Linux Ultra-practical aide (advanced intrusion detection system)

Niche Blog: http://xsboke.blog.51cto.com

Niche Q q:1770058260

-------Thank you for your reference, if you have any questions, please contact

I. Introduction of Aide

1. Role

2. Principle

3. Installation

Ii. introduction of aide Documents

Three, aide operation process

I. introduction of AIDE

1. Role

AIDE(advanced intrusion Detection Environment, high-level intrusion detection environment), mainly used to detect file integrity.

2. Principle

to generate the initial checksum (document database) for the system files, and then each time the check command is executed,aide will compare the checksum of the previous generation with the checksum of the current file, and output the report, mainly checking the class three files (modified, newly added, deleted)

3. Installation

Install aide directly using yum (yum–y installed aide)

Ii. introduction of AIDE documents

default configuration file:/etc/aide.conf

Default Document database file storage location:/var/lib/aide/

default intrusion Detection report storage location:/var/log/aide/

1./etc/aide.conf Master Profile instance,aide checks almost all directories and their files by default, here is a aide Master profile that I have removed configuration information from

# Example configuration file for AIDE. @ @define dbdir/var/lib/aide // Defining Variables Dbdir @ @define logdir/var/log/aide // Defining Variables LogDir # The location of the database is read. database=file:@@{dbdir}/aide.db.gz //aide The storage path of the file database (signature file) read when performing the check and its file name # The location of the database is written. #database_out =sql:host:port:database:login_name:passwd:table #database_out =file:aide.db.new database_out=file:@@{dbdir}/aide.db.new.gz // the storage path after the file database (signature file) is generated and its file name # Whether to gzip the output to database. Gzip_dbout=yes # Default. Verbose=5 report_url=file:@@{logdir}/aide.log // log file path report_url=stdout // The comparison results are standard output to the screen #report_url =stderr #NOT implemented Report_url=mailto:[email protected] #NOT implemented Report_url=syslog:log_auth # These is the default rules. # #p: Permissions // specifies that the letter P represents the permission #i: inode: // Specifies that the letter I represents the index node #n: Number of links // specifies that the letter n represents the number of links #u: User // specifies that the letter U represents the user #g: Group // Specify the letter G for the group #s: Size // specifies that the letter s represents the size #b: Block count // Specify the letter B to represent the number of blocks #m: Mtime // Specifies that m represents the content modification time #a: Atime // Specifies that a represents the last access time #c: CTime // Specifies that C represents a change in the properties or permissions of the file, and the time of the update #S: Check for growing size #acl: Access Control Lists #selinux SELinux Security Context #xattrs: Extended file attributes #md5: MD5 Checksum #sha1: SHA1 Checksum #sha256: sha256 Checksum #sha512: sha512 Checksum #rmd160: rmd160 Checksum #tiger: Tiger Checksum #haval: Haval checksum (Mhash only) #gost: Gost checksum (Mhash only) #crc32: CRC32 checksum (Mhash only) #whirlpool: Whirlpool Checksum (Mhash only) FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 #R: P+I+N+U+G+S+M+C+ACL+SELINUX+XATTRS+MD5 #L: P+i+n+u+g+acl+selinux+xattrs #E: Empty Group #>: Growing logfile P+u+g+i+n+s+acl+selinux+xattrs # You can create a custom rules like this. # with Mhash ... # allxtrahashes = Sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 Allxtrahashes = Sha1+rmd160+sha256+sha512+tiger # Everything but access time (Ie. All changes) everything = R+allxtrahashes # Sane, with one good hash. # NORMAL = sha256 NORMAL = sha256 /usr/local/mysql/normal // define the directory to be detected and what information is detected, normal is defined above /opt/normal !/usr/local/mysql/tttt.txt // exclamation point indicates what is not detected

Third, the general aide operation Process

1. Initialize the file database first (generate a checksum for the files that need to be monitored)

   aide  --init

at this time in the directory of the file database to produce a name: " " aide

MV Aide.db.new.gz aide.db.gz

2. Check System files

Aide--check--report=file:/tmp/aide-report-20120426.txt

--report: Specify output Check report to a file or not, check report standard output to screen

3. The file database needs to be updated after the check, otherwise the next comparison of the file database is the old file database

Aide--update

MV Aide.db.new.gz aide.db.gz

This article is from the "Niche blog" blog, please be sure to keep this source http://xsboke.blog.51cto.com/12096269/1979229

Linux Ultra-practical aide (advanced intrusion detection system)