1、aide介绍

AIDE(Adevanced Intrusion Detection Environment,高级入侵检测环境)是个入侵检测工具，主要用途是检查文本的完整性。

AIDE能够构造一个指定文档的数据库，他使用aide.conf作为其配置文档。AIDE数据库能够保存文档的各种属性，包括：权限(permission)、索引节点序号(inode number)、所属用户(user)、所属用户组(group)、文档大小、最后修改时间(mtime)、创建时间(ctime)、最后访问时间(atime)、增加的大小连同连接数。AIDE还能够使用下列算法：sha1、md5、rmd160、tiger，以密文形式建立每个文档的校验码或散列号。

常见的入侵检测软件： tripwire–操作比较复杂,aide–用以代替tripwire,比较简单.

2、aide安装配置使用

#yum rpm二进制安装

yum -y install aide

我的配置文件

mv /etc/aide.conf /etc/aide.conf.bak

vim /etc/aide.conf

# Example configuration file for AIDE.

@@define DBDIR /var/lib/aide #基准数据库目录
@@define LOGDIR /var/log/aide #日志目录

# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz #基础数据库文件

# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz #更新数据库文件

# Whether to gzip the output to database
gzip_dbout=yes

# Default.
verbose=5

report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH

# These are the default rules.
#
#p:      permissions
#i:      inode:
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#acl:           Access Control Lists
#selinux        SELinux security context
#xattrs:        Extended file attributes
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256:        sha256 checksum
#sha512:        sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum

#haval:  haval checksum (MHASH only)
#gost:   gost checksum (MHASH only)
#crc32:  crc32 checksum (MHASH only)
#whirlpool:     whirlpool checksum (MHASH only)

#R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L:             p+i+n+u+g+acl+selinux+xattrs
#E:             Empty group
#>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
R = p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
L = p+i+n+u+g+acl+selinux+xattrs
> = p+u+g+i+n+S+acl+selinux+xattrs


# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES

# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256

# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs

# Access control only
PERMS = p+i+u+g+acl+selinux

# Logfile are special, in that they often change
LOG = >

# Just do md5 and sha256 hashes
LSPP = R+sha256

# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger

# Next decide what directories/files you want in the database.

/boot   NORMAL
/bin    NORMAL
/sbin   NORMAL
/lib    NORMAL
/lib64  NORMAL
/opt    NORMAL
/usr    NORMAL
/root   NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
!/usr/share #通过文件路径前面加感叹号 ! 排除这个路径的监控,请自定义
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc    PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports  NORMAL
/etc/fstab    NORMAL
/etc/passwd   NORMAL
/etc/group    NORMAL
/etc/gshadow  NORMAL
/etc/shadow   NORMAL
/etc/security/opasswd   NORMAL

/etc/hosts.allow   NORMAL
/etc/hosts.deny    NORMAL

/etc/sudoers NORMAL
/etc/skel NORMAL

/etc/logrotate.d NORMAL

/etc/resolv.conf DATAONLY

/etc/nscd.conf NORMAL
/etc/securetty NORMAL

# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL

# Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL

/var/log   LOG
/var/run/utmp LOG

# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log

# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP

/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP

/etc/hosts LSPP
/etc/sysconfig LSPP

/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP

/etc/ld.so.conf LSPP

/etc/localtime LSPP

/etc/sysctl.conf LSPP

/etc/modprobe.conf LSPP

/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP

/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP

/etc/stunnel LSPP

/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP

/etc/issue LSPP
/etc/issue.net LSPP

/etc/cups LSPP

# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found    DIR
#=/home           DIR

