Intrusion Detection (aide review)

Jason jmtaylor90 at gmail.com
Wed Jan 2 19:38:45 UTC 2008


Hey gang,

I was talking to Mike McGrath the other day on IRC and inquired about
the project's use of an IDS. Mike mentioned that the project currently
employs only hosts.deny type stuff. I recently set up aide for use on a
personal server, but it looked flexible enough for use in a more robust
type of environment. The idea behind this write-up is to see what others
think about employing something like this, and to give an idea of what aide
in particular is capable of.

The Name: AIDE (Advanced Intrusion Detection Environment)

What it Does: Constructs a database of files as specified in the
configuration file (aide.conf). The database stores file attributes
including permissions, inode number, user, group, file size, mtime,
ctime, atime, growing size, number of links and link name. Based on
options specified at compile time, acl, xattr and selinux attributes can
be stored as well. When initialized and when checks are run, aide
creates a crypto checksum/hash of each file watched using any number of
algorithms (e.g. sha1, sha256, etc.). 

The Config File: This is where the directories/files to be watched (and
what in particular is watched on those files), the directories/files to
be excluded, and the reporting options (by default, reports go to
/var/log/aide/aide.log) are specified.

Misc. Notes: 

* Postgres can be used to store databases
* For usage in multiple machine environments, the database can be stored
in a central location and aide run with --compare to limit resource
hogging.
* The database and config file can be signed; this makes it so that if a
change is manually made to either file, aide will refuse to use it, as
the signature will have been voided.
* Aide can be run with --update, which will create a new database;
however, it doesn't take effect until it is manually copied to the check
database. This allows updates to be frequently tracked but not put into
the check database.

The main weakness I noted was in the reporting capabilities. According
to the config file notes, reporting can be done via stdout, stdin,
stderr, file://, fd: (file descriptor).

I only have the one machine and it runs a pretty vanilla config as I
don't do anything too fancy with it. With the config I have it seems to
work as advertised. So there it is, thoughts?

Regards,
 Jason
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-infrastructure-list/attachments/20080102/9bc2a51e/attachment.sig>
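As an added example (not part of Jason's post and not a file shipped by the AIDE project), here is a minimal aide.conf of the shape described above, together with the init / check / update cycle and the "promote the new database only after review" step from the notes, wrapped in a POSIX shell script. The directory under $AIDE_HOME, the rule names (Binlib, ConfOnly, Logs) and the chosen watch/exclude paths are assumptions for a self-contained run; the directives (database, database_out, database_new, report_url, gzip_dbout) and the attribute letters are standard AIDE configuration syntax. AIDE itself is only invoked if it is installed, otherwise the command that would run is printed.

```shell
#!/bin/sh
# Added example (not the AIDE project's own sample config): write a small
# aide.conf and drive the init -> check -> update -> promote cycle.
# $AIDE_HOME and the rule/path choices below are assumptions.
set -u

AIDE_HOME="${AIDE_HOME:-${TMPDIR:-/tmp}/aide-demo}"

# Write aide.conf (plus db/ and log/ directories) under $1; print its path.
write_aide_conf() {
    dir="$1"
    mkdir -p "$dir/db" "$dir/log"
    cat > "$dir/aide.conf" <<EOF
# Baseline that --check compares against, the file --init/--update write,
# and a second database that --compare diffs against the baseline.
database=file:$dir/db/aide.db.gz
database_out=file:$dir/db/aide.db.new.gz
database_new=file:$dir/db/aide.db.new.gz
gzip_dbout=yes

# Reports go to a log file and to stdout at the same time.
report_url=file:$dir/log/aide.log
report_url=stdout

# Attribute groups: p perms, i inode, n link count, u user, g group,
# s size, b block count, m mtime, c ctime, S growing size, plus hashes.
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfOnly = p+i+n+u+g+s+m+c+sha1
Logs = p+i+n+u+g+S

# Selection lines: a path prefix (regex) and the rule applied beneath it.
/bin  Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/lib  Binlib
/etc  ConfOnly
/var/log Logs
# Exclusions: files that legitimately change or that aide itself writes.
!/etc/mtab
!/var/log/aide
!/etc/.*\.swp\$
EOF
    printf '%s\n' "$dir/aide.conf"
}

# Run aide against the generated config if it is installed; otherwise
# show the exact command so the sequence is still visible.
run_aide() {
    if command -v aide >/dev/null 2>&1; then
        aide -c "$AIDE_HOME/aide.conf" "$@"
    else
        echo "(aide not installed) would run: aide -c $AIDE_HOME/aide.conf $*"
    fi
}

# --update produces a fresh database in database_out but deliberately does
# not replace the check database; promote it only after reviewing the report.
aide_promote() {
    if [ -f "$AIDE_HOME/db/aide.db.new.gz" ]; then
        cp "$AIDE_HOME/db/aide.db.new.gz" "$AIDE_HOME/db/aide.db.gz"
    fi
}

aide_init()    { run_aide --init; aide_promote; }  # first baseline
aide_check()   { run_aide --check; }               # filesystem vs baseline
aide_update()  { run_aide --update; }              # check + new db to database_out
aide_compare() { run_aide --compare; }             # database vs database_new, no fs scan

# Usage: sh aide-demo.sh demo   (writes config, builds baseline, runs a check)
if [ "${1:-}" = "demo" ]; then
    write_aide_conf "$AIDE_HOME"
    aide_init
    aide_check
fi
```

The split between database_out and database is what makes the review step possible: a cron job can run aide_update nightly and mail the report, while aide_promote is only ever run by hand once the listed changes are known to be expected.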


More information about the Fedora-infrastructure-list mailing list