File integrity checking with AIDE (Advanced Intrusion Detection Environment)

AIDE (Advanced Intrusion Detection Environment) is an intrusion detection tool whose main purpose is to check file integrity, that is, to audit which files on a machine have been changed.

AIDE builds a database of the files you specify and uses aide.conf as its configuration file. The AIDE database can record a range of file attributes, including: permissions (permission), inode number, owner (user), group, file size, last modification time (mtime), creation time (ctime), last access time (atime), growing size and link count. AIDE can also use the following algorithms, sha1, md5, rmd160 and tiger, to build a checksum or hash of every file.

Package: aide
Install AIDE
yum -y install aide

The configuration file specifies which files are checked
vim /etc/aide.conf
Example:

# Define a rule: permissions + inode + link count + user + group + size + mtime + ctime + md5 checksum
R=p+i+n+u+g+s+m+c+md5
NORMAL = R+rmd160+sha256
/data/test.txt R
/bin/ps R+a
/usr/bin/crontab R+a
# PERMS is a rule group already defined in the stock aide.conf shipped with the package
/etc PERMS
# "!" means this path is excluded from the check
!/etc/mtab

Initialize the AIDE database (writes /var/lib/aide/aide.db.new.gz)

aide --init        # short form: aide -i

Put the new database in place as the reference database used by checks

cd /var/lib/aide
mv aide.db.new.gz aide.db.gz

Check the filesystem against the reference database

aide --check       # short form: aide -C
aide --update      # short form: aide -u; runs a check and also writes a fresh aide.db.new.gz
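The init, rename, check and update steps above are exactly what a nightly cron job has to run, and the one thing the job must not get wrong is the meaning of AIDE's exit status. The script below is an added example (not code from the original post) that wraps that cycle in POSIX sh: it decodes the exit status as the bit mask documented in aide(1) (1 new files, 2 removed files, 4 changed files, 14 and above are errors) and, when promoting aide.db.new.gz, keeps a timestamped copy of the previous database instead of overwriting it with a plain mv. AIDE_BIN=/usr/sbin/aide and AIDE_DIR=/var/lib/aide are assumptions matching the CentOS package; the function names are mine.

```shell
#!/bin/sh
# Added example: drive the AIDE init/check/update cycle from a script and
# decode the exit status. AIDE's exit status is a bit mask: 1 = new files,
# 2 = removed files, 4 = changed files; 14 and above signal an error
# (write error, invalid argument, configuration error, I/O error, ...).
# Assumed defaults of the CentOS package; override via the environment.
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
AIDE_DIR="${AIDE_DIR:-/var/lib/aide}"

# Turn an AIDE exit status into a short human-readable summary.
aide_rc_meaning() {
    rc="$1"
    if [ "$rc" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$rc" -ge 14 ]; then
        echo "error (exit $rc)"
        return 0
    fi
    out=""
    [ $((rc & 1)) -ne 0 ] && out="${out}added "
    [ $((rc & 2)) -ne 0 ] && out="${out}removed "
    [ $((rc & 4)) -ne 0 ] && out="${out}changed "
    echo "${out% }"
}

# Promote aide.db.new.gz to aide.db.gz in the given directory, keeping the
# previous reference database as a timestamped backup.
aide_rotate_db() {
    dir="$1"
    if [ ! -f "$dir/aide.db.new.gz" ]; then
        echo "no new database in $dir" >&2
        return 1
    fi
    if [ -f "$dir/aide.db.gz" ]; then
        mv "$dir/aide.db.gz" "$dir/aide.db.gz.$(date +%Y%m%d%H%M%S)"
    fi
    mv "$dir/aide.db.new.gz" "$dir/aide.db.gz"
}

# Run a check, print the decoded result and pass AIDE's own status through,
# so a cron wrapper or monitoring agent can alert on any non-zero value.
aide_check() {
    "$AIDE_BIN" --check
    rc=$?
    echo "AIDE check result: $(aide_rc_meaning "$rc")"
    return "$rc"
}

# Usage: "--init" builds and promotes the first database, "--check" audits.
if [ "${1:-}" = "--init" ]; then
    "$AIDE_BIN" --init && aide_rotate_db "$AIDE_DIR"
elif [ "${1:-}" = "--check" ]; then
    aide_check
fi
```

Run it once with --init, then with --check from cron; any non-zero status from the check is the alert condition. The promoted aide.db.gz should itself live on read-only or off-host storage, because anyone who can rewrite the reference database can simply re-baseline their own changes.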

Worked example:

[root@centos8 ~]#yum -y install aide
[root@centos8 ~]#rpm -ql aide
[root@centos8 ~]#cd /data/
[root@centos8 data]#cp /etc/passwd f1
[root@centos8 data]#cp /etc/fstab f2
[root@centos8 data]#cp /etc/centos-release f3
[root@centos8 ~]#vim /etc/aide.conf 
# Below the line NORMAL = FIPSR+sha512 add:
m42 = p+u+s+sha512

Delete every line after the comment "# Next decide what directories/files you want in the database." and add the following:
/data m42
!/data/f1
Save and exit

[root@centos8 ~]#aide --init
Start timestamp: 2020-09-08 16:36:13 +0800 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	3

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 9cab032NkKPKdauvxBrWww==
  SHA1     : s45eCIQbJliJfEY32Hl/cbdgfVo=
  RMD160   : qLQsGwsbBVfaX7YBcGpm1cG/hLM=
  TIGER    : IWoARQ1npzdLoAheeIzK1EYxF6ELd+NQ
  SHA256   : yshxS7AHCE/+OdPDc022RfREWtfKcuSD
             5cy7FGUxM3M=
  SHA512   : hXPssHkXERh1nGBExCWCBGtWkSHZFAg9
             GGq7RX/9iVosML6y0yBC/+2E1e0k3ePJ
             uiPY1jTfV7i3cXGMd02bKQ==


End timestamp: 2020-09-08 16:36:13 +0800 (run time: 0m 0s)

[root@centos8 data]#ll
total 12
-rw-r--r-- 1 root root 1122 Sep  8 16:41 f1
-rw-r--r-- 1 root root  655 Sep  8 16:49 f2
-rw-r--r-- 1 root root   38 Sep  8 16:35 f3

[root@centos8 data]#aide -C
Start timestamp: 2020-09-08 16:51:34 +0800 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Number of entries:	3

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz
  MD5      : crGvNmhXmIyUhnL6+/7RGg==
  SHA1     : s0XNVm7cWIdt1lyrjpAn9u1nVvg=
  RMD160   : IvIQwH1qI2wG/D6pg/8pvfkjCS4=
  TIGER    : n6wJ2Tt6Y6lkoeblRUU0Aw2mgwEOkdG0
  SHA256   : PsUh/smr86wBD5J4lAGevuWSp0WSeFgu
             FBUAY8zjX8o=
  SHA512   : mZAodaKSoOCOO4CS3eKVHCrd1tUp4I/1
             AMOFQ++tJsNpSqoy9Np2ghtq7SLbVXsg
             wXZJfZr2rrZwMe0JSUHkfQ==


End timestamp: 2020-09-08 16:51:34 +0800 (run time: 0m 0s)


[root@centos8 ~]#vim /data/f1 
# delete one line
[root@centos8 ~]#vim /data/f2
# change some of the content
[root@centos8 ~]#chown kobe /data/f3
[root@centos8 ~]#ll /data/
total 12
-rw-r--r-- 1 root root 1122 Sep  8 16:41 f1
-rw-r--r-- 1 root root   26 Sep  8 16:41 f2
-rw-r--r-- 1 kobe root   38 Sep  8 16:35 f3
[root@centos8 ~]#
[root@centos8 ~]#mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz 
[root@centos8 ~]#aide --check
Start timestamp: 2020-09-08 16:44:20 +0800 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	3
  Added entries:		0
  Removed entries:		0
  Changed entries:		2

---------------------------------------------------
Changed entries:
---------------------------------------------------

f > ..      C    : /data/f2
f = .u      .    : /data/f3

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /data/f2
  Size     : 23                               | 26
  SHA512   : iMk0LkwqI+Ya8hi5tmgIkl3p0rC9bus0 | EJo0mS+mWj20W6ybDTCJ3Nq+sQNNBcsr
             E/+YKdgpWynFiK7UutUOJiX7GrYQsbF0 | gqSDAPBmH2acV/qFCBWil+puK3IhY+Jf
             VoSjpj8OwdQdSXpbBmi0cg==         | iY6tpzwYzW1gfeyF3yMO5A==

File: /data/f3
  Uid      : 0                                | 1000


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz
  MD5      : 9cab032NkKPKdauvxBrWww==
  SHA1     : s45eCIQbJliJfEY32Hl/cbdgfVo=
  RMD160   : qLQsGwsbBVfaX7YBcGpm1cG/hLM=
  TIGER    : IWoARQ1npzdLoAheeIzK1EYxF6ELd+NQ
  SHA256   : yshxS7AHCE/+OdPDc022RfREWtfKcuSD
             5cy7FGUxM3M=
  SHA512   : hXPssHkXERh1nGBExCWCBGtWkSHZFAg9
             GGq7RX/9iVosML6y0yBC/+2E1e0k3ePJ
             uiPY1jTfV7i3cXGMd02bKQ==


End timestamp: 2020-09-08 16:44:20 +0800 (run time: 0m 0s)

[root@centos8 data]#cd /var/lib/aide/
[root@centos8 aide]#aide -u
Start timestamp: 2020-09-08 16:53:53 +0800 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Number of entries:	3

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz
  MD5      : crGvNmhXmIyUhnL6+/7RGg==
  SHA1     : s0XNVm7cWIdt1lyrjpAn9u1nVvg=
  RMD160   : IvIQwH1qI2wG/D6pg/8pvfkjCS4=
  TIGER    : n6wJ2Tt6Y6lkoeblRUU0Aw2mgwEOkdG0
  SHA256   : PsUh/smr86wBD5J4lAGevuWSp0WSeFgu
             FBUAY8zjX8o=
  SHA512   : mZAodaKSoOCOO4CS3eKVHCrd1tUp4I/1
             AMOFQ++tJsNpSqoy9Np2ghtq7SLbVXsg
             wXZJfZr2rrZwMe0JSUHkfQ==

/var/lib/aide/aide.db.new.gz
  MD5      : mO11YzB/S3XBvPvy2Wfy7A==
  SHA1     : VxxnqJgcvO2+pQGQNUmOtZboaZk=
  RMD160   : TGvEssctBmR+zhBBtdwPZqE8X+o=
  TIGER    : 2Lltm0TRwUrADVv+k9jTTjDLtmE1voPj
  SHA256   : B32Gv7eX+kQG2JeUHpoUgXsOrl8h5Oxl
             Vq3u4s8bImo=
  SHA512   : iFzz0p7+JUx2iaZJZNPWUJ7A+1QezznW
             QvIx/6ddiquYDmVzsDuqpfxqflxq/d5+
             /COn3ggd4UgDMPtJV0d2iw==


End timestamp: 2020-09-08 16:53:53 +0800 (run time: 0m 0s)
[root@centos8 aide]#ls
aide.db.gz  aide.db.new.gz
[root@centos8 aide]#mv aide.db.new.gz aide.db.gz 
mv: overwrite 'aide.db.gz'? y
[root@centos8 aide]#
[root@centos8 aide]#aide -C
Start timestamp: 2020-09-08 16:55:15 +0800 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Number of entries:	3

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz
  MD5      : mO11YzB/S3XBvPvy2Wfy7A==
  SHA1     : VxxnqJgcvO2+pQGQNUmOtZboaZk=
  RMD160   : TGvEssctBmR+zhBBtdwPZqE8X+o=
  TIGER    : 2Lltm0TRwUrADVv+k9jTTjDLtmE1voPj
  SHA256   : B32Gv7eX+kQG2JeUHpoUgXsOrl8h5Oxl
             Vq3u4s8bImo=
  SHA512   : iFzz0p7+JUx2iaZJZNPWUJ7A+1QezznW
             QvIx/6ddiquYDmVzsDuqpfxqflxq/d5+
             /COn3ggd4UgDMPtJV0d2iw==


End timestamp: 2020-09-08 16:55:15 +0800 (run time: 0m 0s)
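The "Detailed information about changes" section of the report above (the Size and SHA512 change on /data/f2 and the Uid change on /data/f3) is what an operator actually needs to forward to a SIEM or diff against an approved-change list, but AIDE prints it as aligned "old | new" columns with long hashes wrapped onto continuation lines. The script below is an added example (not part of the original post) that turns that section into one tab-separated record per changed attribute: path, attribute, old value, new value. The sample report embedded in sample_report is constructed from the run shown above with the hash values shortened; the function names are mine.

```shell
#!/bin/sh
# Added example: parse the "Detailed information about changes" section of
# an AIDE report into TSV records (path, attribute, old value, new value).
# Continuation lines of long values (checksums) are joined back together.
parse_aide_report() {
    awk '
    # Append the "old | new" halves of one report line to the current record.
    function split_pair(s,   parts) {
        split(s, parts, / \| /)
        gsub(/ +$/, "", parts[1])
        gsub(/ +$/, "", parts[2])
        oldv = oldv parts[1]
        newv = newv parts[2]
    }
    # Emit the current record, if any, and reset.
    function flush() {
        if (have) printf "%s\t%s\t%s\t%s\n", path, attr, oldv, newv
        have = 0; attr = ""; oldv = ""; newv = ""
    }
    /^Detailed information about changes:/ { in_details = 1; next }
    /^The attributes of the \(uncompressed\) database/ { flush(); in_details = 0 }
    !in_details { next }
    /^File: / { flush(); path = substr($0, 7); next }
    # "  Attr     : old | new" starts a new attribute record.
    /^  [A-Za-z0-9_]+ +: / {
        flush()
        attr = $1
        rest = $0
        sub(/^  [A-Za-z0-9_]+ +: /, "", rest)
        split_pair(rest)
        have = 1
        next
    }
    # Deeper-indented lines continue the previous value pair.
    have && /^      / {
        rest = $0
        sub(/^ +/, "", rest)
        split_pair(rest)
        next
    }
    /^$/ { flush() }
    END { flush() }
    '
}

# Constructed sample report, modelled on the aide --check run above with the
# SHA512 values shortened to keep the example readable.
sample_report() {
    cat <<'EOF'
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	3
  Added entries:		0
  Removed entries:		0
  Changed entries:		2

---------------------------------------------------
Changed entries:
---------------------------------------------------

f > ..      C    : /data/f2
f = .u      .    : /data/f3

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /data/f2
  Size     : 23                               | 26
  SHA512   : AAAA                             | BBBB
             CCCC                             | DDDD

File: /data/f3
  Uid      : 0                                | 1000


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
EOF
}

# Demo on the constructed report; on a real host use: aide --check | parse_aide_report
sample_report | parse_aide_report
```

Each output line names the file, the attribute and both values, so a Uid change from 0 to 1000 on /data/f3 or a size and hash change on /data/f2 can be matched against a change ticket or raised as an alert without anyone reading the raw report.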
