AIDE
AIDE(Advanced Intrusion Detection Environment)是一个基于主机的入侵侦测系统。AIDE 扫描文件和其他资源并将有关这些文件的信息存储在数据库中。存储的信息包括关键文件属性,例如文件哈希输出、文件大小、所有权、修改时间、创建时间等。创建初始数据库后,AIDE 会重新扫描系统并将新的扫描结果与之前存储的值进行比较。如果值不同,则文件已被更改,且更改将被报告。使用 AIDE 背后的思想是创建系统的快照,然后将快照与另一个创建的快照进行比较以查找受感染的文件。
安装
USE 标记
相应地设置 USE 标记后,安装 app-forensics/aide 很容易。
USE flags for app-forensics/aide AIDE (Advanced Intrusion Detection Environment) is a file integrity checker
acl
|
Add support for Access Control Lists |
audit
|
Enable support for Linux audit subsystem using sys-process/audit |
curl
|
Use curl for http,https and ftp backends |
e2fs
|
Enable support for checking file attributes on ext2/ext3/ext4 filesystems |
mhash
|
Add support for the mhash library |
selinux
|
!!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur |
xattr
|
Add support for extended attributes (filesystem-stored metadata) |
特定于某个包的 USE 标记更改应在 /etc/portage/package.use 文件中定义,或在名为 {{Path|/etc/portage/package.use} 的目录下的文本文件中定义}。例如,当使用 /etc/portage/package.use 文件时:
/etc/portage/package.use为 AIDE 启用 zlib 支持app-forensics/aide zlib
Emerge
在 USE 标记设置完成后,开始安装软件:
root #emerge --ask app-forensics/aide配置
概述
The configuration file for app-forensics/aide is not as daunting as it might seem at first sight. The default file is stored at /etc/aide/aide.conf but administrators can easily create multiple configuration files if necessary. Besides a few variables, the configuration file contains short-hand notations for what aspects of files to scan for (only hashes, or also inode information, etc.) and which files to scan.
查看数据库变量:
aide.confAIDE 数据库配置变量database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
The first line in the example above (database) defines where the location of database that contains the known values. The second line (database_out) defines where to store new databases when another is generated. It is generally recommended against having these variables point to the same database (having the same paths for each variable). If one database is to overwrite another, the best method is to manually copy over the generated database from one location to the other. For example, to overwrite the first database with the second, this command could be used:
root #cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db现在,先让数据库变量保持原样;稍后将在本文中更详细地介绍它们。
接下来,考虑要记录在数据库中的信息的简写符号变量。
aide.conf使用简写符号的 AIDE 配置Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
...
显然
md5 和 sha1 意味着(分别)采用 MD5 和 SHA-1 校验和。默认的 aide.conf 文件中描述了这些字母,但为了方便起见,下表提供了最常见选项的概述:
| 缩写 | 描述 |
|---|---|
p
|
权限 |
i
|
节点数字 |
n
|
(硬)链接数 |
u
|
用户信息 |
g
|
组信息 |
s
|
大小 |
S
|
大小(仅在大小突然变小时报告 - 允许增长) |
b
|
块数 |
m
|
修改时间 |
Next is an overview of which directories to scan, and what to scan for. In three line example to follow, AIDE is instructed to scan the /bin and /sbin directories via the measures identified in the Binlib short-hand notation variable. The /var/log file will display the scan measures defined in the Logs variable defined above.
aide.conf扫描目标选项/bin Binlib
/sbin Binlib
/var/log Logs
...
AIDE supports regular expressions and users are allowed to "remove" matches. For instance, to scan /var/log but not /var/log/portage then make an exclusion set by using the ! (exclamation point) before the excluded path(s):
aide.conf其它扫描目标/var/log Logs
!/var/log/portage
详细选项
The configuration file is based on regular expressions, macros and rules for files and directories. Users experienced with the tripwire solution will have no difficulties dealing with AIDE's configuration file. The following macros are available:
| 宏 | 描述 | 语法 |
|---|---|---|
ifdef |
如果定义 | @@ifdef "name"
|
ifndef |
如果未定义 | @@ifndef "name"
|
define |
定义一个变量 | @@define "name" "value"
|
undef |
取消定义变量 | @@undef "name"
|
ifhost |
如果 "hostname" | @@ifhost "hostname"
|
ifnhost |
如果非 "hostname" | @@ifnhost "hostname"
|
endif |
Endif 必须在上述任何宏之后使用,除了 define 和 undef | @@endif
|
这些宏在处理多个 Gentoo box 时非常方便,能同时对所有设备使用相同的配置。并非所有机器都运行相同的服务,甚至拥有相同的用户。
接下来,我们有一组标志,用于标识权限、文件属性、校验和、加密哈希……用以验证文件和目录。
| 标记 | 描述 |
|---|---|
p |
权限(permissions) |
i |
节点(inode) |
n |
链接数(number of links) |
u |
用户(user) |
g |
组(group) |
s |
大小(size) |
b |
块数(block count) |
m |
修改时间(mtime) |
a |
访问时间(atime) |
c |
状态修改时间(ctime) |
S |
检查增长的大小 |
md5 |
md5 校验和 |
sha1 |
sha1 校验和 |
rmd160 |
rmd160 校验和 |
tiger |
tiger 校验和 |
R |
p+i+n+u+g+s+m+c+md5
|
L |
p+i+n+u+g
|
E |
空组(Empty group) |
> |
增长的日志文件 p+u+g+i+n+S
|
如果 AIDE 是在支持 mhash 的情况下编译的,那么也可以使用以下标志:
| 标记 | 描述 |
|---|---|
haval |
haval 校验和 |
gost |
gost 校验和 |
crc32 |
crc32 校验和 |
初始化和频繁扫描
For a basic AIDE setup, a database must be initialized. This is performed using the --init option. To make sure AIDE uses the configuration settings defined in the sections before, be sure to pass the --config option pointed to the correct configuration file:
root #aide --init --config=/etc/aide/aide.confAIDE, version 0.14.2 ### AIDE database at /var/lib/aide/aide.db.new initialized.
