Sun Solaris Forensics

Solaris Forensic Analysis Tools : AIDE

One of the hardest problems in forensic analysis looks simple: what, exactly, has changed? Minor changes such as access timestamps, a slight change in permissions, or a small change in content can be the only indication of an intrusion or malicious attack. After a successful intrusion, knowing what has been damaged is a vital part of recovery. Host integrity tools, a class of host-based intrusion detection systems (HIDS), are intended to monitor the configuration and contents of each system. AIDE, which stands for Advanced Intrusion Detection Environment, is one tool that allows change tracking and system monitoring. It is an open-source, GPL-licensed replacement for Tripwire, a popular intrusion detection and change tracking system (Messenger, 2003).

AIDE is based on a snapshot methodology: a picture of the server, including permissions, mtime, ctime, link count and a checksum (computed with a digest such as md5 or sha1) for each file, is stored in a database (Westphal, 2001; Messenger, 2003). Later snapshots can then be taken and compared against that baseline, both to detect an intrusion and to determine what damage or system compromise has occurred once an intrusion has taken place (Messenger, 2003). Messenger (2003) notes that it is important to take the baseline snapshot immediately after configuring the server, before it is connected to a network or made available to users; otherwise, subsequent snapshots may be compared against a baseline that is already compromised. Westphal (2001) remarks that it is also important to re-run the baseline snapshot after configuration changes on the server; otherwise, it will be difficult to use the original snapshot to identify changes after an intrusion, because it will not be clear which changes were due to legitimate reconfiguration and which were due to intrusion damage. While it is ideal to install AIDE on a clean, unused system, it can be installed on a system that is already in use, provided that care is taken to ensure that the machine is not already compromised (Westphal, 2001). Westphal suggests that, in addition to scrutinizing the baseline snapshot for anomalies, it is possible to configure a test server with the same setup as the server on which AIDE is being installed and use its snapshot as a 'clean' baseline against which any anomalies on the production server can be detected.

There are some limitations to what AIDE can do. It cannot prevent an intrusion, nor can it actively prevent system damage. It is primarily useful for damage control and periodic system monitoring (Messenger, 2003).
Westphal suggests that AIDE should be installed where non-administrative users are allowed root access, on DMZ servers and servers outside the firewall, and where configuration consistency across a large number of servers is desired (Westphal, 2003). She notes that while it cannot prevent an intrusion or a bad install, it can be a very fast way to focus on the damage from an intrusion or from an administration process that went awry (Westphal, 2003).
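To make the snapshot-and-compare methodology concrete, the following is an added example (not AIDE's own code, nor code from the paper) that re-implements the idea in miniature: it records the same kind of per-file attributes AIDE stores (permissions, owner, link count, mtime, ctime, size and a content digest), writes them to a baseline database, and later reports which files were added, removed or changed and which attributes changed. The directory tree, the file contents, the database location (`aide.db`) and the simulated tampering are all constructed for the example and are assumptions, not anything from the paper; the digest is sha256 rather than the md5/sha1 the paper mentions, because those two are no longer collision-resistant.

```python
"""Minimal AIDE-style integrity snapshot and comparison (added example, not AIDE itself)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Attributes recorded per file, mirroring the kind of metadata AIDE stores
# (permissions, owner, link count, mtime/ctime, size, content digest).
TRACKED = ("mode", "uid", "gid", "nlink", "mtime", "ctime", "size", "sha256")


def file_record(path: Path) -> dict:
    """Return the tracked attributes of one file; sha256 is None for non-regular files."""
    st = path.lstat()
    rec = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "nlink": st.st_nlink,
        "mtime": int(st.st_mtime),
        "ctime": int(st.st_ctime),
        "size": st.st_size,
        "sha256": None,
    }
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        rec["sha256"] = digest.hexdigest()
    return rec


def snapshot(root: Path) -> dict:
    """Walk root and build the database: relative path -> attribute record."""
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            db[full.relative_to(root).as_posix()] = file_record(full)
    return db


def save_db(db: dict, db_path: Path) -> None:
    """Persist the baseline (the equivalent of AIDE's database file)."""
    db_path.write_text(json.dumps(db, indent=1, sort_keys=True))


def load_db(db_path: Path) -> dict:
    return json.loads(db_path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or changed (listing the attributes that differ)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in TRACKED if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, tamper with it, then check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"          # hypothetical tree standing in for /etc
        db_path = Path(tmp) / "aide.db"   # hypothetical location of the baseline
        (root / "default").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0::/:/usr/bin/sh\n")
        (root / "default" / "login").write_text("CONSOLE=/dev/console\n")

        # 1. Baseline taken immediately after configuration (the "init" step).
        save_db(snapshot(root), db_path)

        # 2. Simulated intrusion: extra uid-0 account, loosened permissions, dropped binary.
        (root / "passwd").write_text(
            "root:x:0:0::/:/usr/bin/sh\nbackdoor:x:0:0::/:/usr/bin/sh\n")
        os.chmod(root / "default" / "login", 0o666)
        (root / "default" / "rootkit.so").write_bytes(b"\x7fELF" + b"\x00" * 12)

        # 3. Later snapshot compared against the stored baseline (the "check" step).
        return compare(load_db(db_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

With real AIDE the three steps above correspond to `aide --init` (which writes a new database that the administrator then moves into place), `aide --check`, and `aide --update` after a deliberate configuration change. Two caveats the paper's advice implies but does not spell out: the report is only as trustworthy as the baseline, so the database and the checking binary should be kept on read-only or offline media, since an intruder with root can otherwise simply regenerate the database to match the tampered system; and the example records mtime and ctime as integer seconds, so a modification in the same second as the baseline shows up through the digest and size rather than the timestamps.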

Installation of AIDE requires only open...
