Linux Advanced: A Summary of AIDE Commands

AIDE (Advanced Intrusion Detection Environment): a file-integrity intrusion detection tool

AIDE works by scanning the attributes of the monitored files (hashes, permissions, ownership, and so on) and storing them in a database; on later runs it compares the current filesystem against the database to decide whether a file has changed.
AIDE's configuration file is /etc/aide.conf, which defines which attributes to check and the rules applied to each directory.
Usage:
aide --init     generate the information database
aide --update   update the database
aide --check    run the check and compare against the database

1. Install aide and view the package information

[root@centos7 ~]# yum -y install aide
[root@centos7 ~]# rpm -qi aide
Name        : aide
Version     : 0.15.1
Release     : 13.el7
Architecture: x86_64
Install Date: Sun 10 Nov 2019 02:42:23 PM CST
Group       : Applications/System
Size        : 318333
License     : GPLv2+
Signature   : RSA/SHA256, Thu 10 Aug 2017 10:56:17 PM CST, Key ID 24c6a8a7f4a80eb5
Source RPM  : aide-0.15.1-13.el7.src.rpm
Build Date  : Thu 03 Aug 2017 01:00:53 PM CST
Build Host  : c1bm.rdu2.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem 
Vendor      : CentOS
URL         : http://sourceforge.net/projects/aide
Summary     : Intrusion detection environment
Description :
AIDE (Advanced Intrusion Detection Environment) is a file integrity
checker and intrusion detection program.

2. On the node1 server, create the /data directory, and inside it create the dir1 folder and the f1 file

[root@centos7 ~]# mkdir -pv /data
[root@centos7 ~]# mkdir -pv /data/dir1
mkdir: created directory ‘/data/dir1’
[root@centos7 ~]# echo hello > /data/f1
[root@centos7 ~]# cd /data/
[root@centos7 data]# ll
total 2676
drwxr-xr-x  2 root root        6 Nov 10 15:00 dir1
drwx------  5  501 games    8192 Nov 10 14:09 dropbear-2019.78
-rw-r--r--  1 root root  2708659 Mar 27  2019 dropbear-2019.78.tar.bz2
-rw-r--r--  1 root root        6 Nov 10 15:00 f1

3. Then append the following configuration at the bottom of AIDE's configuration file so that it checks the contents of /data/ but not the contents of dir1

[root@centos7 data]# vim /etc/aide.conf

# appended to the file
/data/ CONTENT
!/data/dir1

4. Then initialize the AIDE database

[root@centos7 etc]# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

5. Then rename the new database to the active one, modify the f1 file and run a check; f1 is reported as tampered with

[root@centos7 etc]# cd /var/lib/aide/
[root@centos7 aide]# ll
total 7456
-rw------- 1 root root 7631170 Nov 10 15:19 aide.db.new.gz
[root@centos7 aide]# mv aide.db.new.gz aide.db.gz
[root@centos7 aide]# cd
[root@centos7 ~]# echo "hello world" > /data/f1
[root@centos7 ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2019-11-10 15:27:51

Summary:
  Total number of files:	199171
  Added files:			0
  Removed files:		0
  Changed files:		1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /data/f1

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /data/f1
 SHA256   : WJG1tSLV3whtD/CxEPvZ0hu0/HFjrzTQ , qUiQTy8PR5uPgZdpSzAYSw0u0cHNKh7A

6. Create a file in dir1 and update the AIDE database:

[root@centos7 ~]# echo fff > /data/dir1/ss
[root@centos7 ~]# aide --update
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2019-11-10 15:34:48

Summary:
  Total number of files:	199171
  Added files:			0
  Removed files:		0
  Changed files:		1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /data/f1

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /data/f1
 SHA256   : WJG1tSLV3whtD/CxEPvZ0hu0/HFjrzTQ , qUiQTy8PR5uPgZdpSzAYSw0u0cHNKh7A

7. Replace the active database file with the newly generated one

[root@centos7 aide]# rm -rf aide.db.gz 
[root@centos7 aide]# mv aide.db.new.gz aide.db.gz 

8. Then modify the contents of the ss file in dir1 and run a check.
The ss file is not reported as modified, because !/data/dir1 is defined in the configuration file and excludes that directory.

[root@centos7 aide]# echo sss > /data/dir1/ss
[root@centos7 aide]# aide --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!
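The lifecycle shown in steps 4 to 8, as an added shell example (this is not code from the original post): it promotes the freshly written database the way steps 4 and 7 do, and parses the report text that aide --check and aide --update print so that a cron job or monitoring hook can act on the "Changed files" count rather than relying on someone reading the output. The database paths are the CentOS 7 defaults seen in the post; the log path is hypothetical, and the sample report embedded at the bottom is constructed from the step 5 output. Since the database is the trust anchor for every later check, a practitioner would also keep a copy of aide.db.gz and /etc/aide.conf on read-only or off-host storage and compare against it before promoting a new database.

```bash
#!/bin/bash
# Added example, not code from the original post. Wraps the AIDE lifecycle
# shown in steps 4-8 and parses AIDE's report so an unattended job can act on it.
# Database paths are the CentOS 7 defaults seen in the post; the log path is
# hypothetical.

AIDE_DIR=/var/lib/aide
AIDE_DB="$AIDE_DIR/aide.db.gz"          # database that aide --check reads
AIDE_NEW="$AIDE_DIR/aide.db.new.gz"     # database that --init / --update write
AIDE_LOG=/var/log/aide-last-report.log  # hypothetical path for the saved report

# Steps 4 and 7: build the baseline, then promote it to the active database.
aide_baseline() {
    aide --init && mv -f "$AIDE_NEW" "$AIDE_DB"
}

# Steps 6 and 7: rebuild after an approved change. --update exits non-zero
# whenever it finds differences, which is the normal case here, so only the
# promotion of the new database is allowed to fail.
aide_refresh() {
    aide --update || true
    mv -f "$AIDE_NEW" "$AIDE_DB"
}

# Reduce the "Summary:" block of a report (read from stdin) to one
# machine-readable line. Only the indented summary lines are matched, so the
# unindented "Changed files:" section header is ignored; counters that are
# absent print as 0, which is what the "All files match" report yields.
aide_summary() {
    awk -F: '
        /^  Added files/   { gsub(/[ \t]/, "", $2); a = $2 }
        /^  Removed files/ { gsub(/[ \t]/, "", $2); r = $2 }
        /^  Changed files/ { gsub(/[ \t]/, "", $2); c = $2 }
        END { printf "added=%d removed=%d changed=%d\n", a, r, c }'
}

# List the paths AIDE flagged, one per line (report on stdin).
aide_changed_paths() {
    awk '/^(added|removed|changed): / { sub(/^[a-z]+: /, ""); print }'
}

# Succeed only when the report shows no added, removed or changed files.
aide_report_is_clean() {
    [ "$(aide_summary)" = "added=0 removed=0 changed=0" ]
}

# Step 5 as an unattended job: run the check, keep the report, and exit
# non-zero (for cron mail or a monitoring hook) when anything differs.
aide_check() {
    report=$(aide --check 2>&1 || true)
    printf '%s\n' "$report" > "$AIDE_LOG"
    printf '%s\n' "$report" | aide_summary
    printf '%s\n' "$report" | aide_changed_paths
    printf '%s\n' "$report" | aide_report_is_clean
}

# Constructed sample: the report from step 5 of the post, trimmed to the parts
# the parser uses, so the parsing can be exercised without aide installed.
SAMPLE_REPORT='AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2019-11-10 15:27:51

Summary:
  Total number of files:    199171
  Added files:              0
  Removed files:            0
  Changed files:            1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /data/f1'

# ./aide_wrap.sh demo  -> parse the sample report
# ./aide_wrap.sh check -> run aide --check and save the report
case "${1:-}" in
    demo)  printf '%s\n' "$SAMPLE_REPORT" | aide_summary
           printf '%s\n' "$SAMPLE_REPORT" | aide_changed_paths ;;
    check) aide_check ;;
esac
```

Running the script with the "demo" argument prints "added=0 removed=0 changed=1" followed by "/data/f1", matching the step 5 report; with "check" it runs the real aide --check and its exit status reflects whether the filesystem still matches the database.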
