在CentOS6.5上配置基于主机的入侵检测系统(IDS)
项目背景:
AIDE (“高级入侵检测环境”的简称)是一个开源的基于主机的入侵检测系统。AIDE通过检查大量文件属性的不一致性来检查系统二进制文件和基本配置文件的完整性,这些文件属性包括权限、文件类型、索引节点、链接数、链接名、用户、组、文件大小、块计数、修改时间、添加时间、创建时间、acl、SELinux安全上下文、xattrs,以及md5/sha校验值在内的各种特征。
AIDE通过扫描一台(未被篡改)的Linux服务器的文件系统来构建文件属性数据库,以后将服务器文件属性与数据库中的进行校对,然后在服务器运行时对被修改的索引了的文件发出警告。出于这个原因,AIDE必须在系统更新后或其配置文件进行合法修改后重新对受保护的文件做索引。
实验环境:
vmware workstation 11
centos6.5的系统下
服务器:ip:192.168.0.57
aide-0.14-7.el6.x86_64
SecureCRT (ssh远程连接软件)
通常我们需要在刚装好的系统上,干净的环境!
实验流程
一、软件下载
[root@localhost ~]# yum install aide -y
二、软件下载成功以后网络关闭
[root@localhost ~]# service network stop
三、AIDE数据库初始化
[root@localhost Desktop]# aide --init
AIDE, version 0.14
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
四、数据库文件重命名,不然的话AIDE读不出来
[root@localhost Desktop]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
五、软件检查
直接在命令行输入aide (输入以后得等很久~~~~)
[root@localhost Desktop]# aide
AIDE found differences between database and filesystem!!
Start timestamp: 2016-03-22 03:09:05
Summary:
Total number of files:85618
Added files:0
Removed files:0
Changed files:39
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /usr/sbin
changed: /usr/libexec
changed: /usr/libexec/openssh
changed: /usr/libexec/gnome-screensaver
changed: /usr/libexec/awk
changed: /usr/libexec/gcc/x86_64-redhat-linux/4.4.4
changed: /usr/libexec/gnome-applets
changed: /usr/libexec/gstreamer-0.10
changed: /usr/libexec/file-roller
changed: /usr/libexec/polkit-1
changed: /usr/libexec/utempter
changed: /usr/libexec/pulse
changed: /usr/libexec/getconf
changed: /usr/libexec/webkitgtk
changed: /usr/lib/cups/driver
changed: /usr/lib/cups/filter
changed: /usr/lib64
changed: /usr/lib64/nspluginwrapper
changed: /usr/lib64/vte
changed: /usr/lib64/firefox
changed: /usr/lib64/seahorse
changed: /usr/lib64/pm-utils/bin
changed: /usr/lib64/udev
changed: /usr/lib64/gnome-session/helpers
changed: /usr/lib64/nss/unsupported-tools
changed: /usr/lib64/libv4l
changed: /usr/lib64/libgphoto2
changed: /usr/lib64/festival/etc
changed: /usr/lib64/perl5/CORE
changed: /usr/lib64/sa
changed: /usr/lib64/xulrunner
changed: /usr/lib64/gthumb
changed: /usr/lib64/hal/scripts
changed: /usr/bin
changed: /lib/udev
changed: /lib64
changed: /lib64/dbus-1
changed: /bin
changed: /sbin
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /usr/sbin
Mtime : 2016-03-22 02:44:18 , 2016-03-22 02:57:45
Ctime : 2016-03-22 02:44:18 , 2016-03-22 02:57:45
Directory: /usr/libexec
Mtime : 2016-03-22 02:44:34 , 2016-03-22 02:58:06
