欢迎光临
我们一直在努力

使用AIDE监控Linux系统文件入侵检测

AIDE 简介

  • AIDE(Advanced Intrusion Detection Environment,高级入侵检测环境)是个入侵检测工具,主要用途是检查文档的完整性。
  • 安装和配置基于主机的IDS(入侵检测系统)“AIDE”(高级入侵检测环境)

安装

[root@u22e.com ~]# yum -y install aide

修改配置文件

vim /etc/aide.conf

# Example configuration file for AIDE.

@@define DBDIR /var/lib/aide #基准数据库目录
@@define LOGDIR /var/log/aide #日志目录

# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz #基础数据库文件

# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz #更新数据库文件

# Whether to gzip the output to database
gzip_dbout=yes

# Default.
verbose=5

report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH

# These are the default rules.
#
#p:      permissions
#i:      inode:
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#acl:           Access Control Lists
#selinux        SELinux security context
#xattrs:        Extended file attributes
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256:        sha256 checksum
#sha512:        sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum

#haval:  haval checksum (MHASH only)
#gost:   gost checksum (MHASH only)
#crc32:  crc32 checksum (MHASH only)
#whirlpool:     whirlpool checksum (MHASH only)

#R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L:             p+i+n+u+g+acl+selinux+xattrs
#E:             Empty group
#>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
R = p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
L = p+i+n+u+g+acl+selinux+xattrs
> = p+u+g+i+n+S+acl+selinux+xattrs


# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES

# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256

# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs

# Access control only
PERMS = p+i+u+g+acl+selinux

# Logfile are special, in that they often change
LOG = >

# Just do md5 and sha256 hashes
LSPP = R+sha256

# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger

# Next decide what directories/files you want in the database.

/boot   NORMAL
/bin    NORMAL
/sbin   NORMAL
/lib    NORMAL
/lib64  NORMAL
/opt    NORMAL
/usr    NORMAL
/root   NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
!/usr/share #通过文件路径前面加感叹号 ! 排除这个路径的监控,请自定义
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc    PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports  NORMAL
/etc/fstab    NORMAL
/etc/passwd   NORMAL
/etc/group    NORMAL
/etc/gshadow  NORMAL
/etc/shadow   NORMAL
/etc/security/opasswd   NORMAL

/etc/hosts.allow   NORMAL
/etc/hosts.deny    NORMAL

/etc/sudoers NORMAL
/etc/skel NORMAL

/etc/logrotate.d NORMAL

/etc/resolv.conf DATAONLY

/etc/nscd.conf NORMAL
/etc/securetty NORMAL

# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL

# Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL

/var/log   LOG
/var/run/utmp LOG

# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log

# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP

/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP

/etc/hosts LSPP
/etc/sysconfig LSPP

/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP

/etc/ld.so.conf LSPP

/etc/localtime LSPP

/etc/sysctl.conf LSPP

/etc/modprobe.conf LSPP

/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP

/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP

/etc/stunnel LSPP

/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP

/etc/issue LSPP
/etc/issue.net LSPP

/etc/cups LSPP

# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found    DIR
#=/home           DIR

# Ditto /var/log/sa reason...
!/var/log/and-httpd

# Admins dot files constantly change, just check perms
/root/\..* PERMS

使用方法

#初始化监控数据库(这需要一些时间)
/usr/sbin/aide -c /etc/aide.conf --init
 
#把当前初始化的数据库作为开始的基础数据库
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
 
#如果是正常的改动 更新改动到基础数据库
aide --update
cd /var/lib/aide/
#覆盖替换旧的数据库
mv aide.db.new.gz aide.db.gz
 
#在终端中查看检测结果
aide --check
 
#检查文件改动 保存到文件
aide --check --report=file:/tmp/aide-report-`date +%Y%m%d`.txt
 
#定时任务执行aide检测报告和自动邮件发送aide检测报告
(如果没有mail, yum install mail,还需要有本地邮件服务支持, 
yum install sendmail;/etc/init.d/sendmail start)
crontab -e
00 02 * * * /usr/sbin/aide -C -V4 | /bin/mail -s "AIDE REPORT $(date +%Y%m%d)"  root@localhost

使用中遇到的问题 错误

执行 /usr/sbin/aide -c /etc/aide.conf –init 或者 aide -i 后报错

lgetfilecon_raw failed for /var/log/yum.log:No data available
lgetfilecon_raw failed for /var/log/messages.2:No data available
lgetfilecon_raw failed for /var/log/cron:No data available
lgetfilecon_raw failed for /var/log/messages.3:No data available
lgetfilecon_raw failed for /var/log/messages.1:No data available
lgetfilecon_raw failed for /var/log/sdsvrd.log:No data available
lgetfilecon_raw failed for /var/log/spooler.3:No data available
lgetfilecon_raw failed for /var/log/cron.3:No data available
lgetfilecon_raw failed for /var/log/cron.1:No data available
lgetfilecon_raw failed for /var/log/sdupdate.log:No data available
lgetfilecon_raw failed for /var/log/rsyncd.log:No data available
lgetfilecon_raw failed for /var/log/maillog.3:No data available
lgetfilecon_raw failed for /var/log/rpmpkgs.3:No data available
lgetfilecon_raw failed for /var/log/pm/suspend.log:No data available
lgetfilecon_raw failed for /var/log/prelink/prelink.log:No data available

以下配置项改为如下.

#/etc/aide.conf
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
EVERYTHING = p+i+n+u+g+s+m+c+acl+xattrs+md5+ALLXTRAHASHES
NORMAL = p+i+n+u+g+s+m+c+acl+xattrs+md5+rmd160+sha256
DIR = p+i+n+u+g+acl+xattrs
PERMS = p+i+u+g+acl
LOG = p+u+g+i+n+S+acl+xattrs
LSPP = p+i+n+u+g+s+m+c+acl+xattrs+md5+sha256
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger

 

赞(0) 打赏
未经允许不得转载:运维那些事 » 使用AIDE监控Linux系统文件入侵检测

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

觉得文章有用就打赏一下文章作者

非常感谢你的打赏,我们将继续给力更多优质内容,让我们一起创建更加美好的网络世界!

支付宝扫一扫打赏

微信扫一扫打赏