
Monitor changes in the file system

2025-03-29 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

First install the AIDE file integrity monitoring tool:

yum install aide -y

The configuration file is /etc/aide.conf. The numbers in front of each line below are the line numbers in that file as shipped on CentOS/RHEL 7.

3 @@define DBDIR /var/lib/aide
4 @@define LOGDIR /var/log/aide
The two lines above define variables that are referenced later in the file.

7 database=file:@@{DBDIR}/aide.db.gz
The baseline database that aide --check reads. It is stored gzip-compressed in /var/lib/aide.

12 database_out=file:@@{DBDIR}/aide.db.new.gz
Where aide --init writes a newly generated database. Note that the output file name differs from the one in line 7; this matters when you run the check later.

15 gzip_dbout=yes
Compress the database output with gzip; the default is yes.

18 verbose=5
The report verbosity level (0-255), with 5 as the default. This is not a retention count; it controls how much detail AIDE prints, not how many copies are kept.

20 report_url=file:@@{LOGDIR}/aide.log
Where the check report is written. More than one report_url line may be given, for example a second one pointing at stdout.

The following lines define which directories or files are monitored:

88 /boot NORMAL
89 /bin NORMAL
90 /sbin NORMAL
91 /lib NORMAL
92 /lib64 NORMAL
93 /opt NORMAL
94 /usr NORMAL
95 /root NORMAL

The meaning of NORMAL is defined earlier in the same configuration file:

68 NORMAL = R+rmd160+sha256

R is itself a group defined in the configuration file, together with a few other predefined groups:

54 #R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
55 #L: p+i+n+u+g+acl+selinux+xattrs
56 #E: Empty group
57 #>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs

So NORMAL checks every attribute in R plus RIPEMD-160 and SHA-256 digests of the content; the md5 in R is not the only content check you rely on.

Each of the letters in those groups is explained at the top of the configuration file:

28 #p: permissions
29 #i: inode
30 #n: number of links
31 #u: user
32 #g: group
33 #s: size
34 #b: block count
35 #m: mtime
36 #a: atime
37 #c: ctime
38 #S: check for growing size
39 #acl: Access Control Lists

These are only some of the available attributes; the configuration file lists more, including selinux, xattrs and the various hash algorithms.

In other words, as long as you write NORMAL after a path, AIDE records everything you usually want to watch for that path: permissions, file size, owner, group, timestamps, inode and content hashes.

If you do not want a path monitored, put an exclamation point (!) in front of it, for example:

96 # These are too volatile
97 !/usr/src
98 !/usr/tmp

aide --init generates the baseline database. It is written to the database_out location, /var/lib/aide/aide.db.new.gz.

aide --check compares the current file system against the baseline to detect files that were added, removed or modified, possibly maliciously. It reads the database named in the database line, /var/lib/aide/aide.db.gz, so the newly generated database must be renamed (or copied) to that name before the first check; if the file is missing, AIDE reports that it cannot read the database and stops. Because anyone with root on the host can simply regenerate the baseline, keep a copy of aide.db.gz somewhere the host cannot overwrite it (read-only media or another machine) and compare against that copy when you suspect a compromise.

The three forms a path rule can take:

/dir monitors this directory and every file and subdirectory under it
=/dir monitors only the directory entry itself, without descending into it
!/dir skips this directory entirely
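The following script is an added example and is not part of the original article or the AIDE project: it wraps the init / rename / check procedure described above into a few shell functions, emits a rule fragment that uses all three path forms, and translates the exit status of aide --check into words (AIDE sets bit 1 for added files, bit 2 for removed files and bit 4 for changed files, and uses 14 and above for errors). The paths follow the CentOS/RHEL defaults in /etc/aide.conf; the AIDE_DBDIR and AIDE_CONF environment variables and the .prev backup naming are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the original article): helpers around the AIDE
# workflow. Defaults match /etc/aide.conf on CentOS/RHEL; override with
# environment variables if your layout differs (assumption of this example).
set -u

AIDE_DBDIR="${AIDE_DBDIR:-/var/lib/aide}"
AIDE_CONF="${AIDE_CONF:-/etc/aide.conf}"

# Print a rule fragment showing the three path forms from the article:
#   /dir   recurse into the directory and everything below it
#   =/dir  the directory entry itself only, no descent
#   !/dir  skip the path entirely
# Printed to stdout so it can be reviewed before being appended to aide.conf.
emit_rules() {
    cat <<'EOF'
/boot   NORMAL
/bin    NORMAL
/sbin   NORMAL
=/home  NORMAL
!/usr/src
!/usr/tmp
EOF
}

# "aide --init" writes database_out (aide.db.new.gz) but "aide --check" reads
# database (aide.db.gz), so the fresh file must be moved into place. The old
# baseline is kept as aide.db.gz.prev (backup name chosen for this example).
promote_db() {
    local dir="${1:-$AIDE_DBDIR}"
    if [ ! -f "$dir/aide.db.new.gz" ]; then
        echo "no new database in $dir; run aide --init first" >&2
        return 1
    fi
    if [ -f "$dir/aide.db.gz" ]; then
        mv -f "$dir/aide.db.gz" "$dir/aide.db.gz.prev"
    fi
    mv "$dir/aide.db.new.gz" "$dir/aide.db.gz"
}

# Turn an "aide --check" exit status into a short description.
describe_status() {
    local rc="$1" out=""
    if [ "$rc" -eq 0 ]; then
        echo "clean"
        return 0
    fi
    if [ "$rc" -ge 14 ]; then
        echo "error($rc)"
        return 0
    fi
    [ $((rc & 1)) -ne 0 ] && out="${out}added "
    [ $((rc & 2)) -ne 0 ] && out="${out}removed "
    [ $((rc & 4)) -ne 0 ] && out="${out}changed "
    echo "${out% }"
}

# Full cycle: build the baseline, promote it, run a check and report.
# Requires root and an installed aide binary; not exercised by the tests.
run_cycle() {
    aide --config="$AIDE_CONF" --init || return 1
    promote_db "$AIDE_DBDIR" || return 1
    aide --config="$AIDE_CONF" --check
    describe_status "$?"
}

if [ "${1:-}" = "run" ]; then
    run_cycle
fi
```

Run it as `./aide-cycle.sh run` on a host where AIDE is installed; the report still lands in /var/log/aide/aide.log as configured by report_url, and the one-word summary printed by describe_status is convenient for a cron job that only needs to page when the status is not "clean".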
