1、AIDE的简单介绍
AIDE通过扫描一台(未被篡改)的Linux服务器的文件系统来构建文件属性数据库,以后将服务器文件属性与数据库中的进行校对,然后在服务器运行时对被修改的索引了的文件发出警告。出于这个原因,AIDE必须在系统更新后或其配置文件进行合法修改后重新对受保护的文件做索引。
2、安装并简单配置aide
[[email protected] ~]# yum -y install aide [[email protected] ~]# vim /etc/aide.conf # 添加下列行: /molewan NORMAL [[email protected] ~]# aide --init AIDE, version 0.15.1 ### AIDE database at /var/lib/aide/aide.db.new.gz initialized. 初始化的时间会比较长,耐心等待下 [[email protected] ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz 说明:根据/etc/aide.conf生成的/var/lib/aide/aide.db.new.gz文件需要重命名 为/var/lib/aide/aide.db.gz,以便让AIDE能读取它
3、模拟在aide监管的目录下,新添加一个文件
[[email protected] ~]# cd /molewan/ [[email protected] molewan]# cp /etc/passwd . [[email protected] molewan]# ls passwd
4、执行aide进行检查
[[email protected] molewan]# aide --check Entry /root/.mysql_history in databases has different attributes: 20000001d 20020001d AIDE 0.15.1 found differences between database and filesystem!! Start timestamp: 2017-06-22 10:35:10 Summary: Total number of files:272614 Added files:1 Removed files:0 Changed files:3 --------------------------------------------------- Added files: --------------------------------------------------- added: /molewan/passwd --------------------------------------------------- Changed files: --------------------------------------------------- changed: /opt/gitlab/sv/logrotate/supervise/pid changed: /opt/gitlab/sv/logrotate/supervise/status changed: /root/.mysql_history --------------------------------------------------- Detailed information about changes: --------------------------------------------------- File: /opt/gitlab/sv/logrotate/supervise/pid SHA256 : 1JSst6Quw/tdtJftiGt/21jUIBRbzOcQ , NUB/zWnJypaqQW2QQcC/Mx5e1QInQn+0 File: /opt/gitlab/sv/logrotate/supervise/status SHA256 : A/GkExLS7Y1JyYVE4N7/I1pUxRH/xj1P , BKuJ49lWHu2kprL//4A+AO/lJZS7evFx File: /root/.mysql_history Perm : lrwxrwxrwx , -rw------- 说明:可以发现,新添加哪些文件,修改了哪些参数
参考资料:http://os.51cto.com/art/201411/457358.htm
时间: 2024-08-03 22:32:07