Ngaphambi kokuqala kwekhosi Siye salungiselela inguqulelo yombandela obangelβ umdla.
I-AIDE imele "Imeko-bume yokuBoniwa kokuNgena okuPhambili" kwaye yenye yezona nkqubo zidumileyo zokuhlola utshintsho kwiinkqubo ezisekelwe kwi-Linux. I-AIDE isetyenziselwa ukukhusela i-malware, iintsholongwane kwaye ibone imisebenzi engagunyaziswanga. Ukuqinisekisa ukuthembeka kwefayile kunye nokubona ukungena, i-AIDE idala i-database yolwazi lwefayile kwaye ithelekisa imeko yangoku yenkqubo kunye nale database. I-AIDE inceda ukunciphisa ixesha lophando lwesiganeko ngokugxila kwiifayile ezitshintshiweyo.
Iimpawu ze-AIDE:
- Ixhasa iimpawu ezahlukeneyo zefayile, kubandakanya: uhlobo lwefayile, inode, uid, gid, iimvume, inani lamakhonkco, mtime, ctime kunye nexesha.
- Inkxaso yoxinzelelo lwe-Gzip, i-SELinux, i-XAttrs, i-Posix ACL kunye neempawu zenkqubo yefayile.
- Ixhasa ii-algorithms ezahlukeneyo kubandakanya md5, sha1, sha256, sha512, rmd160, crc32, njl.
- Ukuthumela izaziso nge-imeyile.
Kweli nqaku, siza kujonga indlela yokufaka kunye nokusebenzisa i-AIDE ekubhaqweni kokungena kwi-CentOS 8.
Izinto ezifunekayo kuqala
- Umncedisi oqhuba i-CentOS 8, ubuncinane kunye ne-2 GB ye-RAM.
- ukufikelela kweengcambu
Qala
Kucetyiswa ukuhlaziya inkqubo kuqala. Ukwenza oku, sebenzisa lo myalelo ulandelayo.
dnf update -yEmva kokuhlaziya, qala kwakhona inkqubo yakho ukuze utshintsho lusebenze.
Kufakelwa i-AIDE
I-AIDE iyafumaneka kwindawo yokugcina ye-CentOS 8. Ungayifaka ngokulula ngokusebenzisa lo myalelo ulandelayo:
dnf install aide -yNje ukuba ufakelo lugqityiwe, unokujonga inguqulelo ye-AIDE usebenzisa lo myalelo ulandelayo:
aide --versionKuya kufuneka ubone oku kulandelayo:
Aide 0.16
Compiled with the following options:
WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"
Iinketho ezikhoyo aide inokujongwa ngolu hlobo lulandelayo:
aide --help
Ukudala kunye nokuqaliswa kwesiseko sedatha
Into yokuqala ekufuneka uyenzile emva kokufaka i-AIDE kukuyiqala. Ukuqaliswa kubandakanya ukudala idatabase (umfanekiso okhawulezayo) wazo zonke iifayile kunye nabalawuli kumncedisi.
Ukuqalisa isiseko sedatha, sebenzisa lo myalelo ulandelayo:
aide --initKuya kufuneka ubone oku kulandelayo:
Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz
Number of entries: 49472
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new.gz
MD5 : 4N79P7hPE2uxJJ1o7na9sA==
SHA1 : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
RMD160 : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
TIGER : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
SHA256 : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
xWXT2iaEHgQ=
SHA512 : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
nDw6lgDNI/ls2esijukliQ==
End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)
Lo myalelo ungentla uza kwenza isiseko sedatha esitsha aide.db.new.gz kwikhathalogu /var/lib/aide. Inokubonwa kusetyenziswa lo myalelo ulandelayo:
ls -l /var/lib/aideIsiphumo:
total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz
I-AIDE ayizukusebenzisa le fayile yedatha entsha de ithiywe igama elitsha aide.db.gz. Oku kunokwenziwa ngolu hlobo lulandelayo:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gzKucetyiswa ukuba uhlaziye le database ngamaxesha athile ukuqinisekisa ukuba utshintsho lubekwe esweni ngokufanelekileyo.
