Install and Configure AIDE on Debian 10


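In this tutorial, you will learn how to install and configure AIDE on Debian 10. AIDE stands for Advanced Intrusion Detection Environment.

AIDE is an intrusion detection system that detects file changes on the local system. It builds a database from the regular-expression rules found in its configuration file. Once this database is initialized, it can be used to verify the integrity of files. It supports several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) for checking file integrity, and more algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies. The file attributes AIDE can check include file permissions, inode, modification time, file content, user, group, file size...

Install and Configure AIDE on Debian 10

Run System Update

Before you start installing and configuring AIDE on Debian 10, update your system package lists;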

apt update

Install AIDE on Debian 10

AIDE is available in the default Debian repositories.

apt-cache policy aide
aide:
  Installed: (none)
  Candidate: 0.16.1-1
  Version table:
     0.16.1-1 500
        500 https://deb.debian.org/debian buster/main amd64 Packages

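However, at the time of writing, the current release version of AIDE is 0.17.3.

Unfortunately, the Debian repositories do not provide the latest version of AIDE, as it is still in testing. In this case, we will install the current stable version available in the default repositories, AIDE v0.16.1-1.

Run the command below to install the stable version of AIDE on Debian 10;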

apt install aide

Once AIDE is installed, you can verify the installed version by running;

aide -v

The command displays the currently installed AIDE version and the options it was compiled with.

Aide 0.16.1

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
WITH_AUDIT
CONFIG_FILE = "/dev/null"

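Configure AIDE on Debian 10

The general AIDE configuration file is /etc/default/aide.

Rules and other configuration are located under /etc/aide/.

The AIDE database is located under /var/lib/aide/.

Initialize the AIDE Database on Debian 10

Create a new AIDE database.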

aideinit

aideinit creates a new baseline database, /var/lib/aide/aide.db.new.

The command may take a few minutes to complete, though.

Running aide --init...
Start timestamp: 2021-05-13 14:06:27 -0400 (AIDE 0.16.1)
AIDE initialized database at /var/lib/aide/aide.db.new
Verbose level: 6

Number of entries:	205656

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new
  RMD160   : 7x5/c1dpNifnCqEfbegXkgeUYZ8=
  TIGER    : /TaHlucsBgKis1UAWqApNi05/irDr/EK
  SHA256   : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO
             ZgZLEM5aZRo=
  SHA512   : VwkOKebuBWzrAAhNdeyI/KlgrJGp+Cx7
             E/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb
             8rx7wQ2VMcn1aDfA8aXtNQ==
  CRC32    : ibeVcw==
  HAVAL    : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1
             7TtzPAdV9Nk=
  GOST     : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F
             8vsT+WVZAjQ=


End timestamp: 2021-05-13 14:13:05 -0400 (run time: 6m 38s)

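As you can see, a new baseline AIDE database, /var/lib/aide/aide.db.new, has been created.

Install the New AIDE Database

To install the newly created AIDE database, copy it to the location below;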

cp /var/lib/aide/aide.db{.new,}

Rebuild the AIDE Configuration

To update the AIDE runtime configuration, /etc/aide/aide.conf, run the command below;

update-aide.conf

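The command generates a new configuration file, /var/lib/aide/aide.conf.autogenerated. Copy the new configuration file to the default AIDE configuration directory, overwriting the existing one;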

cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf

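Check the AIDE Database for Inconsistencies

Once the new configuration is generated, run a manual database check against it by executing the command below;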

aide -c /etc/aide/aide.conf -C

The command checks for deviations between the AIDE database and the filesystem. See the sample output below;

Start timestamp: 2021-05-13 14:59:37 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Verbose level: 6

Summary:
  Total number of entries:	205656
  Added entries:		1
  Removed entries:		1
  Changed entries:		23

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------
Removed entries:
---------------------------------------------------

l----------------: /run/systemd/units/invocation:session-3.scope

---------------------------------------------------
Changed entries:
---------------------------------------------------

f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /root/.bash_history
f =.... mc.....  : /run/systemd/timesync/synchronized
d <.... mc.. ..  : /run/systemd/units
f <b... mc..C.. .: /var/lib/dhcp/dhclient.leases
f =.... mc..... .: /var/lib/systemd/timers/stamp-anacron.timer
f =.... mc..... .: /var/lib/systemd/timesync/clock
d =.... mc.. .. .: /var/ossec/etc/shared/default
f =.... mc..... .: /var/ossec/etc/shared/default/merged.mg
f >b... mc..C.. .: /var/ossec/logs/alerts/2021/May/ossec-alerts-13.json
f >b... mc..C.. .: /var/ossec/logs/alerts/2021/May/ossec-alerts-13.log
f >b... mc..C.. .: /var/ossec/logs/alerts/alerts.json
f >b... mc..C.. .: /var/ossec/logs/alerts/alerts.log
f >.... mc..C.. .: /var/ossec/logs/ossec.log
d =.... mc.. .. .: /var/ossec/queue/db
f >b... mc..C.. .: /var/ossec/queue/db/000.db
f <.... mc..C.. .: /var/ossec/queue/diff/debian/535/last-entry
f >.... mc..C.. .: /var/ossec/stats/totals/2021/May/ossec-totals-13.log
d =.... mc.. .. .: /var/ossec/var/run
f =.... mci.... .: /var/ossec/var/run/ossec-analysisd.state
f =.... mci.... .: /var/ossec/var/run/ossec-remoted.state
f =.... mc..C.. .: /var/ossec/var/wodles/syscollector
f =.... mc..C.. .: /var/webmin/miniserv.lastcrons


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
  RMD160   : 7x5/c1dpNifnCqEfbegXkgeUYZ8=
  TIGER    : /TaHlucsBgKis1UAWqApNi05/irDr/EK
  SHA256   : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO
             ZgZLEM5aZRo=
  SHA512   : VwkOKebuBWzrAAhNdeyI/KlgrJGp+Cx7
             E/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb
             8rx7wQ2VMcn1aDfA8aXtNQ==
  CRC32    : ibeVcw==
  HAVAL    : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1
             7TtzPAdV9Nk=
  GOST     : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F
             8vsT+WVZAjQ=


End timestamp: 2021-05-13 15:02:37 -0400 (run time: 3m 0s)

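From the output above, AIDE found a number of filesystem changes. Review the report.

Test AIDE on Debian 10

You can now create new files, edit some files or even delete some files, then rerun the AIDE check to see how AIDE detects all these changes.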

echo "1.2.3.4 test.kifarunix-demo.com" >> /etc/hosts
touch /etc/newfile
rm -rf /etc/issue

After making all these changes, rerun the AIDE database check against the filesystem.

aide -c /etc/aide/aide.conf -C

Sample output;

Start timestamp: 2021-05-13 15:08:24 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Verbose level: 6

Summary:
  Total number of entries:	205656
  Added entries:		2
  Removed entries:		2
  Changed entries:		24

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/newfile
f++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /etc/issue
l----------------: /run/systemd/units/invocation:session-3.scope

---------------------------------------------------
Changed entries:
---------------------------------------------------

f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /etc/hosts
...
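
To review a report like the ones above without reading every entry, the entry lines can be decoded and filtered. The script below is an added example, not part of the original tutorial: it assumes the flag-column order YlZbpugamcinCAXSE documented in aide.conf(5) for summarize_changes, and the function names and the watched prefixes (/etc, /bin, /usr/bin) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial: triage the entry list of an
# "aide --check" report. Function names and watched prefixes are assumptions.
# Flag columns follow aide.conf(5), summarize_changes: YlZbpugamcinCAXSE.

# Constructed sample: entry lines taken from the reports shown on this page,
# plus two detail lines that the parser must skip.
aide_sample_report() {
    cat <<'EOF'
f++++++++++++++++: /etc/newfile
f++++++++++++++++: /var/lib/aide/aide.db
f----------------: /etc/issue
l----------------: /run/systemd/units/invocation:session-3.scope
f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /etc/hosts
f =.... mc.....  : /run/systemd/timesync/synchronized
f =.... mci.... .: /var/ossec/var/run/ossec-analysisd.state
File: /etc/hosts
  Size     : 186                              | 218
EOF
}

# Print one tab-separated record per entry:
# status, file type, changed attributes, path.
aide_decode_entries() {
    awk '
    BEGIN {
        split("linkname size bcount perm uid gid atime mtime ctime inode linkcount checksum acl xattrs selinux e2fsattrs", name, " ")
        OFS = "\t"
    }
    # An entry line is exactly: 17 flag characters, ": ", absolute path.
    substr($0, 18, 2) == ": " && substr($0, 20, 1) == "/" && index("fdlcbpsDP!?", substr($0, 1, 1)) > 0 {
        flags = substr($0, 1, 17)
        path = substr($0, 20)
        type = substr(flags, 1, 1)
        rest = substr(flags, 2)
        if (rest == "++++++++++++++++") { print "added", type, "-", path; next }
        if (rest == "----------------") { print "removed", type, "-", path; next }
        attrs = ""
        for (i = 2; i <= 17; i++) {
            ch = substr(flags, i, 1)
            # "." unchanged, " " not checked, ":" ignored, "=" size unchanged
            if (ch == "." || ch == " " || ch == ":" || ch == "=") continue
            label = name[i - 1]
            if (ch == "<") label = label "-shrunk"
            if (ch == ">") label = label "-grown"
            attrs = attrs (attrs == "" ? "" : ",") label
        }
        print "changed", type, (attrs == "" ? "-" : attrs), path
    }'
}

# Keep only entries under the given path prefixes that were added, removed, or
# whose content, ownership, permissions or security attributes changed.
# Timestamp-only changes and paths outside the prefixes drop out.
aide_triage() {
    prefixes="$*"
    aide_decode_entries | awk -F '\t' -v prefixes="$prefixes" '
    BEGIN { n = split(prefixes, pre, " ") }
    {
        hit = 0
        for (i = 1; i <= n; i++)
            if ($4 == pre[i] || index($4, pre[i] "/") == 1) hit = 1
        if (!hit) next
        if ($1 != "changed" || $3 ~ /checksum|perm|uid|gid|acl|xattrs|selinux/)
            print $1 "\t" $4
    }'
}

# Demo on the constructed sample: prints the four /etc entries.
aide_sample_report | aide_triage /etc /bin /usr/bin
```

On a live system the same filter can read the real report, for example aide -c /etc/aide/aide.conf -C | aide_triage /etc /bin /usr/bin.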

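Limit AIDE Integrity Checks to Specific Files/Directories

To limit the integrity check to specific entries, for example /etc, pass the --limit REGEX option to the AIDE check command, where REGEX matches the entries to check.

For example, to check only the database entries matching /etc, run the aide command as shown below;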

aide -c /etc/aide/aide.conf --limit /etc --check

Sample output;

Start timestamp: 2021-05-13 15:13:34 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Limit: /etc | Verbose level: 6

Summary:
  Total number of entries:	205656
  Added entries:		1
  Removed entries:		1
  Changed entries:		2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/newfile

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /etc/issue

---------------------------------------------------
Changed entries:
---------------------------------------------------

f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /etc/hosts

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/aide/aide.conf
  Size     : 6598                             | 46195
  Bcount   : 16                               | 96
  Mtime    : 2016-04-16 13:57:29 -0400        | 2021-05-13 14:52:51 -0400
  Ctime    : 2021-05-13 05:34:15 -0400        | 2021-05-13 14:52:51 -0400
  RMD160   : kHZi6LuS1X5nlHkrtCLV9UdgDxo=     | 8wjI15r0D6K1MUVoiyjJPOlGv18=
  TIGER    : 4Xz+mZRAxr2kNIGOmTNJa/7Ftv+VpV37 | 5D516C4863lj53Gcsjw6criLTX43JoSL
  SHA256   : RN1UT38/wRA8N5o4M4MHU8N+G49sK9nB | awEfe2H7plz+FstE6NEEHwBsthaweMji
             0B5VVewz3h8=                     | WcEO1u90BTg=
  SHA512   : o4LOstw3erheco5dpKcKLadGav29Ud9E | DeNIyQrjM8tDAfJdjLTYMTgDPvft/kjH
             ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | 9GJbw/K4u+WwMMUeg8iKdNkCL6YPc49X
             yKP7Fvoitf+jHcriq57Pgg==         | xEkz4dL2MjSFBj0i+zQW1g==
  CRC32    : S3Rhfg==                         | XsRmRw==
  HAVAL    : +O7017egNOm+/TJW/3HxeQcxmz55pDM7 | 2nb6INYq7XrgjDfncGvqSEz+UwXIYtSB
             S+TXtMWVN/E=                     | 4YrUy9kI6IU=
  GOST     : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | omvkgMtCPG2xKS2Sbe3PVUKg8+ZNve9j
             NhV8dix9LIw=                     | Zf744WY7Flk=

File: /etc/hosts
  Size     : 186                              | 218
  Mtime    : 2021-01-29 14:23:36 -0500        | 2021-05-13 15:07:59 -0400
  Ctime    : 2021-01-29 14:23:36 -0500        | 2021-05-13 15:07:59 -0400
  RMD160   : pgg6hjBhDjMlk+l8yu0LB1SL7o8=     | sUqfThZK2gYBG5rgKCY0882JsFE=
  TIGER    : 6rCGqnmCVSK81X5SatwKyW6Cybt1B9yP | 04im6NfESOdCKzANx6VA3ehjZ0skylIh
  SHA256   : XJiphdFN5h4JGKNCqvrG71xF+FyFEi5E | rjTkky/c4992255kH3yXciO+SHZa8wlA
             SvfqvfKxUng=                     | 9brQo29MU+o=
  SHA512   : Frpi7XYfQq7SA8HSImzFystaarku/1Cs | jqUFxAQYoNlj5LXVZxn6kJGwQLePCWcs
             Ba7vka2boOYZsqzVoXq0c6zlxb5AVX7J | Ay3i8i8bAv59cfjRpxQpTj3rNdeS70pp
             Yl+VEG/SZpPvca+6xn4P8Q==         | xj1P9YWWTtn6unB6ZON2pg==
  CRC32    : xZ01PQ==                         | 9LtLwA==
  HAVAL    : 17oJH6iVQGXq3ge2uXnwumq0xCLaF+fS | Qty/rrMbvG1RTmj6+PvPUtB6zAk6x/na
             Goy5GCiijPI=                     | oiBWgvPWsmY=
  GOST     : X8Mnh75FrKoDQl88Ez1l0hRH4pR9lOon | zjAjM0BCHajG4Xb1AIZGOXOzjOtRQ7lZ
             jkxNlJeC1fA=                     | EzBfUnAXze0=


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
  RMD160   : 7x5/c1dpNifnCqEfbegXkgeUYZ8=
  TIGER    : /TaHlucsBgKis1UAWqApNi05/irDr/EK
  SHA256   : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO
             ZgZLEM5aZRo=
  SHA512   : VwkOKebuBWzrAAhNdeyI/KlgrJGp+Cx7
             E/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb
             8rx7wQ2VMcn1aDfA8aXtNQ==
  CRC32    : ibeVcw==
  HAVAL    : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1
             7TtzPAdV9Nk=
  GOST     : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F
             8vsT+WVZAjQ=


End timestamp: 2021-05-13 15:14:04 -0400 (run time: 0m 30s)

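Exclude Specific Directories from AIDE Checks

To exclude some directories, edit the configuration file, /etc/aide/aide.conf, and add the directories to ignore at the end of the file in the format;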

!/home/
!/var/lib/
!/proc

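Use a Custom AIDE Configuration

You can also create your own configuration and define what should and should not be checked.

See the sample configuration below;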

mkdir /home/koromicha/aide
vim /home/koromicha/aide/aide.conf
# Path for creating the databases
database=file:/home/koromicha/aide/aide.db
database_out=file:/home/koromicha/aide/aide.db.new
database_new=file:/home/koromicha/aide/aide.db.new

# Set your own AIDE rule.
MYRULE=p+n+u+g+s+m+c+xattrs+md5+sha512

# Directories/files to be monitored and rule to apply
#/etc MYRULE
#/bin MYRULE
#/usr/bin MYRULE
/home MYRULE

# Directories to ignore
!/proc

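Basically, the rule set above checks:

  • permissions (p),
  • number of links (n),
  • user (u),
  • group (g),
  • size (s),
  • modification time (m),
  • inode/file change time (c),
  • extended file attributes (xattrs),
  • MD5 checksum,
  • SHA512 checksum.

Initialize the database with the new configuration;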

aide -c /home/koromicha/aide/aide.conf -i

Copy the database into place;

cp /home/koromicha/aide/aide.db{.new,}

AIDE Diagnostics

Verify that the configuration file has no errors by running the command below;

aide -c /home/koromicha/aide/aide.conf --config-check

Check the command exit status.

echo $?

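According to the AIDE man page, the exit status of AIDE is normally 0 if no error occurred, except when the --check, --compare or --update command was requested, in which case the exit status is defined as: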

   1 * (new files detected?)     +

   2 * (removed files detected?) +

   4 * (changed files detected?)

   Since  those three cases can occur together, the respective error codes are added. For example, if there are new files and removed files detected, the exit status will be 1 + 2 = 3.

   Additionally, the following exit codes are defined for generic error conditions:

   14 Error writing error

   15 Invalid argument error

   16 Unimplemented function error

   17 Invalid configureline error

   18 IO error

   19 Version mismatch error

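Note: whenever you make any AIDE configuration change, remember to initialize the database to create a new baseline.

Make some changes, such as creating new directories and files;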

rm -rf /home/koromicha/aide/aide.db.new
mkdir /home/koromicha/test-dir
touch /home/koromicha/test-file

You can then run AIDE against your custom configuration.

aide -c /home/koromicha/aide/aide.conf -C
Start timestamp: 2021-05-13 15:20:06 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	10
  Added entries:		3
  Removed entries:		1
  Changed entries:		2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /home/koromicha/aide/aide.db
d++++++++++++++++: /home/koromicha/test-dir
f++++++++++++++++: /home/koromicha/test-file

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /home/koromicha/aide/aide.db.new

---------------------------------------------------
Changed entries:
---------------------------------------------------

d = ... mc n  .  : /home/koromicha
d = ... mc .  .  : /home/koromicha/aide

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /home/koromicha
  Mtime    : 2021-05-13 15:17:02 -0400        | 2021-05-13 15:19:59 -0400
  Ctime    : 2021-05-13 15:17:02 -0400        | 2021-05-13 15:19:59 -0400
  Linkcount: 3                                | 4

Directory: /home/koromicha/aide
  Mtime    : 2021-05-13 15:18:19 -0400        | 2021-05-13 15:19:59 -0400
  Ctime    : 2021-05-13 15:18:19 -0400        | 2021-05-13 15:19:59 -0400


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/home/koromicha/aide/aide.db
  MD5      : f0gmAXaAnpmsLpcqEB2yaw==
  SHA1     : HjZ96ZFaLaGXT7oLQHetDByRcfg=
  RMD160   : ND0cqBPVsKaZw6peqJq81oAckx8=
  TIGER    : GsNazCXJu/wNbSTKyXUSPXgGImsKYZSj
  SHA256   : yz0xi62lx4v4yxwvcVG4DcrEpaszxCFi
             M5SFuRB7rFc=
  SHA512   : bMqIRxmfMz/Id1aKhKNUfZbG6I/Jn5UD
             6+G7x0oTFwf/GxUn8AVbhDyitO4bDjE/
             6yw2N+Ea4b69UgYkt8v6xQ==
  CRC32    : amnOHQ==
  HAVAL    : lKVe1OAZ/RHx8vq3AH1td++qnLZhomN/
             8VWvgolh12Y=
  GOST     : WzrpoPdX5kbKV9+XXKO2B6mWdyPq2m17
             u3querF/YTk=
  WHIRLPOOL: gsUPlPVbwDJYOXOWi30/1PXONnTZqMGM
             fQOCS8VsEpV9tYUuM2Yrb78hCjfjACla
             SdxnhuyiM3DPwIVS9c1x9Q==


End timestamp: 2021-05-13 15:20:06 -0400 (run time: 0m 0s)

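Send AIDE Reports by Mail

By default, AIDE installs a daily execution script for itself, /etc/cron.daily/aide, at installation time.

The output of the check is mailed to the user specified in the MAILTO= directive of the /etc/default/aide configuration file mentioned above.

To send the AIDE report by mail, edit the file /etc/default/aide and set the value of the MAILTO directive to your email ID, as shown below. The default recipient is root.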

vim /etc/default/aide
...
#MAILTO=root
MAILTO=[email protected]

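Most of the AIDE default parameter settings are defined in this file. The file is heavily commented for ease of understanding, so go through it to see what other options to enable or disable.

Email delivery only works if you have an MTA configured for mail delivery. Follow the links below to learn how to configure Postfix to relay through Gmail SMTP;

Configure Postfix to Use Gmail SMTP

Configure Postfix to Use Gmail SMTP on Ubuntu 18.04

Instead of using the cron mail recipient address above, you can edit the Postfix mail aliases and set the alias for root to the email address on which you want to receive AIDE reports;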

vim /etc/aliases
postmaster:    root
root:   [email protected]

Make sure you update the aliases;

newaliases

You can also install a cron job to run AIDE at specific intervals;

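sudo crontab -e
# cron runs /bin/sh, so the .new path is spelled out; exit status 0-7 means the run completed (7 = new + removed + changed)
*/10 * * * * aide -c /home/koromicha/aide/aide.conf -u; [ $? -le 7 ] && cp /home/koromicha/aide/aide.db.new /home/koromicha/aide/aide.db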

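This runs the AIDE system check every 10 minutes and emails the report to [email protected], as per my setup. Because the job also copies aide.db.new over aide.db, every reported change becomes part of the baseline after that run, so review each report when it arrives.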
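
A scheduled check is easier to act on when the exit status quoted from the man page earlier is interpreted rather than ignored. The wrapper below is an added example, not part of the original tutorial: the function names are assumptions, and it runs a check only and leaves the baseline untouched.

```shell
#!/bin/sh
# Added example, not from the original tutorial: interpret the AIDE exit status
# in a scheduled check. Function names are assumptions; the status values are
# the ones quoted from the man page earlier on this page.

# The tutorial's custom configuration; override through the environment.
AIDE_CONF=${AIDE_CONF:-/home/koromicha/aide/aide.conf}

# Translate an exit status of --check/--update/--compare into words.
aide_decode_status() {
    code=$1
    case $code in
        0)  echo "no differences" ;;
        [1-7])
            out=""
            if [ $((code & 1)) -ne 0 ]; then out="$out new"; fi
            if [ $((code & 2)) -ne 0 ]; then out="$out removed"; fi
            if [ $((code & 4)) -ne 0 ]; then out="$out changed"; fi
            echo "differences:$out" ;;
        14) echo "error: writing" ;;
        15) echo "error: invalid argument" ;;
        16) echo "error: unimplemented function" ;;
        17) echo "error: invalid configureline" ;;
        18) echo "error: IO" ;;
        19) echo "error: version mismatch" ;;
        *)  echo "error: unexpected status $code" ;;
    esac
}

# Run the given command (normally "aide -c CONF --check") and report.
# Clean run: no output, so cron sends no mail.
# Differences: "alert ..." line followed by the report.
# Errors: "fail ..." line followed by whatever AIDE printed.
aide_cron_check() {
    status=0
    report=$("$@" 2>&1) || status=$?
    verdict=$(aide_decode_status "$status")
    case $verdict in
        "no differences")
            : ;;
        differences:*)
            echo "alert $verdict"
            printf '%s\n' "$report" ;;
        *)
            echo "fail $verdict"
            printf '%s\n' "$report" ;;
    esac
}

# Run for real only where AIDE is installed (for example from root's crontab).
if command -v aide >/dev/null 2>&1; then
    aide_cron_check aide -c "$AIDE_CONF" --check
fi
```

A "fail" line means the run itself did not complete, so it says nothing about whether files changed and should be investigated separately from an "alert".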

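It is also worth noting that AIDE checks can be resource intensive and may cause performance issues on the system during the integrity check. If you are scanning system-wide, make sure you provide "enough" resources.

That marks the end of our tutorial on how to install and configure AIDE on Debian 10.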
