20061102
From Wsms
Linux Class Notes
Basic log files and security tools
AIDE
We are going to install aide.
On a Linux-based system it is useful to keep an eye on various file attributes. An intrusion detection system such as aide records a baseline of those attributes and later reports anything that differs from it.
- A few of the attributes we will be interested in are
  - Ownership
  - Size
  - Location (inode number)
  - Modification time (mtime) and inode change time (ctime)
- Some of the directories we will be tracking carefully are (these and others)
  - The following directories should only change when you install new applications or apply updates:
    - /usr/bin
    - /bin
    - /usr/sbin
  - The following should only change through administrator-approved actions (changing a password, editing a configuration file, and so on):
    - /etc (with some exceptions such as /etc/mtab, which is rewritten on every mount, and /etc/shadow, which changes whenever a user changes a password)
  - In the following directory we expect files to get larger; what we do not expect is for them to shrink or to be replaced:
    - /var/log
Installing and working with aide
In our particular case, on the classroom system, we can see the file /etc/aide.conf. We need to run the intrusion detection system (aide, in our case) in a special mode, the initialization mode (--init). When we do this, the IDS reads the configuration file, takes a snapshot of the system, and generates a database.
From that point on, we run aide in another mode that compares the file system with the database and reports any changes.
There are a couple of things critical here. Joe asks us to read the documentation for the aide software, which has been copied to /usr/share/doc/aide-0.11. We will read the README and README.quickstart files to get used to the system.
- The /etc/aide.conf file and the database are themselves targets of attack: an intruder who can edit them can hide the changes he made. On the classroom system they are ordinary files, but there are ways to protect them. Note that md5sum does not encrypt a file; it produces a checksum that you record and compare later, which only catches tampering if the recorded checksum is kept somewhere the intruder cannot reach (a printout, another machine, read-only media). The stronger option is a digital signature over the configuration and database, which is what the commercial tripwire product does with its site key.
Install aide with:

    # yum install aide

Then we run aide --init, and aide creates a new file, /var/lib/aide/aide.db.new.gz, which is a database holding the snapshot of the system.
Running aide
Several things are not automated with this free product. (Here is some documentation in Spanish about aide: http://www.gentoo.org/doc/es/security/security-handbook.xml?part=1&chap=13&style=printable#doc_chap1)
- We check manually whether anything in the system has changed compared with the database.
- We create the live database from the snapshot with cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz. With the classroom configuration aide reads aide.db.gz; it never reads aide.db.new.gz directly, so until you copy it nothing is being checked against.
- Then we run aide --check, which compares the file system against /var/lib/aide/aide.db.gz and writes its report to /var/log/aide.log (and to the terminal). --check does not write a new database; aide --update performs the same comparison and additionally writes a fresh /var/lib/aide/aide.db.new.gz, which you copy over aide.db.gz once you have confirmed that every reported change is legitimate.
Now we have to make aide check daily. If I want it to run on a daily basis, I have to write a script and store it in the /etc/cron.daily directory. Since I want it to run in the last place, after all the other things that run daily, I
AIDE step-by-step
Login as root. On our virtual server we have to restart networking daily; then install aide. Note: if you su to root, be sure to use su - so that your PATH will include /sbin, /usr/sbin and so on.

    [ggeller@arthur ~]$ su -
    Password:
    [root@arthur ~]# service network restart
    ...
    [root@arthur ~]# yum -y install aide
    ...

Run aide to create the initial database:

    [root@arthur ~]# aide --init
    AIDE, version 0.11
    ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

Copy the database file:

    [root@arthur ~]# cd /var/lib/aide/
    [root@arthur aide]# cp aide.db.new.gz aide.db.gz

Run aide in check mode:

    [root@arthur aide]# aide --check
    AIDE, version 0.11
    ### All files match AIDE database. Looks okay!

If it shows some changes that are OK (files you changed or updated yourself), you should update the database:

    # aide --update
    # cd /var/lib/aide/
    # cp aide.db.new.gz aide.db.gz

If it shows changes you did not make, do not update the database; that report is the alarm the tool exists to raise. You may also want to edit /etc/aide.conf to decrease or increase the number of files that are audited.
AIDE automation
We will add a script to /etc/cron.daily that will make aide run every night. The scripts in /etc/cron.daily are run in alphabetical order, so we want to name it something like z_aide:

    #!/bin/bash
    # This runs the aide intrusion detection system nightly
    # J. McGerald 11/02/06
    /usr/sbin/aide --check

Then make the file executable:

    # chmod +x z_aide

Do we then want to add /var/log/aide.log to logwatch? Do we want the standard output to go somewhere special? (Whatever a cron.daily script writes to standard output is mailed to root by cron, so with this script root receives the full report every night, clean or not.)
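As an added example (not code from these notes or from the AIDE project), here is a fuller z_aide that also covers the manual steps described above: it reads the report instead of trusting aide's exit status, keeps a dated copy of the report, prints a one-line summary for cron to mail only when something changed, and provides a helper that promotes aide.db.new.gz after you have reviewed the changes. It assumes the paths used in the notes (/usr/sbin/aide, /var/lib/aide/aide.db.gz, /var/lib/aide/aide.db.new.gz, /var/log/aide.log) and AIDE's own report wording ("All files match AIDE database", "AIDE found differences", "Added/Removed/Changed files").

```shell
#!/bin/bash
# z_aide: nightly AIDE wrapper. Added example for these class notes, not code
# from the AIDE project. Assumptions (taken from the notes): the live database
# is /var/lib/aide/aide.db.gz, "aide --init" and "aide --update" write
# /var/lib/aide/aide.db.new.gz, and /etc/aide.conf sends the report to
# /var/log/aide.log. Report parsing keys on AIDE's own wording.

AIDE_BIN=${AIDE_BIN:-/usr/sbin/aide}
AIDE_DIR=${AIDE_DIR:-/var/lib/aide}
AIDE_LOG=${AIDE_LOG:-/var/log/aide.log}

# aide_count LABEL REPORT: print one summary counter (label in lower case:
# added, removed or changed). Accepts both "Added files:   3" and the older
# "added files=3," layouts; prints 0 when the counter is absent (a clean run).
aide_count() {
    local n
    n=$(tr 'A-Z' 'a-z' < "$2" |
        sed -n "s/.*$1 files[:=][[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1)
    echo "${n:-0}"
}

# aide_report_counts REPORT: print "added removed changed".
aide_report_counts() {
    echo "$(aide_count added "$1") $(aide_count removed "$1") $(aide_count changed "$1")"
}

# aide_report_changed REPORT: succeed (0) when the report shows differences,
# fail (1) when it says all files match. We read the report rather than the
# exit status of aide, which differs between versions.
aide_report_changed() {
    local report=$1 counts
    grep -q "All files match AIDE database" "$report" && return 1
    grep -q "AIDE found differences" "$report" && return 0
    counts=$(aide_report_counts "$report")
    set -- $counts
    [ "$(($1 + $2 + $3))" -gt 0 ]
}

# aide_accept_db [DIR]: after you have read the report and agree with every
# change, promote the fresh database. mv rather than cp (as in the notes) so
# that a stale aide.db.new.gz cannot be promoted twice; the previous database
# is kept with a timestamp so you can compare against it later.
aide_accept_db() {
    local dir=${1:-$AIDE_DIR} stamp
    if [ ! -f "$dir/aide.db.new.gz" ]; then
        echo "aide_accept_db: no $dir/aide.db.new.gz to accept" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    [ -f "$dir/aide.db.gz" ] && mv "$dir/aide.db.gz" "$dir/aide.db.gz.$stamp"
    mv "$dir/aide.db.new.gz" "$dir/aide.db.gz"
    chmod 600 "$dir/aide.db.gz"
}

# aide_daily: the nightly job. Runs the check, keeps a dated copy of the
# report, and prints a summary only when something changed, so the mail cron
# sends root is short and worth reading (a clean night sends nothing).
aide_daily() {
    "$AIDE_BIN" --check > /dev/null 2>&1 || true
    [ -f "$AIDE_LOG" ] || { echo "aide: no report at $AIDE_LOG" >&2; return 2; }
    cp "$AIDE_LOG" "$AIDE_LOG.$(date +%Y%m%d)"
    if aide_report_changed "$AIDE_LOG"; then
        echo "AIDE: changes on $(hostname) (added removed changed = $(aide_report_counts "$AIDE_LOG"))."
        echo "Review $AIDE_LOG; if every change is legitimate run: aide --update, then aide_accept_db $AIDE_DIR"
        return 1
    fi
}

# Installed as /etc/cron.daily/z_aide this file runs the job; under any other
# name it only defines the functions, so it can be sourced or tested.
case "${0##*/}" in z_aide) aide_daily ;; esac
```

Install it as /etc/cron.daily/z_aide and chmod +x it. To accept changes by hand, source the file (`. /etc/cron.daily/z_aide`), run aide --update, read the report, then run aide_accept_db.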
Online sources of information for aide
online manual
The url file:///usr/share/doc/manual.html is the same manual on our hard disk.
email list archive
After you install aide:
    $ man aide
    $ man aide.conf
    $ more /usr/share/doc/aide-0.11/README
    $ more /usr/share/doc/aide-0.11/README.quickstart

Moving the database files around as described in manual.html is something tripwire handles more automatically. The manual also mentions that the verbose level can go up to 255; the level set in /etc/aide.conf is 5.
md5 checksums
We need to be sure that our files have not been changed, so we use a program that tells us whether the file we are looking at is the same file we left there some time ago.
To do so, we use the md5sum program.
Another place you find checksums is when you download something from a site (for example, apache): to be sure you downloaded a valid, unaltered file, you compare its checksum with the one the site publishes.
md5sum is used for checking the integrity of files; see man md5sum. You can use it to confirm that a local file hasn't changed, and it works for downloaded files too, for which the creator often provides an md5 checksum. There is also a sha1sum program that works the same way from the user's point of view but uses a different hash algorithm. Here's a simple example of using md5sum:

    [sabrina@localhost ~]$ cat myfile.text
    hello world
    [sabrina@localhost ~]$ md5sum myfile.text > myfile.text.md5
    [sabrina@localhost ~]$ cat myfile.text.md5
    6f5902ac237024bdd0c176cb93063dc4  myfile.text
    [sabrina@localhost ~]$ md5sum --check myfile.text.md5
    myfile.text: OK
    [sabrina@localhost ~]$ cat >> myfile.text
    line 2 of the file
    [sabrina@localhost ~]$ md5sum --check myfile.text.md5
    myfile.text: FAILED
    md5sum: WARNING: 1 of 1 computed checksum did NOT match

A checksum only proves that the file matches the checksum you have. If an attacker can replace both the file and the published checksum, or if the checksum travels over the same untrusted channel as the file, it proves nothing; that is why the checksum belongs somewhere the attacker cannot write, and why many projects also publish a GPG signature. There isn't an md5sum built into Windows, but there are free downloads of md5sum utilities for Windows. Be aware that the md5sum of a text file will change when it is transferred from Unix to Windows in text mode, because Windows and Unix use different line terminators.
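The same snapshot-and-compare idea applied to a whole directory tree with md5sum, as an added example that is not from the page's author or any project: a miniature of what aide does, with one attribute instead of many. It assumes GNU coreutils md5sum ("hash  ./path" output lines) and file names without blanks or newlines.

```shell
#!/bin/bash
# Snapshot-and-compare with md5sum. Added example for these class notes, not
# code from the page or from any project. Assumes GNU coreutils md5sum and
# paths without blanks or newlines (awk splits on whitespace below).

# md5_snapshot DIR: write one "hash  ./relative/path" line per regular file,
# in a stable order, to standard output. Keep the result where the machine
# being watched cannot overwrite it (another host, a CD, a printout); a
# baseline the intruder can edit proves nothing.
md5_snapshot() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do md5sum "$f"; done)
}

# md5_compare OLD NEW: print added, removed and changed paths between two
# snapshots, one per line, sorted so the output is stable. Unchanged files
# are silent. Exit status 0 when nothing differs, 1 otherwise. Unlike
# "md5sum --check", this also notices files that were added.
md5_compare() {
    awk 'NR == FNR { old[$2] = $1; next }          # first file: the baseline
         { seen[$2] = 1
           if (!($2 in old))       print "added:   " $2
           else if (old[$2] != $1) print "changed: " $2 }
         END { for (p in old) if (!(p in seen)) print "removed: " p }' "$1" "$2" |
    sort | {
        n=0
        while read -r line; do echo "$line"; n=$((n + 1)); done
        [ "$n" -eq 0 ]
    }
}

# Typical use (not run here):
#   md5_snapshot /etc > /mnt/cdrom-master/etc.md5      # once, when the box is clean
#   md5_snapshot /etc > /tmp/etc.now.md5              # later
#   md5_compare /mnt/cdrom-master/etc.md5 /tmp/etc.now.md5 || echo "CHANGES in /etc"
```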
How do you know yum is installing legitimate software?
Q. When you use yum, how do you know that it is going out to a safe repository?
A. Because the packages are signed. Another answer is that you can use RHEL and update from a secure server instead. See http://www.fedora.redhat.com/docs/yum/en/sn-software-management-concepts.html which has more information on the first point:
Packages also include a digital signature to prove their source. Software management utilities verify this digital signature by using a GPG public key. The yum and rpm utilities share a common keyring that stores all of the public keys for approved package sources. The system administrator configures these approved package sources.
With gpgcheck=1 set (as the Fedora repository files do), yum will not install a package whose signature it cannot verify with one of the imported keys. Note that rpm on its own is more lenient: rpm -i installs an unsigned package, or one signed with a key it does not have, with only a warning, so check packages you install by hand with rpm -K. You can see which keys rpm has imported with:

    [ggeller@ws06 ~]$ rpm -qa gpg-pubkey*
    gpg-pubkey-db42a60e-37ea5438
    gpg-pubkey-4f2a6fd2-3f9d9d3b
    gpg-pubkey-1ac70ce6-41bebeef

You can also do man rpm for more information. And, in case you forgot, yum is just a fancy frontend for rpm.
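To see what yum and rpm are actually trusting, as an added example that is not taken from the rpm or yum documentation: decode the gpg-pubkey package names listed above into key id and creation date, list the imported keys with their owners, require a verified signature on a package you are about to install by hand, and find repository files where gpgcheck has been switched off. It assumes rpm's gpg-pubkey-<keyid>-<hex creation time> naming convention, that rpm -K names the signature type (gpg/pgp) in its output only when it verified one and exits non-zero on a failed digest, a failed signature or a missing key, and the ini layout of /etc/yum.conf and /etc/yum.repos.d/*.repo.

```shell
#!/bin/bash
# What do yum and rpm trust? Added example for these class notes, not part of
# rpm or yum. Assumptions: rpm names each imported key package
# gpg-pubkey-<keyid>-<hextime> (keyid = low 32 bits of the GPG key id,
# hextime = key creation time in seconds since 1970, in hex); "rpm -K" prints
# the word gpg/pgp only for a verified signature and exits non-zero when a
# digest or signature fails or the key is missing.

# gpg_pubkey_decode NAME: "gpg-pubkey-db42a60e-37ea5438" becomes
# "keyid=db42a60e created=938103864" (decimal epoch seconds), so you can
# match it against the creation date gpg or the vendor's key page shows.
gpg_pubkey_decode() {
    local rest=${1#gpg-pubkey-}
    if ! printf '%s\n' "$rest" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{8}$'; then
        echo "not a gpg-pubkey package name: $1" >&2
        return 1
    fi
    echo "keyid=${rest%-*} created=$((0x${rest#*-}))"
}

# trusted_keys: every imported key with its owner (rpm stores the GPG user id
# in the key package's Summary), so a key that should not be there stands out.
trusted_keys() {
    local k
    for k in $(rpm -qa 'gpg-pubkey*'); do
        echo "$(gpg_pubkey_decode "$k")  $(rpm -q --qf '%{SUMMARY}\n' "$k")"
    done
}

# rpm_signed_ok FILE.rpm: fail unless the digests and a GPG/PGP signature
# verify against an imported key. rpm -K alone exits 0 for an unsigned
# package (digests only), so the wording check is what enforces "must be signed".
rpm_signed_ok() {
    local out
    out=$(rpm -K "$1" 2>&1) || { echo "$out" >&2; return 1; }
    case "$out" in
        *[gG][pP][gG]*|*[pP][gG][pP]*) return 0 ;;
        *) echo "unsigned package: $out" >&2; return 1 ;;
    esac
}

# repos_without_gpgcheck FILE...: print every section of the given yum
# configuration files that turns signature checking off (gpgcheck=0).
repos_without_gpgcheck() {
    awk -F= '/^\[/ { sec = $0 }
             /^[ \t]*gpgcheck[ \t]*=/ { gsub(/[ \t]/, "", $2); if ($2 == "0") print FILENAME ": " sec }' "$@"
}

# Typical use (needs rpm/yum, so not run here):
#   trusted_keys
#   rpm_signed_ok /tmp/something.rpm && rpm -ivh /tmp/something.rpm
#   repos_without_gpgcheck /etc/yum.conf /etc/yum.repos.d/*.repo
```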
looking at what the server is doing
We found that some students were starting vncserver sessions on the wrong port. You can get some information with commands like:

    [ggeller@rop ~]$ pstree -pu | more
    [ggeller@rop ~]$ netstat -pant | more

(As a non-root user, netstat -p only shows the PID and program name for your own sockets; run it as root to see everyone's.) But the command you really want is:

    [ggeller@rop ~]$ ps ax | grep Xvnc | more
    24783 ?        S      0:00 Xvnc :1 -desktop rop.ncc.sdccd.net:1 (jvitug) -httpd /usr/share/vnc/classes -auth /home/jvitug/.Xauthority -geometry 1024x768 -depth 16 -rfbwait 30000 -rfbauth /home/jvitug/.vnc/passwd -rfbport 5901 -pn

Which shows that the user jvitug is running Xvnc on display :1, that is, listening on TCP port 5901: VNC display N uses port 5900 + N, which is what the -rfbport 5901 argument states explicitly.
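An added example (not from the VNC package or from these notes) that turns the ps one-liner into a small audit: parse the Xvnc command lines, map each display to its port, and flag sessions outside the range the class is supposed to use. It assumes `ps axo user,pid,args` output (user, pid, then the full command line) and the argument layout shown in the ps line above; the argument values and the port range in the usage line are illustrative.

```shell
#!/bin/bash
# Who is running Xvnc, on which display and port. Added example for these
# class notes, not from the VNC package. Assumes "ps axo user,pid,args"
# output and the Xvnc arguments shown in the notes: the display is the ":N"
# right after Xvnc, -rfbport gives the listening port, and when -rfbport is
# absent the RFB port is 5900 + N.

# vnc_parse: read ps lines on standard input, print "user pid display port"
# for every Xvnc process; everything else (sshd, the grep itself) is skipped.
vnc_parse() {
    awk '{
        disp = ""; port = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /(^|\/)Xvnc$/ && $(i + 1) ~ /^:[0-9]+$/) disp = $(i + 1)
            if ($i == "-rfbport") port = $(i + 1)
        }
        if (disp == "") next                       # not an Xvnc process
        if (port == "") port = 5900 + substr(disp, 2)
        print $1, $2, disp, port
    }'
}

# vnc_sessions: live view of this machine.
vnc_sessions() {
    ps axo user,pid,args | vnc_parse
}

# vnc_off_policy LOW HIGH: from vnc_parse output, print the sessions whose
# port lies outside [LOW, HIGH]; exit status 1 if any were found.
vnc_off_policy() {
    awk -v lo="$1" -v hi="$2" '$4 < lo || $4 > hi { print; bad = 1 } END { exit bad }'
}

# Typical use (illustrative range): vnc_sessions | vnc_off_policy 5901 5910
```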
