AIDE/ko

AIDE
AIDE stands for "Advanced Intrusion Detection Environment". It is a program that scans files and other resources and stores information about them in a database; this information includes hashes, file size, owner and so on. The program then activates the database, rescans the system and compares the results against the previously stored values. If a value differs, the file has been changed, and the change is reported.

Installation and configuration
On Gentoo, installing aide is easy once the USE flags have been set. The supported USE flags are:

Then install the program with:

The configuration file for aide is not as daunting as it might seem at first sight. The default file is stored at but administrators can easily create multiple separate configuration files if necessary. Besides a few variables, the configuration file contains a few short-hand notations for what aspects of files to scan for (only hashes, or also inode information, etc.) and then which files to scan.

Let's look at the variables first.

These parameters define where the database containing the known values is stored, and where a newly generated database is written. It is generally recommended not to have both variables point to the same location; instead, manually copy the generated database from the one location to the other.

For now, leave these values as they are; we will come back to them later.

These are short-hand notations for what to measure. The letters are described in the default file, but the next table gives an overview of the most common ones.

Also, it is pretty obvious that  and   mean that the MD5 and SHA-1 checksums are taken.

These short-hand notations are then used to identify which checks to run on each file.

This is the overview of which directories to scan and what to scan for. In the three-line example above, AIDE is told to scan the  and  locations and take the measures identified earlier by the  short-hand notation; the  location should use the  scan measures.

AIDE supports regular expressions, and matches can be "removed" (excluded) again. For instance, to scan  but not , include an exclusion set like so:
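To make the moving parts above concrete (what an attribute group records, how a rule set with an exclusion selects paths, and how a stored baseline is compared against a rescan), here is an added Python sketch of the same idea. It is an illustration written for this page, not AIDE's own code: the one-letter attribute mapping, the use of sha256 as the checksum, the `!` exclusion syntax, the "exclusions win, then first match" precedence and the temporary tree it scans are all assumptions of the example. As with AIDE, the rule regexes are anchored at the start of the path.

```python
import hashlib
import os
import re
import stat
import tempfile

# Attribute letters modelled on AIDE's notation (p = permissions, i = inode,
# n = link count, u = uid, g = gid, s = size, m = mtime, c = ctime).
# This mapping, and sha256 as the checksum, are assumptions of the example.
ATTRS = {"p": lambda st: stat.S_IMODE(st.st_mode), "i": lambda st: st.st_ino,
         "n": lambda st: st.st_nlink, "u": lambda st: st.st_uid, "g": lambda st: st.st_gid,
         "s": lambda st: st.st_size, "m": lambda st: st.st_mtime_ns, "c": lambda st: st.st_ctime_ns}


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def parse_rules(text):
    """'REGEX GROUP' selects paths and the attributes to record; '!REGEX' excludes.
    Returns (exclude, compiled_regex, attribute_tokens) triples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            rules.append((True, re.compile(line[1:].split()[0]), None))
        else:
            pattern, group = line.split(None, 1)
            rules.append((False, re.compile(pattern), group.strip().split("+")))
    return rules


def is_excluded(rules, path):
    # re.match anchors the regex at the start of the path
    return any(exc and rx.match(path) for exc, rx, _ in rules)


def select_group(rules, path):
    """Exclusions win; otherwise the first matching include rule decides what to record.
    (Simplified model of AIDE's rule matching, not its exact precedence logic.)"""
    if is_excluded(rules, path):
        return None
    for exc, rx, tokens in rules:
        if not exc and rx.match(path):
            return tokens
    return None


def measure(path, tokens):
    """Record the requested attributes of one path; checksums only apply to regular files."""
    st = os.lstat(path)
    return {t: (sha256_of(path) if stat.S_ISREG(st.st_mode) else None) if t == "sha256"
            else ATTRS[t](st) for t in tokens}


def build_db(root, rules):
    """Walk root, never descending into excluded directories, and record selected paths."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not is_excluded(rules, os.path.join(dirpath, d))]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            tokens = select_group(rules, path)
            if tokens:
                db[path] = measure(path, tokens)
    return db


def compare(baseline, root, rules):
    """Rescan and report added/removed paths and, per changed path, which attributes differ."""
    current = build_db(root, rules)
    report = {"added": [], "removed": [], "changed": {}}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            diff = [k for k, v in baseline[path].items() if current[path].get(k) != v]
            if diff:
                report["changed"][path] = diff
    return report


def demo():
    """Constructed walkthrough on a temporary tree: take a baseline, tamper, rescan."""
    root = tempfile.mkdtemp(prefix="aide-demo-")
    etc, log = os.path.join(root, "etc"), os.path.join(root, "var", "log")
    os.makedirs(etc)
    os.makedirs(log)

    def write(path, text):
        with open(path, "w") as f:
            f.write(text)

    write(os.path.join(etc, "passwd"), "root:x:0:0::/root:/bin/sh\n")
    write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
    write(os.path.join(log, "syslog"), "noise\n")
    r = re.escape(root)
    rules = parse_rules(f"""
    # full attribute set under etc, only ownership/permissions under var, never var/log
    {r}/etc   p+i+n+u+g+s+m+c+sha256
    {r}/var   p+u+g
    !{r}/var/log
    """)
    baseline = build_db(root, rules)
    write(os.path.join(etc, "passwd"), "root:x:0:0::/root:/bin/sh\nmallory:x:0:0::/root:/bin/sh\n")
    write(os.path.join(log, "syslog"), "more noise\n")  # excluded: must not be reported
    return root, baseline, compare(baseline, root, rules)


if __name__ == "__main__":
    _, _, report = demo()
    print(report)
```

Running the block prints a report that names only the tampered `etc/passwd` entry together with the attributes that differ (size and checksum, usually also the timestamps), while the noise written under the excluded `var/log` tree goes unreported.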

Initialization and regular checks
First, the database needs to be initialized once.

Once initialized, the database file can be copied to another location.

Now that the database is available, the system can be rescanned for potential modifications:

When a file modification has occurred, a notification is sent out:

Be clear about what to scan
The default AIDE configuration is useful, but it needs to be fine-tuned to suit the users' needs. It is important to know which files to scan and why.

For instance, to scan for all authentication-related files but not for other files, use a configuration like so:

Keep the database offline and read-only
A second important aspect is that the result database should be stored off-line when it is not needed and used in read-only mode when it is. This gives some protection against a malicious user who might already have compromised the machine and would otherwise be able to modify the results database as well. For instance, provide the result database on a read-only NFS mount (for servers) or on a read-only medium (when physical access to the machine is possible) such as a CD/DVD or a read-only USB stick.

After storing the database on such location, update the file to have   point to this new location.

Scan offline
If applicable, try using offline scanning methods for the system. In case of virtual platforms, it might be possible to take a snapshot of the system, mount this snapshot (read-only) and then run the aide scan on the mounted file system.

The above approach uses a chroot. This is only needed when the initial file system has been scanned from the live system and the administrator wants to perform an offline validation. If the initial scan was done offline, then the file will point to the mount point already and the database will use these paths immediately, so then there is no need for chrooting.
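The path mismatch that the chroot solves can be shown directly: a baseline taken on the live system stores absolute paths such as /etc/passwd, whereas the same files in a read-only snapshot sit under its mount point. The added Python example below (written for this page, not AIDE's code) records a size-plus-sha256 baseline, then checks a snapshot by stripping the mount prefix from each path before comparing, which is the same effect a chroot into the mount point gives. The two temporary directories stand in for / and for the snapshot mount point and are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile


def file_digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def scan(root, prefix=""):
    """Record (size, sha256) of every regular file under root, keyed by the path the
    file has on the live system: prefix is stripped so a snapshot mounted elsewhere
    yields the same keys (/etc/passwd) as a scan of the running system."""
    db = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            key = full[len(prefix):] if prefix and full.startswith(prefix) else full
            db[key] = (os.lstat(full).st_size, file_digest(full))
    return db


def check(baseline, root, prefix=""):
    """Compare a fresh scan of root (with prefix mapping) against the stored baseline."""
    current = scan(root, prefix)
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed walkthrough: a 'live' tree, a snapshot copy of it 'mounted' elsewhere,
    and checks of the snapshot against the live baseline with and without prefix mapping."""
    work = tempfile.mkdtemp(prefix="aide-offline-")
    live = os.path.join(work, "live")        # stands in for the running system's /
    snap = os.path.join(work, "snapshot")    # stands in for the read-only snapshot mount
    os.makedirs(os.path.join(live, "etc"))
    with open(os.path.join(live, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0::/root:/bin/sh\n")
    with open(os.path.join(live, "etc", "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")
    # Baseline taken on the live system: keys become /etc/passwd and /etc/hosts
    baseline = scan(live, prefix=live)
    shutil.copytree(live, snap)
    clean = check(baseline, snap, prefix=snap)     # identical snapshot: nothing reported
    # A later snapshot carries a tampered file
    with open(os.path.join(snap, "etc", "passwd"), "a") as f:
        f.write("mallory:x:0:0::/root:/bin/sh\n")
    tampered = check(baseline, snap, prefix=snap)  # only /etc/passwd reported
    # Without the mapping (and without a chroot) the database paths never line up:
    # every baseline entry looks missing and every snapshot file looks new.
    naive = check(baseline, snap)
    return clean, tampered, naive


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "naive"), demo()):
        print(label, result)
```

The `naive` result is the failure mode the section describes: the baseline was built on the live system, so validating a mounted snapshot needs either a chroot or this kind of prefix mapping; if the initial scan was itself taken on the mounted snapshot, the stored paths already carry the mount point and neither is required.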