Intrusion Detection (aide review)

Elliot Lee sopwith at gmail.com
Wed Jan 2 20:11:28 UTC 2008


Hey Jason, just a couple of ideas that may help you improve your proposal...

On Jan 2, 2008 11:38 AM, Jason <jmtaylor90 at gmail.com> wrote:

> What it Does: Constructs a database of files as specified in the
> configuration file (aide.conf). The database stores file attributes
> including permissions, inode number, user, group, file size, mtime,
> ctime, atime, growing size, number of links and link name. Based on
> options specified at compile time, acl, xattr and selinux attributes can
> be stored as well. When initialized and when checks are run, aide
> creates a crypto checksum/hash of each file watched using any number of
> algorithms (e.g. sha1, sha256, etc.).

Not that this type of functionality isn't a good part of intrusion
detection, but I think these days intrusion detection really has to
focus on more than just watching for changes on files... In addition,
RPM already has a database that checks for all these things and knows
how to do verification. A quick & dirty solution for file integrity
checking could be to just run rpm -Va every night, and then keep good
records of the rpm database md5sum and any package
installations/upgrades/removals.

I think in the Fedora environment, intrusion detection might mean also
being able to detect that host X has repeatedly tried to log in to
these three machines and failed, or that Mike McGrath has logged in
from a domain or IP range that he has never connected from before, or
that the resource utilization of a particular service has changed
drastically in the past few days because someone set up a warez site
on the Fedora boxes, or that there's a lot of traffic going over
network ports that we didn't know were supposed to have traffic on
them... And so on and so forth. None of this stuff is covered by file
integrity checking (which is still an important thing).

> The main weakness I noted was in the reporting capabilities. According
> to the config file notes, reporting can be done via stdout, stdin,
> stderr, file://, fd: (file descriptor).

Sounds like AIDE already does some postgres stuff - it might be fairly
easy to have it dump more info into the DB so that one can create a
simple web reporting interface using standard tools.

I remember a long time ago when I had Tripwire installed on a system,
the biggest problem was that it generated a lot of false positives. A
file integrity checker is only good if it generates useful low-noise
results, so this makes intelligent reporting tools very important.

Best,
-- Elliot
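Two of the detections Elliot sketches above (one source host repeatedly failing logins against several machines, and a user logging in from an address range never seen before), as an added example that is not part of the thread; the sshd-style log lines, host names and the per-user "known networks" baseline are all constructed for illustration.

```python
"""Added example (not from the mailing list thread): two simple detections
run over constructed sshd-style log lines collected from several hosts."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the form "<host> <sshd message>"; not real logs.
SAMPLE_LOGS = """\
app1 Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
app2 Failed password for root from 203.0.113.7 port 4023 ssh2
db1 Failed password for root from 203.0.113.7 port 4024 ssh2
app1 Failed password for root from 203.0.113.7 port 4025 ssh2
app1 Accepted publickey for mmcgrath from 198.51.100.20 port 5100 ssh2
db1 Accepted publickey for mmcgrath from 192.0.2.44 port 5101 ssh2
app2 Failed password for bob from 198.51.100.9 port 4030 ssh2
"""

FAILED = re.compile(r"^(\S+) Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"^(\S+) Accepted \S+ for (\S+) from (\S+)")

# Networks each user has logged in from before (constructed baseline; in
# practice this would be built from login history). Users with no entry
# are alerted on every login, which is the conservative choice.
KNOWN_NETWORKS = {"mmcgrath": [ip_network("198.51.100.0/24")]}


def repeated_failures(lines, min_hosts=3):
    """Source IPs whose failed logins hit at least `min_hosts` distinct machines."""
    targets = defaultdict(set)
    for line in lines:
        m = FAILED.match(line)
        if m:
            targets[m.group(3)].add(m.group(1))
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_hosts}


def new_location_logins(lines, known=KNOWN_NETWORKS):
    """Successful logins from an address outside every network the user has used before."""
    alerts = []
    for line in lines:
        m = ACCEPTED.match(line)
        if not m:
            continue
        host, user, src = m.groups()
        if not any(ip_address(src) in net for net in known.get(user, [])):
            alerts.append((user, src, host))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print(repeated_failures(lines))    # {'203.0.113.7': ['app1', 'app2', 'db1']}
    print(new_location_logins(lines))  # [('mmcgrath', '192.0.2.44', 'db1')]
```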