Solaris Forensic Analysis Tools: AIDE Essay Example

due to system configuration changes and which were due to intrusion damage.

While it is ideal to install AIDE on a clean, unused system, it can be installed on a system that is already in use, provided that care is taken to ensure that the current machine is not compromised (Westphal, 2001). Westphal suggests that in addition to scrutinizing the baseline snapshot to try to detect any anomalies, it is also possible to configure a test server with the same setup as the server having AIDE installed in order to use it as a “clean” baseline detection to try to determine if any anomalies are present. There are some limitations to what AIDE can do. It cannot prevent an intrusion, nor can it actively prevent system damage. It is primarily useful for damage control and period system monitoring (Messenger, 2003). Westphal suggests that AIDE should be installed in cases where non-administrative users are allowed root, on DMZ servers and servers outside the firewall, and where configuration consistency across a large number of servers is desired (Westphal, 2003).

She notes that while it cannot prevent an intrusion or a bad install, it can be a very fast way to focus on damage from an intrusion or an administration process that went awry (Westphal, 2003).Installation of AIDE requires only open source tools, including gnu gcc, make, flex, bison, and a backend database server such as postgreSQL (Messenger, 2003). In order to use some of the checksum algorithm facilities, you may require the mhash library as well (Messenger, 2003). The installation follows standard software installation procedures; it is downloaded as a tarball, untarred and unzipped and then installed

using make and then make install (Messenger, 2003).

This installation also installs user documentation, including man pages and a user manual (Messenger, 2003). Westphal (2001) recommends ensuring that all system tools used for the installation be updated to the latest version, even if the installation claims to be able to use an earlier version. Westphal also suggests establishing a separate user and group for the installation and ownership of AIDE rather than having root retain ownership. This not only lowers the chance of vulnerability if root is compromised, it allows for an easier way to track actions taken by the AIDE user (Westphal, 2001).Westphal addresses the setup and security of the installation.

Permissions should be set to 0700 for all files associated with the AIDE utility; authorized users will have to be logged in as the associated user to use the program, offering a secondary layer of security for the baseline snapshot (Westphal, 2001). Securing the database that stores the baselines and intermediate snapshots is a special problem. Westphal has suggestions for securing this information as well. For a single system, the files can be written to physical media after setup and baseline snapshot and then unmounted until it is required (Westphal, 2001).

For a multiple server or enterprise solution, Westphal suggests using cron to facilitate snapshot and storage across the network. The methodology she outlines is: copy the config and database files from each server being monitored and write to a centralized location on a single disk, separated by server name; compute an md5 or sha1 checksum for each file and store in a log file for intermediate reference; then unmount the drive and

move to offsite storage (Westphal, 2001). This secure backup can then be used for reference in integrity checks and periodic updates.While installation of the AIDE package is relatively standard and straightforward, configuration of the database is more complicated.

Configuration is determined by the aide.conf configuration file, which can be found in the code install directory (Messenger, 2003). The initial configuration file is mostly self-explanatory, with a few quirks. The first oddity is the use of the string /// to specify URL file format (Messenger, 2003). Another complicating factor is the specification of file attributes for AIDE to monitor. These are called selection codes; Messenger (2003) explains the full range of codes.

These includep: permissionsi: inoden: number of linksu: userg: groups: sizem: mtimea: atimec: ctimeS: check for growing sizemd5:  md5 checksumsha1:  sha1 checksumrmd160:   rmd160 checksumtiger:   tiger checksumR: p+i+n+u+g+s+m+c+md5L: p+i+n+u+gE: Empty group>: Growing logfile p+u+g+i+n+Scrc32: crc32 checksumhaval: haval checksumgost:  gost checksum (Messenger, 2003)The selection codes are applied to individual file types to specify which attributes should be monitored. For example, a string like “ReadOnly=p+i+n+u+g+s+m+md5” indicates that the files of type ReadOnly should be monitored for permissions, inode,  number of links, user, group, size, mtime and md5 checksum (Messenger, 2003). It is possible to configure AIDE to monitor to any depth of files, including system and user files; it can monitor read-write file as well as read-only files (Messenger, 2003). The configuration file also contains such attributes as original and new database location, log file location, report output location and a variety of other reporting and operation functions (Messenger, 2003). Westphal (2001) notes that the database configuration, while seemingly straightforward, can be complicated due to the necessity to

determine the analysis rules.

