AIDE:文件的完整性功能校验工具



黑客可能会通过修改ps命令,来替换管理员通常使用的ps -aux命令,使管理员无法查到正在运行的木马程序,或者黑客替换掉crontab程序等等,由此可见检查系统的完整性很重要。目前市面上有两款检查文件完整性程序:Tripwire和AIDE,前者是一款商业软件,后者是一款免费软件。需要注意的是,这类工具只能发现相对于基线的变化,因此基线应当在系统处于可信状态时生成。

安装AIDE工具:

yum install aide
# 通过光盘安装
[root@localhost yum.repos.d]#mount /dev/sr0 /mnt
mount: /dev/sr0 is write-protected, mounting read-only

查看AIDE的说明:

[root@localhost yum.repos.d]#rpm -qi aide
Name        : aide
Version     : 0.15.1
Release     : 13.el7
Architecture: x86_64
Install Date: Fri 22 May 2020 04:41:04 PM CST
Group       : Applications/System
Size        : 318333
License     : GPLv2+
Signature   : RSA/SHA256, Thu 10 Aug 2017 10:56:17 PM CST, Key ID 24c6a8a7f4a80eb5
Source RPM  : aide-0.15.1-13.el7.src.rpm
Build Date  : Thu 03 Aug 2017 01:00:53 PM CST
Build Host  : c1bm.rdu2.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://sourceforge.net/projects/aide
Summary     : Intrusion detection environment
Description :
AIDE (Advanced Intrusion Detection Environment) is a file integrity
checker and intrusion detection program.

查看AIDE文件内容:

[root@localhost yum.repos.d]#rpm -ql aide
/etc/aide.conf
# 配置文件:选择让AIDE监测哪些内容
/etc/logrotate.d/aide
/usr/sbin/aide
/usr/share/doc/aide-0.15.1
/usr/share/doc/aide-0.15.1/AUTHORS
/usr/share/doc/aide-0.15.1/COPYING
/usr/share/doc/aide-0.15.1/ChangeLog
/usr/share/doc/aide-0.15.1/NEWS
/usr/share/doc/aide-0.15.1/README
/usr/share/doc/aide-0.15.1/README.quickstart
/usr/share/doc/aide-0.15.1/contrib
/usr/share/doc/aide-0.15.1/contrib/aide-attributes.sh
/usr/share/doc/aide-0.15.1/contrib/bzip2.sh
/usr/share/doc/aide-0.15.1/contrib/gpg2_check.sh
/usr/share/doc/aide-0.15.1/contrib/gpg2_update.sh
/usr/share/doc/aide-0.15.1/contrib/gpg_check.sh
/usr/share/doc/aide-0.15.1/contrib/gpg_update.sh
/usr/share/doc/aide-0.15.1/contrib/sshaide.sh
/usr/share/doc/aide-0.15.1/manual.html
/usr/share/man/man1/aide.1.gz
/usr/share/man/man5/aide.conf.5.gz
/var/lib/aide
# 样本库
/var/log/aide
# 日志

了解AIDE工作原理实验:

  1. 创建实验文件f1、f2、f3:

    [root@localhost ~]#cd /data
    [root@localhost data]#cp /etc/fstab f1
    [root@localhost data]#cp /etc/passwd f2
    [root@localhost data]#cp /etc/shadow f3
    [root@localhost data]#ll
    ...
    -rw-r--r--   1 root root     541 May 24 10:45 f1
    -rw-r--r--   1 root root    2492 May 24 10:45 f2
    ----------   1 root root    1375 May 24 10:45 f3
    
    # 实验设计:f2 不纳入监控;f1 和 f3 按自定义策略监控多种属性(权限、哈希、属主、属组)
    
  2. AIDE配置文件:

    # 打开AIDE的配置文件
    [root@localhost data]#vim /etc/aide.conf 
    
    # Example configuration file for AIDE.
    
    @@define DBDIR /var/lib/aide
    # 定义了数据库路径
    @@define LOGDIR /var/log/aide
    
    
    # The location of the database to be read.
    database=file:@@{DBDIR}/aide.db.gz
    # 基线数据库的位置:执行 aide --check 时以该文件为基准,比较系统文件是否被修改
    
