AIDE (Advanced Intrusion Detection Environment) is an intrusion detection tool whose main purpose is to check file integrity: it audits which files on a host have been changed.
AIDE builds a database of the files you specify, using aide.conf as its configuration file. The AIDE database can store a file's various attributes, including: permissions, inode number, owning user, owning group, file size, last modification time (mtime), creation time (ctime), last access time (atime), growing size, and link count. AIDE can also use the following algorithms to compute a checksum (hash) for each file: sha1, md5, rmd160, tiger.
Package: aide
Install AIDE
yum -y install aide
The configuration file specifies which files are checked
vim /etc/aide.conf
Example:
# Define the monitored attributes: permissions + inode + link count + user + group + size + last modification time + ctime + md5 checksum
R=p+i+n+u+g+s+m+c+md5
NORMAL = R+rmd160+sha256
/data/test.txt R
/bin/ps R+a
/usr/bin/crontab R+a
/etc PERMS
!/etc/mtab # "!" means this file is excluded from the check
Initialize the default AIDE database
/usr/local/bin/aide -i|--init
Install the newly generated database as the check database
cd /var/lib/aide
mv aide.db.new.gz aide.db.gz
Check
/usr/local/bin/aide -C|--check
aide -u | --update
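The init/check cycle above, re-implemented in miniature as an added example (not from these notes or from the AIDE project) so that the rule letters p/u/s/sha512 and the "!" exclusion are visible as data. Assumptions: files live in a constructed temp directory, exclusions are exact paths rather than AIDE's regex selectors, and only hashlib digest names are supported (no rmd160/tiger).

```python
import hashlib, os, stat, tempfile

# aide.conf attribute letters that come straight from stat(2)
STAT_ATTRS = {"p": lambda st: stat.S_IMODE(st.st_mode), "i": lambda st: st.st_ino,
              "n": lambda st: st.st_nlink, "u": lambda st: st.st_uid, "g": lambda st: st.st_gid,
              "s": lambda st: st.st_size, "m": lambda st: int(st.st_mtime), "c": lambda st: int(st.st_ctime)}

def read_attr(attr, st, path):
    """Return one attribute; any name not in STAT_ATTRS is taken as a hashlib digest (md5, sha256, sha512)."""
    if attr in STAT_ATTRS:
        return STAT_ATTRS[attr](st)
    h = hashlib.new(attr)
    with open(path, "rb") as f:
        h.update(f.read())
    return h.hexdigest()

def init_db(root, rule, excludes=()):
    """Like 'aide --init': record the rule's attributes for every regular file under root."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if path in excludes or not os.path.isfile(path):   # excludes = exact paths ('!' lines)
                continue
            st = os.stat(path)
            db[path] = {a: read_attr(a, st, path) for a in rule.split("+")}
    return db

def check(db, root, rule, excludes=()):
    """Like 'aide --check': rescan and return ({path: [changed attrs]}, added, removed)."""
    now = init_db(root, rule, excludes)
    changed = {p: [a for a in db[p] if db[p][a] != now[p][a]] for p in db if p in now}
    return {p: a for p, a in changed.items() if a}, set(now) - set(db), set(db) - set(now)

def demo():
    """Constructed scenario mirroring the notes: f1 excluded, f2 edited, f3's permissions changed."""
    root = tempfile.mkdtemp()
    for name in ("f1", "f2", "f3"):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"sample content for " + name.encode() + b"\n")
        os.chmod(path, 0o644)                      # fixed start mode so the 'p' change below is real
    excl = {os.path.join(root, "f1")}
    rule = "p+u+s+sha512"                          # the notes' m42 rule
    db = init_db(root, rule, excl)
    with open(os.path.join(root, "f1"), "ab") as f: f.write(b"ignored, like !/data/f1\n")
    with open(os.path.join(root, "f2"), "wb") as f: f.write(b"edited\n")   # size and sha512 change
    os.chmod(os.path.join(root, "f3"), 0o600)      # chown needs root; a mode change trips 'p' instead
    changed, added, removed = check(db, root, rule, excl)
    return {os.path.basename(p): a for p, a in changed.items()}, len(added), len(removed)
```

The demo reports f2 as changed in s and sha512 and f3 in p, while the appended f1 is never seen, which is the same picture the real aide --check output below gives for /data/f2 and /data/f3.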
Worked example:
[root@centos8 ~]#yum -y install aide
[root@centos8 ~]#rpm -ql aide
[root@centos8 ~]#cd /data/
[root@centos8 data]#cp /etc/passwd f1
[root@centos8 data]#cp /etc/fstab f2
[root@centos8 data]#cp /etc/centos-release f3
[root@centos8 ~]#vim /etc/aide.conf
# Under the line NORMAL = FIPSR+sha512, add:
m42 = p+u+s+sha512
Delete every line after the comment "# Next decide what directories/files you want in the database." and add the following:
/data m42
!/data/f1
Save and exit
[root@centos8 ~]#aide --init
Start timestamp: 2020-09-08 16:36:13 +0800 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz
Number of entries: 3
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new.gz
MD5 : 9cab032NkKPKdauvxBrWww==
SHA1 : s45eCIQbJliJfEY32Hl/cbdgfVo=
RMD160 : qLQsGwsbBVfaX7YBcGpm1cG/hLM=
TIGER : IWoARQ1npzdLoAheeIzK1EYxF6ELd+NQ
SHA256 : yshxS7AHCE/+OdPDc022RfREWtfKcuSD
5cy7FGUxM3M=
SHA512 : hXPssHkXERh1nGBExCWCBGtWkSHZFAg9
GGq7RX/9iVosML6y0yBC/+2E1e0k3ePJ
uiPY1jTfV7i3cXGMd02bKQ==
End timestamp: 2020-09-08 16:36:13 +0800 (run time: 0m 0s)
[root@centos8 data]#ll
total 12
-rw-r--r-- 1 root root 1122 Sep 8 16:41 f1
-rw-r--r-- 1 root root 655 Sep 8 16:49 f2
-rw-r--r-- 1 root root 38 Sep 8 16:35 f3
[root@centos8 data]#aide -C
Start timestamp: 2020-09-08 16:51:34 +0800 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
Number of entries: 3
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz
MD5 : crGvNmhXmIyUhnL6+/7RGg==
SHA1 : s0XNVm7cWIdt1lyrjpAn9u1nVvg=
RMD160 : IvIQwH1qI2wG/D6pg/8pvfkjCS4=
TIGER : n6wJ2Tt6Y6lkoeblRUU0Aw2mgwEOkdG0
SHA256 : PsUh/smr86wBD5J4lAGevuWSp0WSeFgu
FBUAY8zjX8o=
SHA512 : mZAodaKSoOCOO4CS3eKVHCrd1tUp4I/1
AMOFQ++tJsNpSqoy9Np2ghtq7SLbVXsg
wXZJfZr2rrZwMe0JSUHkfQ==
End timestamp: 2020-09-08 16:51:34 +0800 (run time: 0m 0s)
[root@centos8 ~]#vim /data/f1
# delete one line
[root@centos8 ~]#vim /data/f2
# change some content
[root@centos8 ~]#chown kobe /data/f3
[root@centos8 ~]#ll /data/
total 12
-rw-r--r-- 1 root root 1122 Sep 8 16:41 f1
-rw-r--r-- 1 root root 26 Sep 8 16:41 f2
-rw-r--r-- 1 kobe root 38 Sep 8 16:35 f3
[root@centos8 ~]#
[root@centos8 ~]#mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[root@centos8 ~]#aide --check
Start timestamp: 2020-09-08 16:44:20 +0800 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 3
Added entries: 0
Removed entries: 0
Changed entries: 2
---------------------------------------------------
Changed entries:
---------------------------------------------------
f > .. C : /data/f2
f = .u . : /data/f3
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /data/f2
Size : 23 | 26
SHA512 : iMk0LkwqI+Ya8hi5tmgIkl3p0rC9bus0 | EJo0mS+mWj20W6ybDTCJ3Nq+sQNNBcsr
E/+YKdgpWynFiK7UutUOJiX7GrYQsbF0 | gqSDAPBmH2acV/qFCBWil+puK3IhY+Jf
VoSjpj8OwdQdSXpbBmi0cg== | iY6tpzwYzW1gfeyF3yMO5A==
File: /data/f3
Uid : 0 | 1000
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz
MD5 : 9cab032NkKPKdauvxBrWww==
SHA1 : s45eCIQbJliJfEY32Hl/cbdgfVo=
RMD160 : qLQsGwsbBVfaX7YBcGpm1cG/hLM=
TIGER : IWoARQ1npzdLoAheeIzK1EYxF6ELd+NQ
SHA256 : yshxS7AHCE/+OdPDc022RfREWtfKcuSD
5cy7FGUxM3M=
SHA512 : hXPssHkXERh1nGBExCWCBGtWkSHZFAg9
GGq7RX/9iVosML6y0yBC/+2E1e0k3ePJ
uiPY1jTfV7i3cXGMd02bKQ==
End timestamp: 2020-09-08 16:44:20 +0800 (run time: 0m 0s)
[root@centos8 data]#cd /var/lib/aide/
[root@centos8 aide]#aide -u
Start timestamp: 2020-09-08 16:53:53 +0800 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
New AIDE database written to /var/lib/aide/aide.db.new.gz
Number of entries: 3
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz
MD5 : crGvNmhXmIyUhnL6+/7RGg==
SHA1 : s0XNVm7cWIdt1lyrjpAn9u1nVvg=
RMD160 : IvIQwH1qI2wG/D6pg/8pvfkjCS4=
TIGER : n6wJ2Tt6Y6lkoeblRUU0Aw2mgwEOkdG0
SHA256 : PsUh/smr86wBD5J4lAGevuWSp0WSeFgu
FBUAY8zjX8o=
SHA512 : mZAodaKSoOCOO4CS3eKVHCrd1tUp4I/1
AMOFQ++tJsNpSqoy9Np2ghtq7SLbVXsg
wXZJfZr2rrZwMe0JSUHkfQ==
/var/lib/aide/aide.db.new.gz
MD5 : mO11YzB/S3XBvPvy2Wfy7A==
SHA1 : VxxnqJgcvO2+pQGQNUmOtZboaZk=
RMD160 : TGvEssctBmR+zhBBtdwPZqE8X+o=
TIGER : 2Lltm0TRwUrADVv+k9jTTjDLtmE1voPj
SHA256 : B32Gv7eX+kQG2JeUHpoUgXsOrl8h5Oxl
Vq3u4s8bImo=
SHA512 : iFzz0p7+JUx2iaZJZNPWUJ7A+1QezznW
QvIx/6ddiquYDmVzsDuqpfxqflxq/d5+
/COn3ggd4UgDMPtJV0d2iw==
End timestamp: 2020-09-08 16:53:53 +0800 (run time: 0m 0s)
[root@centos8 aide]#ls
aide.db.gz aide.db.new.gz
[root@centos8 aide]#mv aide.db.new.gz aide.db.gz
mv: overwrite 'aide.db.gz'? y
[root@centos8 aide]#
[root@centos8 aide]#aide -C
Start timestamp: 2020-09-08 16:55:15 +0800 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
Number of entries: 3
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz
MD5 : mO11YzB/S3XBvPvy2Wfy7A==
SHA1 : VxxnqJgcvO2+pQGQNUmOtZboaZk=
RMD160 : TGvEssctBmR+zhBBtdwPZqE8X+o=
TIGER : 2Lltm0TRwUrADVv+k9jTTjDLtmE1voPj
SHA256 : B32Gv7eX+kQG2JeUHpoUgXsOrl8h5Oxl
Vq3u4s8bImo=
SHA512 : iFzz0p7+JUx2iaZJZNPWUJ7A+1QezznW
QvIx/6ddiquYDmVzsDuqpfxqflxq/d5+
/COn3ggd4UgDMPtJV0d2iw==
End timestamp: 2020-09-08 16:55:15 +0800 (run time: 0m 0s)