CentOS7下的AIDE入侵檢測配置
1、AIDE的簡單介紹
AIDE通過掃描一臺(未被篡改)的Linux服務器的文件系統來構建文件屬性數據庫,以後將服務器文件屬性與數據庫中的進行校對,然後在服務器運行時對被修改的索引了的文件發出警告。出於這個原因,AIDE必須在系統更新後或其配置文件進行合法修改後重新對受保護的文件做索引。
2、安裝並簡單配置aide
[[email protected] ~]# yum -y install aide [[email protected] ~]# vim /etc/aide.conf # 添加下列行: /molewan NORMAL [[email protected]
3、模擬在aide監管的目錄下,新添加一個文件
[[email protected] ~]# cd /molewan/ [[email protected] molewan]# cp /etc/passwd . [[email protected] molewan]# ls passwd
4、執行aide進行檢查
[[email protected] molewan]# aide --check Entry /root/.mysql_history in databases has different attributes: 20000001d 20020001d AIDE 0.15.1 found differences between database and filesystem!! Start timestamp: 2017-06-22 10:35:10 Summary: Total number of files:272614 Added files:1 Removed files:0 Changed files:3 --------------------------------------------------- Added files: --------------------------------------------------- added: /molewan/passwd --------------------------------------------------- Changed files: --------------------------------------------------- changed: /opt/gitlab/sv/logrotate/supervise/pid changed: /opt/gitlab/sv/logrotate/supervise/status changed: /root/.mysql_history --------------------------------------------------- Detailed information about changes: --------------------------------------------------- File: /opt/gitlab/sv/logrotate/supervise/pid SHA256 : 1JSst6Quw/tdtJftiGt/21jUIBRbzOcQ , NUB/zWnJypaqQW2QQcC/Mx5e1QInQn+0 File: /opt/gitlab/sv/logrotate/supervise/status SHA256 : A/GkExLS7Y1JyYVE4N7/I1pUxRH/xj1P , BKuJ49lWHu2kprL//4A+AO/lJZS7evFx File: /root/.mysql_history Perm : lrwxrwxrwx , -rw------- 說明:可以發現,新添加哪些文件,修改了哪些參數
參考資料:http://os.51cto.com/art/201411/457358.htm
本文出自 “冰凍vs西瓜” 博客,請務必保留此出處http://molewan.blog.51cto.com/287340/1940878
CentOS7下的AIDE入侵檢測配置