2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report
Reference: http://www.iamle.com/archives/1664.html
AIDE is used much like Tripwire: it builds a database of file fingerprints (checksums plus permissions, ownership, inode, size and timestamps) and later compares the live filesystem against that baseline, reporting files that were added, removed or changed. The comparison is only as trustworthy as the baseline, so install AIDE and take the first fingerprint database as soon as the system itself has been installed, before it is exposed to the network or handed to users. Keep a copy of the baseline database (and ideally of the aide binary and its configuration) on read-only or off-host storage: an attacker who obtains root on the machine can otherwise simply regenerate the database after tampering, and the check will report nothing.
Installation and configuration
yum -y install aide
The main files are as follows:
Main program: /usr/sbin/aide
Fingerprint database: /var/lib/aide
Log: /var/log/aide
cp /etc/aide.conf /etc/aide.conf_bak
Edit /etc/aide.conf with vim; its contents are as follows:
# Example configuration file for AIDE.
# @@define sets a variable: DBDIR is the baseline database directory, LOGDIR the log directory
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# The location of the database to be read (the baseline database file).
database=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written (the updated database file).
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default.
verbose=5
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
# These are the default rules.
#
# p:         permissions
# i:         inode
# n:         number of links
# u:         user
# g:         group
# s:         size
# b:         block count
# m:         mtime
# a:         atime
# c:         ctime
# S:         check for growing size
# acl:       Access Control Lists
# selinux:   SELinux security context
# xattrs:    Extended file attributes
# md5:       md5 checksum
# sha1:      sha1 checksum
# sha256:    sha256 checksum
# sha512:    sha512 checksum
# rmd160:    rmd160 checksum
# tiger:     tiger checksum
# haval:     haval checksum (MHASH only)
# gost:      gost checksum (MHASH only)
# crc32:     crc32 checksum (MHASH only)
# whirlpool: whirlpool checksum (MHASH only)
# The following groups combine the attributes above:
# R:  p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
# L:  p+i+n+u+g+acl+selinux+xattrs
# E:  Empty group
# >:  Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
R = p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
L = p+i+n+u+g+acl+selinux+xattrs
> = p+u+g+i+n+S+acl+selinux+xattrs
# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (i.e. all changes)
EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
# Access control only
PERMS = p+i+u+g+acl+selinux
# Logfiles are special, in that they often change
LOG = >
# Just do md5 and sha256 hashes
LSPP = R+sha256
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
# The selection lines below decide which directories/files go into the database
# and which rule is applied to each of them.
/boot   NORMAL
/bin    NORMAL
/sbin   NORMAL
/lib    NORMAL
/lib64  NORMAL
/opt    NORMAL
/usr    NORMAL
/root   NORMAL
# These are too volatile.
# A leading exclamation mark excludes the path from monitoring; adjust these to your own needs.
!/usr/src
!/usr/tmp
!/usr/share
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc    PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports  NORMAL
/etc/fstab    NORMAL
/etc/passwd   NORMAL
/etc/group    NORMAL
/etc/gshadow  NORMAL
/etc/shadow   NORMAL
/etc/security/opasswd   NORMAL
/etc/hosts.allow   NORMAL
/etc/hosts.deny    NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
# Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL
/var/log   LOG
/var/run/utmp LOG
# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterday's size to zero.
!/var/log/aide.log
# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
#/var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP
/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP
/etc/hosts LSPP
/etc/sysconfig LSPP
/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP
/etc/ld.so.conf LSPP
/etc/localtime LSPP
/etc/sysctl.conf LSPP
/etc/modprobe.conf LSPP
/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP
/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP
/etc/stunnel LSPP
/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP
/etc/issue LSPP
/etc/issue.net LSPP
/etc/cups LSPP
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found    DIR
#=/home           DIR
# Ditto /var/log/sa reason...
!/var/log/and-httpd
# Admins' dot files constantly change, just check perms
/root/\..* PERMS
# initialise the baseline database
aide -c /etc/aide.conf --init
This step takes a long time. When it finishes, a file named aide.db.new.gz has been generated under /var/lib/aide.
# adopt the freshly initialised database as the baseline
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# view the check result in the terminal
aide --check
The picture below is a partial screenshot of the aide --check result after I added an account.
# if you have confirmed that the reported changes are legitimate, fold them into the baseline database
aide --update
cd /var/lib/aide/
mv aide.db.new.gz aide.db.gz   # overwrite the old database with the new one
# check for file changes and save the report to a file
aide --check --report=file:/tmp/aide-report-`date +%Y%m%d`.txt
# scheduled task: run the AIDE check every day at 08:00 and mail the report
echo '0 8 * * * /usr/sbin/aide -C -V4 | mail -s "AIDE REPORT $(date +\%Y\%m\%d)" xxx@gmail.com' >> /var/spool/cron/root
Note: a mail program (MTA) must be configured on the host first. Two details of the crontab line matter: cron turns an unescaped % in the command into a newline, so the % characters in the date format are written as \%; and appending straight to /var/spool/cron/root skips the syntax check that crontab -e performs, so run crontab -l afterwards and confirm the entry is there.
-C means the same as --check.
The level of detail in the report is set with the -V option on a scale of 0-255: -V0 is the tersest and -V255 the most detailed.
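The following POSIX shell script is an added example, not code from the original post or from the AIDE project. It mirrors in miniature both the fingerprint-and-compare model described at the start of the article and the init/check/update workflow above: fim_init records a baseline of per-file fingerprints, fim_check compares the live tree against it and reports added, removed and changed files, and the attribute list uses AIDE's own letters (p, i, n, u, g, s, m, c, S, md5, sha256), including the growing-logfile semantics of S behind the > rule. It assumes GNU coreutils (stat -c, sha256sum, md5sum) and a POSIX awk; the function names fingerprint, fim_scan, fim_init and fim_check are this example's own, and the exit status follows the bitmask documented in the aide man page (1 new files, 2 removed files, 4 changed files, OR-ed together).

```shell
#!/bin/sh
# Added example (not from the original post or the AIDE project): a miniature
# file-integrity checker built the way AIDE and Tripwire work. Assumes GNU
# coreutils (stat -c, sha256sum, md5sum) and a POSIX awk; function names are
# this example's own.
#
# Usage:  fim_init  /etc "p+i+n+u+g+s+m+c+md5+sha256" /var/lib/fim/etc.db
#         fim_check /etc "p+i+n+u+g+s+m+c+md5+sha256" /var/lib/fim/etc.db
# Keep the database outside the tree you scan, for the same reason the
# configuration above excludes /var/log/aide.log.

# fingerprint FILE ATTRS: print "attr=value" pairs for FILE in the order of the
# AIDE-style list ATTRS (e.g. "p+u+g+s+sha256"). Attributes this example does
# not implement (acl, selinux, xattrs, ...) are skipped.
fingerprint() {
    fp_file=$1
    fp_out=""
    for fp_a in $(printf '%s' "$2" | tr '+' ' '); do
        case $fp_a in
            p)      fp_v=$(stat -c %a "$fp_file") ;;  # permissions
            i)      fp_v=$(stat -c %i "$fp_file") ;;  # inode
            n)      fp_v=$(stat -c %h "$fp_file") ;;  # number of links
            u)      fp_v=$(stat -c %u "$fp_file") ;;  # owner uid
            g)      fp_v=$(stat -c %g "$fp_file") ;;  # group gid
            s|S)    fp_v=$(stat -c %s "$fp_file") ;;  # size; S = may only grow
            m)      fp_v=$(stat -c %Y "$fp_file") ;;  # mtime
            c)      fp_v=$(stat -c %Z "$fp_file") ;;  # ctime
            md5)    fp_v=$(md5sum "$fp_file" | cut -d' ' -f1) ;;
            sha256) fp_v=$(sha256sum "$fp_file" | cut -d' ' -f1) ;;
            *)      continue ;;
        esac
        fp_out="$fp_out $fp_a=$fp_v"
    done
    printf '%s\n' "${fp_out# }"
}

# fim_scan DIR ATTRS: one "path<TAB>fingerprint" line per regular file under DIR
fim_scan() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(fingerprint "$f" "$2")"
    done
}

# fim_init DIR ATTRS DB: write the baseline database (the aide --init step)
fim_init() {
    fim_scan "$1" "$2" > "$3"
}

# fim_check DIR ATTRS DB: compare the live tree with the baseline (aide --check).
# Prints added/removed/changed files and returns the bitmask the aide man page
# documents: 1 = new files, 2 = removed files, 4 = changed files, 0 = no change.
fim_check() {
    fc_new=$(mktemp)
    fim_scan "$1" "$2" > "$fc_new"
    if awk -F'\t' '
        FILENAME == ARGV[1] { old[$1] = $2; next }   # first file is the baseline
        {
            if (!($1 in old)) { print "added: " $1; a = 1; next }
            n = split(old[$1], oa, " "); split($2, na, " "); diff = ""
            for (i = 1; i <= n; i++) {
                if (oa[i] == na[i]) continue
                split(oa[i], ko, "="); split(na[i], kn, "=")
                # S (the growing-logfile rule ">") only flags a size that shrank
                if (ko[1] == "S" && kn[2] + 0 >= ko[2] + 0) continue
                diff = diff " " oa[i] " -> " na[i]
            }
            if (diff != "") { print "changed: " $1 " :" diff; c = 1 }
            delete old[$1]
        }
        END {
            for (p in old) { print "removed: " p; r = 1 }
            exit a + r * 2 + c * 4
        }
    ' "$3" "$fc_new"; then fc_rc=0; else fc_rc=$?; fi
    rm -f "$fc_new"
    return $fc_rc
}
```

After a report has been reviewed and the changes judged legitimate, the baseline is simply regenerated with fim_init, which is what aide --update followed by the mv above achieves. Unlike AIDE this toy records no acl, selinux or xattrs attributes and does nothing to protect its database, so it is for understanding the mechanism rather than for production use.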