Introduction
AIDE (Advanced Intrusion Detection Environment) is an intrusion detection tool whose main purpose is checking file integrity. AIDE builds a database of the files you specify, using aide.conf as its configuration file. The AIDE database can store a variety of file attributes, including: permissions, inode number, owning user, owning group, file size, last modification time (mtime), creation time (ctime), last access time (atime), growing size and link count. AIDE uses the following algorithms to build a checksum or hash for each file: sha256, sha512, rmd160, haval, gost, crc32 and tiger.
AIDE is a newer product intended as a replacement for the paid, commercial tripwire.
How file-system intrusion detection works:
1. While the system is in a known-healthy state, compute several kinds of fingerprint for every file on the system and store them as a baseline database.
2. Not every file needs a stored fingerprint; temporary and volatile locations are skipped (/var/log | /tmp | /var/tmp | /proc | /sys | /dev/shm ...).
3. To find out whether a file has been altered, recompute its fingerprint and compare it with the value in the baseline; any mismatch identifies a changed file.
4. Every day, send the result of the check to the administrator by e-mail or some other channel.
Installation
AIDE can be installed directly from the repository:
admin@debian ~> sudo aptitude install aide
The following NEW packages will be installed:
aide aide-common{a}
0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/836 kB of archives. After unpacking 2,416 kB will be used.
Do you want to continue? [Y/n/?]
During installation, the common configuration files are generated automatically, as shown below:
Creating config file /etc/aide/aide.conf.d/30_aide_apache2 with new version
Creating config file /etc/aide/aide.conf.d/31_aide_console-log with new version
Creating config file /etc/aide/aide.conf.d/31_aide_anacron with new version
Creating config file /etc/aide/aide.conf.d/31_aide_torrus with new version
Creating config file /etc/aide/aide.conf.d/70_aide_dev with new version
Creating config file /etc/aide/aide.conf.d/31_aide_amanda-client with new version
Creating config file /etc/aide/aide.conf.d/31_aide_privoxy with new version
Creating config file /etc/aide/aide.conf.d/31_aide_apache with new version
Creating config file /etc/aide/aide.conf.d/31_aide_fcron with new version
Creating config file /etc/aide/aide.conf.d/31_aide_x11-xkb-utils with new version
Creating config file /etc/aide/aide.conf with new version
Creating config file /etc/aide/aide.settings.d/31_aide_svn-server_settings with new version
Creating config file /etc/aide/aide.settings.d/31_aide_apt_settings with new version
Creating config file /etc/aide/aide.settings.d/31_aide_trac_settings with new version
Creating config file /etc/aide/aide.settings.d/10_aide_sourceslist with new version
Creating config file /etc/cron.daily/aide with new version
These configuration files are generated by the aide-common package, which also ships aideinit, AIDE's initialization helper, for convenience.
Configuring AIDE
AIDE's configuration file is located at /etc/aide/aide.conf.
The default configuration file:
# AIDE conf
# The daily cron job depends on these paths
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new
gzip_dbout=yes
# Set to no to disable summarize_changes option.
summarize_changes=yes
# Set to no to disable grouping of files in report.
grouped=yes
# standard verbose level
verbose = 6
# Set to yes to print the checksums in the report in hex format
report_base16 = no
# if you want to sacrifice security for speed, remove some of these
# checksums. Whirlpool is broken on sparc and sparc64 (see #429180,
# #420547, #152203).
Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger
# The checksums of the databases to be printed in the report
# Set to 'E' to disable.
database_attrs = Checksums
# check permissions, owner, group and file type
OwnerMode = p+u+g+ftype
# Check size and block count
Size = s+b
# Files that stay static
InodeData = OwnerMode+n+i+Size+l+X
StaticFile = m+c+Checksums
# Files that stay static but are copied to a ram disk on startup
# (causing different inode)
RamdiskData = InodeData-i
# Check everything
Full = InodeData+StaticFile
# Files that change their mtimes or ctimes but not their contents
VarTime = InodeData+Checksums
# Files that are recreated regularly but do not change their contents
VarInode = VarTime-i
# Files that change their contents during system operation
VarFile = OwnerMode+n+l+X
# Directories that change their contents during system operation
VarDir = OwnerMode+n+i+X
# Directories that are recreated regularly and change their contents
VarDirInode = OwnerMode+n+X
# Directories that change their mtimes or ctimes but not their contents
VarDirTime = InodeData
# Logs are special: they are continuously written to, may be compressed,
# have their file name changed in different, mutually incompatible ways
# and appear and vanish at will. Handling this is a complex and error-
# prone issue.
#
# This is best broken down in a number of small tasks:
#
#
# (A)
# While a live log is being written to, it doesn't change its mode and
# inode and its size only increases.
#
# (B)
# When a live log is rotated for the first time, it should not change
# its mode, may change its inode, and its size decreases. The size
# decrease may not be noticed by aide if the file had size x at the last
# aide run, was rotated in the mean time and was written to so that it
# had a size > x at the next aide run.
#
# (C)
# When a log is compressed, this looks to aide like the uncompressed
# file vanished (or was replaced by another file) and the compressed
# file appeared out of the blue. There is (currently) no way to
# associate the (gone) uncompressed file's contents with the (new)
# compressed file's contents
#
# (D)
# The actual log rotation may rename foo.{x}.bar to foo.{x+1}.bar without
# changing the other properties of the file
#
# (E)
# If only a given number of log generations is to be kept, foo.{y}.bar may
# vanish, but usually only when no foo.{z}.bar exists for z>y.
#
# (F)
# The set of files foo.{x}.bar to foo.{y}.bar is called a "log series"
# in aide terms, with the lowest x being called the "LoSerMember" element
# and the highest y being called the "HiSerMember" element, and the z
# with x<z<y simple called "SerMember". The Lo and Hi members need to
# be special cased in aide configuration.
#
#
# This is an example of the normal life of a log named foo in a logrotate
# configuration as it is commonly used in Debian
# (from old to new):
# 1 logrotate deletes HiSerMember foo.{y}.gz
# 2 logrotate rotates SerMember foo.{z-1}.gz to foo.{z}.gz for all
# z with 3<z<=y. This includes rotation of foo.{y-1}.gz to
# foo.{y}.gz and foo.2.gz to foo.3.gz
# 3 logrotate compresses foo.1 to foo.2.gz, creating LoSerMember foo.2.gz
# 4 logrotate rotates foo to foo.1 (a simple rename)
# 5 logrotate creates new, empty foo
# 6 foo daemon logs to foo - foo grows in size
#
# we need the following rules:
# /var/log/foo$ Log
# /var/log/foo$ FreqRotLog
# this takes care of the growing live log (step 7). The "Log" rule
# is appropriate for logs that are not rotated daily as rotation
# might be reported (if the file size has decreased since the last
# aide run). For daily rotated logs, the "FreqRotLog" may be more
# appropriate.
# /var/log/foo\.1$ LowLog
# this takes care of step 5.
# /var/log/foo\.2\.gz$ LoSerMemberLog
# this allows yet unknown new files to appear with a \.2\.gz extension,
# covering step 3.
# /var/log/foo\.[3..y-1]\.gz$ SerMemberLog
# this watches the log files as they wander through the Series,
# changing only their file name but not their contents or metadata,
# covering step 2.
# Please note that [3..y-1] needs to be a manually crafted regexp covering
# all numbers between 3 and y-1.
# /var/log/foo\.y\.gz$ HiSerMemberLog
# finally, the last element of the Series is allowed to vanish without
# being reported, covering step 1.
#
# Please note that these example rules need to be adapted to the logrotate
# configuration for the log. Compression may be disabled or lead to a different
# extension, the dateext option may be used, old logs might be held in a
# different place, a log series does not necessarily need to be compressed etc.
#
# Please note that savelog rotates the live log to .0 and not to .1, which
# is logrotate's (changeable) default.
# Logs grow in size. Log rotation of these logs will be reported, so
# this should only be used for logs that are not rotated daily.
Log = OwnerMode+n+S+X
# Logs that are frequently rotated
FreqRotLog = Log-S
# The first instance of a rotated log: After the log has stopped being
# written to, but before rotation
LowLog = Log-S
# Rotated logs change their file name but retain all their other properties
SerMemberLog = Full+I
# The first instance of a compressed, rotated log: After a LowLog was
# compressed.
LoSerMemberLog = SerMemberLog+ANF
# The last instance of a compressed, rotated log: After this name, a log
# will be removed
HiSerMemberLog = SerMemberLog+ARF
# Not-yet-compressed log created by logrotate's dateext option:
# These files appear one rotation (renamed from the live log) and are gone
# the next rotation (being compressed)
LowDELog = SerMemberLog+ANF+ARF
# Compressed log created by logrotate's dateext option: These files appear
# once and are not touched any more.
SerMemberDELog = Full+ANF
# For daemons that log to a variable file name and have the live log
# hardlinked to a static file name
LinkedLog = Log-n
根據(jù)配置文件的說明,可以將需要監(jiān)控的文件以及需要監(jiān)控的等級(jí)寫入配置文件中
比如需要對(duì)/etc目錄下的所有配置做全面的監(jiān)控革答,可以寫:
/etc Full
參考配置文件中的說明战坤,可以對(duì)log文件進(jìn)行監(jiān)控,可以使用正則表達(dá)式來精確定位文件:
/var/log/foo$ Log
在這里残拐,F(xiàn)ull 和Log都對(duì)應(yīng)規(guī)則途茫,截取配置文件中的內(nèi)容:
Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger
# check permissions, owner, group and file type
OwnerMode = p+u+g+ftype
# Check size and block count
Size = s+b
# Files that stay static
InodeData = OwnerMode+n+i+Size+l+X
StaticFile = m+c+Checksums
# Check everything
Full = InodeData+StaticFile
規(guī)則列表參考如下,參考在線手冊(cè)
# Here are all the things we can check - these are the default rules
#
#p: permissions
#ftype: file type
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#R: p+ftype+i+l+n+u+g+s+m+c+md5
#L: p+ftype+i+l+n+u+g
#E: Empty group
#>: Growing file p+ftype+l+u+g+i+n+S
#The following are available if you have mhash support enabled:
#gost: gost checksum
#whirlpool: whirlpool checksum
#The following are available and added to the default groups R, L and >
#only when explicitly enabled using configure:
#acl: access control list
#selinux: SELinux security context
#xattrs: extended file attributes
#e2fsattrs: file attributes on a second extended file system
# You can also create custom rules; a home-made rule definition looks like this:
MyRule = p+i+n+u+g+s+b+m+c+md5+sha1
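Putting the rule syntax above to work, here is an added example (written for this page, not code from the original post or from aide-common) of a local rule file of the kind Debian's /etc/aide/aide.conf.d drop-in directory is meant to hold, together with a syntax check using aide's -D (--config-check) option. The file name 99_aide_local, the rule name LocalStrict and the paths chosen are this example's own assumptions; the selection-line forms it uses are AIDE's regular ("/"), negative ("!") and equals ("=") lines.

```shell
#!/bin/sh
# Constructed example: write a local AIDE rule file and syntax-check it.
# Not part of the original page; file and rule names are this example's own.

# $1 = directory to write into (normally /etc/aide/aide.conf.d on Debian,
# whose contents update-aide.conf/aideinit merge into the generated config).
write_local_aide_rules() {
    out="$1/99_aide_local"
    cat > "$out" <<'EOF'
# Custom group: permissions, ownership, file type, inode data, mtime/ctime
# and two strong hashes. Spelled out here instead of reusing Full so the
# meaning of each letter is visible (see the rule list in aide.conf).
LocalStrict = p+u+g+ftype+i+n+s+b+m+c+sha256+sha512

# Regular selection line: every path that begins with /etc is checked
# recursively with the LocalStrict group.
/etc LocalStrict

# Negative selection lines: exclude files that legitimately change on
# every boot or package operation, so they do not drown the daily report.
# Selection lines are regular expressions, hence the escaped dots and the
# trailing $ that anchors the match to one exact path.
!/etc/mtab$
!/etc/resolv\.conf$
!/etc/ld\.so\.cache$

# Equals selection line: check the directory entry itself (ownership,
# permissions, link count) without descending into users' files.
=/home VarDir
EOF
    echo "$out"
}

# Count selection lines (regular "/", negative "!" and equals "=") in an
# AIDE config, as a quick sanity check before handing it to aide.
count_selection_lines() {
    grep -c '^[/!=]' "$1"
}

# Ask aide to parse the configuration without touching any database.
# $1 = configuration file. Skipped (exit 0) when aide is not installed,
# so the function can be exercised on a machine without AIDE.
aide_config_check() {
    if command -v aide >/dev/null 2>&1; then
        aide -D -c "$1"
    else
        echo "aide not installed; skipping --config-check of $1"
    fi
}

# Usage on a Debian host (as root):
#   f=$(write_local_aide_rules /etc/aide/aide.conf.d)
#   update-aide.conf && aide_config_check /var/lib/aide/aide.conf.autogenerated
```

The exclusions are the part that needs the most thought on a real host: every path you negate is a path an intruder can modify without a report, so keep the list short and specific (anchored regular expressions, not bare directory prefixes).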
數(shù)據(jù)庫(kù)初始化
使用aide 的-i
參數(shù)溪食,對(duì)數(shù)據(jù)庫(kù)進(jìn)行初始化:
sudo aide -c /etc/aide/aide.conf -i
admin@debian ~> sudo aide -c /etc/aide/aide.conf -i
Start timestamp: 2018-01-08 01:29:02 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new
Verbose level: 6
Number of entries: 51972
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new
RMD160 : DNBI9Ac01S2jSxe61datOzbAy0A=
TIGER : rnQ7OHB3rqryyWHf9qAIo7LmU7rmer0/
SHA256 : 3/oFTjV+IIkHpeb5JwcRpdbkot5EEWEf
U83L3ng5ZSc=
SHA512 : ZzAOSgA3l2GYXYXCUrJCAkjP+UWruyNz
6WC2HkKJT3XzjLKwVyPSLvq/+YbcymTY
HMRhJi1jsYNssiHPaKD9wQ==
CRC32 : jkFdSw==
HAVAL : uc8r8sSDbIAWzz2mGBLiBVIplZKnmd6F
mYTF2cwMf5I=
GOST : hn7RfiLqK53ufMUz7ko99L+dzQlcEsnz
s6FR76hjp1Y=
End timestamp: 2018-01-08 01:31:21 -0500 (run time: 2m 19s)
初始化后囊卜,需要將數(shù)據(jù)庫(kù)修改一下
cd /var/lib/aide/
sudo cp aide.db.new aide.db
Checking whether files have been tampered with
Use the -C option (or --check) to check whether files have been tampered with.
admin@debian /v/l/aide> sudo aide -c /etc/aide/aide.conf -C
Start timestamp: 2018-01-08 02:06:11 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
Verbose level: 6
Number of entries: 51972
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db
RMD160 : DNBI9Ac01S2jSxe61datOzbAy0A=
TIGER : rnQ7OHB3rqryyWHf9qAIo7LmU7rmer0/
SHA256 : 3/oFTjV+IIkHpeb5JwcRpdbkot5EEWEf
U83L3ng5ZSc=
SHA512 : ZzAOSgA3l2GYXYXCUrJCAkjP+UWruyNz
6WC2HkKJT3XzjLKwVyPSLvq/+YbcymTY
HMRhJi1jsYNssiHPaKD9wQ==
CRC32 : jkFdSw==
HAVAL : uc8r8sSDbIAWzz2mGBLiBVIplZKnmd6F
mYTF2cwMf5I=
GOST : hn7RfiLqK53ufMUz7ko99L+dzQlcEsnz
s6FR76hjp1Y=
End timestamp: 2018-01-08 02:08:32 -0500 (run time: 2m 21s)
The output can also be saved to a specified file, for example:
sudo aide -c /etc/aide/aide.conf -C --report=file:/tmp/aide-report-`date +%Y%m%d`.txt
The verbosity of the report is controlled with the -V option; levels range from 0 to 255, with -V0 the tersest and -V255 the most detailed.
After legitimate changes to system files, use --update to refresh the database:
# If the change is legitimate, fold it into the baseline database
aide --update -c /etc/aide/aide.conf
cd /var/lib/aide/
# Overwrite the old database
mv aide.db.new aide.db
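Tying the check, the dated report and the daily notification (step 4 of the principle in the introduction) together, here is an added example of a wrapper script, written for this page rather than taken from the original post or from Debian's /etc/cron.daily/aide. The function names and the REPORT_DIR default are this example's own choices; the exit-status meanings it decodes are the ones documented in aide(1) for AIDE 0.16 (1 = new files, 2 = removed files, 4 = changed files, combined as a bitmask; 14 and above are operational errors).

```shell
#!/bin/sh
# Constructed example: run the AIDE check, keep a dated report and turn aide's
# exit status into a one-line summary fit for a cron mail. Not from the page.

AIDE_CONF=${AIDE_CONF:-/etc/aide/aide.conf}
REPORT_DIR=${REPORT_DIR:-/var/log/aide}   # example default, not a Debian path

# Decode aide's exit status (aide(1)): 0 = no differences; 1..7 is a bitmask
# with 1 = new, 2 = removed, 4 = changed files; 14 and above signal errors
# (write error, bad argument, bad config line, I/O error, DB version mismatch).
aide_status_summary() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "clean: no differences between database and filesystem"
        return 0
    fi
    if [ "$code" -ge 14 ]; then
        echo "error: aide exited with status $code (bad config, I/O or DB version mismatch)"
        return 0
    fi
    parts=""
    [ $((code & 1)) -ne 0 ] && parts="${parts}new,"
    [ $((code & 2)) -ne 0 ] && parts="${parts}removed,"
    [ $((code & 4)) -ne 0 ] && parts="${parts}changed,"
    echo "differences: ${parts%,} files (review report before running --update)"
}

# Run the check, saving the full report under REPORT_DIR with today's date in
# the file name (same --report=file: form the page uses), then print the
# summary. Returns aide's own exit status so cron or a monitoring agent can
# alert on anything other than 0.
run_aide_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-report-$(date +%Y%m%d).txt"
    aide -c "$AIDE_CONF" -C --report="file:$report"
    code=$?
    aide_status_summary "$code"
    echo "full report: $report"
    return "$code"
}

# Example cron usage (as root), mailing the summary to the administrator:
#   run_aide_check | mail -s "AIDE $(hostname)" root
```

Keeping --update out of the automated path is deliberate: the script only reports, and the baseline is refreshed by hand (the aide --update / mv sequence above) once someone has confirmed the differences were expected.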
關(guān)于aide-common
aide-common是debian為aide方便部署而提供的一個(gè)組件司浪,其中包括了aideinit腳本,update-aide.conf自動(dòng)生成配置腳本把沼,以及在/etc/aide/aide.conf.d
中一系列常規(guī)配置文件啊易。
在使用時(shí),可以直接執(zhí)行
# aideinit -y
其會(huì)自動(dòng)在/var/lib/aide/
下生成aide.conf.autogenerated 配置文件饮睬,并生成數(shù)據(jù)庫(kù)aide.db.new與aide.db认罩。
aide.conf.autogenerated 配置文件的自動(dòng)生成依賴與/etc/aide/aide.conf.d
目錄下的文件。如果你不小心刪除了其中的文件续捂,可以重新安裝aide-common這個(gè)軟件包獲得。
在使用aideinit過程時(shí)宦搬,可能會(huì)遇到語(yǔ)法報(bào)錯(cuò)的情況牙瓢。一般可以根據(jù)輸出來定位到是aide.conf.autogenerated文件的哪一行,再對(duì)其進(jìn)行排查解決间校。