# Ditto /var/log/sa reason...
!/var/log/and-httpd

# Admins dot files constantly change, just check perms
/root/\..* PERMS

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

# Example configuration file for AIDE.

@@define DBDIR /var/lib/aide #基准数据库目录

@@define LOGDIR /var/log/aide #日志目录

# The location of the database to be read.

database=file:@@{DBDIR}/aide.db.gz #基础数据库文件

# The location of the database to be written.

#database_out=sql:host:port:database:login_name:passwd:table

#database_out=file:aide.db.new

database_out=file:@@{DBDIR}/aide.db.new.gz #更新数据库文件

# Whether to gzip the output to database

gzip_dbout=yes

# Default.

verbose=5

report_url=file:@@{LOGDIR}/aide.log

report_url=stdout

#report_url=stderr

#NOT IMPLEMENTED report_url=mailto:root@foo.com

#NOT IMPLEMENTED report_url=syslog:LOG_AUTH

# These are the default rules.

#p: permissions

#i: inode:

#n: number of links

#u: user

#g: group

#s: size

#b: block count

#m: mtime

#a: atime

#c: ctime

#S: check for growing size

#acl: Access Control Lists

#selinux SELinux security context

#xattrs: Extended file attributes

#md5: md5 checksum

#sha1: sha1 checksum

#sha256: sha256 checksum

#sha512: sha512 checksum

#rmd160: rmd160 checksum

#tiger: tiger checksum

#haval: haval checksum (MHASH only)

#gost: gost checksum (MHASH only)

#crc32: crc32 checksum (MHASH only)

#whirlpool: whirlpool checksum (MHASH only)

