8/08/2011

File Integrity Check

We will use an integrity-checking program to verify that my system directories still contain the right files, that no back-doors (rootkits) have been planted, and to detect changes in permissions, access time, inode change time, etc.

AIDE (Advanced Intrusion Detection Environment)
This program checks the integrity of system files: it creates a database containing information about those files, and I can reuse that database later to verify their integrity.

  • Installation:

1- Install mhash; the latest version is mhash-0.9.9.9

tar -zxvf mhash-0.9.9.9.tar.gz
cd mhash-0.9.9.9
./configure
make
make install

2- Install aide; the latest version is aide-0.15.1

tar -zxvf aide-0.15.1.tar.gz
cd aide-0.15.1
./configure
make
make install

  • Configuration:

You will find aide.conf in aide-0.15.1/doc/
1- Uncomment this line:
database=file:/home/example/aide.db.new
This line specifies the location of the database.
2- Add the files whose details you want to save and whose integrity you want to check.
For example, if I want to check the /etc directory,
add /etc R to aide.conf
Save your changes and copy the configuration file to your home directory.

  • Create database:
Run the command aide -c aide.conf --init (on the /etc directory)
AIDE, version 0.15.1

### AIDE database at aide.db.new initialized.

This creates the file aide.db.new in my home directory.
Now you can save three files on a CD (the aide binary, aide.conf, aide.db.new) so you keep a copy that cannot be modified on the host.

Now let's test.
I will change a configuration file located in /etc, such as hosts:
nano /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               example localhost.localdomain localhost
::1   

I will add this line:
# 127.0.0.1 localhost 

Now let's check the integrity of /etc:

aide -c aide.conf  --check

AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2011-08-08 08:51:40

Summary:
  Total number of files:        2486
  Added files:                  0
  Removed files:                0
  Changed files:                2


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/hosts
changed: /etc/sysconfig/networking/profiles/default/hosts

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /etc/hosts
 Size     : 194                              , 216
 Mtime    : 2011-08-07 01:27:39              , 2011-08-08 08:42:27
 Ctime    : 2011-08-07 01:27:39              , 2011-08-08 08:42:27
 MD5      : 02FfBTSv7TnxZkxsS9VL3g==         , 5p1GYAT86+ChpPhP3T5Rzg==

File: /etc/sysconfig/networking/profiles/default/hosts
 Size     : 194                              , 216
 Mtime    : 2011-08-07 01:27:39              , 2011-08-08 08:42:27
 Ctime    : 2011-08-07 01:27:39              , 2011-08-08 08:42:27
 MD5      : 02FfBTSv7TnxZkxsS9VL3g==         , 5p1GYAT86+ChpPhP3T5Rz

It works correctly.

If I want this change to /etc/hosts to be accepted into the AIDE database:
aide -c aide.conf --update 

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

### New AIDE database written to aide.db.new

If I recheck the integrity with aide -c aide.conf --check:

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!
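
To make the --init / --check / --update cycle concrete, here is an added Python illustration (not AIDE's own code and not part of the original post) that records the attributes the R rule in aide.conf covers and replays the hosts edit on a temporary directory; the file names, contents and database path below are constructed for the example.

```python
import hashlib, json, stat, tempfile
from pathlib import Path

def snapshot(root):
    """Record, per regular file, the attributes AIDE's R rule covers
    (permissions, inode, link count, uid, gid, size, mtime, ctime, md5)."""
    db = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.lstat()
        db[str(path.relative_to(root))] = {
            "perm": stat.S_IMODE(st.st_mode), "inode": st.st_ino, "links": st.st_nlink,
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
            "mtime": int(st.st_mtime), "ctime": int(st.st_ctime),
            "md5": hashlib.md5(path.read_bytes()).hexdigest(),
        }
    return db

def init_db(root, db_path):
    """Like 'aide --init' (and 'aide --update'): write the current state as the database."""
    Path(db_path).write_text(json.dumps(snapshot(root)))

def check(root, db_path):
    """Like 'aide --check': compare the filesystem against the stored database."""
    old = json.loads(Path(db_path).read_text())
    new = snapshot(root)
    changed = {}
    for name in old.keys() & new.keys():
        diff = {k: (old[name][k], new[name][k]) for k in old[name] if old[name][k] != new[name][k]}
        if diff:
            changed[name] = diff          # attribute -> (database value, filesystem value)
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}

def demo():
    """Constructed replay of the post: init, edit hosts, check, update, recheck."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp, "etc"); etc.mkdir()
        hosts = etc / "hosts"
        hosts.write_text("127.0.0.1   example localhost.localdomain localhost\n::1\n")
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        db = Path(tmp, "aide.db.new")       # constructed database location
        init_db(etc, db)
        clean = check(etc, db)              # nothing touched yet
        with open(hosts, "a") as f:         # the edit made in the post
            f.write("# 127.0.0.1 localhost\n")
        tampered = check(etc, db)           # size and md5 of hosts differ
        init_db(etc, db)                    # accept the change, as --update does
        return clean, tampered, check(etc, db)
```

The real database should be kept off the host (the CD copy above), since a checker that trusts a database the attacker can rewrite detects nothing.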

Finally, I recommend running this program frequently and checking the integrity of these directories (/bin /boot /etc /lib /usr /sbin).
Add to aide.conf:
/bin    R
/boot   R
/etc    R
/lib    R
/usr    R
/sbin   R

Hint 1: if you want to create a database for the whole filesystem (/), add / R
Hint 2: if you want a compressed database, uncomment
# gzip_dbout=no, change its value to yes, and create a new database (it will be written compressed).