AIDE 学习笔记
参考:http://www.iamle.com/archives/1664.html
AIDE的用法和tripwire类似。都是通过生成一份文件指纹的数据库,然后对比。所以,我们最好在刚安装完系统后,就安装这个工具,获取一份干净的文件指纹。
安装与配置
yum -y install aide
主要文件如下:
主程序:/usr/sbin/aide
文件指纹库:/var/lib/aide
日志:/var/log/aide
cp /etc/aide.conf /etc/aide.conf_bak
vim /etc/aide.conf内容如下:
#Example configuration file for AIDE.
@@define DBDIR /var/lib/aide #基准数据库目录
@@define LOGDIR /var/log/aide #日志目录
#The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz #基础数据库文件
#The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz #更新数据库文件
#Whether to gzip the output to database
gzip_dbout=yes
#Default.
verbose=5
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOTIMPLEMENTED report_url=mailto:root@foo.com
#NOTIMPLEMENTED report_url=syslog:LOG_AUTH
#These are the default rules.?? 下面这些这是规则说明
#
#p:????? permissions
#i:????? inode:
#n:????? number of links
#u:????? user
#g:????? group
#s:????? size
#b:????? block count
#m:??? ??mtime
#a:????? atime
#c:????? ctime
#S:????? check for growing size
#acl:?????????? Access Control Lists
#selinux??????? SELinux security context
#xattrs:??????? Extended file attributes
#md5:??? md5 checksum
#sha1:?? sha1 checksum
#sha256:??????? sha256 checksum
#sha512:??????? sha512 checksum
#rmd160:rmd160 checksum
#tiger:? tiger checksum
#haval:? haval checksum (MHASH only)
#gost:?? gost checksum (MHASH only)
#crc32:? crc32 checksum (MHASH only)
#whirlpool:???? whirlpool checksum (MHASH only)
下面是参数的组合表示法
#R:????????????p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L:???????????? p+i+n+u+g+acl+selinux+xattrs
#E:???????????? Empty group
#>:???????????? Growing logfilep+u+g+i+n+S+acl+selinux+xattrs
R = p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
L = p+i+n+u+g+acl+selinux+xattrs
> = p+u+g+i+n+S+acl+selinux+xattrs
#You can create custom rules like this.
#With MHASH...
#ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
#Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES
#Sane, with multiple hashes
#NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256
#For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
#Access control only
PERMS = p+i+u+g+acl+selinux
#Logfile are special, in that they often change
LOG = >
#Just do md5 and sha256 hashes
LSPP = R+sha256
#Some files get updated automatically, so the inode/ctime/mtime change
#but we want to know when the data inside them changes
DATAONLY =?p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
#下面是配置监控哪些目录下的文件异动情况
#Next decide what directories/files you want in the database.
/boot?? NORMAL
/bin??? NORMAL
/sbin?? NORMAL
/lib??? NORMAL
/lib64? NORMAL
/opt??? NORMAL
/usr?? ?NORMAL
/root?? NORMAL
#These are too volatile?
!/usr/src
!/usr/tmp
!/usr/share #通过文件路径前面加感叹号 ! 排除这个路径的监控,请自定义
#Check only permissions, inode, user and group for /etc, but
#cover some important files closely.
/etc??? PERMS
!/etc/mtab
#Ignore backup files
!/etc/.*~
/etc/exports? NORMAL
/etc/fstab??? NORMAL
/etc/passwd?? NORMAL
/etc/group??? NORMAL
/etc/gshadow? NORMAL
/etc/shadow?? NORMAL
/etc/security/opasswd?? NORMAL
/etc/hosts.allow?? NORMAL
/etc/hosts.deny??? NORMAL
/etc/sudoers????NORMAL
/etc/skel????NORMAL
/etc/logrotate.d????NORMAL
/etc/resolv.conf????DATAONLY
/etc/nscd.conf????NORMAL
/etc/securetty????NORMAL
#Shell/X starting files
/etc/profile????NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/????NORMAL
/etc/X11/????NORMAL
#Pkg manager
/etc/yum.conf????NORMAL
/etc/yumex.conf????NORMAL
/etc/yumex.profiles.conf????NORMAL
/etc/yum/????NORMAL
/etc/yum.repos.d/????NORMAL
/var/log?? LOG
/var/run/utmp????LOG
#This gets new/removes-old filenames daily
!/var/log/sa
#As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log
#LSPP rules...
#AIDE produces an audit record, so this becomes perpetual motion.
#/var/log/audit/ LSPP
/etc/audit/????LSPP
/etc/libaudit.conf????LSPP
/usr/sbin/stunnel? ? LSPP
/var/spool/at????LSPP
/etc/at.allow????LSPP
/etc/at.deny????LSPP
/etc/cron.allow????LSPP
/etc/cron.deny????LSPP
/etc/cron.d/????LSPP
/etc/cron.daily/????LSPP
/etc/cron.hourly/????LSPP
/etc/cron.monthly/????LSPP
/etc/cron.weekly/????LSPP
/etc/crontab????LSPP
/var/spool/cron/root????LSPP
/etc/login.defs????LSPP
/etc/securetty????LSPP
/var/log/faillog????LSPP
/var/log/lastlog????LSPP
/etc/hosts????LSPP
/etc/sysconfig????LSPP
/etc/inittab????LSPP
/etc/grub/????LSPP
/etc/rc.d????LSPP
/etc/ld.so.conf????LSPP
/etc/localtime????LSPP
/etc/sysctl.conf????LSPP
/etc/modprobe.conf????LSPP
/etc/pam.d????LSPP
/etc/security????LSPP
/etc/aliases????LSPP
/etc/postfix????LSPP
/etc/ssh/sshd_config????LSPP
/etc/ssh/ssh_config????LSPP
/etc/stunnel????LSPP
/etc/vsftpd.ftpusers????LSPP
/etc/vsftpd????LSPP
/etc/issue????LSPP
/etc/issue.net????LSPP
/etc/cups????LSPP
#With AIDE's default verbosity level of 5, these would give lots of
#warnings upon tree traversal. It might change with future version.
#
#=/lost\+found??? DIR
#=/home?????????? DIR
#Ditto /var/log/sa reason...
!/var/log/and-httpd
#Admins dot files constantly change, just check perms
/root/\..*PERMS
# 初始化监控数据库
aide -c /etc/aide.conf --init ??
这步的时间较长,完成后会在/var/lib/aide下面生成一个名为:aide.db.new.gz的文件
# 把当前初始化的数据库作为开始的基础数据库
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# 在终端中查看检测结果
aide --check
下图是我添加一个账户账户,执行aide --check 的结果的部分截图。
# 如果确认文件变动是正常的改动更新改动到基础数据库
aide --update
cd /var/lib/aide/
mv aide.db.new.gz aide.db.gz? # 覆盖替换旧的数据库
# 检查文件改动保存到文件
aide --check --report=file:/tmp/aide-report-`date +%Y%m%d`.txt
# 定时任务执行aide检测报告和自动邮件发送aide检测报告
echo '0 8 * * * /usr/sbin/aide -C -V4 | mail -s "AIDE REPORT $(date+%Y%m%d)"? xxx@gmail.com' >> /var/spool/cron/root
注意:需要先配置好发邮件的程序。
-C参数和–check是一个意思
-V报告的详细程度可以通过-V选项来调控,级别为0-255, -V0 最简略,-V255 最详细。
腾讯云开发者
