Tuesday, September 20, 2011

AIDE - Simple intrusion detection software

I'm a programming geek, not a hardware, OS, network-administration or security geek. So, I like my security tools simple. Just trusting that the virus checker is working away is fine and all, but if I can actually know how something works, I'm all the happier for it. Which brings me to my latest security software find: AIDE.

I was setting up a new server and wanted to put Tripwire on it. Or, at least I thought I did, until I learned that Tripwire had apparently gotten a lot more complex than when I first learned about it years ago. The idea behind Tripwire was that you ran it once to capture the checksum of most files on your system. You could then run it anytime you wanted, and it alerted you to any changes found.

These changes are an excellent place to start searching for an attack. Like when I had a server compromised years ago by a rootkit, and /bin/ps and other binary files had been replaced with evil twins.

Tripwire has apparently split into commercial and open-source versions, and even then I wasn't sure if it still did what I thought it did. Luckily, I found AIDE, and it continues the tradition of simplicity. Even the "web site" explaining AIDE is old-school text. I love it.

AIDE really only does two things: (1) it generates that snapshot of what the system currently looks like, and (2) it checks that snapshot against the current system.

So far, I've been using AIDE in two ways. First off, I manually generated the snapshot (using the --init option), and nightly, I run the check to see if anything has changed. It's taken a bit of tuning, but I've managed to get rid of most of the false positives. Now, I get a nightly report that alerts me to any unexpected system changes.

This is useful against basic attacks, but there's a doomsday scenario where a hacker breaks in and tampers with AIDE itself. Heck, they could just turn off cron and it would never run. To deal with that, I've copied the AIDE database to an offsite location. I guess if I were a true sysadmin, I might copy it onto the thumb drive on my keychain and rest a little easier knowing that it's always at hand. Personally, I'm fine with the offsite location. During either a regular security audit, or if I think something fishy is going on, I can always grab a fresh copy of AIDE and check the files against the pristine database stored elsewhere.
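To make the init/check model and the "pristine database" idea concrete, here is a small added illustration of the same workflow in Python. It is not AIDE's code: it snapshots file digests and modes the way `aide --init` does, compares them the way `aide --check` does, and refuses to trust a local baseline unless its digest matches the copy kept offsite. The directory tree, file contents and the "evil twin" swap are constructed for the demo.

```python
import hashlib, json, os, stat, tempfile

def init_snapshot(root):
    """Like `aide --init`: record SHA-256 and mode of every regular file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, devices
                with open(path, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
                db[os.path.relpath(path, root)] = {"sha256": digest, "mode": stat.S_IMODE(st.st_mode)}
    return db

def trusted_baseline(blob, offsite_digest):
    """Refuse a local baseline that no longer matches the digest stored elsewhere."""
    if hashlib.sha256(blob).hexdigest() != offsite_digest:
        raise ValueError("baseline database does not match offsite digest")
    return json.loads(blob)

def check_snapshot(root, db):
    """Like `aide --check`: paths added, removed or changed since the baseline."""
    now = init_snapshot(root)
    added = sorted(set(now) - set(db))
    removed = sorted(set(db) - set(now))
    changed = sorted(p for p in set(now) & set(db) if now[p] != db[p])
    return added, removed, changed

def write(root, rel, data):
    """Helper for the constructed demo tree."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a tree, then swap a binary, add and delete a file."""
    root = tempfile.mkdtemp()
    for rel, data in (("bin/ps", b"original ps"), ("bin/ls", b"original ls"), ("etc/a.conf", b"x=1")):
        write(root, rel, data)
    blob = json.dumps(init_snapshot(root), sort_keys=True).encode()  # sort_keys keeps the digest stable
    offsite = hashlib.sha256(blob).hexdigest()  # the value to keep on the offsite copy / thumb drive
    write(root, "bin/ps", b"evil twin")  # the rootkit swap described in the post
    write(root, "bin/nc", b"dropped")
    os.remove(os.path.join(root, "etc/a.conf"))
    return check_snapshot(root, trusted_baseline(blob, offsite))

if __name__ == "__main__":
    print(demo())  # (['bin/nc'], ['etc/a.conf'], ['bin/ps'])
```

The offsite digest is what lets you tell a baseline the attacker quietly regenerated from the one you made; a nightly report is only as good as the database it is checked against.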

Like I said, I'm not a security guru, so take what I've written above with a grain of salt. Still, it just looks simple enough that it might actually work.
