FileIntegrityAIDE (UbuntuHelp)
Source: https://help.ubuntu.com/community/FileIntegrityAIDE
Latest revision as of 19:07, 17 November 2009
Introduction
One of the many possible layers of security which may be applied to your Ubuntu computer is known as file integrity monitoring or file integrity verification. The purpose of monitoring and verifying the integrity of key files, including system binaries and configuration files, is to ensure that they have not been altered by unauthorized means. Unauthorized alteration of certain system files is one of the symptoms of an active attack on, or an existing compromise of, a system. File integrity monitoring is a proactive means of becoming aware of any change to critical system files. As with most tools and utilities in the GNU/Linux community, there are many different applications for monitoring and verifying the integrity of files on your Ubuntu system. This guide discusses the installation, configuration, and usage of one of these tools on an Ubuntu system.
Available Tools
While there are a dozen or more solutions for monitoring and verifying the integrity of critical files on a GNU/Linux system, this guide focuses only on the Advanced Intrusion Detection Environment (AIDE). Other tools and utilities for monitoring and verifying file integrity are listed in the Resources section; exploring and using them is left as an exercise for the reader.
AIDE
The Advanced Intrusion Detection Environment (AIDE) is a free replacement for the popular file integrity verification tool Tripwire. It builds a database of file attributes and digests from the regular expression rules in its configuration file. Once this database has been initialized, later runs compare the current state of the file system against it to verify the integrity of critical system and user files. AIDE supports most of the popular message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.); newer builds also offer sha256 and sha512, which should be preferred over md5 and sha1 because collisions can be constructed for those two. Additional algorithms may be added, and all of the traditional file system attributes (permissions, owner, group, size, inode, link count, timestamps) may be checked for inconsistencies as well. Two caveats apply to any host-based integrity checker: it only detects a change at its next run, it does not prevent one; and an intruder who gains root can rewrite the database itself, so keep a copy of aide.db (and of the aide binary and configuration) on read-only or off-host storage and compare against that copy after a suspected compromise.
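To make concrete what the database and the check actually are, here is an added example (not AIDE's code and not part of the original page): a short shell script that stores the same kind of record AIDE does for each file (permissions, owner, group, size and a digest), then diffs the live tree against that record. It goes slightly beyond the page in that it reports which attribute changed and returns AIDE's own exit-status bitmask (1 new, 2 removed, 4 changed). The fim_* function names and the record format are this example's own; it assumes GNU coreutils (stat -c, sha256sum, find, sort) and a POSIX shell.

```shell
#!/bin/sh
# Added example (not AIDE's code): a minimal integrity checker that models what
# 'aide --init' and 'aide --check' do. Each database record holds the attributes
# AIDE's p+u+g+s groups would check (mode, uid, gid, size) plus a SHA-256 digest.
# Assumes GNU coreutils (find, sort, stat -c, sha256sum) and a POSIX shell.

# Emit one record per regular file under $1: "mode uid gid size sha256<TAB>path".
fim_snapshot() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          attrs=$(stat -c '%a %u %g %s' "$f")
          digest=$(sha256sum "$f" | cut -d' ' -f1)
          printf '%s %s\t%s\n' "$attrs" "$digest" "$f"
      done )
}

# Like 'aide --init': write the baseline database for tree $1 to file $2.
fim_init() {
    fim_snapshot "$1" > "$2"
}

# Like 'aide --check': compare tree $1 against database $2.
# Prints "added<TAB>path", "removed<TAB>path" or "changed<TAB>path<TAB>fields"
# and returns the bitmask AIDE uses: 1 = added, 2 = removed, 4 = changed.
fim_check() {
    { cat "$2"; printf '%s\n' '---'; fim_snapshot "$1"; } | awk -F'\t' -v OFS='\t' '
        BEGIN { split("mode uid gid size sha256", name, " ") }
        $0 == "---" { live = 1; next }             # separator: baseline ends here
        !live { base[$2] = $1; next }              # baseline record: path -> attrs
        {
            seen[$2] = 1
            if (!($2 in base)) { print "added", $2; added = 1; next }
            if (base[$2] == $1) next               # identical attrs and digest
            n = split(base[$2], o, " "); split($1, c, " ")
            what = ""
            for (i = 1; i <= n; i++)
                if (o[i] != c[i]) what = what (what == "" ? "" : ",") name[i]
            print "changed", $2, what; changed = 1
        }
        END {
            for (p in base) if (!(p in seen)) { print "removed", p; removed = 1 }
            exit added + 2 * removed + 4 * changed
        }'
}

# Command-line use:  fim.sh init TREE DB   |   fim.sh check TREE DB
case "${1:-}" in
    init)  fim_init "$2" "$3" ;;
    check) fim_check "$2" "$3" ;;
esac
```

Because the record carries the mode as well as the digest, a chmod on an unchanged file is reported as "changed ... mode" rather than missed, which is the reason AIDE's groups combine attributes with checksums instead of hashing alone. Note also that the baseline is only as good as the moment it was taken: anything already planted before fim_init (or aide --init) runs is accepted as normal.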
Installing AIDE
To install AIDE from a terminal prompt, ensure that your Internet connection is working, and enter the following command:
sudo apt-get install aide
Enter your password. Upon successful authentication, the AIDE package should be fetched and installed.
During installation, an Ubuntu Configuration window will appear notifying you that daily reports are mailed to the root user by default, and that this behavior may be changed by editing the /etc/default/aide configuration file. Press the Enter key to acknowledge this message. You will then be asked if the AIDE database should be initialized. Select Yes here, and press the Enter key. The next confirmation dialog will ask you to examine /var/lib/aide/aide.db.new before replacing any existing database. If this is your first time installing AIDE on the system in question, select Yes here, and press the Enter key.
Configuring AIDE
There are two primary configuration files for AIDE:

/etc/default/aide      The AIDE general configuration file.
/etc/aide/aide.conf    The AIDE rules configuration file.
Some general settings and behaviors for AIDE may be modified by editing the /etc/default/aide configuration file. For example, if you would like all of AIDE's daily reports emailed to the user breandon instead of the default root user, use sudo with your favorite editor and change the line MAILTO=root to name your choice of user, in our example MAILTO=breandon.
Read the comments in /etc/default/aide to see what the other configuration directives control, and change them accordingly to suit your installation's requirements.

The other configuration file, /etc/aide/aide.conf, controls the rules for the directories, files, and attributes of the files AIDE uses to determine changes when scanning. For example, in the default /etc/aide/aide.conf file, all member directories and files of the Group definition BinLib are checked for permissions, inode, number of links, user, group, size, block count, mtime, ctime, md5 checksum, and sha1 checksum (p+i+n+u+g+s+b+m+c+md5+sha1), whereas all member directories and files in the Group definition Databases are checked only for permissions, number of links, user, and group (p+n+u+g).
The member directories of a particular Group definition are added by specifying one entry per line, in the form:

directory Group definition

The first field is actually a regular expression matched against the start of each path, so an entry for a directory also covers everything beneath it. Two prefixes change this: a leading ! excludes matching paths (useful for logs and caches below a watched tree), and a leading = matches the named path itself without descending into it. For example, to make the directory /opt/local/bin part of the BinLib Group definition, a line would be added in the appropriate section of the /etc/aide/aide.conf configuration file resembling the following:

/opt/local/bin BinLib
Another example of a clever use for AIDE is to monitor the system's crontabs. Crontabs control the scheduled tasks executed by the cron daemon, which makes them a natural place for an intruder to plant a program that is re-executed automatically. To ensure that these files are not altered in such a way, use the sudo command to edit the /etc/aide/aide.conf file with your favorite editor and locate the following section of the file:

# Check crontabs

Uncomment all of the lines beginning with #/var/spool under the # Check crontabs heading, and save the file. You should examine the /etc/aide/aide.conf file closely, observing the commented sections in particular, for other possible uses of AIDE. Also read the aide.conf manual page, in addition to the HTML version of the AIDE manual, for further uses of AIDE which may be specified in this configuration file.
After making configuration changes, issue the following command at the terminal prompt to regenerate the merged configuration (/etc/aide/aide.conf plus any snippets in /etc/aide/aide.conf.d/), which is written to /var/lib/aide/aide.conf.autogenerated and is the configuration the daily cron job reads:
sudo update-aide.conf
Using AIDE
AIDE reads its baseline from /var/lib/aide/aide.db (the database= setting in the configuration) and writes any freshly generated database to /var/lib/aide/aide.db.new (the database_out= setting); it never overwrites aide.db on its own. To begin using AIDE, first make sure a database is present:
ls /var/lib/aide
If you see the file aide.db in the output of the ls command, a baseline already exists and you can proceed to the check step. If instead you only see aide.db.new (for example because you declined the installer's offer to replace the database), promote it to the active database with this command:
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
If no database exists at all, or you have changed /etc/aide/aide.conf and run update-aide.conf since the last one was built, generate a new database from a terminal prompt:
sudo aide --init
At the end of this process, you should see a line like:
### AIDE database initialized
The result is written to aide.db.new; move it to aide.db with the mv command above before running a check, otherwise the check compares against the old baseline. Take the baseline only on a system you have reason to trust, ideally immediately after installation and patching, because anything already present when the database is built is accepted as legitimate.
You may run an initial check of the directories and files as defined in /etc/aide/aide.conf by entering the following command at a terminal prompt:
sudo aide --check
If all is well in the directories and files being monitored, you will see a message like this when the check completes:
### All files match AIDE database. Looks okay!
AIDE will also run each day from the /etc/cron.daily/aide crontab, and the output of this run is mailed to the user named in the MAILTO= directive of the /etc/default/aide configuration file as detailed above. Read these reports: a report listing changed files that you did not change yourself is exactly the signal this setup exists to produce. After legitimate changes (package upgrades, your own configuration edits), regenerate the database and move aide.db.new into place again, otherwise every following report repeats the same expected differences and real changes get lost in the noise.
Resources
Additional information on AIDE and on file integrity monitoring and verification is available via the following resources:
Local System Resources

man aide                           System manual page for the aide command.
man aide.conf                      System manual page for the aide.conf configuration file.
man aideinit                       System manual page for the aideinit command.
man update-aide.conf               System manual page for the update-aide.conf command.
/usr/share/doc/aide/manual.html    The AIDE manual in HTML format.
/etc/default/aide                  The AIDE general configuration file.
/etc/aide/aide.conf                The AIDE rules configuration file.
/etc/cron.daily/aide               Daily AIDE cron script.
Other File Integrity Monitoring and Verification Tools
- BSign : Corruption and intrusion detection using embedded hashes.
- Integrit : Small-footprint, unattended monitoring of file integrity with cascading rulesets.
- Samhain : Standalone or client-server file integrity monitoring solution.
- Systraq : Monitors and alerts on file changes.
External Links
- http://sourceforge.net/projects/aide - AIDE web site.
- http://www.linuxsecurity.com/content/view/101882/49/ - Guide for CHKROOTKIT and AIDE.
- http://la-samhna.de/samhain/ - Samhain home page.
- http://mdcc.cx/systraq/ - Systraq home page.