UbuntuHelp:FileIntegrityAIDE

From Ubuntu Chinese

Oneleaf (talk | contribs), revision of 13 May 2007 (Sunday) 11:34 (New page: {{From|https://help.ubuntu.com/community/FileIntegrityAIDE}} {{Languages|php5}} === Introduction === One of the many possible layers of security which may be applied to your Ubuntu compu...)

=== Introduction ===

One of the many possible layers of security which may be applied to your Ubuntu computer is known as file integrity monitoring, or file integrity verification. The purpose of monitoring and/or verifying the integrity of key files, including system binaries and configuration files, is to ensure the files have not been altered by unauthorized means. The unauthorized alteration of certain system files is one of the symptoms of an active attack on, or compromise of, a system. Using file integrity monitoring is a proactive means of being aware of any changes to critical system files. As with most tools and utilities in the GNU/Linux community, there exist many different applications for monitoring and verifying the integrity of files on your Ubuntu system. This guide will mention some of these tools, and go on to discuss installation, configuration, and usage of AIDE on an Ubuntu system.

=== Available Tools ===

While there are literally a dozen or more solutions for monitoring and verifying the integrity of critical files on a GNU/Linux computer system, this guide will focus only on the Advanced Intrusion Detection Environment (AIDE) utility. Other possible tools and utilities for monitoring and/or verifying file integrity are listed in the Resources section of this guide, however. The exploration and use of these tools is left as an exercise for the reader.

==== AIDE ====

The Advanced Intrusion Detection Environment (AIDE) is a free replacement for the popular file integrity verification tool Tripwire. It creates a database from the regular expression rules that it finds in a configuration file, and once this database is initialized, it can be used to verify the integrity of critical system and user files.

AIDE uses most of the popular message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) for checking file integrity. Additional algorithms may also be added easily. All of the traditional file system attributes may also be checked for inconsistencies.

=== Installing AIDE ===

To install AIDE from a terminal prompt, ensure that your Internet connection is working, and enter the following command:

<code>sudo apt-get install aide</code>

Enter your password, and upon successful authentication, the AIDE package should be fetched, and installed.

During installation, an Ubuntu Configuration window will appear notifying you that daily reports are mailed to the root user by default, and that this behavior may be changed by editing the /etc/default/aide configuration file. Press ENTER to acknowledge this message. You will then be asked if the AIDE database should be initialized. Select Yes here, and press ENTER. The next confirmation dialog asks you to examine /var/lib/aide/aide.db.new before replacing any existing database. If this is your first time installing AIDE on the system in question, select Yes here, and press ENTER.

=== Configuring AIDE ===

There are two primary configuration files for AIDE:

||<code>/etc/default/aide</code>||The AIDE general configuration file||
||<code>/etc/aide/aide.conf</code>||The AIDE rules configuration file||

Some general settings and behaviors for AIDE may be modified by editing the <code>/etc/default/aide</code> configuration file. For example, if you would like to have all of AIDE's daily reports e-mailed to the user breandon instead of the default root user, simply use sudo with your favorite editor, and modify the line:

<code>MAILTO=root</code>

so that it reflects your choice of user (breandon in our example) as such:

<code>MAILTO=breandon</code>

Read the comments in /etc/default/aide to see what the other configuration directives control, and change them accordingly to suit your installation's requirements.

The other configuration file, <code>/etc/aide/aide.conf</code>, controls the rules for the directories, files, and file attributes which AIDE uses to determine changes when scanning. For example, in the default <code>/etc/aide/aide.conf</code> file, all member directories and files of the Group definition BinLib are checked for permissions, inode, number of links, user, group, size, block count, mtime, ctime, md5 checksum, and sha1 checksum (p+i+n+u+g+s+b+m+c+md5+sha1), whereas all member directories and files in the Group definition Databases are checked only for permissions, number of links, user, and group (p+n+u+g).

The member directories of a particular Group definition are added by specifying one entry per line, in the form of:

<code>directory GroupDefinition</code>

For example, to make the directory /opt/local/bin part of the BinLib Group definition, a line would be added in the appropriate section of the /etc/aide/aide.conf configuration file resembling the following:

<code>/opt/local/bin BinLib</code>

Another example of a clever use for AIDE is to monitor the system's crontabs. System crontabs control the scheduled system activities which are executed by the cron daemon. To ensure these files are not altered in such a way as to introduce the automatic, scheduled execution of a malicious application, simply use the sudo command to edit the <code>/etc/aide/aide.conf</code> file with your favorite editor and locate the following section of the file:

<code># Check crontabs</code>

Uncomment all of the lines beginning with <code>#/var/spool</code> under the <code># Check crontabs</code> heading, and save the file. You should examine the file <code>/etc/aide/aide.conf</code> closely, observing the commented sections in particular, for other possible uses of AIDE, and read the aide.conf manual page and the HTML version of the AIDE manual for further uses of AIDE which may be specified in this configuration file.

When you've made configuration changes, and you would like them used immediately, issue the following command at the terminal prompt to update the AIDE configuration:

<code>sudo update-aide.conf</code>

Otherwise, AIDE's daily crontab runs the same update itself before each daily check, so if you have made changes but do not need to run aide manually and immediately, you can be assured the configuration will be updated automatically before the daily run of AIDE.

=== Using AIDE ===

To begin using AIDE, you must make sure the database is present:

<code>ls /var/lib/aide</code>

If you see the file <code>aide.db</code> in the output of the ls command, then proceed to the initialization step. If instead you see the file <code>aide.db.new</code>, then you need to rename <code>aide.db.new</code> to <code>aide.db</code> using this command:

<code>sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db</code>

Once the AIDE database is in place, you can initialize the database with the following command from a terminal prompt:

<code>sudo aide --init</code>

At the end of this process, you should see the line:

||
You may run an initial check of the directories and files as defined in <code>/etc/aide/aide.conf</code> by entering the following command at a terminal prompt:

<code>sudo aide --check</code>

If all is well in the directories and files being monitored, you will see this message when the check completes:

||
AIDE will also run each day from the <code>/etc/cron.daily/aide</code> crontab, and the output of this run will be mailed to the user specified in the <code>MAILTO=</code> directive of the <code>/etc/default/aide</code> configuration file, as detailed above.
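The rule model described in the Configuring AIDE section (a Group definition such as BinLib = p+i+n+u+g+s+b+m+c+md5+sha1, directory entries assigned to a group) and the init/check procedure above (a baseline written as aide.db.new, renamed to aide.db, then compared by a check) can be seen end to end in the following toy re-implementation. This is an added example, not AIDE's own code: it treats each entry as a directory to walk rather than AIDE's regular-expression prefix, stores the database as JSON, and supports only the attribute selectors the page names. The <code>demo()</code> scenario, its directory names (<code>bin</code>, <code>data</code>, <code>aidedb</code>) and its file contents are constructed for illustration.

```python
# Added example, not AIDE's code: a toy model of how aide.conf-style rules
# become an attribute database, and how a check reports what changed.
import hashlib
import json
import os
import re
import stat
import tempfile


def _digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _attrs(path, selected):
    """Record only the attributes the rule selects: p i n u g s b m c md5 sha1."""
    st = os.lstat(path)
    regular = stat.S_ISREG(st.st_mode)
    table = {
        "p": lambda: oct(stat.S_IMODE(st.st_mode)),   # permissions
        "i": lambda: st.st_ino,                        # inode
        "n": lambda: st.st_nlink,                      # number of links
        "u": lambda: st.st_uid,                        # user
        "g": lambda: st.st_gid,                        # group
        "s": lambda: st.st_size,                       # size
        "b": lambda: st.st_blocks,                     # block count
        "m": lambda: int(st.st_mtime),                 # mtime
        "c": lambda: int(st.st_ctime),                 # ctime
        "md5": lambda: _digest(path, "md5") if regular else None,
        "sha1": lambda: _digest(path, "sha1") if regular else None,
    }
    return {a: table[a]() for a in selected}


def parse_config(text):
    """Parse 'Group = a+b+md5' definitions and 'directory Group' entries; '#' lines are comments."""
    groups, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"(\w+)\s*=\s*([\w+]+)", line)
        if m:
            groups[m.group(1)] = m.group(2).split("+")
        else:
            directory, group = line.split()
            entries.append((directory, group))
    return groups, entries


def _expand(token, groups):
    """A rule may name another group; flatten it down to attribute selectors."""
    if token in groups:
        return [a for t in groups[token] for a in _expand(t, groups)]
    return [token]


def scan(config_text):
    """Walk every configured directory and record the selected attributes of each entry."""
    groups, entries = parse_config(config_text)
    db = {}
    for directory, group in entries:
        selected = _expand(group, groups)
        for dirpath, _, filenames in os.walk(directory):
            db[dirpath] = _attrs(dirpath, selected)
            for name in filenames:
                path = os.path.join(dirpath, name)
                db[path] = _attrs(path, selected)
    return db


def init(config_text, dbdir):
    """Like 'aide --init': the fresh baseline lands in aide.db.new, not aide.db."""
    new = os.path.join(dbdir, "aide.db.new")
    with open(new, "w") as f:
        json.dump(scan(config_text), f)
    return new


def check(config_text, dbdir):
    """Like 'aide --check': compare the live tree against aide.db and report differences."""
    with open(os.path.join(dbdir, "aide.db")) as f:
        old = json.load(f)
    new = scan(config_text)
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)), "changed": {}}
    for path in set(old) & set(new):
        diff = sorted(a for a in old[path] if old[path][a] != new[path][a])
        if diff:
            report["changed"][path] = diff
    return report


def demo():
    """Constructed scenario: one BinLib tree and one Databases tree get the same tampering."""
    top = tempfile.mkdtemp()
    bindir, dbdata, dbdir = (os.path.join(top, d) for d in ("bin", "data", "aidedb"))
    for d in (bindir, dbdata, dbdir):
        os.mkdir(d)
    tool, table = os.path.join(bindir, "tool"), os.path.join(dbdata, "table")
    for p in (tool, table):
        with open(p, "w") as f:
            f.write("original contents\n")
        os.chmod(p, 0o644)
    config = f"""
# Same selectors as the default aide.conf groups quoted in the text
BinLib = p+i+n+u+g+s+b+m+c+md5+sha1
Databases = p+n+u+g
{bindir} BinLib
{dbdata} Databases
"""
    init(config, dbdir)
    os.rename(os.path.join(dbdir, "aide.db.new"), os.path.join(dbdir, "aide.db"))
    clean = check(config, dbdir)
    # Rewrite both files in place; only the BinLib rule hashes contents.
    for p in (tool, table):
        with open(p, "w") as f:
            f.write("replaced by something longer than before\n")
    os.chmod(table, 0o600)  # Databases does check permissions (p)
    extra = os.path.join(bindir, "extra")
    with open(extra, "w") as f:
        f.write("new file\n")
    return {"paths": {"tool": tool, "table": table, "extra": extra},
            "clean": clean, "tampered": check(config, dbdir)}


if __name__ == "__main__":
    print(json.dumps(demo()["tampered"], indent=2))
```

Running the block prints the tampered report: the rewritten binary shows up with its size and both digests changed, the rewritten database file is reported only for its permission change because its rule never looked at contents, and the new file under the BinLib directory is listed as added. That contrast is exactly why the page assigns p+n+u+g rather than a digest rule to frequently rewritten data.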

=== Resources ===
Additional information on AIDE, and file integrity monitoring, and verification is available via the following resources:

==== Local System Resources ====

||<style="background:#F1F1ED;"><code>man aide</code>|| System manual page for the <code>aide</code> command||
||<style="background:#F1F1ED;"><code>man aide.conf</code>|| System manual page for the <code>aide.conf</code> configuration file||
||<style="background:#F1F1ED;"><code>man aideinit</code>|| System manual page for the <code>aideinit</code> command||
||<style="background:#F1F1ED;"><code>man update-aide.conf</code>|| System manual page for the <code>update-aide.conf</code> command||
||<style="background:#F1F1ED;"><code>/usr/share/doc/aide/manual.html</code>|| The AIDE manual in HTML format||
||<style="background:#F1F1ED;"><code>/etc/default/aide</code>|| The AIDE general configuration file||
||<style="background:#F1F1ED;"><code>/etc/aide/aide.conf</code>|| The AIDE rules configuration file||
||<style="background:#F1F1ED;"><code>/etc/cron.daily/aide</code>|| Daily AIDE cron scripts||

==== Other File Integrity Monitoring and Verification Tools ====

* '''BSign''' : Corruption and Intrusion Detection using embedded hashes
* '''Integrit''' : Small footprint, unattended monitoring of file integrity with cascading rulesets [http://integrit.sourceforge.net/ Integrit Website]
* '''Samhain''' : Standalone, or Client-Server file integrity monitoring solution [http://la-samhna.de/samhain/ Samhain Website]
* '''Systraq''' : Monitors, and alerts on file changes [http://mdcc.cx/systraq/ Systraq Website]
 
==== WWW Resources ====

* [http://sourceforge.net/projects/aide AIDE Website]
* [http://www.linuxsecurity.com/content/view/101882/49/ Guide on CHKROOTKIT and AIDE]

----
CategorySecurity CategoryCleanup

[[category:UbuntuHelp]]