Deciding to what level monitoring needs to happen and how many and which files need to be monitored is a balancing act between disk space, operation time and organizational requirements. Westphal (2003) explains how the configuration file affects the operation of AIDE and how it selects which files to monitor. The configuration file, which is case-sensitive but not white space-sensitive, contains three different types of control lines: configuration lines, which set operation parameters and variables; selection lines, which control which files are monitored; and macro lines, which specify how the files specified in the selection lines are monitored (Westphal, 2001). AIDE uses regular expressions to parse the configuration file to determine which files need to be monitored, and how they should be monitored (Westphal, 2001).

One configuration line in particular is useful in troubleshooting the configuration – setting the –verbose=255 variable will allow the maximum amount of system information to be output, allowing the configuration to be monitored (Westphal, 2001).The next step after installation and configuration of the AIDE utility is taking the initial baseline snapshot. This should be performed before the server being monitored has been connected to a network (Messenger, 2003, Westphal, 2001). The first step in obtaining the baseline snapshot is creating the database. By default, the baseline database is called aide.

db (Messenger, 2003, Westphal 2001).  In order to build the database, issue the command aide --config=./aide.conf –init at the command line (Messenger, 2003). Depending on the configuration file and the depth to which the system is being monitored, this database build can take up to several hours (Messenger, 2003). As Messenger notes, immediately on completion of this

database build the files associated with it should be moved off the file system onto read-only media and backed up, as it is now a critical system file.

This step should be repeated after any intentional change in the configuration of the system; otherwise, it can be difficult to determine which changes were intentional and which are outside damage in the event of an intrusion event (Messenger, 2003). Messenger also notes that the AIDE database is an unencrypted ASCII file and is not secure against intruders if left on the system.After the installation, configuration and initial baseline database snapshot of AIDE, continued operation is straightforward. Simply issue the command aide --config=.

/aide.conf –check (Messenger, 2003). The output can also be redirected to a file for logging or comparison; because the process doesn’t create any logs, this is essential when the snapshot is automated using cron (Westphal, 2001). This will create a new snapshot of the monitored files, creating a database called aide.db.new and compare the output to the original database.

A successful run will indicate that nothing has changed (Messenger, 2003). If there are changes indicated, Messenger suggests scrutinizing the output very carefully – it is possible that there were system configuration changes that were not logged with the creation of a new baseline snapshot, but it is also possible that the system has been compromised. One useful feature of AIDE is that a check run will find dead symbolic links as well as changed system files; setting the warn_dead_symlinks=yes configuration file variable will allow AIDE to detect and notify these links, which can then be removed (Messenger, 2003). This process can be scheduled through cron

in order to provide consistent monitoring (Messenger, 2003).It may be necessary to adjust the configuration file after the initial setup if the run is not capturing the information the administrator requires, or if it is capturing too much information (for example, user files which are frequently updated or changed).

It is important that only the essential information is monitored, in order to prevent evidence of intrusion or system corruption from being lost in an excess of changes in inessential files (Messenger, 2003). In order to adjust the configuration file, simply make the required changes according to the initial setup procedures and rerun the initial setup, creating a new baseline database (Messenger, 2003). Then perform all backup and data isolation processes as noted above. Westphal (2001) suggests a few methods for refining the rule set in the configuration file to meet the needs of the organization. Her first suggestion is to simply start by monitoring everything; then, weed out the inessentials until the balance between security and usability has been achieved.

