How to Install and Use AIDE (Advanced Intrusion Detection Environment) on CentOS 8

Ahead of the start of the "Linux Administrator" course, we have prepared a translation of some interesting material.


AIDE stands for "Advanced Intrusion Detection Environment" and is one of the best-known tools for monitoring changes on Linux systems. AIDE is used to detect malware, viruses and unauthorized activity by spotting the file changes they leave behind. To verify file integrity and detect intrusions, AIDE builds a database of file metadata and checksums and then compares the current state of the system against that database. AIDE shortens incident investigation time by pointing directly at the files that have changed.

AIDE features:

  • Supports a wide range of file attributes, including: file type, inode, uid, gid, permissions, link count, mtime, ctime and atime.
  • Support for Gzip compression of the database, SELinux contexts, extended attributes (XAttrs), POSIX ACLs and file system attributes.
  • Supports several checksum algorithms, including md5, sha1, sha256, sha512, rmd160, crc32, etc.
  • Reports can be delivered by e-mail (for example as the mail cron sends for a scheduled check).

In this article, we will look at how to install and use AIDE for intrusion detection on CentOS 8.

Requirements

  • A server running CentOS 8 with 2 GB of RAM.
  • Root access.

Getting started

It is a good idea to update the system first. To do this, run the following command:

dnf update -y

After the update, reboot the system for the changes to take effect.

Installing AIDE

AIDE is available in the default CentOS 8 repository. You can install it by running:

dnf install aide -y

Once the installation is complete, you can check the AIDE version with the following command:

aide --version

You should see the following output:

Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

The available aide options can be listed as follows:

aide --help


Creating and initializing the database

The first thing to do after installing AIDE is to initialize it. Initialization builds the database (a snapshot) of the files and directories on the server that the rules in /etc/aide.conf cover. Because this database is the baseline every later check is compared against, build it on a freshly installed or otherwise known-clean system.

To initialize the database, run the following command:

aide --init

You should see the following output:

Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==


End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)

The command above creates a new database, aide.db.new.gz, in the /var/lib/aide directory. You can view it with the following command:

ls -l /var/lib/aide

Output:

total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz

AIDE will not use this new file until it is renamed to aide.db.gz. That can be done as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

It is good practice to refresh this database regularly, after each legitimate change (package updates, configuration edits) has been reviewed, so that checks report only unexpected changes.

You can change the database location by changing the DBDIR parameter in /etc/aide.conf; the database and database_out directives in that file reference it.
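The promote-the-database step above can be scripted. The following is an added example, not code from the original article or from the AIDE project; it assumes the default CentOS 8 layout (DBDIR /var/lib/aide, aide.db.gz and aide.db.new.gz), and the sidecar file name aide.db.sha256 is this example's own convention. It records a SHA-256 of the promoted database so that the database itself can be checked before it is trusted as a baseline, which matters because a root-level intruder can otherwise rebuild the database to hide changes:

```shell
#!/bin/bash
# Promote a freshly built AIDE database and record an out-of-band checksum.
# Added example (not from the original article or from AIDE). Assumes the
# default CentOS 8 layout: DBDIR=/var/lib/aide, aide.db.gz, aide.db.new.gz.
# The checksum file name aide.db.sha256 is this example's own choice.
set -u

AIDE_DBDIR="${AIDE_DBDIR:-/var/lib/aide}"

# Move aide.db.new.gz into place as aide.db.gz, keep one backup of the
# previous database, and write a SHA-256 of the new database next to it.
# Prints the recorded checksum on success; returns 1 if no new database exists.
aide_promote_db() {
    local dir="${1:-$AIDE_DBDIR}"
    local new="$dir/aide.db.new.gz" cur="$dir/aide.db.gz"
    [ -f "$new" ] || { echo "no new database at $new" >&2; return 1; }
    if [ -f "$cur" ]; then
        mv -f "$cur" "$cur.prev"            # keep the last known-good database
    fi
    mv -f "$new" "$cur"
    chmod 0600 "$cur"                       # the database must stay root-only
    sha256sum "$cur" | awk '{print $1}' > "$dir/aide.db.sha256"
    cat "$dir/aide.db.sha256"
}

# Compare the current database with the recorded checksum. Copy the checksum
# to read-only media or another host: a checksum kept beside the database can
# be rewritten by the same attacker who rewrites aide.db.gz.
aide_verify_db() {
    local dir="${1:-$AIDE_DBDIR}"
    local want have
    want="$(cat "$dir/aide.db.sha256" 2>/dev/null)" || { echo "no recorded checksum in $dir" >&2; return 2; }
    have="$(sha256sum "$dir/aide.db.gz" | awk '{print $1}')"
    if [ "$want" = "$have" ]; then
        echo "aide.db.gz matches recorded checksum"
        return 0
    fi
    echo "WARNING: aide.db.gz checksum mismatch (expected $want, got $have)" >&2
    return 1
}

# Typical use:  aide --init && aide_promote_db
# Before each scheduled scan:  aide_verify_db && aide --check
```

Run aide_verify_db before every scheduled check; if it fails, treat the database as untrusted and rebuild it from known-good media rather than continuing to compare against it.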

Running a check

AIDE is now ready to use the new database. Run the first AIDE check without changing anything:

aide --check

This command takes some time to complete, depending on the size of your file systems and the amount of RAM on your server. When the scan finishes you should see the following output:

Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

The output above means that all files and directories match the AIDE database.

Testing AIDE

By default, AIDE does not monitor the default Apache document root /var/www/html. Let's configure AIDE to watch it. To do this, edit the file /etc/aide.conf:

nano /etc/aide.conf

Add the following line above the line "/root/   CONTENT_EX":

/var/www/html/ CONTENT_EX

Then create a file aide.txt in the /var/www/html/ directory with the following command:

echo "Test AIDE" > /var/www/html/aide.txt

Now run an AIDE check and make sure the newly created file is detected:

aide --check

You should see the following output:

Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

We can see that the newly created file aide.txt was detected: the leading f marks a regular file, and the row of + signs marks an entry whose attributes are all new to the database.
After analyzing the detected changes and confirming they are expected, update the AIDE database:

aide --update

After the update you will see the following output:

Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The command above writes a new database, aide.db.new.gz, to the /var/lib/aide/ directory; the current aide.db.gz is left untouched.

You can see both files with the following command:

ls -l /var/lib/aide/

Output:

total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz

Now rename the new database so that AIDE uses it as the baseline for detecting further changes. You can rename it as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run the check again to make sure AIDE is using the new database:

aide --check

You should see the following output:

Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Automating the check

It is good practice to run the AIDE check every day and mail the report. This can be automated with cron.

nano /etc/crontab

To run the AIDE check every day at 10:15, add the following line to the end of the file:

15 10 * * * root /usr/sbin/aide --check

Cron mails the output of each job to the job's owner (or to the address set in MAILTO), so after every run the report arrives in root's mailbox. You can read it with the following command:

tail -f /var/mail/root

The AIDE log, written to /var/log/aide/aide.log by the report_url setting in the default /etc/aide.conf, can be viewed with the following command:

tail -f /var/log/aide/aide.log
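The crontab line above mails the raw report every day, whether or not anything changed, and discards aide's exit status. The wrapper below is an added example, not part of the original article or of AIDE; it assumes aide at /usr/sbin/aide (override with AIDE_CMD) and the CentOS 8 log directory /var/log/aide. It keeps a dated copy of each report, extracts the Added/Removed/Changed counts from the summary, and maps the exit status documented in aide(1) (bit 1 = new files, bit 2 = removed files, bit 4 = changed files, 14 and above = error) onto a one-line verdict:

```shell
#!/bin/bash
# Cron wrapper for the daily AIDE check. Added example, not from the original
# article or from AIDE. Assumes aide at /usr/sbin/aide (override with
# AIDE_CMD) and the CentOS 8 log directory /var/log/aide. Exit codes follow
# aide(1): bit 1 = new files, bit 2 = removed, bit 4 = changed, >= 14 = error.
set -u

AIDE_CMD="${AIDE_CMD:-/usr/sbin/aide}"
AIDE_LOGDIR="${AIDE_LOGDIR:-/var/log/aide}"

# Translate an aide exit status into a one-line verdict.
aide_describe_status() {
    local rc="$1" out=""
    if [ "$rc" -eq 0 ]; then echo "no changes"; return 0; fi
    if [ "$rc" -ge 14 ]; then echo "aide error (exit $rc)"; return 0; fi
    [ $((rc & 1)) -ne 0 ] && out="${out}new "
    [ $((rc & 2)) -ne 0 ] && out="${out}removed "
    [ $((rc & 4)) -ne 0 ] && out="${out}changed "
    echo "${out% } files detected (exit $rc)"
}

# Pull the Added/Removed/Changed counts from an AIDE report read on stdin.
# Only the numeric Summary lines match; the "Added entries:" section header
# that precedes the file list has no count and is skipped.
# Prints "added=N removed=N changed=N" (all zero when there is no Summary).
aide_summary_counts() {
    awk '
        /^[[:space:]]*Added entries:[[:space:]]+[0-9]+$/   { a = $NF }
        /^[[:space:]]*Removed entries:[[:space:]]+[0-9]+$/ { r = $NF }
        /^[[:space:]]*Changed entries:[[:space:]]+[0-9]+$/ { c = $NF }
        END { printf "added=%d removed=%d changed=%d\n", a, r, c }'
}

# Run the check, keep a dated copy of the report, print a summary line and
# return aide's own exit status so cron or a calling script can act on it.
aide_daily_check() {
    local logdir="${1:-$AIDE_LOGDIR}" rc report
    mkdir -p "$logdir"
    report="$logdir/aide-check-$(date +%Y%m%d-%H%M%S).log"
    "$AIDE_CMD" --check > "$report" 2>&1 && rc=0 || rc=$?
    echo "AIDE: $(aide_describe_status "$rc"); $(aide_summary_counts < "$report"); report: $report"
    return "$rc"
}

# Cron usage (path is hypothetical): save this file as
# /usr/local/sbin/aide-daily-check.sh, append "aide_daily_check" as its last
# line, and replace the crontab command with that script. Cron mails the
# one-line summary; the full report stays in /var/log/aide for review.
```

Because the function returns aide's status, a cron entry such as `aide-daily-check.sh || mail -s "AIDE changes on $(hostname)" root < /var/log/aide/latest.log` can be made to send mail only on change; the status values 14 and above are worth alerting on separately, since they mean the check did not run rather than that nothing changed.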

Conclusion

In this article, you learned how to use AIDE to monitor file changes and detect unauthorized access to a server. For further tuning, edit the /etc/aide.conf configuration file. For security reasons, it is recommended to keep the database and the configuration file on read-only media, since an attacker who gains root on the host can otherwise rebuild the database or edit the rules to hide their changes. More information can be found in the AIDE documentation.


Source: www.habr.com
