Creating an AIDE Configuration File

After AIDE has been installed, the first thing you'll want to do is create a configuration file. Unlike most other software in Linux, AIDE doesn't include a default configuration file from which you can build a customized version. There is a sample configuration file in the <AIDE-source>/doc/ directory, but it explicitly states that you shouldn't use it as a system-wide configuration file. Therefore, you'll have to build one of your own. Don't worry, I'm here to help.

The AIDE configuration file is normally called aide.conf and is located in /etc/. Comments within the AIDE configuration file begin with a pound sign (#). There are three categories of lines within the AIDE configuration file: configuration lines, macro lines, and selection lines. The heart of the AIDE configuration file is the selection lines, which you use to determine what objects on the filesystem will be monitored. Configuration lines are also important in determining how AIDE will operate, and macro lines are important for creating advanced configurations. AIDE uses a series of parameter=value directives to indicate the type of checking to perform on a given object. Table 12.1 lists those directives.

Table 12.1. AIDE Configuration Directives

DIRECTIVE   DESCRIPTION
p           permissions
i           inode
n           number of links
u           user
g           group
s           size
b           block count
m           mtime
a           atime
c           ctime
S           check for growing size
md5         md5 checksum
sha1        sha1 checksum
rmd160      rmd160 checksum
tiger       tiger checksum
R           p+i+n+u+g+s+m+c+md5
L           p+i+n+u+g
E           Empty group
>           Growing logfile p+u+g+i+n+s
haval       haval checksum
gost        gost checksum
crc32       crc32 checksum

You can also define your own groups alongside the default groups. Doing so can save you time and improve the readability of the configuration file. You might use a custom group to combine other groups of commonly used checks. For example, to create a group called MyGroup with commonly used types of checks, it's as simple as this:

MyGroup p+i+n+m+md5

These groupings, whether default or custom, are used to determine the type of check that will be performed on a given selection. You also configure the files and directories to be checked using a selection line in the configuration file. Selection lines consist of the object to be checked together with the type of check to be performed. The object can be a file, a directory, a regular expression, or more commonly a combination of a file along with some regular expression syntax. I'll take a glance at regular expressions in a later section, but for now I'll show simple examples of the selection process.

The following selection line would examine everything in the /etc directory, specifically looking at the number of links, the user who owns a given file, the group who owns a given file, and the size of the file:

/etc n+u+g+s

A change to one of those attributes that occurs unexpectedly might indicate tampering. The next example uses a custom group called MyGroup as the check for the files within the /bin directory:

/bin MyGroup

Objects can be ignored or skipped by using an exclamation point (!), as in the following example, which causes AIDE to ignore everything in /var/log:

!/var/log

Ignoring objects that change frequently can drastically reduce the number of irrelevant lines that appear in the AIDE report. However, you should be careful so as not to ignore too much; otherwise, you might miss important filesystem changes.

Rule lines in the configuration file use regular expressions to enable powerful matching capabilities. Don't worry if you're not familiar with the black magic involved in regular expressions; I'll go easy on you here.

A primary concern when matching files in AIDE is to ensure that you don't leave room for an attacker to circumvent the file integrity checker. This could occur if you specified a filename without fully qualifying the file. For example, if you wanted to skip checking a file in the /var/log/ directory because it changes, you might use this (seemingly correct) syntax:

!/var/log/maillog

However, due to the regular expression matching that occurs, an attacker could create a file called this:

/var/log/maillog.crack

Because the exclusion is matched as a regular expression against the start of the path, AIDE will not check anything that begins with /var/log/maillog. To solve this problem you add a dollar sign ($) to the end of the filename. In regular expression syntax, a $ indicates the end of the line. Therefore, by adding a $ to the file you want to exclude, you use the most specific match for that filesystem check:

!/var/log/maillog$
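To make the group, selection, and exclusion behaviour described above concrete, here is a small evaluator of aide.conf-style lines. It is an added example and not code from the book or from the AIDE project; it is a simplified model of AIDE's matching (regexes anchored at the start of the path, a negative line always wins, otherwise the last positive match applies), not AIDE's exact precedence rules, and the sample configuration is constructed for the demonstration.

```python
import re
# Default groups from Table 12.1 (values as the table gives them).
DEFAULT_GROUPS = {"R": "p+i+n+u+g+s+m+c+md5", "L": "p+i+n+u+g",
                  ">": "p+u+g+i+n+s", "E": ""}

def expand(expr, groups):
    """Expand a '+'-joined expression of attributes and group names into a set."""
    attrs = set()
    for tok in expr.split("+"):
        if tok in groups:
            attrs |= expand(groups[tok], groups)  # groups may reference groups
        elif tok:
            attrs.add(tok)
    return frozenset(attrs)

def parse_config(text):
    """Parse macro lines (group definitions) and selection lines; '#' starts a
    comment. Returns (groups, rules) with rules as (regex, is_negative, attrs)."""
    groups, rules = dict(DEFAULT_GROUPS), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("!"):                 # negative selection line
            rules.append((re.compile("^" + line[1:]), True, frozenset()))
        elif line.startswith("/"):               # selection line: object + checks
            obj, expr = line.split(None, 1)
            rules.append((re.compile("^" + obj), False, expand(expr, groups)))
        else:                                    # macro line defining a group
            name, expr = line.split(None, 1)
            groups[name] = expr
    return groups, rules

def checks_for(path, rules):
    """Attributes AIDE would check on path, or None if a negative rule matches.
    Simplified model (not AIDE's exact precedence): a negative match wins."""
    result = None
    for rx, negative, attrs in rules:
        if rx.search(path):
            if negative:
                return None
            result = attrs
    return result
# Constructed sample configuration, not taken from the original page.
SAMPLE_CONF = """MyGroup p+i+n+m+md5
/etc n+u+g+s
/bin MyGroup
/var/log >
!/var/log/maillog   # unanchored: also hides /var/log/maillog.crack"""
ANCHORED_CONF = SAMPLE_CONF.replace("!/var/log/maillog ", "!/var/log/maillog$ ")
```

Running checks_for("/var/log/maillog.crack", ...) against both configurations shows the difference: the unanchored exclusion hides the extra file, while the $-anchored one leaves it subject to the /var/log rule.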

By default, AIDE will create a file-based database in /usr/local/etc/ called aide.db.new. This file is then moved (manually) to /usr/local/etc/aide.db for future checks. Therefore, there's not really a need to alter this behavior within the context of the configuration file; however, you certainly can change the path and name of this file using the configuration option:

database_out=file:<filename>

AIDE can also use an SQL database server such as PostgreSQL to store database contents, although that configuration is beyond the scope of this book.