Another approach, she states, is to consider what the operating system level monitoring priorities are – which files need to be monitored for business purposes, which are considered to be targets for hackers, how much storage space is available for monitoring and log storage and how long monitoring data will need to be retained (Westphal, 2001). Finally, she recommends that directories such as /tmp, which change frequently, are not good candidates for monitoring, as they will almost always show a large number of changes from the baseline files (Westphal, 2001).A final consideration in installation, configuration and use of AIDE is the requirement to update database

software from underneath the existing baseline database. Messenger details the procedure for updating the database software. He states that it is not necessary to update the baseline file when it is time for a database software update; the command aide --config=.

/aide.conf –update will create an updated baseline file; this needs to be moved to the location specified in the control file by the database=file variable and the backup and isolation procedure detailed above repeated (Messenger, 2003).Because AIDE is an open-source replacement for Tripwire, another popular database-based host based IDS, it is appropriate to compare the two systems. AIDE was reverse-engineered by its creator, Rami Lehtl, because he wanted to make some improvements to Tripwire, but the source code was not available (Tripwire used to be an open-source program, but has since been closed and offered commercially to most users) (Messenger, 2003). These improvements included distributed CVS to allow multiple developers to improve the code, as well as reporting and ease of use features (Messenger, 2003).

Messenger reports that the configuration of AIDE is indeed easier than that of Tripwire, and the reports are easier to read and understand; this is a big advantage to a complicated system. However, one advantage that Tripwire has that AIDE does not is that of an encrypted database file; a plain-text ASCII format means that the database is human-readable and unprotected and, if left open, can easily be compromised (Messenger, 2003). Westphal (2001) notes that deployment and monitoring of AIDE on an enterprise basis may be difficult to coordinate and monitor; if a very large enterprise installation is required, the monitoring and deployment tools included in Tripwire Enterprise Edition may

be a deciding factor in tool choice.A host-based intrusion detection system (HIDS) such as AIDE (or Tripwire) cannot prevent intrusions, nor is it necessarily the most effective detection system, depending on frequency of snapshot comparison and the length of time required to run the process. However, AIDE and other HIDS have a strong advantage over network-based IDS programs; they can determine with ease precisely which files and directories may have been compromised, speeding recovery and allowing the investigator to tightly focus his or her efforts on the compromised data rather than spending time determining where damage may have occurred (Messenger, 2003).There are other benefits to utilities such as AIDE, as well.

These benefits include monitoring the system not against intruders, but against disk-based corruption, unintended changes due to confusion of test and production systems, and monitoring changes made by members of a large administration team. Change management and monitoring is a vital task in today’s administration environment, particularly in certification environments such as ISO 9000 and in organizations that fall under Sarbanes-Oxley reporting requirements. AIDE can assist in change detection and management as well as intrusion detection and system recovery (Westphal, 2001, Messenger, 2003). Implementation of AIDE is not free of challenges, however. These include the difficulty of deployment across a large or complicated network environment, the greater complication of deploying AIDE in an existing server setup as compared to a new server configuration and the fine-tuning of configuration required in most environments to determine the correct level of monitoring for that environment.

Overall, AIDE is an excellent addition to the Solaris forensics toolkit. It is free and open-source, which confers a number of benefits on

the user. The freedom of the software lowers implementation costs, removing the cost of the license from the equation. Its open-source nature means that a distributed software team is continually updating it and it is more agile than a commercial product and can adapt more quickly to a changing threat. It also means that the administrator or security personnel can customize the software to fit the organization’s environment, for example, in order to use a different database or to add a new feature or modify an existing feature.

It is also highly configurable, allowing the user to choose his or her own level of monitoring and availability, based on an equation of available disk space, time and organizational requirements. Other benefits include easy to read output reports  and the ability to monitor dead symbolic links. While some improvements, such as an encrypted database format rather than plain text ASCII and logging capabilities, could be made, AIDE is a robust and useful piece of software as it is today.