    # The location of the database to be written.
    #database_out=sql:host:port:database:login_name:passwd:table
    #database_out=file:aide.db.new
    database_out=file:@@{DBDIR}/aide.db.new.gz
    # 新建的比较文件的位置
    
    # Whether to gzip the output to database.
    gzip_dbout=yes
    
    # Default.
    verbose=5
    
    report_url=file:@@{LOGDIR}/aide.log
    report_url=stdout
    #report_url=stderr
    #NOT IMPLEMENTED report_url=mailto:[email protected]
    #NOT IMPLEMENTED report_url=syslog:LOG_AUTH
    
    # These are the default rules.
    # 默认的监控策略、用字母代表监控的内容:
    #p:      permissions
    #i:      inode:
    #n:      number of links
    #u:      user
    #g:      group
    #s:      size
    #b:      block count
    #m:      mtime
    #a:      atime
    #c:      ctime
    #S:      check for growing size
    #acl:           Access Control Lists
    #selinux        SELinux security context
    #xattrs:        Extended file attributes
    #md5:    md5 checksum
    #sha1:   sha1 checksum
    #sha256:        sha256 checksum
    #sha512:        sha512 checksum
    #rmd160: rmd160 checksum
    #tiger:  tiger checksum
    
    #haval:  haval checksum (MHASH only)
    #gost:   gost checksum (MHASH only)
    #crc32:  crc32 checksum (MHASH only)
    #whirlpool:     whirlpool checksum (MHASH only)
    
    FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
    # 可以定义变量名并设置监控策略
    
    # 定义名为TEST的策略(此处用md5仅为演示;md5已不抗碰撞,生产环境建议改用sha256等更强的哈希):
    TEST = p+md5+u+g
    
    
    #R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
    #L:             p+i+n+u+g+acl+selinux+xattrs
    #E:             Empty group
    #>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
    
    # You can create custom rules like this.
    # With MHASH...
    # 这下面有人家帮你定义好的各种监控模板:
    
    # ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
    ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
    
    # Everything but access time (Ie. all changes)
    EVERYTHING = R+ALLXTRAHASHES
    
    # Sane, with one good hash.
    # NORMAL = sha256
    NORMAL = sha256
    
    # For directories, don't bother doing hashes.
    DIR = p+i+n+u+g+acl+selinux+xattrs
    
    # Access control only.
    PERMS = p+u+g+acl+selinux+xattrs
    
    # Access + inode changes + file type.
    STATIC = p+u+g+acl+selinux+xattrs+i+n+b+c+ftype
    
    # Logfiles only check access w/o xattrs.
    LOG = p+u+g+n+acl+selinux+ftype
    
    # Content + file type.
    CONTENT = sha256+ftype
    
    # Extended content + file type + access.
    CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs
    
    # Some files get updated automatically, so the inode/ctime/mtime change
    # but we want to know when the data inside them changes.
    DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
    
    # Next decide what directories/files you want in the database. Aide
    # 需要监视完整性的路径及监控策略配置
    # uses a first match system. Put file specific instructions before generic
    # matches. e.g. Put file matches before directories.
    
    # /boot/   CONTENT_EX
    # /bin/    CONTENT_EX
    # /sbin/   CONTENT_EX
    # /lib/    CONTENT_EX
    # /lib64/  CONTENT_EX
    # /opt/    CONTENT
    
    # 配置我们要监控的策略
    /data TEST
    !/data/f2
    
    # Admin's dot files constantly change, just check perms.
    # 还支持正则表达式
    # /root/\..* PERMS
    # Otherwise get all of /root.
    # /root/   CONTENT_EX
    
    # These are too volatile.
    # !/usr/src/
    # !/usr/tmp/
    # !号表示不监控
    
    # 以下是默认监控内容配置,这里不再赘述:
    
  3. 生成监控状态数据库:

