  AIDE (Advanced Intrusion Detection Environment): it stores each file's hash (and other attributes) in a database, then compares against that database to tell whether the file has been tampered with

    Basic use of AIDE (Advanced Intrusion Detection Environment)

    1. Introduction to AIDE

    In production, when facing attacks, we want effective measures to keep intruders out and, if a host is compromised anyway, to find out promptly which system files the attacker changed so that they can be located and repaired. Checking the integrity of system files, or at least of the key ones, is therefore essential. For this we can use the open-source file integrity checker AIDE (Advanced Intrusion Detection Environment), whose main purpose is to verify file integrity and audit which files on the host have been modified.
    AIDE builds a database of the files you specify, with aide.conf as its configuration file. For every file the database can hold a range of attributes: permissions, inode number, owning user, owning group, size, last modification time (mtime) and so on. AIDE also computes a checksum (hash) of each file's contents with algorithms such as sha1, md5, rmd160 and tiger; the CentOS 7 build shown below additionally offers sha256 and sha512, and these should be preferred, since md5 and sha1 are no longer collision resistant. When building the baseline database, leave out files that change all the time, e.g. log files, mail spools, the /proc file system, user home directories and temporary directories; otherwise every check drowns real changes in noise.
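To make concrete what "store each file's attributes and hash in a database, then compare" means, here is an added example (my own Python, not AIDE's code): it records per-file attributes and a SHA-256 over a directory tree, skips volatile paths by pattern, and reports added, removed and changed files together with the attributes that differ, in the shape of the AIDE report further down. The directory layout, the ignore patterns and the `demo()` scenario are constructed for illustration.

```python
"""Minimal AIDE-style integrity check, added as an illustration (not AIDE's
code): record attributes plus a content hash per file in a baseline,
re-scan later and report added, removed and changed files."""
import hashlib
import json
import os
import stat
import tempfile
from fnmatch import fnmatch

# Relative-path patterns for files that change constantly (constructed here;
# a real aide.conf expresses this with '!' exclusion lines).
DEFAULT_IGNORE = ("*.log", "proc/*", "tmp/*", "home/*")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def file_record(path):
    """Attributes kept per file, roughly AIDE's p+i+n+u+g+s+m+c+sha256."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "inode": st.st_ino,
           "nlink": st.st_nlink, "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "mtime": int(st.st_mtime), "ctime": int(st.st_ctime)}
    if stat.S_ISREG(st.st_mode):
        rec["sha256"] = sha256_of(path)
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)  # a redirected symlink is a change too
    return rec

def build_baseline(root, ignore=DEFAULT_IGNORE):
    """Walk root (not following symlinks) -> {relative path: record}."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if not any(fnmatch(rel, pat) for pat in ignore):
                db[rel] = file_record(full)
    return db

def save_baseline(db, db_path):
    with open(db_path, "w") as f:
        json.dump(db, f, sort_keys=True)

def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)

def compare(baseline, current):
    """Return (added, removed, changed); changed maps a path to the
    (attribute, old, new) triples that differ, like AIDE's detailed report."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        diffs = [(k, old.get(k), new.get(k)) for k in sorted(set(old) | set(new))
                 if old.get(k) != new.get(k)]
        if diffs:
            changed[path] = diffs
    return added, removed, changed

def report(added, removed, changed):
    lines = [f"Added files: {len(added)}", f"Removed files: {len(removed)}",
             f"Changed files: {len(changed)}"]
    lines += [f"added: {p}" for p in added] + [f"removed: {p}" for p in removed]
    for path, diffs in changed.items():
        lines.append(f"changed: {path}")
        lines += [f"  {attr:<8}: {old} , {new}" for attr, old, new in diffs]
    return "\n".join(lines)

def demo():
    """Constructed scenario: baseline a small tree, then add, remove and
    modify files and append to a log; return what the second scan finds."""
    root, (fd, db_path) = tempfile.mkdtemp(), tempfile.mkstemp(suffix=".json")
    os.close(fd)

    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(data)

    write("app/passwd", "root:x:0:0:root:/root:/bin/bash\n")
    write("app/old.conf", "keep=0\n")
    write("var/app.log", "line 1\n")
    save_baseline(build_baseline(root), db_path)
    # "attacker" adds a second uid-0 account, drops a file and deletes another
    write("app/passwd", "root:x:0:0:root:/root:/bin/bash\nbd:x:0:0::/root:/bin/bash\n")
    write("app/new.conf", "x=1\n")
    os.remove(os.path.join(root, "app", "old.conf"))
    write("var/app.log", "line 1\nline 2\n")  # ignored: expected noise
    return compare(load_baseline(db_path), build_baseline(root))
```

`print(report(*demo()))` prints the summary and the per-attribute detail for `app/passwd`; the appended log line never appears because `*.log` is excluded from both scans, which is exactly the trade-off the paragraph above describes.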


    2. AIDE working directories and basic operations

    Install AIDE with yum

    [root@CentOS7 ~]#rpm -q aide   # rpm -q queries an installed package; rpm -qf (as originally typed) looks up which package owns a file
    package aide is not installed
    [root@CentOS7 ~]#yum install -y aide
    
    [root@CentOS7 ~]#rpm -ql aide
    /etc/aide.conf  #configuration file
    /etc/logrotate.d/aide  #logrotate policy for /var/log/aide (not a program directory)
    /usr/sbin/aide  #the aide binary
    /usr/share/doc/aide-0.15.1
    /usr/share/doc/aide-0.15.1/AUTHORS
    /usr/share/doc/aide-0.15.1/COPYING
    /usr/share/doc/aide-0.15.1/ChangeLog
    /usr/share/doc/aide-0.15.1/NEWS
    /usr/share/doc/aide-0.15.1/README
    /usr/share/doc/aide-0.15.1/README.quickstart
    /usr/share/doc/aide-0.15.1/contrib
    /usr/share/doc/aide-0.15.1/contrib/aide-attributes.sh
    /usr/share/doc/aide-0.15.1/contrib/bzip2.sh
    /usr/share/doc/aide-0.15.1/contrib/gpg2_check.sh
    /usr/share/doc/aide-0.15.1/contrib/gpg2_update.sh
    /usr/share/doc/aide-0.15.1/contrib/gpg_check.sh
    /usr/share/doc/aide-0.15.1/contrib/gpg_update.sh
    /usr/share/doc/aide-0.15.1/contrib/sshaide.sh
    /usr/share/doc/aide-0.15.1/manual.html
    /usr/share/man/man1/aide.1.gz
    /usr/share/man/man5/aide.conf.5.gz
    /var/lib/aide  #database directory
    /var/log/aide  #log directory
    

    Edit the configuration file to define which files are checked

    [root@CentOS7 ~]#vim /etc/aide.conf
    # Example configuration file for AIDE.
    
    @@define DBDIR /var/lib/aide #database directory
    @@define LOGDIR /var/log/aide
    
    # The location of the database to be read.
    database=file:@@{DBDIR}/aide.db.gz #baseline database that --check compares against
    
    # The location of the database to be written.
    #database_out=sql:host:port:database:login_name:passwd:table
    #database_out=file:aide.db.new
    database_out=file:@@{DBDIR}/aide.db.new.gz  #new database written by --init and --update
    
    # Whether to gzip the output to database.
    gzip_dbout=yes
    
    # Default.
    verbose=5
    
    report_url=file:@@{LOGDIR}/aide.log
    report_url=stdout
    #report_url=stderr
    #NOT IMPLEMENTED report_url=mailto:root@foo.com
    #NOT IMPLEMENTED report_url=syslog:LOG_AUTH
    
    # These are the default rules.
    #
    #p:      permissions
    #i:      inode:
    #n:      number of links
    #u:      user
    #g:      group
    #s:      size
    #b:      block count
    #m:      mtime
    #a:      atime
    #c:      ctime
    #S:      check for growing size
    #acl:           Access Control Lists
    #selinux        SELinux security context
    #xattrs:        Extended file attributes
    #md5:    md5 checksum
    #sha1:   sha1 checksum
    #sha256:        sha256 checksum
    #sha512:        sha512 checksum
    #rmd160: rmd160 checksum
    #tiger:  tiger checksum
    
    #haval:  haval checksum (MHASH only)
    #gost:   gost checksum (MHASH only)
    #crc32:  crc32 checksum (MHASH only)
    #whirlpool:     whirlpool checksum (MHASH only)
    
    FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
    
    #R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
    #L:             p+i+n+u+g+acl+selinux+xattrs
    #E:             Empty group
    #>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
    
    # You can create custom rules like this.
    # With MHASH...
    # ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
    ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
    
    # Everything but access time (Ie. all changes)
    EVERYTHING = R+ALLXTRAHASHES
    
    # Sane, with one good hash.
    # NORMAL = sha256
    NORMAL = sha256
    
    # For directories, don't bother doing hashes.
    DIR = p+i+n+u+g+acl+selinux+xattrs
    
    # Access control only.
    PERMS = p+u+g+acl+selinux+xattrs
    
    # Access + inode changes + file type.
    STATIC = p+u+g+acl+selinux+xattrs+i+n+b+c+ftype
    
    # Logfiles only check access w/o xattrs.
    LOG = p+u+g+n+acl+selinux+ftype
    
    # Content + file type.
    CONTENT = sha256+ftype
    
    # Extended content + file type + access.
    CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs
    
    # Some files get updated automatically, so the inode/ctime/mtime change
    # but we want to know when the data inside them changes.
    DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
    
    # Next decide what directories/files you want in the database. Aide
    # uses a first match system. Put file specific instructions before generic
    # matches. e.g. Put file matches before directories.
    

    Append the paths to be checked, each with its rule, at the end of the file

    # Next decide what directories/files you want in the database. Aide
    # uses a first match system. Put file specific instructions before generic
    # matches. e.g. Put file matches before directories.
    /app R
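Rule groups such as `NORMAL = sha256` or `EVERYTHING = R+ALLXTRAHASHES` expand into sets of attributes, and the first selection line that matches a path decides which set applies to it. The added example below (my own simplified model, not AIDE's parser: it handles only `+`/`-` expressions, `!` exclusions and selection regexes anchored at the start, and ignores `@@` macros) shows why the order of those last lines matters, and that `/app` is a regular expression anchored only at the beginning, so it also matches `/apple`. Both config fragments are constructed.

```python
"""Simplified model of how aide.conf rule groups and selection lines combine.
Added illustration, not AIDE's parser: it handles '+'/'-' expressions, '!'
exclusions and selection regexes anchored at the start, and nothing else."""
import re

# Built-in groups as documented in the CentOS 7 aide.conf comments.
BUILTIN_GROUPS = {
    "R": "p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5",
    "L": "p+i+n+u+g+acl+selinux+xattrs",
    "E": "",
    ">": "p+u+g+i+n+S+acl+selinux+xattrs",
}
# Settings that look like 'name=value' but are not rule groups.
OPTIONS = {"database", "database_out", "gzip_dbout", "verbose", "report_url"}

def expand(expr, groups):
    """Expand 'a+GROUP-b' into the set of primitive attributes, following
    group references recursively; '-' removes attributes (e.g. R-md5)."""
    attrs = set()
    for sign, token in re.findall(r"([+-]?)([^+-]+)", expr):
        piece = expand(groups[token], groups) if token in groups else {token}
        attrs = attrs - piece if sign == "-" else attrs | piece
    return attrs

def parse_config(text):
    """Return (groups, rules); rules keep file order because AIDE applies
    the first selection line that matches."""
    groups, rules = dict(BUILTIN_GROUPS), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@@"):
            continue
        if line[0] in "/!":
            exclude = line.startswith("!")
            parts = line.lstrip("!").split(None, 1)
            expr = parts[1] if len(parts) > 1 else "E"
            rules.append((exclude, re.compile("^" + parts[0]), expr))
        elif "=" in line:
            name, expr = (s.strip() for s in line.split("=", 1))
            if name not in OPTIONS:
                groups[name] = expr
    return groups, rules

def attributes_for(path, groups, rules):
    """Attribute set checked for path, or None if it is not monitored."""
    for exclude, regex, expr in rules:
        if regex.match(path):
            return None if exclude else expand(expr, groups)
    return None

# Constructed fragment in the style of the CentOS 7 aide.conf shown above.
SAMPLE_CONF = """
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
EVERYTHING = R+ALLXTRAHASHES
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
# specific lines first: the exclusion and the per-file rule must precede /app R
!/app/cache
/app/passwd DATAONLY
/app R
/etc R-md5+sha256
"""

# Same lines with the generic /app rule first: /app/passwd silently gets R
# and the cache exclusion never fires.
SAMPLE_CONF_WRONG_ORDER = """
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
/app R
/app/passwd DATAONLY
!/app/cache
"""
```

`attributes_for("/apple", *parse_config(SAMPLE_CONF))` returns the full `R` set, not `None`: if you only want the directory `/app`, write the selection line as `/app$` or exclude the siblings explicitly. The `R-md5+sha256` line is the usual way to keep the stock `R` group while swapping its md5 for a stronger hash.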
    

    Initialize the baseline database (aide --init writes it to the database_out path, /var/lib/aide/aide.db.new.gz) and rename it to aide.db.gz so that later checks read the correct baseline

    [root

    Modify a file in the monitored directory to confirm that the configuration is in effect

    [root@CentOS7 /app]#echo >> passwd
    [root@CentOS7 /app]#aide -C
    AIDE 0.15.1 found differences between database and filesystem!!
    Start timestamp: 2017-09-13 10:01:35
    
    Summary:
      Total number of files:        10
      Added files:                  0
      Removed files:                0
      Changed files:                1
    
    
    ---------------------------------------------------
    Changed files:
    ---------------------------------------------------
    
    changed: /app/passwd
    
    ---------------------------------------------------
    Detailed information about changes:
    ---------------------------------------------------
    
    
    File: /app/passwd
     Size     : 1281                             , 1282
     Mtime    : 2017-09-13 08:55:14              , 2017-09-13 10:01:11
     Ctime    : 2017-09-13 08:55:14              , 2017-09-13 10:01:11
     MD5      : hhoBvjUQriuz/NL+5h34WQ==         , RmK+YcfsYoD0gG/KN2BZww==
    [root@CentOS7 /app]#
    

    The check reports the changed size, mtime, ctime and MD5 of /app/passwd (the R rule group used for /app in this configuration ends with md5, which is why MD5 rather than sha256 is shown).

    If the change was made deliberately by an administrator and only tripped the check for that reason, update the baseline so that it reflects the authorized state: run aide --update (it performs a check and writes a fresh database to the database_out path), then rename the new database into place. (Note: after every init or update the newly generated database must be renamed, otherwise checks keep comparing against the old baseline.) Do this only after confirming the change is legitimate; a baseline refreshed over an attacker's modification hides it for good.

    [root@CentOS7 /app]#cd /var/lib/aide/
    [root@CentOS7 /var/lib/aide]#rm -rf aide.db.gz    # discards the old baseline; copy it aside first if you may need to roll back
    [root@CentOS7 /var/lib/aide]#mv aide.db.new.gz aide.db.gz    # aide.db.new.gz must have just been written by aide --update
    [root@CentOS7 /var/lib/aide]#aide -C
    
    AIDE, version 0.15.1
    
    ### All files match AIDE database. Looks okay!
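The rename step above is the only moment at which the baseline changes, so it deserves more care than an unconditional rm and mv. The added example below (my own Python, not part of AIDE) promotes aide.db.new.gz to aide.db.gz only if a new database actually exists, keeps a backup of the previous baseline, and records the new baseline's SHA-256 so that tampering with the database itself, which AIDE cannot detect because the database is its ground truth, can be caught by comparing against a copy of the fingerprint kept off the host. The sidecar file name, the backup naming and the `demo()` scenario are this example's own assumptions.

```python
"""Promote a freshly written AIDE database into place and fingerprint it.
Added illustration, not part of AIDE. Paths follow the CentOS 7 aide.conf
above: aide.db.new.gz is written by --init/--update, aide.db.gz is read by
--check. The sidecar fingerprint file is this example's own convention."""
import hashlib
import os
import shutil
import subprocess
import tempfile
import time

NEW_DB = "aide.db.new.gz"
DB = "aide.db.gz"
FINGERPRINT = "aide.db.gz.sha256"  # assumption: sidecar written by this script

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def promote_database(dbdir):
    """Move NEW_DB over DB, keeping a timestamped backup of the old baseline,
    and return the new baseline's sha256. Refuses to run if NEW_DB does not
    exist, so a stale database can never be mistaken for an updated one."""
    new, cur = os.path.join(dbdir, NEW_DB), os.path.join(dbdir, DB)
    if not os.path.exists(new):
        raise FileNotFoundError(f"{new} missing: run 'aide --init' or "
                                "'aide --update' first")
    if os.path.exists(cur):
        shutil.move(cur, f"{cur}.{time.strftime('%Y%m%d%H%M%S')}.bak")
    os.replace(new, cur)
    os.chmod(cur, 0o600)  # the baseline is root's business only
    digest = sha256_file(cur)
    with open(os.path.join(dbdir, FINGERPRINT), "w") as f:
        f.write(f"{digest}  {DB}\n")
    return digest

def verify_database(dbdir, expected):
    """True if the on-disk baseline still matches a fingerprint you kept
    elsewhere (change ticket, log server, read-only media). AIDE trusts its
    database unconditionally, so this is how tampering with it is noticed."""
    return sha256_file(os.path.join(dbdir, DB)) == expected

def run_aide(*args):
    """Run the real aide binary if installed and return its exit status
    (0 means no differences; see aide(1) for the other values), else None."""
    if shutil.which("aide") is None:
        return None
    return subprocess.run(["aide", *args]).returncode

def demo():
    """Constructed scenario in a temp dir: promote, verify, tamper, re-verify,
    then show that a second promote without a new database is refused."""
    dbdir = tempfile.mkdtemp()
    with open(os.path.join(dbdir, DB), "wb") as f:
        f.write(b"old baseline (constructed bytes)")
    with open(os.path.join(dbdir, NEW_DB), "wb") as f:
        f.write(b"new baseline (constructed bytes)")
    digest = promote_database(dbdir)
    ok_before = verify_database(dbdir, digest)
    with open(os.path.join(dbdir, DB), "ab") as f:
        f.write(b"attacker edit")
    ok_after = verify_database(dbdir, digest)
    try:
        promote_database(dbdir)
        refused = False
    except FileNotFoundError:
        refused = True
    backups = [n for n in os.listdir(dbdir) if n.endswith(".bak")]
    return digest, ok_before, ok_after, refused, len(backups)
```

In a real deployment the sequence is `run_aide("--update")`, `promote_database("/var/lib/aide")`, and then storing the returned digest somewhere the host cannot rewrite; the gpg_update.sh and gpg_check.sh scripts shipped under /usr/share/doc/aide-0.15.1/contrib solve the same problem by signing the database instead of hashing it.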
    Original source: https://www.cnblogs.com/bonelee/p/13043561.html