Category: LINUX
2008-09-11 09:26:59
A deployment plan for AIDE in a secure web environment
1. About AIDE:
AIDE (Advanced Intrusion Detection Environment) is a file integrity checker. It builds a database of the files you specify, and it reads its configuration from aide.conf. The database records each file's attributes, including: permissions, inode number, owning user, owning group, file size, last modification time (mtime), creation time (ctime), last access time (atime), growing size, and link count.
2. Design:
1) Experiments showed that an aide binary compiled once can be used on any host running the same operating system.
2) To minimise the impact on the remote servers, aide is not compiled on them; the pre-built binary is copied over instead:
Linux hosts use: aide-noninstall-linux.tar.gz
FreeBSD hosts use: aide-noninstall-freebsd.tar.gz
3) Run /path/to/aide -i on each remote host to generate its initial aide database, then from 10.0.153.34 (the local monitoring host) back up every server's initial database with scp.
4) On a schedule, the monitoring host fetches each remote host's new aide database with scp and compares it against the initial database (aide_compare.sh); any differences trigger an alert mail.
5) If the contents of an alert mail turn out not to be the result of an unauthorised operation or an intrusion, the initial database is replaced with the new one.
3. Installing AIDE
1) Software required
mhash-0.9.6.tar.gz
aide-0.11.tar.gz
bison-2.0.tar.gz
flex-2.5.4a.tar.gz
2) Installation
2.1) Build the prerequisites (bison and flex)
tar zxvf bison-2.0.tar.gz
tar zxvf flex-2.5.4a.tar.gz
cd bison-2.0
./configure --help
./configure
make
make install
make clean
cd ../flex-2.5.4
./configure
make
make install
make clean
cd ..
2.2) Build mhash and aide (aide is linked statically against the mhash build tree, which is assumed to be unpacked under /tmp)
tar zxvf mhash-0.9.6.tar.gz
tar zxvf aide-0.11.tar.gz
cd mhash-0.9.6
./configure --prefix=/usr/local/mhash \
--enable-static=yes --enable-shared=no
make
make install
cd ../aide-0.11
./configure --prefix=/home/livedoorcn/var/aide \
--with-extra-libs=-L/tmp/mhash-0.9.6/lib/.libs \
--with-extra-includes=-I/tmp/mhash-0.9.6/lib --without-zlib
make
make install
2.3) The local build is complete.
Resulting file layout:
aide/bin/aide
aide/etc/aide.conf
4. Configuring AIDE:
1) aide.conf
aide.conf on the monitoring host:
verbose=5
report_url=stdout
All=R+a+sha1+rmd160
/bin All
/sbin All
/usr/bin All
/usr/sbin All
/usr/local/bin All
/usr/local/sbin All
aide.conf on the remote hosts:
database=file:///home/livedoorcn/var/aide/old.db
database_new=file:///home/livedoorcn/var/aide/new.db
database_out=file:///home/livedoorcn/var/aide/db.new
verbose=5
report_url=stdout
All=R+a+sha1+rmd160
/etc/hosts.* All
/etc/passwd All
/etc/master.passwd All
/etc/shadow All
/etc/in.* All
/etc/rc.* All
/bin All
/sbin All
/usr/bin All
/usr/sbin All
/usr/local/bin All
/usr/local/sbin All
Use the following commands to find the setuid and setgid files on the server and append them to the aide.conf above:
find / -perm -4000 -type f -print 2>/dev/null
find / -perm -2000 -type f -print 2>/dev/null
Package the aide builds from the local Linux and FreeBSD machines separately:
on Linux: tar -zcvf aide-noninstall-linux.tar.gz /usr/local/aide/
on FreeBSD: tar zcvf aide-noninstall-freebsd.tar.gz aide/
5. Deploying aide to the remote hosts
5.1) A script copies aide-noninstall-linux.tar.gz or aide-noninstall-freebsd.tar.gz to each remote host according to its OS (Linux or FreeBSD) and unpacks it into /usr/local/aide
5.2) A script creates the aide data directory /home/livedoorcn/var/aide/ on every host
5.3) A script runs the aide initialisation command on every host:
/usr/local/aide/bin/aide -c /usr/local/aide/etc/aide.conf -i
6. Monitoring the remote hosts' files from the local monitoring host
6.1) A script copies /home/livedoorcn/var/aide/db.new from every remote server to the monitoring host and renames it in the form $ip.original.db
6.2) The monitoring host runs the aide script aide_compare.sh:
#!/bin/sh
# aide_compare.sh
# huangzb@livedoor.cn
#
# Runs on the monitoring host.  For every remote host: rebuild the AIDE
# database over ssh, fetch it with scp, compare it against the stored
# baseline ($ip.original.db) and mail the report if differences are found.

# bin/aide and etc/aide.conf below are relative to the aide install directory.
cd /usr/local/aide || exit 1

date_time=`date +"%F %H:%M:%S JST"`
iplist="10.0.153.100
10.0.153.101
10.0.153.102
10.0.153.117
10.0.153.118
10.0.153.119
10.0.153.120
10.0.153.121
10.0.153.122
10.0.153.124
10.0.153.125
10.0.153.128
10.0.153.138
10.0.153.26
10.0.153.27
10.0.153.28
10.0.153.29
10.0.153.30
10.0.153.31
10.0.153.36
10.0.153.37
10.0.153.39
10.0.153.41
10.0.153.42
10.0.153.43
10.0.153.46
10.0.153.47
10.0.153.48
10.0.153.53
10.0.153.54
10.0.153.55
10.0.153.57
10.0.153.61
10.0.153.62
10.0.153.63
10.0.153.64
10.0.153.67
10.0.153.69
10.0.153.70
10.0.153.72
10.0.153.73
10.0.153.74
10.0.153.75
10.0.153.76
10.0.153.77
10.0.153.78
10.0.153.79
10.0.153.88
10.0.153.89
10.0.153.90
10.0.153.91
10.0.153.92
10.0.153.34
10.0.153.38
10.0.153.123
10.0.153.126"

for ip in $iplist
do
    #----------------------------------------
    # Report header
    ip_addr=$ip
    reportfile=/usr/local/aide/$ip.report
    : > "$reportfile"
    echo "From : $ip_addr" >> "$reportfile"
    echo "State : Report" >> "$reportfile"
    echo "ReportBy: /usr/local/aide/aide_compare.sh" >> "$reportfile"
    echo "DateTime: $date_time" >> "$reportfile"
    echo "Info : groupName/Liujun" >> "$reportfile"
    echo "" >> "$reportfile"
    echo "" >> "$reportfile"
    #----------------------------------------
    # Rebuild the database on the remote host (aide -i writes database_out, i.e. db.new)
    ssh root@$ip /usr/local/aide/bin/aide -c /usr/local/aide/etc/aide.conf -i
    # Fetch it and compare it against this host's stored baseline
    scp root@$ip:/home/livedoorcn/var/aide/db.new /home/livedoorcn/var/aide/$ip.new.db
    bin/aide --before="database=file:/home/livedoorcn/var/aide/$ip.original.db" \
        --before="database_new=file:/home/livedoorcn/var/aide/$ip.new.db" \
        -c etc/aide.conf --compare >> "$reportfile"
    # Strip the db_* lines and the lines ending in "for r" from the report before mailing
    grep -v '^db_' "$reportfile" | grep -v 'for r$' > /tmp/aidemail.tmp
    cat /tmp/aidemail.tmp > "$reportfile"
    # AIDE prints "AIDE found differences between the two databases!!" when the databases differ
    ErrNum=`grep -c differences "$reportfile"`
    if [ "${ErrNum}" -gt 0 ]
    then
        mail -s "!*Warning:Server $ip maybe attack for some change*!" huangzb@livedoor.cn < "$reportfile"
    fi
done
The deployment described above takes roughly two days.
7. Example of the resulting alert mail:
From : 10.0.153.100
State : Report
ReportBy: /usr/tmp/huangzb/aide/aide_compare.sh
DateTime: 2006-05-26 16:22:10 JST
Info : groupName/Liujun
AIDE found differences between the two databases!!
Start timestamp: 2006-05-26 16:22:11
Summary:
Total number of files: 12
Added files: 10
Removed files: 0
Changed files: 2
---------------------------------------------------
Added files:
---------------------------------------------------
added:/tmp/ae/060525
added:/tmp/ae/10.0.153.100
added:/tmp/ae/www
added:/tmp/ae/www/cc
added:/tmp/ae/www/cc/dsfsf
added:/tmp/ae/www/cc/dsfsf/dsfsf
added:/tmp/ae/www/cc/dsfsf/dsfsf/touch.txt
added:/tmp/ae/hhhh
added:/tmp/ae/zzz
added:/tmp/ae/060526
---------------------------------------------------
Changed files:
---------------------------------------------------
changed:/tmp/ae
changed:/tmp/ae/100
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /tmp/ae
Atime : 2006-05-24 12:08:07 , 2006-05-26 16:28:54
Mtime : 2006-05-24 12:08:02 , 2006-05-26 12:23:50
Ctime : 2006-05-24 12:08:02 , 2006-05-26 12:23:50
Linkcount: 2 , 3
File: /tmp/ae/100
Permissions: -rw-r--r-- , -rwxrwxrwx
Uid : 0 , 99
Ctime : 2006-05-24 12:08:02 , 2006-05-26 10:40:02
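The mail above is plain text, so the operator has to read every report to decide whether it is the step 5) "update the baseline" case or a real incident. As an added example (not from the original post, and not an AIDE feature), the following Python code parses the report format shown above and triages it: the summary counts, the added/removed/changed lists and the per-attribute old/new pairs are extracted, then graded so that an atime-only touch ranks below a change of permissions, ownership or checksum. SAMPLE_REPORT is the mail body from this section re-typed inline; the severity classes are an assumed policy, not anything AIDE defines.

```python
"""Added example, not part of the original post: parse the text AIDE prints for
'--compare' (the format of the sample mail above) and triage it.  SAMPLE_REPORT
is the post's mail body re-typed here; the severity policy is an assumption."""
import re

SAMPLE_REPORT = """\
AIDE found differences between the two databases!!
Start timestamp: 2006-05-26 16:22:11
Summary:
Total number of files: 12
Added files: 10
Removed files: 0
Changed files: 2
---------------------------------------------------
Added files:
---------------------------------------------------
added:/tmp/ae/060525
added:/tmp/ae/10.0.153.100
added:/tmp/ae/www
added:/tmp/ae/www/cc
added:/tmp/ae/www/cc/dsfsf
added:/tmp/ae/www/cc/dsfsf/dsfsf
added:/tmp/ae/www/cc/dsfsf/dsfsf/touch.txt
added:/tmp/ae/hhhh
added:/tmp/ae/zzz
added:/tmp/ae/060526
---------------------------------------------------
Changed files:
---------------------------------------------------
changed:/tmp/ae
changed:/tmp/ae/100
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /tmp/ae
Atime : 2006-05-24 12:08:07 , 2006-05-26 16:28:54
Mtime : 2006-05-24 12:08:02 , 2006-05-26 12:23:50
Ctime : 2006-05-24 12:08:02 , 2006-05-26 12:23:50
Linkcount: 2 , 3
File: /tmp/ae/100
Permissions: -rw-r--r-- , -rwxrwxrwx
Uid : 0 , 99
Ctime : 2006-05-24 12:08:02 , 2006-05-26 10:40:02
"""

# Assumed triage policy: which attribute changes count as high or medium.
HIGH_ATTRS = {"Permissions", "Uid", "Gid", "Size", "Inode", "MD5", "SHA1", "RMD160"}
MEDIUM_ATTRS = {"Mtime", "Ctime", "Linkcount"}


def parse_report(text):
    """Return summary counts, added/removed/changed lists and {path: {attr: (old, new)}}."""
    report = {"summary": {}, "added": [], "removed": [], "changed": [], "details": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(Added|Removed|Changed) files:\s*(\d+)$", line)
        if m:
            report["summary"][m.group(1).lower()] = int(m.group(2))
            continue
        m = re.match(r"^(added|removed|changed):(.+)$", line)
        if m:
            report[m.group(1)].append(m.group(2))
            continue
        if line.startswith("File:"):
            current = line[len("File:"):].strip()
            report["details"][current] = {}
            continue
        # "Attr : old , new" lines; the values may themselves contain ':' (timestamps)
        m = re.match(r"^(\w+)\s*:\s*(.*?)\s*,\s*(.*)$", line)
        if m and current is not None:
            report["details"][current][m.group(1)] = (m.group(2), m.group(3))
    return report


def grade(report):
    """high: checksum/owner/permission change; medium: mtime/ctime/linkcount or add/remove; low: atime only."""
    attrs = set().union(*report["details"].values())
    if attrs & HIGH_ATTRS:
        return "high"
    if attrs & MEDIUM_ATTRS or report["added"] or report["removed"]:
        return "medium"
    if attrs:
        return "low"
    return "clean"


def newly_world_writable(report):
    """Changed files whose new mode grants write to 'other' where the old mode did not."""
    hits = []
    for path, diffs in report["details"].items():
        if "Permissions" in diffs:
            old, new = diffs["Permissions"]
            if len(new) == 10 and new[8] == "w" and not (len(old) == 10 and old[8] == "w"):
                hits.append(path)
    return hits


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(r["summary"], grade(r), newly_world_writable(r))
```

On the sample mail this grades the report "high": /tmp/ae/100 went from root-owned mode 644 to uid 99 with mode 777, which is exactly the kind of change that should not be cleared by simply refreshing the baseline in step 5).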