Kahor bilowga koorsada Waxaan diyaarinay tarjumaad waxyaabo xiiso leh.
AIDE waxa ay u taagan tahay “Deeq Detection Horusocod oo Hormarsan” waana mid ka mid ah nidaamyada ugu caansan ee lagula socdo isbeddelada nidaamyada hawlgalka ku salaysan Linux. AIDE waxa loo istcmaalaa in laga ilaaliyo malware-ka, fayrasyada iyo in lagu ogaado dhaqdhaqaaqyada aan la ogolayn. Si loo xaqiijiyo daacadnimada faylka oo loo ogaado faragelinta, AIDE waxay abuurtaa kaydka xogta faylka waxayna barbar dhigaysaa xaalada nidaamka hadda iyo xogtan. AIDE waxay gacan ka geysataa dhimista waqtiga baaritaanka shilka iyadoo diiradda saareysa faylasha la bedelay.
Tilmaamaha AIDE:
- Waxay taageertaa sifooyin faylal kala duwan, oo ay ku jiraan: nooca faylka, inode, uid, gid, ogolaanshaha, tirada xiriirinta, mtime, ctime iyo atime.
- Taageerada isku-dhafka Gzip, SELinux, XAttrs, Posix ACL iyo sifooyinka nidaamka faylka.
- Waxay taageertaa algorithms kala duwan oo ay ku jiraan md5, sha1, sha256, sha512, rmd160, crc32, iwm.
- Ku diritaanka ogeysiisyada iimaylka
Maqaalkan, waxaan ku eegi doonaa sida loo rakibo oo loo isticmaalo AIDE ogaanshaha faragelinta ee CentOS 8.
Shuruudaha
- Adeegaha ku shaqeeya CentOS 8, oo leh ugu yaraan 2 GB oo RAM ah.
- xidid helitaanka
Bilaabashada
Waxaa lagu talinayaa in la cusboonaysiiyo nidaamka marka hore. Si tan loo sameeyo, socodsii amarka soo socda.
dnf update -yKadib cusboonaysiinta, dib u billow nidaamkaaga si isbedeladu u dhaqan galaan.
Ku rakibida AIDE
AIDE waxay ku jirtaa kaydka caadiga ah ee CentOS 8. Waxaad si fudud u rakibi kartaa adiga oo socodsiinaya amarka soo socda:
dnf install aide -yMarka rakibiddu dhammaato, waxaad arki kartaa nooca AIDE adoo isticmaalaya amarka soo socda:
aide --versionWaa inaad aragto kuwan soo socda:
Aide 0.16
Compiled with the following options:
WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"
Fursadaha la heli karo aide waxaa loo arki karaa sida soo socota:
aide --help
Abuuritaanka iyo bilaabista xogta xogta
Waxa ugu horreeya ee aad u baahan tahay inaad sameyso ka dib markaad rakibto AIDE waa inaad bilawdo. Bilawga waxa ay ka kooban tahay abuurista xog ururin (sawir sawir) dhammaan faylasha iyo hagayaasha server-ka.
Si aad u bilawdo kaydka xogta, socodsii amarka soo socda:
aide --initWaa inaad aragto kuwan soo socda:
Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz
Number of entries: 49472
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new.gz
MD5 : 4N79P7hPE2uxJJ1o7na9sA==
SHA1 : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
RMD160 : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
TIGER : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
SHA256 : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
xWXT2iaEHgQ=
SHA512 : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
nDw6lgDNI/ls2esijukliQ==
End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)
Amarka kore wuxuu abuuri doonaa xog-ururin cusub aide.db.new.gz buugga ku yaal /var/lib/aide. Waxaa lagu arki karaa iyadoo la isticmaalayo amarka soo socda:
ls -l /var/lib/aideNatiijada:
total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz
AIDE ma isticmaali doonto faylkan cusub ee xogta ilaa laga bedelayo aide.db.gz. Tan waxaa loo samayn karaa sida soo socota:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gzWaxaa lagugula talinayaa inaad cusboonaysiiso xogtan si loo hubiyo in isbeddelada si sax ah loola socdo.
