Common intrusion detection software:

  • tripwire -- relatively complex to operate
  • aide -- a newer product intended to replace tripwire
  • aide website: http://aide.sourceforge.net/
  • If your English isn't too poor, I suggest you don't settle for second-hand material like I did; read the official documentation, it has everything!


1. Overview of AIDE

AIDE (Advanced Intrusion Detection Environment) is an intrusion detection tool whose main purpose is checking file integrity.

AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker.

What does it do?

It creates a database from the regular expression rules that it finds from the config file(s). Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (see below) that are used to check the integrity of the file. All of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions. See the manual pages within the distribution for further info.

Features
  • supported message digest algorithms: md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool (additionally with libmhash: gost, haval, crc32b)
  • supported file attributes: File type, Permissions, Inode, Uid, Gid, Link name, Size, Block count, Number of links, Mtime, Ctime and Atime
  • support for Posix ACL, SELinux, XAttrs and Extended file system attributes if support is compiled in
  • plain text configuration files and database for simplicity
  • powerful regular expression support to selectively include or exclude files and directories to be monitored
  • gzip database compression if zlib support is compiled in
  • stand alone static binary for easy client/server monitoring configurations
  • and many more
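To make the "create a database, then verify against it" cycle described above concrete, here is a miniature integrity checker added for this post (it is not AIDE's own code and is far simpler than AIDE). It records, for every regular file under a directory, a SHA-256 digest plus a few inode attributes (mode, uid, gid, size, mtime), then reports files that were added, removed or changed. It assumes bash 4 with GNU coreutils (sha256sum, stat -c, sort -z) on Linux, and the directory and database paths it is run against are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example, not AIDE's code: a miniature file-integrity checker that
# mirrors AIDE's init/check cycle. Assumes GNU coreutils on Linux; file
# names must not contain newlines.

# snapshot DIR: print "path|sha256|mode|uid|gid|size|mtime" for every file
snapshot() {
    local dir=$1 f
    find "$dir" -type f -print0 | sort -z | while IFS= read -r -d '' f; do
        printf '%s|%s|%s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat -c '%a|%u|%g|%s|%Y' "$f")"
    done
}

# baseline_init DIR DBFILE: write the baseline (the equivalent of `aide -i`)
baseline_init() {
    snapshot "$1" > "$2"
}

# baseline_check DIR DBFILE: compare the live tree with DBFILE; prints one
# ADDED/REMOVED/CHANGED line per difference and returns 1 if any were found,
# 0 otherwise (the equivalent of `aide --check`)
baseline_check() {
    local dir=$1 db=$2 status=0 path rest p
    declare -A old seen
    # load the baseline: path -> recorded digest and attributes
    while IFS='|' read -r path rest; do
        old["$path"]=$rest
    done < "$db"
    # walk the live tree and compare each file with its baseline record
    while IFS='|' read -r path rest; do
        seen["$path"]=1
        if [ -z "${old[$path]+x}" ]; then
            echo "ADDED   $path"; status=1
        elif [ "${old[$path]}" != "$rest" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < <(snapshot "$dir")
    # anything in the baseline that was not seen on disk has been removed
    for p in "${!old[@]}"; do
        if [ -z "${seen[$p]+x}" ]; then
            echo "REMOVED $p"; status=1
        fi
    done
    return "$status"
}
```

Run `baseline_init /root/test /var/lib/mini-aide.db` once, then `baseline_check /root/test /var/lib/mini-aide.db` on a schedule; a non-zero return is the signal to look at the printed lines. Keeping the database file outside the monitored tree (and ideally on read-only media, as the AIDE documentation recommends for its own database) matters, because a checker is only as trustworthy as its baseline.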

2. Using AIDE

wget http://mirrors.163.com/.help/CentOS6-Base-163.repo -O /etc/yum.repos.d/CentOS6-Base-163.repo
#add the 163 yum mirror; then install aide either from a downloaded rpm or from the repo (one of the two is enough)
rpm -ivh aide-0.14-3.el6_2.2.i686.rpm
yum install aide -y

mkdir test
cp /etc/passwd test/
#create a test directory holding a copy of /etc/passwd to monitor (run this in /root, since the config below watches /root/test)
mv /etc/aide.conf{,.bak}
grep -v '^#' /etc/aide.conf.bak | grep -v '^$' > /etc/aide.conf
#back up the shipped config and keep a copy with comments and blank lines stripped

vim /etc/aide.conf
#edit the trimmed config so that it contains the following

@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# baseline database read by --check, and the file -i/--update write the new database to
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
gzip_dbout=yes
verbose=5
# a report may be sent to several destinations at once
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
# rule groups: p perms, i inode, n link count, u uid, g gid, s size; R is AIDE's
# built-in default group, > marks a growing log file (size may only increase)
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
EVERYTHING = R+ALLXTRAHASHES
NORMAL = R+rmd160+sha256
DIR = p+i+n+u+g+acl+selinux+xattrs
PERMS = p+i+u+g+acl+selinux
LOG = >
LSPP = R+sha256
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
# what to monitor: paths are regular expressions, a leading ! excludes
/root/test   NORMAL
!/var/log/and-httpd
/root/\..* PERMS

aide --help
#show the available options

aide -i
#initialize the baseline database (written to database_out, i.e. aide.db.new.gz)

cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
#make the newly created database the baseline

echo "hello ,world " >> test/passwd
#modify a monitored file

aide -c /etc/aide.conf --check
#check whether anything has changed

aide -c /etc/aide.conf --update
#if the change was a legitimate operation, update the database (again written to aide.db.new.gz)

cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
#use the updated database as the new baseline

/usr/sbin/aide -c /etc/aide.conf --check | mail -s "test aide" xx@163.com
#if any monitored file has changed, notify the administrator by mail; this can of course also be made a scheduled (cron) job
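The mail pipe above sends a message on every run, whether or not anything changed, so the administrator soon stops reading them. The following cron-friendly wrapper is an added example written for this post (not from the original or from the AIDE project): it mails only when AIDE reports a difference or fails, and puts a one-line summary in the subject. It relies on the exit-status convention documented in the aide(1) man page (bit 1 = new files, bit 2 = removed files, bit 4 = changed files, 14 and above = errors); check that against the man page of the version you installed. ADMIN_MAIL and AIDE_CONF are assumed defaults to adjust for your site.

```shell
#!/usr/bin/env bash
# Added example, not the post's or AIDE's own code: run `aide --check` and mail
# the report only when something changed or the check itself failed.
# Assumes the aide(1) exit-status convention: 1 added, 2 removed, 4 changed
# (bitwise OR), >= 14 error. ADMIN_MAIL/AIDE_CONF are assumed defaults.
ADMIN_MAIL=${ADMIN_MAIL:-admin@example.com}
AIDE_CONF=${AIDE_CONF:-/etc/aide.conf}

# aide_status_summary CODE: translate an aide --check exit code into words
aide_status_summary() {
    local code=$1 out=""
    if [ "$code" -eq 0 ]; then echo "no changes"; return 0; fi
    # anything outside the 1..7 bit range is not a change report but an error
    if [ "$code" -gt 7 ]; then echo "error (exit $code)"; return 0; fi
    [ $((code & 1)) -ne 0 ] && out="$out added"
    [ $((code & 2)) -ne 0 ] && out="$out removed"
    [ $((code & 4)) -ne 0 ] && out="$out changed"
    echo "${out# }"
}

# aide_check_notify: run the check, keep the report in a temp file, mail it
# only on change or error, and pass AIDE's exit code through to the caller
aide_check_notify() {
    local report rc summary
    report=$(mktemp)
    if aide -c "$AIDE_CONF" --check > "$report" 2>&1; then
        rc=0
    else
        rc=$?
    fi
    summary=$(aide_status_summary "$rc")
    if [ "$rc" -ne 0 ]; then
        mail -s "AIDE on $(hostname): $summary" "$ADMIN_MAIL" < "$report"
    fi
    rm -f "$report"
    return "$rc"
}
```

Save the functions in a script that ends with a call to `aide_check_notify` and run it from a daily cron entry; because the exit code is passed through, a monitoring agent can also pick up the result without parsing the mail. Note that after a legitimate change you still need the `--update` and `cp` steps above, otherwise every subsequent run keeps mailing the same differences.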