How to install and use AIDE (Advanced Intrusion Detection Environment) on CentOS 8

Ahead of the start of the "Linux Administrator" course, we have prepared a translation of an interesting article.


AIDE stands for "Advanced Intrusion Detection Environment" and is one of the best-known tools for monitoring changes on Linux-based operating systems. AIDE is a host-based file integrity checker: it does not block anything, but it detects the file changes left behind by malware, viruses and unauthorized activity. To verify file integrity and detect intrusions, AIDE takes a baseline snapshot (a database) of file metadata and hashes and compares the current state of the system against that database. AIDE helps shorten incident investigations by pointing straight at the files that have changed.

AIDE features:

  • Supports many file attributes, including: file type, inode, uid, gid, permissions, link count, mtime, ctime and atime.
  • Support for Gzip compression, SELinux, XAttrs, POSIX ACLs and file system attributes.
  • Supports many hash algorithms, including md5, sha1, sha256, sha512, rmd160, crc32 and others (md5, sha1 and crc32 are not collision resistant; use sha256 or sha512 for integrity checking).
  • Reports can be delivered by e-mail, for example by running the check from cron.

In this article we will look at how to install and use AIDE for intrusion detection on CentOS 8.

Prerequisites

  • A server running CentOS 8 with at least 2 GB of RAM.
  • Root access

Getting started

It is recommended to update the system first. To do so, run the following command:

dnf update -y

After updating, reboot the system so that the changes take effect.

Installing AIDE

AIDE is available in the default CentOS 8 repository. You can install it with the following command:

dnf install aide -y

Once the installation is complete, you can check the AIDE version with the following command:

aide --version

You should see the following:

Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

The available aide options can be listed as follows:

aide --help


Creating and initializing the database

The first thing you need to do after installing AIDE is initialize it. Initialization builds the database (a snapshot) of every file and directory on the server that the selection rules in /etc/aide.conf cover.

To initialize the database, run the following command:

aide --init

You should see the following:

Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==


End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)

The command above creates a new database, aide.db.new.gz, in the /var/lib/aide directory. You can see it with the following command:

ls -l /var/lib/aide

Output:

total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz

AIDE will not use this new database file until it is renamed to aide.db.gz. This can be done as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Update this database whenever legitimate changes have been made (for example after package updates), and only after reviewing what AIDE reports; if changes are accepted blindly, an attacker's modifications simply become part of the baseline.

You can change the database location by editing the DBDIR parameter in /etc/aide.conf.
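The rename step above is the moment the baseline becomes trusted, so it is worth doing it in a repeatable way and keeping a reference hash of the accepted database somewhere AIDE does not write to. The following script is an added example and is not part of the original article or of AIDE itself. It assumes DBDIR is /var/lib/aide as in the stock CentOS 8 /etc/aide.conf; the hash file path /root/aide.db.sha256 and the aide.db.prev.gz backup name are hypothetical choices made here. A copy of the hash file should really be kept off the host, since an attacker with root can rewrite both the database and any hash stored next to it.

```shell
#!/bin/sh
# Added example (not from the original article or from AIDE): accept a freshly
# built AIDE database and keep a reference SHA-256 of it.
# Assumptions: DBDIR=/var/lib/aide as in the stock CentOS 8 aide.conf;
# HASHFILE=/root/aide.db.sha256 is a hypothetical location (copy it off-host).

DBDIR=${DBDIR:-/var/lib/aide}
HASHFILE=${HASHFILE:-/root/aide.db.sha256}

# Move aide.db.new.gz into place as aide.db.gz (the name AIDE reads), keep the
# previous baseline for rollback, and record the SHA-256 of the accepted file.
accept_aide_db() {
    dbdir=$1
    hashfile=$2
    if [ ! -f "$dbdir/aide.db.new.gz" ]; then
        echo "no $dbdir/aide.db.new.gz: run 'aide --init' or 'aide --update' first" >&2
        return 1
    fi
    if [ -f "$dbdir/aide.db.gz" ]; then
        mv "$dbdir/aide.db.gz" "$dbdir/aide.db.prev.gz"   # hypothetical backup name
    fi
    mv "$dbdir/aide.db.new.gz" "$dbdir/aide.db.gz"
    chmod 0600 "$dbdir/aide.db.gz"
    sha256sum "$dbdir/aide.db.gz" > "$hashfile"
}

# Before running a check, confirm the baseline is still the one that was
# accepted. sha256sum -c re-hashes the path recorded in the hash file and
# returns non-zero if it no longer matches.
verify_aide_db() {
    hashfile=$1
    sha256sum -c --status "$hashfile"
}

# Usage: sh aide-db.sh accept   (after aide --init / aide --update)
#        sh aide-db.sh verify   (before aide --check)
case "${1:-}" in
    accept) accept_aide_db "$DBDIR" "$HASHFILE" ;;
    verify) verify_aide_db "$HASHFILE" ;;
esac
```

Run it as "sh aide-db.sh accept" right after aide --init or aide --update, and "sh aide-db.sh verify" before each check; a verify failure means the baseline itself was replaced and the check result cannot be trusted.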

Running a scan

AIDE is now ready to use the new database. Run a first AIDE check without having changed anything:

aide --check

This command takes some time to complete, depending on the size of your filesystem and the amount of RAM on the server. Once the scan completes, you should see the following:

Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

The output above means that every file and directory covered by the configuration matches the AIDE database.

Testing AIDE

By default, AIDE does not track Apache's default document root, /var/www/html. Let's configure AIDE to monitor it. To do so, edit the file /etc/aide.conf.

nano /etc/aide.conf

Add the following line above the line "/root/ CONTENT_EX":

/var/www/html/ CONTENT_EX

Next, create a file aide.txt in /var/www/html using the following command (the directory is created by the httpd package; if httpd is not installed, create it first with mkdir -p /var/www/html):

echo "Test AIDE" > /var/www/html/aide.txt

Now run an AIDE check and verify that the newly created file is detected.

aide --check

You should see the following:

Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

We can see that the newly created file aide.txt was detected.

After reviewing the reported changes, update the AIDE database:

aide --update

After the update you will see the following:

Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The command above writes a new database, aide.db.new.gz, to the /var/lib/aide/ directory.

You can see it with the following command:

ls -l /var/lib/aide/

Output:

total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz

Now rename the database again so that AIDE uses the new database for subsequent checks. You can rename it as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run the check again to confirm that AIDE is using the new database:

aide --check

You should see the following:

Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
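The single selection line added above reuses the CONTENT_EX rule group that the stock CentOS aide.conf predefines. For a web root you usually want your own rule group and an exclusion for directories that legitimately churn, and you want AIDE to validate the configuration before the next check rather than fail in cron. The script below is an added example, not part of the original article or of AIDE; the WEB rule name and the /var/www/html/cache exclusion are hypothetical choices, and it assumes AIDE 0.16 on CentOS 8, whose aide -D / --config-check option parses the configuration and reports errors without scanning.

```shell
#!/bin/sh
# Added example (not from the original article or from AIDE): append a rule
# group and selection lines for the web root to aide.conf, then validate it.
# Assumptions: AIDE 0.16 on CentOS 8; the WEB group and the
# /var/www/html/cache exclusion are hypothetical.

CONF=${CONF:-/etc/aide.conf}

# AIDE selection syntax: "/path RULE" matches recursively, "=/path RULE"
# matches only the directory itself, "!/path" excludes. A rule group is a
# sum of attribute letters (p perms, i inode, n link count, u/g owner,
# s size, m/c mtime/ctime, acl, selinux, xattrs) and hash names.
# md5 and sha1 are deliberately left out of the group.
aide_web_rules() {
    cat <<'EOF'
# --- added: web document root (example rules) ---
WEB = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256+sha512
!/var/www/html/cache
/var/www/html/ WEB
EOF
}

# Append the block once (re-running is a no-op) and keep a backup of the
# previous config next to it.
add_web_rules() {
    conf=$1
    if grep -q '^/var/www/html/ WEB$' "$conf" 2>/dev/null; then
        return 0
    fi
    cp -p "$conf" "$conf.bak" 2>/dev/null || true
    aide_web_rules >> "$conf"
}

# aide --config-check (-D) reads the configuration and exits non-zero on a
# syntax or rule error, without touching the database or the filesystem.
check_config() {
    conf=$1
    if command -v aide >/dev/null 2>&1; then
        aide --config-check --config="$conf"
    else
        echo "aide not installed; skipped --config-check" >&2
    fi
}

# Usage: sh aide-web-rules.sh apply
if [ "${1:-}" = "apply" ]; then
    add_web_rules "$CONF" && check_config "$CONF"
fi
```

Apply it with "sh aide-web-rules.sh apply", then rebuild the baseline with aide --update and rename the database as shown above so that the newly covered paths are in the database before the next scheduled check.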

Automating the check

It is a good idea to run an AIDE check every day and send out the report. This can be automated with cron.

nano /etc/crontab

To run the AIDE check every day at 10:15, add the following line at the end of the file:

15 10 * * * root /usr/sbin/aide --check

Cron mails the output of the job to root (or to the address set in MAILTO in the crontab), so the AIDE report now arrives by e-mail. You can read the mail with the following command:

tail -f /var/mail/root

The AIDE log can be viewed with the following command:

tail -f /var/log/aide/aide.log
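The crontab line above mails the full report every day, whether or not anything changed, which is how such reports end up ignored. AIDE 0.16 encodes its result in the exit status (1 = new files, 2 = removed files, 4 = changed files, added together; anything above 7 is an error such as a configuration or I/O problem), so a small wrapper can log a one-line summary to syslog and print output, and therefore trigger cron's mail, only when something changed or the check failed. The wrapper below is an added example, not part of the original article or of AIDE; it assumes AIDE 0.16 at /usr/sbin/aide and the stock CentOS 8 aide.conf, and the script path /usr/local/sbin/aide-cron-check.sh is a hypothetical choice.

```shell
#!/bin/sh
# Added example (not from the original article or from AIDE): cron wrapper
# around "aide --check" that decodes the exit status and only prints (and so
# only causes cron mail) when the result is not clean.
# Assumptions: AIDE 0.16 at /usr/sbin/aide on CentOS 8.

# AIDE 0.16 exit status bit mask: 1 new, 2 removed, 4 changed (summed);
# values above 7 are errors (bad config, I/O error, version mismatch, ...).
decode_aide_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "clean"
        return 0
    fi
    if [ "$status" -gt 7 ]; then
        echo "error($status)"
        return 0
    fi
    out=""
    if [ $((status & 1)) -ne 0 ]; then out="${out}added,"; fi
    if [ $((status & 2)) -ne 0 ]; then out="${out}removed,"; fi
    if [ $((status & 4)) -ne 0 ]; then out="${out}changed,"; fi
    echo "${out%,}"
}

# Run the check, capture the report, and pass AIDE's own status back so cron
# (and anything reading the syslog line) can see what happened.
main() {
    status=0
    report=$(/usr/sbin/aide --check 2>&1) || status=$?
    summary=$(decode_aide_status "$status")
    logger -t aide "check finished: $summary (exit $status)"
    # Silent on a clean run: cron mails only when there is output.
    if [ "$summary" != "clean" ]; then
        echo "AIDE result on $(hostname): $summary"
        echo "$report"
    fi
    return "$status"
}

# crontab entry (hypothetical path):
#   MAILTO=root
#   15 10 * * * root /usr/local/sbin/aide-cron-check.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Keep the error branch distinct from the change branch in whatever alerting you build on top of this: an exit status above 7 means the check did not run, which is exactly the state an attacker who tampered with the database or configuration would want to look like "no news".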

Conclusion

In this article you learned how to use AIDE to detect file changes and spot unauthorized access to a server. For further configuration, edit the configuration file /etc/aide.conf. For security reasons it is recommended to keep the database and the configuration file on read-only media: an intruder with root can otherwise rewrite the baseline, the configuration or the aide binary itself and make the next check report "Looks okay". More information can be found in the AIDE documentation (AIDE Doc).


Source: www.habr.com
