FileIntegrityAIDE

From the Ubuntu Chinese wiki

Introduction

One of the many possible layers of security which may be applied to your Ubuntu computer is known as file integrity monitoring, or file integrity verification.

The purpose of monitoring and/or verifying the integrity of key files including system binaries, and configuration files is to ensure the files have not been altered by unauthorized means.

The unauthorized alteration of certain system files is one of the symptoms of an active attack, or compromise upon a system.

Using file integrity monitoring is a pro-active means of being aware of any changes to critical system files.

As with most tools, and utilities in the GNU/Linux community, there exist many different applications for use in monitoring, and verifying the integrity of files on your Ubuntu system.

  • This guide will mention some of these tools, and go on to discuss installation, configuration, and usage of the tools on an Ubuntu system.
Available Tools

While there are a dozen or more solutions for monitoring and verifying the integrity of critical files on a GNU/Linux computer system, this guide focuses only on the Advanced Intrusion Detection Environment (AIDE) utility.

Other possible tools, and utilities for monitoring, and/or verifying file integrity will be listed in the Resources section of this guide, however.

The exploration, and use of these tools is left as an exercise for the reader of this guide.

AIDE

The Advanced Intrusion Detection Environment (AIDE) is a free replacement for the popular file integrity verification tool Tripwire.

It creates a database from regular expression rules that it finds in a configuration file, and once this database is initialized, it can be used to verify the integrity of critical system, and user files.

AIDE uses most of the popular message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) for checking file integrity. Additional algorithms may also be added easily.

All of the traditional file system attributes may also be checked for inconsistencies.

Installing AIDE

To install AIDE from a terminal prompt, ensure that your Internet connection is working, and enter the following command:

sudo apt-get install aide

Enter your password, and upon successful authentication, the AIDE package should be fetched, and installed.

During installation, an Ubuntu Configuration window will appear notifying you that daily reports are mailed to the root user by default, and that this behavior may be changed by editing the /etc/default/aide configuration file. Press ENTER to acknowledge this message.

You will then be asked if the AIDE database should be initialized. Select Yes here, and press ENTER.

The next confirmation dialog asks you to examine /var/lib/aide/aide.db.new before replacing any existing database. If this is your first time installing AIDE on the system in question, select Yes here, and press ENTER.

Configuring AIDE

There are two primary configuration files for AIDE:

  • /etc/default/aide : the AIDE general configuration file
  • /etc/aide/aide.conf : the AIDE rules configuration file

Some general settings and behaviors of AIDE may be modified by editing the /etc/default/aide configuration file. For example, if you would like all of AIDE's daily reports e-mailed to the user breandon instead of the default root user, use sudo with your favorite editor and modify the line:

MAILTO=root


so that it reflects your choice of user (breandon in our example), as such:

MAILTO=breandon


Read the comments in /etc/default/aide to see what the other configuration directives control, and change them accordingly to suit your installation's requirements.

The other configuration file, /etc/aide/aide.conf controls the rules for the directories, files, and attributes of files which AIDE uses to determine changes when scanning.

For example, in the default /etc/aide/aide.conf file, all member directories and files of the Group definition BinLib are checked for permissions, inode, number of links, user, group, size, block count, mtime, ctime, md5 checksum, and sha1 checksum (p+i+n+u+g+s+b+m+c+md5+sha1) whereas all member directories, and files in the Group definition Databases are checked only for permissions, number of links, user, and group (p+n+u+g).

The member directories of a particular Group definition are added by specifying one entry per line, in the form:

directory Group definition


For example, to make the directory /opt/local/bin part of the BinLib Group definition, a line would be added in the appropriate section of the /etc/aide/aide.conf configuration file resembling the following:

/opt/local/bin BinLib
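As an added illustration (not code from this guide or from AIDE itself), the following Python resolver parses the rule syntax just described from a constructed aide.conf fragment, expands Group definitions (including a group that builds on another group) and reports which attributes AIDE would record for a given path. The group names and paths in the sample are assumed; selection lines are matched here as path prefixes, whereas AIDE itself treats them as regular expressions.

```python
import re

# Constructed aide.conf fragment in the syntax the guide describes: attribute
# groups first, then one "directory Group" selection line per path.
SAMPLE_AIDE_CONF = """
BinLib = p+i+n+u+g+s+b+m+c+md5+sha1
Databases = p+n+u+g
# a group may be built from another group plus extra attributes
Strict = BinLib+sha256
/bin BinLib
/opt/local/bin BinLib
/var/lib/mysql Databases
/usr/local/sbin Strict
"""

def parse_aide_conf(text):
    """Split the text into ({group: [tokens]}, [(path, group)]); comments are dropped."""
    groups, selections = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=\s*(\S+)$", line)
        if m:
            groups[m.group(1)] = m.group(2).split("+")
        else:
            path, group = line.split()
            selections.append((path, group))
    return groups, selections

def resolve(groups, name, seen=()):
    """Expand a group into concrete attribute tokens, following group references."""
    if name in seen:
        raise ValueError("circular group definition: " + name)
    attrs = set()
    for tok in groups[name]:
        attrs |= resolve(groups, tok, seen + (name,)) if tok in groups else {tok}
    return attrs

def attributes_for(path, conf=SAMPLE_AIDE_CONF):
    """Attributes recorded for `path`: the longest selection line prefixing it wins.
    Simplification: real AIDE matches selection lines as regular expressions."""
    groups, selections = parse_aide_conf(conf)
    matches = [(p, g) for p, g in selections
               if path == p or path.startswith(p.rstrip("/") + "/")]
    if not matches:
        return set()                     # path is not covered by any rule
    return resolve(groups, max(matches, key=lambda pg: len(pg[0]))[1])
```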


Another clever use for AIDE is to monitor the system's crontabs. System crontabs define the activities the cron daemon executes on a schedule. To ensure these files are not altered in a way that introduces the automatic, scheduled execution of a malicious application, use the sudo command to edit the /etc/aide/aide.conf file with your favorite editor and locate the following section of the file:

# Check crontabs


Uncomment all of the lines beginning with #/var/spool under the # Check crontabs heading, and save the file. Examine /etc/aide/aide.conf closely, the commented sections in particular, for other possible uses of AIDE, and read the aide.conf manual page and the HTML version of the AIDE manual for further uses that may be specified in this configuration file.

When you've made configuration changes, and you would like them used immediately, issue the following command at the terminal prompt to update the AIDE configuration:

sudo update-aide.conf

Otherwise, AIDE's daily crontab does the same thing: if you have made changes but do not need to run aide manually and immediately, you can be assured that the daily crontab will update the configuration automatically before the daily run of AIDE.

Using AIDE

To begin using AIDE, you must make sure the database is present:

ls /var/lib/aide

If you see the file aide.db in the output of the ls command, proceed to the initialization step. If instead you see the file aide.db.new, rename it to aide.db with this command:

sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Once the AIDE database is in place, you can initialize the database with the following command from a terminal prompt:

sudo aide --init

At the end of this process, you should see the line:

### AIDE database initialized


You may run an initial check of the directories and files as defined in /etc/aide/aide.conf by entering the following command at a terminal prompt:

sudo aide --check

If all is well in the directories and files being monitored, you will see this message when the check completes:

### All files match AIDE database. Looks okay!
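To show what the --init and --check steps actually compare, here is an added Python sketch (not AIDE's own code) that records a constructed rule's attributes for every file under a directory, then re-checks the tree and names the attributes that changed. The rule, the temporary tree and the file contents are all constructed for the demonstration.

```python
import hashlib, os, pathlib, shutil, stat, tempfile

RULE = "p+n+u+g+s+m+sha1"   # constructed rule in aide.conf attribute notation

def snapshot(path, rule=RULE):
    """Record the attributes named in `rule` for one file (what --init stores)."""
    st, rec = os.lstat(path), {}
    fields = {"p": stat.S_IMODE(st.st_mode), "n": st.st_nlink, "u": st.st_uid,
              "g": st.st_gid, "s": st.st_size, "m": int(st.st_mtime)}
    for a in rule.split("+"):
        if a in fields:                 # permissions, links, user, group, size, mtime
            rec[a] = fields[a]
        elif a in ("md5", "sha1"):      # content digests named in the rule
            with open(path, "rb") as f:
                rec[a] = hashlib.new(a, f.read()).hexdigest()
    return rec

def init_db(root, rule=RULE):
    """Walk `root` and build the baseline database (the aide --init step)."""
    return {os.path.relpath(os.path.join(d, n), root): snapshot(os.path.join(d, n), rule)
            for d, _, files in os.walk(root) for n in files}

def check(root, db, rule=RULE):
    """The aide --check step: {relpath: [changed attributes]}; empty means looks okay."""
    now, report = init_db(root, rule), {}
    for rel in sorted(set(db) | set(now)):
        if rel in db and rel in now:
            diff = [a for a in db[rel] if db[rel][a] != now[rel][a]]
        else:
            diff = ["removed" if rel in db else "added"]
        if diff:
            report[rel] = diff
    return report

def demo():
    """Constructed tree: take a baseline, then alter one 'binary' and re-check."""
    root = tempfile.mkdtemp()
    tool = pathlib.Path(root, "tool")
    tool.write_bytes(b"#!/bin/sh\necho ok\n")
    db = init_db(root)
    clean = check(root, db)                                  # {} : all files match
    tool.write_bytes(tool.read_bytes() + b"echo changed\n")  # size and sha1 now differ
    tool.chmod(0o4755)                                       # permissions now differ
    tampered = check(root, db)
    shutil.rmtree(root)
    return clean, tampered
```

Pointing init_db and check at a real directory such as /usr/bin gives the same kind of per-attribute report that AIDE's daily run mails out.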


AIDE will also run each day from the /etc/cron.daily/aide crontab, and the output of this run will be mailed to the user specified in the MAILTO= directive of the /etc/default/aide configuration file as detailed above.

Resources

Additional information on AIDE and on file integrity monitoring and verification is available via the following resources:

Local System Resources

  • man aide : system manual page for the aide command
  • man aide.conf : system manual page for the aide.conf configuration file
  • man aideinit : system manual page for the aideinit command
  • man update-aide.conf : system manual page for the update-aide.conf command
  • /usr/share/doc/aide/manual.html : the AIDE manual in HTML format
  • /etc/default/aide : the AIDE general configuration file
  • /etc/aide/aide.conf : the AIDE rules configuration file
  • /etc/cron.daily/aide : the daily AIDE cron script

Other File Integrity Monitoring and Verification Tools

  • BSign : Corruption and intrusion detection using embedded hashes
  • Integrit : Small footprint, unattended monitoring of file integrity with cascading rulesets Integrit Website
  • Samhain : Standalone, or Client-Server file integrity monitoring solution Samhain Website
  • Systraq : Monitors, and alerts on file changes Systraq Website

WWW Resources

  • AIDE Website
  • Guide on CHKROOTKIT and AIDE