How to install and configure the AIDE host-based IDS on RHEL 8/CentOS 8
Posted: 2020-02-23 14:30:33 Source: igfitidea
AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system (HIDS) that checks file integrity. On its initial run AIDE builds a baseline database of the files it is told to monitor; on every later run it compares the live filesystem against that database and reports anything that differs.
File attributes it can check include the inode number, permissions, modification time and file content (via one or more hashes), among others.
Note that AIDE does not look for rootkits and does not analyse log files for suspicious activity. For that, use a different HIDS such as OSSEC alongside it.
Installing AIDE on RHEL 8
The aide package is available in the default RHEL 8 repositories. Install it with:
sudo yum -y install aide
To see more details about the installed package:
$ rpm -qi aide
Name        : aide
Version     : 0.16
Release     : 8.el8
Architecture: x86_64
Install Date: Wed 02 Jan 2019 10:19:13 AM EAT
Group       : Unspecified
Size        : 382492
License     : GPLv2+
Signature   : RSA/SHA256, Fri 12 Oct 2016 02:15:34 PM EAT, Key ID 199e2f91fd431d51
Source RPM  : aide-0.16-8.el8.src.rpm
Build Date  : Wed 10 Oct 2016 08:50:10 PM EAT
Build Host  : x86-vm-08.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://sourceforge.net/projects/aide
Summary     : Intrusion detection environment
Description :
AIDE (Advanced Intrusion Detection Environment) is a file integrity
checker and intrusion detection program.
Configuring AIDE on RHEL 8
The default configuration file, /etc/aide.conf, ships with fairly sensible defaults and is heavily commented.
If you want to change the rules, see:
man aide.conf
The configuration format is also documented in the AIDE manual.
Monitoring /var/log
Edit the /var/log line in /etc/aide.conf and change it from:
/var/log LOG
to:
/var/log p+u+g+i+n+acl+selinux+xattrs
The letters are AIDE attribute codes: p permissions, u owner, g group, i inode number, n link count, plus the acl, selinux and xattrs metadata groups. No size or content-hash attribute is listed, so ordinary log growth does not raise an alert, but a log file that is replaced (new inode), re-owned or made world-writable does.
Initialising the database
Make any other changes you need. When you are done, initialise the AIDE database by running:
$ sudo aide --init
Start timestamp: 2019-01-02 10:43:56 +0300 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:  36380

The attributes of the (uncompressed) database(s):

/var/lib/aide/aide.db.new.gz
  MD5      : oNfFcURzLLDyAJjlLWAM1A==
  SHA1     : k8ln2HHU9ylfP2Btvmvubt+CxDs=
  RMD160   : ln350FamsGUpt5TdLNMvDGRc18w=
  TIGER    : d3nafwSfYSC83zQTII9WpPNTo4iI0xTQ
  SHA256   : 4vybmPIwHjO0Lmp1gePwoohUx/Gi9wC9
             KTPPhvoYWNk=
  SHA512   : SjrNZ94tZGoJImhLsY6Pah/P4JwwKJ7j
             IDxOoTvflM1roQWpjtK22HCvozXPycIp
             26E/AtBZz9KY+urxFQq5NA==

End timestamp: 2019-01-02 10:44:23 +0300 (run time: 0m 27s)
When the run completes, copy the newly generated database into place as the master database that later checks will be compared against:
sudo cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Keep a copy of this database (and of /etc/aide.conf) on read-only media or on a separate host. An intruder who gains root can otherwise regenerate the baseline to cover their tracks, and a check against a tampered database proves nothing.
To validate the configuration file (-D is short for --config-check), use:
$ sudo aide -D
To check the filesystem against the baseline database, use:
$ sudo aide --check
Start timestamp: 2019-01-02 10:57:22 +0300 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:  36380
  Added entries:            0
  Removed entries:          0
  Changed entries:          1

Changed entries:

f = …    mc..C… : /var/log/lastlog

Detailed information about changes:

File: /var/log/lastlog
  Mtime    : 2019-01-02 10:16:52 +0300        | 2019-01-02 10:53:53 +0300
  Ctime    : 2019-01-02 10:16:52 +0300        | 2019-01-02 10:53:53 +0300
  SHA256   : x7kD8sPdgABF4g4Bqtg0bn1NQAEmrd0Q | BuJ2L78swglnMol2Fi/PvzdQommDhy/a
             7p818Je1NeY=                     | Zk+qg77jXYM=
  SHA512   : AVN6NJXSLJSVe3WzCl9f4hE0BrHMN/Sz | cduO7gO6MIzpnndpakge01potUDeMnn1
             WB4To8uhsa7X5YWvg3pbMoIm5571Hdd2 | lNtsoP2N2zQNPSJNEMQxhy/78JdL6N5q
             kxFERBgvE/6Yk/cSM5Vm4g==         | K8EJ9/YNV+2RGJbRgiaCxA==

The attributes of the (uncompressed) database(s):

/var/lib/aide/aide.db.gz
  MD5      : oNfFcURzLLDyAJjlLWAM1A==
  SHA1     : k8ln2HHU9ylfP2Btvmvubt+CxDs=
  RMD160   : ln350FamsGUpt5TdLNMvDGRc18w=
  TIGER    : d3nafwSfYSC83zQTII9WpPNTo4iI0xTQ
  SHA256   : 4vybmPIwHjO0Lmp1gePwoohUx/Gi9wC9
             KTPPhvoYWNk=
  SHA512   : SjrNZ94tZGoJImhLsY6Pah/P4JwwKJ7j
             IDxOoTvflM1roQWpjtK22HCvozXPycIp
             26E/AtBZz9KY+urxFQq5NA==

End timestamp: 2019-01-02 10:57:40 +0300 (run time: 0m 18s)
In this run the only difference is /var/log/lastlog, which is rewritten every time a user logs in.
If you modify a file and run the check again, the change is reported. Here the permissions of /etc/issue are changed from 0644 to 0664 and then reverted:
$ ll /etc/issue
-rw-r--r--. 1 root root 23 Oct 16 10:39 /etc/issue
$ sudo chmod 0664 /etc/issue
$ ll /etc/issue
-rw-rw-r--. 1 root root 23 Oct 16 10:39 /etc/issue
$ sudo aide --check
............................................
File: /etc/issue
  Perm     : -rw-r--r--                       | -rw-rw-r--
  Ctime    : 2016-12-30 23:45:39 +0300        | 2019-01-02 11:06:07 +0300
  ACL      : A: user::rw-                     | A: user::rw-
             A: group::r--                    | A: group::rw-
             A: other::r--                    | A: other::r--
...............................................................
# Revert the change
$ sudo chmod 0644 /etc/issue
To check the system and at the same time write a new database reflecting its current state, use --update:
$ sudo aide --update
Start timestamp: 2019-01-02 11:01:05 +0300 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:  36380
  Added entries:            0
  Removed entries:          0
  Changed entries:          1

Changed entries:

f = …    mc..C… : /var/log/lastlog

Detailed information about changes:

File: /var/log/lastlog
  Mtime    : 2019-01-02 10:16:52 +0300        | 2019-01-02 10:53:53 +0300
  Ctime    : 2019-01-02 10:16:52 +0300        | 2019-01-02 10:53:53 +0300
  SHA256   : x7kD8sPdgABF4g4Bqtg0bn1NQAEmrd0Q | BuJ2L78swglnMol2Fi/PvzdQommDhy/a
             7p818Je1NeY=                     | Zk+qg77jXYM=
  SHA512   : AVN6NJXSLJSVe3WzCl9f4hE0BrHMN/Sz | cduO7gO6MIzpnndpakge01potUDeMnn1
             WB4To8uhsa7X5YWvg3pbMoIm5571Hdd2 | lNtsoP2N2zQNPSJNEMQxhy/78JdL6N5q
             kxFERBgvE/6Yk/cSM5Vm4g==         | K8EJ9/YNV+2RGJbRgiaCxA==

The attributes of the (uncompressed) database(s):

/var/lib/aide/aide.db.gz
  MD5      : oNfFcURzLLDyAJjlLWAM1A==
  SHA1     : k8ln2HHU9ylfP2Btvmvubt+CxDs=
  RMD160   : ln350FamsGUpt5TdLNMvDGRc18w=
  TIGER    : d3nafwSfYSC83zQTII9WpPNTo4iI0xTQ
  SHA256   : 4vybmPIwHjO0Lmp1gePwoohUx/Gi9wC9
             KTPPhvoYWNk=
  SHA512   : SjrNZ94tZGoJImhLsY6Pah/P4JwwKJ7j
             IDxOoTvflM1roQWpjtK22HCvozXPycIp
             26E/AtBZz9KY+urxFQq5NA==

/var/lib/aide/aide.db.new.gz
  MD5      : QCnHueXv69soyePzxSVNHg==
  SHA1     : erpgcR9xv6CKiDGBkrZn5xdPwhk=
  RMD160   : MOPpCCAPRosIpTzu2eCGzSyfZyY=
  TIGER    : PlVr5EYqxn9uvQB7GI9/r5+SKvjiLASo
  SHA256   : dG5abCnUCW3k11uh9UFB8Xkc8sF4S17W
             6FxhCa7kXoI=
  SHA512   : HUfQd5GI1fEXSDOTsX5TWAlkwla7mG8Y
             g3rdtbtVmN2ss8ytehA8s68cT6aGvWdE
             pJf8WJ8vj7gEGKAIZkcJqw==

End timestamp: 2019-01-02 11:01:25 +0300 (run time: 0m 20s)
Note that --update writes to /var/lib/aide/aide.db.new.gz and leaves the master database untouched. Once you have reviewed the reported differences and confirmed they are expected (after patching, for example), copy aide.db.new.gz over aide.db.gz as above so the next check starts from the new baseline. Do not promote a database whose changes you cannot explain.
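The baseline database lives on the very host it is meant to protect, so an intruder with root can regenerate it and later checks stay silent. The script below is an added example, not code from the original article or from the AIDE project: it records a SHA-256 digest of the master database in a file you should mirror somewhere the host cannot write, refuses to run --check when the live database no longer matches that digest, and re-records the digest when a reviewed aide.db.new.gz is promoted. The database paths are the RHEL 8 defaults; HASH_FILE and the function names are this example's own assumptions. Run it stand-alone and it demonstrates the tamper check on throw-away files; call aide_lifecycle as root on a real host to use it for the init/promote/check cycle.

```bash
#!/bin/sh
# Added example, not from the original article: guard the AIDE baseline itself.
# An intruder with root can rewrite /var/lib/aide/aide.db.gz so that later
# checks stay quiet, so record a SHA-256 of the master database somewhere the
# host cannot modify (removable media, a central log host) and compare it
# before trusting any --check run. Database paths are the RHEL 8 defaults;
# HASH_FILE is an assumed location chosen for this example.

AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db.gz}"
AIDE_NEW_DB="${AIDE_NEW_DB:-/var/lib/aide/aide.db.new.gz}"
HASH_FILE="${HASH_FILE:-/root/aide.db.sha256}"   # assumed path; mirror it off-host

# Print only the SHA-256 hex digest of a file.
sha256_of() {
    sha256sum -- "$1" | awk '{ print $1 }'
}

# Store the digest of DB in HASHFILE.  Usage: record_baseline DB HASHFILE
record_baseline() {
    sha256_of "$1" > "$2"
}

# Compare the live digest of DB with the stored one.
# Returns 0 when they match, 1 when the database differs or no digest is stored.
verify_baseline() {
    local db="$1" hashfile="$2" expected actual
    [ -r "$hashfile" ] || return 1
    expected=$(cat "$hashfile")
    actual=$(sha256_of "$db")
    [ "$expected" = "$actual" ]
}

# After reviewing an --init or --update report, promote aide.db.new.gz to the
# master database and record its new digest.  Usage: promote_new_db NEW DB HASHFILE
promote_new_db() {
    cp -p -- "$1" "$2"
    record_baseline "$2" "$3"
}

# Real-host workflow: build the baseline, promote it, then refuse to run
# --check if the stored digest no longer matches.  Skipped unless aide is
# installed and we are root.
aide_lifecycle() {
    local rc=0
    if ! command -v aide >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "aide not installed or not running as root; skipping live run" >&2
        return 0
    fi
    aide --init
    promote_new_db "$AIDE_NEW_DB" "$AIDE_DB" "$HASH_FILE"
    if ! verify_baseline "$AIDE_DB" "$HASH_FILE"; then
        echo "baseline digest mismatch: the AIDE database may have been tampered with" >&2
        return 2
    fi
    aide --check || rc=$?      # non-zero means differences (or an error), see aide(1)
    return "$rc"
}

# Offline demonstration on throw-away files (constructed data, not a real database).
demo_on_temp_files() {
    local tmp
    tmp=$(mktemp -d)
    printf 'pretend database contents' > "$tmp/aide.db.gz"
    record_baseline "$tmp/aide.db.gz" "$tmp/aide.db.sha256"
    if verify_baseline "$tmp/aide.db.gz" "$tmp/aide.db.sha256"; then
        echo "untouched database: digest matches"
    fi
    printf 'attacker rewrote the baseline' > "$tmp/aide.db.gz"
    if ! verify_baseline "$tmp/aide.db.gz" "$tmp/aide.db.sha256"; then
        echo "tampered database: digest mismatch, do not trust --check"
    fi
    rm -rf "$tmp"
}

demo_on_temp_files
```

The digest file is only useful if the copy you compare against cannot be altered by the same attacker, so treat the on-host file as a convenience and the off-host copy as the real reference.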
Scheduling checks and email notifications
For this we use a ready-made script. Download it with wget:
sudo yum -y install wget
wget https://rfxn.com/downloads/cron.aide -O aide_cron.sh
chmod +x aide_cron.sh
Edit the file to set the email address(es), comma-separated, that should receive change reports:
email="theitroad@localhost,theitroad@localhost"
Set up the cron job
# crontab -e
00 01 * * * /path/to/cron/script
Replace /path/to/cron/script with the full path to aide_cron.sh. Read through any script downloaded from a third-party site before scheduling it from root's crontab.
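If you would rather not depend on a downloaded script, the following is an added example written for this page (not code from the original article or from rfxn.com) of a cron wrapper: it runs aide --check, decodes the exit status as documented in aide(1) for 0.16 (1 = new files, 2 = removed, 4 = changed, 14 and above = error), pulls the counts out of the report's Summary block and mails the report only when there is something to report. EMAIL and REPORT_DIR are assumed values, the sample report is constructed from the --check output shown earlier, and mail is the mailx command RHEL 8 ships. Run stand-alone it exercises the helpers on the constructed report; installed in root's crontab in place of /path/to/cron/script it does the real nightly check.

```bash
#!/bin/sh
# Added example, not from the original article or from the rfxn.com cron.aide
# script: a small cron wrapper that runs `aide --check`, interprets the exit
# status, extracts the summary counts from the report and mails the report only
# when something changed or the run failed.  EMAIL and REPORT_DIR are assumed
# values; `mail` is the mailx command shipped with RHEL 8.

EMAIL="${EMAIL:-root@localhost}"           # assumed recipient
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"  # assumed report directory

# Turn AIDE's exit status into words.  aide(1) for 0.16 documents the status as
# a bit mask: 1 = new files, 2 = removed files, 4 = changed files; 14 and above
# are errors (bad config, I/O error, database version mismatch, ...).
aide_status_message() {
    local rc="$1" msg=""
    if [ "$rc" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$rc" -ge 14 ]; then
        echo "error (exit $rc)"
        return 0
    fi
    if [ $((rc & 1)) -ne 0 ]; then msg="${msg}added "; fi
    if [ $((rc & 2)) -ne 0 ]; then msg="${msg}removed "; fi
    if [ $((rc & 4)) -ne 0 ]; then msg="${msg}changed "; fi
    echo "${msg% }"
}

# Read an AIDE report on stdin and print "ADDED REMOVED CHANGED" from its
# Summary block.  The first "Changed entries:" line carries the count; the
# later line of the same name is only a section heading, hence the exit.
parse_summary() {
    awk '
        /Added entries:/   { a = $3 }
        /Removed entries:/ { r = $3 }
        /Changed entries:/ { c = $3; exit }
        END { printf "%d %d %d\n", a, r, c }
    '
}

# Constructed sample report (shape taken from a real 0.16 --check run).
sample_report() {
    cat <<'EOF'
Start timestamp: 2019-01-02 10:57:22 +0300 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:  36380
  Added entries:            0
  Removed entries:          0
  Changed entries:          1

Changed entries:

f = ...    mc..C... : /var/log/lastlog
EOF
}

# The cron entry point.  Saves a timestamped report and mails it when the
# status is non-zero.  Returns AIDE's exit status so cron sees it too.
run_scheduled_check() {
    local rc=0 report
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).log"
    aide --check > "$report" 2>&1 || rc=$?
    if [ "$rc" -ne 0 ]; then
        {
            echo "AIDE on $(hostname): $(aide_status_message "$rc")"
            echo "Summary (added removed changed): $(parse_summary < "$report")"
            echo
            cat "$report"
        } | mail -s "AIDE report for $(hostname)" "$EMAIL"
    fi
    return "$rc"
}

# Stand-alone run: exercise the helpers on the constructed report, and only
# perform a real check when aide is installed and we are root.
echo "status 0 -> $(aide_status_message 0)"
echo "status 4 -> $(aide_status_message 4)"
echo "status 7 -> $(aide_status_message 7)"
echo "sample summary (added removed changed) -> $(sample_report | parse_summary)"
if command -v aide >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    run_scheduled_check || true
fi
```

Returning AIDE's own status from run_scheduled_check means cron's exit status carries the same information as the email, which is handy when the check is also collected by a monitoring agent.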