AIDE (Advanced Intrusion Detection Environment) is an intrusion detection program; more specifically, it is a file integrity checker.
AIDE constructs a database of the files specified in aide.conf, AIDE's configuration file. The AIDE database stores various file attributes, including permissions, inode number, user, group, file size, mtime and ctime, atime, growing size, number of links and link name. AIDE also creates a cryptographic checksum, or hash, of each file using one or a combination of the following message digest algorithms: sha1, sha256, sha512, md5, rmd160 and tiger (gost and whirlpool can be compiled in if mhash support is available). Additionally, the extended attributes acl, xattr and selinux can be used when explicitly enabled at compile time.
Typically, a system administrator will create an AIDE database on a new system before it is brought onto the network. This first AIDE database is a snapshot of the system in its normal state and the yardstick by which all subsequent updates and changes will be measured. The database should contain information about key system binaries, libraries, header files, and all other files that are expected to remain the same over time. The database probably should not contain information about files which change frequently, such as log files, mail spools, proc filesystems, users' home directories, or temporary directories.
After a break-in, an administrator may begin by examining the system using system tools like ls, ps, netstat, and who: the very tools most likely to be trojaned. Imagine that ls has been doctored to not show any file named "sniffedpackets.log" and that ps and netstat have been rewritten to not show any information for a process named "sniffdaemond". Even an administrator who had previously printed out on paper the dates and sizes of these key system files cannot be certain by comparison that they have not been modified in some way. File dates and sizes can be manipulated; some better rootkits make this trivial.
While it is possible to manipulate file dates and sizes, it is much more difficult to manipulate a single cryptographic checksum like md5, and far more difficult still to manipulate every checksum in the full set that AIDE supports. By rerunning AIDE after a break-in, a system administrator can quickly identify changes to key files and have a fairly high degree of confidence in the accuracy of these findings.
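The baseline-then-compare workflow described above, as an added example that is not AIDE's own code: it builds a database of the attributes listed earlier (permissions, inode, owner, size, mtime, ctime, link count, plus a sha256 checksum) for every regular file under a root, prunes directories that change frequently, and reports added, removed and changed files with the attributes that differ. The root path and exclusion list are assumptions chosen by the caller; the sha256 entry is what still flags a tampered file whose size and mtime have been restored.

```python
# Added example in the spirit of AIDE; not the AIDE project's code.
import hashlib
import os
import stat

# Attributes recorded per file; sha256 is the cryptographic checksum that still
# flags a change when size and mtime have been restored to their old values.
ATTRS = ("mode", "inode", "uid", "gid", "size", "mtime", "ctime", "nlink", "sha256")


def file_entry(path):
    """Collect the AIDE-style attribute set for one regular file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "mode": stat.S_IMODE(st.st_mode), "inode": st.st_ino,
        "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
        "mtime": int(st.st_mtime), "ctime": int(st.st_ctime),
        "nlink": st.st_nlink, "sha256": h.hexdigest(),
    }


def build_database(root, exclude=()):
    """Walk root and record every regular file, pruning excluded directories.
    exclude holds directory paths relative to root, e.g. ("var/log", "tmp")."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # drop excluded subtrees before os.walk descends into them
        dirnames[:] = [d for d in dirnames
                       if os.path.relpath(os.path.join(dirpath, d), root) not in exclude]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                db[os.path.relpath(full, root)] = file_entry(full)
    return db


def compare(baseline, current):
    """Return (added, removed, {path: [changed attrs]}) like an AIDE check run."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in set(baseline) & set(current):
        diff = [a for a in ATTRS if baseline[path][a] != current[path][a]]
        if diff:
            changed[path] = diff
    return added, removed, changed
```

Store the baseline from build_database() off-box (as AIDE's database should be kept read-only) and run compare() against a fresh build_database() result when checking a suspect host.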
That is great information for Linux training.
I really enjoy simply reading all of your weblogs. Simply wanted to inform you that you have people like me who appreciate your work. Definitely a great post. Hats off to you! The information that you have provided is very helpful.