Ctime : 2016-03-22 02:44:34 , 2016-03-22 02:58:06
Directory: /usr/libexec/openssh
Mtime : 2016-03-22 02:44:35 , 2016-03-22 02:58:06
Ctime : 2016-03-22 02:44:35 , 2016-03-22 02:58:06
Directory: /usr/libexec/gnome-screensaver
Mtime : 2016-03-22 02:44:35 , 2016-03-22 02:58:07
Ctime : 2016-03-22 02:44:35 , 2016-03-22 02:58:07
Directory: /usr/libexec/awk
Mtime : 2016-03-22 02:44:35 , 2016-03-22 02:58:07
Ctime : 2016-03-22 02:44:35 , 2016-03-22 02:58:07
Directory: /usr/libexec/gcc/x86_64-redhat-linux/4.4.4
Mtime : 2016-03-22 02:44:36 , 2016-03-22 02:58:08
Ctime : 2016-03-22 02:44:36 , 2016-03-22 02:58:08
Directory: /usr/libexec/gnome-applets
Mtime : 2016-03-22 02:44:36 , 2016-03-22 02:58:08
Ctime : 2016-03-22 02:44:36 , 2016-03-22 02:58:08
Directory: /usr/libexec/gstreamer-0.10
Mtime : 2016-03-22 02:44:36 , 2016-03-22 02:58:08
Ctime : 2016-03-22 02:44:36 , 2016-03-22 02:58:08
Directory: /usr/libexec/file-roller
Mtime : 2016-03-22 02:44:36 , 2016-03-22 02:58:08
Ctime : 2016-03-22 02:44:36 , 2016-03-22 02:58:08
Directory: /usr/libexec/polkit-1
Mtime : 2016-03-22 02:44:36 , 2016-03-22 02:58:08
Ctime : 2016-03-22 02:44:36 , 2016-03-22 02:58:08
Directory: /usr/libexec/utempter
Mtime : 2016-03-22 02:44:36 , 2016-03-22 02:58:08
Ctime : 2016-03-22 02:44:36 , 2016-03-22 02:58:08
Directory: /usr/libexec/pulse
Mtime : 2016-03-22 02:44:36 , 2016-03-22 02:58:09
Ctime : 2016-03-22 02:44:36 , 2016-03-22 02:58:09
Directory: /usr/libexec/getconf
Mtime : 2016-03-22 02:44:36 , 2016-03-22 02:58:09
Ctime : 2016-03-22 02:44:36 , 2016-03-22 02:58:09
Directory: /usr/libexec/webkitgtk
Mtime : 2016-03-22 02:44:38 , 2016-03-22 02:58:10
Ctime : 2016-03-22 02:44:38 , 2016-03-22 02:58:10
Directory: /usr/lib/cups/driver
Mtime : 2016-03-22 02:44:38 , 2016-03-22 02:58:11
Ctime : 2016-03-22 02:44:38 , 2016-03-22 02:58:11
Directory: /usr/lib/cups/filter
Mtime : 2016-03-22 02:44:39 , 2016-03-22 02:58:12
Ctime : 2016-03-22 02:44:39 , 2016-03-22 02:58:12
Directory: /usr/lib64
Mtime : 2016-03-22 02:45:51 , 2016-03-22 02:59:15
Ctime : 2016-03-22 02:45:51 , 2016-03-22 02:59:15
Directory: /usr/lib64/nspluginwrapper
Mtime : 2016-03-22 02:45:52 , 2016-03-22 02:59:16
Ctime : 2016-03-22 02:45:52 , 2016-03-22 02:59:16
Directory: /usr/lib64/vte
Mtime : 2016-03-22 02:46:05 , 2016-03-22 02:59:31
Ctime : 2016-03-22 02:46:05 , 2016-03-22 02:59:31
Directory: /usr/lib64/firefox
Mtime : 2016-03-22 02:46:10 , 2016-03-22 02:59:36
Ctime : 2016-03-22 02:46:10 , 2016-03-22 02:59:36
Directory: /usr/lib64/seahorse