Waxaad bedeli kartaa goobta kaydka xogta adiga oo bedelaya cabbirka DBDIR faylka ku jira /etc/aide.conf.
Samaynta iskaanka
AIDE hadda waxay diyaar u tahay inay isticmaasho xogta cusub. Samee jeegaga ugu horeeya ee AIDE adoon samaynin wax isbedel ah:
aide --checkAmarkani wuxuu qaadan doonaa wakhti in la dhammaystiro iyadoo ku xidhan xajmiga nidaamka faylkaaga iyo xaddiga RAM ee server-kaaga. Marka iskaanka la dhammeeyo waa inaad aragto kuwan soo socda:
Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!Soosaarka kore wuxuu sheegayaa in dhammaan faylasha iyo hagayaasha ay ku habboon yihiin kaydinta xogta AIDE.
Tijaabada AIDE
Sida caadiga ah, AIDE ma raadraacdo tusaha asalka ah ee Apache rootiga /var/www/html. Aynu habeyno AIDE si aan u aragno. Si aad tan u samayso waxaad u baahan tahay inaad beddesho faylka /etc/aide.conf.
nano /etc/aide.conf
Ku dar xariiqda sare "/root/CONTENT_EX" soo socda:
/var/www/html/ CONTENT_EX
Marka xigta, samee fayl aide.txt buugga ku yaal /var/www/html/adoo isticmaalaya amarka soo socda:
echo "Test AIDE" > /var/www/html/aide.txtHadda maamul hubinta AIDE oo hubi in faylka la abuuray la helay.
aide --checkWaa inaad aragto kuwan soo socda:
Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 49475
Added entries: 1
Removed entries: 0
Changed entries: 0
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /var/www/html/aide.txt
Waxaan aragnaa in faylka la abuuray la ogaado aide.txt.
Ka dib marka la falanqeeyo isbeddelada la ogaaday, cusboonaysii xogta AIDE.
aide --updateCusboonaysiinta ka dib waxaad arki doontaa kuwan soo socda:
Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz
Summary:
Total number of entries: 49475
Added entries: 1
Removed entries: 0
Changed entries: 0
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /var/www/html/aide.txt
Amarka kore wuxuu abuuri doonaa xog-ururin cusub aide.db.new.gz buugga ku yaal
/var/lib/aide/Waxaad ku arki kartaa amarka soo socda:
ls -l /var/lib/aide/Natiijada:
total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gzHadda dib u magacow xogta cusub mar labaad si AIDE ay u isticmaasho xogta cusub si ay ula socoto isbedelada kale. Waxaad u magacaabi kartaa sidan soo socota:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gzMar kale samee jeegga si aad u hubiso in AIDE isticmaalayso xogta cusub:
aide --checkWaa inaad aragto kuwan soo socda:
Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!Waxaan si otomaatig ah u samaynaa jeegga
Waa fikrad wanaagsan inaad sameyso jeeg AIDE maalin kasta oo aad boostada ku dirto warbixinta. Habkan waxaa si toos ah loo isticmaali karaa iyadoo la isticmaalayo cron.
nano /etc/crontabSi aad u socodsiiso jeegga AIDE maalin kasta 10:15, ku dar xariiqda soo socota dhammaadka faylka:
15 10 * * * root /usr/sbin/aide --checkAIDE waxay hadda kuugu soo ogeysiin doontaa boostada. Waxaad ku hubin kartaa fariintaada amarka soo socda:
tail -f /var/mail/rootDiiwaanka AIDE waxaa lagu arki karaa iyadoo la adeegsanayo amarka soo socda:
tail -f /var/log/aide/aide.loggunaanad
Maqaalkan, waxaad ku baratay sida loo isticmaalo AIDE si loo ogaado isbeddelada faylka oo loo aqoonsado gelitaanka server-ka aan la oggolayn. Dejinta dheeraadka ah, waxaad wax ka beddeli kartaa faylka qaabeynta /etc/aide.conf. Sababo ammaan dartood, waxaa lagu talinayaa in lagu kaydiyo xogta xogta iyo faylka qaabeynta warbaahinta akhri-kaliya. Macluumaad dheeraad ah ayaa laga heli karaa dukumeentiyada .
Source: www.habr.com