AIDE: a file integrity checking tool
An attacker may modify the ps command, replacing the `ps -aux` that administrators habitually run, so that the administrator cannot see the trojan process that is running, or may replace the crontab program, and so on. This shows how important it is to check the integrity of the system. There are currently two main file integrity checkers available: Tripwire and AIDE. The former is commercial software, the latter is free software.
Install the AIDE tool:
yum install aide
# Install from the installation disc
[root@localhost yum.repos.d]#mount /dev/sr0 /mnt
mount: /dev/sr0 is write-protected, mounting read-only
View the AIDE package description:
[root@localhost yum.repos.d]#rpm -qi aide
Name : aide
Version : 0.15.1
Release : 13.el7
Architecture: x86_64
Install Date: Fri 22 May 2020 04:41:04 PM CST
Group : Applications/System
Size : 318333
License : GPLv2+
Signature : RSA/SHA256, Thu 10 Aug 2017 10:56:17 PM CST, Key ID 24c6a8a7f4a80eb5
Source RPM : aide-0.15.1-13.el7.src.rpm
Build Date : Thu 03 Aug 2017 01:00:53 PM CST
Build Host : c1bm.rdu2.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem <http://bugs.centos.org>
Vendor : CentOS
URL : http://sourceforge.net/projects/aide
Summary : Intrusion detection environment
Description :
AIDE (Advanced Intrusion Detection Environment) is a file integrity
checker and intrusion detection program.
List the files installed by the AIDE package:
[root@localhost yum.repos.d]#rpm -ql aide
/etc/aide.conf
# Configuration file: selects which items AIDE monitors
/etc/logrotate.d/aide
/usr/sbin/aide
/usr/share/doc/aide-0.15.1
/usr/share/doc/aide-0.15.1/AUTHORS
/usr/share/doc/aide-0.15.1/COPYING
/usr/share/doc/aide-0.15.1/ChangeLog
/usr/share/doc/aide-0.15.1/NEWS
/usr/share/doc/aide-0.15.1/README
/usr/share/doc/aide-0.15.1/README.quickstart
/usr/share/doc/aide-0.15.1/contrib
/usr/share/doc/aide-0.15.1/contrib/aide-attributes.sh
/usr/share/doc/aide-0.15.1/contrib/bzip2.sh
/usr/share/doc/aide-0.15.1/contrib/gpg2_check.sh
/usr/share/doc/aide-0.15.1/contrib/gpg2_update.sh
/usr/share/doc/aide-0.15.1/contrib/gpg_check.sh
/usr/share/doc/aide-0.15.1/contrib/gpg_update.sh
/usr/share/doc/aide-0.15.1/contrib/sshaide.sh
/usr/share/doc/aide-0.15.1/manual.html
/usr/share/man/man1/aide.
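The baseline-then-check cycle that AIDE performs, as an added example that is not part of the original post and not AIDE's own code: a portable-shell stand-in that records sha256 hashes of a constructed directory, then reports which files have changed or disappeared, the way a replaced ps or crontab binary would show up. With AIDE itself the equivalent steps are `aide --init` to build the database and `aide --check` to compare the live system against it, with the monitored paths and attributes chosen in /etc/aide.conf; the example assumes `find`, `sha256sum` and `mktemp` are available.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal baseline-then-check
# cycle in portable shell, mirroring what AIDE does with `aide --init`
# (build the database) and `aide --check` (compare the live tree with it).
# Only sha256 is recorded here; AIDE also stores permissions, owner, size,
# inode and mtime according to the rules in /etc/aide.conf.

# Baseline: one "sha256  path" line per regular file under $1, written to $2.
integrity_init() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$2"
}

# Compare the live tree with the baseline in $1. Reports each changed or
# missing file and returns the number of such files (0 = tree unchanged).
integrity_check() {
    changed=0
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            changed=$((changed + 1))
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "CHANGED  $path"
            changed=$((changed + 1))
        fi
    done < "$1"
    return "$changed"
}

# Demo on a constructed tree: take a baseline, then overwrite the "ps" file
# so it looks like a replaced binary, and count what the check flags.
# Prints "<changes before> <changes after>", i.e. "0 1".
integrity_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/bin"
    printf 'original ps\n'      > "$work/bin/ps"
    printf 'original crontab\n' > "$work/bin/crontab"
    integrity_init "$work/bin" "$work/aide.db"   # constructed baseline file
    before=0; integrity_check "$work/aide.db" >/dev/null || before=$?
    printf 'replaced ps\n' > "$work/bin/ps"      # simulated tampering
    after=0;  integrity_check "$work/aide.db" >/dev/null || after=$?
    rm -rf "$work"
    echo "$before $after"
}
```

The baseline must be stored somewhere the checked host cannot rewrite (AIDE's README.quickstart recommends read-only media or a remote copy), otherwise an attacker who replaces a binary can simply regenerate the database.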