Introduction to AIDE – Advanced Intrusion Detection Environment

Ever heard of AIDE? Neither had I. It's a simple host-based intrusion detection tool that monitors files for changes against a saved baseline. It can be configured to watch for permission, ownership, timestamp, or content changes and report anything that differs from the snapshot it was initialized with.

Let's install it. It's in the stock Red Hat repos, so it's a piece of cake to install via yum.

 

[root@localhost ~]# yum -y install aide

Once installed, you can tweak the config file (/etc/aide.conf) to your liking. The stock config is pretty comprehensive, so I am going to trim it down a bit and just monitor /etc for permission changes and /bin for what the stock config defines as NORMAL changes. PERMS covers permissions and ownership only; NORMAL also tracks size, timestamps and content hashes, so it catches a binary that has been modified even when its permissions are untouched.

/bin    NORMAL
/etc    PERMS
 

Now let's initialize the AIDE database (the baseline that later checks are compared against).

[root@localhost ~]# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

 

Now this part is a little silly: aide --init writes the new database to the database_out path from aide.conf (aide.db.new.gz), while aide --check reads from the database path (aide.db.gz), so we need to copy the new database into place before a check will use it. Keeping the two separate does mean a check never silently runs against the snapshot it just produced.

[root@localhost ~]# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

 

Now let's check for changes.

[root@localhost ~]# aide --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

Hey, no changes. Now let's monkey with something and see if AIDE catches it. In this example we create a new file in /etc. As seen below, AIDE catches the new file and reports it.

 

[root@localhost ~]# touch /etc/aide.test.change
[root@localhost ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2014-07-15 19:51:14

Summary:
  Total number of files:        5054
  Added files:                  1
  Removed files:                0
  Changed files:                0

---------------------------------------------------
Added files:
---------------------------------------------------

added: /etc/aide.test.change

 

So now let's re-initialize the database, which is really just taking a fresh snapshot. Only do this after you've reviewed the reported changes and decided they're legitimate: re-initializing accepts everything currently on disk as the new baseline, including anything an attacker may have planted.

[root@localhost ~]# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

 

Don't forget to overwrite the old database.

[root@localhost ~]# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
cp: overwrite ‘/var/lib/aide/aide.db.gz’? yes

Now let's change the permissions on our test file and see if AIDE catches the change. I'll spare you the suspense and let you know that AIDE did its job. See below. Note the second changed file, a Firefox session file under /root: the trimmed config is evidently still watching more than /bin and /etc, and that kind of noise is exactly what needs tuning out before the reports are worth reading every day.

 

[root@localhost ~]# chmod 777 /etc/aide.test.change
[root@localhost ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2014-07-15 19:54:09

Summary:
  Total number of files:        5054
  Added files:                  0
  Removed files:                0
  Changed files:                2

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/aide.test.change
changed: /root/.mozilla/firefox/8u03e3hs.default/sessionstore.js

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/aide.test.change
 Perm     : -rw-r--r--                       , -rwxrwxrwx
 ACL      : old = A:
----
user::rw-
group::r--
other::r--
----
                  D: <NONE>
            new = A:
----
user::rwx
group::rwx
other::rwx
----
                  D: <NONE>

Now AIDE on its own is just a simple tool, but run from cron with a bit of tuning and a bit more logic around it, I can see it being very useful. One thing to keep in mind: anyone who gets root can simply run aide --init and regenerate the database, so if the reports are meant to be trusted after a compromise, keep a copy of aide.db.gz (and ideally the aide binary and config) somewhere the host itself cannot modify. Looking forward to playing with it more.
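Putting the steps above together, here is the kind of cron wrapper the last paragraph is talking about. It is an added example written for this post, not part of AIDE or the original article: it runs the check, keeps every report, parses the report's Summary block and file lists (the patterns match the 0.15 report format shown above; newer AIDE releases word the summary differently), logs a one-line result to syslog, and has a separate accept mode that does the init-then-copy dance only after someone has reviewed the changes. The paths, the /var/log/aide report directory, the logger facility and the sample report used by demo mode are all assumptions.

```bash
#!/bin/bash
# aide-cron.sh: wrapper around "aide --check" for cron. Added example for this
# post, not part of AIDE. Paths, the report-line patterns (written against the
# AIDE 0.15 report format shown above) and the syslog facility are assumptions;
# adjust them to the local aide.conf.
AIDE_BIN=${AIDE_BIN:-/usr/sbin/aide}
AIDE_DB=${AIDE_DB:-/var/lib/aide/aide.db.gz}              # "database" in aide.conf
AIDE_DB_NEW=${AIDE_DB_NEW:-/var/lib/aide/aide.db.new.gz}  # "database_out" in aide.conf
REPORT_DIR=${REPORT_DIR:-/var/log/aide}

# Constructed sample report (modelled on the output in the post) so the parsing
# functions can be exercised offline via "demo" mode.
sample_report() {
cat <<'EOF'
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2014-07-15 19:54:09

Summary:
  Total number of files:        5054
  Added files:                  1
  Removed files:                0
  Changed files:                2

---------------------------------------------------
Added files:
---------------------------------------------------

added: /etc/aide.test.change

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/aide.test.change
changed: /root/.bash_history
EOF
}

# Pull the three counters out of the Summary block; prints "added removed changed".
# The leading-space requirement keeps the "Added files:" section headers from matching.
report_counts() {
    awk '/^ +Added files:/   { a = $3 }
         /^ +Removed files:/ { r = $3 }
         /^ +Changed files:/ { c = $3 }
         END { printf "%d %d %d\n", a, r, c }' "$1"
}

# Paths listed under the Added/Removed/Changed sections, one per line.
report_paths() {
    grep -E '^(added|removed|changed): ' "$1" | awk '{ print $2 }'
}

# Exit 0 when any counter is non-zero.
report_has_changes() {
    set -- $(report_counts "$1")
    [ "$1" -ne 0 ] || [ "$2" -ne 0 ] || [ "$3" -ne 0 ]
}

# Cron entry point: keep every report, log a one-line summary to syslog and
# return non-zero when something changed so the cron mail stands out.
run_check() {
    mkdir -p "$REPORT_DIR"
    local report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).txt"
    "$AIDE_BIN" --check > "$report" 2>&1
    local rc=$?
    if report_has_changes "$report"; then
        local summary
        summary=$(report_counts "$report" | awk '{ print "added=" $1, "removed=" $2, "changed=" $3 }')
        logger -p auth.warning -t aide "changes detected ($summary), report in $report"
        report_paths "$report"
        return 1
    fi
    logger -p auth.info -t aide "no changes (aide exit status $rc)"
    return 0
}

# After a report has been reviewed and judged legitimate: take a fresh snapshot,
# keep the previous database (so the two can still be compared with aide --compare),
# and move the new one to the path aide reads from. This is the manual cp step above.
accept_changes() {
    local stamp
    stamp=$(date +%Y%m%d-%H%M%S)
    "$AIDE_BIN" --init > /dev/null || return 1
    [ -f "$AIDE_DB" ] && cp -p "$AIDE_DB" "$AIDE_DB.$stamp"
    mv "$AIDE_DB_NEW" "$AIDE_DB"
}

case "${1:-}" in
    check)  run_check ;;
    accept) accept_changes ;;
    demo)   tmp=$(mktemp); sample_report > "$tmp"
            report_counts "$tmp"; report_paths "$tmp"; rm -f "$tmp" ;;
esac
```

Install it as /usr/local/sbin/aide-cron.sh, run aide-cron.sh check from root's crontab (nightly is a common choice) and aide-cron.sh accept once a report has been looked at. The accept step keeps the previous database alongside the new one, but an attacker with root can run aide --init just as easily, so the copy of aide.db.gz that actually matters is the one kept off the host.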


Solaris HBA Notes

Below is a cheat sheet that I put together of commands that are helpful for managing HBAs on Solaris.

Helpful Commands

  • luxadm probe
  • luxadm -e port
  • devfsadm

More Helpful Commands

  • To show Sun/QLogic HBAs:

luxadm qlgc

  • To show all vendor HBAs (see sample output below):

luxadm fcode_download -p

Found Path to 0 FC100/S Cards

Complete

Found Path to 5 FC100/P, ISP2200, ISP23xx Devices

Opening Device: /devices/pci@9,600000/SUNW,qlc@2/fp@0,0:devctl

Detected FCode Version:       ISP2200 FC-AL Host Adapter Driver: 1.14 01/11/20

Opening Device: /devices/pci@8,700000/SUNW,qlc@5,1/fp@0,0:devctl

Detected FCode Version:       ISP2312 Host Adapter Driver: 1.14.09 03/08/04

Opening Device: /devices/pci@8,700000/SUNW,qlc@3,1/fp@0,0:devctl

Detected FCode Version:       ISP2312 Host Adapter Driver: 1.14.09 03/08/04

Opening Device: /devices/pci@8,700000/SUNW,qlc@3/fp@0,0:devctl

Detected FCode Version:       ISP2312 Host Adapter Driver: 1.14.09 03/08/04

Opening Device: /devices/pci@8,700000/SUNW,qlc@5/fp@0,0:devctl

Detected FCode Version:       ISP2312 Host Adapter Driver: 1.14.09 03/08/04

Complete

  • Another method of doing the same thing as above:

prtpicl -v > filename

  • To show link status of card:

luxadm -e port

  • See WWNs:

To see the WWNs, run dump_map against the devctl path you got from the previous commands. The entry flagged "Host Bus Adapter" is the HBA itself; the others are the targets it sees. So the port WWN of this HBA is 210000e08b100d16.

# luxadm -e dump_map /devices/pci@1f,0/pci@1/SUNW,qlc@1/fp@0,0:devctl

Pos Port_ID Hard_Addr Port WWN         Node WWN         Type
0   10600   0         224100015d210900 220000015d210900 0x1f (Unknown Type)
1   10700   0         210000e08b103417 200000e08b103417 0x1f (Unknown Type)
2   10800   0         210000e08b100d16 200000e08b100d16 0x1f (Unknown Type,Host Bus Adapter)

Configuring storage online

  • List attachment points and find the unconfigured ones

cfgadm -al

Ap_Id                          Type         Receptacle   Occupant     Condition
c0                             scsi-bus     connected    configured   unknown
c0::dsk/c0t0d0                 disk         connected    configured   unknown
c0::dsk/c0t2d0                 CD-ROM       connected    configured   unknown
c1                             fc-fabric    connected    unconfigured unknown
c1::210000e08b103417           unknown      connected    unconfigured unknown
c1::224100015d210900           unknown      connected    unconfigured unknown
c2                             fc-fabric    connected    unconfigured unknown
c2::210100e08b303417           unknown      connected    unconfigured unknown
c2::223100015d210900           unknown      connected    unconfigured unknown

So we can see that c1 and c2 are fabric-attached HBAs whose targets are still unconfigured, so we run the command below to configure them.

# cfgadm -f -c configure c1 c2

Then run devfsadm so the device nodes for the new LUNs get created.

Example cfgadm -al

c1                             fc-private
c1::21000020379cb9bb           disk         connected    configured   unknown
c4                             fc-fabric    connected    unconfigured unknown
c5                             fc           connected    unconfigured unknown

c1 is the 280R internal controller
c4 is an HBA attached to a switch but with no targets
c5 is an HBA with nothing connected

More Good Stuff

1) Run cfgadm -al

2) Look for the fc-fabric entries

c2                             fc-fabric    connected
c3                             fc-fabric    connected

3) Then run cfgadm -c configure c2 c3

4) Now you see the LUNs
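The two procedures above (picking the HBA's own port WWN out of luxadm -e dump_map, and finding the fc-fabric attachment points that still need cfgadm -c configure) are easy to misread by eye on a box with many controllers. The script below is an added example written for this page, not a Sun tool: it parses cfgadm and dump_map listings, and in live mode only prints the cfgadm command unless explicitly told to apply it, since configuring attachment points changes the device tree. The sample output embedded in it is constructed (modelled on the listings above); on Solaris point AWK at nawk or /usr/xpg4/bin/awk, since the default /usr/bin/awk is the old awk.

```bash
#!/bin/sh
# hba-scan.sh: parse "cfgadm -al" and "luxadm -e dump_map" output.
# Added example for this page, not a Sun/Oracle utility. The sample data below
# is constructed. On Solaris set AWK=nawk (or /usr/xpg4/bin/awk).
AWK=${AWK:-awk}

# Constructed "cfgadm -al" listing: two fabric HBAs with unconfigured targets,
# one private-loop controller already configured, one HBA with no link.
sample_cfgadm() {
cat <<'EOF'
Ap_Id                          Type         Receptacle   Occupant     Condition
c0                             scsi-bus     connected    configured   unknown
c0::dsk/c0t0d0                 disk         connected    configured   unknown
c1                             fc-fabric    connected    unconfigured unknown
c1::210000e08b103417           unknown      connected    unconfigured unknown
c1::224100015d210900           unknown      connected    unconfigured unknown
c2                             fc-fabric    connected    unconfigured unknown
c2::210100e08b303417           unknown      connected    unconfigured unknown
c3                             fc-private   connected    configured   unknown
c4                             fc           connected    unconfigured unknown
EOF
}

# Constructed "luxadm -e dump_map" output for one port; the row flagged
# "Host Bus Adapter" is the initiator itself, the other rows are targets.
sample_dump_map() {
cat <<'EOF'
Pos Port_ID Hard_Addr Port WWN         Node WWN         Type
0   10600   0         224100015d210900 220000015d210900 0x1f (Unknown Type)
1   10700   0         210000e08b103417 200000e08b103417 0x1f (Unknown Type)
2   10800   0         210000e08b100d16 200000e08b100d16 0x1f (Unknown Type,Host Bus Adapter)
EOF
}

# Controller-level attachment points (no "::" in the Ap_Id) of type fc-fabric
# whose Occupant column is still "unconfigured": the HBAs that see targets
# which have not been brought online yet.
unconfigured_fabric_aps() {
    $AWK 'index($1, "::") == 0 && $2 == "fc-fabric" && $4 == "unconfigured" { print $1 }'
}

# Target port WWNs visible under one controller, e.g. "fabric_targets c1".
fabric_targets() {
    $AWK '{ print $1 }' | grep "^$1::" | sed 's/^.*:://'
}

# The HBA's own port WWN from a dump_map listing: the 4th column of the row
# that luxadm flags as the Host Bus Adapter.
hba_port_wwn() {
    $AWK '/Host Bus Adapter/ { print $4 }'
}

# Live mode: build the configure command from the real cfgadm output and run it
# (followed by devfsadm so the device nodes appear) only when given --apply.
scan() {
    aps=$(cfgadm -al | unconfigured_fabric_aps)
    if [ -z "$aps" ]; then
        echo "no unconfigured fc-fabric attachment points"
        return 0
    fi
    echo "would run: cfgadm -c configure $(echo $aps) && devfsadm"
    if [ "$1" = "--apply" ]; then
        cfgadm -c configure $aps && devfsadm
    fi
}

case "${1:-}" in
    demo)
        echo "unconfigured fabric APs:"; sample_cfgadm | unconfigured_fabric_aps
        echo "targets under c1:";        sample_cfgadm | fabric_targets c1
        echo "HBA port WWN:";            sample_dump_map | hba_port_wwn ;;
    scan|--apply) scan "$1" ;;
esac
```

Run "hba-scan.sh demo" to see the parsing on the constructed samples, "hba-scan.sh scan" to see what it would configure on a real host, and "hba-scan.sh --apply" once that list looks right.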

A Magical File – Check it Out

/kernel/drv/sd.conf

Checking IO on Fibre Cards

iostat -xcn 5

SAN Foundation Kit

You get this from Sun and install it after you install the drivers. There is no SAN Foundation Kit for Solaris 10, and installing it there will do bad things. It is only for Solaris 8 and Solaris 9.

Get the WWN

 Method 1:

 

$ luxadm probe
$ luxadm -e port

$ luxadm -e dump_map <xyz>     (where xyz is the devctl path of your connected port, as printed by luxadm -e port)

Method 2:

bash-2.03# cat /var/adm/messages | grep -i WWN

Sep 20 18:23:28 alautpnc003 qlc: [ID 657001 kern.info] Qlogic qlc(0) WWPN=210000e08b934ead : WWNN=200000e08b934ead

Sep 20 18:23:39 alautpnc003 qlc: [ID 657001 kern.info] Qlogic qlc(1) WWPN=210100e08bb34ead : WWNN=200100e08bb34ead

Method 3:

#modinfo | grep SunFC

46 10274e94 20010 172 1 fcp (SunFC FCP v20050926-1.86)

47 10269923 8204 – 1 fctl (SunFC Transport v20050926-1.36)

51 1028b850 15e28 171 1 fp (SunFC Port v20050926-1.53)

53 10300f09 c5024 175 1 qlc (SunFC Qlogic FCA v20051013-2.08)

Method 4:

cfgadm -o show_FCP_dev -al

Method 5:

prtconf -pv | grep -i wwn | grep -i port