Saturday, August 15, 2009

Aide (Advanced Intrusion Detection Environment) improvements

At the Karmic Ubuntu developer summit, we had a session on filesystem integrity checkers. The main purpose of the session was to see what the current state of them was, and if we needed to replace Aide in main with a newer alternative.

I don't traditionally like filesystem checkers. While they are very useful to detect files that get modified during an intrusion, an administrator needs to invest an incredible amount of time in analyzing the log files that they produce every day. This is compounded by the fact that servers don't remain static: they get security and stability software updates installed. The more that servers get updated, the more they diverge from the original database that was generated by the integrity checker, and the more false positives get reported in the log.

Wouldn't it be great if the integrity checker was smart enough not to report on files that were changed by operating system updates?

I introduced this very feature in the Aide package in Karmic Koala. It is disabled by default. To activate it, simply modify the /etc/default/aide configuration file and set “FILTERUPDATES” to “yes”. I also recommend changing “COPYNEWDB” to “yes” in order to get changes reported only once.

This new configuration option will filter out files that were modified by operating system updates from the daily email sent to the administrator. It will not filter them out from the main log file.

Of course, overwriting the pristine database every day and filtering out the files changed by system updates may slightly reduce Aide's effectiveness, but I think it's a compromise worth having if the alternative is to not use Aide at all because of administrative overhead.
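To make the filtering idea concrete, here is an added POSIX shell example (not the Karmic aide package's own script): it takes an Aide report and a list of files touched by package updates and drops those findings from the text that would be mailed, leaving everything else for the administrator to review. The "changed: /path" line format and the way the updated-file list is obtained are assumptions; the report and the list below are constructed samples.

```shell
#!/bin/sh
# Added example: drop package-update noise from an Aide report before mailing it.
# Assumption: findings appear as "changed: /path", "added: /path" or
# "removed: /path" lines. The summary counts are left untouched.

# Constructed sample: files that recent package upgrades wrote. On a real host
# this would come from the package manager's logs (how the Karmic package
# derives it is an assumption, not shown here).
UPDATED_FILES='/usr/bin/ssh
/lib/libc.so.6
/usr/share/doc/openssh-client/changelog.gz'

# Constructed sample Aide report: two update-related changes plus two findings
# that an administrator would definitely want to see.
AIDE_REPORT='AIDE found differences between database and filesystem!!
Summary:
  Added files:   1
  Changed files: 3

changed: /usr/bin/ssh
changed: /lib/libc.so.6
changed: /usr/bin/passwd
added: /root/.ssh/authorized_keys'

# filter_updates REPORT UPDATED_LIST: print REPORT without the finding lines
# whose path is listed in UPDATED_LIST. Only the full path is compared (-x -F),
# so an update to /usr/bin/ssh cannot hide a change to /usr/bin/ssh-agent.
filter_updates() {
    report="$1"
    updated="$2"
    printf '%s\n' "$report" | while IFS= read -r line; do
        case "$line" in
            "changed: /"*|"added: /"*|"removed: /"*)
                path="${line#* }"
                if printf '%s\n' "$updated" | grep -qxF -- "$path"; then
                    continue   # written by a package update: not worth mailing
                fi
                ;;
        esac
        printf '%s\n' "$line"
    done
}

# remaining_findings REPORT UPDATED_LIST: how many findings survive the filter,
# i.e. what the administrator still has to look at.
remaining_findings() {
    filter_updates "$1" "$2" | grep -cE '^(changed|added|removed): '
}
```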

If you've never used Aide before on your Ubuntu server, and would like to give it a try on Karmic, here are the steps necessary to get started:

1- Install aide:

apt-get install aide

2- Create the initial database (this may take a while):

aideinit

3- Customize the MAILTO, COPYNEWDB and FILTERUPDATES parameters in /etc/default/aide

4- You should now get a daily email report on filesystem changes!

1 comment:

Anonymous said...

Nice Blog! Well most of your content and image is original and informative. Many thanks for sharing this, cheers.

Intrusion Detection