1、aide介绍
AIDE(Adevanced Intrusion Detection Environment,高级入侵检测环境)是个入侵检测工具,主要用途是检查文本的完整性。
AIDE能够构造一个指定文档的数据库,他使用aide.conf作为其配置文档。AIDE数据库能够保存文档的各种属性,包括:权限(permission)、索引节点序号(inode number)、所属用户(user)、所属用户组(group)、文档大小、最后修改时间(mtime)、创建时间(ctime)、最后访问时间(atime)、增加的大小连同连接数。AIDE还能够使用下列算法:sha1、md5、rmd160、tiger,以密文形式建立每个文档的校验码或散列号。
常见的入侵检测软件: tripwire–操作比较复杂,aide–用以代替tripwire,比较简单.
2、aide安装 配置使用
#yum rpm二进制安装
yum -y install aide
我的配置文件mv?/etc/aide.conf?/etc/aide.conf.bakvim /etc/aide.conf
# Example configuration file for AIDE.@@define DBDIR /var/lib/aide #基准数据库目录@@define LOGDIR /var/log/aide #日志目录# The location of the database to be read.database=file:@@{DBDIR}/aide.db.gz #基础数据库文件# The location of the database to be written.#database_out=sql:host:port:database:login_name:passwd:table#database_out=file:aide.db.newdatabase_out=file:@@{DBDIR}/aide.db.new.gz #更新数据库文件# Whether to gzip the output to databasegzip_dbout=yes# Default.verbose=5report_url=file:@@{LOGDIR}/aide.logreport_url=stdout#report_url=stderr#NOT IMPLEMENTED report_url=mailto:root@foo.com#NOT IMPLEMENTED report_url=syslog:LOG_AUTH# These are the default rules.##p: permissions#i: inode:#n: number of links#u: user#g: group#s: size#b: block count#m: mtime#a: atime#c: ctime#S: check for growing size#acl: Access Control Lists#selinux SELinux security context#xattrs: Extended file attributes#md5: md5 checksum#sha1: sha1 checksum#sha256: sha256 checksum#sha512: sha512 checksum#rmd160: rmd160 checksum#tiger: tiger checksum#haval: haval checksum (MHASH only)#gost: gost checksum (MHASH only)#crc32: crc32 checksum (MHASH only)#whirlpool: whirlpool checksum (MHASH only)#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5#L: p+i+n+u+g+acl+selinux+xattrs#E: Empty group#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrsR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5L = p+i+n+u+g+acl+selinux+xattrs> = p+u+g+i+n+S+acl+selinux+xattrs# You can create custom rules like this.# With MHASH...# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger# Everything but access time (Ie. all changes)EVERYTHING = R+ALLXTRAHASHES# Sane, with multiple hashes# NORMAL = R+rmd160+sha256+whirlpoolNORMAL = R+rmd160+sha256# For directories, don't bother doing hashesDIR = p+i+n+u+g+acl+selinux+xattrs# Access control onlyPERMS = p+i+u+g+acl+selinux# Logfile are special, in that they often changeLOG = ># Just do md5 and sha256 hashesLSPP = R+sha256# Some files get updated automatically, so the inode/ctime/mtime change# but we want to know when the data inside them changesDATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger# Next decide what directories/files you want in the database./boot NORMAL/bin NORMAL/sbin NORMAL/lib NORMAL/lib64 NORMAL/opt NORMAL/usr NORMAL/root NORMAL# These are too volatile!/usr/src!/usr/tmp!/usr/share #通过文件路径前面加感叹号 ! 排除这个路径的监控,请自定义# Check only permissions, inode, user and group for /etc, but# cover some important files closely./etc PERMS!/etc/mtab# Ignore backup files!/etc/.*~/etc/exports NORMAL/etc/fstab NORMAL/etc/passwd NORMAL/etc/group NORMAL/etc/gshadow NORMAL/etc/shadow NORMAL/etc/security/opasswd NORMAL/etc/hosts.allow NORMAL/etc/hosts.deny NORMAL/etc/sudoers NORMAL/etc/skel NORMAL/etc/logrotate.d NORMAL/etc/resolv.conf DATAONLY/etc/nscd.conf NORMAL/etc/securetty NORMAL# Shell/X starting files/etc/profile NORMAL/etc/bashrc NORMAL/etc/bash_completion.d/ NORMAL/etc/login.defs NORMAL/etc/zprofile NORMAL/etc/zshrc NORMAL/etc/zlogin NORMAL/etc/zlogout NORMAL/etc/profile.d/ NORMAL/etc/X11/ NORMAL# Pkg manager/etc/yum.conf NORMAL/etc/yumex.conf NORMAL/etc/yumex.profiles.conf NORMAL/etc/yum/ NORMAL/etc/yum.repos.d/ NORMAL/var/log LOG/var/run/utmp LOG# This gets new/removes-old filenames daily!/var/log/sa# As we are checking it, we've truncated yesterdays size to zero.!/var/log/aide.log# LSPP rules...# AIDE produces an audit record, so this becomes perpetual motion.