#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5

#L: p+i+n+u+g+acl+selinux+xattrs

#E: Empty group

#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs

R = p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5

L = p+i+n+u+g+acl+selinux+xattrs

> = p+u+g+i+n+S+acl+selinux+xattrs

# You can create custom rules like this.

# With MHASH...

# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32

ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger

# Everything but access time (Ie. all changes)

EVERYTHING = R+ALLXTRAHASHES

# Sane, with multiple hashes

# NORMAL = R+rmd160+sha256+whirlpool

NORMAL = R+rmd160+sha256

# For directories, don't bother doing hashes

DIR = p+i+n+u+g+acl+selinux+xattrs

# Access control only

PERMS = p+i+u+g+acl+selinux

# Logfile are special, in that they often change

LOG = >

# Just do md5 and sha256 hashes

LSPP = R+sha256

# Some files get updated automatically, so the inode/ctime/mtime change

# but we want to know when the data inside them changes

DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger

# Next decide what directories/files you want in the database.

/boot NORMAL

/bin NORMAL

/sbin NORMAL

/lib NORMAL

/lib64 NORMAL

/opt NORMAL

/usr NORMAL

/root NORMAL

# These are too volatile

!/usr/src

!/usr/tmp

!/usr/share #通过文件路径前面加感叹号 ! 排除这个路径的监控,请自定义

# Check only permissions, inode, user and group for /etc, but

# cover some important files closely.

/etc PERMS

!/etc/mtab

# Ignore backup files

!/etc/.*~

/etc/exports NORMAL

/etc/fstab NORMAL

/etc/passwd NORMAL

/etc/group NORMAL

/etc/gshadow NORMAL

/etc/shadow NORMAL

/etc/security/opasswd NORMAL

/etc/hosts.allow NORMAL

/etc/hosts.deny NORMAL

/etc/sudoers NORMAL

/etc/skel NORMAL

/etc/logrotate.d NORMAL

/etc/resolv.conf DATAONLY

/etc/nscd.conf NORMAL

/etc/securetty NORMAL

# Shell/X starting files

/etc/profile NORMAL

/etc/bashrc NORMAL

/etc/bash_completion.d/ NORMAL

/etc/login.defs NORMAL

/etc/zprofile NORMAL

/etc/zshrc NORMAL

/etc/zlogin NORMAL

/etc/zlogout NORMAL

/etc/profile.d/ NORMAL

/etc/X11/ NORMAL

# Pkg manager

/etc/yum.conf NORMAL

/etc/yumex.conf NORMAL

/etc/yumex.profiles.conf NORMAL

/etc/yum/ NORMAL

/etc/yum.repos.d/ NORMAL

/var/log LOG

/var/run/utmp LOG

# This gets new/removes-old filenames daily

!/var/log/sa

# As we are checking it, we've truncated yesterdays size to zero.

!/var/log/aide.log

# LSPP rules...

# AIDE produces an audit record, so this becomes perpetual motion.

# /var/log/audit/ LSPP

/etc/audit/ LSPP

/etc/libaudit.conf LSPP

/usr/sbin/stunnel LSPP

/var/spool/at LSPP

/etc/at.allow LSPP

/etc/at.deny LSPP

/etc/cron.allow LSPP

/etc/cron.deny LSPP

/etc/cron.d/ LSPP

/etc/cron.daily/ LSPP

/etc/cron.hourly/ LSPP

/etc/cron.monthly/ LSPP

/etc/cron.weekly/ LSPP

/etc/crontab LSPP

/var/spool/cron/root LSPP

/etc/login.defs LSPP

/etc/securetty LSPP

/var/log/faillog LSPP

/var/log/lastlog LSPP

/etc/hosts LSPP

/etc/sysconfig LSPP

/etc/inittab LSPP

/etc/grub/ LSPP

/etc/rc.d LSPP

/etc/ld.so.conf LSPP

/etc/localtime LSPP

/etc/sysctl.conf LSPP

/etc/modprobe.conf LSPP

/etc/pam.d LSPP

/etc/security LSPP

/etc/aliases LSPP

/etc/postfix LSPP

/etc/ssh/sshd_config LSPP

/etc/ssh/ssh_config LSPP

/etc/stunnel LSPP

/etc/vsftpd.ftpusers LSPP

/etc/vsftpd LSPP

/etc/issue LSPP

/etc/issue.net LSPP

/etc/cups LSPP

# With AIDE's default verbosity level of 5, these would give lots of

# warnings upon tree traversal. It might change with future version.

#=/lost\+found DIR

#=/home DIR

# Ditto /var/log/sa reason...

!/var/log/and-httpd

# Admins dot files constantly change, just check perms

/root/\..* PERMS

#初始化监控数据库(这需要一些时间)
/usr/sbin/aide -c /etc/aide.conf --init
 
#把当前初始化的数据库作为开始的基础数据库
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
 
#如果是正常的改动 更新改动到基础数据库
aide --update
cd /var/lib/aide/
#覆盖替换旧的数据库
mv aide.db.new.gz aide.db.gz
 
#在终端中查看检测结果
aide --check
 
#检查文件改动 保存到文件
aide --check --report=file:/tmp/aide-report-`date +%Y%m%d`.txt
 
#定时任务执行aide检测报告和自动邮件发送aide检测报告(如果没有mail, yum install mail,还需要有本地邮件服务支持, yum install sendmail;/etc/init.d/sendmail start)
crontab -e
00 02 * * * /usr/sbin/aide -C -V4 | /bin/mail -s "AIDE REPORT $(date +%Y%m%d)"  root@localhost

#初始化监控数据库(这需要一些时间)

/usr/sbin/aide -c /etc/aide.conf --init

#把当前初始化的数据库作为开始的基础数据库

cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

#如果是正常的改动更新改动到基础数据库

aide --update

cd /var/lib/aide/

#覆盖替换旧的数据库

mv aide.db.new.gz aide.db.gz

#在终端中查看检测结果

aide --check

#检查文件改动保存到文件

aide --check --report=file:/tmp/aide-report-`date +%Y%m%d`.txt

#定时任务执行aide检测报告和自动邮件发送aide检测报告(如果没有mail, yum install mail,还需要有本地邮件服务支持, yum install sendmail;/etc/init.d/sendmail start)

crontab -e

00 02 * * * /usr/sbin/aide -C -V4 | /bin/mail -s "AIDE REPORT $(date +%Y%m%d)" root@localhost

