Ua ntej pib ntawm chav kawm Peb tau npaj ib qho kev txhais cov ntaub ntawv nthuav.
AIDE sawv cev rau "Advanced Intrusion Detection Ib puag ncig" thiab yog ib qho ntawm cov kab ke nrov tshaj plaws rau kev saib xyuas kev hloov pauv hauv Linux-based operating systems. AIDE yog siv los tiv thaiv malware, kab mob thiab ntes cov haujlwm uas tsis tau tso cai. Txhawm rau txheeb xyuas cov ntaub ntawv ncaj ncees thiab tshawb xyuas kev nkag mus, AIDE tsim cov ntaub ntawv ntawm cov ntaub ntawv cov ntaub ntawv thiab sib piv cov xwm txheej tam sim no ntawm lub kaw lus nrog cov ntaub ntawv no. AIDE pab txo lub sijhawm tshawb nrhiav qhov xwm txheej los ntawm kev tsom mus rau cov ntaub ntawv uas tau hloov kho.
AIDE nta:
- Txhawb ntau yam ntaub ntawv cwj pwm, suav nrog: hom ntaub ntawv, inode, uid, gid, kev tso cai, tus lej txuas, mtime, ctime thiab atime.
- Kev them nyiaj yug rau Gzip compression, SELinux, XAttrs, Posix ACL thiab cov yam ntxwv ntawm cov ntaub ntawv.
- Txhawb ntau yam algorithms xws li md5, sha1, sha256, sha512, rmd160, crc32, thiab lwm yam.
- Xa cov ntawv ceeb toom los ntawm email.
Hauv tsab xov xwm no, peb yuav saib yuav ua li cas rau nruab thiab siv AIDE txhawm rau txhawm rau txhawm rau tshawb pom ntawm CentOS 8.
Yam yuavtsum tau kawm uantej
- Server khiav CentOS 8, nrog tsawg kawg 2 GB ntawm RAM.
- hauv paus nkag
Pib
Nws raug pom zoo kom hloov kho qhov system ua ntej. Txhawm rau ua qhov no, khiav cov lus txib hauv qab no.
dnf update -yTom qab hloov kho, rov pib dua koj lub kaw lus kom cov kev hloov pauv siv tau.
Txhim kho AIDE
AIDE muaj nyob rau hauv lub neej ntawd CentOS 8 repository.
dnf install aide -yThaum lub installation tiav lawm, koj tuaj yeem saib AIDE version siv cov lus txib hauv qab no:
aide --versionKoj yuav tsum pom cov hauv qab no:
Aide 0.16
Compiled with the following options:
WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"
Muaj kev xaiv aide tuaj yeem saib raws li hauv qab no:
aide --help
Tsim thiab pib lub database
Thawj qhov koj yuav tsum tau ua tom qab txhim kho AIDE yog pib nws. Initialization muaj kev tsim cov ntaub ntawv (snapshot) ntawm tag nrho cov ntaub ntawv thiab cov npe ntawm cov neeg rau zaub mov.
Txhawm rau pib lub database, khiav cov lus txib hauv qab no:
aide --initKoj yuav tsum pom cov hauv qab no:
Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz
Number of entries: 49472
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new.gz
MD5 : 4N79P7hPE2uxJJ1o7na9sA==
SHA1 : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
RMD160 : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
TIGER : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
SHA256 : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
xWXT2iaEHgQ=
SHA512 : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
nDw6lgDNI/ls2esijukliQ==
End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)
Cov lus txib saum toj no yuav tsim cov ntaub ntawv tshiab aide.db.new.gz hauv phau ntawv teev khoom /var/lib/aide. Nws tuaj yeem pom tau siv cov lus txib hauv qab no:
ls -l /var/lib/aideTshwm sim:
total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz
AIDE yuav tsis siv cov ntaub ntawv tshiab no kom txog thaum nws tau hloov npe rau aide.db.gz. Qhov no tuaj yeem ua tau raws li hauv qab no:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gzNws raug nquahu kom koj hloov kho cov ntaub ntawv no ib ntus kom ntseeg tau tias cov kev hloov pauv raug saib xyuas kom raug.
Koj tuaj yeem hloov qhov chaw ntawm cov ntaub ntawv los ntawm kev hloov qhov parameter DBDIR hauv cov ntaub ntawv /etc/aide.conf.
