
I set up a pretty simple server and tried to make it secure using some tools and some guidelines which I think are not too bad.

I ended up using AIDE, which is a fast implementation of an intrusion detection system. I perform a daily check which mails me the results of file-system-level mismatches between a frozen system state (the database) and the current system state. Works out nicely.

In the following I assume that the AIDE database is placed on a read-only device, like a write-locked USB drive.

Now some scenarios which I came up with. An attacker enters the system in some way and notices that AIDE is running on it. This clever guy already has a nice tool which replaces the AIDE executable, so that his work is not shown to me by mail, only the normal system changes, like log file changes. Should be doable. Or he simply changes the AIDE configuration so that his changes are excluded from the check.

Given that, I see AIDE only as some kind of a burden the attacker has to deal with, but effectively does not hurt him that much.

Am I wrong?

Does AIDE only protect my system from attackers that do not have the right amount of permissions on the system?

Is there any sense in performing the check more frequently than once a day?

(Remember that this is a big amount of disk IO.)

maxik
  • Welcome to the site. I modified your text a bit. Have a look to ensure I didn't change the spirit of your question. Thanks for the contribution and cheers! – Citizen Jun 17 '16 at 08:35
  • @Citizen Thanks for that. Feeling bad about the mistakes... ;) – maxik Jun 17 '16 at 08:38
  • Please don't. I've had dozens of questions cleaned up a bit by the community. It's a part of the process here. It is fine! Have a great day and feel free to fix questions or answers you run into that might need a bit of cleanup. Take care! – Citizen Jun 17 '16 at 08:47

1 Answer


Am I wrong?

Your analysis is correct, but I think there is nuance here.

Is there any sense in performing the check more frequently than once a day?

The frequency of the check determines the granularity of the change detection. More frequent == detect changes faster, but what time is of the essence for you? In my own work, daily is normal, but less often is used when the system has a lot of disk to scan.

Does AIDE only protect my system from attackers that do not have the right amount of permissions on the system?

This is the important question.

First of all, recognize that this is only a detective control. It doesn't fix anything, it only alerts you that something is off. The "protection" it supplies is subject to false positive and false negative -- either it alerts about a change you don't care about (which is a tuning issue and can be addressed in other ways) or it doesn't alert you about a change you care about, usually because it can't see it [because the tool has been altered or the database has been altered] or because the change was designed to not be visible to the tool (e.g. they cleverly designed a change with the same size and hash). I'm going to ignore that last possibility in what follows, since that's usually a tuning issue as well.

Back to the question. What AIDE can do is scan a system for changes. I think many people use it with the DB and scanning engine on the host itself, and this allows for identification of changes without a lot of effort. This is helpful in the case that the change agent isn't aware of or doesn't have the permissions to change the AIDE binary and database. That's a pretty common case, actually, and it's really helpful in the 99% of cases where you don't have an APT with nation-state resources. Mail out a report of the changes, and maybe even reset the database so you don't report the changes twice. Life is pretty good.

As you point out, if a malicious change agent has access to the AIDE binary and/or the database and/or the libraries that open files from disk (i.e. AIDE opens the file, and the library says "no changes, no sir!" no matter what the disk looks like) you are also out of luck. There are some things you can do in that kind of APT scenario. Lots of people have the database on write-once media stored offline, for example, and only mount the AIDE binaries, DB, and such during a maintenance window. An even better approach: clone the actual disk via a mechanism that isn't visible to the OS, and boot a system from a separate gold copy host where the AIDE binary, DB, and disk access libraries are stored; mount the disk, and then run the report on that cloned copy. I suspect there are probably still scenarios that can cause false negatives, but I don't see one offhand.

It all depends on how much work you are willing to do, given that it's just a detective control. Who is your adversary? How much money have you got? What's the impact of a compromise in integrity? Are there any other approaches?

AIDE is an incredibly useful tool. I've written other tooling around it. But it's not perfection.

Woody Weaver
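The question's setup (database on a write-locked USB drive) combined with the answer's suggestion of keeping the AIDE binary and config on trusted media too, as an added example that is not from the question, the answer or the AIDE project. It assumes the medium is mounted read-only at /mnt/aide-ro (overridable via RO), holds bin/aide, aide.conf, aide.db and a sha256sum manifest of those files made at baseline time, and that aide.conf's database= line points at the copy on the medium; AIDE's --config and --check options are real, the paths and manifest layout are this example's own.

```shell
#!/bin/sh
# Added example: run AIDE only from a read-only medium that carries the
# AIDE binary, its config, the database and a SHA-256 manifest of all three,
# so a host-side replacement of /usr/bin/aide, /etc/aide.conf or the DB is
# never used and tampering with the medium's copies is detected first.
# Assumed layout (not from the page): $RO/bin/aide, $RO/aide.conf,
# $RO/aide.db, $RO/manifest.sha256 (output of `sha256sum` at baseline time).
set -eu

RO="${RO:-/mnt/aide-ro}"          # write-locked USB stick, mounted ro
MANIFEST="${MANIFEST:-$RO/manifest.sha256}"

# verify_manifest DIR MANIFEST
# Returns 0 when every file listed in MANIFEST matches its recorded hash,
# non-zero otherwise. Paths in the manifest are relative to DIR, so the
# same manifest works wherever the medium happens to be mounted.
verify_manifest() {
    dir="$1"; manifest="$2"
    [ -r "$manifest" ] || return 1
    ( cd "$dir" && sha256sum --check --strict --quiet "$manifest" ) >/dev/null 2>&1
}

# run_check: refuse to run AIDE at all if the medium's contents do not match
# the manifest; otherwise run the check with the trusted binary and config.
# Exit status: 0 = no changes, 1.. = AIDE's own status, 2 = medium not trusted.
run_check() {
    if ! verify_manifest "$RO" "$MANIFEST"; then
        echo "manifest mismatch on $RO: AIDE binary/config/db not trusted" >&2
        return 2
    fi
    # The config on the medium sets database=file:$RO/aide.db, so nothing
    # from the host's own AIDE installation is consulted.
    "$RO/bin/aide" --config="$RO/aide.conf" --check
}

# Only run when invoked as the daily job (e.g. from cron with AIDE_RO_RUN=1),
# so the functions above can also be sourced and tested on their own.
if [ "${AIDE_RO_RUN:-0}" = 1 ]; then
    run_check
fi
```

Pipe run_check's output into the existing mail step as before; this still does nothing against a compromised kernel or hooked libc lying to the binary, which is why the answer's offline clone-and-scan approach remains the stronger option.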