How to detect file system integrity based on AIDE in Linux

1. AIDE

AIDE (Advanced Intrusion Detection Environment) is a program that performs integrity checks on files and directories. It was developed as a replacement for Tripwire.

How AIDE works

AIDE constructs an integrity sample library (snapshot) of specified files as a comparison standard. When these files are changed, their corresponding checksum values ​​will inevitably change accordingly. AIDE can identify these changes and alert the administrator. The attribute changes monitored by AIDE mainly include: permissions, owner, group, file size, creation time, last modification time, last access time, increased size and number of links, and can use algorithms such as SHA1 and MD5 to generate verification codes for each file.

This tool is quite old, and compared to similar tools like Tripwire, it is also simpler to operate. It needs to take a snapshot of the system, record the HASH value, modification time, and the administrator's preprocessing of the file. This snapshot allows administrators to build a database and then store it on an external device for safekeeping.
When the administrator wants to perform an integrity check on the system, the administrator will place the previously built database in an area accessible to the current system, then use AIDE to compare the status of the current system with the database, and finally report the detected changes to the current system to the administrator. In addition, AIDE can be configured to run on a scheduled basis, using schedule scheduling technologies such as cron to generate daily system detection reports.
This system is mainly used for operation and maintenance security detection. AIDE will report all malicious changes in the system to the administrator.

Features of AIDE

• Support message digest algorithms: md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool
• Supported file attributes: file type, file permissions, inode, UID, GID, link name, file size, block size, number of links, Mtime, Ctime, Atime
• Support Posix ACL, SELinux, XAttrs, extended file system attributes
• Plain text configuration files, simplified database
• Powerful regular expressions to easily filter files and directories to monitor
• Support Gzip database compression
• Independent binary static compiled client/server monitoring configuration package

[root@centos7 ~]$ yuminstall-y aide

Install AIDE

Download: http://sourceforge.net/projects/aide

yum install aide
vi /etc/aide.conf
database=file:@@{DBDIR}/aide.db.gz #System image library location database_out=file:@@{DBDIR}/aide.db.new.gz #Newly generate system image library, by default in /var/lib/aide/# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
#/opt NORMAL #Comment not to check directory /usr NORMAL
/root NORMAL
# These are too volatile, exclude individual directories that are not checked!/usr/src
!/usr/tmp
#Add a new detection directory /etc/exports NORMAL below according to requirements
/etc/fstab NORMAL
/etc/passwd NORMA

Detailed explanation of the configuration file#Defines the variables of the database path and the log path

@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide

# Enable compression

gzip_dbout=yes

# Define multiple permissions as rules and assign them to variables for later reference

CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs
CONTENT = sha256+ftype
PERMS = p+u+g+acl+selinux+xattrs

# Which rules are used to monitor which files

/boot/CONTENT_EX
/bin/CONTENT_EX
/sbin/CONTENT_EX
/lib/CONTENT_EX
/lib64/ CONTENT_EX #Use the rules defined by CONTENT_EX for monitoring
/opt/ CONTENT #Only monitor the checksum and file type of the opt directory
/root/\..* PERMS #PERMS does not have a hash check value because the data under /root changes frequently

# Files not to be monitored

!/etc/.*~
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum

Defining Rules

Edit the configuration file /etc/adie.conf, define a rule variable mon, monitor all files in the /app directory, and do not monitor /app/saomiao.log.

[root@centos7 aide]$ vim /etc/aide.conf
 mon = p+u+g+sha512+m+a+c
 /appmon
 !/app/juli.sh

Create a database

Generate a database file, define the checksums for each file in the configuration file, and put them into the database for later comparison. From the prompt, we can see that a /var/lib/aide/aide.db.new.gz database file is generated. This database file is the initial database. If intrusion detection is performed, it will be compared with the /var/lib/aide/aide.db.gz database file. If the two databases are inconsistent, it will be prompted that there is an intrusion.

[root@centos7 aide]$aide --init
AIDE, version 0.15.1
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

Simulate files being hacked and changed

Simulation files are modified: Add newlines to saomiao.sh file, prompting changes to checksum, Mtime, Ctime

[root@centos7 aide]$ echo >> /app/saomiao.sh

Detection: AIDE's detection mechanism is to calculate the current database and compare it with aide.db.gz. aide.db.gz does not exist by default, so you need to rename the previously created initialization database aide.db.new.gz to aide.db.gz.

[root@centos7 aide]$mv aide.db.new.gz aide.db.gz

Intrusion Detection

Finally, use aide -C, note that it is capitalized, to compare the calculated data with aide.db.new.gz, and check whether the Mtime and Ctime SHA512 of the saomiao.sh file have been changed.

Set up task schedule and conduct regular inspections

crontab –e
30 08 * * * /usr/sbin/aide --check--report=file:/tmp/aide-check-` date +%Y%m%d `.txt #Execute once every morning at 08:30

You can also send information to email:

30 08 * * * /usr/sbin/aide --check| mail –s “AIDE report“ [email protected]

2. RKHunter

RKHunter is a tool that is specifically designed to detect whether a system is infected with rootkits. It automatically executes a series of scripts to comprehensively detect whether the server is infected with rootkits.

Features of RKHunter

• Detect vulnerable files;
• Detect hidden files;
• Check the permissions of important files;
• Detection system port number;

Install

[root@centos7 aide]$yum install rkhunter

Detection

Run the rkhunker -c command to test the system. RKHunter detection is divided into several parts. The first part mainly detects binary tools of the system, because these tools are the primary infection targets of rootkits. After each test, you need to press Enter to confirm.

[ ok ] means no abnormality

[ no found ] means the tool was not found, ignore it

[ warning ] If it is a red warning, you need to further confirm whether these tools are infected or replaced.

Set up task schedule and conduct regular inspections

crontab –e
30 08 * * * /usr/sbin/aide --check--report=file:/tmp/aide-check-` date +%Y%m%d `.txt #Execute once every morning at 08:30

You can also send information to email:

30 08 * * * /usr/sbin/aide --check| mail –s “AIDE report“ [email protected]

2. RKHunter

RKHunter is a tool that is specifically designed to detect whether a system is infected with rootkits. It automatically executes a series of scripts to comprehensively detect whether the server is infected with rootkits.

Features of RKHunter

• Detect vulnerable files;
• Detect hidden files;
• Check the permissions of important files;
• Detection system port number;

Install

[root@centos7 aide]$yum install rkhunter

Detection

Run the rkhunker -c command to test the system. RKHunter detection is divided into several parts. The first part mainly detects binary tools of the system, because these tools are the primary infection targets of rootkits. After each test, you need to press Enter to confirm.

[ ok ] means no abnormality
[ no found ] means the tool was not found, ignore it
[ warning ] If it is a red warning, you need to further confirm whether these tools are infected or replaced.

If you want the program to detect automatically instead of asking the user to confirm after each detection, you can use

rkhunter --check --skip-keypress

At the same time, if you want to achieve weekly or monthly automatic detection, you can add it to the scheduled task for automatic execution

crontab -e
1 10 7 * * * root /usr/bin/rkhunter --check --cronjob

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.