Install and Configure AIDE on Debian 10

In this tutorial you will learn how to install and configure AIDE on Debian 10. AIDE stands for Advanced Intrusion Detection Environment.

AIDE is a file integrity checker, usually classed as a host-based intrusion detection tool, that detects changes to files on the local system. It builds a database from the regular-expression rules found in its configuration file; once that database has been initialized it serves as the baseline against which file integrity is verified. AIDE supports several message digest algorithms (md5, sha1, rmd160, tiger, haval and others) for checking file contents, and more can be added relatively easily. It also checks the usual file attributes for inconsistencies. Attributes AIDE can check include permissions, inode number, modification time, file contents, user, group, file size and more.

Install and Configure AIDE on Debian 10

Run a system update

Before installing and configuring AIDE on Debian 10, refresh the package index:

apt update

Install AIDE on Debian 10

AIDE is available in the default Debian repositories.

apt-cache policy aide
aide:
  Installed: (none)
  Candidate: 0.16.1-1
  Version table:
     0.16.1-1 500
        500 http://deb.debian.org/debian buster/main amd64 Packages

However, as of this writing the current upstream release of AIDE is 0.17.3.

Unfortunately, the Debian 10 repositories do not carry that release. In this guide we therefore install the version available from the default repositories, AIDE 0.16.1-1.

Run the following command to install the packaged release of AIDE on Debian 10:

apt install aide

After the installation completes, verify the installed version with:

aide -v

The command prints the installed AIDE version together with the options it was compiled with.

Aide 0.16.1

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
WITH_AUDIT
CONFIG_FILE = "/dev/null"

Configure AIDE on Debian 10

The general settings used by the Debian wrapper scripts live in /etc/default/aide.

Rules and the rest of the configuration live under /etc/aide/ (the main file /etc/aide/aide.conf plus the rule fragments in /etc/aide/aide.conf.d/).

The AIDE databases are stored under /var/lib/aide/.

Initialize the AIDE database on Debian 10

Create the initial AIDE database:

aideinit

aideinit creates a new baseline database at /var/lib/aide/aide.db.new.

The command can take several minutes, depending on how much of the filesystem the rules cover.

Running aide --init...
Start timestamp: 2021-05-13 14:06:27 -0400 (AIDE 0.16.1)
AIDE initialized database at /var/lib/aide/aide.db.new
Verbose level: 6

Number of entries:	205656

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new
  RMD160   : 7x5/c1dpNifnCqEfbegXkgeUYZ8=
  TIGER    : /TaHlucsBgKis1UAWqApNi05/irDr/EK
  SHA256   : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO
             ZgZLEM5aZRo=
  SHA512   : VwkOKebuBWzrAAhNdeyI/KlgrJGp+Cx7
             E/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb
             8rx7wQ2VMcn1aDfA8aXtNQ==
  CRC32    : ibeVcw==
  HAVAL    : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1
             7TtzPAdV9Nk=
  GOST     : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F
             8vsT+WVZAjQ=


End timestamp: 2021-05-13 14:13:05 -0400 (run time: 6m 38s)

As you can see, a new baseline AIDE database has been created at /var/lib/aide/aide.db.new.

Install the new AIDE database

To use the newly created database as the reference database, copy it into place (the check reads /var/lib/aide/aide.db). Keep in mind that anyone with root on the host can rewrite this file as easily as the files it protects, so keep a copy of the baseline, or at least the database hashes printed at the end of the aideinit output, somewhere the monitored host cannot modify and compare them before trusting a report.

cp /var/lib/aide/aide.db{.new,}

Regenerate the AIDE configuration

To regenerate the AIDE runtime configuration from /etc/aide/aide.conf and the fragments in /etc/aide/aide.conf.d/, run:

update-aide.conf

The command writes a combined configuration file to /var/lib/aide/aide.conf.autogenerated. The Debian wrappers (aideinit, aide.wrapper and the daily cron job) read that file directly; the tutorial copies it over /etc/aide/aide.conf so that manual aide invocations with -c /etc/aide/aide.conf use the same rules. Overwriting /etc/aide/aide.conf after the database was initialized is also why that file shows up as changed in the first report below.

cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf

Check the AIDE database for inconsistencies

With the configuration regenerated, run a manual check of the filesystem against the database:

aide -c /etc/aide/aide.conf -C

The command compares the filesystem against the AIDE database and reports every deviation. Sample output:

Start timestamp: 2021-05-13 14:59:37 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Verbose level: 6

Summary:
  Total number of entries:	205656
  Added entries:		1
  Removed entries:		1
  Changed entries:		23

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------
Removed entries:
---------------------------------------------------

l----------------: /run/systemd/units/invocation:session-3.scope

---------------------------------------------------
Changed entries:
---------------------------------------------------

f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /root/.bash_history
f =.... mc.....  : /run/systemd/timesync/synchronized
d <.... mc.. ..  : /run/systemd/units
f <b... mc..C.. .: /var/lib/dhcp/dhclient.leases
f =.... mc..... .: /var/lib/systemd/timers/stamp-anacron.timer
f =.... mc..... .: /var/lib/systemd/timesync/clock
d =.... mc.. .. .: /var/ossec/etc/shared/default
f =.... mc..... .: /var/ossec/etc/shared/default/merged.mg
f >b... mc..C.. .: /var/ossec/logs/alerts/2021/May/ossec-alerts-13.json
f >b... mc..C.. .: /var/ossec/logs/alerts/2021/May/ossec-alerts-13.log
f >b... mc..C.. .: /var/ossec/logs/alerts/alerts.json
f >b... mc..C.. .: /var/ossec/logs/alerts/alerts.log
f >.... mc..C.. .: /var/ossec/logs/ossec.log
d =.... mc.. .. .: /var/ossec/queue/db
f >b... mc..C.. .: /var/ossec/queue/db/000.db
f <.... mc..C.. .: /var/ossec/queue/diff/debian/535/last-entry
f >.... mc..C.. .: /var/ossec/stats/totals/2021/May/ossec-totals-13.log
d =.... mc.. .. .: /var/ossec/var/run
f =.... mci.... .: /var/ossec/var/run/ossec-analysisd.state
f =.... mci.... .: /var/ossec/var/run/ossec-remoted.state
f =.... mc..C.. .: /var/ossec/var/wodles/syscollector
f =.... mc..C.. .: /var/webmin/miniserv.lastcrons

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/aide/aide.conf
  Size     : 6598                             | 46195
  Bcount   : 16                               | 96
  Mtime    : 2016-04-16 13:57:29 -0400        | 2021-05-13 14:52:51 -0400
  Ctime    : 2021-05-13 05:34:15 -0400        | 2021-05-13 14:52:51 -0400
  RMD160   : kHZi6LuS1X5nlHkrtCLV9UdgDxo=     | 8wjI15r0D6K1MUVoiyjJPOlGv18=
  TIGER    : 4Xz+mZRAxr2kNIGOmTNJa/7Ftv+VpV37 | 5D516C4863lj53Gcsjw6criLTX43JoSL
  SHA256   : RN1UT38/wRA8N5o4M4MHU8N+G49sK9nB | awEfe2H7plz+FstE6NEEHwBsthaweMji
             0B5VVewz3h8=                     | WcEO1u90BTg=
  SHA512   : o4LOstw3erheco5dpKcKLadGav29Ud9E | DeNIyQrjM8tDAfJdjLTYMTgDPvft/kjH
             ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | 9GJbw/K4u+WwMMUeg8iKdNkCL6YPc49X
             yKP7Fvoitf+jHcriq57Pgg==         | xEkz4dL2MjSFBj0i+zQW1g==
  CRC32    : S3Rhfg==                         | XsRmRw==
  HAVAL    : +O7017egNOm+/TJW/3HxeQcxmz55pDM7 | 2nb6INYq7XrgjDfncGvqSEz+UwXIYtSB
             S+TXtMWVN/E=                     | 4YrUy9kI6IU=
  GOST     : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | omvkgMtCPG2xKS2Sbe3PVUKg8+ZNve9j
             NhV8dix9LIw=                     | Zf744WY7Flk=

File: /root/.bash_history
  Size     : 5796                             | 8040
  Mtime    : 2021-05-11 10:25:18 -0400        | 2021-05-13 14:27:45 -0400
  Ctime    : 2021-05-13 05:14:51 -0400        | 2021-05-13 14:27:45 -0400
  RMD160   : r8qlsnSTkGosX0fsArK8zsWqTXU=     | 1upKL9INTLUGKEWMIxLmc8CRxJ4=
  TIGER    : 2uPjP9oFh0nVhGjPQqJti44Q3bF4KHNq | +pJmPgLgd3blY4u+BA6AZiwto8VS5Cvl
  SHA256   : dCwQv9ucRkmGT0fl5ucRdu+mP9xzM2pF | x2EA+tw6mqkGRq33h7dLOr/t0pX3HR61
             w26HE7Pws5Y=                     | vQDZsEhmJD8=
  SHA512   : /W3bSTf1qOpkav1Gucjv0iCcGn0Z7G6U | kxOIprR2dkw/LCCZg61E5kBGSpi4ZGA3
             rUh3loPZBEQDvGrMc+9zw5FZKko4tfOM | 6T3UZ0Cr22B5CWWkoObGZQ24e3NvmTH5
             1v/0FqiB4MhBvZkGU5l0cA==         | pcAhiv4GdP83jO5+Hm2kpA==
  CRC32    : KkRAtg==                         | SUGh1Q==
  HAVAL    : JBPLwPshi3ls05OEx2RA4yCYLt7m8+wS | Jb1L2/dFG0A8ghyV1txmjwlgsZ1wb8f0
             a3UmYwGZDJo=                     | MOpMWDzQHAs=
  GOST     : NK8Tmk801XGP72lQktmnfPJ34DFQOuYs | FBMm5BduPdQ2EIw3bYLAS+0uhvdXKSa9
             OFvxMiIcmXI=                     | 11y3Y1oUsyg=

File: /run/systemd/timesync/synchronized
  Mtime    : 2021-05-13 14:05:09 -0400        | 2021-05-13 14:30:46 -0400
  Ctime    : 2021-05-13 14:05:09 -0400        | 2021-05-13 14:30:46 -0400

Directory: /run/systemd/units
  Size     : 940                              | 920
  Mtime    : 2021-05-13 14:01:15 -0400        | 2021-05-13 14:31:33 -0400
  Ctime    : 2021-05-13 14:01:15 -0400        | 2021-05-13 14:31:33 -0400

File: /var/lib/dhcp/dhclient.leases
  Size     : 5344                             | 2222
  Bcount   : 16                               | 8
  Mtime    : 2021-05-13 14:08:06 -0400        | 2021-05-13 15:01:44 -0400
  Ctime    : 2021-05-13 14:08:06 -0400        | 2021-05-13 15:01:44 -0400
  RMD160   : x6g8TEahygu/Y6vTVmTHz+jG7/g=     | A8i8GUKMIZPvQ67ncZ3vaCulf24=
  TIGER    : vopFlCGZMR5fD59z2IyqwGTPB4vaPLL7 | ZTotg1uJnCtyljIMyukQsXdIcRxRMBpb
  SHA256   : 4aB4sFExXuQgHU36/U4Gpllva+ew5BwK | rPPBKCIrTIK3E4l8g1kcMDEYIWsBAK7g
             K6IzFjbxGtI=                     | XeH+hNDUQVg=
  SHA512   : oauEMDY2HKK4cNHJyaE9zL9jeIZomb+B | oL4A/nW81CzmU+wLwL2gj4o5i+RSFuDr
             Qr66zW+FblCBjpX9+hPP+C3GWkuhooVO | dMRE57iAr5zpQIaNrsULOBcjf+xVl9/x
             DFLNYa2uAy7M+IZsAoXD1w==         | jWyRn+SAWeFgCbrQ1wVNuA==
  CRC32    : vKR/CQ==                         | iP46NQ==
  HAVAL    : 52H8l2m8tGeeGGb7gC3N3bHcid1pvWDB | pcYoOf6Vk2JyMWqP7qOh+URg9Gz0Cabx
             DZLJ7dflako=                     | kht7TRr3I0A=
  GOST     : 4YlQabl31XCpQCioZVXpyR+cDcW4po24 | RUA3L4LrEvpAz3LYTDG+38Qz4Aco1HKz
             81HDK676bSU=                     | gGtZSrw6AlE=

File: /var/lib/systemd/timers/stamp-anacron.timer
  Mtime    : 2021-05-13 13:57:07 -0400        | 2021-05-13 14:31:33 -0400
  Ctime    : 2021-05-13 13:57:07 -0400        | 2021-05-13 14:31:33 -0400

File: /var/lib/systemd/timesync/clock
  Mtime    : 2021-05-13 14:05:09 -0400        | 2021-05-13 14:30:46 -0400
  Ctime    : 2021-05-13 14:05:09 -0400        | 2021-05-13 14:30:46 -0400

Directory: /var/ossec/etc/shared/default
  Mtime    : 2021-05-13 14:12:09 -0400        | 2021-05-13 15:01:44 -0400
  Ctime    : 2021-05-13 14:12:09 -0400        | 2021-05-13 15:01:44 -0400

File: /var/ossec/etc/shared/default/merged.mg
  Mtime    : 2021-05-13 14:12:09 -0400        | 2021-05-13 15:01:44 -0400
  Ctime    : 2021-05-13 14:12:09 -0400        | 2021-05-13 15:01:44 -0400

File: /var/ossec/logs/alerts/2021/May/ossec-alerts-13.json
  Size     : 303004                           | 303699
  Bcount   : 600                              | 608
  Mtime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  Ctime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  RMD160   : HI8kVRJVmBHQ12uM4mgjgC8tG7c=     | rXlxkYtULGVhokQ2Plf1gsRwfeU=
  TIGER    : fYh0uHAKUPT1rbJ/b/e/PcFOCIAqIGfn | 5mbOOvGc9vIdu/fu1HhzjYtSCNaMSA+W
  SHA256   : xRC0btISZjbwp3HJ6YWTx8qVl/byyU79 | Oal9QcowgkTnOMChs3MoOgTOo0t8xLlu
             +GDwaFVbOiM=                     | 2B3mpC3PNrk=
  SHA512   : GYVO1j/fNYVxIe9mlKJRyUgPb3iOjxDZ | w+npPKwSPtMFmu+8+3bJD9tki9aZIvTi
             aFCLLqCPpZJZn632rwM7nCTOI41CRQV+ | Ev1ry6SsWUMQ0/pH/SCacBUILfKQVBbU
             Jisfz69u8Fc3WEhGfvN4hQ==         | nEBwUdlorF+p3oPQ4lpipg==
  CRC32    : mIJZOg==                         | EaLg9w==
  HAVAL    : Jt9WwS1ZnQ/u1wp8631+MNPgdgDhWD4Q | LrNLJfJrkK3jibcN/6wrrOtC+4K3BIpO
             OJBxqeEjgtA=                     | Sxlq8e5pWqc=
  GOST     : J9yWuApsLcPuqDbmgp2CKup0spB6MrBS | d2HTAxbMxv7MPiI8lLanW+lSyGM7DvOq
             76dAVlPr8QU=                     | JyOluc+3ikE=

File: /var/ossec/logs/alerts/2021/May/ossec-alerts-13.log
  Size     : 196342                           | 196713
  Bcount   : 392                              | 400
  Mtime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  Ctime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  RMD160   : /5NDXAKCiQxSuPHVbhi9VQOLLak=     | IDKuML9GS4sQO8oF6Cxz/vupSJs=
  TIGER    : 6bAnpVoBW5vDbFQGZtpYFXr9uUYwGrXh | xzLHbWTZVWo7WpTHKvGI8PayW95HaWeU
  SHA256   : YgaEZgwSrKxirB8bzvxjIzz9ldKkXhpN | IsVan5sOqYUJrPcz+l6bI3yVlCWlHzCb
             f1I4fTI8FOg=                     | /dHjbIBnNS4=
  SHA512   : N9PN7Zm2+6zqZEP/2O4EBU0wGfV+q/ap | ZTb1mxGjv2n/vnwq58/rTUQIdW0o/fxa
             E/qqtliCxOdacC+jPmF43otCZE34qfd6 | aHoo4c989CS5SN8wO7ZO+ZyK7LikZPe6
             A5wLwkdp9CRzuqNIAS/WMg==         | dpg9q4ewGLAmwHYMPBbgMg==
  CRC32    : aTphhA==                         | LFRiBQ==
  HAVAL    : OOqQLrhUONV5Zm6pimcMyDbX0GsFh81n | CS+LNyUR3QflgCfT0e7pW3FSYzXMZKQB
             s78/EtSkPEc=                     | S0VrHY0GV08=
  GOST     : pI74rIIHDI7TDrCA+Sx/osECG3JGljMk | 05z1Do1bUHdp8pMMcU5LpbBftPvSV824
             NX+WsahkgQI=                     | Qv+qrf4TU6U=

File: /var/ossec/logs/alerts/alerts.json
  Size     : 303004                           | 303699
  Bcount   : 600                              | 608
  Mtime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  Ctime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  RMD160   : HI8kVRJVmBHQ12uM4mgjgC8tG7c=     | rXlxkYtULGVhokQ2Plf1gsRwfeU=
  TIGER    : fYh0uHAKUPT1rbJ/b/e/PcFOCIAqIGfn | 5mbOOvGc9vIdu/fu1HhzjYtSCNaMSA+W
  SHA256   : xRC0btISZjbwp3HJ6YWTx8qVl/byyU79 | Oal9QcowgkTnOMChs3MoOgTOo0t8xLlu
             +GDwaFVbOiM=                     | 2B3mpC3PNrk=
  SHA512   : GYVO1j/fNYVxIe9mlKJRyUgPb3iOjxDZ | w+npPKwSPtMFmu+8+3bJD9tki9aZIvTi
             aFCLLqCPpZJZn632rwM7nCTOI41CRQV+ | Ev1ry6SsWUMQ0/pH/SCacBUILfKQVBbU
             Jisfz69u8Fc3WEhGfvN4hQ==         | nEBwUdlorF+p3oPQ4lpipg==
  CRC32    : mIJZOg==                         | EaLg9w==
  HAVAL    : Jt9WwS1ZnQ/u1wp8631+MNPgdgDhWD4Q | LrNLJfJrkK3jibcN/6wrrOtC+4K3BIpO
             OJBxqeEjgtA=                     | Sxlq8e5pWqc=
  GOST     : J9yWuApsLcPuqDbmgp2CKup0spB6MrBS | d2HTAxbMxv7MPiI8lLanW+lSyGM7DvOq
             76dAVlPr8QU=                     | JyOluc+3ikE=

File: /var/ossec/logs/alerts/alerts.log
  Size     : 196342                           | 196713
  Bcount   : 392                              | 400
  Mtime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  Ctime    : 2021-05-13 13:57:12 -0400        | 2021-05-13 14:27:45 -0400
  RMD160   : /5NDXAKCiQxSuPHVbhi9VQOLLak=     | IDKuML9GS4sQO8oF6Cxz/vupSJs=
  TIGER    : 6bAnpVoBW5vDbFQGZtpYFXr9uUYwGrXh | xzLHbWTZVWo7WpTHKvGI8PayW95HaWeU
  SHA256   : YgaEZgwSrKxirB8bzvxjIzz9ldKkXhpN | IsVan5sOqYUJrPcz+l6bI3yVlCWlHzCb
             f1I4fTI8FOg=                     | /dHjbIBnNS4=
  SHA512   : N9PN7Zm2+6zqZEP/2O4EBU0wGfV+q/ap | ZTb1mxGjv2n/vnwq58/rTUQIdW0o/fxa
             E/qqtliCxOdacC+jPmF43otCZE34qfd6 | aHoo4c989CS5SN8wO7ZO+ZyK7LikZPe6
             A5wLwkdp9CRzuqNIAS/WMg==         | dpg9q4ewGLAmwHYMPBbgMg==
  CRC32    : aTphhA==                         | LFRiBQ==
  HAVAL    : OOqQLrhUONV5Zm6pimcMyDbX0GsFh81n | CS+LNyUR3QflgCfT0e7pW3FSYzXMZKQB
             s78/EtSkPEc=                     | S0VrHY0GV08=
  GOST     : pI74rIIHDI7TDrCA+Sx/osECG3JGljMk | 05z1Do1bUHdp8pMMcU5LpbBftPvSV824
             NX+WsahkgQI=                     | Qv+qrf4TU6U=

File: /var/ossec/logs/ossec.log
  Size     : 11605                            | 11757
  Mtime    : 2021-05-13 13:57:32 -0400        | 2021-05-13 14:25:18 -0400
  Ctime    : 2021-05-13 13:57:32 -0400        | 2021-05-13 14:25:18 -0400
  RMD160   : UrndE9lRw2gEB6OGZuQ/mnGRc7U=     | rMF+/kDPzTEQp4+fG4nWvCrRdfk=
  TIGER    : j4s+XmwXPueAQuAciYwhO7X455MBGq4r | x61JVqPEUAm6ZSQ0S37CA+stHjQyh2KV
  SHA256   : 9kdSlM2EjZKe451VHXo+BXd3fAtVsRt8 | qktJymmvRRyM1jjuLlvVscpDMBfs/eds
             CcloQ1jNTzo=                     | EQ5zKH61/2o=
  SHA512   : pTDO+6p6JzruJ+AMsZ4LCIqQsKCeagOj | Ga+4TvLk90Q5lTMK1iO/2Zw4Ic0eCLt4
             4OeJYhAdNRJ+1QSFabUatNuwltW0uIs+ | 5X0c7AH5GvbUCs5Cw4y9RUHQlGF7BLVA
             Sj6ab2HDu0RJEmy/EQVAOA==         | cLxxRzeSvk6MKK00DtwotQ==
  CRC32    : Xq9wkw==                         | qoNgtQ==
  HAVAL    : fMCtlMz5vBfRN/UZm+nigxdn/lphzAag | J6sZyDnrOV+vT07OER46CGex4nUPjNAU
             EVwoljewwnk=                     | hZRJBEQuXvQ=
  GOST     : vG3FbAnnsorn5Wa69JWn+rVBLNSWOy0o | mi1diJV7nKcX4li9XFdcYs1rA4rLzcSI
             TvuIiF4Ohzo=                     | r+Y1bqomAjg=

Directory: /var/ossec/queue/db
  Mtime    : 2021-05-13 13:57:33 -0400        | 2021-05-13 14:25:29 -0400
  Ctime    : 2021-05-13 13:57:33 -0400        | 2021-05-13 14:25:29 -0400

File: /var/ossec/queue/db/000.db
  Size     : 2113536                          | 2228224
  Bcount   : 4128                             | 4328
  Mtime    : 2021-05-13 13:57:33 -0400        | 2021-05-13 14:25:29 -0400
  Ctime    : 2021-05-13 13:57:33 -0400        | 2021-05-13 14:25:29 -0400
  RMD160   : h9D0qcSXGbRqsZGJV5wNywYfO30=     | OSPi2pAhW/rVJrwB2NL/NGlcc9U=
  TIGER    : MFWistAyOA7gy+T4ZtmuwmCBghe8ndnN | V00qPUeAtE5+i/uMTSbfidq3Q3dIFxj/
  SHA256   : JMeairDZxZUWoA2Rcpw0CoLxUllolk3l | T0UJvOvhurdsnLokgrBqmIUDLVdJ4HI5
             j79VsRy1d/E=                     | 3IPq7G21RZY=
  SHA512   : sbtVw881IhIicV5UfsWvpbdOOHzb8aVw | XBE7eta1oMwAsG4kOcj793f16ZqMeGh+
             Fy7jrUgDkQSfnMYiNnD329pRbw61OxY8 | k4kw4Q7+lzJYrILo8a5/Ea7cCShz2cnv
             j/dO5nqq7H3tHhzou+bf0A==         | UU6gNnzyT3HslSTfXm2upQ==
  CRC32    : RqsdGg==                         | LD0Qpw==
  HAVAL    : vSCMk/LypxzM/KT0mX/xAZkIMZNt8Qeq | 6vHfo9hW75oG2PksEcaE0IPYLlMxukZU
             RqMoxzLqfcc=                     | eIAcYWyfr6w=
  GOST     : GTCGuUTPs0BM2pSO4/PgO/HXI8P0tgid | Ec053qs2D5hjYO8IxHmW6g6UhW0tK4aE
             mYVX1XfJHM8=                     | vypwpBv5bb8=

File: /var/ossec/queue/diff/debian/535/last-entry
  Size     : 1024                             | 1021
  Mtime    : 2021-05-13 13:57:08 -0400        | 2021-05-13 14:33:10 -0400
  Ctime    : 2021-05-13 13:57:08 -0400        | 2021-05-13 14:33:10 -0400
  RMD160   : qHsDObPkZuJcZNKKxWUlkN1TmdI=     | j2zl43WJTJelXeuFTkIVH8uCW9A=
  TIGER    : Q8rEdFootqfUPYX6I5u7UC+IBXt1EtQ4 | XPAYBNVvJ+mtPHWOemVeZ7xjls5bE9kQ
  SHA256   : tkk1KU58wTyYjwdmyF4aFWWBttu2gnua | 09g04YBhFqG1lbLtHvyxvBcUbNYwnv7p
             7eqkATbNMy4=                     | LfG5wba7E2Q=
  SHA512   : sKOr9fAXVeaAfmNGTQrJfAeG4nghNw17 | dE7AD9uML4iQcMmH1W38MJu5ngzLxyvZ
             FIjGsgxU3erZS0iIEncQL7XgMBeC9Jts | +e22ULMcqxJC+7GunqeNMn6ADesqjZN1
             bllmBgLe/elsofeGAXfRvQ==         | Tj6RdqgqnxDEmIPnf1tJKg==
  CRC32    : Q0OBsA==                         | CIXH/Q==
  HAVAL    : PFRZcbTmd11VMc9WDRKR5nMvyVVbTwU7 | LY0Eu6iQTPTOTyp2TqXW2/IPvBK5dsn3
             vnQHgGKEN/Y=                     | GOFLTBzoCvE=
  GOST     : 11cAAblplJja5/rktHJDKzFraTKbaqz5 | leGBDPnpRhyRLTGo8QMaMkYHjOSkdqa+
             By98fbs8dTw=                     | +6QrJ4E5rQs=

File: /var/ossec/stats/totals/2021/May/ossec-totals-13.log
  Size     : 894                              | 999
  Mtime    : 2021-05-13 14:01:16 -0400        | 2021-05-13 15:01:46 -0400
  Ctime    : 2021-05-13 14:01:16 -0400        | 2021-05-13 15:01:46 -0400
  RMD160   : zJ8At9unwQxEzSe9J4GrzbqTMz8=     | COrlpQLyTK+TCf8KkThMAyvseig=
  TIGER    : gs7ydELV5qsqM6gqkk3VubEx9WZvybNH | nNzaNRkTekRV/eE7mrzj8wypqqQ3X02M
  SHA256   : OrAiYG8X0UfOSTWwfcFs1gl0CkAwC7aR | 9OjAmTYpHgKyhQ2aXWzbRoTIRjDDpGlk
             52uZF3374G8=                     | SzQNk0h7bHk=
  SHA512   : atNLeqF+T7DoIyN5XBh9Z7Lxvtxv88kv | FOxCmlwtkJ2/ej5BM6HX13p9UpiP+9mV
             u+XHdKFZIr6UMf7UTycb/+qso33BlVfH | CtmkyaWXNcOhw1moeRUGHKdkRUdWh06a
             Mn8sGcjy4DuchZpZeggdyA==         | TpH4CYF4P6uMH4VMfhUwDg==
  CRC32    : f5dIXg==                         | lVKiZg==
  HAVAL    : PO/8wHY4EFaVnO/yUEIPCr9UmrujdHoH | HZF3AmNvk8PNec0OcUHsNWs8TeIJ7Bm/
             baDhTTJixt0=                     | GhgPEEhrtYc=
  GOST     : SDdETY0dZJHWCQGIl4cggiwFBQwp/Ely | lm4MpfRUd+5kF8PkFi066ESY/4ISLjhy
             HVZbNI4G/LM=                     | /w68fjIDHL4=

Directory: /var/ossec/var/run
  Mtime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400
  Ctime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400

File: /var/ossec/var/run/ossec-analysisd.state
  Mtime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400
  Ctime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400
  Inode    : 291862                           | 304591

File: /var/ossec/var/run/ossec-remoted.state
  Mtime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400
  Ctime    : 2021-05-13 14:12:54 -0400        | 2021-05-13 15:02:04 -0400
  Inode    : 304591                           | 307354

File: /var/ossec/var/wodles/syscollector
  Mtime    : 2021-05-13 05:03:42 -0400        | 2021-05-13 14:25:18 -0400
  Ctime    : 2021-05-13 05:03:42 -0400        | 2021-05-13 14:25:18 -0400
  RMD160   : t2dgf7PI+qjCpifY2lsAcxDF9Fk=     | cntjaDX/DCNzvCfiCA1kXl7KCCM=
  TIGER    : +Gq9NCskrl71MYuh9vQY/9SKFmdwV2WC | w2KPhzO5tiv/GcsGpi6kfqs8JPsH4h2J
  SHA256   : YWnwELAriPpKVUvzp48A36IsQiLiDrPa | 5AwQ6d972QnzU6DymNjanYsORD2V5TIQ
             +xaI8POCyBo=                     | yPakdvhIjIQ=
  SHA512   : TmNSY5LxyrRar/OWhzGR/IzBw33HSywQ | adcpxpI3Q9psuemsly3IVcpaXJUKt88W
             eQb39k+4WJOY1Dag638EQj0PQDFTJTyo | zbzT2XtMHO8lWny35/AdVVOYvW56aD6K
             IfHuoARl+hAG/NeGUrb/Nw==         | D0jnB0YUWop4oQI2Exhsgw==
  CRC32    : YrOyVA==                         | Jcfn4Q==
  HAVAL    : kZ1+RJgVhR5Ye4SBgUA++Opyag/JQw5X | JnJ1PH1Qst5GxeaKBT/G9vvBrJJ1v+iO
             7f0i/Y4BMZc=                     | sGj6SbculZI=
  GOST     : c56J+RwvEsiWC3j3TwCigV9ip7G26cc4 | iUktb3cvt2mwTIbtf5pD5y2RBq4c0f/1
             RjAfGj8Yklg=                     | 792rogTuXMw=

File: /var/webmin/miniserv.lastcrons
  Mtime    : 2021-05-13 13:57:08 -0400        | 2021-05-13 14:57:09 -0400
  Ctime    : 2021-05-13 13:57:08 -0400        | 2021-05-13 14:57:09 -0400
  RMD160   : l4hocPE/SHW9NhN2NCF2nQX+fbU=     | pm7WC+m645+3fPpMGPfMIbZML1c=
  TIGER    : AZZbVVUb9d9+o+IPaFHr/1JTepGY0skV | QG8yw6Ma8zTNORA5mvFJgZvdZVRRqarp
  SHA256   : OZbnUDEbF2h8/h3wEy+xQ0+qQ+X1IdED | ZmH3hXZrdFopMfPquWUplysApSgaCLbN
             tW0z/XmwFgE=                     | woeJMG74uoY=
  SHA512   : ebuDdi38UvLbg7hE5b90rU01dTNsH8PT | pcFF4JY4+w/OL9gujrtJ1OqWyDyQabrM
             Vyn01yobjF9ieXuIVgtohQFhfj4V/ciG | VLmyprO+sEYWvkCWE028s350NM1ZOIzI
             jH49Npaj0MOT418Lj7sbBw==         | feXBta/T/EvgzOi5Uz/oCQ==
  CRC32    : /ZYiew==                         | 8UcOAw==
  HAVAL    : K2mLlgdjxme5iRQ8+GS1fbIa0wkKR4Q2 | nMGCLXkIIls7X6YraMeRbq3+mnboYOe8
             fUXtscLxzYw=                     | pidvAJg7Q0M=
  GOST     : eMerS2vevb7fswadmjiZLo0ImDxQ2uo/ | 5rwUUkXBg6z9QsYhGJ7pOVkwaeZfHt5X
             fRjhDng5dWg=                     | c1AvM7h2otw=


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
  RMD160   : 7x5/c1dpNifnCqEfbegXkgeUYZ8=
  TIGER    : /TaHlucsBgKis1UAWqApNi05/irDr/EK
  SHA256   : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO
             ZgZLEM5aZRo=
  SHA512   : VwkOKebuBWzrAAhNdeyI/KlgrJGp+Cx7
             E/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb
             8rx7wQ2VMcn1aDfA8aXtNQ==
  CRC32    : ibeVcw==
  HAVAL    : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1
             7TtzPAdV9Nk=
  GOST     : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F
             8vsT+WVZAjQ=


End timestamp: 2021-05-13 15:02:37 -0400 (run time: 3m 0s)

From the output above, AIDE reports a number of changes since the baseline. Each summary line starts with a 17-character flag field (layout YlZbpugamcinCAXSE in AIDE 0.16): file type, link name, size (> grown, < shrunk, = unchanged), block count, permissions, uid, gid, atime, mtime, ctime, inode, link count, checksum (C), ACL, xattrs, SELinux context and e2fs attributes. A dot means the attribute is unchanged, a space means it was not compared, and a row of + or - marks an added or removed entry. Read the report with that in mind: the added /var/lib/aide/aide.db and the changed /etc/aide/aide.conf were caused by the steps above, /root/.bash_history changed because we have been typing commands, and the /var/ossec, /var/webmin, /run and dhclient.leases entries are log and state files of other software on this host that change constantly. Such paths are noise under the default rules and should get a looser rule or be excluded, otherwise real changes drown in them.
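To make a report like the one above actionable, the following script (an added example, not part of the original tutorial or of the AIDE project) parses the summary lines of an AIDE 0.16 report, drops paths that are expected to churn, and classifies what is left. The NOISE pattern is an assumption derived from the paths seen above and must be adjusted per host. Run it with a report file as argument, for example the /var/log/aide/aide.log written by the Debian daily job, or with no argument to apply it to a sample built from the lines above.

```shell
#!/bin/sh
# Triage the "Added/Removed/Changed entries" lines of an AIDE 0.16 report.
# The 17-character flag field has the layout YlZbpugamcinCAXSE:
#   1 Y type   2 l link   3 Z size   4 b blocks  5 p perms  6 u uid  7 g gid
#   8 a atime  9 m mtime 10 c ctime 11 i inode  12 n links 13 C checksum
#  14 A acl   15 X xattrs 16 S selinux 17 E e2fsattrs
# Paths matching NOISE (an assumed list, adjust it for your host) are dropped.
NOISE='^/(run|proc|sys)/|^/var/ossec/(logs|queue|stats|var)/|^/var/lib/aide/|^/var/webmin/'

# Reads a report on stdin, prints one "KIND PATH" line per finding.
aide_triage() {
    awk -v noise="$NOISE" '
        # summary lines only: 17 flag characters, then ": /path"
        substr($0, 18, 3) == ": /" {
            flags = substr($0, 1, 17)
            path  = substr($0, 20)
            if (path ~ noise) next
            mark = substr(flags, 2, 1)
            if (mark == "+")      { kind = "ADDED" }
            else if (mark == "-") { kind = "REMOVED" }
            else {
                # a permission, owner or group change is a finding on its own
                # (think setuid bits), even when the content is unchanged
                if (substr(flags, 5, 3) ~ /[pug]/)     kind = "PERM"
                else if (substr(flags, 13, 1) == "C") kind = "CONTENT"
                else                                  kind = "META"
            }
            print kind, path
        }'
}

# Constructed sample: summary lines copied from the reports above plus one
# made-up permission change (the passwd line) to show the PERM class.
aide_triage_sample() {
    printf '%s\n' \
        'f++++++++++++++++: /etc/newfile' \
        'f++++++++++++++++: /var/lib/aide/aide.db' \
        'f----------------: /etc/issue' \
        'l----------------: /run/systemd/units/invocation:session-3.scope' \
        'f >b... mc..C.. .: /etc/aide/aide.conf' \
        'f >.... mc..C.. .: /etc/hosts' \
        'f =.... mc..... .: /var/lib/systemd/timesync/clock' \
        'f >b... mc..C.. .: /var/ossec/logs/alerts/alerts.log' \
        'f =.... mci.... .: /var/ossec/var/run/ossec-remoted.state' \
        'f =.p.. .c..... .: /usr/bin/passwd' | aide_triage
}

if [ "$#" -gt 0 ]; then
    aide_triage < "$1"
else
    aide_triage_sample
fi
```

Applied to the sample, the script keeps six lines (ADDED /etc/newfile, REMOVED /etc/issue, CONTENT for aide.conf and /etc/hosts, META for the timesync clock file and PERM for the constructed passwd line) and drops the OSSEC, /run and aide.db noise. The layout of the flag field is the one documented for 0.16; check aide(1) for the version you run before relying on the column positions.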

Test AIDE on Debian 10

You can now create a file, edit one and delete another, then rerun the AIDE check to see how each change is detected.

echo "1.2.3.4 test.kifarunix-demo.com" >> /etc/hosts
touch /etc/newfile
rm -rf /etc/issue

After making the changes, rerun the check of the filesystem against the database:

aide -c /etc/aide/aide.conf -C

Sample output:

Start timestamp: 2021-05-13 15:08:24 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Verbose level: 6

Summary:
  Total number of entries:	205656
  Added entries:		2
  Removed entries:		2
  Changed entries:		24

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/newfile
f++++++++++++++++: /var/lib/aide/aide.db

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /etc/issue
l----------------: /run/systemd/units/invocation:session-3.scope

---------------------------------------------------
Changed entries:
---------------------------------------------------

f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /etc/hosts
...

Limit the AIDE integrity check to specific files/directories

To restrict the check to specific entries, for example everything under /etc, pass the --limit REGEX option to the check command, where REGEX is a regular expression that the entries to be checked must match.

For example, to check only the database entries matching /etc, run aide as follows:

aide -c /etc/aide/aide.conf --limit /etc --check

Sample output:

Start timestamp: 2021-05-13 15:13:34 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Limit: /etc | Verbose level: 6

Summary:
  Total number of entries:	205656
  Added entries:		1
  Removed entries:		1
  Changed entries:		2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /etc/newfile

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /etc/issue

---------------------------------------------------
Changed entries:
---------------------------------------------------

f >b... mc..C.. .: /etc/aide/aide.conf
f >.... mc..C.. .: /etc/hosts

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /etc/aide/aide.conf
  Size     : 6598                             | 46195
  Bcount   : 16                               | 96
  Mtime    : 2016-04-16 13:57:29 -0400        | 2021-05-13 14:52:51 -0400
  Ctime    : 2021-05-13 05:34:15 -0400        | 2021-05-13 14:52:51 -0400
  RMD160   : kHZi6LuS1X5nlHkrtCLV9UdgDxo=     | 8wjI15r0D6K1MUVoiyjJPOlGv18=
  TIGER    : 4Xz+mZRAxr2kNIGOmTNJa/7Ftv+VpV37 | 5D516C4863lj53Gcsjw6criLTX43JoSL
  SHA256   : RN1UT38/wRA8N5o4M4MHU8N+G49sK9nB | awEfe2H7plz+FstE6NEEHwBsthaweMji
             0B5VVewz3h8=                     | WcEO1u90BTg=
  SHA512   : o4LOstw3erheco5dpKcKLadGav29Ud9E | DeNIyQrjM8tDAfJdjLTYMTgDPvft/kjH
             ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | 9GJbw/K4u+WwMMUeg8iKdNkCL6YPc49X
             yKP7Fvoitf+jHcriq57Pgg==         | xEkz4dL2MjSFBj0i+zQW1g==
  CRC32    : S3Rhfg==                         | XsRmRw==
  HAVAL    : +O7017egNOm+/TJW/3HxeQcxmz55pDM7 | 2nb6INYq7XrgjDfncGvqSEz+UwXIYtSB
             S+TXtMWVN/E=                     | 4YrUy9kI6IU=
  GOST     : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | omvkgMtCPG2xKS2Sbe3PVUKg8+ZNve9j
             NhV8dix9LIw=                     | Zf744WY7Flk=

File: /etc/hosts
  Size     : 186                              | 218
  Mtime    : 2021-01-29 14:23:36 -0500        | 2021-05-13 15:07:59 -0400
  Ctime    : 2021-01-29 14:23:36 -0500        | 2021-05-13 15:07:59 -0400
  RMD160   : pgg6hjBhDjMlk+l8yu0LB1SL7o8=     | sUqfThZK2gYBG5rgKCY0882JsFE=
  TIGER    : 6rCGqnmCVSK81X5SatwKyW6Cybt1B9yP | 04im6NfESOdCKzANx6VA3ehjZ0skylIh
  SHA256   : XJiphdFN5h4JGKNCqvrG71xF+FyFEi5E | rjTkky/c4992255kH3yXciO+SHZa8wlA
             SvfqvfKxUng=                     | 9brQo29MU+o=
  SHA512   : Frpi7XYfQq7SA8HSImzFystaarku/1Cs | jqUFxAQYoNlj5LXVZxn6kJGwQLePCWcs
             Ba7vka2boOYZsqzVoXq0c6zlxb5AVX7J | Ay3i8i8bAv59cfjRpxQpTj3rNdeS70pp
             Yl+VEG/SZpPvca+6xn4P8Q==         | xj1P9YWWTtn6unB6ZON2pg==
  CRC32    : xZ01PQ==                         | 9LtLwA==
  HAVAL    : 17oJH6iVQGXq3ge2uXnwumq0xCLaF+fS | Qty/rrMbvG1RTmj6+PvPUtB6zAk6x/na
             Goy5GCiijPI=                     | oiBWgvPWsmY=
  GOST     : X8Mnh75FrKoDQl88Ez1l0hRH4pR9lOon | zjAjM0BCHajG4Xb1AIZGOXOzjOtRQ7lZ
             jkxNlJeC1fA=                     | EzBfUnAXze0=


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
  RMD160   : 7x5/c1dpNifnCqEfbegXkgeUYZ8=
  TIGER    : /TaHlucsBgKis1UAWqApNi05/irDr/EK
  SHA256   : IV3S6dK0Vq1MLMBPhkkdbDBbSfxEO5UO
             ZgZLEM5aZRo=
  SHA512   : VwkOKebuBWzrAAhNdeyI/KlgrJGp+Cx7
             E/INRFtcmZnJpMw0ObfyKDFrm8P+OvXb
             8rx7wQ2VMcn1aDfA8aXtNQ==
  CRC32    : ibeVcw==
  HAVAL    : gWjXP+myfjy0ERTHYTTMmtNE+R7trYf1
             7TtzPAdV9Nk=
  GOST     : g0So72BymlRqZ2fx9ZckwTdHaGyy9B9F
             8vsT+WVZAjQ=


End timestamp: 2021-05-13 15:14:04 -0400 (run time: 0m 30s)

Exclude specific directories from AIDE checks

To exclude directories, add a negated path rule for each of them to the configuration, one per line, in the form shown below. The expressions are regular expressions anchored at the start of the path, so !/home/ excludes everything below /home. On Debian the wrappers rebuild the runtime configuration from /etc/aide/aide.conf plus /etc/aide/aide.conf.d/, so the cleanest place for local exclusions is a new file under /etc/aide/aide.conf.d/; appending them to the end of /etc/aide/aide.conf, as the tutorial does, works as well.

!/home/
!/var/lib/
!/proc

Use a custom AIDE configuration

You can also write your own configuration that defines exactly what is and is not checked.

See the example configuration below:

mkdir /home/koromicha/aide
vim /home/koromicha/aide/aide.conf
# Paths of the databases: the reference database, the one written by
# --init/--update, and the one read by --compare
database=file:/home/koromicha/aide/aide.db
database_out=file:/home/koromicha/aide/aide.db.new
database_new=file:/home/koromicha/aide/aide.db.new

# Define your own rule (attributes and checksums to record)
MYRULE=p+n+u+g+s+m+c+xattrs+md5+sha512

# Directories/files to monitor and the rule to apply
# (uncomment the system directories to cover them as well)
#/etc MYRULE
#/bin MYRULE
#/usr/bin MYRULE
/home MYRULE

# Directories to ignore
!/proc

The rule set above records, for every monitored file:

  • p: permissions
  • n: number of (hard) links
  • u: user (owner)
  • g: group
  • s: size
  • m: modification time (mtime)
  • c: inode change time (ctime)
  • xattrs: extended attributes
  • md5: MD5 checksum
  • sha512: SHA-512 checksum

Initialize the database with the new configuration:

aide -c /home/koromicha/aide/aide.conf -i

Copy the database into place:

cp /home/koromicha/aide/aide.db{.new,}

AIDE diagnostics

Check the configuration file for errors by running:

aide -c /home/koromicha/aide/aide.conf --config-check

Then check the command's exit status:

echo $?

According to the AIDE man page, the exit status is normally 0 if no errors occurred, except when --check, --compare or --update was requested; in that case the exit status is defined as:

   1 * (new files detected?)     +
   2 * (removed files detected?) +
   4 * (changed files detected?)

   Since those three cases can occur together, the respective error codes are added. For example, if there are new files and removed files detected, the exit status will be 1 + 2 = 3.

   Additionally, the following exit codes are defined for generic error conditions:

   14 Error writing error
   15 Invalid argument error
   16 Unimplemented function error
   17 Invalid configureline error
   18 IO error
   19 Version mismatch error

Note: whenever you change the AIDE configuration, re-initialize the database so that the baseline matches the new rules.

Make some changes, for example remove the leftover aide.db.new and create a new directory and a new file:

rm -rf /home/koromicha/aide/aide.db.new
mkdir /home/koromicha/test-dir
touch /home/koromicha/test-file

Then run the AIDE check against the custom configuration:

aide -c /home/koromicha/aide/aide.conf -C
Start timestamp: 2021-05-13 15:20:06 -0400 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	10
  Added entries:		3
  Removed entries:		1
  Changed entries:		2

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /home/koromicha/aide/aide.db
d++++++++++++++++: /home/koromicha/test-dir
f++++++++++++++++: /home/koromicha/test-file

---------------------------------------------------
Removed entries:
---------------------------------------------------

f----------------: /home/koromicha/aide/aide.db.new

---------------------------------------------------
Changed entries:
---------------------------------------------------

d = ... mc n  .  : /home/koromicha
d = ... mc .  .  : /home/koromicha/aide

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /home/koromicha
  Mtime    : 2021-05-13 15:17:02 -0400        | 2021-05-13 15:19:59 -0400
  Ctime    : 2021-05-13 15:17:02 -0400        | 2021-05-13 15:19:59 -0400
  Linkcount: 3                                | 4

Directory: /home/koromicha/aide
  Mtime    : 2021-05-13 15:18:19 -0400        | 2021-05-13 15:19:59 -0400
  Ctime    : 2021-05-13 15:18:19 -0400        | 2021-05-13 15:19:59 -0400


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/home/koromicha/aide/aide.db
  MD5      : f0gmAXaAnpmsLpcqEB2yaw==
  SHA1     : HjZ96ZFaLaGXT7oLQHetDByRcfg=
  RMD160   : ND0cqBPVsKaZw6peqJq81oAckx8=
  TIGER    : GsNazCXJu/wNbSTKyXUSPXgGImsKYZSj
  SHA256   : yz0xi62lx4v4yxwvcVG4DcrEpaszxCFi
             M5SFuRB7rFc=
  SHA512   : bMqIRxmfMz/Id1aKhKNUfZbG6I/Jn5UD
             6+G7x0oTFwf/GxUn8AVbhDyitO4bDjE/
             6yw2N+Ea4b69UgYkt8v6xQ==
  CRC32    : amnOHQ==
  HAVAL    : lKVe1OAZ/RHx8vq3AH1td++qnLZhomN/
             8VWvgolh12Y=
  GOST     : WzrpoPdX5kbKV9+XXKO2B6mWdyPq2m17
             u3querF/YTk=
  WHIRLPOOL: gsUPlPVbwDJYOXOWi30/1PXONnTZqMGM
             fQOCS8VsEpV9tYUuM2Yrb78hCjfjACla
             SdxnhuyiM3DPwIVS9c1x9Q==


End timestamp: 2021-05-13 15:20:06 -0400 (run time: 0m 0s)

Send AIDE reports by mail

By default, the AIDE package installs a daily cron script, /etc/cron.daily/aide, during installation.

The output of that daily check is mailed to the address set by the MAILTO= directive in the /etc/default/aide configuration file mentioned above.

To receive the reports by mail, edit /etc/default/aide and set MAILTO to your e-mail address as shown below. The default recipient is root.

vim /etc/default/aide
...
#MAILTO=root
[email protected]

Most of AIDE's default parameters are set in this file, and it is well commented, so read through it to see which other options can be enabled or disabled.

Mail delivery only works if an MTA is configured on the host. See the following guides on configuring Postfix to relay through Gmail SMTP:

Configure Postfix to use Gmail SMTP

Configure Postfix to use Gmail SMTP on Ubuntu 18.04

Instead of setting the cron mail recipient as above, you can also edit the Postfix aliases and point the alias for root at the address that should receive the AIDE reports:

vim /etc/aliases
postmaster:    root
root:   [email protected]

Then rebuild the aliases database:

newaliases

You can also install a cron job to run AIDE at a specific interval, for example against the custom configuration:

sudo crontab -e
*/10 * * * * aide -c /home/koromicha/aide/aide.conf -u && cp /home/koromicha/aide/aide.db{.new,}

This runs an AIDE check in update mode (which also writes a fresh database to aide.db.new) every 10 minutes, and cron mails the output to [email protected] according to my setup. Two things to keep in mind: aide exits non-zero whenever it reports differences, so with && the new database only replaces the baseline after a clean run. That is the safe behaviour; a baseline should be refreshed deliberately after the report has been reviewed, never automatically, otherwise an intruder's changes are silently blessed. And a full-filesystem check every 10 minutes is rarely reasonable; see the note on resources below.
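The following wrapper is an added example (not from the tutorial or the AIDE project) that puts the exit-status table from the diagnostics section and the cron idea together: it decodes the exit status of aide --check, keeps the full report on disk, prints a summary only when there is something to review so that cron mails nothing on a clean run, and deliberately never replaces the baseline. The configuration path, the report directory and the cron schedule in the usage note are assumptions.

```shell
#!/bin/sh
# Cron wrapper around "aide --check" for the custom configuration above.
# Exit status semantics are those documented in aide(1): bits 1/2/4 mean
# added/removed/changed entries, 14-19 are fatal errors.
# Paths below are assumptions; adjust them to your layout.
AIDE_CONF=/home/koromicha/aide/aide.conf
REPORT_DIR=/var/log/aide

# Prints a one-line classification of an AIDE exit status.
# Returns 0 for "clean" and "findings", 1 for an error status.
aide_decode_status() {
    rc=$1
    case $rc in
        0) echo "clean"; return 0 ;;
        [1-7])
            s=""
            [ $((rc & 1)) -ne 0 ] && s="$s added"
            [ $((rc & 2)) -ne 0 ] && s="$s removed"
            [ $((rc & 4)) -ne 0 ] && s="$s changed"
            echo "findings:$s"; return 0 ;;
        14) echo "error: error writing error"; return 1 ;;
        15) echo "error: invalid argument"; return 1 ;;
        16) echo "error: unimplemented function"; return 1 ;;
        17) echo "error: invalid configure line"; return 1 ;;
        18) echo "error: IO error"; return 1 ;;
        19) echo "error: version mismatch"; return 1 ;;
        *)  echo "error: unexpected exit status $rc"; return 1 ;;
    esac
}

# Runs the check, keeps the full report on disk and prints a summary on
# stdout only when there is something to look at, so cron mails only then.
# The baseline is never touched: after reviewing a report, re-run --init
# and copy aide.db.new into place yourself.
aide_cron_check() {
    conf=${1:-$AIDE_CONF}
    mkdir -p "$REPORT_DIR"
    report=$REPORT_DIR/check-$(date +%Y%m%d-%H%M%S).log
    nice -n 19 aide -c "$conf" --check > "$report" 2>&1
    rc=$?
    status=$(aide_decode_status "$rc")
    case $status in
        clean)
            rm -f "$report"
            return 0 ;;
        *)
            echo "AIDE on $(hostname): $status (exit $rc)"
            echo "full report: $report"
            # the Summary block of the report, up to the next separator line
            sed -n '/^Summary:/,/^---/p' "$report"
            [ "$rc" -le 7 ] ;;
    esac
}

# When executed directly, run the check against the given configuration.
if [ "$#" -gt 0 ]; then
    aide_cron_check "$1"
fi
```

Save it as, for instance, /usr/local/sbin/aide-cron-check.sh and schedule it from root's crontab with a line such as `0 */6 * * * /usr/local/sbin/aide-cron-check.sh /home/koromicha/aide/aide.conf`; cron then mails the printed summary to the crontab's MAILTO (or to root, which the /etc/aliases entry above forwards) only when the run found differences or failed, and the return value lets a calling script distinguish findings from AIDE errors.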

Also note that AIDE checks can be resource intensive and may degrade system performance while an integrity check is running. If you scan the whole system, make sure the host has enough resources, and consider running the scheduled job under nice/ionice.

This marks the end of our tutorial on how to install and configure AIDE on Debian 10.
