Pehea e hoʻouka ai a hoʻohana i ka AIDE (Advanced Intrusion Detection Environment) ma CentOS 8

Ahead of the start of the "Linux Administrator" course, we have prepared a translation of a useful article.


AIDE stands for "Advanced Intrusion Detection Environment" and is one of the most popular tools for monitoring changes on Linux systems. It is a host-based file integrity checker: it does not block malware, viruses or intruders, but it detects the file changes they leave behind. To verify file integrity and detect intrusions, AIDE builds a database of file attributes and checksums and then compares the current state of the system against that database. Because a check lists exactly which files were added, removed or changed, AIDE shortens incident investigation considerably.

AIDE features:

  • Monitors file attributes including file type, inode, uid, gid, permissions, number of links, mtime, ctime and atime.
  • Supports gzip compression of the database, SELinux contexts, extended attributes (xattrs), POSIX ACLs and file system attributes (e2fsattrs).
  • Supports multiple checksum algorithms, including md5, sha1, sha256, sha512, rmd160, tiger and crc32.
  • Reports can be written to a file, stdout or syslog, and mailed by cron when the check is scheduled (see below).

In this article we will look at how to install and use AIDE for intrusion detection on CentOS 8.

Requirements

  • A server running CentOS 8 with at least 2 GB of RAM.
  • Root access.

Getting started

It is recommended to update the system first. To do so, run the following command:

dnf update -y

After the update, reboot the system so that the changes (in particular a new kernel) take effect.

Installing AIDE

AIDE is available in the default CentOS 8 repositories. You can install it with the following command:

dnf install aide -y

When the installation finishes, you can check the AIDE version with:

aide --version

You should see something like this:

Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

The options available for aide can be viewed with:

aide --help


Creating and initializing the database

The first thing to do after installing AIDE is to initialize it. Initialization builds a database (a snapshot) of the files and directories on the server, as selected by the rules in /etc/aide.conf. Do this on a freshly installed, known-clean system: a baseline taken from an already compromised host will treat the attacker's files as normal.

To initialize the database, run:

aide --init

You should see something like this:

Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==


End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)

The command above creates a new database, aide.db.new.gz, in the /var/lib/aide directory. You can see it with:

ls -l /var/lib/aide

Output:

total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz

AIDE will not use the new database until it is renamed to aide.db.gz, the database path configured in /etc/aide.conf. Do that with:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Refresh this database after every legitimate change to the system (package updates, configuration edits); otherwise the next check will bury real findings among expected ones.

You can change the location of the database by editing the DBDIR definition in /etc/aide.conf.

Running a scan

AIDE is now ready to use the new database. Run the first check before changing anything:

aide --check

This command takes a while, depending on the size of your file system and the amount of RAM on the server. When the scan finishes, you should see:

Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

The output above confirms that the files and directories on disk match the AIDE database.

Testing AIDE

By default, AIDE does not monitor Apache's default document root, /var/www/html. Let's configure AIDE to watch it. To do so, edit the /etc/aide.conf file:

nano /etc/aide.conf

Add the following line right after the "/root/   CONTENT_EX" line (CONTENT_EX is a rule group defined near the top of the same file; reusing it gives the web root the same checks as /root):

/var/www/html/ CONTENT_EX
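The single selection line above is all the test needs. For a real document root you will usually want a rule group of your own and a negative rule for directories the application rewrites constantly. The fragment below is an added example and is not part of the original article or of the stock aide.conf: the group name WEB and the cache path are this example's choices, while the attribute letters and the "!" negative-rule syntax are AIDE's own (see aide.conf(5)).

```conf
# Added example, not from the original article or the stock /etc/aide.conf.
# Rule group for web content. Attribute letters are AIDE's own:
#   p = permissions, u = owner, g = group, n = number of links,
#   ftype = file type, acl / selinux / xattrs = ACLs, SELinux context,
#   extended attributes, sha256 / sha512 = content hashes.
# mtime/ctime/atime are deliberately left out, so a timestamp change on its
# own is not a finding; append +m+c if you want them reported as well.
WEB = p+u+g+n+ftype+acl+selinux+xattrs+sha256+sha512

# Everything under the document root gets the WEB group
/var/www/html/                 WEB

# Negative rule: a cache the application rewrites constantly would only
# produce noise, so it is not recorded at all (path is this example's choice)
!/var/www/html/cache/
```

After any edit to aide.conf, run aide --config-check (the -D option) to catch syntax errors before the next scheduled check. The existing database knows nothing about the newly selected paths, so the next aide --check will list them as added entries until you run aide --update and install the new database, exactly as the rest of this section shows for the single test file.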

Then create a file named aide.txt in /var/www/html/ with the following command:

echo "Test AIDE" > /var/www/html/aide.txt

Now run an AIDE check and verify that the new file is detected:

aide --check

You should see something like this:

Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

We see that the newly created file aide.txt was detected (the leading f marks a regular file, and the string of + signs means every recorded attribute is new).
Once you have reviewed the detected changes and confirmed they are legitimate, update the AIDE database:

aide --update

After the update you will see:

Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The command above writes a new database, aide.db.new.gz, to the /var/lib/aide/ directory; the old aide.db.gz is left untouched. You can see both with:

ls -l /var/lib/aide/

Output:

total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz

Rename the new database so that AIDE uses it for subsequent checks:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run the check again to verify that AIDE is using the new database:

aide --check

You should see:

Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Automating the check

It is a good idea to run an AIDE check every day and have the report mailed to you. This can be automated with cron:

nano /etc/crontab

To run the AIDE check every day at 10:15, add the following line at the end of the file:

15 10 * * * root /usr/sbin/aide --check

cron mails everything the job prints to root, so the full AIDE report lands in root's mailbox, provided a local mail transfer agent such as postfix is installed and running. You can read the mail with:

tail -f /var/mail/root

AIDE also appends each report to its own log file (the report_url setting in /etc/aide.conf), which you can follow with:

tail -f /var/log/aide/aide.log
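A bare aide --check in crontab mails a report every day whether or not anything changed, and it trusts whatever aide.db.gz it finds on disk. The script below is an added example, not code from the original article or from the AIDE project: it wraps the initialize, install, check and update steps from the sections above into one command that the cron line can call, decodes AIDE's exit status, and refuses to run a check against a database that no longer matches the digest recorded when it was installed. It assumes the stock CentOS 8 paths /usr/sbin/aide and /var/lib/aide (DBDIR in /etc/aide.conf); the digest file /root/aide.db.sha256, the function names and the init/check/update sub-commands are this example's own.

```bash
#!/bin/sh
# Added example, not part of the original article or of AIDE itself.
# Wraps the initialize / install / check / update cycle from the text.
# Assumed paths: the stock CentOS 8 binary and DBDIR; the digest file
# location is this example's own choice (keep a copy off the host).
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
DBDIR="${DBDIR:-/var/lib/aide}"
HASH_FILE="${HASH_FILE:-/root/aide.db.sha256}"

# Turn aide(1)'s exit status into words. On a completed run the status is a
# bitmask: 1 = new files, 2 = removed files, 4 = changed files, so 5 means
# "new changed". Statuses of 14 and above are errors (invalid config line,
# I/O error, database version mismatch, ...), not findings.
decode_aide_status() {
    rc="$1"
    out=""
    if [ "$rc" -eq 0 ]; then
        echo "clean"
        return 0
    fi
    if [ "$rc" -ge 14 ]; then
        echo "error"
        return 0
    fi
    [ $((rc & 1)) -ne 0 ] && out="$out new"
    [ $((rc & 2)) -ne 0 ] && out="$out removed"
    [ $((rc & 4)) -ne 0 ] && out="$out changed"
    echo "${out# }"
}

# Record a SHA-256 digest of the installed baseline outside DBDIR. Anyone who
# can rewrite aide.db.gz can make their own changes "expected", so the digest
# is what a later check trusts, not the database file by itself.
record_db_digest() {
    sha256sum "$1" > "$2"
}

# Returns 0 while the baseline still matches the recorded digest, 1 otherwise.
verify_db_digest() {
    sha256sum --check --status "$1"
}

# Promote aide.db.new.gz to aide.db.gz (the mv step in the article), lock the
# permissions down and re-record the digest. Call only after reviewing the
# reported changes and deciding they are legitimate.
install_db() {
    mv "$DBDIR/aide.db.new.gz" "$DBDIR/aide.db.gz" || return 1
    chmod 0600 "$DBDIR/aide.db.gz"
    record_db_digest "$DBDIR/aide.db.gz" "$HASH_FILE"
}

# Refuse to check against a baseline that does not match its digest (status 99,
# outside AIDE's own range), then run aide --check and print the decoded
# verdict as the last line of the report.
run_check() {
    if ! verify_db_digest "$HASH_FILE"; then
        echo "aide: $DBDIR/aide.db.gz does not match $HASH_FILE, refusing to check" >&2
        return 99
    fi
    rc=0
    "$AIDE_BIN" --check || rc=$?
    echo "aide --check verdict: $(decode_aide_status "$rc") (exit status $rc)"
    return "$rc"
}

# aide --update performs a check and writes aide.db.new.gz; a status below 14
# only says that changes were found, so the new database is still installed.
run_update() {
    rc=0
    "$AIDE_BIN" --update || rc=$?
    if [ "$rc" -ge 14 ]; then
        echo "aide --update failed with status $rc, keeping the old database" >&2
        return "$rc"
    fi
    install_db
}

case "${1:-}" in
    init)   "$AIDE_BIN" --init && install_db ;;
    check)  run_check ;;
    update) run_update ;;
    "")     : ;;   # no sub-command: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 {init|check|update}" >&2; exit 64 ;;
esac
```

Save it under an assumed name such as /usr/local/sbin/aide-wrap.sh, run it once with the init argument, and point the cron line at it with the check argument instead of a bare aide --check; the exit status propagates, so a failing cron job is itself the signal that something changed or that the baseline no longer matches its digest. Run it with the update argument only after you have read a report and accepted the changes, and keep a copy of the digest file off the host, since an attacker with root can rewrite it together with the database.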

Conclusion

In this article you learned how to use AIDE to detect file changes and spot unauthorized access to a server. Further tuning is done in the configuration file /etc/aide.conf. For security reasons, keep the database and the configuration file on read-only media, or at least keep an out-of-band copy of both (with their checksums) off the host: an attacker with root access can otherwise run aide --update themselves and make their own changes look expected. More information can be found in the AIDE documentation.


Source: www.habr.com
