
Name: Rahul Sachdeva    ID: 101388636

COMP4055 Assignment 2 - Linux Filesystem Integrity Check with HASH and AIDE
Objectives
In this lab, you will test Linux filesystem integrity with hashes and AIDE.

Required Resources
- RedHat Enterprise Linux VM with Internet access.

Part 1: Creating Hashes with OpenSSL (2 points)

OpenSSL can be used as a standalone tool for hashing. To create a hash of a text file, follow the steps below:

Step 1: Hashing a Text File

a. In the RedHat virtual machine, open a terminal window.
b. In the current user's Home directory, create a lab file named t1.txt:
touch t1.txt
c. Type the command below to write a sentence into the t1.txt text file:
echo This letter to thank you for the gift you sent me. > t1.txt

d. Still in the terminal window, issue the command below to hash the text file. The command uses MD5
as the hashing algorithm to generate a hash of the text file. The hash is displayed on the screen after
OpenSSL has computed it.
openssl md5 t1.txt
Note down or screenshot the output:

Notice the format of the output. OpenSSL displays the hashing algorithm used, MD5, followed by the
name of the file used as input data. The MD5 hash itself is displayed after the equals (‘=’) sign.
Hash functions are useful for verifying the integrity of data regardless of whether it is an image, a
song, or a simple text file. The smallest change results in a completely different hash. Hashes can be
calculated before and after transmission, and then compared. If the hashes do not match, then the data was
modified during transmission.

Let's modify the t1.txt text file and recalculate the MD5 hash. Click Applications > Accessories > Text
Editor.
In the Text Editor window, click Open > Other Documents > Home to open the t1.txt file.

Change the word gift to gifts, and then save the t1.txt file.
e. Now that the file has been modified and saved, run the same command again to generate an MD5 hash of
the file.
openssl md5 t1.txt
Note down or screenshot the output:

Is the new hash different from the hash calculated in item (d)? How different?

f. MD5 hashes are considered weak and susceptible to attacks. More robust hashing algorithms include
SHA-1 and SHA-2. To generate a SHA-1 hash of the t1.txt file, use the command below:
openssl sha1 t1.txt

Note down or screenshot the output:

Note: Other tools exist to generate hashes. Namely, md5sum, sha1sum, and sha256sum can be used to
generate MD5, SHA-1 and SHA-2-256 hashes, respectively. Issue the man openssl command to find the
hash options, and list them here: _________________________________________.
g. Use md5sum and sha1sum to generate the MD5 and SHA-1 hashes of the t1.txt file:
md5sum t1.txt
Note down or screenshot the output:

sha1sum t1.txt
Note down or screenshot the output:

Do the hashes generated with md5sum and sha1sum match the hashes generated in items (e) and (f),
respectively? Explain.
Yes,

Note: While SHA-1 has not yet been effectively compromised, computers are becoming more and more
powerful. It is expected that this natural evolution will soon make it possible for attackers to break SHA-1.
In a proactive move, SHA-2 is now the recommended standard for hashing. It is also worth noting that
SHA-2 is in fact a family of hashing algorithms. The SHA-2 family comprises six hash functions,
namely SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256. These functions generate
hash values that are 224, 256, 384 or 512 bits long (the last number in each name gives its output length).
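The steps of Part 1 as a script, added here as an example that is not part of the handout: it parses the two output formats (OpenSSL's `MD5(file)= hex` and the coreutils `hex  file`), checks that both tools agree, and counts how many hex digits of the digest move when "gift" becomes "gifts". It assumes openssl, md5sum and sha1sum are on PATH and builds the lab file under a mktemp directory.

```shell
#!/bin/sh
# Added example for Part 1 (not part of the handout): hash the constructed lab
# sentence with OpenSSL and with the coreutils tools, parse both output formats,
# and measure how far a one-word edit moves the digest.
# Assumes openssl, md5sum and sha1sum are on PATH; files live under mktemp.
set -eu

# OpenSSL prints "MD5(t1.txt)= <hex>"; keep only the hex after "= ".
openssl_digest() {   # $1 = algorithm (md5, sha1, sha256), $2 = file
    line=$(openssl "$1" "$2")
    printf '%s\n' "${line##*= }"
}

# md5sum/sha1sum print "<hex>  t1.txt"; keep the first field.
coreutils_digest() { # $1 = tool (md5sum, sha1sum, sha256sum), $2 = file
    "$1" "$2" | cut -d' ' -f1
}

# Number of hex positions at which two same-length digests differ.
hex_diff_positions() { # $1, $2 = hex digests
    i=1 n=0
    while [ "$i" -le "${#1}" ]; do
        [ "$(printf '%s' "$1" | cut -c"$i")" = "$(printf '%s' "$2" | cut -c"$i")" ] \
            || n=$((n + 1))
        i=$((i + 1))
    done
    echo "$n"
}

WORK=$(mktemp -d)
FILE=$WORK/t1.txt

# Step d: write the lab sentence and hash it with MD5 and SHA-1.
echo "This letter to thank you for the gift you sent me." > "$FILE"
MD5_BEFORE=$(openssl_digest md5 "$FILE")
SHA1_BEFORE=$(openssl_digest sha1 "$FILE")

# Step e: change "gift" to "gifts" and hash again.
echo "This letter to thank you for the gifts you sent me." > "$FILE"
MD5_AFTER=$(openssl_digest md5 "$FILE")
SHA1_AFTER=$(openssl_digest sha1 "$FILE")

# Step g: coreutils must agree with OpenSSL on the same file.
MD5_COREUTILS=$(coreutils_digest md5sum "$FILE")
SHA1_COREUTILS=$(coreutils_digest sha1sum "$FILE")

echo "MD5 before: $MD5_BEFORE"
echo "MD5 after:  $MD5_AFTER ($(hex_diff_positions "$MD5_BEFORE" "$MD5_AFTER")/32 hex digits differ)"
rm -rf "$WORK"
```

Roughly fifteen of every sixteen hex digits change for a one-letter edit, which is the avalanche property the text describes; the tools agree because the digest depends only on the file bytes, not on which program computes it.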

Part 2: Advanced Intrusion Detection Environment (AIDE) (2 points per step)

Advanced Intrusion Detection Environment (AIDE) is a powerful open-source intrusion detection tool that uses
predefined rules to check the integrity of files and directories in the Linux operating system.

Step 1:
a. Now, work as the root user. Run the su root command and key in the root password.
b. Before using yum, register your system with an entitlement server using the following command.
(Note: the username and password are those of the account you signed up for on the RedHat Developer portal,
https://developers.redhat.com/?source=sso. Consult the RHEL Download and VM Installation file for the
account info from the installation steps.)
subscription-manager register --username username --password password --auto-attach

In the output, do you see the Status as Subscribed? __yes____.

c. To see which installed packages on your system have updates available, use the following command:
yum check-update
Do you have any packages with available updates on your Linux system?

d. Install AIDE, and type y to confirm the installation.

yum install aide

Note down or screenshot the output:

Step 2: Build the baseline database for AIDE

AIDE has its own database to check the integrity of files and directories.
Build the baseline database for AIDE:
aide --init (Be patient; it takes a few minutes.)
Note down or screenshot the output:

Verify the database creation. Do you see the following DB file?

ls -l /var/lib/aide/aide.db.new.gz
Copy the new database to its production location and name, /var/lib/aide/aide.db.gz:
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Verify the file and its name with ls -l /var/lib/aide/aide.db.gz

Note down or screenshot the output:

Step 3: Testing AIDE Functionality

AIDE helps you monitor files that have recently been changed or modified, and keep track of
files or directories when someone tries to modify or change them.

Change to root's home directory:

cd ~

To verify that AIDE works as expected, now make some changes to your filesystem (by creating new files
and/or changing the permissions of existing files).

Now, create some new lab files as follows:

touch newt{1,2,3}.txt

ls -l new*
Note down or screenshot the output:

Now issue the command aide --check (Be patient; it takes a few minutes.)


Do you see the Added files information in Summary (first part of the output)? _3___
Note down or screenshot the output:

Create sample files labf{1,2,3,4,5,6} with the command touch labf{1,2,3,4,5,6}.

Then change any one file's permissions from the current ones to rw-rw-rw-.
List your command: _chmod 666 labf1______________
To verify the new permissions, issue the command __ls -l_______. Are the permissions changed? _yes__.

To check, issue the command aide --check (Be patient; it takes a few minutes.)

Do you see the Changed files in addition to the new files added information in Summary? ____

Note down or screenshot the output:

Now update the AIDE database as a new baseline with the command

aide --update (Be patient; it takes a few minutes.)
Note: All updates are written to the /var/lib/aide/aide.db.new.gz file; you still need to issue the copy command to
use the updated DB file (named aide.db.gz) as the new baseline.
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
(Key in yes to confirm the overwrite operation.)

You created the sample files newt{1,2,3}; now delete some of these files.
Delete some sample files as follows:
rm newt3.txt
rm newt2.txt
Modify the content of the newt1.txt text file as follows:
echo New content added for integrity testing. >>newt1.txt
cat newt1.txt

To check against the new baseline, issue the command

aide --check (Be patient; it takes a few minutes.)
Do you see the Removed and Changed file information in Summary? ___yes_
Note down or screenshot the output:
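The init / check / update / check cycle of Step 3 reduced to its essentials, added here as an example and not AIDE itself or anything from the handout: a snapshot records mode, owner, group and SHA-256 for every file, and a comparison reports Added, Removed and Changed counts the way AIDE's Summary does. It assumes GNU coreutils (stat -c, sha256sum, join) and works in a mktemp directory standing in for root's home and /var/lib/aide.

```shell
#!/bin/sh
# Added example, not AIDE itself: a minimal baseline/check/update loop that
# mirrors Step 3 (aide --init, aide --check, aide --update plus the cp).
# Assumes GNU coreutils (stat -c, sha256sum, join) and scratch space from mktemp.
set -eu

# One line per regular file: path, mode:uid:gid, sha256 -- the attributes that
# the lab's touch, chmod, rm and echo >> operations disturb. Sorted for join(1).
snapshot() {   # $1 = directory to walk
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$f" "$(stat -c '%a:%u:%g' "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)"
    done
}

# Compare baseline and current snapshots; print an AIDE-style summary line.
compare() {    # $1 = baseline snapshot, $2 = current snapshot
    added=$(LC_ALL=C join -v2 -j1 "$1" "$2" | wc -l)
    removed=$(LC_ALL=C join -v1 -j1 "$1" "$2" | wc -l)
    changed=$(LC_ALL=C join -j1 "$1" "$2" | awk '$2 != $4 || $3 != $5' | wc -l)
    printf 'Added: %d Removed: %d Changed: %d\n' "$added" "$removed" "$changed"
}

WORK=$(mktemp -d)
TREE=$WORK/home; DB=$WORK/baseline.db    # stand-ins for ~root and aide.db.gz
mkdir "$TREE"
touch "$TREE/existing.txt"; chmod 644 "$TREE/existing.txt"

snapshot "$TREE" > "$DB"                 # aide --init, then cp to aide.db.gz

# First check: three new files plus a permission change on a baselined file.
touch "$TREE/newt1.txt" "$TREE/newt2.txt" "$TREE/newt3.txt"
chmod 666 "$TREE/existing.txt"
snapshot "$TREE" > "$WORK/current"
CHECK1=$(compare "$DB" "$WORK/current")  # Added: 3 Removed: 0 Changed: 1

cp "$WORK/current" "$DB"                 # aide --update, then cp: new baseline

# Second check: remove two files and append to the third.
rm "$TREE/newt2.txt" "$TREE/newt3.txt"
echo "New content added for integrity testing." >> "$TREE/newt1.txt"
snapshot "$TREE" > "$WORK/current"
CHECK2=$(compare "$DB" "$WORK/current")  # Added: 0 Removed: 2 Changed: 1

echo "$CHECK1"; echo "$CHECK2"
rm -rf "$WORK"
```

A permission change on a file created after the baseline (as with labf1 in the lab) can only be reported as Added, never as Changed, because the baseline holds nothing to compare it with; that is why the example changes the mode of a file that was already in the baseline.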

Step 4: AIDE for Users

a. To access the command line, right-click the main window (desktop) and choose Open Terminal.

Issue the command su root and key in the same password as for the account above.

Do you have a new prompt like [root@localhost username]#? yes.

Note: $ (dollar sign) indicates regular user privilege. If a ‘#’ (hash or pound sign) is displayed
at the prompt, it indicates elevated privilege (root user).

b. Issue the useradd command to add a new user account in Linux. (Example: useradd jack)
c. Issue the passwd command to create a password for the new user. (Example: passwd jack)
d. Create two more user accounts with passwords, and list them here:

Username   Password
alex       passalex
jack       passjack

e. Issue the command cat /etc/passwd to verify the above accounts. (Example: the jack account)
jack:x:1001:1001::/home/jack:/bin/bash
The line has the following characteristics:

o It begins with the user name jack.
o A UID greater than 999 is created. Under Red Hat Enterprise Linux 7, UIDs below 1000
are reserved for system use and should not be assigned to users.
o A GID greater than 999 is created. Under Red Hat Enterprise Linux 7, GIDs below 1000
are reserved for system use and should not be assigned to users.
o The optional information field is left blank. This field can be used to provide additional
information about the user, such as their full name or phone number.
o The home directory for jack is set to /home/jack/.
o The default shell is set to /bin/bash.
o There is an x in the password field, indicating that the system is using shadow
passwords. The x in the second field indicates that password information is stored in a
separate file called /etc/shadow, which can only be accessed by root.
As you are the root user now, issue the command cat /etc/shadow to check the new accounts. Do you see
the $id$salt$hashed information in the second field? _yes___.
Research the $id value to find out which hash algorithm is used to generate the hash value: _______________
Screenshot the output of the alex and jack entries:

Issue the groups command to verify the group membership of the new accounts. (Example:
groups jack). List your new user accounts' group outputs.

If your Linux VM lab username is alex, how do you modify the /etc/aide.conf file to allow AIDE to perform
PERMS group checks on the /home/alex directory?
_______________yes_______________________________

Test it with screenshots:
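One way to answer the question above, added here as an example rather than the handout's own answer: an aide.conf selection line that applies the PERMS rule group to /home/alex. It assumes the stock RHEL /etc/aide.conf, where PERMS is already a predefined group (the file applies it to /etc); confirm the group's definition in your own copy before relying on it.

```conf
# Added example, not from the handout. Append to the selection section of
# /etc/aide.conf (the part with lines such as "/etc PERMS"). PERMS is the
# predefined permission-oriented rule group; its exact attribute list is
# defined near the top of the same file, so check it there.
/home/alex PERMS

# To test: rebuild the baseline as in Step 2 (aide --init, then
# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz), change the mode
# of a file that already exists under /home/alex with chmod, and run
# aide --check. A file created after the baseline shows up as Added, not
# Changed, so the permission change must be made to a baselined file.
```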


Summary
Hashing is the “one way” transformation of a string of characters into a usually shorter fixed-length value or
key that represents the original string. Advanced Intrusion Detection Environment (AIDE) is a powerful open-
source intrusion detection tool.