    [root@localhost data]#ll /var/lib/aide
    total 0
    # 此时数据库中是没有文件的
    
    [root@localhost aide]#aide --init
    
    AIDE, version 0.15.1
    
    ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
    # 在 DBDIR(即 /var/lib/aide)下生成被监视文件的属性基线数据库
    [root@localhost aide]#ll
    total 448
    -rw------- 1 root root 458752 May 24 11:20 aide.db.new.gz
    
  4. 实验:更改文件的权限信息并开始比对

    [root@localhost aide]#chmod 700 /data/f1 /data/f2
    [root@localhost aide]#ll /data/
    total 12
    -rwx------ 1 root root  541 May 24 11:15 f1
    -rwx------ 1 root root 2492 May 24 11:15 f2
    ---------- 1 root root 1375 May 24 11:15 f3
    
    # 注意:f2 已被配置中的 !/data/f2 排除,因此它的权限变化不会出现在比对结果中
    
    # 开始比对
    
    # 第一步:将aide.db.new.gz改为aide.db.gz才能开始比较
    # 注意:能篡改系统文件的攻击者同样能篡改 aide.db.gz,因此基线数据库应另存一份到只读/离线介质,
    # 或使用上面列出的 contrib/gpg_check.sh、gpg_update.sh 对其签名校验
    [root@localhost aide]#cd /var/lib/aide/
    [root@localhost aide]#mv aide.db.new.gz aide.db.gz
    
    
    # 开始比较:
    
    [root@localhost aide]#aide --check
    AIDE 0.15.1 found differences between database and filesystem!!
    Start timestamp: 2020-05-24 11:31:18
    
    Summary:
      Total number of files:	4
      Added files:			0
      Removed files:		0
      Changed files:		1
    
    
    ---------------------------------------------------
    Changed files:
    ---------------------------------------------------
    
    changed: /data/f1
    
    ---------------------------------------------------
    Detailed information about changes:
    ---------------------------------------------------
    
    
    File: /data/f1
     Perm     : -rw-------                       , -rwx------
    # 检测到f1文件由600权限改为700权限
    
    
    # 将权限改回600,再重新检查,查看是否正常
    [root@localhost aide]#chmod 600 /data/f1 /data/f2
    [root@localhost aide]#aide --check
    
    AIDE, version 0.15.1
    
    ### All files match AIDE database. Looks okay!
    
    # 一切看起来很OK呀
    
    
    # 更改内容,是否有md5变化
    [root@localhost aide]#vim /data/f1
    [root@localhost aide]#aide --check
    AIDE 0.15.1 found differences between database and filesystem!!
    Start timestamp: 2020-05-24 11:34:40
    
    Summary:
      Total number of files:	4
      Added files:			0
      Removed files:		0
      Changed files:		1
    
    
    ---------------------------------------------------
    Changed files:
    ---------------------------------------------------
    
    changed: /data/f1
    
    ---------------------------------------------------
    Detailed information about changes:
    ---------------------------------------------------
    
    
    File: /data/f1
     MD5      : gDB5fbfk/E9xwYZYv9Zi9Q==         , Q3eLsB9rSdgFnla/1CrOiQ==
     
     # 已经检测出哈希值发生变化
     
     
     # 如果确认该改动是预期的(而非入侵造成的),那么也很简单,更新数据库即可;否则会把篡改结果固化进基线
     [root@localhost aide]#aide --update
    AIDE 0.15.1 found differences between database and filesystem!!
    Start timestamp: 2020-05-24 11:36:16
    
    Summary:
      Total number of files:	4
      Added files:			0
      Removed files:		0
      Changed files:		1
    
    
    ---------------------------------------------------
    Changed files:
    ---------------------------------------------------
    
    changed: /data/f1
    
    ---------------------------------------------------
    Detailed information about changes:
    ---------------------------------------------------
    
    
    File: /data/f1
     MD5      : gDB5fbfk/E9xwYZYv9Zi9Q==         , Q3eLsB9rSdgFnla/1CrOiQ==
    
    # 将新生成的aide.db.new.gz改为aide.db.gz即可(同样应在确认改动合法后再替换基线,并妥善保护新基线)
    


转载自blog.csdn.net/FlamencaH/article/details/106505713