πΉIntegrity Check
How File Integrity Checkers work
Generally, file integrity checkers work in two phases. The first phase consists of generating a database made up of cryptographically strong hashes for all the critical files on a host. You can think of these hashes as being a unique fingerprint for each file; itβs impossible to change the file without changing its fingerprint. The database usually also contains additional file information such as size, ownership, permissions and modification dates for each file.
In the second phase, once an initial copy of this database is built (the Initial Baseline) the same calculation is periodically recalculated for the same critical files on the host. If a file has been tampered with (letβs say by an attacker who has compromised the host), one of these characteristics will have changed. Detecting these changes will allow the tampered file to be identified, providing a warning of the system compromise.
File Attributes
Inode Number: This is a unique integer that can be used to index into a data structure (known as an βinodeβ) that specifies many of the attributes of an active file on a file system. If a fileβs inode number changes, that means the file has been deleted and a new file created using the same name as the old one.
Type: Indicates whether the file is a data file, or a special file such as a named pipe or an interface to a device.
Owner: Unix associates a unique owner (a Unix account) to each file.
Group: Unix supports an object that collects multiple Unix accounts into a single entity, known as a βgroupβ. Unix associates a single group with every file.
Permission: Every file in unix has permission (Read, Write, Execute)
Timestamps: Three dates are associated with each file. They are the date and time the fileβs data was last modified, when the fileβs attributes (including its data) was last modified and the time it was last read.
Size: How large the file is, in bytes. Special files will be zero bytes in size.
Some Commonly Used Integrity Checkers:
TripWire
Advanced Intrusion Detection Environment (AIDE)
OSSEC
AIDE
Creating an Audit Database
Install AIDE:
apt install aide aide-common
Initiate the Database
While initializing the database aide will take an snapshot of all system libraries and binaries for future compare to see if anything changed or not copy the new created db in /var/lib/aide aide.db.new.gz
to aide.db.gz
do a check for all files for mismatches:
replace the old database with the new one:
Check Integrity
if there was a change we will see a warning
Update the DB
Updating the aide DB after checking the aide db:
This will reset the database to the current status of the /etc/sub-director
Config Files
conf file: /etc/aide.conf
log file: /etc/log/aide
db: /etc/lib/aid
Scheduling
determine if there is a cron job scheduled to run the aide check:
Run the following command:
crontab -u root -e
Add the following line to the crontab:
Last updated