FileIntegrityAIDE

Differences between revisions 10 and 11
Revision 10 as of 2006-02-24 23:28:09
Size: 7645
Editor: adsl-146-175-21
Comment: edits, and local resource table---jbs
Revision 11 as of 2006-03-06 00:46:52
Size: 9553
Editor: 209-62-165-166
Comment: Reverted to version 9, page was incorrectly a copy of the StrongPasswords page.
Line 4: Line 4:
Many security mechanisms present in Ubuntu and elsewhere require a password. Passwords are the most commonly used security tactic in computing, and are frequently used to protect sensitive information, such as your e-mail account, or your Ubuntu user account. Choosing a strong password for any application, or service which may require one is extremely important. If the password you choose is based on common information such as a dictionary word, an attacker may use a so-called "brute-force" method of determining your password, and subsequently compromise the account, or data protected with that password. One of the many possible layers of security which may be applied to your Ubuntu computer is known as ''file integrity monitoring'', or ''file integrity verification''. The purpose of monitoring and/or verifying the integrity of key files including system binaries, and configuration files is to ensure the files have not been altered by unauthorized means. The unauthorized alteration of certain system files is one of the symptoms of an active attack, or compromise upon a system. Using file integrity monitoring is a pro-active means of being aware of any changes to critical system files. As with most tools, and utilities in the GNU/Linux community, there exist many different applications for use in monitoring, and verifying the integrity of files on your Ubuntu system. This guide will mention some of these tools, and go on to discuss installation, configuration, and usage of the tools on an Ubuntu system.
Line 6: Line 6:
This guide demonstrates the generation of strong passwords with applications available to Ubuntu. This guide ''does not'' recommend a formal password policy, including rotation/change scheduling, re-use prevention strategies, and the like. Such principles are beyond the scope of this guide, and the reader is requested to see the resources presented at the end of this guide for further information on passwords, and formal password policies. == Available Tools ==
While there are literally a dozen, or more solutions for monitoring, and verifying the integrity of critical files on a GNU/Linux computer system, this guide will focus only on the '''Advanced Intrusion Detection Environment''' ('''AIDE''') utility. Other possible tools, and utilities for monitoring, and/or verifying file integrity will be listed in the '''Resources''' section of this guide, however. The exploration, and use of these tools is left as an exercise for the reader of this guide.
Line 8: Line 9:
== Target Audience ==
This guide is for anyone with sufficient experience with the GNU/Linux command-line, including installing packages using {{{apt-get}}}, and executing command-line tools who also has an interest in passwords, and generating strong passwords with a command-line utility.
== AIDE ==
The Advanced Intrusion Detection Environment (AIDE) is a ''free'' replacement for the popular file integrity verification tool '''Tripwire'''. It creates a database from regular expression rules that it finds in a configuration file, and once this database is initialized, it can be used to verify the integrity of critical system, and user files.
Line 11: Line 12:
== Strong Passwords ==
Applications, and libraries exist for your Ubuntu system to assist in generating, or enforcing strong passwords. A strong password is defined as any password which meets the following criteria:
AIDE uses most of the popular message digest algorithms (md5,sha1,rmd160,tiger,haval,etc.) for checking file integrity. Additional algorithms may also be added easily. All of the traditional file system attributes may also be checked for inconsistencies as well.
Line 14: Line 14:
 * At least ''eight'' (8) characters in length
 * Does not contain your user name, real name, or organization name
 * Does not contain a complete dictionary word
 * Is significantly different from your previous password
 * Should contain ''three'' (3) of the following character types
  * Lowercase Alphabetical (a, b, c, etc.)
  * Uppercase Alphabetical (A, B, C, etc.)
  * Numerics (0, 1, 2, etc.)
  * Special Characters (@, %, !, etc.)
=== Installing AIDE ===
To install AIDE from a terminal prompt, ensure that your Internet connection is working, and enter the following command:
Line 24: Line 17:
== Generating Strong Passwords in Ubuntu ==
Now that we've establish what constitutes a strong password. How do we have our computers help generate strong passwords automatically? This section will cover the ''Automatic Password Generator'' application (APG) which is available in Ubuntu via System Administration (universe). APG does precisely what its name implies: ''automatically generates passwords''. Not only does APG generate passwords, it will generate ''strong passwords'' for you as well. If you wish to study APG further, you may find all information at the APG website. (''see '''Resources''' section of this guide'')
{{{sudo apt-get install aide}}}
Line 27: Line 19:
attachment:IconsPage/IconTip.png ''It should be noted here that Ubuntu's password functions for user accounts do provide some means of enforcing strong passwords for user accounts, but there are cases, and applications where the strength of the password cannot be enforced in this manner, and so this guide exists to help the user generate acceptable strong passwords''. Enter your password, and upon successful authentication, the AIDE package should be fetched, and installed.
Line 29: Line 21:
=== Installing APG ===
To install APG, ensure you have enabled the Universe Packages, (''see UniversePackages'') and a have live connection to the Internet, then issue the following command at a command prompt:
During installation, an '''Ubuntu Configuration''' window will appear notifying you that daily reports are mailed to the ''root'' user by default, and that this behavior may be changed by editing the {{{/etc/default/aide}}} configuration file. Press '''ENTER''' to acknowledge this message. You will then be asked if the AIDE database should be initialized. Select '''Yes''' here, and press '''ENTER'''. The next confirmation dialog asks you to examine {{{/var/lib/aide/aide.db.new}}} before replacing any existing database. If this is your first time installing AIDE on the system in question, select '''Yes''' here, and press '''ENTER'''.
Line 32: Line 23:
{{{ sudo apt-get install apg}}} === Configuring AIDE ===
There are two primary configuration files for AIDE:
Line 34: Line 26:
You will be prompted for a password. The password being requested is ''your user password'', or the same password you use when issuing commands with the {{{sudo}}} command. After authentication, the APG package will be downloaded, and installed. You are now ready to begin using, and further configuring APG to your liking. ||{{{/etc/default/aide}}}||The AIDE general configuration file||
||{{{/etc/aide/aide.conf}}}||The AIDE rules configuration file||
Line 36: Line 29:
=== Using APG ===
The default behavior of APG installed on Ubuntu via apt-get when executed, is to prompt for random data from standard input (typically the keyboard) and upon pressing enter, display ''six'' (6) strong "pronounceable" passwords. They are referred to as "pronounceable" because the passwords may actually be pronounced like regular words. In fact, APG includes the pronunciation in parentheses () to the right of each password. Additionally, they are ''strong passwords'' because they include a mix of lowercase, uppercase, and numeric characters. An example of executing {{{apg}}} and the the default output of APG is presented here:
Some general settings, and behaviors for AIDE may be modified by editing the {{{{/etc/default/aide}}} configuration file. For example, if you would like to have all of AIDE's daily reports e-mailed to the user {{{breandon}}} instead of the default root user, simply use {{{sudo}}} with your favorite editor, and modify the line:
Line 39: Line 31:
{{{apg}}} ||{{{MAILTO=root}}}||
Line 41: Line 33:
APG prompts for the input of random keyboard keys, and then, after pressing '''ENTER''', produces output similar to this: so that it reflects your choice of user ({{{breandon}}} in our example) as such:
Line 43: Line 35:
{{{
queafWodEis5 (queaf-Wod-Eis-FIVE)
WoudElIc6 (Woud-El-Ic-SIX)
GorIacNewt8 (Gor-Iac-Newt-EIGHT)
ShratUplEov7 (Shrat-Upl-E-ov-SEVEN)
hexLyafByff1 (hex-Lyaf-Byff-ONE)
Irkyorn9 (Irk-yorn-NINE)
}}}
||{{{MAILTO=breandon}}}||
Line 52: Line 37:
If you would like to enforce different behavior from APG, there are many options you may pass to the '''apg''' command for the purpose of changing the default output, and behavior of APG. For example, to generate ''random character passwords'' instead of the ''pronounceable'' passwords, you may invoke APG with the '''-a 1''' option, where '''-a''' is the ''algorithm'' APG uses, and '''1''' selects random mode. The following command would produce ''six'' (6) random character passwords with no prompting to input random data: Read the comments in {{{/etc/default/aide}}} to see what the other configuration directives control, and change them accordingly to suit your installation's requirements.
Line 54: Line 39:
{{{ apg -a 1}}} The other configuration file, {{{/etc/aide/aide.conf}}} controls the rules for the directories, files, and attributes of files which AIDE uses to determine changes when scanning. For example, in the default {{{/etc/aide/aide.conf}}} file, all member directories and files of the Group definition {{{BinLib}}} are checked for permissions, inode, number of links, user, group, size, block count, mtime, ctime, md5 checksum, and sha1 checksum (p+i+n+u+g+s+b+m+c+md5+sha1) whereas all member directories, and files in the Group definition Databases are checked only for permissions, number of links, user, and group (p+n+u+g).
Line 56: Line 41:
Upon executing the above command, APG outputs a list of ''six'' (6) random character passwords similar to these: The member directories of a particular Group definition are added by specifying one entry per line, in the form of :
Line 58: Line 43:
{{{
S:w[AOe<
!_IlD#_G/~
)lL`avASe6
SgzlI:lU?h
~Wc(0b"{
'4fU25w%}
}}}
||{{{directory}}} {{{Group definition}}}||
Line 67: Line 45:
If you wish to always enforce prompting for random data from standard input (keyboard), to ensure the most secure passwords possible, you should explicitly tell APG to do so with the {{{-s}}} option. For example, to make the directory {{{/opt/local/bin}}} part of the {{{BinLib}}} Group definition, a line would be added in the appropriate section of the {{{/etc/aide/aide.conf}}} configuration file resembling the following:
Line 69: Line 47:
Another example would be the generation of four (4) WiFi Protected Access (WPA) Pre Shared Keys (WPA PSKs) having the maximum supported WPA PSK length of 63 random characters for use with modern WiFi equipment, such as a Wireless Access Point (WAP). To generate such a sequence, and use random data prompting, issue the following command at a command prompt: ||{{{/opt/local/bin BinLib}}}||
Line 71: Line 49:
{{{apg -s -a 1 -m 63 -n 4}}} Another example of a clever use for AIDE is to monitor the system's crontabs. System crontabs control the scheduled system activities which are executed on a schedule by the cron daemon. To ensure these files are not altered in such a way as to introduce the automatic, scheduled execution of a malicious application, simply use the {{{sudo}}} command to edit the {{{/etc/aide/aide.conf}}} file with your favorite editor and locate the following section of the file :
Line 73: Line 51:
After supplying the random keyboard data, and pressing '''ENTER''' a list of strong WPA PSKs will be presented, similar to these: ||{{{# Check crontabs}}}||
Line 75: Line 53:
{{{
+DIaz*<DmO6VAFR/cQ>B^'[mtB;J1ABi*n"B<=|_My"5bZv#*iRJH!0oCcf!,@Z
os#?3;sC2}/A>lG^e*9%9}pd^&A\'eLkdC,lk#jB,bcg70I|q@U:^VZP"}>3z?G
rj??<_Ej%-:2LW;4q_?53$ab$U_~1I(({`^LN1Hd&&gKj+Dw;EqR<\qH_VQ{`s!
"x3up};b~/jU6Vo,t">Dr~f_U`NSNr30JmOD@c'Y:p2wvc"0s?$MtT<S5Qr\AZi
}}}
Uncomment all of the lines beginning with {{{#/var/spool}}} under the {{{# Check crontabs}}} heading, and save the file.
You should examine the file {{{/etc/aide/aide.conf}}} closely, observing the commented sections in particular, for other possible uses of AIDE, and read the {{{aide.conf}}} manual page, in addition to reading the HTML version of the AIDE manual for further uses of AIDE which may be specified in this configuration file.
Line 82: Line 56:
Many other options are available. You should consult the APG manual page, and the APG website for further information. (''see '''Resources''' section of this guide'') When you've made configuration changes, and you would like them used immediately, issue the following command at the terminal prompt to update the AIDE configuration:
Line 84: Line 58:
{{{sudo update-aide.conf}}}

Otherwise, AIDE's daily crontab will do the same thing, so if you have made changes, but do not need to run aide manually, and immediately you can be assured the configuration will be updated by the daily crontab automatically before the daily run of AIDE by the daily crontab.

=== Using AIDE ===
To begin using AIDE, you must make sure the database is present:

{{{ls /var/lib/aide}}}

If you see the file {{{aide.db}}} in the output of the {{{ls}}} command, then proceed to the initialization step. If instead, you see the file {{{aide.db.new}}} then you need to rename the {{{aide.db.new}}} file to {{{aide.db}}} using this command:

{{{sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db}}}

Once the AIDE database is in place, you can initialize the database with the following command from a terminal prompt:

{{{sudo aide --init}}}

At the end of this process, you should see the line:

||{{{### AIDE database initialized}}}||

You may run an initial check of the directories and files as defined in {{{/etc/aide/aide.conf}}} by entering the following command at a terminal prompt:

{{{sudo aide --check}}}

If all is well in the directories, and files being monitored, you will see this message when the check completes:

||{{{### All files match AIDE database. Looks okay!}}}||

AIDE will also run each day from the {{{/etc/cron.daily/aide}}} crontab, and the output of this run will be mailed to the user specified in the {{{MAILTO=}}} directive of the {{{/etc/default/aide}}} configuration file as detailed above.
Line 86: Line 90:
Additional password information, command information, and formal password policy guidelines are available via the following resources: Additional information on AIDE, and file integrity monitoring, and verification is available via the following resources:
Line 90: Line 94:
||<style="background:#F1F1ED;">{{{man apg}}}|| System manual page for the {{{apg}}} command||
||<style="background:#F1F1ED;">{{{man passwd}}}|| System manual page for the {{{passwd}}} command||
||<style="background:#F1F1ED;">{{{man aide}}}|| System manual page for the {{{aide}}} command||
||<style="background:#F1F1ED;">{{{man aide.conf}}}|| System manual page for the {{{aide.conf}}} configuration file||
||<style="background:#F1F1ED;">{{{man aideinit}}}|| System manual page for the {{{aideinit}}} command||
||<style="background:#F1F1ED;">{{{man update-aide.conf}}}|| System manual page for the {{{update-aide.conf}}} command||
||<style="background:#F1F1ED;">{{{/usr/share/doc/aide/manual.html}}}|| The AIDE manual in HTML format||
||<style="background:#F1F1ED;">{{{/etc/default/aide}}}|| The AIDE general configuration file||
||<style="background:#F1F1ED;">{{{/etc/aide/aide.conf}}}|| The AIDE rules configuration file||
||<style="background:#F1F1ED;">{{{/etc/cron.daily/aide}}}|| Daily AIDE cron scripts||
Line 93: Line 103:
=== Other File Integrity Monitoring and Verification Tools ===

 * '''BSign''' : Corruption and Intrusion Detection using embedded hashes
 * '''Integrit''' : Small footprint, unattended monitoring of file integrity with cascading rulesets [http://integrit.sourceforge.net/ Integrit Website]
 * '''Samhain''' : Standalone, or Client-Server file integrity monitoring solution [http://la-samhna.de/samhain/ Samhain Website]
 * '''Systraq''' : Monitors, and alerts on file changes [http://mdcc.cx/systraq/ Systraq Website]
Line 96: Line 112:
[http://www.adel.nursat.kz/apg/ APG website] [http://sourceforge.net/projects/aide AIDE Website]
Line 98: Line 114:
[http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci916934,00.html?track=sap805 Bad Password Policies]

[http://www.sans.org/resources/policies/Password_Policy.pdf SANS Password Policy Guideline (PDF Document)]

[http://www.sans.org/rr/whitepapers/authentication/1636.php Simple Formula For Strong Passwords (PDF Document)]

[http://www.smat.us/sanity/pwdilemma.html#anchor12895273 Strong Password Policies]
[http://www.linuxsecurity.com/content/view/101882/49/ Guide on CHKROOTKIT and AIDE]

Introduction

One of the many possible layers of security which may be applied to your Ubuntu computer is known as file integrity monitoring, or file integrity verification. The purpose of monitoring and/or verifying the integrity of key files including system binaries, and configuration files is to ensure the files have not been altered by unauthorized means. The unauthorized alteration of certain system files is one of the symptoms of an active attack, or compromise upon a system. Using file integrity monitoring is a pro-active means of being aware of any changes to critical system files. As with most tools, and utilities in the GNU/Linux community, there exist many different applications for use in monitoring, and verifying the integrity of files on your Ubuntu system. This guide will mention some of these tools, and go on to discuss installation, configuration, and usage of the tools on an Ubuntu system.

Available Tools

While there are literally a dozen, or more solutions for monitoring, and verifying the integrity of critical files on a GNU/Linux computer system, this guide will focus only on the Advanced Intrusion Detection Environment (AIDE) utility. Other possible tools, and utilities for monitoring, and/or verifying file integrity will be listed in the Resources section of this guide, however. The exploration, and use of these tools is left as an exercise for the reader of this guide.

AIDE

The Advanced Intrusion Detection Environment (AIDE) is a free replacement for the popular file integrity verification tool Tripwire. It creates a database from regular expression rules that it finds in a configuration file, and once this database is initialized, it can be used to verify the integrity of critical system, and user files.

AIDE uses most of the popular message digest algorithms (md5,sha1,rmd160,tiger,haval,etc.) for checking file integrity. Additional algorithms may also be added easily. All of the traditional file system attributes may also be checked for inconsistencies as well.

Installing AIDE

To install AIDE from a terminal prompt, ensure that your Internet connection is working, and enter the following command:

sudo apt-get install aide

Enter your password, and upon successful authentication, the AIDE package should be fetched, and installed.

During installation, an Ubuntu Configuration window will appear notifying you that daily reports are mailed to the root user by default, and that this behavior may be changed by editing the /etc/default/aide configuration file. Press ENTER to acknowledge this message. You will then be asked if the AIDE database should be initialized. Select Yes here, and press ENTER. The next confirmation dialog asks you to examine /var/lib/aide/aide.db.new before replacing any existing database. If this is your first time installing AIDE on the system in question, select Yes here, and press ENTER.

Configuring AIDE

There are two primary configuration files for AIDE:

/etc/default/aide - The AIDE general configuration file

/etc/aide/aide.conf - The AIDE rules configuration file

Some general settings and behaviors for AIDE may be modified by editing the /etc/default/aide configuration file. For example, if you would like to have all of AIDE's daily reports e-mailed to the user breandon instead of the default root user, simply use sudo with your favorite editor, and modify the line:

MAILTO=root

so that it reflects your choice of user (breandon in our example) as such:

MAILTO=breandon

Read the comments in /etc/default/aide to see what the other configuration directives control, and change them accordingly to suit your installation's requirements.

The other configuration file, /etc/aide/aide.conf controls the rules for the directories, files, and attributes of files which AIDE uses to determine changes when scanning. For example, in the default /etc/aide/aide.conf file, all member directories and files of the Group definition BinLib are checked for permissions, inode, number of links, user, group, size, block count, mtime, ctime, md5 checksum, and sha1 checksum (p+i+n+u+g+s+b+m+c+md5+sha1) whereas all member directories, and files in the Group definition Databases are checked only for permissions, number of links, user, and group (p+n+u+g).

The member directories of a particular Group definition are added by specifying one entry per line, in the form of :

directory Group definition

For example, to make the directory /opt/local/bin part of the BinLib Group definition, a line would be added in the appropriate section of the /etc/aide/aide.conf configuration file resembling the following:

/opt/local/bin BinLib

Another example of a clever use for AIDE is to monitor the system's crontabs. System crontabs control the scheduled system activities which are executed on a schedule by the cron daemon. To ensure these files are not altered in such a way as to introduce the automatic, scheduled execution of a malicious application, simply use the sudo command to edit the /etc/aide/aide.conf file with your favorite editor and locate the following section of the file :

# Check crontabs

Uncomment all of the lines beginning with #/var/spool under the # Check crontabs heading, and save the file. You should examine the file /etc/aide/aide.conf closely, observing the commented sections in particular, for other possible uses of AIDE, and read the aide.conf manual page, in addition to reading the HTML version of the AIDE manual for further uses of AIDE which may be specified in this configuration file.
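The two line shapes discussed above (a Group definition such as BinLib = p+i+n+u+g+s+b+m+c+md5+sha1, and a selection line such as /opt/local/bin BinLib) can be parsed and expanded into the set of attributes AIDE would record for a path. The following is an added example written for this page, not AIDE's own parser and not the real /etc/aide/aide.conf: the SAMPLE_CONF text, the KNOWN_ATTRS table, the attrs_for helper and its longest-prefix matching are all constructed assumptions (real AIDE matches selection lines as regular expressions and has further directive types that this example ignores). It also shows why a rule left commented out, such as the #/var/spool crontab lines, contributes nothing until it is uncommented.

```python
"""Parse AIDE-style Group definitions and selection lines (constructed example)."""
import re

# Attribute letters and digest names used in the page's examples and AIDE's
# documented set (assumption: this is a subset of what AIDE accepts).
KNOWN_ATTRS = {"p", "i", "n", "u", "g", "s", "b", "m", "c", "a",
               "md5", "sha1", "rmd160", "tiger", "haval"}

# Constructed sample in the shape of /etc/aide/aide.conf; not the real file.
SAMPLE_CONF = """\
# Constructed sample, not the Ubuntu aide.conf
BinLib = p+i+n+u+g+s+b+m+c+md5+sha1
Databases = p+n+u+g
/bin BinLib
/opt/local/bin BinLib
/var/lib/mysql Databases
# Check crontabs
#/var/spool/cron/crontabs BinLib
"""


def _resolve(expr, groups, lineno):
    """Expand 'p+n+u+g' or 'BinLib+rmd160' into a set of attribute names."""
    attrs = set()
    for token in expr.split("+"):
        if token in groups:          # a previously defined Group definition
            attrs |= groups[token]
        elif token in KNOWN_ATTRS:   # a single attribute letter or digest
            attrs.add(token)
        else:
            raise ValueError(f"line {lineno}: unknown attribute or group {token!r}")
    return attrs


def parse_aide_conf(text):
    """Return (groups, selections).

    groups:     {"BinLib": {"p", "i", ...}, ...}
    selections: [("/opt/local/bin", {"p", "i", ...}), ...] in file order
    Blank lines and lines starting with '#' are ignored, so a commented-out
    rule (like the #/var/spool crontab entries) selects nothing.
    """
    groups, selections = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=\s*(\S+)$", line)   # Name = attr+attr
        if m:
            name, expr = m.groups()
            groups[name] = _resolve(expr, groups, lineno)
            continue
        m = re.match(r"^(/\S*)\s+(\S+)$", line)      # /path Name
        if m:
            path, expr = m.groups()
            selections.append((path, _resolve(expr, groups, lineno)))
            continue
        raise ValueError(f"line {lineno}: unrecognised rule: {raw!r}")
    return groups, selections


def attrs_for(path, selections):
    """Attributes to record for path, or None if no selection line covers it.

    Assumption: the longest matching directory prefix wins (real AIDE uses
    regular-expression matching with its own precedence rules).
    """
    best = None
    for prefix, attrs in selections:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, attrs)
    return best[1] if best else None


if __name__ == "__main__":
    groups, selections = parse_aide_conf(SAMPLE_CONF)
    for name, attrs in groups.items():
        print(f"{name}: {'+'.join(sorted(attrs))}")
    for probe in ("/opt/local/bin/tool", "/var/lib/mysql/ibdata1",
                  "/var/spool/cron/crontabs/root"):
        print(probe, "->", attrs_for(probe, selections))
```

Uncommenting the crontab line in SAMPLE_CONF (replace `#/var/spool` with `/var/spool`) makes the crontab path resolve to the full BinLib attribute set, which is exactly the effect of the edit described above for the real configuration file.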

When you've made configuration changes, and you would like them used immediately, issue the following command at the terminal prompt to update the AIDE configuration:

sudo update-aide.conf

Otherwise, AIDE's daily crontab does the same thing: if you have made changes but do not need to run aide manually right away, the daily cron job regenerates the configuration automatically before the daily AIDE run.

Using AIDE

To begin using AIDE, you must make sure the database is present:

ls /var/lib/aide

If you see the file aide.db in the output of the ls command, then proceed to the initialization step. If instead you see the file aide.db.new, then you need to rename aide.db.new to aide.db using this command:

sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Once the AIDE database is in place, you can initialize the database with the following command from a terminal prompt:

sudo aide --init

At the end of this process, you should see the line:

### AIDE database initialized

You may run an initial check of the directories and files as defined in /etc/aide/aide.conf by entering the following command at a terminal prompt:

sudo aide --check

If all is well in the directories, and files being monitored, you will see this message when the check completes:

### All files match AIDE database. Looks okay!

AIDE will also run each day from the /etc/cron.daily/aide crontab, and the output of this run will be mailed to the user specified in the MAILTO= directive of the /etc/default/aide configuration file as detailed above.
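The init and check steps above, and the difference between a rule that records digests (BinLib) and one that records only p+n+u+g (Databases), can be demonstrated on a small constructed file tree. This is an added example written for this page, not AIDE's code, database format or report format: the JSON database file, the attribute letters it understands (p, i, n, u, g, s, b, m, c, md5, sha1), the temporary tree it builds and the tampering it performs are all constructed. It initialises a database, verifies that a fresh check is clean, then overwrites one file with content of identical size and restores its mtime, and deletes another, before checking again.

```python
"""Minimal --init / --check style file-integrity database (constructed example)."""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def file_record(path, attrs):
    """Collect the attributes named in attrs for one file, AIDE-letter style."""
    st = os.lstat(path)
    fields = {
        "p": stat.S_IMODE(st.st_mode),      # permissions
        "i": st.st_ino,                     # inode
        "n": st.st_nlink,                   # number of links
        "u": st.st_uid,                     # user
        "g": st.st_gid,                     # group
        "s": st.st_size,                    # size
        "b": getattr(st, "st_blocks", 0),   # block count (0 where unsupported)
        "m": int(st.st_mtime),              # mtime
        "c": int(st.st_ctime),              # ctime
    }
    rec = {k: v for k, v in fields.items() if k in attrs}
    wanted = [a for a in ("md5", "sha1") if a in attrs]
    if wanted and stat.S_ISREG(st.st_mode):
        hashes = {a: hashlib.new(a) for a in wanted}
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                for h in hashes.values():
                    h.update(chunk)
        rec.update({a: h.hexdigest() for a, h in hashes.items()})
    return rec


def init_db(root, attrs):
    """The --init step: {relative path: record} for every file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full, attrs)
    return db


def save_db(db, path):
    """Persist the database (stand-in for /var/lib/aide/aide.db; JSON is our choice)."""
    with open(path, "w") as fh:
        json.dump(db, fh, sort_keys=True)


def load_db(path):
    with open(path) as fh:
        return json.load(fh)


def check_db(root, attrs, db):
    """The --check step: report added, removed and changed files against db."""
    current = init_db(root, attrs)
    report = {"added": sorted(set(current) - set(db)),
              "removed": sorted(set(db) - set(current)),
              "changed": {}}
    for rel in sorted(set(db) & set(current)):
        diff = {k: (db[rel].get(k), current[rel].get(k))
                for k in sorted(attrs) if db[rel].get(k) != current[rel].get(k)}
        if diff:
            report["changed"][rel] = diff
    return report


def all_ok(report):
    """True when nothing was added, removed or changed ("Looks okay!")."""
    return not (report["added"] or report["removed"] or report["changed"])


def demo(attrs=frozenset({"p", "n", "u", "g", "s", "m", "md5", "sha1"})):
    """Build a constructed tree, init, tamper, and return the check report."""
    root = tempfile.mkdtemp(prefix="aide_demo_")
    try:
        monitored = os.path.join(root, "tree")
        os.makedirs(os.path.join(monitored, "bin"))
        tool = os.path.join(monitored, "bin", "tool")
        other = os.path.join(monitored, "bin", "other")
        with open(tool, "wb") as fh:
            fh.write(b"#!/bin/sh\necho ok\n")
        with open(other, "wb") as fh:
            fh.write(b"data\n")
        db_file = os.path.join(root, "aide.db")   # kept outside the monitored tree
        save_db(init_db(monitored, attrs), db_file)
        db = load_db(db_file)
        if not all_ok(check_db(monitored, attrs, db)):
            raise RuntimeError("a fresh database must match its own tree")
        # Tamper: same size, mtime restored, different content; then remove a file.
        st = os.stat(tool)
        with open(tool, "wb") as fh:
            fh.write(b"#!/bin/sh\necho no\n")
        os.utime(tool, (st.st_atime, st.st_mtime))
        os.remove(other)
        return check_db(monitored, attrs, db)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("digest rule:", demo())
    print("p+n+u+g rule:", demo({"p", "n", "u", "g"}))
```

With the digest-bearing rule the report lists bin/tool as changed in md5 and sha1 only, since size and mtime were deliberately left intact; with a p+n+u+g rule the same overwrite is invisible and only the removed file is reported. That is the practical reason the page's BinLib definition carries md5 and sha1, and why keeping the database file outside the monitored tree (or excluded from it) avoids the database reporting itself.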

Resources

Additional information on AIDE, and file integrity monitoring, and verification is available via the following resources:

Local System Resources

man aide - System manual page for the aide command

man aide.conf - System manual page for the aide.conf configuration file

man aideinit - System manual page for the aideinit command

man update-aide.conf - System manual page for the update-aide.conf command

/usr/share/doc/aide/manual.html - The AIDE manual in HTML format

/etc/default/aide - The AIDE general configuration file

/etc/aide/aide.conf - The AIDE rules configuration file

/etc/cron.daily/aide - Daily AIDE cron scripts

Other File Integrity Monitoring and Verification Tools

  • BSign : Corruption and Intrusion Detection using embedded hashes

  • Integrit : Small footprint, unattended monitoring of file integrity with cascading rulesets [http://integrit.sourceforge.net/ Integrit Website]

  • Samhain : Standalone, or Client-Server file integrity monitoring solution [http://la-samhna.de/samhain/ Samhain Website]

  • Systraq : Monitors, and alerts on file changes [http://mdcc.cx/systraq/ Systraq Website]

WWW Resources

[http://sourceforge.net/projects/aide AIDE Website]

[http://www.linuxsecurity.com/content/view/101882/49/ Guide on CHKROOTKIT and AIDE]


CategoryDocumentation

FileIntegrityAIDE (last edited 2008-08-06 16:40:00 by localhost)