Last updated: 2016-06-14
Introduction
AIDE: Advanced Intrusion Detection Environment
Table of contents
- Install
- Using aide
Install
# CentOS 7
yum install aide
# Checking
aide -v
Aide 0.15.1

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"
Using aide
0. Edit the configuration file
# --config-check, -D
aide -D
13:syntax error: 13:Error while reading configuration: Configuration error
1. Create the DB
# --init, -i # creates the baseline DB; its location is set by "database_out"
aide -i
2. Use the newly created DB as the baseline for subsequent checks
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
3. Check
# --check, -C # the default action when aide is run without arguments
aide
4. Updating the DB afterwards
aide -i
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Configuration
Configuration file location:
# the path can be checked with "aide -v"
/etc/aide.conf
DB settings:
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide

# DB
database=file:@@{DBDIR}/aide.db.gz

# new database is written to
database_out=file:@@{DBDIR}/aide.db.new.gz

# for --compare is read
database_new=file:@@{DBDIR}/aide.db.new.gz

gzip_dbout=yes

# Log
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
What can be verified:
- Checksums = md5 # also available: crc32, md5, sha1, sha256 ...
- OwnerMode = p+u+g # permissions, user, group
- time = m # mtime
- Size = s+b # size and block
- File type = ftype
DEFAULT GROUPS
- ANF: allow new files
  new files are added to the new database, but are ignored in the report.
- ARF: allow removed files
Rules (selection lines)
CONTENT = sha256+ftype
# what not to check
!/var/www/html/tmp/
# check this path with the CONTENT rule
/var/www/html/ CONTENT
Path Selection
"/"
Every regular expression has to start with a "/". An implicit ^ is added in front of each regular expression.
"!"
Paths matching the regular expression are ignored, whether they are added or removed.
"="
If selection lines start with '=' then only that specific folder gets monitored for attributes.
Its sub-folders and files are not automatically included.
regular expression
# Regex for exactly one sub-directory
^/[^/]+/$
[^/]+ means "One or more characters except slashes".
# Regex for exactly two sub-directories
^/[^/]+/[^/]+/$
Pitfalls
/ R
=/var/log/messages$ R+a
!/var/log/messages.*
However, since the negative selection rules are checked last (the last match wins) and
.* can also match an empty string, /var/log/messages is not added to the database.
# correct form
/ R
=/var/log/messages$ R+a
!/var/log/messages\.[0-9]$
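To see why the first rule set silently drops /var/log/messages, here is a small Python model of AIDE's selection-line matching. It is an added example, not part of these notes or of AIDE itself; parse_rules, classify and demo are hypothetical helpers, and the matching order they implement is a simplification of what the manual describes.

```python
import re

def parse_rules(conf):
    """Parse AIDE-style selection lines into (kind, regex, rule) tuples.
    kind is "" (regular), "=" (equals) or "!" (negative line); group
    definitions such as "CONTENT = sha256+ftype" are skipped, and the
    implicit ^ AIDE adds in front of every regular expression is applied."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line[0] not in "/=!":
            continue
        kind = line[0] if line[0] in "=!" else ""
        parts = line[len(kind):].split(None, 1)
        rule = parts[1].strip() if len(parts) > 1 else ""
        rules.append((kind, re.compile("^" + parts[0]), rule))
    return rules

def classify(path, rules):
    """Return the rule applied to path, or None if the path is excluded.
    Simplified model (an assumption, not AIDE's own matcher): a later
    positive match replaces an earlier one, an equals line does not descend
    into sub-folders, negative lines are checked last and always win."""
    selected = None
    for kind, rx, rule in rules:
        m = rx.match(path)
        if not m:
            continue
        if kind == "!":
            return None  # negative line: excluded whatever matched before
        if kind == "=" and "/" in path[m.end():]:
            continue  # equals line: sub-folders are not included
        selected = rule
    return selected

# Constructed inputs: the broken and the corrected rule sets from the text.
BROKEN = "/ R\n=/var/log/messages$ R+a\n!/var/log/messages.*\n"
FIXED = "/ R\n=/var/log/messages$ R+a\n!/var/log/messages\\.[0-9]$\n"

def demo():
    broken, fixed = parse_rules(BROKEN), parse_rules(FIXED)
    return {
        "broken": classify("/var/log/messages", broken),    # None: .* matches ""
        "fixed": classify("/var/log/messages", fixed),      # "R+a"
        "rotated": classify("/var/log/messages.1", fixed),  # None: excluded
        "other": classify("/etc/passwd", fixed),            # "R" from "/ R"
    }
```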
My Settings
mv /etc/aide.conf /etc/aide.conf.bak
/etc/aide.conf
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
database_new=file:@@{DBDIR}/aide.db.new.gz
gzip_dbout=yes
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
CONTENT = sha256+ftype
# Path
@@define MyWeb /home/vhosts/datahunter.org/web
@@{MyWeb}/ CONTENT
!@@{MyWeb}/wp-content/cache/
!@@{MyWeb}/wp-content/uploads/
Cron Job
/etc/cron.daily/aide
It is recommended to create your own cron job instead
/root/scripts/dailycheck.sh
#!/bin/bash
aide_result=/tmp/md5_check_result.txt
admin_email="admin@example.com"   # placeholder address, replace with your own
/usr/sbin/aide > "$aide_result"
mail -s "$(hostname) website daily check" "$admin_email" < "$aide_result"
DB File format
@@begin_db
# This file was generated by Aide, version 0.15.1
# Time of generation was 2021-06-23 16:54:21
@@db_spec name lname attr perm inode sha256 ...