[Wolves] A modern AIDE equivalent

Fri Oct 11 12:00:07 UTC 2024

On Fri, 11 Oct 2024 at 11:36, Simon Burke via Wolves
<wolves at mailman.lug.org.uk> wrote:
>
> Hi,
>
> Thought the list has been a bit quiet, so I'd pose a work related question.
>
> Can anyone recommend a modern equivalent to AIDE, or software that can do a reasonable job of monitoring files for changes/updates and notifying. We have fairly heavyweight things we can use, but I'm looking for something that's straightforward to manage.
>
> We could just use git in theory, but a truly malicious agent could easily get around that.
>
> For context we are replacing our old estate, and I've come across a vendor that was given root access to a few servers. Since they've had access there has been a rather ominous 'vi ~/.bash_history' in roots bash_history.
>
> In this case I know its fairly innocuous, and not malicious. As it's someone whos trying to hide the fact that they don't know what they are doing.
>
> But it does raise the question of how we best keep track and/or protect services when people you don't necessarily fully trust  have privileged access.
>

Security is a huge subject.
The best goal to this is to change the way the system is supported and
managed by preventing anyone from logging into the servers (except the
break glass scenario).
This is achieved by doing a full failure mode analysis on the server,
and then coming up with a set of pre-canned scripts that would be used
to fix all possible failure modes.
For example, anything a vendor might need, turn it into a few scripts,
some of the scripts do the "collect all the information the vendor
needs at once" to start their diagnosis. and then other scripts that
cover all the actions they might need to do to the server processes.
Start/Stop the vendors service etc.

Some stepping stones towards this:
1) adjusting the audit configuration on the server so that it logs
every command that is executed and which uid did it.
Make sure logging is all sent to a separate server and that those logs
are physically protected. This used to be called "Protective
monitoring".
2) Move to an "immutable" infrastructure.  I.e. make all systems OS
folders read only, and deploy a new "immutable" image for each
upgrade. If you are readonly, even malicious actors should not be able
to change things, so things like AIDE are not so much needed. You then
don't need to look for "changes", you just need to check that nothing
has changed.
3) Ensure only certified applications are able to run in RAM, and
continually monitor RAM to un-expected applications/libraries running.
4) Reboot servers regularly to automatically clear all
unwanted/malicious applications from RAM. This mitigates the
"persistent thread" risks.
5) Have the mindset not be that you are protecting from someone
getting root, it is more that you are protecting the valuable data
from being stolen.
6) Always do test restores on all backups periodically. This mitigates
"ransomware" attacks.  I.e. if you have a backup that you can be 100%
has not been encrypted without you knowing, you will never need to pay
a ransom to get your data back.
7) If you have matured the system processes enough such that the only
things being run are pre-canned scripts, malicious activity is much
much easier to spot.

So, although I have not answered your question about AIDE, I have
suggested other changes that would then not need AIDE.