How to install and use AIDE (Advanced Intrusion Detection Environment) on CentOS 8

AIDE stands for "Advanced Intrusion Detection Environment" and is one of the most popular change-monitoring tools for Linux-based operating systems. AIDE is used to help defend against malware and viruses and to detect unauthorized activity. To verify file integrity and detect intrusions, AIDE builds a database of file information and compares the current state of the system against that database. Because it lists exactly which files were modified, AIDE helps reduce the time needed to investigate an incident.

AIDE features:

  • Supports various file attributes, including: file type, inode, uid, gid, permissions, number of links, mtime, ctime and atime.
  • Support for Gzip compression, SELinux, XAttrs, POSIX ACLs and file system attributes.
  • Supports various hash algorithms, including md5, sha1, sha256, sha512, rmd160, crc32 and others.
  • Sends notifications by email.

In this article we will look at how to install and use AIDE for intrusion detection on CentOS 8.

Prerequisites

  • A server running CentOS 8 with about 2 GB of RAM.
  • root access

Getting started

It is recommended to update the system first. To do this, run the following command.

dnf update -y

After updating, reboot the system for the changes to take effect.

Installing AIDE

AIDE is available in the default CentOS 8 repository. You can install it simply by running the following command:

dnf install aide -y

Once the installation is complete, you can check the AIDE version with the following command:

aide --version

You should see the following:

Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

The available aide options can be listed as follows:

aide --help

Creating and initializing the database

The first thing you need to do after installing AIDE is to initialize it. Initialization means creating a database (a snapshot) of all files and directories on the server.

To initialize the database, run the following command:

aide --init

You should see the following:

Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==


End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)

The command above creates a new database, aide.db.new.gz, in the /var/lib/aide directory. You can see it with the following command:

ls -l /var/lib/aide

Output:

total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz

AIDE will not use this database file until it has been renamed to aide.db.gz. This can be done as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

It is recommended to update this database regularly (after every legitimate change to the system) so that only unexpected changes are reported.

You can change the database location by changing the DBDIR parameter in the /etc/aide.conf file.

Running a scan

AIDE is now ready to use the new database. Run a first AIDE check without making any changes:

aide --check

This command takes some time to complete, depending on the size of your file system and the amount of RAM on your server. When the scan is complete you should see the following:

Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

The output above means that all files and directories match the AIDE database.

Testing AIDE

By default, AIDE does not monitor the default Apache document root /var/www/html. Let's configure AIDE to monitor it. To do this you need to edit the file /etc/aide.conf.

nano /etc/aide.conf

Add the following above the line "/root/CONTENT_EX":

/var/www/html/ CONTENT_EX

Then create a file aide.txt in the /var/www/html/ directory with the following command:

echo "Test AIDE" > /var/www/html/aide.txt

Now run an AIDE check and make sure the newly created file is detected.

aide --check

You should see the following:

Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

We can see that the newly created file aide.txt has been detected.
After reviewing the detected changes, update the AIDE database.

aide --update

After the update you will see the following:

Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The command above creates a new database, aide.db.new.gz, in the /var/lib/aide/ directory.

You can see it with the following command:

ls -l /var/lib/aide/

Output:

total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz

Now rename the new database again so that AIDE uses it to track further changes. You can rename it as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run the check again to confirm that AIDE is using the new database:

aide --check

You should see the following:

Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Automating the check

It is a good idea to run the AIDE check every day and send out the report. This process can be automated with cron.

nano /etc/crontab

To run the AIDE check every day at 10:15, add the following line to the end of the file:

15 10 * * * root /usr/sbin/aide --check

AIDE will now notify you by email (cron mails the job's output to the root user). You can read that mail with the following command:

tail -f /var/mail/root

The AIDE log can be viewed with the following command:

tail -f /var/log/aide/aide.log
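The cron line above only runs the check; a wrapper that decides whether the result deserves attention has to interpret what AIDE returns. As an added example (not part of the original article or of AIDE itself), the POSIX shell helpers below decode AIDE's exit status and parse the Summary block of a report; the embedded report is constructed from the output shown earlier, and the function names are my own.

```shell
# Added example, not from the original article: helpers for a cron
# wrapper around "aide --check". AIDE's exit status is a bitmask:
# 1 = added entries, 2 = removed entries, 4 = changed entries
# (combined with OR), 0 = no differences, 14 and above = the run
# itself failed (I/O error, bad config line, database version mismatch).

# Turn an exit status into a space-separated list of change kinds,
# "none" when nothing differed, or "error" when the check did not complete.
aide_exit_flags() {
    rc=$1
    if [ "$rc" -eq 0 ]; then echo "none"; return 0; fi
    if [ "$rc" -ge 14 ]; then echo "error"; return 0; fi
    out=""
    [ $((rc & 1)) -ne 0 ] && out="$out added"
    [ $((rc & 2)) -ne 0 ] && out="$out removed"
    [ $((rc & 4)) -ne 0 ] && out="$out changed"
    echo "${out# }"
}

# Read a report on stdin and print the Summary counts as "added removed changed".
# Only the numbered Summary lines match; the "Added entries:" section header
# that precedes the f+++ lines carries no number and is skipped.
aide_summary_counts() {
    awk '/Added entries:[ \t]+[0-9]+$/   { a = $NF }
         /Removed entries:[ \t]+[0-9]+$/ { r = $NF }
         /Changed entries:[ \t]+[0-9]+$/ { c = $NF }
         END { print a + 0, r + 0, c + 0 }'
}

# Return 0 (true) when the exit status means a human should look at the
# report: any added, removed or changed entry, or a failed run.
needs_alert() {
    [ "$(aide_exit_flags "$1")" != "none" ]
}

# Constructed sample report in the format the article shows after adding
# /var/www/html/aide.txt (a real report would come from "aide --check").
SAMPLE_REPORT='Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:  49475
  Added entries:            1
  Removed entries:          0
  Changed entries:          0

Added entries:
f++++++++++++++++: /var/www/html/aide.txt'
```

In a cron wrapper you would run `aide --check > "$report"; rc=$?` and then `needs_alert "$rc" && mail -s "AIDE: $(aide_exit_flags "$rc")" root < "$report"`, so that quiet days produce no mail and a failed run is not mistaken for a clean one.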

Conclusion

In this article you learned how to use AIDE to detect file changes and unauthorized access to a server. For further configuration you can edit the /etc/aide.conf configuration file. For security reasons it is recommended to keep the database and the configuration file on read-only media, so that an attacker who compromises the host cannot silently rewrite the baseline. More information can be found in the AIDE documentation (AIDE Doc).

Source: www.habr.com