What is AIDE?
AIDE (Advanced Intrusion Detection Environment) is an intrusion detection tool whose main purpose is checking file integrity.
Why do we need AIDE?
AIDE verifies data integrity by checking each file's permissions, timestamps, size, hash values and other attributes.
To use AIDE, you must run the initial check while the data is still intact, which produces a baseline database file. After an attack, that database lets you quickly locate the files that were tampered with.
The AIDE approach
- Install the aide package
- Run the initialisation check to generate the baseline database file
- Back up the database file to a safe location
- Use the database to run the intrusion check
1. Edit the configuration file (decide which files need to be checked)
vim /etc/aide.conf
@@define DBDIR /var/lib/aide #database directory
@@define LOGDIR /var/log/aide #log directory
database_out=file:@@{DBDIR}/aide.db.new.gz #database file name
/boot NORMAL #which directories to check, and with which rule
#The following are the attributes that can be checked (permissions, user, group, size, hash values, etc.)
#p: permissions
#i: inode
#n: number of links
#u: user
#g: group
#s: size
#m: mtime
#c: ctime
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
#For checking efficiency, all the default check directories and files are commented out here
#!/usr/src #a leading [!] marks a directory that must not be checked
#Batch commenting: use Vim's visual block mode
Ctrl+V --> Shift+I --> # --> ESC
2. Initialise the database for post-intrusion detection
Before any intrusion, check the data and generate the initial database
[root@server ~]# aide --init
AIDE, version 0.15.1
AIDE database at /var/lib/aide/aide.db.new.gz initialized.
The initialised database is stored in the /var/lib/aide/ directory
3. Checking after an intrusion
[root@server~]# cd /var/lib/aide/
[root@server~]# mv aide.db.new.gz aide.db.gz
[root@server~]# aide --check #check which data has changed
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2018-04-16 14:09:19
Summary:
Total number of files: 8822
Added files: 0 #files added
Removed files: 0 #files removed
Changed files: 2 #files changed
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /root/.viminfo
changed: /root/a.txt #this file was modified
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
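The baseline-then-compare logic that the three steps above walk through, as an added Python example (not part of the original post and not AIDE's own code): it records the attributes named in the rule (p, i, n, u, g, s, m, sha256) for every regular file under a tree, supports an exclusion in the spirit of the `!` rule, and reports added, removed and changed files. The directory tree and the tampering in demo() are constructed for the example.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Attributes from the rule set above: p (permissions), i (inode),
    n (link count), u (user), g (group), s (size), m (mtime), sha256."""
    st = path.stat()
    return {
        "p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
        "u": st.st_uid, "g": st.st_gid, "s": st.st_size, "m": int(st.st_mtime),
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
    }

def build_baseline(root: Path, exclude=()) -> dict:
    """Like `aide --init`: record every regular file under root.
    `exclude` plays the role of the `!/path` rule in aide.conf."""
    db = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or any(p.is_relative_to(root / e) for e in exclude):
            continue
        db[str(p.relative_to(root))] = file_record(p)
    return db

def check(baseline: dict, current: dict) -> dict:
    """Like `aide --check`: list added, removed and changed files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("etc", "boot", "src"):
            (root / sub).mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/bash\n")
        (root / "boot" / "vmlinuz").write_bytes(b"\x7fELF constructed image")
        (root / "src" / "scratch.c").write_text("int main(void) {}\n")
        baseline = build_baseline(root, exclude=("src",))  # taken before the incident
        # Simulated post-incident state: passwd edited, a file dropped in boot/,
        # and a change under the excluded src/ that must NOT be reported.
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/bash\n# edited\n")
        (root / "boot" / "dropped.bin").write_bytes(b"\x7fELF")
        (root / "src" / "scratch.c").write_text("/* changed */\n")
        return check(baseline, build_baseline(root, exclude=("src",)))

if __name__ == "__main__":
    print(demo())
```

As with AIDE itself, the baseline is only trustworthy if it was taken before the compromise and kept where an attacker cannot rewrite it, which is why step 3 of the approach backs the database up elsewhere.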