AIDE（高级入侵检测环境）——就是讲文件的hash值存到db中，然后比较是否被篡改过

AIDE（高级入侵检测环境）基本应用

一、AIDE介绍

在生产环境下，面对黑客的攻击时，我们往往要采取一些行之有效的方法来避免，甚至被入侵后及时的发现黑客修改了系统的那些文件，并找到进行及时修复，这时对于系统的文件或是关键文件的检查是很有必要的。针对上诉问题我们可以使用一款开源的文件检测工具AIDE（高级入侵检测环境），其主要用途是检查文件的完整性，审计计算机上那些文件被修改过。
AIDE能够构造出一个指定文档的数据库，并使用aide.conf作为其配置文件。AIDE数据库能够保存文件的各种属性，包括：权限（permission）、索引节点序号（inode number）、所属用户（user）、所属用户组（group）、文件大小、最后修改（mtime）等。AIDE同时也使用下列算法：sha1、md5、rmd160、tiger，以密文形式建立每个文件的效验码或散列号。在建立检验基准数据库时建议不要将经常变动性变动的文档信息等进行保存，例如：日志文件、邮件、/proc文件系统、用户起始目录以及临时目录。

---

二、 AIDE工作目录及使用操作

yum安装AIDE

[root@CentOS7 ~]#rpm -qf aide
error: file /root/aide: No such file or directory
[root@CentOS7 ~]#yum install -y aide

[root@CentOS7 ~]#rpm -ql aide
/etc/aide.conf  #配置文件
/etc/logrotate.d/aide  #程序目录
/usr/sbin/aide
/usr/share/doc/aide-0.15.1
/usr/share/doc/aide-0.15.1/AUTHORS
/usr/share/doc/aide-0.15.1/COPYING
/usr/share/doc/aide-0.15.1/ChangeLog
/usr/share/doc/aide-0.15.1/NEWS
/usr/share/doc/aide-0.15.1/README
/usr/share/doc/aide-0.15.1/README.quickstart
/usr/share/doc/aide-0.15.1/contrib
/usr/share/doc/aide-0.15.1/contrib/aide-attributes.sh
/usr/share/doc/aide-0.15.1/contrib/bzip2.sh
/usr/share/doc/aide-0.15.1/contrib/gpg2_check.sh
/usr/share/doc/aide-0.15.1/contrib/gpg2_update.sh
/usr/share/doc/aide-0.15.1/contrib/gpg_check.sh
/usr/share/doc/aide-0.15.1/contrib/gpg_update.sh
/usr/share/doc/aide-0.15.1/contrib/sshaide.sh
/usr/share/doc/aide-0.15.1/manual.html
/usr/share/man/man1/aide.1.gz
/usr/share/man/man5/aide.conf.5.gz
/var/lib/aide  #数据库
/var/log/aide  #日志文件

更改配置文件，定义要检测那些文件

[root@CentOS7 ~]#vim /etc/aide.conf
# Example configuration file for AIDE.

@@define DBDIR /var/lib/aide #基准数据库文件
@@define LOGDIR /var/log/aide

# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz #基准数据库文件

# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz  #更新数据库文件

# Whether to gzip the output to database.
gzip_dbout=yes

# Default.
verbose=5

report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH

# These are the default rules.
#
#p:      permissions
#i:      inode:
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#acl:           Access Control Lists
#selinux        SELinux security context
#xattrs:        Extended file attributes
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256:        sha256 checksum
#sha512:        sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum

#haval:  haval checksum (MHASH only)
#gost:   gost checksum (MHASH only)
#crc32:  crc32 checksum (MHASH only)
#whirlpool:     whirlpool checksum (MHASH only)

FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

#R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L:             p+i+n+u+g+acl+selinux+xattrs
#E:             Empty group
#>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs

# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger

# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES

# Sane, with one good hash.
# NORMAL = sha256
NORMAL = sha256

# For directories, don't bother doing hashes.
DIR = p+i+n+u+g+acl+selinux+xattrs

# Access control only.
PERMS = p+u+g+acl+selinux+xattrs

# Access + inode changes + file type.
STATIC = p+u+g+acl+selinux+xattrs+i+n+b+c+ftype

# Logfiles only check access w/o xattrs.
LOG = p+u+g+n+acl+selinux+ftype

# Content + file type.
CONTENT = sha256+ftype

# Extended content + file type + access.
CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs

# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes.
DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256

# Next decide what directories/files you want in the database. Aide
# uses a first match system. Put file specific instructions before generic
# matches. e.g. Put file matches before directories.

在其尾部自定义添加需检测文件路径及规则

 95 # Next decide what directories/files you want in the data
    base. Aide
 96 # uses a first match system. Put file specific instructio
    ns before generic
 97 # matches. e.g. Put file matches before directories.
 98 /app R

初始基准数据库并将其改名确保基准数据库文件更新正确

[root@CentOS7 /app]#aide -i

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

[root@CentOS7 /app]#cd /var/lib/aide/
[root@CentOS7 /var/lib/aide]#ls
aide.db.gz  aide.db.new.gz
[root@CentOS7 /var/lib/aide]#mv aide.db.new.gz aide.db.gz
mv: overwrite ‘aide.db.gz’? y

将其检测的目录下文件修改确保其配置生效

[root@CentOS7 /app]#echo >> passwd
[root@CentOS7 /app]#aide -C
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2017-09-13 10:01:35

Summary:
  Total number of files:        10
  Added files:                  0
  Removed files:                0
  Changed files:                1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /app/passwd

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /app/passwd
 Size     : 1281                             , 1282
 Mtime    : 2017-09-13 08:55:14              , 2017-09-13 10:01:11
 Ctime    : 2017-09-13 08:55:14              , 2017-09-13 10:01:11
 MD5      : hhoBvjUQriuz/NL+5h34WQ==         , RmK+YcfsYoD0gG/KN2BZww==
[root@CentOS7 /app]#

可以看到检测到上述md5发生变化

如果管理员修改文件导致检测文件异常，这时我们可以更新基准数据库确保其非为正确修改。（注意：基准数据库更新后需将新生成的数据库改名）

[root@CentOS7 /app]#cd /var/lib/aide/
[root@CentOS7 /var/lib/aide]#rm -rf aide.db.gz 
[root@CentOS7 /var/lib/aide]#mv aide.db.new.gz aide.db.gz
[root@CentOS7 /var/lib/aide]#aide -C

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!