Security Stuff!!

File Integrity Check

AIDE (Advanced Intrusion Detection Environment)

We will use an integrity checker to make sure that my system files still have the right contents and that I don't have back-doors (rootkits), and to detect changes in permissions, access time, inode modification time, etc.
AIDE checks the integrity of system files by creating a database that contains file information, and I can reuse this database later to verify the integrity of those files.

Installation

1- install mhash
tar -zxvf mhash-0.9.9.9.tar.gz
cd mhash-0.9.9.9
./configure
make
make install
2- install aide
tar -zxvf aide-0.15.1.tar.gz
cd aide-0.15.1
./configure
make
make install

Configuration

aide.conf is located in aide-0.15.1/doc/
1- Uncomment the line database=file:/home/example/aide.db.new, which specifies the location of your database.
2- Add the directories whose details you want to record and whose integrity you want to check. For example, to check the /etc directory, add /etc R to aide.conf, then save the changes and copy the configuration file to your home directory.

Create database

Create the database with this command (here for the /etc directory):
aide -c aide.conf --init

AIDE, version 0.15.1  
AIDE database at aide.db.new initialized.

Now aide.db.new has been created in my home directory. Let's test it.
I will change a file located in /etc, such as hosts:
nano /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               example localhost.localdomain localhost
::1   

I will add this line:
# 127.0.0.1 localhost
Then let's check the integrity of the /etc directory:
aide -c aide.conf --check

AIDE 0.15.1 found differences between database and file system!!  
Start timestamp: 2011-08-08 08:51:40  

Summary:  
Total number of files:       2486  
Added files:                  0  
Removed files:                0  
Changed files:                2  
---------------------------------------------------  
Changed files:  
---------------------------------------------------  
changed: /etc/hosts  
changed: /etc/sysconfig/networking/profiles/default/hosts  
---------------------------------------------------  
Detailed information about changes:  
---------------------------------------------------  
File: /etc/hosts  
Size  :       194                         , 216  
Mtime :       2011-08-07 01:27:39         , 2011-08-08 08:42:27  
Ctime :       2011-08-07 01:27:39         , 2011-08-08 08:42:27  
MD5   :       02FfBTSv7TnxZkxsS9VL3g==    , 5p1GYAT86+ChpPhP3T5Rzg==
File: /etc/sysconfig/networking/profiles/default/hosts  
Size  :       194                         , 216  
Mtime :       2011-08-07 01:27:39         , 2011-08-08 08:42:27  
Ctime :       2011-08-07 01:27:39         , 2011-08-08 08:42:27  
MD5   :       02FfBTSv7TnxZkxsS9VL3g==    , 5p1GYAT86+ChpPhP3T5Rzg==

It's working. If I want this change to /etc/hosts to be added to the AIDE database, I run:
aide -c aide.conf --update

AIDE, version 0.15.1
### All files match AIDE database. Looks okay!
### New AIDE database written to aide.db.new

If I check the integrity again:
aide -c aide.conf --check

AIDE, version 0.15.1
### All files match AIDE database. Looks okay!

Finally, I recommend running this program frequently and checking the integrity of these directories (/bin, /boot, /etc, /lib, /usr, /sbin) by adding them to aide.conf:

/bin   R  
/boot  R  
/etc   R  
/lib   R  
/usr   R  
/sbin  R  

Note 1: If you want to create a database for the / root directory, add / R
Note 2: If you want a compressed database (backup), uncomment # gzip_dbout=no and change it to yes.
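
To run the check frequently, as recommended above, a small wrapper can turn the exit status of aide --check into a one-line verdict for a log or a scheduled job. This is an added example, not part of the original post; the exit-status meanings follow the DIAGNOSTICS section of the aide(1) man page, and AIDE_BIN and AIDE_CONF are hypothetical variables introduced here.

```shell
#!/bin/sh
# Added example (not from the original page): wrapper for a scheduled
# "aide --check". Exit-status meanings follow the aide(1) DIAGNOSTICS section.

# Print a one-line verdict for an AIDE --check exit status.
aide_verdict() {
    status=$1
    case "$status" in
        ''|*[!0-9]*) echo "ERROR: non-numeric exit status"; return 0 ;;
        0)  echo "OK: all files match the database"; return 0 ;;
        14) echo "ERROR: error writing output"; return 0 ;;
        15) echo "ERROR: invalid argument"; return 0 ;;
        16) echo "ERROR: unimplemented function"; return 0 ;;
        17) echo "ERROR: invalid line in configuration file"; return 0 ;;
        18) echo "ERROR: I/O error"; return 0 ;;
        19) echo "ERROR: version mismatch"; return 0 ;;
    esac
    if [ "$status" -gt 7 ]; then
        echo "ERROR: unexpected exit status $status"
        return 0
    fi
    # Statuses 1-7 are a bitmask: 1 = added, 2 = removed, 4 = changed files.
    found=""
    if [ $((status & 1)) -ne 0 ]; then found="added"; fi
    if [ $((status & 2)) -ne 0 ]; then found="${found:+$found,}removed"; fi
    if [ $((status & 4)) -ne 0 ]; then found="${found:+$found,}changed"; fi
    echo "ALERT: differences found: $found"
}

# Run the check, log a timestamped verdict, and show the report on failure.
# AIDE_BIN and AIDE_CONF are hypothetical variables introduced for this example.
run_aide_check() {
    rc=0
    report=$("${AIDE_BIN:-aide}" -c "${AIDE_CONF:-$HOME/aide.conf}" --check 2>&1) || rc=$?
    echo "$(date '+%Y-%m-%d %H:%M:%S') $(aide_verdict "$rc")"
    if [ "$rc" -ne 0 ]; then printf '%s\n' "$report"; fi
    return "$rc"
}

# Constructed sample statuses, so the block runs without AIDE installed.
for sample in 0 4 5 18; do
    echo "exit $sample -> $(aide_verdict "$sample")"
done
```

run_aide_check returns AIDE's own exit status, so a scheduler or monitoring job can alert on any non-zero result.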