Discover LinuxSecurity Features
AIDE and CHKROOTKIT
Network security continues to be a big problem for companies and home users. The problem can be addressed with an accurate security analysis. In this article I show how to approach security using aide and chkrootkit.
Chkrootkit does a good job of checking every part of the system for rootkits or LKM trojans. Let's download the package from the project's official home page: https://www.chkrootkit.org. At the time of writing the latest version is 0.43, which contains some improvements: detection of new rootkits (AjaKit and zaRwT), detection of new CGI backdoors, the new "-n" function used to skip NFS-mounted directories, and many minor bug fixes. A complete list of all the trojans and CGI backdoors detected is available from the project's home page. Once the package is downloaded we are ready to compile it. Unpack it with the command "tar xzf chkrootkit.tar.gz" and enter the new directory with "cd chkrootkit-0.43/". At this point run "make sense" to compile the program, and after that we are ready to launch "./chkrootkit" to test the integrity of our system right away. But this isn't all. Chkrootkit allows the use of other interesting functions, as shown in picture 1.
The complete list of the functions allowed from Chkrootkit.
It can in fact check the ps, tar and ls binaries, or any other binary, for anything that is not where it should be, and it can tell whether the network interface is in promiscuous mode, that is, whether our network is under a sniffing attack. We can do this with the command "./chkrootkit ps tar ls sniffer" as the root user. On our machine, running Linux Netwosix with a 2.6.6 kernel, nothing turns out to be infected, as shown in table 1.
Chkrootkit:
bash-2.05b# ./chkrootkit ps tar ls sniffer
ROOTDIR is `/'
Checking `ps'... not infected
Checking `tar'... not infected
Checking `ls'... not infected
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Moreover it is possible to test any binary with the command "./chkrootkit -x | more". In this way we can check the integrity of our binaries. The "-p" function is also interesting: if you don't want to check the whole system, it is possible to verify the integrity of only one part or directory of your system. You can test this with the command "./chkrootkit -p /home/". With the command "./chkrootkit -p /home/:/mnt" instead, using ":" as the separator between paths, we can check both "/home" and "/mnt". After checking the system, and paying attention to the output messages given by chkrootkit, it will be possible to understand what is not working in our system or what has gone the wrong way. It's useful, therefore, to understand the output messages that chkrootkit gives us. They are all shown in picture 2.
Chkrootkit's output messages.
AIDE (Advanced Intrusion Detection Environment)
Now we have arrived at the chapter dedicated to AIDE, a powerful and useful intrusion detection program. Aide, as we can read in the official README and on the website, is a Tripwire replacement and file integrity checker. Aide was created to improve on the functions of Tripwire, building and implementing new ones. Aide was born as a file integrity checker but its functions, as we will see in this chapter, go further. Before starting the compilation of the package, let's make sure that these packages are available on our system; otherwise we can download them from freshmeat.net and compile them: GNU Flex, GNU Bison, GNU Make, an ANSI C compiler, and the Mhash library (available from https://schumann.cx/mhash).
Notes on LibMhash
On some systems you may run into errors in the detection and correct compilation of the Mhash library. The problem shows up when we launch "./configure" in the Aide package, with the following output messages:
checking for mhash_get_block_size in -lmhash... no
configure: error:
You must have libmhash properly installed.
To solve this problem it is necessary to make sure that the "/usr/local/lib" path is in the "/etc/ld.so.conf" file. Otherwise you must insert the line "/usr/local/lib" at the end of the file, save it and run ldconfig. If after this Aide still complains that it can't find the Mhash library, it is necessary to look at the "config.log" file in the Aide main directory (aide-0.10) to understand where the problem occurs.
Now we are ready to compile AIDE. Download the sources and compile the package: "tar xzf aide-0.10.tar.gz", "cd aide-0.10", "./configure", "make", "su root", "make install". After that, AIDE will place its configuration file in the directory "$prefix/etc/" with the name "aide.conf". Now you should move to that directory and edit the file with your favourite editor to start configuring AIDE according to your requirements.
There are three types of lines in aide.conf:
- configuration lines - used to set configuration parameters and define/undefine variables
- selection lines - indicate which files will be added to the database
- macro lines - define or undefine variables within the config file
The configuration file lists all the parts of the system that can be placed under control, together with some default rule sets.
Some AIDE functions:
- p: permissions
- i: inode
- n: number of links
- u: user
- g: group
- s: size
- b: block count
- m: mtime
- a: atime
- c: ctime
- S: check for growing size
- md5: md5 checksum
- sha1: sha1 checksum
- rmd160: rmd160 checksum
- tiger: tiger checksum
- R: p+i+n+u+g+s+m+c+md5
- L: p+i+n+u+g
- E: Empty group
Now we will configure our aide.conf step by step and clarify its functions. We can take as an example the one shown in picture 3. Following the guidelines of the AIDE manual, we have created our configuration file according to our system's requirements. Obviously these rules are not valid for every Linux system; they serve only educational/demonstrative purposes. It is your job, once you have assimilated the main functions of Aide, to configure your system better. As we shall see, we have built our own rule set (SAMAGRule = p+i+n+u+g+s+b+m+c+md5+sha1) that lets us carry out all the checks listed in Table 2. In particular we will keep under control: permissions, number of links, inodes, file size, md5 checksum, last change time, sha1 checksum, et cetera.
Once configured, let's start AIDE
To verify, after an intrusion, whether our system has been attacked, and to verify the file integrity of every part of our system, it is necessary to build our own database from which we will get the required information. Aide lets us do this with the command "aide --init". This command creates a database of every file that we have chosen to keep under control in the configuration file (aide.conf). It may be useful to move the aide database to removable media or to a backup device; in this way you avoid having both the system and the database compromised. After this, when we realize that our system has been compromised, or we merely suspect it, we can verify the system's integrity by checking every file against what is contained in our backup database. If you have modified some files contained in the database and you want to update it, use the command "aide --update". How often to use this command, as written in the AIDE manual, depends only on your paranoia. You can run it every 10 or 15 minutes, at every system boot, or every weekend. It is very important to run it when you are certain that you have modified something contained in your aide database. Obviously, once the database is updated, move it to the removable backup device. A good security rule would be to run the command "aide --init" at each boot of the hosts on our network and/or to move the aide database to a special machine used to store it. At this point it is necessary to verify the integrity of the system, so launch the command "aide --compare" to compare our files with the intact ones contained in the database. If there are any problems, aide will let us know.
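As an added example (not from this article or from the AIDE project), the following Python script mimics what the attribute letters in Table 2, the SAMAGRule above and the "aide --init" / "aide --compare" workflow do: each letter is mapped to the stat field or checksum it watches, a baseline database is built, and a later snapshot is compared against it to report added, removed and altered files. The function names and the temporary-directory scenario in demo() are my own constructions, and the stat fields assume a Linux/Unix filesystem.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

ATTRS = {  # attribute letter (from the AIDE table above) -> stat field or checksum it watches
    "p": lambda st, f: stat.S_IMODE(st.st_mode), "i": lambda st, f: st.st_ino,
    "n": lambda st, f: st.st_nlink, "u": lambda st, f: st.st_uid,
    "g": lambda st, f: st.st_gid, "s": lambda st, f: st.st_size,
    "b": lambda st, f: st.st_blocks, "m": lambda st, f: st.st_mtime_ns,
    "a": lambda st, f: st.st_atime_ns, "c": lambda st, f: st.st_ctime_ns,
    "md5": lambda st, f: digest(f, "md5"), "sha1": lambda st, f: digest(f, "sha1"),
}

def parse_rule(line):
    """'SAMAGRule = p+i+n+u+g+s+b+m+c+md5+sha1' -> ('SAMAGRule', ['p', ..., 'sha1'])."""
    name, _, attrs = line.partition("=")
    attrs = [a.strip() for a in attrs.split("+")]
    if any(a not in ATTRS for a in attrs):
        raise ValueError(f"unknown attribute in rule: {line}")
    return name.strip(), attrs

def init_db(root, attrs):
    """Like aide --init: record the chosen attributes of every regular file under root."""
    db = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.lstat()
            db[str(path.relative_to(root))] = {a: ATTRS[a](st, path) for a in attrs}
    return db

def compare(old, new):
    """Like aide --compare: list added and removed files and which attributes changed."""
    added, removed = sorted(set(new) - set(old)), sorted(set(old) - set(new))
    changed = {f: sorted(a for a in old[f] if old[f][a] != new[f][a])
               for f in set(old) & set(new) if old[f] != new[f]}
    return added, removed, changed

def demo():
    """Constructed scenario: baseline a temp dir, tamper with it, compare against the baseline."""
    root = tempfile.mkdtemp()
    Path(root, "passwd").write_text("root:x:0:0\n")
    Path(root, "shadow").write_text("root:*:1\n")
    _, attrs = parse_rule("SAMAGRule = p+i+n+u+g+s+b+m+c+md5+sha1")
    baseline = init_db(root, attrs)  # in practice, copy this to removable media now
    Path(root, "passwd").write_text("root:x:0:0\nextra:x:0:0\n")  # altered
    os.remove(Path(root, "shadow"))  # deleted
    Path(root, "newfile").write_text("x")  # added
    return compare(baseline, init_db(root, attrs))
```

Because the baseline records inode and ownership too, an attacker who replaces a file with an identical-sized copy still trips the checksum attributes, while a file edited in place shows up through size, mtime, ctime and both digests.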