
AIDE 学习笔记


参考:http://www.iamle.com/archives/1664.html

AIDE的用法和tripwire类似。都是通过生成一份文件指纹的数据库,然后对比。所以,我们最好在刚安装完系统后,就安装这个工具,获取一份干净的文件指纹。

安装与配置

# Install AIDE from the distribution repositories without prompting.
yum install -y aide

主要文件如下:

主程序:/usr/sbin/aide

文件指纹库:/var/lib/aide

日志:/var/log/aide


# Keep an untouched copy of the shipped config before editing it.
# Brace expansion: /etc/aide.conf{,_bak} -> /etc/aide.conf /etc/aide.conf_bak
cp /etc/aide.conf{,_bak}

vim /etc/aide.conf,内容如下:

#Example configuration file for AIDE.

@@define DBDIR /var/lib/aide #基准数据库目录

@@define LOGDIR /var/log/aide #日志目录

#The location of the database to be read.

database=file:@@{DBDIR}/aide.db.gz #基础数据库文件

#The location of the database to be written.

#database_out=sql:host:port:database:login_name:passwd:table

#database_out=file:aide.db.new

database_out=file:@@{DBDIR}/aide.db.new.gz #更新数据库文件

#Whether to gzip the output to database

gzip_dbout=yes

#Default.

verbose=5

report_url=file:@@{LOGDIR}/aide.log

report_url=stdout

#report_url=stderr

#NOTIMPLEMENTED report_url=mailto:root@foo.com

#NOTIMPLEMENTED report_url=syslog:LOG_AUTH

#These are the default rules. 下面这些是规则说明

#

#p: permissions

#i: inode:

#n: number of links

#u: user

#g: group

#s: size

#b: block count

#m: mtime

#a: atime

#c: ctime

#S: check for growing size

#acl: Access Control Lists

#selinux SELinux security context

#xattrs: Extended file attributes

#md5: md5 checksum

#sha1: sha1 checksum

#sha256: sha256 checksum

#sha512: sha512 checksum

#rmd160:rmd160 checksum

#tiger: tiger checksum

#haval: haval checksum (MHASH only)

#gost: gost checksum (MHASH only)

#crc32: crc32 checksum (MHASH only)

#whirlpool: whirlpool checksum (MHASH only)

# 下面是参数的组合表示法

#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5

#L: p+i+n+u+g+acl+selinux+xattrs

#E: Empty group

#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs

R = p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5

L = p+i+n+u+g+acl+selinux+xattrs

> = p+u+g+i+n+S+acl+selinux+xattrs

#You can create custom rules like this.

#With MHASH...

#ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32

ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger

#Everything but access time (Ie. all changes)

EVERYTHING = R+ALLXTRAHASHES

#Sane, with multiple hashes

#NORMAL = R+rmd160+sha256+whirlpool

NORMAL = R+rmd160+sha256

#For directories, don't bother doing hashes

DIR = p+i+n+u+g+acl+selinux+xattrs

#Access control only

PERMS = p+i+u+g+acl+selinux

#Logfile are special, in that they often change

LOG = >

#Just do md5 and sha256 hashes

LSPP = R+sha256

#Some files get updated automatically, so the inode/ctime/mtime change

#but we want to know when the data inside them changes

DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger

#下面是配置监控哪些目录下的文件异动情况

#Next decide what directories/files you want in the database.

/boot NORMAL

/bin NORMAL

/sbin NORMAL

/lib NORMAL

/lib64 NORMAL

/opt NORMAL

/usr NORMAL

/root NORMAL

#These are too volatile

!/usr/src

!/usr/tmp

!/usr/share #通过文件路径前面加感叹号 ! 排除这个路径的监控,请自定义

#Check only permissions, inode, user and group for /etc, but

#cover some important files closely.

/etc PERMS

!/etc/mtab

#Ignore backup files

!/etc/.*~

/etc/exports NORMAL

/etc/fstab NORMAL

/etc/passwd NORMAL

/etc/group NORMAL

/etc/gshadow NORMAL

/etc/shadow NORMAL

/etc/security/opasswd NORMAL

/etc/hosts.allow NORMAL

/etc/hosts.deny NORMAL

/etc/sudoers NORMAL

/etc/skel NORMAL

/etc/logrotate.d NORMAL

/etc/resolv.conf DATAONLY

/etc/nscd.conf NORMAL

/etc/securetty NORMAL

#Shell/X starting files

/etc/profile NORMAL

/etc/bashrc NORMAL

/etc/bash_completion.d/ NORMAL

/etc/login.defs NORMAL

/etc/zprofile NORMAL

/etc/zshrc NORMAL

/etc/zlogin NORMAL

/etc/zlogout NORMAL

/etc/profile.d/ NORMAL

/etc/X11/ NORMAL

#Pkg manager

/etc/yum.conf NORMAL

/etc/yumex.conf NORMAL

/etc/yumex.profiles.conf NORMAL

/etc/yum/ NORMAL

/etc/yum.repos.d/ NORMAL

/var/log LOG

/var/run/utmp LOG

#This gets new/removes-old filenames daily

!/var/log/sa

#As we are checking it, we've truncated yesterdays size to zero.

!/var/log/aide.log

#LSPP rules...

#AIDE produces an audit record, so this becomes perpetual motion.

#/var/log/audit/ LSPP

/etc/audit/ LSPP

/etc/libaudit.conf LSPP

/usr/sbin/stunnel LSPP

/var/spool/at LSPP

/etc/at.allow LSPP

/etc/at.deny LSPP

/etc/cron.allow LSPP

/etc/cron.deny LSPP

/etc/cron.d/ LSPP

/etc/cron.daily/ LSPP

/etc/cron.hourly/ LSPP

/etc/cron.monthly/ LSPP

/etc/cron.weekly/ LSPP

/etc/crontab LSPP

/var/spool/cron/root LSPP

/etc/login.defs LSPP

/etc/securetty LSPP

/var/log/faillog LSPP

/var/log/lastlog LSPP

/etc/hosts LSPP

/etc/sysconfig LSPP

/etc/inittab LSPP

/etc/grub/ LSPP

/etc/rc.d LSPP

/etc/ld.so.conf LSPP

/etc/localtime LSPP

/etc/sysctl.conf LSPP

/etc/modprobe.conf LSPP

/etc/pam.d LSPP

/etc/security LSPP

/etc/aliases LSPP

/etc/postfix LSPP

/etc/ssh/sshd_config LSPP

/etc/ssh/ssh_config LSPP

/etc/stunnel LSPP

/etc/vsftpd.ftpusers LSPP

/etc/vsftpd LSPP

/etc/issue LSPP

/etc/issue.net LSPP

/etc/cups LSPP

#With AIDE's default verbosity level of 5, these would give lots of

#warnings upon tree traversal. It might change with future version.

#

#=/lost\+found DIR

#=/home DIR

#Ditto /var/log/sa reason...

!/var/log/and-httpd

#Admins dot files constantly change, just check perms

/root/\..* PERMS

# Build the initial baseline database from /etc/aide.conf.
# Every path selected in the config is walked and hashed, so this takes a
# while. The result goes to database_out (/var/lib/aide/aide.db.new.gz),
# not to the live database that later checks read.
aide --init --config=/etc/aide.conf

这步的时间较长,完成后会在/var/lib/aide下面生成一个名为:aide.db.new.gz的文件

# Promote the freshly built database to the baseline that later checks
# compare against (database= in aide.conf points at aide.db.gz).
# Brace expansion: aide.db{.new,}.gz -> aide.db.new.gz aide.db.gz
# Keep a read-only copy of this baseline off the host as well: whoever can
# rewrite aide.db.gz on the box can hide changes from every later check.
cp /var/lib/aide/aide.db{.new,}.gz

# Compare the current filesystem against the baseline and print the report
# on the terminal (report_url=stdout in aide.conf). -C is the short form
# of --check.
aide -C

下图是我添加一个账户后,执行 aide --check 的结果的部分截图。


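# Once the reported changes are confirmed to be legitimate, rebuild the
# database and promote it to the baseline.
# --update writes the new database to database_out
# (/var/lib/aide/aide.db.new.gz); the live baseline aide.db.gz is untouched
# until the mv below, so review the report before promoting.
aide --update
# The original ran cd and mv as two unchecked steps; had the cd failed, the
# mv would have acted on an aide.db.new.gz in whatever the current directory
# was. Chaining with && runs the mv only after a successful cd.
cd /var/lib/aide/ && mv -- aide.db.new.gz aide.db.gz   # replace the old baseline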

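# Run the check and write the report to a file instead of the terminal.
# $(...) replaces the backticks. The report is kept under the LOGDIR from
# aide.conf (/var/log/aide) rather than under a predictable name in the
# world-writable /tmp, where another local user could pre-create a file of
# that name or read the report.
# Note: /var/log is itself in the monitored tree (the `/var/log LOG` rule),
# so these report files will appear as added files in later checks unless
# excluded with a `!` rule, as aide.conf already does for /var/log/aide.log.
aide --check --report="file:/var/log/aide/aide-report-$(date +%Y%m%d).txt"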

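# Daily cron job (08:00): run the check and mail the report.
# Two fixes to the original line: `date+%Y%m%d` lacked the space after
# `date`, and in a crontab an unescaped % is turned into a newline (the rest
# of the line becomes the command's stdin), so each % must be written as \%.
# Appending straight to the spool file bypasses crontab(1)'s syntax check;
# `crontab -e` (or `crontab -`) is the supported way to install the entry.
echo '0 8 * * * /usr/sbin/aide -C -V4 | mail -s "AIDE REPORT $(date +\%Y\%m\%d)" xxx@gmail.com' >> /var/spool/cron/root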

注意:需要先配置好发邮件的程序。

-C 参数和 --check 是一个意思。

报告的详细程度可以通过 -V 选项来调控,级别为 0-255:-V0 最简略,-V255 最详细。



