Checking File Integrity

Rationale

The concept of a “file integrity checker” may originally have been intended as part of an “intrusion detection system”. However, it is useful for more than just security that protects against attackers.

  • It can be used to identify files that get changed after a certain process, like installing a program.
  • Another example of when files may get changed is when running a program that checks a filesystem volume. (The AIDE manual (stable version) notes that the data files used by such software “can be used to find the real names and places of files that have been moved to lost+found directory by fsck.”)
  • For people who use virtual machines, one machine's hard drive may have started as a copy of another. This sort of software can describe changes that have occurred (to either machine) since an older database was made (such as when the copy was performed), as well as comparing the current state of the machines.
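As an added illustration (not from this guide, and not AIDE's own code), here is a small Python checker that records mode, size and a SHA-256 digest per regular file, then classifies a later snapshot into added, removed, changed and moved entries; the “moved” case matches contents by digest, which is what lets a checker name a file that fsck relocated into lost+found. The `snapshot`, `compare`, `put` and `demo` names and the sample files are constructed for the example.

```python
import hashlib
import os
import shutil
import stat
import tempfile

def snapshot(root):
    """(mode, size, sha256) per regular file under root, keyed by relative path."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are out of scope in this toy
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            db[os.path.relpath(path, root)] = (stat.S_IMODE(st.st_mode), st.st_size, digest)
    return db

def compare(old, new):
    """Classify differences; a vanished path whose contents reappear elsewhere is 'moved'."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    # Match removed entries to added ones by content digest (first match wins
    # if several new files share identical contents).
    by_hash = {new[p][2]: p for p in added}
    moved = {p: by_hash[old[p][2]] for p in removed if old[p][2] in by_hash}
    added = [p for p in added if p not in moved.values()]
    removed = [p for p in removed if p not in moved]
    return {"added": added, "removed": removed, "changed": changed, "moved": moved}

def put(root, rel, text, mode="w"):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), mode) as f:
        f.write(text)

def demo():
    """Constructed scenario: a config edit, an fsck-style move into lost+found, a new file."""
    root = tempfile.mkdtemp()
    try:
        put(root, "etc/rc.conf", "x=1\n")
        put(root, "etc/hosts", "127.0.0.1 localhost\n")
        before = snapshot(root)
        put(root, "etc/rc.conf", "y=2\n", mode="a")  # edited after the baseline
        os.renames(os.path.join(root, "etc/hosts"), os.path.join(root, "lost+found/#1234"))
        put(root, "etc/extra.conf", "z\n")
        return compare(before, snapshot(root))
    finally:
        shutil.rmtree(root)
```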

You'll need to choose a file integrity checker.

This guide is currently focused on AIDE, with just a bit of brief commentary, near the start, about others. At this time, this guide recommends using AIDE, mainly because that is what this guide has the most tested information about. However, AIDE is not the only software capable of this sort of task, so this guide does start out by pointing out some details about some of the other software that is available.

Rationale for choice of program

OpenBSD may come with some software called mtree. (The letter “m” may stand for the word “map”, based on the name shown by OpenBSD's man page for mtree.) This software is BSD-licensed, which means it carries fewer licensing restrictions than software that uses one of the GPL versions.

However, mtree may be a bit simpler, at the cost of some thoroughness: it simply checks fewer things.

This guide is focused more on using AIDE. AIDE is GPL software, as is Integrit, which is similar. However, AIDE does support some additional features, including signing a database (and a configuration file). (This signing can be done with SHA1, or with the MD5 algorithm, which has become less respected for cryptographic purposes, purposes MD5 may not have been initially intended or designed for.) Even though the current version of this guide does not discuss database signing in great detail (and perhaps AIDE's database and configuration signing is not discussed in great detail elsewhere either), the possibility of this feature seems like a potential advantage. Also, AIDE uses regular expressions, which does make some things easier than with Integrit. Integrit's rebuttal is that regular expressions can be used by other software programs that generate list files, which is quite true. Integrit's approach is more in line with the classic Unix philosophy of not trying to re-implement something that other tools could do. Despite that philosophical advantage, AIDE's approach is probably easier for performing some basic initial instructions.

People may disagree with making decisions based on the reasons just described, but those were the choices that were made, and the reasons behind those choices.

Specific software
Using mtree

This guide will quickly point out that a guide is at:

mtree section
Integrit

For now, this guide simply wishes to point out that information at File Integrity Checking is likely to be useful.

Although this guide was focused on AIDE, that was largely mandated by some time constraints (at the time when this guide was being made). The guide is largely based on the “file integrity checking” section, which actually has a lot of information designed to work with both AIDE and Integrit. The main reason that this guide isn't promising Integrit support is simply a lack of time to verify which instructions will also work well with Integrit. (It is quite likely that a future version of these instructions will focus on being able to use Integrit.)

AIDE
Most of this guide is looking at AIDE. After the upcoming section on installing the software, see the section on AIDE guide (Checking files using AIDE) for details about how to put the software to use.
Installing the software

In some cases, and probably the vast majority of cases, the desired “file integrity checker” software is not bundled with the operating system, so it needs to be installed.

The following instructions may be assuming that support for a package manager has been sufficiently implemented by following the instructions at preparing package management software. If that guide does not cover an operating system, you may also check out software installation, which may have some details.

Here are some instructions that may be specific to certain software.

pkg_tools

This might currently be assuming OpenBSD?

sudo -i pkg_add -ivv aide    # install the AIDE package (interactive, extra verbose)
echo ${?}                    # show pkg_add's exit status; 0 means it succeeded
pkg_info -M aide             # display the package's post-install message, if any

Now, here are some specific instructions for using one of these programs.

[#ckflaide]: AIDE guide (Checking files using AIDE)
Making a directory

If this is the first time that these instructions are being followed, then perform the following:

sudo mkdir /var/log/aide       # directory these instructions use for AIDE's data files
sudo chmod g+w /var/log/aide   # also allow the directory's group to write there

(This could also be done after the “Early steps” process. However, there's no reason to delay this, so this task may as well be performed right away, just to get it out of the way.)

Early steps

Follow AIDE early steps. Those steps adjust the configuration file, and then initialize the “database” file.

Perform a rotation

At this time, the recommended process is to perform a rotation of the file integrity checker's data files. See: rotating AIDE data files.

Compare and update AIDE databases

The first step is to perform a rotation of the database.

See: AIDE database update.

Reviewing report
After comparing and updating the AIDE database, see: AIDE “resulting report” showing (or the older method: viewing the AIDE report)