-C参数和 –check是一个意思

-V 报告的详细程度可以通过-V选项来调控，级别为0-255， -V0 最简略，-V255 最详细。

[root@dev ~]# aide –help

Aide 0.14

Usage: aide [options] command

Commands:

-i, –initInitialize the database

-C, –checkCheck the database

-u, –updateCheck and update the database non-interactively

–compareCompare two databases

Miscellaneous:

-D, –config-checkTest the configuration file

-v, –versionShow version of AIDE and compilation options

-h, –helpShow this help message

Options:

-c [cfgfile]–config=[cfgfile]Get config options from [cfgfile]

-B “OPTION”–before=”OPTION”Before configuration file is read define OPTION

-A “OPTION”–after=”OPTION”After configuration file is read define OPTION

-r [reporter]–report=[reporter]Write report output to [reporter] url

-V[level]–verbose=[level]Set debug message level to [level]

4、使用中遇到的问题错误

执行 /usr/sbin/aide -c /etc/aide.conf –init 或者 aide -i 后报错

lgetfilecon_raw failed for /var/log/yum.log:No data available
lgetfilecon_raw failed for /var/log/messages.2:No data available
lgetfilecon_raw failed for /var/log/cron:No data available
lgetfilecon_raw failed for /var/log/messages.3:No data available
lgetfilecon_raw failed for /var/log/messages.1:No data available
lgetfilecon_raw failed for /var/log/sdsvrd.log:No data available
lgetfilecon_raw failed for /var/log/spooler.3:No data available
lgetfilecon_raw failed for /var/log/cron.3:No data available
lgetfilecon_raw failed for /var/log/cron.1:No data available
lgetfilecon_raw failed for /var/log/sdupdate.log:No data available
lgetfilecon_raw failed for /var/log/rsyncd.log:No data available
lgetfilecon_raw failed for /var/log/maillog.3:No data available
lgetfilecon_raw failed for /var/log/rpmpkgs.3:No data available
lgetfilecon_raw failed for /var/log/pm/suspend.log:No data available
lgetfilecon_raw failed for /var/log/prelink/prelink.log:No data available

以下配置项改为如下.

#/etc/aide.conf
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
EVERYTHING = p+i+n+u+g+s+m+c+acl+xattrs+md5+ALLXTRAHASHES
NORMAL = p+i+n+u+g+s+m+c+acl+xattrs+md5+rmd160+sha256
DIR = p+i+n+u+g+acl+xattrs
PERMS = p+i+u+g+acl
LOG = p+u+g+i+n+S+acl+xattrs
LSPP = p+i+n+u+g+s+m+c+acl+xattrs+md5+sha256
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger

#/etc/aide.conf

ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger

EVERYTHING = p+i+n+u+g+s+m+c+acl+xattrs+md5+ALLXTRAHASHES

NORMAL = p+i+n+u+g+s+m+c+acl+xattrs+md5+rmd160+sha256

DIR = p+i+n+u+g+acl+xattrs

PERMS = p+i+u+g+acl

LOG = p+u+g+i+n+S+acl+xattrs

LSPP = p+i+n+u+g+s+m+c+acl+xattrs+md5+sha256

DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger

参考来源:How to Fix Aide “lgetfilecon_raw failed for / : No data available” errors

5、参考

官网 http://aide.sourceforge.net/

AIDE –Linux高级入侵检测 http://gupt12.blog.51cto.com/7651206/1263183

打赏

流水理鱼

流水理鱼（wwek）的博客

使用AIDE做Linux高级入侵检测文件监控

1、aide介绍

2、aide安装配置使用

4、使用中遇到的问题错误

5、参考

发表评论取消回复

1、aide介绍

2、aide安装 配置使用

4、使用中遇到的问题 错误

5、参考

发表评论 取消回复

2、aide安装配置使用

4、使用中遇到的问题错误

发表评论取消回复