How to monitor changes in Linux files

2025-01-19 Update. From: SLTechnology News&Howtos (shulou), Servers

Shulou(Shulou.com)06/01 Report--

This article introduces how to monitor Linux file changes. It has some reference value, and interested readers can follow along; I hope you learn something from it. Let the editor walk you through it.

Overview

On a *nix system everything is a file, so changes to system files usually reflect a change to the system itself: an application update, operational activity (which can be established through the security audit trail), or a compromise. In the author's years of operations experience, one of the clearest signs of a compromised system is a change to system files, including but not limited to:

/bin (basic tools replaced by malicious Trojans, such as netstat, ps, etc.)

/sbin (basic tools replaced by malicious Trojans, such as sshd, lsof, ss, etc.)

/usr/bin (basic tools replaced by malicious Trojans, such as sshd, lsof, ss, etc.)

/usr/sbin (basic tools replaced by malicious Trojans, such as sshd, lsof, ss, etc.)

/etc/init.d (boot tasks modified; malicious script added to run at boot)

/etc/

/etc/cron.d (scheduled tasks modified; malicious scripts added for periodic execution)

/etc/crontab (scheduled tasks modified; malicious scripts added for periodic execution)

~/.ssh/ directory (injected public key)

/etc/sysconfig (iptables configuration and similar modified to open up network restrictions)

/etc/ssh/ (ssh configuration modified)

Web directory (website modified)

Files in these directories are replaced, or illegitimate files are added.

Strengthening the monitoring of these directories and files can, to a degree, prevent the system from being compromised and catch problems that would otherwise go unnoticed.

find -mtime: directory file changes

The simplest and most common way to monitor system changes is the find command, where -mtime selects files modified within a given number of days.

For example, to list files under /usr/bin that have changed within the last day:

find /usr/bin -mtime -1

To see the details of these files, pass them to xargs or use -exec so that ls -al lists each changed file, for example:

find /var -type f -mtime -1 -exec ls -al {} \;
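The find checks above, wrapped in reusable functions and exercised on a constructed temp tree so they can be verified without scanning real system paths. This is an added example, not code from the original article; the -newer variant goes slightly beyond the article by using a reference file for "what changed since the last audit" at second resolution.

```shell
#!/bin/sh
# Added example, not from the original article: wrap the find -mtime check in
# reusable functions and exercise them on a constructed temp directory, so the
# behaviour can be verified without scanning real system paths.

# recent_files DIR [DAYS]: regular files under DIR modified less than DAYS
# days ago (default 1), listed with ls -al as the article does.
# -type f matters: a directory's own mtime changes whenever an entry is added
# or removed, which would otherwise flood the output with directories.
recent_files() {
    find "$1" -type f -mtime "-${2:-1}" -exec ls -al {} \;
}

# changed_since DIR REF: regular files under DIR whose mtime is newer than the
# file REF. Touch REF after each audit to get "what changed since last time"
# at second resolution, which -mtime's whole-day granularity cannot give.
changed_since() {
    find "$1" -type f -newer "$2"
}

# demo_recent: one backdated file and one fresh file in a temp tree;
# returns the names find -mtime -1 reports (expected: only new_tool).
demo_recent() {
    tmp=$(mktemp -d)
    printf 'old\n' > "$tmp/old_tool"
    touch -t 200001010000 "$tmp/old_tool"   # backdate to 2000-01-01 00:00
    printf 'new\n' > "$tmp/new_tool"         # mtime = now
    find "$tmp" -type f -mtime -1 | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

# demo_since: same tree plus a reference marker dated 2010; returns the names
# changed_since reports (expected: only new_tool).
demo_since() {
    tmp=$(mktemp -d)
    printf 'old\n' > "$tmp/old_tool"
    touch -t 200001010000 "$tmp/old_tool"
    touch -t 201001010000 "$tmp/.last_audit"
    printf 'new\n' > "$tmp/new_tool"
    changed_since "$tmp" "$tmp/.last_audit" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}
```

On a live host, `recent_files /usr/bin` reproduces the article's check; `changed_since /usr/bin /var/lib/last_audit` (after `touch`-ing that marker at the end of each audit) avoids the blind spot where a change made 23 hours ago and one made a minute ago both count as "today". Note that mtime is set by the writer and can be reset with touch, so this is a quick first look rather than proof of integrity.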

RPM monitors changes in system files

RPM is the package format of Red Hat-style Linux, and you are probably familiar with installing applications with rpm. RPM also keeps a database of installed packages and offers package verification, which can be used to detect changes to files since the original installation. The basic verification command is rpm -V. For example, to verify the nginx package, run rpm -V nginx:

Each of the leading positions in the command's output is one verified attribute: a dot means the attribute is unchanged, any other character means it differs from the package database. If the file has been deleted, the output reads "missing ...". The meaning of each attribute position is as follows:

The result shows that the size, MD5 hash and modification time of the default.conf file in the nginx package have all changed.

Note: the column between the attribute flags and the path in the figure above is a file-type letter; c means the file is a configuration file. The other letters are: d (%doc) documentation file; g (%ghost) a file the package owns but does not ship, which may warrant a closer look; l (%license) license file; r (%readme) readme file.

Adding -a to -V (rpm -Va) lists every installed package file that has changed since installation, which is useful for checking package integrity and security. Pipe the result through grep to narrow it down to specific files, for example to pull out changed system files under the bin directories:
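An added example (not from the original article) of post-processing rpm -Va output: one function decodes a flag string into the attributes that changed, another keeps only entries under the bin and sbin directories the article lists and classifies them. The sample output fed to the demo is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: decode rpm -V flag strings and
# filter rpm -Va output down to the binaries the article warns about. The
# sample output below is constructed for the demo, not taken from a real host.

# Each of the nine flag positions stands for one verified attribute:
#   S size    M mode      5 digest   D device   L symlink
#   U user    G group     T mtime    P capabilities
# A dot means the attribute matches the package database.
describe_flags() {
    printf '%s' "$1" | awk '
        BEGIN { m["S"]="size"; m["M"]="mode"; m["5"]="digest"; m["D"]="device";
                m["L"]="symlink"; m["U"]="user"; m["G"]="group"; m["T"]="mtime";
                m["P"]="capabilities" }
        { out = ""
          for (i = 1; i <= length($0); i++) {
              c = substr($0, i, 1)
              if (c in m) out = out (out == "" ? "" : ",") m[c]
          }
          print out }'
}

# suspicious_changes: reads rpm -Va lines on stdin; keeps only entries under
# /bin, /sbin, /usr/bin and /usr/sbin and classifies them. A changed digest or
# size on a binary means its contents differ (CONTENT); mode/owner/mtime-only
# changes are reported as META; deleted files come out as MISSING.
# Usage on a live host:  rpm -Va | suspicious_changes
suspicious_changes() {
    awk '
        $NF !~ /^\/(usr\/)?s?bin\// { next }
        $1 == "missing"             { print "MISSING " $NF; next }
        $1 ~ /[S5]/                 { print "CONTENT " $NF " [" $1 "]"; next }
                                    { print "META " $NF " [" $1 "]" }'
}

# Constructed sample: the config-file line mirrors the article's nginx case.
SAMPLE_RPM_VA='S.5....T.  c /etc/nginx/conf.d/default.conf
.......T.    /usr/lib64/libz.so.1
S.5....T.    /usr/bin/ps
SM5....T.    /usr/sbin/sshd
missing     /bin/netstat
.M.......    /usr/bin/passwd'

demo_rpm() {
    printf '%s\n' "$SAMPLE_RPM_VA" | suspicious_changes
}
```

Two caveats when reading the output: configuration files (the c column) change legitimately, so the filter above deliberately ignores /etc, and rpm -Va only sees files that belong to a package. A file dropped into a web directory or an unpackaged script under /etc/cron.d is invisible to it, which is why the article goes on to cover inotify and a hash baseline.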

inotify monitors file changes

Another common method is to use inotify to monitor file changes. inotify is an event notification mechanism built into the Linux kernel (since 2.6.13). One advantage of inotify is that, because it is driven by kernel event notifications, there is no need to poll file state periodically, which makes it simple and reliable. Another is that when a change notification arrives, the user and process involved at that moment can be recorded. inotify-based tools include inotify-tools, sersync, lsyncd and others. Here we briefly introduce inotify-tools.

inotify-tools installation

Installation is straightforward. On CentOS, for example, add the EPEL repository first and then run

yum install inotify-tools

inotify-tools usage

inotify-tools installs two tools, inotifywait and inotifywatch. inotifywait adds a watch on a file or directory and supports the file operation events, such as open, close and delete; once started it blocks and prints events as they occur. Its parameters and the corresponding event list are shown in the following figure:

For security purposes, focus on file modification and creation, that is, the modify and create events.

The inotifywatch tool collects statistics on the events that occur on the watched files.

As an example, use inotifywait to watch for changes to files under /var:

inotifywait -mre modify /var

To make the output easier to read, add some output and time format parameters:

inotifywait -mrq --timefmt '%d/%m/%y %H:%M' --format '%T %w%f' -e modify -e create /var

To count the changes on the system over 30 seconds, use inotifywatch:

inotifywatch -v -t 30 -r /proc

inotifywatch is not described further here.
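An added example (not from the original article) that builds on the inotifywait command line above: it emits events in a machine-readable format and pipes them through a filter that raises an alert whenever an event touches one of the directories the article lists at the top. The event lines in SAMPLE_EVENTS are constructed so the filter can be checked without a running inotifywait; the sensitive-directory regex and the ALERT format are my own choices.

```shell
#!/bin/sh
# Added example, not from the original article: run inotifywait with the
# article's -e modify -e create events (plus delete and attrib) in a format
# that is easy to post-process, and flag any event that touches one of the
# directories the article lists. The event lines under SAMPLE_EVENTS are
# constructed so the filter can be checked without a running inotifywait.

# Directories from the article's list, as an ERE. Paths containing spaces are
# not handled by the whitespace-field parsing below.
SENSITIVE_RE='^/(bin|sbin|usr/bin|usr/sbin|etc/init[.]d|etc/cron[.]d|etc/crontab|etc/sysconfig|etc/ssh|root/[.]ssh|home/[^/]+/[.]ssh|var/www)(/|$)'

# alert_sensitive: reads "TIME PATH EVENTS" lines on stdin (the --format used
# below) and prints "ALERT TIME EVENTS PATH" for paths matching SENSITIVE_RE.
alert_sensitive() {
    awk -v pat="$SENSITIVE_RE" 'NF >= 3 && $2 ~ pat {
        printf "ALERT %s %s %s\n", $1, $3, $2 }'
}

# watch_sensitive DIR...: live watcher. %T is the timestamp, %w%f the full
# path, %e the event names; -m keeps running, -r recurses, -q drops chatter.
watch_sensitive() {
    inotifywait -mrq --timefmt '%Y-%m-%dT%H:%M:%S' --format '%T %w%f %e' \
        -e modify -e create -e delete -e attrib "$@" | alert_sensitive
}

# Constructed event stream in the format watch_sensitive would emit.
SAMPLE_EVENTS='2016-10-27T10:01:02 /var/log/messages MODIFY
2016-10-27T10:01:05 /etc/cron.d/newjob CREATE
2016-10-27T10:01:07 /usr/bin/ps MODIFY
2016-10-27T10:01:09 /root/.ssh/authorized_keys MODIFY
2016-10-27T10:01:11 /var/tmp/scratch CREATE'

demo_inotify() {
    printf '%s\n' "$SAMPLE_EVENTS" | alert_sensitive
}
```

Run it as `watch_sensitive /etc /usr/bin /usr/sbin /root/.ssh /var/www` and send the ALERT lines to syslog or a log shipper. Recursive watches on large trees consume one inotify watch per directory, so raise the fs.inotify.max_user_watches sysctl if inotifywait reports that it ran out. Also keep in mind that an inotify event carries only the path and event type; tying a change to the user or process that made it needs an audit source such as auditd alongside.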

Self-built script for file MD5 monitoring

Another method is to compute MD5 hashes for a specific directory (such as the web directory) up front, recompute them at fixed intervals and compare; a mismatching hash indicates the file has been tampered with. The author previously wrote a Perl script on this principle, MD5Check (github: bollwarm/MD5Check), which can be used directly or as a reference.

Installing MD5Check is simple: clone the repository and run it directly under Perl (it depends on Digest::MD5), or install it with cpanm:

cpanm MD5Check

Usage:

Run perl bin/init.pl <web directory> (pick your own directory) to initialize the MD5 values.

Then run perl bin/check.pl <saved md5 file> to check the files against the MD5 hashes saved in the previous step.

For more examples, see init.pl and check.pl in the bin directory.

After installing with cpanm, you can also run the checks directly as Perl one-liners:

Initialize:

perl -MMD5Check -e 'init("/web")' > file

Check:

perl -MMD5Check -e 'print md5check("file")'

Example: take a WordPress site. Initialize:

perl init.pl /web > webmd5.20161027

Check:

perl check.pl webmd5.20161027
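The same init/check workflow as an added example in plain shell, not the MD5Check project's code: md5_init writes a baseline of md5sum lines, md5_check recomputes and diffs it. It goes slightly beyond a plain hash comparison by also reporting files added or removed since the baseline, which a saved hash list cannot reveal on its own. It assumes file paths without spaces or newlines; the demo tree and its file contents are constructed.

```shell
#!/bin/sh
# Added example, not the MD5Check project's code: the same init/check workflow
# the article describes, done with coreutils md5sum and awk. It also reports
# files added or removed since the baseline, which a list of saved hashes
# cannot reveal on its own. Assumes paths without spaces or newlines.

# md5_init DIR: print "hash  path" for every regular file under DIR, sorted by
# path. Redirect this to a baseline file and keep that file outside the
# monitored tree (ideally off the host) so it cannot be edited along with the
# content it protects.
md5_init() {
    find "$1" -type f -exec md5sum {} + | sort -k2
}

# md5_check DIR BASELINE: recompute hashes for DIR and print one line per
# difference: CHANGED (hash differs), ADDED (not in baseline), MISSING (in
# baseline, gone now). No output means the tree matches the baseline.
md5_check() {
    cur=$(mktemp)
    md5_init "$1" > "$cur"
    awk '
        FILENAME == ARGV[1] { seen[$2] = $1; next }      # load baseline
        {
            if (!($2 in seen))        print "ADDED " $2
            else if (seen[$2] != $1)  print "CHANGED " $2
            delete seen[$2]
        }
        END { for (p in seen) print "MISSING " p }
    ' "$2" "$cur"
    rm -f "$cur"
}

# demo_md5: constructed web tree; tamper with one file, delete one, add one,
# and return the sorted findings with the temp path stripped
# (expected lines: ADDED c / CHANGED a / MISSING b).
demo_md5() {
    tmp=$(mktemp -d); base=$(mktemp)
    printf '<?php echo 1;\n' > "$tmp/a"
    printf 'static\n'        > "$tmp/b"
    md5_init "$tmp" > "$base"                 # baseline, like webmd5.20161027
    printf '<?php echo 2;\n' > "$tmp/a"       # modified after baseline
    rm "$tmp/b"                               # removed after baseline
    printf 'new\n'           > "$tmp/c"       # added after baseline
    md5_check "$tmp" "$base" | sed "s|$tmp/||" | sort
    rm -rf "$tmp" "$base"
}
```

For the article's scenario: `md5_init /web > webmd5.20161027` once, then `md5_check /web webmd5.20161027` from cron and alert on any output. If you only care about changed and missing files, `md5sum -c webmd5.20161027` gives the same answer with no script at all, but it says nothing about new files, and a dropped web shell is precisely a new file.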
