How to install and use AIDE (Advanced Intrusion Detection Environment) on CentOS 8

Ahead of the start of the "Linux Administrator" course, we have prepared a translation of an interesting article.

AIDE stands for "Advanced Intrusion Detection Environment" and is one of the most popular tools for monitoring changes on Linux-based operating systems. AIDE is used to protect against malware and viruses and to detect unauthorized activity. To check file integrity and detect intrusions, AIDE creates a database of file information and compares the current state of the system against that database. AIDE helps shorten incident investigation by focusing attention on the files that have actually been modified.

AIDE features:

  • Supports a range of file attributes, including: file type, inode, uid, gid, permissions, link count, mtime, ctime and atime.
  • Support for Gzip compression, SELinux, XAttrs, POSIX ACLs and filesystem attributes.
  • Supports several hash algorithms, including md5, sha1, sha256, sha512, rmd160, crc32, wdg.
  • Sends reports by email.

In this article, we will look at how to install and use AIDE for intrusion detection on CentOS 8.

Requirements

  • A server running CentOS 8 with at least 2 GB of RAM.
  • Root access.

Getting started

It is recommended to update the system first. To do so, run the following command:

dnf update -y

After the update, reboot your system for the changes to take effect.

Installing AIDE

AIDE is available in the default CentOS 8 repository. You can install it quickly with the following command:

dnf install aide -y

Once the installation is complete, you can check the AIDE version with the following command:

aide --version

You should see the following output:

Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

The options available in aide can be viewed as follows:

aide --help

Creating and initializing the database

The first thing to do after installing AIDE is to initialize it. Initialization creates a database (a snapshot) of all the files and directories on the server.

To initialize the database, run the following command:

aide --init

You should see the following output:

Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==


End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)

The above command creates a new database, aide.db.new.gz, in the /var/lib/aide directory. You can see it with the following command:

ls -l /var/lib/aide

Output:

total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz

AIDE will not use this new database file until it has been renamed to aide.db.gz. You can do that as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

It is recommended to update this database periodically so that changes are tracked correctly.

You can change the database location by changing the DBDIR parameter in the /etc/aide.conf file.

Running a check

AIDE is now ready to use the new database. Run the first AIDE check without making any changes:

aide --check

This command takes some time to complete, depending on the size of your filesystem and the amount of RAM on your server. Once the check finishes, you should see the following output:

Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

The output above indicates that the files and directories match the AIDE database.

Testing AIDE

By default, AIDE does not monitor the default Apache document root /var/www/html. Let's configure AIDE to check it. To do so, you need to edit the file /etc/aide.conf.

nano /etc/aide.conf

Add the following above the line "/root/CONTENT_EX":

/var/www/html/ CONTENT_EX

Next, create a file aide.txt in the /var/www/html/ directory with the following command:

echo "Test AIDE" > /var/www/html/aide.txt

Now run an AIDE check and verify that the newly created file is detected.

aide --check

You should see the following output:

Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

We can see that the created file aide.txt was detected. After reviewing the detected changes, update the AIDE database.

aide --update

After the update, you should see the following output:

Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The above command creates a new database, aide.db.new.gz, in the /var/lib/aide/ directory.

You can see it with the following command:

ls -l /var/lib/aide/

Output:

total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz

Now rename the new database again so that AIDE uses it to track further changes. You can rename it as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run the check again to make sure AIDE is using the new database:

aide --check

You should see the following output:

Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
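The rename step after both --init and --update is easy to forget, and if it is skipped AIDE silently keeps checking against a stale database. As an added example that is not part of the original article, the following script wraps that step and records a SHA-256 digest of the live database so a later run can tell whether the reference database itself was replaced; this complements, rather than replaces, the advice to keep the database on read-only media. It assumes coreutils sha256sum, the article's DBDIR of /var/lib/aide, and a hypothetical location for the digest file.

```shell
#!/bin/sh
# Added example, not code from the original article or the AIDE project: the
# rename step the article performs by hand (aide.db.new.gz -> aide.db.gz, after
# both --init and --update), plus an out-of-band SHA-256 of the live database
# so a later run can tell whether the reference database itself was swapped.
# Assumes coreutils sha256sum; DBDIR mirrors the article's /var/lib/aide and
# DB_SUM_FILE is a hypothetical location chosen for this example.
DBDIR=${DBDIR:-/var/lib/aide}
DB_SUM_FILE=${DB_SUM_FILE:-/root/aide.db.gz.sha256}

db_digest() { sha256sum "$1" | awk '{ print $1 }'; }

# Move the freshly written database into place and record its digest.
# Fails when there is nothing new to promote, so a cron job cannot silently
# keep running against a stale aide.db.gz.
promote_aide_db() {
    new="$DBDIR/aide.db.new.gz"
    live="$DBDIR/aide.db.gz"
    [ -f "$new" ] || { echo "no new database at $new" >&2; return 1; }
    mv -f "$new" "$live" || return 1
    chmod 600 "$live"
    db_digest "$live" >"$DB_SUM_FILE"
}

# Compare the live database with the recorded digest before trusting a check:
# returns 0 when it matches, 1 when it differs or no record exists.
verify_aide_db() {
    live="$DBDIR/aide.db.gz"
    [ -f "$DB_SUM_FILE" ] && [ -f "$live" ] || return 1
    [ "$(cat "$DB_SUM_FILE")" = "$(db_digest "$live")" ]
}
```

Run promote_aide_db right after aide --init or aide --update, and verify_aide_db before each aide --check.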

Automation

It is a good idea to run an AIDE check daily and send out the report. This can be automated using cron.

nano /etc/crontab

To run an AIDE check daily at 10:15, add the following line at the end of the file:

15 10 * * * root /usr/sbin/aide --check

AIDE will now notify you by mail. You can check your mail with the following command:

tail -f /var/mail/root

The AIDE log can be viewed with the following command:

tail -f /var/log/aide/aide.log
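The crontab line above mails whatever aide prints, on every run. As an added example that is not part of the original article, the following wrapper decodes aide's exit status, pulls the summary counts and the affected paths out of the report, and mails a digest only when something differs or aide itself fails. It assumes aide(1)'s documented exit codes (0 clean; 1, 2 and 4 for added, removed and changed entries, combined bitwise; 14 and above for errors), a local mail command (mailx on CentOS 8), and the hypothetical AIDE_BIN and MAIL_TO variables.

```shell
#!/bin/sh
# Added example, not code from the original article or the AIDE project: a cron
# wrapper around "aide --check" that decodes the exit status, pulls the summary
# counts and affected paths out of the report, and mails a digest only when the
# filesystem no longer matches the database. Assumes aide(1)'s documented exit
# codes (0 clean; 1/2/4 = added/removed/changed, OR-ed; 14 and above = error)
# and a local "mail" command (mailx on CentOS 8). AIDE_BIN/MAIL_TO are ours.
AIDE_BIN=${AIDE_BIN:-/usr/sbin/aide}
MAIL_TO=${MAIL_TO:-root}
# Decode an AIDE exit status into a short label for the mail subject.
describe_aide_status() {
    s=$1
    [ "$s" -eq 0 ] && { echo "no differences"; return; }
    [ "$s" -ge 14 ] && { echo "error (exit $s)"; return; }
    out=""
    [ $((s & 1)) -ne 0 ] && out="${out}added,"
    [ $((s & 2)) -ne 0 ] && out="${out}removed,"
    [ $((s & 4)) -ne 0 ] && out="${out}changed,"
    echo "${out%,}"
}

# Print one count from the report's Summary block; $1 is Added, Removed or Changed.
summary_count() {
    awk -v label="$1" '$1 == label && $2 == "entries:" { print $NF; exit }'
}

# Print the paths from the Added/Removed/Changed sections. AIDE prefixes each
# with a type letter and attribute flags, e.g. "f++++++++++++++++: /path".
changed_paths() {
    awk '$0 ~ "^[a-zA-Z][^/]*: /" { sub("^[^/]*: /", "/"); print }'
}

# Run the check and mail a digest (subject carries the decoded status) when
# anything differs or aide itself fails. Returns aide's own exit status.
run_aide_check() {
    report=$(mktemp) || return 1
    status=0
    "$AIDE_BIN" --check >"$report" 2>&1 || status=$?
    label=$(describe_aide_status "$status")
    if [ "$status" -ne 0 ]; then
        {
            printf 'AIDE result: %s\n\n' "$label"
            printf 'Added: %s  Removed: %s  Changed: %s\n' \
                "$(summary_count Added <"$report")" \
                "$(summary_count Removed <"$report")" "$(summary_count Changed <"$report")"
            printf '\nAffected paths:\n'; changed_paths <"$report"
        } | mail -s "AIDE on $(hostname): $label" "$MAIL_TO"
    fi
    rm -f "$report"; return "$status"
}
```

Save the script, add a final line that calls run_aide_check, and point the crontab entry at it instead of at /usr/sbin/aide --check directly.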

Conclusion

In this article, you learned how to use AIDE to detect file changes and unauthorized access to a server. For additional settings, you can edit the configuration file /etc/aide.conf. For safety, it is recommended to store the database and the configuration file on read-only media. More information can be found in the AIDE documentation.

Source: www.habr.com