參考:http://www.iamle.com/archives/1664.html
AIDE的用法和tripwire類似。都是通過生成一份檔案指紋的資料庫,然後對比。是以,我們最好在剛安裝完系統後,就安裝這個工具,擷取一份幹淨的檔案指紋。
安裝與配置
yum -y install aide
主要檔案如下:
主程式:/usr/sbin/aide
檔案指紋庫:/var/lib/aide
日志:/var/log/aide
cp /etc/aide.conf /etc/aide.conf_bak
vim /etc/aide.conf内容如下:
#Example configuration file for AIDE.
@@define DBDIR /var/lib/aide #基準資料庫目錄
@@define LOGDIR /var/log/aide #日志目錄
#The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz #基礎資料庫檔案
#The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz #更新資料庫檔案
#Whether to gzip the output to database
gzip_dbout=yes
#Default.
verbose=5
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOTIMPLEMENTED report_url=mailto:[email protected]
#NOTIMPLEMENTED report_url=syslog:LOG_AUTH
#These are the default rules. 下面這些這是規則說明
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160:rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
下面是參數的組合表示法
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfilep+u+g+i+n+S+acl+selinux+xattrs
R = p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
L = p+i+n+u+g+acl+selinux+xattrs
> = p+u+g+i+n+S+acl+selinux+xattrs
#You can create custom rules like this.
#With MHASH...
#ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
#Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES
#Sane, with multiple hashes
#NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256
#For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
#Access control only
PERMS = p+i+u+g+acl+selinux
#Logfile are special, in that they often change
LOG = >
#Just do md5 and sha256 hashes
LSPP = R+sha256
#Some files get updated automatically, so the inode/ctime/mtime change
#but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
#下面是配置監控哪些目錄下的檔案異動情況
#Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
#These are too volatile
!/usr/src
!/usr/tmp
!/usr/share #通過檔案路徑前面加感歎号 ! 排除這個路徑的監控,請自定義
#Check only permissions, inode, user and group for /etc, but
#cover some important files closely.
/etc PERMS
!/etc/mtab
#Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
#Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
#Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL
/var/log LOG
/var/run/utmp LOG
#This gets new/removes-old filenames daily
!/var/log/sa
#As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log
#LSPP rules...
#AIDE produces an audit record, so this becomes perpetual motion.
#/var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP
/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP
/etc/hosts LSPP
/etc/sysconfig LSPP
/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP
/etc/ld.so.conf LSPP
/etc/localtime LSPP
/etc/sysctl.conf LSPP
/etc/modprobe.conf LSPP
/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP
/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP
/etc/stunnel LSPP
/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP
/etc/issue LSPP
/etc/issue.net LSPP
/etc/cups LSPP
#With AIDE's default verbosity level of 5, these would give lots of
#warnings upon tree traversal. It might change with future version.
#=/lost\+found DIR
#=/home DIR
#Ditto /var/log/sa reason...
!/var/log/and-httpd
#Admins dot files constantly change, just check perms
/root/\..*PERMS
# 初始化監控資料庫
aide -c /etc/aide.conf --init
這步的時間較長,完成後會在/var/lib/aide下面生成一個名為:aide.db.new.gz的檔案
# 把目前初始化的資料庫作為開始的基礎資料庫
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# 在終端中檢視檢測結果
aide --check
下圖是我添加一個賬戶賬戶,執行aide --check 的結果的部分截圖。
<a href="http://s1.51cto.com/wyfs02/M00/8A/22/wKiom1goM1HTKjCQAAA-_Uw_KZ4862.png" target="_blank"></a>
# 如果确認檔案變動是正常的改動更新改動到基礎資料庫
aide --update
cd /var/lib/aide/
mv aide.db.new.gz aide.db.gz # 覆寫替換舊的資料庫
# 檢查檔案改動儲存到檔案
aide --check --report=file:/tmp/aide-report-`date +%Y%m%d`.txt
# 定時任務執行aide檢測報告和自動郵件發送aide檢測報告
echo '0 8 * * * /usr/sbin/aide -C -V4 | mail -s "AIDE REPORT $(date+%Y%m%d)" [email protected]' >> /var/spool/cron/root
注意:需要先配置好發郵件的程式。
-C參數和–check是一個意思
-V報告的詳細程度可以通過-V選項來調控,級别為0-255, -V0 最簡略,-V255 最詳細。
本文轉自 lirulei90 51CTO部落格,原文連結:http://blog.51cto.com/lee90/1872377,如需轉載請自行聯系原作者
![ACS基本配置-權限等級管理[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)