How to use AIDE to monitor the integrity of files in Linux

Brief introduction

AIDE (Advanced Intrusion Detection Environment) is a file integrity checker and intrusion detection program.

Characteristics

  • Its main purpose is to check the integrity of files and to audit which files on the machine have been changed.
  • AIDE builds its database from the regular-expression rules found in the /etc/aide.conf configuration file. Once the database has been initialized, it can be used to verify file integrity and to detect inconsistencies in all common file attributes. It can read both older and newer versions of the database. The database can store many attributes of a file, including permissions, inode number, user, group, size, mtime, ctime, atime, growing size and number of links. AIDE can also compute a checksum (hash) of every file with the following algorithms: sha1, md5, rmd160 and tiger.
  • The database should not track files whose contents change frequently, such as log files, mail, the /proc file system, users' home directories and temporary directories.

Background

After an intruder gets into your system and plants a malicious program, he will usually look for a way to hide it (beyond whatever hiding features the program has itself, he will try to put obstacles in the way of your inspection of system processes). Typically the intruder modifies some files. For example, an administrator usually runs ps aux to view system processes, so the intruder is likely to replace the ps program on your system with his own modified copy so that the running program cannot be found with the ps command. If the intruder notices that the administrator runs crontab jobs, he may replace the crontab program as well, and so on. It is therefore necessary to check system files, or at least key files. Two common tools for system integrity checking are Tripwire and AIDE: the former is commercial software, the latter is free but powerful.

Operation steps

Install

[root@CentOS7 ~]# yum -y install aide

Modify the configuration file

The configuration file is /etc/aide.conf. The default paths are:

  /etc/aide.conf   default configuration file
  /usr/sbin/aide   default binary executable
  /var/lib/aide    default database directory
  /var/log/aide    default log directory

Initialize the default AIDE database:

`which aide` --init

After this operation, a database file named "aide.db.new.gz" is generated under the default database directory /var/lib/aide; it records the attributes selected by the rules defined in /etc/aide.conf.

Generate the check database (it is recommended to keep a copy of the freshly initialized database in a safe place):

mv /var/lib/aide/aide.db{.new,}.gz

By default aide compares the file system against the aide.db.gz database file, using the rules defined in /etc/aide.conf, so the freshly initialized database file must be renamed before it can be used for a check.

Run a check

`which aide` --check

Update database

`which aide` --update

After a check, the database needs to be updated, otherwise the next check will still compare the file system against the old database. The update writes a new aide.db.new.gz, so the database file must be renamed again, just as after initialization.

Attributes available in AIDE rules (from the default /etc/aide.conf)

#
#p:      permissions
#i:      inode:
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#acl:           Access Control Lists
#selinux        SELinux security context
#xattrs:        Extended file attributes
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256:        sha256 checksum
#sha512:        sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum

#haval:  haval checksum (MHASH only)
#gost:   gost checksum (MHASH only)
#crc32:  crc32 checksum (MHASH only)
#whirlpool:     whirlpool checksum (MHASH only)

Definition and use of AIDE rules

Rule definition format: rule_name = attribute+attribute+...
  [example]: TEST = a+m+c

Rule usage format: file_or_directory rule_name
  [example]: /dir1 TEST
  Note: if "!" is placed before a file or directory, it is excluded from the check.

AIDE rule validation

The following rules are defined in the /etc/aide.conf file, where the /dir1 directory is initially empty.

TEST = a+c+m
/dir1 TEST

Test 1:

Create a new file file1 in this directory and write "hello aide" into it. The first check below is run before the file is created and confirms a clean baseline:
[root@CentOS7 ~]# aide --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

[root@CentOS7 ~]# echo "hello aide" > /dir1/file1
[root@CentOS7 ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2019-11-10 19:12:57

Summary:
  Total number of files:    3
  Added files:          1
  Removed files:        0
  Changed files:        1

---------------------------------------------------
Added files:
---------------------------------------------------

added: /dir1/file1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /dir1

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /dir1
 Mtime    : 2019-11-10 19:12:00              , 2019-11-10 19:12:55
 Ctime    : 2019-11-10 19:12:00              , 2019-11-10 19:12:55

The above output shows that file1 was added under /dir1 and that the mtime and ctime attributes of the /dir1 directory were modified. file1 itself is reported as "added" rather than "changed" because it does not yet exist in the database.

Test 2:

Change the contents of /dir1/file1 from "hello aide" to "hello world":
[root@CentOS7 ~]# sed -i '/hello/c hello world' /dir1/file1 ; cat /dir1/file1
hello world
[root@CentOS7 ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2019-11-10 19:14:34

Summary:
  Total number of files:    3
  Added files:          1
  Removed files:        0
  Changed files:        1

---------------------------------------------------
Added files:
---------------------------------------------------

added: /dir1/file1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /dir1

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /dir1
 Atime    : 2019-11-10 19:12:02              , 2019-11-10 19:12:57
 Mtime    : 2019-11-10 19:12:00              , 2019-11-10 19:14:31
 Ctime    : 2019-11-10 19:12:00              , 2019-11-10 19:14:31

This time the atime, mtime and ctime of the /dir1 directory have all been modified (sed -i rewrites the file through a temporary file in the directory, which is why the directory's timestamps change). Note that file1 is still listed as "added", not "changed", because the database was not updated after Test 1, so its new contents are never compared against a recorded value; this is exactly why aide --update and the rename must be run after every check.
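To make the rule syntax and the init/check/update cycle above concrete, here is an added Python example (not AIDE's own code) that implements a toy version of the same idea: it parses "NAME = attrs", "/path NAME" and "!/path" lines, supports only the attribute letters a, c, m, s and sha256 from the table above, records a baseline, and reports added/removed/changed entries like aide --check. demo() replays Test 1 and Test 2 in a scratch directory, but updates the database between them so that file1 shows up as changed rather than added the second time.

```python
import hashlib, os, stat, tempfile

# attribute letter -> how it is read from an lstat result (letters as in /etc/aide.conf)
ATTR = {"s": lambda st, p: st.st_size, "m": lambda st, p: st.st_mtime_ns,
        "a": lambda st, p: st.st_atime_ns, "c": lambda st, p: st.st_ctime_ns,
        "sha256": lambda st, p: (hashlib.sha256(open(p, "rb").read()).hexdigest()
                                 if stat.S_ISREG(st.st_mode) else None)}

def parse_conf(text):
    """'NAME = a+c+m' defines a rule, '/path NAME' selects a tree, '!/path' excludes one."""
    rules, selected, excluded = {}, [], []
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line.startswith("!"):
            excluded.append(line[1:].strip())
        elif line.startswith("/"):
            path, name = line.split()
            selected.append((path, rules[name]))  # KeyError for an undefined name such as TES
        elif line:
            name, spec = (s.strip() for s in line.split("=", 1))
            rules[name] = spec.split("+")
    return selected, excluded

def build_db(selected, excluded):
    """Record each selected directory and everything below it (the `aide --init` step)."""
    db = {}
    for root, attrs in selected:
        for dirpath, dirs, files in os.walk(root):
            dirs[:] = [d for d in dirs if os.path.join(dirpath, d) not in excluded]
            for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                st = os.lstat(p)
                db[p] = {a: ATTR[a](st, p) for a in attrs}
    return db

def check(old, new):
    """Compare like `aide --check`: returns (added, removed, {path: {attr: (old, new)}})."""
    both = set(old) & set(new)
    changed = {p: {a: (old[p][a], new[p][a]) for a in old[p] if old[p][a] != new[p][a]} for p in both}
    return sorted(set(new) - set(old)), sorted(set(old) - set(new)), {p: d for p, d in changed.items() if d}

def demo():
    """Replay Test 1 and Test 2 above in a scratch dir, updating the database between them."""
    dir1 = tempfile.mkdtemp()
    os.mkdir(os.path.join(dir1, "skip"))                              # excluded below with '!'
    selected, excluded = parse_conf(f"TEST = a+c+m+sha256\n{dir1} TEST\n!{dir1}/skip\n")
    db = build_db(selected, excluded)                                 # init + rename
    open(os.path.join(dir1, "file1"), "w").write("hello aide\n")
    added, _, changed1 = check(db, build_db(selected, excluded))      # Test 1: file1 added
    db = build_db(selected, excluded)                                 # update + rename
    open(os.path.join(dir1, "file1"), "w").write("hello world\n")
    _, _, changed2 = check(db, build_db(selected, excluded))          # Test 2: file1 changed
    return dir1, added, changed1, changed2
```

Without the intermediate build_db() call that stands in for aide --update, the second check would again report file1 only as "added", exactly as in the Test 2 output above.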

Tags: Linux Database SHA1 crontab SELinux

Posted on Sun, 10 Nov 2019 08:26:47 -0500 by FlashbackJon