Preparation
AIDE (Advanced Intrusion Detection Environment) is an intrusion detection tool whose main purpose is checking file integrity. AIDE builds a baseline database locally; once the operating system has been compromised, comparing the current state against that baseline yields a record of which files changed. It uses aide.conf as its configuration file. The AIDE database can store a file's various attributes, including: permissions, inode number, owning user, owning group, file size, last modification time (mtime), creation time (ctime), last access time (atime), growing size, and link count. AIDE can also use the following algorithms, sha1, md5, rmd160 and tiger, to compute a checksum or hash digest for each file.
Install aide
sudo yum install aide -y
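A minimal aide.conf that turns the attributes listed above into named rules, added here as an example and not taken from the page or from the aide package (the distribution's own /etc/aide.conf is much fuller). The database paths are the ones the page's output shows; the rule names STRICT and LOGS, the directory selection and the environment variable AIDE_WRITE_CONF are this example's own choices:

```sh
#!/bin/sh
# Added example, not part of the original post: write a minimal aide.conf that
# turns the attributes described above into named rules. Database paths follow
# the page; rule names, directory choices and AIDE_WRITE_CONF are assumptions.

write_aide_conf() {
    conf="$1"
    cat > "$conf" <<'EOF'
# AIDE 0.16 keywords: "database" is the baseline read by --check,
# "database_out" is where -i / --update write the new baseline.
database=file:/var/lib/aide/aide.db.gz
database_out=file:/var/lib/aide/aide.db.new.gz
gzip_dbout=yes
report_url=stdout

# Attribute letters: p permissions, i inode, n link count, u user, g group,
# s size, m mtime, c ctime (inode change time), a atime, S growing size;
# sha256/sha512 are content hashes.
STRICT = p+i+n+u+g+s+m+c+sha256+sha512
# Log files legitimately grow and are rewritten, so only check ownership,
# permissions and that the size never shrinks.
LOGS   = p+u+g+S

# Selection lines are regular expressions matched against the path prefix.
/boot    STRICT
/bin     STRICT
/sbin    STRICT
/etc     STRICT
/var/log LOGS
# "!" excludes paths that change on their own, so the report stays quiet.
!/etc/mtab
!/var/log/journal
EOF
    echo "$conf"
}

# Count the selection lines (those starting with /, !/ or =/) so a deployment
# script can sanity-check that the config actually covers something.
count_selection_lines() {
    grep -c '^[!=]*/' "$1"
}

# Only write a file when explicitly asked, so the helpers can be sourced.
if [ -n "${AIDE_WRITE_CONF:-}" ]; then
    write_aide_conf "$AIDE_WRITE_CONF"
fi
```

Run it as AIDE_WRITE_CONF=/tmp/aide.conf sh write-aide-conf.sh (assumed file name), then initialize with aide -c /tmp/aide.conf -i to see how much narrower the resulting database is than the one the page built from the stock configuration.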
Test
sudo aide -c /etc/aide.conf -i # initialize the database according to the aide.conf configuration file
# The output; this takes a long time
Start timestamp: 2021-02-18 21:01:53 +0800 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz
Number of entries: 139897
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new.gz
MD5 : ch1chDvEcQPzwNJhC8Chzw==
SHA1 : IZFt4fDvYdfQDrAOA1zQmrmv3z4=
RMD160 : cuT0spyPggygjlf4d8nrWx1gq24=
TIGER : ywAmKOrqyysx+/i0HywRXj9kj36ovLfZ
SHA256 : 9ERjvX9YQb8o0YbqrUyVNcgwVJI17W7a
qQv5pLjubD4=
SHA512 : eIioEjfVjT6jD6BStNkicGDv+zvyMR8w
ojtUd13ba2mdQitJ5fy11F/jUpwURjsH
jHd3xQgsFAjD+Q/hGvEgeg==
End timestamp: 2021-02-18 21:13:39 +0800 (run time: 11m 46s)
# Modify a file, then run aide --check
[root@localhost mywork]# aide --check
Start timestamp: 2021-02-18 21:19:27 +0800 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 139897
Added entries: 0
Removed entries: 0
Changed entries: 2
---------------------------------------------------
Changed entries:
---------------------------------------------------
f ... .C... : /etc/cups/subscriptions.conf
f ... .C... : /etc/cups/subscriptions.conf.O
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/cups/subscriptions.conf
SHA512 : c9HK7SWwyNt0blwrqVIUlfR7j+2u5OJ0 | h7zYo0az+l8IZho8/jUzFlojeYGzczDr
01gdmpaJ2gNA8ND92wPa5k1NfCy4b+d4 | PoE0azd7kykN+/aqm8u4EBQ17kiauE2p
sq25GKl0Zq5epDDrzu5hOw== | 9TCiebeGQcQilq0e1SXb6Q==
File: /etc/cups/subscriptions.conf.O
SHA512 : rE7ihF3k4HvRgMbKCqj/4ATA6PQnXNMs | c9HK7SWwyNt0blwrqVIUlfR7j+2u5OJ0
CEag5UCAAsLW7U7patnTlDP/z75h+IwF | 01gdmpaJ2gNA8ND92wPa5k1NfCy4b+d4
kKA0b6g0R8ves0fjWa6Wnw== | sq25GKl0Zq5epDDrzu5hOw==
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz
MD5 : ch1chDvEcQPzwNJhC8Chzw==
SHA1 : IZFt4fDvYdfQDrAOA1zQmrmv3z4=
RMD160 : cuT0spyPggygjlf4d8nrWx1gq24=
TIGER : ywAmKOrqyysx+/i0HywRXj9kj36ovLfZ
SHA256 : 9ERjvX9YQb8o0YbqrUyVNcgwVJI17W7a
qQv5pLjubD4=
SHA512 : eIioEjfVjT6jD6BStNkicGDv+zvyMR8w
ojtUd13ba2mdQitJ5fy11F/jUpwURjsH
jHd3xQgsFAjD+Q/hGvEgeg==
End timestamp: 2021-02-18 21:20:06 +0800 (run time: 0m 39s)
# If files need to be modified, the AIDE database must be updated with aide --update
[root@localhost mywork]# aide --update
Start timestamp: 2021-02-18 21:21:29 +0800 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz
Summary:
Total number of entries: 139897
Added entries: 0
Removed entries: 0
Changed entries: 2
---------------------------------------------------
Changed entries:
---------------------------------------------------
f ... .C... : /etc/cups/subscriptions.conf
f ... .C... : /etc/cups/subscriptions.conf.O
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/cups/subscriptions.conf
SHA512 : c9HK7SWwyNt0blwrqVIUlfR7j+2u5OJ0 | h7zYo0az+l8IZho8/jUzFlojeYGzczDr
01gdmpaJ2gNA8ND92wPa5k1NfCy4b+d4 | PoE0azd7kykN+/aqm8u4EBQ17kiauE2p
sq25GKl0Zq5epDDrzu5hOw== | 9TCiebeGQcQilq0e1SXb6Q==
File: /etc/cups/subscriptions.conf.O
SHA512 : rE7ihF3k4HvRgMbKCqj/4ATA6PQnXNMs | c9HK7SWwyNt0blwrqVIUlfR7j+2u5OJ0
CEag5UCAAsLW7U7patnTlDP/z75h+IwF | 01gdmpaJ2gNA8ND92wPa5k1NfCy4b+d4
kKA0b6g0R8ves0fjWa6Wnw== | sq25GKl0Zq5epDDrzu5hOw==
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz
MD5 : ch1chDvEcQPzwNJhC8Chzw==
SHA1 : IZFt4fDvYdfQDrAOA1zQmrmv3z4=
RMD160 : cuT0spyPggygjlf4d8nrWx1gq24=
TIGER : ywAmKOrqyysx+/i0HywRXj9kj36ovLfZ
SHA256 : 9ERjvX9YQb8o0YbqrUyVNcgwVJI17W7a
qQv5pLjubD4=
SHA512 : eIioEjfVjT6jD6BStNkicGDv+zvyMR8w
ojtUd13ba2mdQitJ5fy11F/jUpwURjsH
jHd3xQgsFAjD+Q/hGvEgeg==
/var/lib/aide/aide.db.new.gz
MD5 : H8wggkixschKJUDUi7MJbA==
SHA1 : n8Q2ehTG57zP3Eyh1N7BGpXfa6k=
RMD160 : rK/7BvOPgbBpNyz5ct9GDXJwoO4=
TIGER : 13+Q08fK4nfJFX5eyUkuqQTAFin+L4Ts
SHA256 : qK7b0jYHLjX4+OszBxYahNhJkPTxXchA
t3sCgJUY0r4=
SHA512 : a3nrdBFIe5XvcdZJpZZhaUWfpnz1YUCy
zmTg79Cg816WyPko7/BgDB6moGL2Rw15
qOd3SMEAF5yKBw4mEpK7Nw==
End timestamp: 2021-02-18 21:22:12 +0800 (run time: 0m 43s)
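The output above shows that both aide -i and aide --update write their result to /var/lib/aide/aide.db.new.gz, while aide --check reads /var/lib/aide/aide.db.gz, so the new file has to be copied into place before the next check compares against it. The following wrapper script, added as an example and not part of the original post, does that, maps AIDE's exit status (a bitmask: 1 added, 2 removed, 4 changed entries; 14 and above are runtime errors) to a label, and parses the Summary and Changed entries sections of the report so a cron job or log shipper can act on them. AIDE_CONF, AIDE_DB_DIR and AIDE_RUN are names introduced here; the embedded sample report is constructed from the page's own output so the parsers can be exercised offline:

```sh
#!/bin/sh
# Added example (not from the original post): a wrapper around the init /
# check / update cycle shown above. AIDE_CONF, AIDE_DB_DIR and AIDE_RUN are
# names this example introduces; the paths default to the ones the page uses.

AIDE_CONF="${AIDE_CONF:-/etc/aide.conf}"
AIDE_DB_DIR="${AIDE_DB_DIR:-/var/lib/aide}"

# Both "aide -i" and "aide --update" write aide.db.new.gz, while --check reads
# aide.db.gz. Until the new file is copied into place, --check still compares
# against the old baseline, so this step belongs right after either command.
activate_new_db() {
    cp "$AIDE_DB_DIR/aide.db.new.gz" "$AIDE_DB_DIR/aide.db.gz"
}

# AIDE's exit status is a bitmask: 1 = added, 2 = removed, 4 = changed entries.
# Values of 14 and above are runtime errors (bad config, I/O error, ...).
describe_exit() {
    rc="$1"
    if [ "$rc" -eq 0 ]; then
        echo "clean"
    elif [ "$rc" -ge 14 ]; then
        echo "error"
    else
        out=""
        [ $((rc & 1)) -ne 0 ] && out="${out}added,"
        [ $((rc & 2)) -ne 0 ] && out="${out}removed,"
        [ $((rc & 4)) -ne 0 ] && out="${out}changed,"
        [ -z "$out" ] && out="unknown"
        echo "${out%,}"
    fi
}

# Read an AIDE report on stdin and print "added removed changed" as integers,
# taken from the Summary block. Section headers such as "Changed entries:"
# carry no number and are skipped on purpose.
summary_counts() {
    awk '
        /^[ \t]*Added entries:[ \t]*[0-9]+$/   { a = $NF }
        /^[ \t]*Removed entries:[ \t]*[0-9]+$/ { r = $NF }
        /^[ \t]*Changed entries:[ \t]*[0-9]+$/ { c = $NF }
        END { printf "%d %d %d\n", a + 0, r + 0, c + 0 }
    '
}

# Print one path per line from the "Added/Removed/Changed entries:" sections,
# i.e. from lines such as "f ... .C... : /etc/cups/subscriptions.conf".
changed_paths() {
    awk '
        /^[ \t]*(Added|Removed|Changed) entries:[ \t]*$/ { insec = 1; next }
        /^Detailed information/                          { insec = 0 }
        insec && /: \// { sub(/^.*: \//, "/"); print }
    '
}

# Constructed report in the format shown on the page (hashes copied from it),
# so the parsers can be exercised without AIDE installed.
sample_report() {
    cat <<'EOF'
Start timestamp: 2021-02-18 21:19:27 +0800 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:      139897
  Added entries:                0
  Removed entries:              0
  Changed entries:              2

---------------------------------------------------
Changed entries:
---------------------------------------------------

f   ...    .C... : /etc/cups/subscriptions.conf
f   ...    .C... : /etc/cups/subscriptions.conf.O

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/cups/subscriptions.conf
  SHA512   : c9HK7SWwyNt0blwrqVIUlfR7j+2u5OJ0 | h7zYo0az+l8IZho8/jUzFlojeYGzczDr
EOF
}

# Run the real check, keep the full report, and summarise it for a cron mail
# or log shipper. Returns AIDE's own exit status so callers can branch on it.
run_check() {
    rc=0
    report="$(aide -c "$AIDE_CONF" --check 2>&1)" || rc=$?
    echo "$report"
    echo "status: $(describe_exit "$rc")"
    echo "counts (added removed changed): $(echo "$report" | summary_counts)"
    echo "$report" | changed_paths
    return "$rc"
}

# Only invoke AIDE when explicitly asked, so the helpers can be sourced/tested.
if [ "${AIDE_RUN:-0}" = "1" ]; then
    run_check
fi
```

Run it as AIDE_RUN=1 sh aide-check.sh (assumed file name) from cron and alert on any status other than "clean"; call activate_new_db only after you have reviewed the differences that aide --update reported, otherwise an attacker's changes get baked into the baseline.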