Mtime : 2016-03-22 02:46:12 , 2016-03-22 02:59:39
Ctime : 2016-03-22 02:46:12 , 2016-03-22 02:59:39
Directory: /usr/lib64/pm-utils/bin
Mtime : 2016-03-22 02:46:12 , 2016-03-22 02:59:39
Ctime : 2016-03-22 02:46:12 , 2016-03-22 02:59:39
Directory: /usr/lib64/udev
Mtime : 2016-03-22 02:46:12 , 2016-03-22 02:59:39
Ctime : 2016-03-22 02:46:12 , 2016-03-22 02:59:39
Directory: /usr/lib64/gnome-session/helpers
Mtime : 2016-03-22 02:46:13 , 2016-03-22 02:59:40
Ctime : 2016-03-22 02:46:13 , 2016-03-22 02:59:40
Directory: /usr/lib64/nss/unsupported-tools
Mtime : 2016-03-22 02:46:14 , 2016-03-22 02:59:41
Ctime : 2016-03-22 02:46:14 , 2016-03-22 02:59:41
Directory: /usr/lib64/libv4l
Mtime : 2016-03-22 02:46:15 , 2016-03-22 02:59:42
Ctime : 2016-03-22 02:46:15 , 2016-03-22 02:59:42
Directory: /usr/lib64/libgphoto2
Mtime : 2016-03-22 02:46:15 , 2016-03-22 02:59:42
Ctime : 2016-03-22 02:46:15 , 2016-03-22 02:59:42
Directory: /usr/lib64/festival/etc
Mtime : 2016-03-22 02:46:17 , 2016-03-22 02:59:44
Ctime : 2016-03-22 02:46:17 , 2016-03-22 02:59:44
Directory: /usr/lib64/perl5/CORE
Mtime : 2016-03-22 02:46:18 , 2016-03-22 02:59:45
Ctime : 2016-03-22 02:46:18 , 2016-03-22 02:59:45
Directory: /usr/lib64/sa
Mtime : 2016-03-22 02:46:20 , 2016-03-22 02:59:47
Ctime : 2016-03-22 02:46:20 , 2016-03-22 02:59:47
Directory: /usr/lib64/xulrunner
Mtime : 2016-03-22 02:46:27 , 2016-03-22 02:59:53
Ctime : 2016-03-22 02:46:27 , 2016-03-22 02:59:53
Directory: /usr/lib64/gthumb
Mtime : 2016-03-22 02:46:27 , 2016-03-22 02:59:54
Ctime : 2016-03-22 02:46:27 , 2016-03-22 02:59:54
Directory: /usr/lib64/hal/scripts
Mtime : 2016-03-22 02:46:27 , 2016-03-22 02:59:54
Ctime : 2016-03-22 02:46:27 , 2016-03-22 02:59:54
Directory: /usr/bin
Mtime : 2016-03-22 02:47:27 , 2016-03-22 03:01:02
Ctime : 2016-03-22 02:47:27 , 2016-03-22 03:01:02
Directory: /lib/udev
Mtime : 2016-03-22 02:54:03 , 2016-03-22 03:07:19
Ctime : 2016-03-22 02:54:03 , 2016-03-22 03:07:19
Directory: /lib64
Mtime : 2016-03-22 02:54:09 , 2016-03-22 03:07:25
Ctime : 2016-03-22 02:54:09 , 2016-03-22 03:07:25
Directory: /lib64/dbus-1
Mtime : 2016-03-22 02:54:10 , 2016-03-22 03:07:26
Ctime : 2016-03-22 02:54:10 , 2016-03-22 03:07:26
Directory: /bin
Mtime : 2016-03-22 02:54:13 , 2016-03-22 03:07:30
Ctime : 2016-03-22 02:54:13 , 2016-03-22 03:07:30
Directory: /sbin
Mtime : 2016-03-22 02:54:20 , 2016-03-22 03:07:36
Ctime : 2016-03-22 02:54:20 , 2016-03-22 03:07:36
可以看到会有大量的输出!
总结:这是一款开源的入侵检测系统,相信你在自己的生产环境中会用到!
知识在于分享 谢谢大家