How to Install and Use AIDE (Advanced Intrusion Detection Environment) on CentOS 8

Ahead of the start of the "Linux Administrator" course, we have prepared a translation of some interesting material.


AIDE stands for "Advanced Intrusion Detection Environment" and is one of the most popular systems for monitoring changes on Linux-based operating systems. AIDE is used to protect against malware and viruses and to detect unauthorized activity. To verify file integrity and detect intrusions, AIDE builds a database of file information and compares the current state of the system against that database. AIDE helps reduce incident investigation time by focusing on the files that have actually changed.

AIDE features:

  • Supports many file attributes, including: file type, inode, uid, gid, permissions, link count, mtime, ctime and atime.
  • Support for Gzip compression, SELinux, XAttrs, POSIX ACLs and filesystem attributes.
  • Supports many checksum algorithms, including md5, sha1, sha256, sha512, rmd160, crc32 and tiger.
  • Sends notifications by email.

In this article we will look at how to install and use AIDE for intrusion detection on CentOS 8.

Prerequisites

  • A server running CentOS 8 with at least 2 GB of RAM.
  • Root access.

Getting started

It is recommended to update the system first. To do this, run the following command:

dnf update -y

After the update, reboot the system so that the changes take effect.

Installing AIDE

AIDE is available in the standard CentOS 8 repositories. You can install it easily with the following command:

dnf install aide -y

Once the installation is complete, you can check the AIDE version with the following command:

aide --version

You should see the following:

Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

The available AIDE options can be listed as follows:

aide --help


Creating and initializing the database

The first thing to do after installing AIDE is to initialize it. Initialization means building a database (a snapshot) of all files and directories on the server.

To initialize the database, run the following command:

aide --init

You should see the following:

Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==


End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)

The command above creates a new database, aide.db.new.gz, in the /var/lib/aide directory. You can view it with the following command:

ls -l /var/lib/aide

Result:

total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz

AIDE will not use this new database file until it is renamed to aide.db.gz. This can be done as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

It is recommended that you refresh this database periodically to make sure changes are being tracked correctly.

You can change the database location by editing the DBDIR parameter in the /etc/aide.conf file.

Running a scan

AIDE is now ready to use the new database. Run the first AIDE check, with no changes made yet:

aide --check

This command takes some time to complete, depending on the size of the filesystem and the amount of RAM on your server. Once the scan finishes, you should see the following:

Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

The output above indicates that all files and directories match the AIDE database.

Testing AIDE

By default, AIDE does not track the standard Apache document root /var/www/html. Let's configure AIDE to watch it. To do this, you need to edit the /etc/aide.conf file.

nano /etc/aide.conf

Add the following line above the existing "/root/CONTENT_EX" line:

/var/www/html/ CONTENT_EX

Next, create a file aide.txt in the /var/www/html/ directory using the following command:

echo "Test AIDE" > /var/www/html/aide.txt

Now run an AIDE check and verify that the newly created file is detected.

aide --check

You should see the following:

Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

We can see that the created file aide.txt was detected.
After analyzing the detected changes, update the AIDE database.

aide --update

After the update you will see the following:

Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The command above creates a new database, aide.db.new.gz, in the /var/lib/aide/ directory.

You can view it with the following command:

ls -l /var/lib/aide/

Result:

total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz

Now rename the new database again so that AIDE uses it to track further changes. You can rename it as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run the check again to make sure AIDE is using the new database:

aide --check

You should see the following:

Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Automating checks

It is good practice to run an AIDE check every day and send out the report. This process can be automated with cron.

nano /etc/crontab

To run the AIDE check daily at 10:15, add the following line to the end of the file:

15 10 * * * root /usr/sbin/aide --check

The output of each check will now be delivered by mail (cron mails the job's output to root). You can read that mail with the following command:

tail -f /var/mail/root

The AIDE log can be viewed with the following command:

tail -f /var/log/aide/aide.log
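When the daily cron job mails or logs a report like the ones shown above, it helps to turn that text into something a script or SIEM can act on. The following parser is an added example, not part of the original article or of AIDE itself; it assumes the AIDE 0.16 report layout shown on this page (a "Summary:" block with counts, followed by "Added entries:", "Removed entries:" and "Changed entries:" sections whose lines end in the affected path), and the sample report embedded in it is constructed from the check run above.

```python
import re

# Constructed sample: the report AIDE printed in the test run above, embedded inline.
SAMPLE_REPORT = """Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:\t49475
  Added entries:\t\t1
  Removed entries:\t\t0
  Changed entries:\t\t0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt
"""

COUNT_RE = re.compile(r"^\s*(Total number of|Added|Removed|Changed) entries:\s*(\d+)\s*$")
# Detail lines: attribute flags (e.g. f+++...), a colon, then the absolute path.
ENTRY_RE = re.compile(r"^[^:\s][^:]*:\s+(/\S.*)$")
SECTIONS = ("Added", "Removed", "Changed")

def parse_report(text):
    """Return {'clean': bool, 'counts': {...}, 'entries': {'Added': [...], ...}}."""
    result = {"clean": False, "counts": {}, "entries": {s: [] for s in SECTIONS}}
    section = None
    for line in text.splitlines():
        if "AIDE found NO differences" in line:
            result["clean"] = True
        if m := COUNT_RE.match(line):
            result["counts"][m.group(1)] = int(m.group(2))
            continue
        head = line.strip()
        if head.endswith(" entries:") and head.split()[0] in SECTIONS:
            section = head.split()[0]  # heading of a detail block, e.g. "Added entries:"
            continue
        if line.startswith("Detailed information"):
            section = None  # per-attribute dumps follow; they are not path lists
            continue
        if section and (m := ENTRY_RE.match(line)):
            result["entries"][section].append(m.group(1))
    return result

def needs_attention(report):
    """True when the report lists at least one added, removed or changed path."""
    return any(report["entries"][s] for s in SECTIONS)
```

Feeding the saved report (or the cron mail body) to parse_report gives a structured record of which paths changed, so the daily job can alert only when needs_attention is true instead of mailing every run.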

Conclusion

In this article you learned how to use AIDE to detect file changes and identify unauthorized access to a server. For further tuning, you can edit the configuration file /etc/aide.conf. For security reasons, it is recommended to keep the database and the configuration file on read-only media. More information can be found in the AIDE documentation.

Learn more about the course.

Source: www.habr.com
