuration reports changes to folders or files that are modified during normal operation. You can also provoke output like that in Figure 1 by modifying one of the monitored files yourself. Try out various changes to get a feel for the output and how to use it. Checking the hashes of the uncompressed database during each run is also important.
In this example, the /etc/security/access.conf file is modified. Naturally, this also changes the /etc and /etc/security directories, which AIDE reports under the Changed entries section. The letter d at the start of a line stands for "directory," and f stands for "file." The = that follows means the size is unchanged (for a directory, no entries have been added or removed); > and < would indicate that the size has grown or shrunk, respectively.
The remaining positions summarize the individual attributes AIDE compared: a dot means the attribute was checked and is unchanged, and a letter means it differs from the database. The letters m and c flag changes to the filesystem timestamps, the "modification time" (the file or directory contents changed) and the "change time" (the status information, such as permissions or ownership, changed). For the file itself, i indicates a changed inode and h a mismatch in at least one of the checked hashes. The attribute-by-attribute details for each entry follow this summary.
If you automate AIDE, you must evaluate the program's exit status. As with virtually any application, 0 means everything worked and, for a check, that no changes were found. For a check or update, values 1 through 7 are returned on success: AIDE sets bit 1 if files were added, bit 2 if files were removed, and bit 4 if files were changed, so an exit status of 5, for example, means new and changed files. Exit values of 14 and above signal errors, such as an invalid configuration or an I/O problem.
Configuration and Updates
The configuration file for AIDE resides in /etc/aide/ and contains documentation for the available check attributes and predefined combinations (rule groups) for different file types, such as configuration files, binaries, or logfiles. The files AIDE should check are then selected with regular expressions, each line pairing an expression with a rule group. An exclamation mark ! in front of an expression excludes the matching files, even if an earlier rule included them.
In production, you will need some time to get set up and will repeatedly need to exclude files on your systems from the check if they are subject to regular changes during normal operation. Both binary files and configuration files change, particularly when the software you use is updated. In these cases, you need to update the AIDE database after the software update.
Of course, you could also simply initialize a new database, but then you would get no overview of which files were modified. You also need to be sure that only the updated files have changed at the time of the update. The command
aide --update
updates the database and outputs the modified files. Like --init, it writes the new database to the output path (aide.db.new in our setup), which has to replace aide.db once you have reviewed the reported changes.
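The following script is an added example, not code from the article or the AIDE project. It ties together the configuration rules, the init/check/update cycle, and the exit-status decoding described above: it writes a small aide.conf (rule groups, selection regexes, and a ! exclusion), wraps the three AIDE runs, and turns the exit status into a readable summary. Paths follow the Debian layout used in the article and are assumptions; the database_in/database_out keys are those of AIDE 0.17, and older releases spell the first one database.

```shell
#!/bin/sh
# Added example, not from the article or the AIDE project: a small aide.conf
# and a wrapper that initializes, checks, and updates the database and decodes
# AIDE's exit status. The paths are assumptions (Debian layout); adjust them.
AIDE_CONF=${AIDE_CONF:-/etc/aide/aide.conf}
AIDE_DB=${AIDE_DB:-/var/lib/aide/aide.db}
AIDE_DB_NEW=${AIDE_DB_NEW:-/var/lib/aide/aide.db.new}

# write_config FILE: write a minimal configuration.
# Rule groups are "name = attr+attr..."; selection lines pair a regular
# expression (anchored at the start of the path) with a group, and a leading
# "!" excludes what earlier lines would have included.
# database_in/database_out are the AIDE 0.17 names; older releases use "database".
write_config() {
    cat > "$1" <<'EOF'
database_in=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
# permissions, inode, link count, owner, group, size, mtime, ctime, two hashes
ConfFile = p+i+n+u+g+s+m+c+sha256+sha512
Binary   = p+i+n+u+g+s+m+c+sha256+sha512
# logfiles grow during normal operation: track ownership and permissions only
LogGrow  = p+u+g
/etc        ConfFile
/usr/bin    Binary
/usr/sbin   Binary
/var/log    LogGrow
!/var/log/journal
!/etc/mtab$
EOF
}

# decode_aide_status N: 0 = clean, bits 1/2/4 = new/removed/changed files,
# 14 and above = AIDE error (invalid config, I/O problem, ...).
decode_aide_status() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo clean
    elif [ "$st" -ge 14 ]; then
        echo "error($st)"
    else
        out=
        [ $((st & 1)) -ne 0 ] && out="${out}new,"
        [ $((st & 2)) -ne 0 ] && out="${out}removed,"
        [ $((st & 4)) -ne 0 ] && out="${out}changed,"
        echo "${out%,}"
    fi
}

# Build the database from the current state and move it into place.
aide_init() {
    aide --config="$AIDE_CONF" --init && mv "$AIDE_DB_NEW" "$AIDE_DB"
}

# Run a check; "|| rc=$?" keeps the exit status readable under "set -e".
aide_check() {
    rc=0
    aide --config="$AIDE_CONF" --check || rc=$?
    echo "aide check: $(decode_aide_status "$rc")"
    return "$rc"
}

# After a package update: report what changed and write the new database to
# database_out. It is NOT activated here; review the output first.
aide_update() {
    rc=0
    aide --config="$AIDE_CONF" --update || rc=$?
    echo "aide update: $(decode_aide_status "$rc")"
    return "$rc"
}

# Accept the reviewed database produced by aide_update.
aide_accept() {
    mv "$AIDE_DB_NEW" "$AIDE_DB"
}
```

Usage as root: write_config "$AIDE_CONF" once, then aide_init; schedule aide_check from cron or a systemd timer and alert on any status other than clean; after package updates run aide_update, compare the reported files with the update's package list, and only then call aide_accept.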
Manipulation Protection
AIDE has no built-in protection for its own binary, configuration, and database. An attacker with root privileges could therefore replace the AIDE binary and, for example, filter the output so that malicious changes are never displayed. To rule this out, record checksums of the binary (and of the configuration and database) on a medium the host cannot rewrite, and compare them before each run. As is always the case with host-based attack detection, this does not make things 100 percent secure, but it significantly narrows the attacker's options.
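An added example of the pre-flight comparison just described; it is not code from the article or the AIDE project. It records SHA-256 hashes of the AIDE binary, configuration, and database, verifies them with sha256sum -c before every run, and refuses to start the check on a mismatch. The paths, including the location of the reference list (AIDE_REF), are assumptions.

```shell
#!/bin/sh
# Added example, not from the article or the AIDE project: run a check only if
# the AIDE binary, its configuration, and its database still match reference
# hashes recorded earlier. The reference list must live where this host cannot
# silently rewrite it (read-only media, a remote store fetched at run time).
# All paths below are assumptions.
AIDE_BIN=${AIDE_BIN:-/usr/bin/aide}
AIDE_CONF=${AIDE_CONF:-/etc/aide/aide.conf}
AIDE_DB=${AIDE_DB:-/var/lib/aide/aide.db}
AIDE_REF=${AIDE_REF:-/mnt/readonly/aide.sha256}

# record_reference REF FILE...: write SHA-256 hashes of FILE... to REF.
# Run on a known-good system and again after every deliberate update,
# then make REF unwritable from this host.
record_reference() {
    ref=$1
    shift
    sha256sum "$@" > "$ref"
}

# verify_reference REF: return 0 only if every listed file still matches.
# sha256sum -c names the mismatching file, so the log shows what was touched.
verify_reference() {
    sha256sum --check --strict "$1"
}

# Run the integrity check only when the tooling itself is still trustworthy.
guarded_check() {
    if ! verify_reference "$AIDE_REF"; then
        echo "aide: binary, config, or database differs from reference; refusing to run" >&2
        return 14   # same band AIDE uses for its own errors
    fi
    aide --config="$AIDE_CONF" --check
}

# Usage (as root):
#   record_reference "$AIDE_REF" "$AIDE_BIN" "$AIDE_CONF" "$AIDE_DB"
#   guarded_check
```

The caveat applies here as much as to AIDE itself: an attacker with root can also replace sha256sum or the shell, so the comparison is only as trustworthy as the tools it runs with. For a stronger guarantee, run the check from a trusted boot medium or copy the files off the host and verify them there.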