AIDE File Integrity and Intrusion Detection on Mac OS X

11-Apr-2009

I read about the recent hacking contest at CanSecWest in Vancouver, where Charlie Miller hacked a fully-patched Mac OS X machine in just a few seconds. There's a great interview with Miller over on Tom's Hardware. The discussion about the economic value of bugs sounds pretty bang-on to me.

The most important part of dealing with a compromise is knowing when it has happened, and what changed on your computer. I don't know if a file integrity monitor will do the trick, but odds are that if you're compromised, some new and unexpected file or set of files will appear on the filesystem. If not, a simple reboot may be all you need.

AIDE, a file integrity monitor

I like using AIDE (a Tripwire clone) because it's so simple to use. It is a security tool, a file integrity monitor that watches for changes on a filesystem, and it's an open-source project, which means it's free to use. You tell it what to monitor, it creates a database of file and directory attributes, and then you tell it periodically (perhaps in a cron job) to check the system against that database and alert you to changes. The trick is in choosing what to monitor and predicting where an attacker might put his files. Seems pretty simple, right?

The easiest way to install AIDE is to download the source and compile it. Of course you need the Xcode tools from Apple; the ones that came with your Leopard install disc are fine. On the latest Mac OS X Leopard (10.5.6 as I write this), you do need to use some custom configure options to get things running on the Mac:

./configure --with-mhash --disable-static --with-zlib --disable-lfs

Then create the directory /usr/local/etc and inside it create the file aide.conf.

You can monitor whatever you want on your Mac. Personally, I just want to know my data is secure, so I only monitor my home directory, the Mac's application directory, and the various startup items directories. Below is a sample, and a work in progress, that you can play with:

# Format:                       [!|=] entry [ignore-flags]
#
# where:         '!' signifies the entry is to be pruned (inclusive) from
#                               the list of files to be scanned.
#                '=' signifies the entry is to be added, but if it is
#                               a directory, then all its contents are pruned
#                               (useful for /tmp).
#
# where:        entry is the absolute pathname of a file or a directory
#
# where ignore-flags are in the format:
#               [template][ [+|-][pinugsam...] ... ]
#
#       - :  ignore the following attributes
#       + :  do not ignore the following attributes
#
#       p :  permission and file mode bits      a: access timestamp
#       i :  inode number                       m: modification timestamp
#       n :  number of links (ref count)        c: inode creation timestamp
#       u :  user id of owner                 md5: MD5 signature
#       g :  group id of owner              tiger: tiger signature
#       s :  size of file                  rmd160: RMD160 signature
#                                            sha1: SHA1 signature
#
# Ex:   The following entry will scan all the files in /etc, and report
#       any changes in mode bits, inode number, reference count, uid,
#       gid, modification and creation timestamp, and the signatures.
#       However, it will ignore any changes in the access timestamp.
#
#       /etc    +p+i+n+u+g+s+m+md5+tiger+rmd160+sha1-a
#
# The following templates have been pre-defined to make these long ignore
# mask descriptions unnecessary.
#
# Templates: 
# (default) R :  [R]ead-only (+p+i+n+u+g+s+m+md5+tiger+rmd160+sha1-a)
#       L :  [L]og file (+p+i+n+u+g-s-a-m-md5-tiger-rmd160-sha1)
#       N :  ignore [N]othing (+p+i+n+u+s+g+s+a+m+c+md5+tiger+rmd160+sha1)
#       E :  ignore [E]verything (-p-i-n-u-s-g-s-a-m-c-md5-tiger-rmd160-sha1)
#
# By default, Tripwire uses the R template -- it ignores
# only the access timestamp.
#
# You can use templates with modifiers, like:
#       Ex:  /etc/lp    E+u+g
#
#       Example configuration file:
#               /etc            R       # all system files
#               !/etc/lp        R       # ...but not those logs
#               =/tmp           N       # just the directory, not its files
#
# Note the difference between pruning (via "!") and ignoring everything
# (via "E" template):  Ignoring everything in a directory still monitors
# for added and deleted files.  Pruning a directory will prevent Tripwire
# from even looking in the specified directory.

database=file:///var/db/aide/databases/aide.db
database_out=file:///var/db/aide/databases/aide.db.new

/Users/myusername                              R
/Users/myusername/.bash_history                L
!/Users/myusername/Library/Mail                L
/Users/myusername/Library                      R-s-m-c-i-n
!/Users/myusername/Library/Caches              R
!/Users/myusername/Library/Cookies             R
!/Users/myusername/Library/Preferences         R
/Users/myusername/Library/Safari               R-s-m-c-i

/Applications                           R-s-m-c-i
/Library/StartupItems                   R
/System/Library/StartupItems            R
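
As an added example (my own code, not AIDE's or Tripwire's), here is a miniature Python integrity checker that implements the selection-line syntax described in the header above and demonstrates the point made there about pruning versus the E template: a tampered file under R is reported, growth of a log file under L is not, a file dropped into a pruned ("!") directory is never seen at all, and a file added under an E directory is still reported as added. It supports only the md5 and sha1 digests (hashlib has no tiger or rmd160); the rule set, paths and file contents in demo() are constructed sample data, and the "database=" line is parsed only to show that option lines are skipped.

```python
# Miniature AIDE/Tripwire-style integrity check: an added example, not AIDE's own code. It implements
# the header's selection syntax ('!' prunes, '=' keeps a directory but not its contents, 'R-s-m' flags).
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

def _digest(path, algo):
    """Checksum of a regular file; directories get no digest, as in AIDE."""
    return hashlib.new(algo, Path(path).read_bytes()).hexdigest() if os.path.isfile(path) else None

# Attribute letters from the header's table, each mapped to how it is read from lstat()
ATTRS = {
    "p": lambda p, st: stat.S_IMODE(st.st_mode), "i": lambda p, st: st.st_ino, "n": lambda p, st: st.st_nlink,
    "u": lambda p, st: st.st_uid, "g": lambda p, st: st.st_gid, "s": lambda p, st: st.st_size,
    "a": lambda p, st: int(st.st_atime), "m": lambda p, st: int(st.st_mtime), "c": lambda p, st: int(st.st_ctime),
    "md5": lambda p, st: _digest(p, "md5"), "sha1": lambda p, st: _digest(p, "sha1"),
}
TEMPLATES = {"R": "+p+i+n+u+g+s+m+md5+sha1-a",    # the pre-defined templates, without the
             "L": "+p+i+n+u+g-s-a-m-md5-sha1",    # tiger and rmd160 digests that hashlib lacks
             "N": "+p+i+n+u+g+s+a+m+c+md5+sha1",
             "E": "-p-i-n-u-g-s-a-m-c-md5-sha1"}

def parse_mask(expr):
    """'R-s-m-c-i' -> set of attribute names to record and compare."""
    if expr[0] in TEMPLATES:
        expr = TEMPLATES[expr[0]] + expr[1:]
    wanted = set()
    for sign, name in re.findall(r"([+-])([a-z0-9]+)", expr):
        if name not in ATTRS:
            raise ValueError("unknown attribute: " + name)
        (wanted.add if sign == "+" else wanted.discard)(name)
    return wanted

def parse_config(text):
    """[(flag, path, mask)] for each selection line; option lines such as database= are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] not in "/!=":
            continue
        flag, parts = (line[0] if line[0] in "!=" else ""), line.lstrip("!=").split()
        mask = parse_mask(parts[1] if len(parts) > 1 else "R")  # R is the default template
        rules.append((flag, parts[0].rstrip("/"), mask))
    return rules

def _rule_for(path, rules):
    """The most specific rule (longest matching path) governs an entry."""
    matches = [r for r in rules if path == r[1] or path.startswith(r[1] + os.sep)]
    return max(matches, key=lambda r: len(r[1]), default=None)

def _pruned(path, rules):
    rule = _rule_for(path, rules)
    return rule is None or rule[0] == "!" or (rule[0] == "=" and path != rule[1])

def snapshot(rules):
    """Walk the monitored trees and record the selected attributes of every entry."""
    db = {}
    for flag, top, _ in rules:
        if flag == "!" or _rule_for(os.path.dirname(top), rules) is not None:
            continue  # walk only the outermost trees; nested rules apply on the way down
        for dirpath, dirnames, filenames in os.walk(top):
            for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                if not _pruned(entry, rules):
                    st = os.lstat(entry)
                    db[entry] = {a: ATTRS[a](entry, st) for a in _rule_for(entry, rules)[2]}
            # pruned subdirectories are dropped here, so they are never even opened
            dirnames[:] = [d for d in dirnames if not _pruned(os.path.join(dirpath, d), rules)]
    return db

def compare(baseline, current):
    """Added, removed and changed entries; 'changed' lists the attributes that differ."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "changed": {}}
    for path in set(baseline) & set(current):
        diff = sorted(a for a in baseline[path] if baseline[path][a] != current[path].get(a))
        if diff:
            report["changed"][path] = diff
    return report

def demo():
    """Constructed tree exercising R, L, '!' pruning and the E template (sample data, not real)."""
    root = Path(tempfile.mkdtemp())
    for d in ("logs", "cache", "watched"):
        (root / d).mkdir()
    (root / "notes.txt").write_text("hello\n")
    (root / "logs/app.log").write_text("line1\n")
    rules = parse_config(f"database=file://{root}/aide.db\n{root} R\n{root}/logs L\n"
                         f"!{root}/cache R\n{root}/watched E\n")
    baseline = snapshot(rules)
    (root / "notes.txt").write_text("tampered\n")         # R: content change is reported
    (root / "logs/app.log").write_text("line1\nline2\n")  # L: log growth is ignored
    (root / "cache/junk").write_text("")                  # pruned: never even looked at
    (root / "watched/dropped").write_text("")             # E: still reported as an added file
    report = compare(baseline, snapshot(rules))
    rel = lambda p: os.path.relpath(p, root)
    return {"added": [rel(p) for p in report["added"]], "removed": [rel(p) for p in report["removed"]],
            "changed": {rel(p): attrs for p, attrs in report["changed"].items()}}

if __name__ == "__main__":
    print(demo())
```

Running the script prints the report for the constructed tree: notes.txt shows up under "changed" with at least its size and both digests, watched/dropped is the only "added" entry, and neither the log file nor anything under cache appears. Running snapshot() twice and feeding both results to compare() is exactly the baseline-then-check cycle described above; AIDE itself does the same with its on-disk database, which is why the database file needs to be protected from the same attacker you hope to detect.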

I know this ruleset could use some fine tuning. But it's a start, and certainly better than nothing. I'd like to write a tool that uses Apple's mds Spotlight capabilities to watch for changes in my home folder and notify me as required. Maybe one day I'll get to it. For now, if you have some thoughts or suggestions on using AIDE with Mac OS X, please e-mail me and let me know.


All Rights Reserved
All content owned by Kelly Martin, except where noted. © Copyright 1998-2023.
