File Integrity and Anti-DDoS Utilities
by Dru Lavigne, 04/03/2003
In my previous
article, I walked you through the usage of tripwire. While
tripwire is the most well-known of the file integrity utilities,
it is not the only utility available for this purpose.
All file integrity utilities create a database of hashes representing a baseline of the files on a system. For this reason, the best time to create the database is just after installing and configuring the system and before connecting it to the Internet. When deciding upon which utility to use, the following factors come into play:
- The license
- The algorithm(s) used to create the hashes
- Ease of use
- Complexity of configuration file(s)
I've summarized the license and algorithms for three utilities in the following table:
| Utility | License | Algorithms |
|---|---|---|
| tripwire | GPL, tripwire | MD5, SHA, HAVAL, CRC32 |
| aide | GPL | MD5, SHA-1, RMD160, TIGER, HAVAL |
| yafic | BSD | SHA-1 |
aide
As for the ease of use and complexity of the configuration files, let's
check out aide and yafic and see how they compare to
tripwire. I'll start with aide:
$ cd /usr/ports/security/aide
$ make install clean
You'll note that both this build and the yafic build will be
much quicker than tripwire, and you won't be prompted to agree to
any licenses. Unlike tripwire, you also won't be prompted to
create any keys. This is an important distinction, as it affects how you
actually use the file-integrity utility.
tripwire introduced the ability to sign its databases two years
ago with version 2.3.1. Before then, it was up to the administrator to place
all tripwire files onto removable media, such as a floppy, and to
ensure that media was actually removed from the computer. If you didn't remove
the tripwire database, an intruder could simply update the
database after modifying your files. You'll remember from the last article that
the new system requires you to know both the local and the site passphrases to
update the tripwire database. This means that you should be safe
storing the database on the hard drive, if you choose secure passphrases.
This is where ease of use becomes a matter of preference, and your level of
paranoia. With tripwire, you must generate keys and remember your
passphrases. With other utilities, you instead must remember to move your
database to a floppy, and then insert the floppy when you check the database and
remove it when you are finished.
Let's return to aide. There are three main sources of
documentation for this utility: man aide, man
aide.conf, and www.cs.tut.fi/~rammer/aide/manual.html.
The install will create a /var/db/aide directory; by default, it only contains an empty databases/ subdirectory.
Unlike the tripwire install, an initial database is not
initialized for you. To initialize the database:
$ cd /var/db/aide
$ aide --init
Cannot access config file:/var/db/aide/aide.conf:No such file or directory
No config defined
Configuration error
Note that you cannot initialize a database until you create a configuration
file. Fortunately, a sample file is available. Unlike tripwire,
which has separate policy and configuration files, aide only has
one configuration file. I'll start by copying over the default configuration
file, and then I'll repeat the initialization command:
$ cp /usr/local/etc/aide.conf.sample /var/db/aide/aide.conf
$ aide --init
This command creates an ASCII text file called
/var/db/aide/databases/aide.db.new. Again, it is important to note
the distinction between this database and a tripwire database. A
tripwire database is not ASCII text and it can only be understood
by the tripwire utilities. Furthermore, it is signed, meaning you
have to know the correct passphrase in order to modify the database. An
aide database is ASCII text and is unsigned; in short, anyone can
modify this database. It is important that you move this
database to a floppy and remove the floppy from your floppy drive. When you
move the database, you'll also want to rename it like so:
$ mount -t msdos /dev/fd0 /mnt
$ mv databases/aide.db.new /mnt/aide.db
$ umount /mnt
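To make the two points above concrete (every one of these tools is just a database of per-file hashes and attributes, and an unsigned ASCII database like aide's can be rewritten by anyone who can write to it), here is an added example that is not part of the article or of the aide project. It builds a baseline of SHA-1 digests plus size, mtime and ctime, writes it out as plain text, reports added, removed and changed files the way a --check would, and protects the database with an HMAC under a key that is assumed to live off the machine (the equivalent of the floppy). The HMAC, the key, and the sample files are all constructed for the example; this is not how tripwire signs its databases.

```python
# Added example: a toy file-integrity checker with an authenticated database.
# Nothing here is aide or tripwire code; the key and sample files are made up.
import hashlib
import hmac
import os
import tempfile


def file_record(path):
    """Digest the contents and capture the inode attributes aide reports."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha1": h.hexdigest(), "size": st.st_size,
            "mtime": int(st.st_mtime), "ctime": int(st.st_ctime)}


def build_baseline(root):
    """Walk root and return {relative path: record}; this is the 'database'."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def serialize(baseline):
    """One ASCII line per file, in the spirit of aide.db.new."""
    lines = ["%s %s %d %d %d" % (p, r["sha1"], r["size"], r["mtime"], r["ctime"])
             for p, r in sorted(baseline.items())]
    return "\n".join(lines) + "\n"


def parse(text):
    """Inverse of serialize(); rsplit keeps paths containing spaces intact."""
    baseline = {}
    for line in text.splitlines():
        p, sha1, size, mtime, ctime = line.rsplit(" ", 4)
        baseline[p] = {"sha1": sha1, "size": int(size),
                       "mtime": int(mtime), "ctime": int(ctime)}
    return baseline


def write_db(path, baseline, key):
    """Write the ASCII database followed by an HMAC over its body."""
    body = serialize(baseline)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    with open(path, "w") as f:
        f.write(body)
        f.write("# hmac-sha256 " + tag + "\n")


def read_db(path, key):
    """Return the baseline, or raise if the database itself was altered."""
    with open(path) as f:
        text = f.read()
    body, _, trailer = text.rpartition("# hmac-sha256 ")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, trailer.strip()):
        raise ValueError("database tampered with, or wrong key")
    return parse(body)


def compare(old, new):
    """Report what a --check would: added, removed and changed files."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline, modify a file, check, then forge the db."""
    key = b"example-key-kept-on-the-floppy"  # constructed; never store with the db
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as floppy:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:*:0:0:Charlie &:/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "motd"), "w") as f:
            f.write("constructed sample motd\n")
        db = os.path.join(floppy, "aide.db")  # database lives off the checked tree
        write_db(db, build_baseline(root), key)

        # An intruder edits passwd and drops a new file.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("toor::0:0:added by intruder:/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "rc.local"), "w") as f:
            f.write("constructed planted file\n")
        result = compare(read_db(db, key), build_baseline(root))

        # The intruder then regenerates the ASCII database without the key,
        # which is exactly what an unsigned database cannot defend against.
        with open(db, "w") as f:
            f.write(serialize(build_baseline(root)))
        try:
            read_db(db, key)
            result["db_tampering_detected"] = False
        except ValueError:
            result["db_tampering_detected"] = True
        return result


if __name__ == "__main__":
    print(demo())
```

The HMAC only helps if the key is not on the same disk as the database; with the key on the host, an intruder who can rewrite aide.db can recompute the tag just as easily, which is why the article has you carry the database itself off the machine.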
To make your life easier when you use the database, you should also edit the configuration file to point to the floppy. Open aide.conf in your favorite editor and look for these two lines:
database=file:///var/db/aide/databases/aide.db
database_out=file:///var/db/aide/databases/aide.db.new
Change them to:
database=file:///mnt/aide.db
database_out=file:///mnt/aide.db.new
database_new=file:///mnt/aide.db.new
Now, whenever you want to check the database:
$ mount -t msdos /dev/fd0 /mnt
$ aide --check
aide will display any changes it finds. If you're not a speed
reader, you can use the compare switch to go through the changes:
$ aide --compare
You'll find the output to be very different from a tripwire
report. If you are unfamiliar with mtime and ctime,
you may find my Understanding Filesystems article useful.
Once you've resolved any changes, you can update the database with:
$ aide --update
When you're finished, don't forget to unmount the floppy and remove it from the floppy drive:
$ umount /mnt
I found that the default configuration file worked well without any
changes, other than the edit to point to the floppy. Unlike
tripwire, I didn't have to resolve any errors. I also found the
syntax of the file a little more logical. Both tripwire and
aide allow you to get as complex as you like in your configuration
file; I'll leave it up to you to decide which file you consider to be easier to
work with. On the plus side, I found the aide command-line utility
much easier to use than tripwire.
I've successfully used aide in the past, but the current port
has an error that prevents the successful write of the new database. I've
emailed the maintainer, so it is quite likely that the error will have been resolved by
the time you read this article.