
How to use AIDE in Linux to monitor the integrity of files

2025-01-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Brief introduction

AIDE (Advanced Intrusion Detection Environment) is a file integrity checker and intrusion detection tool.

Characteristics

Its main purpose is to check the integrity of files and to audit which files on the machine have been changed. AIDE builds its database from the regular-expression rules found in the /etc/aide.conf configuration file. Once the database has been initialized, it can be used to verify file integrity and to check for inconsistencies in all the usual file attributes. AIDE can read older or newer versions of the database. The database can store a variety of file attributes, including permissions, inode number, user, group, file size, last modification time (mtime), creation time (ctime), last access time (atime), growing size, and number of links. AIDE can also use the following algorithms to compute a checksum or hash for each file: sha1, md5, rmd160, tiger. The database should not hold information about files that change frequently, such as log files, mail, the /proc file system, user directories, and temporary directories.

Background

When an intruder gets into your system and plants a Trojan, he will usually find a way to hide it (apart from the Trojan's own hiding features, he will try to put obstacles in the way of any check of the system). Typically the intruder modifies some files: for example, the administrator usually runs ps aux to view the system processes, so the intruder is likely to replace the ps program on your system with his own modified ps, and the running Trojan process can then no longer be found with the ps command. If the intruder finds that the administrator runs crontab jobs, the crontab program may be replaced as well, and so on. So it is clearly necessary to check the system files or other key files. At present there are two tools for system integrity checking: Tripwire and AIDE. The former is commercial software, the latter a free but powerful tool.

Procedure

Install:

[root@CentOS7 ~]# yum -y install aide

Modify the configuration file:

/etc/aide.conf

Default paths:

/etc/aide.conf   default configuration file
/usr/sbin/aide   default binary executable
/var/lib/aide    default database directory
/var/log/aide    default log directory

Initialize the default AIDE database:

`which aide` --init

After init has run, a database file named "aide.db.new.gz" is generated under the default database path /var/lib/aide; the attributes selected by the rules defined in /etc/aide.conf are written into this database file.

Generate the check database (it is recommended that a copy of the initialized database be stored in a safe place):

mv /var/lib/aide/aide.db{.new,}.gz

Because aide by default reads the database file aide.db.gz and compares it against the file system using the rules defined in /etc/aide.conf, the initialized database file has to be renamed before a check can run.

Check:

`which aide` --check

Update the database:

`which aide` --update

The file database needs to be updated after detection; otherwise the next check will still compare the file system against the old database. The new database file also has to be renamed, as above.

AIDE default rule attributes

p: permissions
i: inode
n: number of links
u: user
g: group
s: size
b: block count
m: mtime
a: atime
c: ctime
S: check for growing size
acl: Access Control Lists
selinux: SELinux security context
xattrs: extended file attributes
md5: md5 checksum
sha1: sha1 checksum
sha256: sha256 checksum
sha512: sha512 checksum
rmd160: rmd160 checksum
tiger: tiger checksum
haval: haval checksum (MHASH only)
gost: gost checksum (MHASH only)
crc32: crc32 checksum (MHASH only)
whirlpool: whirlpool checksum (MHASH only)

AIDE rule definition and use

Rule definition format: rule name = specific rule
Example: TEST = a+m+c

Rule use format: file/directory rule name
Example: /dir1 TEST

Note: if the file or directory is preceded by "!", it is excluded from detection.

AIDE rule validation

The following rules are defined in the /etc/aide.conf file, where the /dir1 directory is initially empty.

TEST = a+c+m
/dir1 TEST

Test 1:

Create a new file file1 in this directory and write "hello aide" into it.

[root@CentOS7 ~]# aide --check
AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

[root@CentOS7 ~]# echo "hello aide" > /dir1/file1
[root@CentOS7 ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem
Start timestamp: 2019-11-10 19:12:57

Summary:
  Total number of files:  3
  Added files:            1
  Removed files:          0
  Changed files:          1

---------------------------------------------------
Added files:
---------------------------------------------------

added: /dir1/file1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /dir1

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /dir1
  Mtime    : 2019-11-10 19:12:00              , 2019-11-10 19:12:55
  Ctime    : 2019-11-10 19:12:00              , 2019-11-10 19:12:55

The output shows that file1 was added in the /dir1 directory and that the Ctime and Mtime attributes of the /dir1 directory were modified.

Test 2:

Modify the content of /dir1/file1 from "hello aide" to "hello world".

[root@CentOS7 ~]# sed -i '/hello/c hello world' /dir1/file1
[root@CentOS7 ~]# cat /dir1/file1
hello world
[root@CentOS7 ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem
Start timestamp: 2019-11-10 19:14:34

Summary:
  Total number of files:  3
  Added files:            1
  Removed files:          0
  Changed files:          1

---------------------------------------------------
Added files:
---------------------------------------------------

added: /dir1/file1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /dir1

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /dir1
  Atime    : 2019-11-10 19:12:02              , 2019-11-10 19:12:57
  Mtime    : 2019-11-10 19:12:00              , 2019-11-10 19:14:31
  Ctime    : 2019-11-10 19:12:00              , 2019-11-10 19:14:31

This time the Atime, Mtime and Ctime of the /dir1 directory have all been modified. file1 is still reported as added rather than changed because the database has not been updated since Test 1.
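The check/update procedure above produces a text report like the two shown in Test 1 and Test 2; when aide --check runs from cron, something has to turn that report into an alert decision. The following shell script is an added example, not part of the original article or of AIDE itself: it parses the Summary counters and the added:/removed:/changed: lines of a 0.15-style report read from stdin, using constructed sample reports so it runs offline without aide installed.

```shell
#!/bin/sh
# Added example, not from the original article: turn an `aide --check` report
# (the 0.15-style text shown above) into something a cron job can alert on.
# The report is read from stdin; aide itself is not executed, so this runs
# offline against constructed sample reports.

# Print "ADDED REMOVED CHANGED" taken from the Summary block.
aide_report_counts() {
    awk '
        /^[ \t]*Added files:/            { a = $NF }
        /^[ \t]*Removed files:/          { r = $NF }
        /^[ \t]*Changed files:/          { c = $NF }
        /All files match AIDE database/  { a = 0; r = 0; c = 0 }
        END { printf "%d %d %d\n", a, r, c }
    '
}

# List the affected paths (added:/removed:/changed: lines) for the alert body.
aide_report_paths() {
    grep -E '^(added|removed|changed): ' || true
}

# Exit 0 when the report shows no differences, 1 otherwise.
aide_report_is_clean() {
    set -- $(aide_report_counts)
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ] && [ "$3" -eq 0 ]
}

# Constructed samples modelled on the Test 1 output in the article.
SAMPLE_REPORT='AIDE 0.15.1 found differences between database and filesystem
Start timestamp: 2019-11-10 19:12:57

Summary:
  Total number of files:  3
  Added files:            1
  Removed files:          0
  Changed files:          1

added: /dir1/file1
changed: /dir1'

CLEAN_REPORT='AIDE, version 0.15.1

### All files match AIDE database. Looks okay!'

# Demo: decide whether to raise an alert for the sample report.
if printf '%s\n' "$SAMPLE_REPORT" | aide_report_is_clean; then
    echo "no changes"
else
    echo "ALERT: $(printf '%s\n' "$SAMPLE_REPORT" | aide_report_counts)"   # ALERT: 1 0 1
    printf '%s\n' "$SAMPLE_REPORT" | aide_report_paths
fi
```

Since AIDE 0.15 the exit status of aide --check also encodes the result as a bitmask (1 added, 2 removed, 4 changed), so a cron wrapper can branch on the exit code as well as on the parsed text.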


© 2024 shulou.com SLNews company. All rights reserved.