初始化后,任何预先存在的数据库文件都能被复制:
root #cd /var/lib/aide; cp aide.db.new aide.dbWith a new database available, the entries can be scanned again (now or at a later date) using the --check option. This will create another database containing any modifications that have made to the file system since the first database has been created. Be sure to use the --config option pointed to the same configuration file that the first database was created with:
root #aide --check --config=/etc/aide/aide.confAIDE, version 0.14.2 ### All files match AIDE database. Looks okay!
如果发生文件修改,通知将被发出:
This is not a real error and is simply aide stating it cannot find a database so it must create one, this may take several minutes.
root #aide --check --config=/etc/aide/aide.confAIDE found differences between database and filesystem!! Start timestamp: 2013-04-11 15:31:02 Summary: Total number of files: 318 Added files: 0 Removed files: 0 Changed files: 2 --------------------------------------------------- Changed files: --------------------------------------------------- changed: /etc/pam.d changed: /etc/pam.d/run_init --------------------------------------------------- Detailed information about changes: --------------------------------------------------- Directory: /etc/pam.d Mtime : 2013-04-09 22:11:18 , 2013-04-11 15:31:01 Ctime : 2013-04-09 22:11:18 , 2013-04-11 15:31:01 File: /etc/pam.d/run_init Size : 205 , 208 Mtime : 2013-04-09 22:11:18 , 2013-04-11 15:31:00 Ctime : 2013-04-09 22:11:18 , 2013-04-11 15:31:01 Inode : 394203 , 394053 MD5 : Mm0KPzpPt63eqGClTJ/KaQ== , eLUrP2BsIq25f3AZX+dlBA== SHA1 : NrQtsUeOsXS4RHUq+ejYBne5V6E= , 5A6ef6VJCcMiqEjKQ7e9xkBNZB8=
最佳实践
清楚要扫描的内容
默认的 AIDE 配置很有用,但需要对其进行微调以满足用户的需求。了解要扫描哪些文件以及为什么要扫描非常重要。
例如,要扫描所有与身份验证相关的文件而不是其他文件,请使用如下配置:
aide.conf与身份验证相关的扫描目标# SELinux policy and settings
/etc/selinux ConfFiles
# Authentication databases
/etc/passwd ConfFiles
/etc/shadow ConfFiles
/etc/nsswitch.conf ConfFiles
# Authentication configuration
/etc/pam.d ConfFiles
/etc/securetty ConfFiles
/etc/security ConfFiles
# PAM libraries
/lib(64)?/security Binlib
保持数据库离线和只读
A second important aspect is that the result database should be stored offline when not needed and should be used in read-only mode when the database is needed. This gives some protection against a malicious user that might have compromised the machine to modify the results database. For instance, provide the result database on a read-only NFS mount (for servers) or read-only medium (when physical access to the machine is possible) such as a CD/DVD or a read-only USB drive.
将数据库存储在只读位置后,更新 aide.conf 文件,让 database 指向这个新位置。
执行离线扫描
如果适用,请尝试对系统使用离线扫描方法。在虚拟平台的情况下,可能会拍摄系统快照,挂载此快照(只读)然后在挂载的文件系统上运行辅助扫描。
root #losetup /dev/loop0 /srv/virt/gentoo.img
root #vgscan
root #vgchange -ay
root #mount -o ro /dev/volgrpX/volumeY /mnt/image
root #chroot /mnt/image
root #aide --check --config=/path/to/aide.conf
root #exit
root #umount /mnt/image
root #vgchange -an /dev/volgrpX
root #losetup -d /dev/loop0上述方法使用 chroot。这仅在从实时系统扫描初始文件系统并且管理员想要执行离线验证时才需要。如果初始扫描是离线完成的,那么 aide.conf 文件将已经指向挂载点,数据库将立即使用这些路径,因此不需要 chroot。
另请参阅
- Integrity/Concepts 讨论系统完整性相关的概念