Ungatshintsha indawo yesiseko sedatha ngokutshintsha iparameter DBDIR kwifayile /etc/aide.conf.
Ukuqhuba iskena
I-AIDE ngoku ikulungele ukusebenzisa i-database entsha. Qhuba utsheki lokuqala lwe-AIDE ngaphandle kokwenza naluphi na utshintsho:
aide --checkLo myalelo uya kuthatha ixesha ukugqiba ngokuxhomekeke kubungakanani benkqubo yakho yefayile kunye nesixa se-RAM kumncedisi wakho. Nje ukuba iskena sigqityiwe kufuneka ubone oku kulandelayo:
Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!Le mveliso ingasentla ithi zonke iifayile kunye nabalawuli bahambelana nedatha ye-AIDE.
Uvavanyo lwe-AIDE
Ngokungagqibekanga, i-AIDE ayilandeleli ulawulo lweengcambu ze-Apache /var/www/html. Masiqwalasele i-AIDE ukuyijonga. Ukwenza oku kufuneka utshintshe ifayile /etc/aide.conf.
nano /etc/aide.conf
Yongeza umgca ongentla "/root/CONTENT_EX" okulandelayo:
/var/www/html/ CONTENT_EX
Emva koko, yenza ifayile aide.txt kwikhathalogu /var/www/html/usebenzisa lo myalelo ulandelayo:
echo "Test AIDE" > /var/www/html/aide.txtNgoku sebenzisa itshekhi ye-AIDE kwaye uqinisekise ukuba ifayile eyenziweyo ifunyenwe.
aide --checkKuya kufuneka ubone oku kulandelayo:
Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 49475
Added entries: 1
Removed entries: 0
Changed entries: 0
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /var/www/html/aide.txt
Siyabona ukuba ifayile eyenziweyo ifunyenwe aide.txt.
Emva kokuhlalutya utshintsho olufunyenweyo, hlaziya i-database ye-AIDE.
aide --updateEmva kohlaziyo uya kubona oku kulandelayo:
Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz
Summary:
Total number of entries: 49475
Added entries: 1
Removed entries: 0
Changed entries: 0
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /var/www/html/aide.txt
Lo myalelo ungentla uza kwenza isiseko sedatha esitsha aide.db.new.gz kwikhathalogu
/var/lib/aide/Ungayibona ngalo myalelo ulandelayo:
ls -l /var/lib/aide/Isiphumo:
total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gzNgoku yithiya ngokutsha isiseko sedatha kwakhona ukuze i-AIDE isebenzise isiseko sedatha entsha ukulandelela utshintsho olongezelelweyo. Ungayiqamba ngokutsha ngolu hlobo lulandelayo:
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gzYenza itshekhi kwakhona ukuqinisekisa ukuba i-AIDE isebenzisa isiseko sedatha entsha:
aide --checkKuya kufuneka ubone oku kulandelayo:
Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!Sitshintsha itshekhi
Licebo elilungileyo ukuqhuba i AIDE itshekhi yonke imihla kwaye uthumele ingxelo. Le nkqubo inokwenziwa ngokuzenzekelayo usebenzisa i-cron.
nano /etc/crontabUkujonga i-AIDE yonke imihla ngo-10:15, yongeza umgca olandelayo ekupheleni kwefayile:
15 10 * * * root /usr/sbin/aide --checkI-AIDE ngoku iya kukwazisa ngeposi. Ungayijonga imeyile yakho ngalo myalelo ulandelayo:
tail -f /var/mail/rootIlog ye-AIDE inokujongwa ngokusebenzisa lo myalelo ulandelayo:
tail -f /var/log/aide/aide.logisiphelo
Kweli nqaku, ufunde indlela yokusebenzisa i-AIDE ukubona utshintsho lwefayile kunye nokuchonga ukufikelela kweseva okungagunyaziswanga. Ngeseto ezongezelelweyo, ungahlela /etc/aide.conf ifayile yoqwalaselo. Ngenxa yezizathu zokhuseleko, kuyacetyiswa ukuba ugcine idatabase kunye nefayile yoqwalaselo kwimidiya yokufunda kuphela. Ulwazi oluninzi lunokufumaneka kumaxwebhu .
umthombo: www.habr.com