# /var/log/audit/ LSPP/etc/audit/ LSPP/etc/libaudit.conf LSPP/usr/sbin/stunnel LSPP/var/spool/at LSPP/etc/at.allow LSPP/etc/at.deny LSPP/etc/cron.allow LSPP/etc/cron.deny LSPP/etc/cron.d/ LSPP/etc/cron.daily/ LSPP/etc/cron.hourly/ LSPP/etc/cron.monthly/ LSPP/etc/cron.weekly/ LSPP/etc/crontab LSPP/var/spool/cron/root LSPP/etc/login.defs LSPP/etc/securetty LSPP/var/log/faillog LSPP/var/log/lastlog LSPP/etc/hosts LSPP/etc/sysconfig LSPP/etc/inittab LSPP/etc/grub/ LSPP/etc/rc.d LSPP/etc/ld.so.conf LSPP/etc/localtime LSPP/etc/sysctl.conf LSPP/etc/modprobe.conf LSPP/etc/pam.d LSPP/etc/security LSPP/etc/aliases LSPP/etc/postfix LSPP/etc/ssh/sshd_config LSPP/etc/ssh/ssh_config LSPP/etc/stunnel LSPP/etc/vsftpd.ftpusers LSPP/etc/vsftpd LSPP/etc/issue LSPP/etc/issue.net LSPP/etc/cups LSPP# With AIDE's default verbosity level of 5, these would give lots of# warnings upon tree traversal. It might change with future version.##=/lost\+found DIR#=/home DIR# Ditto /var/log/sa reason...!/var/log/and-httpd# Admins dot files constantly change, just check perms/root/\..* PERMS
#初始化监控数据库(这需要一些时间)/usr/sbin/aide -c /etc/aide.conf --init?#把当前初始化的数据库作为开始的基础数据库cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz?#如果是正常的改动 更新改动到基础数据库aide --updatecd /var/lib/aide/#覆盖替换旧的数据库mv aide.db.new.gz aide.db.gz?#在终端中查看检测结果aide --check?#检查文件改动 保存到文件aide --check --report=file:/tmp/aide-report-`date +%Y%m%d`.txt?#定时任务执行aide检测报告和自动邮件发送aide检测报告(如果没有mail, yum install mail,还需要有本地邮件服务支持, yum install sendmail;/etc/init.d/sendmail start)crontab -e00 02 * * * /usr/sbin/aide -C -V4 | /bin/mail -s "AIDE REPORT $(date +%Y%m%d)" ?root@localhost
-C参数和 –check是一个意思-V 报告的详细程度可以通过-V选项来调控,级别为0-255, -V0 最简略,-V255 最详细。[root@dev ~]# aide –helpAide 0.14Usage: aide [options] commandCommands:? -i, –initInitialize the database? -C, –checkCheck the database? -u, –updateCheck and update the database non-interactively? ? ? –compareCompare two databasesMiscellaneous:? -D, –config-checkTest the configuration file? -v, –versionShow version of AIDE and compilation options? -h, –helpShow this help messageOptions:? -c [cfgfile]–config=[cfgfile]Get config options from [cfgfile]? -B “OPTION”–before=”OPTION”Before configuration file is read define OPTION? -A “OPTION”–after=”OPTION”After configuration file is read define OPTION? -r [reporter]–report=[reporter]Write report output to [reporter] url? -V[level]–verbose=[level]Set debug message level to [level]4、使用中遇到的问题 错误
执行?/usr/sbin/aide -c /etc/aide.conf –init 或者 aide -i 后报错
lgetfilecon_raw failed for /var/log/yum.log:No data availablelgetfilecon_raw failed for /var/log/messages.2:No data availablelgetfilecon_raw failed for /var/log/cron:No data availablelgetfilecon_raw failed for /var/log/messages.3:No data availablelgetfilecon_raw failed for /var/log/messages.1:No data availablelgetfilecon_raw failed for /var/log/sdsvrd.log:No data availablelgetfilecon_raw failed for /var/log/spooler.3:No data availablelgetfilecon_raw failed for /var/log/cron.3:No data availablelgetfilecon_raw failed for /var/log/cron.1:No data availablelgetfilecon_raw failed for /var/log/sdupdate.log:No data availablelgetfilecon_raw failed for /var/log/rsyncd.log:No data availablelgetfilecon_raw failed for /var/log/maillog.3:No data availablelgetfilecon_raw failed for /var/log/rpmpkgs.3:No data availablelgetfilecon_raw failed for /var/log/pm/suspend.log:No data availablelgetfilecon_raw failed for /var/log/prelink/prelink.log:No data available
以下配置项改为如下.
#/etc/aide.confALLXTRAHASHES = sha1+rmd160+sha256+sha512+tigerEVERYTHING = p+i+n+u+g+s+m+c+acl+xattrs+md5+ALLXTRAHASHESNORMAL = p+i+n+u+g+s+m+c+acl+xattrs+md5+rmd160+sha256DIR = p+i+n+u+g+acl+xattrsPERMS = p+i+u+g+aclLOG = p+u+g+i+n+S+acl+xattrsLSPP = p+i+n+u+g+s+m+c+acl+xattrs+md5+sha256DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
参考来源:How to Fix Aide “lgetfilecon_raw failed for / : No data available” errors
5、参考官网?http://aide.sourceforge.net/AIDE –Linux高级入侵检测?http://gupt12.blog.51cto.com/7651206/1263183
原文地址:使用AIDE做Linux高级入侵检测文件监控, 感谢原作者分享。 旅行要学会随遇而安,淡然一点,走走停停,