AIDE/zh-cn

AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system. AIDE scans files and other resources and stores information about them in a database. The stored information includes key file attributes such as the file's hash output, size, ownership, modification time, creation time, and so on. After the initial database has been created, AIDE rescans the system and compares the new scan results against the previously stored values. If the values differ, the file has been changed, and the change is reported. The idea behind AIDE is to create a snapshot of the system and later compare it with another snapshot in order to find compromised files.

USE flags
After the USE flags have been set accordingly, installation is easy.

Package-specific USE flag changes should be defined in the file, or in a text file under the directory named /etc/portage/package.use. For example, when using the file:

Emerge
Once the USE flags are set, install the software:

Overview
The configuration file for is not as daunting as it might seem at first sight. The default file is stored at but administrators can easily create multiple configuration files if necessary. Besides a few variables, the configuration file contains short-hand notations for what aspects of files to scan for (only hashes, or also inode information, etc.) and which files to scan.

Look at the database variables:

The first line in the example above defines the location of the database that contains the known values. The second line defines where to store a new database when one is generated. It is generally recommended not to have these variables point to the same database (the same path for each variable). If one database is to overwrite another, the best method is to manually copy the generated database from one location to the other. For example, to overwrite the first database with the second, this command could be used:

For now, leave the database variables as they are; they are covered in more detail later in this article.

Next, consider the short-hand notation variables for the information to be recorded in the database.

These letters are described in the default file, but for convenience the table below gives an overview of the most common options:

Next is an overview of which directories to scan, and what to scan for. In the three-line example that follows, AIDE is instructed to scan the and directories using the measures identified in the Binlib short-hand notation variable. The file is scanned using the measures defined in the Logs variable shown above.

AIDE supports regular expressions, and users are allowed to "remove" matches. For instance, to scan but not , create an exclusion by placing the ! (exclamation point) before the excluded path(s):
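As an added illustration of the snapshot-and-compare model described above (not code from AIDE or from the Gentoo wiki), the following Python script records the kind of attributes AIDE's rule letters stand for, selects files by regular expression with `!`-style exclusions, and reports the differences between two databases. The /etc tree, its contents and the appended entries are constructed in a temporary directory for the demonstration.

```python
import hashlib
import os
import re
import tempfile

def file_record(path):
    """Per-file attributes in the spirit of AIDE's rule letters (perm, owner, group, size, mtime) plus SHA-256."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"perm": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
            "size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}

def snapshot(root, include, excludes=()):
    """Record regular files under root matching `include` unless an `excludes` regex matches ('!' lines)."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root)  # stored relative to root
            selected = os.path.isfile(full) and not os.path.islink(full) and re.match(include, rel)
            if selected and not any(re.match(x, rel) for x in excludes):
                db[rel] = file_record(full)
    return db

def compare(old, new):
    """Report paths added, removed, or whose recorded attributes differ between two databases."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)), "changed": {}}
    for path in sorted(set(old) & set(new)):
        diffs = [k for k in old[path] if old[path][k] != new[path][k]]
        if diffs:
            report["changed"][path] = diffs
    return report

def _write(path, text, mode="w"):
    with open(path, mode) as fh:
        fh.write(text)

def demo():
    """Constructed scenario: baseline a fake /etc tree (excluding cron.d), alter it, rescan."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(os.path.join(etc, "cron.d"))
        _write(os.path.join(etc, "passwd"), "root:x:0:0::/root:/bin/sh\n")
        _write(os.path.join(etc, "cron.d/job"), "@reboot root /bin/true\n")
        baseline = snapshot(root, r"^/etc", [r"^/etc/cron\.d"])
        _write(os.path.join(etc, "passwd"), "backup:x:1001:1001::/home:/bin/sh\n", "a")
        _write(os.path.join(etc, "shadow"), "root:!:1::::::\n")  # new file, not in baseline
        return compare(baseline, snapshot(root, r"^/etc", [r"^/etc/cron\.d"]))
```

Running `demo()` reports /etc/passwd as changed (size and hash differ) and /etc/shadow as added, while the excluded /etc/cron.d is never recorded.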

Detailed options
The configuration file is based on regular expressions, macros and rules for files and directories. Users experienced with the tripwire solution will have no difficulties dealing with AIDE's configuration file. The following macros are available:

These macros are very handy when dealing with multiple Gentoo boxes, since the same configuration can be used for all of them at once. Not all machines run the same services, or even have the same users.

Next, there is a set of flags identifying the permissions, file attributes, checksums, cryptographic hashes and so on that are used to verify files and directories.

If AIDE was compiled with mhash support, the following flags are also available:

Initialization and frequent scans
For a basic AIDE setup, a database must be initialized. This is performed using the  option. To make sure AIDE uses the configuration settings defined in the sections before, be sure to pass the  option pointed to the correct configuration file:

After initialization, any pre-existing database file can be copied over:

With a new database available, the entries can be scanned again (now or at a later date) using the option. This creates another database containing any modifications that have been made to the file system since the first database was created. Be sure to use the option pointed to the same configuration file that the first database was created with:

If a file modification has occurred, a notification is issued:

Know what to scan
The default AIDE configuration is useful, but it needs to be fine-tuned to the user's needs. It is important to understand which files to scan and why.

For example, to scan all authentication-related files and nothing else, use a configuration like the following:

Keep the database offline and read-only
A second important aspect is that the result database should be stored offline when not needed and should be used in read-only mode when the database is needed. This gives some protection against a malicious user that might have compromised the machine to modify the results database. For instance, provide the result database on a read-only NFS mount (for servers) or read-only medium (when physical access to the machine is possible) such as a CD/DVD or a read-only USB drive.

Once the database is stored in a read-only location, update the file so that points to this new location.

Perform offline scans
If applicable, try to use an offline scanning method for the system. In the case of a virtual platform, a snapshot of the system can be taken, mounted (read-only), and the AIDE scan then run on the mounted file system.

The above method uses . This is only needed when the initial file system scan was taken from the live system and the administrator wants to perform offline verification. If the initial scan was done offline, the file will already point to the mount point and the database will use those paths right away, so no chroot is needed.

See also

 * Integrity/Concepts discusses concepts related to system integrity

External resources

 * AIDE tutorial (Linux.com)
 * Article on securing Linux with AIDE (Symantec.com)