FreeBSD Basics: File Integrity and Anti-DDoS Utilities

by Dru Lavigne
04/03/2003

In my previous article, I walked you through the usage of tripwire. While tripwire is the most well-known of the file integrity utilities, it is not the only utility available for this purpose.

All file integrity utilities create a database of hashes representing a baseline of the files on a system. For this reason, the best time to create the database is just after installing and configuring the system and before connecting it to the Internet. When deciding upon which utility to use, the following factors come into play:

  • The license
  • The algorithm(s) used to create the hashes
  • Ease of use
  • Complexity of configuration file(s)

I've summarized the license and algorithms for three utilities in the following table:

Utility    License          Algorithms
tripwire   GPL, tripwire    MD5, SHA, HAVAL, CRC32
aide       GPL              MD5, SHA-1, RMD160, TIGER, HAVAL
yafic      BSD              SHA-1

aide

As for the ease of use and complexity of the configuration files, let's check out aide and yafic and see how they compare to tripwire. I'll start with aide:

$ cd /usr/ports/security/aide
$ make install clean


You'll note that both this build and the yafic build will be much quicker than tripwire, and you won't be prompted to agree to any licenses. Unlike tripwire, you also won't be prompted to create any keys. This is an important distinction, as it affects how you actually use the file-integrity utility.

tripwire introduced the ability to sign its databases two years ago with version 2.3.1. Before then, it was up to the administrator to place all tripwire files onto removable media, such as a floppy, and to ensure that media was actually removed from the computer. If you didn't remove the tripwire database, an intruder could simply update the database after modifying your files. You'll remember from the last article that the new system requires you to know both the local and the site passphrases to update the tripwire database. This means that you should be safe storing the database on the hard drive, if you choose secure passphrases.

This is where ease of use becomes a matter of preference, and your level of paranoia. With tripwire, you must generate keys and remember your passphrases. With other utilities, you instead must remember to move your database to a floppy, and then insert the floppy when you check the database and remove it when you are finished.

Let's return to aide. There are three main sources of documentation for this utility: man aide, man aide.conf, and www.cs.tut.fi/~rammer/aide/manual.html.

The install will create a /var/db/aide directory; by default, it only contains an empty databases/ subdirectory.

Unlike the tripwire install, an initial database is not initialized for you. To initialize the database:

$ cd /var/db/aide
$ aide --init
Cannot access config file:/var/db/aide/aide.conf:No such file or directory
No config defined
Configuration error

Note that you cannot initialize a database until you create a configuration file. Fortunately, a sample file is available. Unlike tripwire, which has separate policy and configuration files, aide only has one configuration file. I'll start by copying over the default configuration file, and then I'll repeat the initialization command:

$ cp /usr/local/etc/aide.conf.sample /var/db/aide/aide.conf
$ aide --init

This command creates an ASCII text file called /var/db/aide/databases/aide.db.new. Again, it is important to note the distinction between this database and a tripwire database. A tripwire database is not ASCII text and it can only be understood by the tripwire utilities. Furthermore, it is signed, meaning you have to know the correct passphrase in order to modify the database. An aide database is ASCII text and is unsigned; in short, anyone can modify this database. It is important that you move this database to a floppy and remove the floppy from your floppy drive. When you move the database, you'll also want to rename it like so:

$ mount -t msdos /dev/fd0 /mnt
$ mv databases/aide.db.new /mnt/aide.db
$ umount /mnt
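To make the signed-versus-unsigned distinction concrete (the point raised above when comparing tripwire's passphrases with aide's plain text database), here is an added example that is not aide's or tripwire's code: a miniature baseline with the same init and check cycle, whose text database carries an HMAC tag so that a copy rewritten without the key is refused. The key, file names and directory layout are constructed for the demonstration.

```python
# Added example (not aide's or tripwire's code): a miniature baseline with the
# init / check cycle the article describes. The text database ends in an HMAC
# tag, so a copy rewritten without the key is refused: the protection tripwire's
# signed database gives and aide's plain text database lacks.
import hashlib, hmac, pathlib, tempfile

def _fingerprint(path):
    st = path.stat()  # mtime and ctime are recorded with the hash, as aide does
    digest = hashlib.sha1(path.read_bytes()).hexdigest()
    return f"{digest} {int(st.st_mtime)} {int(st.st_ctime)} {st.st_size}"

def _entries(root):
    for p in sorted(pathlib.Path(root).rglob("*")):
        if p.is_file():
            yield str(p.relative_to(root)), _fingerprint(p)

def _tag(key, body):
    return "#hmac " + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def init_db(root, db_path, key):
    body = "".join(f"{rel}\t{fp}\n" for rel, fp in _entries(root))  # one row per file
    pathlib.Path(db_path).write_text(body + _tag(key, body) + "\n")  # tag line last

def load_db(db_path, key):
    *rows, tag_line = pathlib.Path(db_path).read_text().splitlines()
    body = "".join(r + "\n" for r in rows)
    if not hmac.compare_digest(tag_line, _tag(key, body)):
        raise ValueError("database tag mismatch: baseline not trusted")
    return dict(r.split("\t", 1) for r in rows)

def check(root, db_path, key):
    """Return (added, removed, changed) paths relative to the baseline."""
    base, now = load_db(db_path, key), dict(_entries(root))
    changed = sorted(p for p in now if p in base and now[p] != base[p])
    return sorted(set(now) - set(base)), sorted(set(base) - set(now)), changed

def demo():  # constructed scenario: clean check, an edited file, a rewritten db
    root, key = tempfile.mkdtemp(), b"constructed-key-kept-off-the-box"
    target = pathlib.Path(root, "passwd")
    target.write_text("original\n")
    db = root + ".db"  # database kept outside the tree being baselined
    init_db(root, db, key)
    clean = check(root, db, key)
    target.write_text("original\nedited\n")
    after_edit = check(root, db, key)
    init_db(root, db, b"not-the-real-key")  # rewritten without the real key
    try:
        check(root, db, key)
        return clean, after_edit, False
    except ValueError:
        return clean, after_edit, True
```

The removable-floppy routine in the article protects the database by keeping it out of reach; the tag in this example protects it by making an unauthorised rewrite detectable, which is what lets a signed database stay on the hard drive.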

To make your life easier when you use the database, you should also edit the configuration file to point to the floppy. Open aide.conf in your favorite editor and look for these two lines:

database=file:///var/db/aide/databases/aide.db
database_out=file:///var/db/aide/databases/aide.db.new

Change them to:

database=file:///mnt/aide.db
database_out=file:///mnt/aide.db.new
database_new=file:///mnt/aide.db.new

Now, whenever you want to check the database:

$ mount -t msdos /dev/fd0 /mnt
$ aide --check

aide will display any changes it finds. If you're not a speed reader, you can use the compare switch to go through the changes:

$ aide --compare

You'll find the output to be very different from a tripwire report. If you are unfamiliar with mtime and ctime, you may find my understanding filesystems article useful.

Once you've resolved any changes, you can update the database with:

$ aide --update

When you're finished, don't forget to unmount the floppy and remove it from the floppy drive:

$ umount /mnt

I found that the default configuration file worked well without any changes, other than the edit to point to the floppy. Unlike tripwire, I didn't have to resolve any errors. I also found the syntax of the file a little more logical. Both tripwire and aide allow you to get as complex as you like in your configuration file; I'll leave it up to you to decide which file you consider to be easier to work with. On the plus side, I found the aide command-line utility much easier to use than tripwire.

I've successfully used aide in the past, but the current port has an error that prevents the successful write of the new database. I've emailed the maintainer, so it is quite likely that the error will have been resolved by the time you read this article.