Khiav ib qho scan
AIDE tam sim no npaj siv cov ntaub ntawv tshiab. Khiav thawj AIDE check yam tsis tau hloov pauv:
aide --checkCov lus txib no yuav siv sijhawm qee lub sijhawm los ua kom tiav nyob ntawm qhov loj ntawm koj cov ntaub ntawv kaw lus thiab tus nqi ntawm RAM ntawm koj lub server. Thaum lub scan tiav lawm koj yuav tsum pom cov hauv qab no:
Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!Cov zis saum toj no hais tias tag nrho cov ntaub ntawv thiab cov npe sib tw nrog AIDE database.
Kev xeem AIDE
Los ntawm lub neej ntawd, AIDE tsis taug qab Apache hauv paus directory /var/www/html. Cia peb teeb tsa AIDE los saib nws. Ua li no koj yuav tsum tau hloov cov ntaub ntawv /etc/aide.conf.
nano /etc/aide.conf
Ntxiv kab saum toj no "/root/CONTENT_EX" Cov hauv qab no:
/var/www/html/ CONTENT_EX
Tom ntej no, tsim ib cov ntaub ntawv aide.txt hauv phau ntawv teev khoom /var/www/html/siv cov lus txib hauv qab no:
echo "Test AIDE" > /var/www/html/aide.txtTam sim no khiav AIDE check thiab xyuas kom meej tias cov ntaub ntawv tsim tau raug kuaj pom.
aide --checkKoj yuav tsum pom cov hauv qab no:
Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 49475
Added entries: 1
Removed entries: 0
Changed entries: 0
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /var/www/html/aide.txt
Peb pom tias cov ntaub ntawv tsim tau raug kuaj pom aide.txt.
Tom qab txheeb xyuas cov kev hloov pauv, hloov kho AIDE database.
aide --updateTom qab hloov tshiab koj yuav pom cov hauv qab no:
Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz
Summary:
Total number of entries: 49475
Added entries: 1
Removed entries: 0
Changed entries: 0
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /var/www/html/aide.txt
Cov lus txib saum toj no yuav tsim cov ntaub ntawv tshiab aide.db.new.gz hauv phau ntawv teev khoom
/var/lib/aide/Koj tuaj yeem pom nws nrog cov lus txib hauv qab no:
ls -l /var/lib/aide/Tshwm sim:
total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gzTam sim no hloov npe cov ntaub ntawv tshiab dua kom AIDE siv cov ntaub ntawv tshiab los taug qab cov kev hloov pauv ntxiv. Koj tuaj yeem hloov npe nws raws li hauv qab no:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gzKhiav daim tshev dua kom paub meej tias AIDE siv cov ntaub ntawv tshiab:
aide --checkKoj yuav tsum pom cov hauv qab no:
Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!Peb automate daim tshev
Nws yog ib lub tswv yim zoo los khiav AIDE daim tshev txhua hnub thiab xa tsab ntawv ceeb toom. Cov txheej txheem no tuaj yeem ua tiav siv cron.
nano /etc/crontabTxhawm rau khiav AIDE kuaj txhua hnub ntawm 10:15, ntxiv cov kab hauv qab no rau qhov kawg ntawm cov ntaub ntawv:
15 10 * * * root /usr/sbin/aide --checkAIDE tam sim no yuav ceeb toom koj los ntawm kev xa ntawv. Koj tuaj yeem tshawb xyuas koj cov ntawv nrog cov lus txib hauv qab no:
tail -f /var/mail/rootLub AIDE log tuaj yeem saib tau siv cov lus txib hauv qab no:
tail -f /var/log/aide/aide.logxaus
Hauv tsab xov xwm no, koj tau kawm yuav ua li cas siv AIDE txhawm rau txheeb xyuas cov ntaub ntawv hloov pauv thiab txheeb xyuas cov neeg siv tsis raug cai nkag mus. Rau kev teeb tsa ntxiv, koj tuaj yeem hloov kho cov ntaub ntawv /etc/aide.conf configuration. Rau kev nyab xeeb vim li cas, nws raug nquahu kom khaws cov ntaub ntawv khaws cia thiab cov ntaub ntawv teeb tsa ntawm kev nyeem ntawv nkaus xwb. Xav paub ntau ntxiv tuaj yeem pom hauv cov ntaub ntawv .
Tau qhov twg los: www.hab.com