Article Title: Configure the Advanced Intrusion Detection tool AIDE on a Solaris server
Source: Linux channel, IT Lab China.

I. What AIDE is

AIDE (Advanced Intrusion Detection Environment) is a file integrity checker. From the files and directories listed in its configuration file, aide.conf, it builds a database of file attributes: permissions, inode number, owner, group, size, last modification time (mtime), inode change time (ctime; this is not a creation time), last access time (atime), "growing size" (for log files that may only grow), and the number of hard links. For each file it can also store one or more checksums computed with md5, sha1, rmd160 or tiger. A checksum is a hash of the file's contents, not an encrypted copy of the file, and it is what lets AIDE notice a changed file even when its size and timestamps have been restored.
Once a system has been compromised, everything on it is exposed to the attacker, and if the attacker hides his traces well the intrusion is very hard to discover; the longer it goes unnoticed, the more useful information the attacker collects. The administrator should therefore build an AIDE database immediately after installation, while the system is still known to be clean (ideally before it is exposed to the network). That database is a snapshot of the system and the baseline against which every later check, and every later upgrade, is compared. It should cover at least the key system binaries, shared libraries, header files and other files that are not expected to change. (The policy can be flexible. Many terminal devices under /dev change only their permissions, so if the permission check is dropped for those entries the reports will not be flooded with alarms.)

After an intrusion the administrator normally inspects the system with ls, lsof, ps, netstat, last, who and similar tools, but a rootkit may have replaced every one of them. A modified ls or ps shows nothing about the intruder's processes or files, and may itself carry a backdoor. Nor can the administrator tell from simple file attributes whether a program has been tampered with, because date, size and similar attributes are trivial to change (with touch, for example). An integrity checking tool is needed. AIDE, the Advanced Intrusion Detection Environment, is such a tool and a form of host intrusion detection: for each important file it records attributes such as permissions, inode number, owner, group and link count, together with a cryptographic checksum of the file's contents, in a database, and later compares the live system against that database.
II. AIDE's Workflow
The AIDE workflow consists of the following steps:
(1) Write aide.conf: the rule groups and the list of files and directories to cover.
(2) Build the baseline database from aide.conf (aide --init).
(3) Run a check against the database (aide --check) to confirm integrity and look for anomalies in the file system.
(4) AIDE reports every difference it found (added, removed and changed files, with the attributes that differ).
(5) Decide for each reported difference whether it is legitimate (a patch, an upgrade, a rotated log) or a sign of intrusion.
(6) Depending on the answer, adjust aide.conf, update the database (aide --update), or take remedial security action.
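The six steps above, together with the /dev policy described in the first section, as one runnable script. This is an added example and not code from the original article or from the AIDE project; it assumes the AIDE 0.16-style directive names (database=, database_out=), an install below /usr/local as was common on Solaris, and the paths in AIDE_HOME and AIDE_DB, all of which you should adjust for your host.

```sh
#!/bin/sh
# Added example (not from the original article): the six-step AIDE cycle
# as shell functions.  Assumed: AIDE 0.16-style directives (database=,
# database_out=) and an install below /usr/local; override AIDE_HOME and
# AIDE_DB if your layout differs.
AIDE_HOME="${AIDE_HOME:-/usr/local/etc}"
AIDE_DB="${AIDE_DB:-/var/lib/aide}"
AIDE_CONF="$AIDE_HOME/aide.conf"

# Step (1): write aide.conf.  Rule groups are sums of attribute letters:
# p perms, i inode, n link count, u owner, g group, s size, m mtime,
# c ctime, S growing size; md5/sha1/rmd160/tiger add content checksums.
# Selection lines are regular expressions anchored at the start of the
# path, so "/usr/bin" covers the whole subtree; "!" excludes a subtree.
write_aide_conf() {
    conf="$1"; dbdir="$2"
    cat > "$conf" <<EOF
database=file:$dbdir/aide.db
database_out=file:$dbdir/aide.db.new
report_url=stdout

# Rule groups
Binlib = p+i+n+u+g+s+m+c+md5+sha1
Logs   = p+u+g+i+n+S
Dev    = i+n+u+g

# Binaries, shared libraries, headers and configuration: every attribute
# plus two checksums, so a restored mtime/size does not hide a swap.
/usr/bin     Binlib
/usr/sbin    Binlib
/usr/lib     Binlib
/usr/include Binlib
/etc         Binlib

# Terminals under /dev change permission at every login: leave out p so
# the report is not flooded with harmless alarms.
/dev         Dev

# Log files may grow, but must not shrink or change owner/permissions.
/var/adm     Logs
/var/log     Logs

# Pseudo and scratch file systems are never baselined.
!/proc
!/tmp
EOF
}

# Step (2): build the baseline and promote it to the reference database
# (aide --init writes to database_out, not to database).
aide_init() {
    aide --config="$AIDE_CONF" --init && mv "$AIDE_DB/aide.db.new" "$AIDE_DB/aide.db"
}

# Step (3): compare the live file system with the reference database.
# Step (4) is AIDE's own report on report_url; the exit status summarises it.
aide_check() {
    aide --config="$AIDE_CONF" --check
}

# Step (6): after a legitimate change (patch, upgrade) accept the new state.
# --update performs a check and writes the rebuilt database to database_out.
aide_update() {
    aide --config="$AIDE_CONF" --update
    st=$?
    mv "$AIDE_DB/aide.db.new" "$AIDE_DB/aide.db"
    return $st
}

# Step (5): decode the exit status of aide --check / --update.  AIDE ORs
# 1 (new files), 2 (removed files) and 4 (changed files); 14 and above are
# errors (invalid configuration, I/O error, database version mismatch, ...).
explain_aide_status() {
    st="$1"
    if [ "$st" -ge 14 ]; then
        echo "error"
        return 1
    fi
    out=""
    [ $((st & 1)) -ne 0 ] && out="${out}added,"
    [ $((st & 2)) -ne 0 ] && out="${out}removed,"
    [ $((st & 4)) -ne 0 ] && out="${out}changed,"
    [ -z "$out" ] && out="clean,"
    echo "${out%,}"
    return 0
}

# Driver: ./aide-cycle.sh init | check | update   (run as root on the host)
case "${1-}" in
    init)   write_aide_conf "$AIDE_CONF" "$AIDE_DB" && aide_init ;;
    check)  st=0; aide_check  || st=$?; explain_aide_status "$st" ;;
    update) st=0; aide_update || st=$?; explain_aide_status "$st" ;;
    *)      : ;;   # no verb: only define the functions (e.g. when sourced)
esac
```

Keep a copy of aide.conf and aide.db on read-only or offline media and compare against that copy; an attacker who can rewrite the database or the configuration can make a check pass. Run the check from cron and treat any "changed" entry under the Binlib rules that does not match a known patch as an incident, not as noise.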