AIDE/zh-cn

AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection system. AIDE scans files and other resources and stores information about them in a database. The stored information includes key file attributes such as the file's hash values, size, ownership, modification time, creation time, and more. After the initial database has been created, AIDE rescans the system and compares the new scan results with the previously stored values. If the values differ, the file has been changed and the change is reported. The idea behind AIDE is to create a snapshot of a system and then compare that snapshot with a later one to find compromised files.

USE flags
Once the USE flags are set accordingly, installation is straightforward.

USE flag changes specific to a certain package are defined in the file, or in a text file inside the directory of the same name. For example, when using a file:

Emerge
After the USE flags have been set, install the software:

Overview
The configuration file for is not as daunting as it might seem at first sight. The default file is stored at but administrators can easily create multiple configuration files if necessary. Besides a few variables, the configuration file contains short-hand notations for which aspects of files to record (only hashes, or also inode information, etc.) and rules for which files to scan.

Look at the database variables:

The first line in the example above defines the location of the database that contains the known (baseline) values. The second line defines where to store the new database when another one is generated. It is generally not recommended to point both variables at the same database (the same path for each variable). If one database is to overwrite the other, the best method is to manually copy the generated database from one location to the other. For example, to overwrite the first database with the second, this command could be used:

For now, leave the database variables as they are; they are covered in more detail later in this article.

Next, consider the short-hand notation variables that describe which information is recorded in the database.

The letters are described in the default file, but for convenience the following table provides an overview of the most common options:

Next is an overview of which directories to scan, and what to record for them. In the three-line example that follows, AIDE is instructed to scan the and  directories using the measures identified in the Binlib short-hand variable. The file is checked using the measures defined in the Logs variable defined above.

AIDE supports regular expressions, and users can "remove" matches again. For instance, to scan but not , create an exclusion by placing an exclamation point (!) before the excluded path(s):
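The selection logic described in the last three paragraphs (short-hand attribute variables, path rules that are regular expressions, and "!" exclusions) as a small Python model. This is an added example, not AIDE's own code; the config excerpt is constructed, and the matching order (an exclusion always wins, otherwise the longest matching rule) is an assumed simplification of AIDE's rule handling.

```python
import re

# Constructed aide.conf excerpt (not from the page): two short-hand
# definitions, three positive selection rules and one "!" exclusion.
SAMPLE_CONF = """
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
/bin Binlib
/usr/bin Binlib
/var/log Logs
!/var/log/aide
"""

def parse_conf(text):
    """Return short-hand definitions and rules (negated, regex, attrs) in file order."""
    shorthands, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line and not line.startswith(("/", "!")):
            name, attrs = (s.strip() for s in line.split("=", 1))
            shorthands[name] = attrs.split("+")      # e.g. Logs -> [p, i, n, u, g, S]
            continue
        negated = line.startswith("!")
        parts = line.lstrip("!").split()
        regex = re.compile(parts[0])                  # the path is a regex prefix
        attrs = [] if negated else shorthands[parts[1]]
        rules.append((negated, regex, attrs))
    return rules

def select(path, rules):
    """Attributes to record for `path`, or None when the path is not scanned.
    Assumed semantics: any matching "!" rule excludes the path; otherwise the
    longest matching positive regex decides which attributes are recorded."""
    best = None
    for negated, regex, attrs in rules:
        if regex.match(path):
            if negated:
                return None
            if best is None or len(regex.pattern) > len(best[0]):
                best = (regex.pattern, attrs)
    return best[1] if best else None
```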

Detailed options
The configuration file is based on regular expressions, macros and rules for files and directories. Users experienced with the Tripwire solution will have no difficulty dealing with AIDE's configuration file. The following macros are available:

These macros are very handy when managing several Gentoo boxes with the same configuration on all of them: not every machine runs the same services or even has the same users.

Next, there is a set of flags identifying the permissions, file attributes, checksums, cryptographic hashes and so on that are used to verify files and directories.

If AIDE was compiled with mhash support, the following flags are also available:

Initialization and frequent scanning
For a basic AIDE setup, a database must first be initialized. This is done with the  option. To make sure AIDE uses the configuration settings defined in the previous sections, pass the  option pointing to the correct configuration file:

After initialization, any pre-existing database file can be copied over:

With a new database available, the entries can be scanned again (now or at a later date) using the  option. This creates another database containing any modifications that have been made to the file system since the first database was created. Be sure to use the  option pointing to the same configuration file that the first database was created with:

If a file has been modified, a notification is issued:
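The snapshot-and-compare cycle that the initialization and rescan steps above describe, as an added Python example (not AIDE's own code, and not a replacement for it): `snapshot()` plays the role of the initial scan, `compare()` the role of the rescan report, listing added, removed and changed files together with the attributes that differ. It records size, mode, ownership, mtime, inode and a sha256 hash; the directory layout and file contents used in the test are constructed.

```python
import hashlib
import json
import os
import stat

def file_record(path):
    """Attributes recorded per file, modelled on AIDE's p/i/u/g/s/m + hash flags."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
           "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime),
           "inode": st.st_ino}
    if stat.S_ISREG(st.st_mode):                  # hash regular files only
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec

def snapshot(root):
    """Walk `root` and record every file's attributes (the initialization step)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full)
    return db

def save_db(db, path):
    """Persist a snapshot; keep this file off the scanned tree and read-only."""
    with open(path, "w") as f:
        json.dump(db, f, sort_keys=True)

def load_db(path):
    with open(path) as f:
        return json.load(f)

def compare(baseline, current):
    """Diff two snapshots (the rescan step): which files appeared, vanished or changed."""
    report = {"added": sorted(current.keys() - baseline.keys()),
              "removed": sorted(baseline.keys() - current.keys()),
              "changed": {}}
    for p in baseline.keys() & current.keys():
        diff = [k for k in baseline[p] if baseline[p][k] != current[p].get(k)]
        if diff:
            report["changed"][p] = diff      # e.g. ["size", "sha256"]
    return report
```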

Know what to scan
The default AIDE configuration is useful, but it needs to be fine-tuned to suit the user's needs. It is important to know which files to scan and why.

For instance, to scan for all authentication-related files but not for other files, use a configuration like so:

Keep the database offline and read-only
A second important aspect is that the result database should be stored offline when it is not needed, and mounted read-only when it is. This gives some protection against a malicious user who has compromised the machine and would otherwise modify the result database to hide the changes. For instance, provide the result database on a read-only NFS mount (for servers) or on a read-only medium (when physical access to the machine is possible) such as a CD/DVD or a read-only USB drive.

After storing the database in a read-only location, update the file so that  points to this new location.

Perform offline scanning
If applicable, use offline scanning methods for the system. On virtual platforms it may be possible to take a snapshot of the system, mount this snapshot read-only and then run the AIDE scan against the mounted file system.

The above approach uses a chroot. This is only needed when the initial file system scan was made from the live system and the administrator wants to perform an offline validation. If the initial scan was done offline, the file already points to the mount point and the database uses these paths directly, so there is no need for chrooting.

See also

 * Integrity/Concepts talks about the concepts related to system integrity

External resources

 * Tutorial on how to use AIDE (Linux.com)
 * Securing Linux with AIDE article (Symantec.com)