Install the AIDE service to audit a Linux OS.

1. Install the AIDE software.
[root@server7-5499 ~]# yum install aide -y

2. Modify the AIDE configuration file.
Basic configuration:
# Define DB/Log location.
# NOTE(review): the database under DBDIR is the baseline every later
# `aide -C` run is compared against; if it can be rewritten by the same
# privileges that modify the monitored files, a change can be hidden by
# regenerating it. Keep a copy of aide.db.gz on read-only or offline media.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide

# Define DB location and name.
# `database` is the baseline read by `aide -C`; `database_out` is where
# `aide -i` writes a new one (step 4 below moves the new file over the baseline).
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz

# Compress aide DB.
gzip_dbout=yes

# Report verbosity (0-255); 5 is the level used for the sample run below.
verbose=5

# Define generate report write into logs and print in screen.
# Both report_url lines are active: the report is appended to the log file
# AND printed to the terminal.
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout

# Define dirs which you want to audit.
# Next decide what directories/files you want in the database.
# NOTE(review): the sample report below also flags /etc/passwd, /etc/shadow
# and friends, which this excerpt does not list — presumably the full
# configuration on the host contains additional rules; verify before relying
# on this excerpt alone.
/boot   NORMAL
/bin    NORMAL
/sbin   NORMAL
#/lib    NORMAL
#/lib64  NORMAL
#/opt    NORMAL
#/usr    NORMAL
# /root is monitored, so routine shell activity (e.g. /root/.viminfo in the
# sample run) will appear in every report unless excluded.
/root   NORMAL
# These are too volatile
!/usr/src
!/usr/tmp

3. After configuring AIDE, generate (initialize) the AIDE database.
[root@server7-5499 ~]# aide -i

AIDE, version 0.14

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

4. Rename the new database to /var/lib/aide/aide.db.gz, the name given by `database=` in the configuration, so that later checks compare against it.
[root@server7-5499 ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Generate a report against the existing database.


5. Check the report.

[root@server7-5499 ~]# aide -C

AIDE, version 0.14

### All files match AIDE database. Looks okay!

6. Change something to verify that AIDE detects it.
a. Add the user user2.
[root@server7-5499 ~]# useradd -u 10004 -s /sbin/nologin user2

b. Re-run the check. The changes to /etc/passwd, /etc/shadow, /etc/group and their backup copies are the expected result of useradd; the log-file and /root/.viminfo entries are unrelated activity that showed up in the same run.
[root@server7-5499 ~]# aide -C
AIDE found differences between database and filesystem!!
Start timestamp: 2015-04-17 04:16:51

Summary:
  Total number of files:    1815
  Added files:            1
  Removed files:        0
  Changed files:        11


---------------------------------------------------
Added files:
---------------------------------------------------

added: /var/log/httpd/access_log-20150417

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/passwd
changed: /etc/passwd-
changed: /etc/gshadow
changed: /etc/gshadow-
changed: /etc/group-
changed: /etc/shadow-
changed: /etc/shadow
changed: /etc/group
changed: /var/log/httpd/access_log
changed: /root
changed: /root/.viminfo

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /etc/passwd
  Size     : 1339                             , 1386
  Mtime    : 2015-04-17 02:09:33              , 2015-04-17 04:16:22
  Ctime    : 2015-04-17 02:09:33              , 2015-04-17 04:16:22
  Inode    : 25609                            , 25599
  MD5      : d+FKjnPVooobLRWIOQVHNQ==         , MvDGwK3/gRL50jgog6EACQ==
  RMD160   : 8YG5pF836arLZv21lTV+yqy2168=     , VSNqhtinLe/sr8uXAYyA0oR+fSs=
  SHA256   : INjoll/4rmfwEsOYToLMeNBJ8L/mfUxQ , tCOa5LDpBxfTfdCmbc8sbQkdcJCbFg1W

File: /etc/passwd-
  Size     : 1294                             , 1339
  Mtime    : 2015-04-03 02:27:33              , 2015-04-17 02:09:33
  Ctime    : 2015-04-17 02:09:33              , 2015-04-17 04:16:22
  MD5      : /00yqCUwzu/+80x3VOAuJg==         , d+FKjnPVooobLRWIOQVHNQ==
  RMD160   : rZODe9EDMan8u2ZqGWimvk2bLvw=     , 8YG5pF836arLZv21lTV+yqy2168=
  SHA256   : 7IVctSIG7Qw5zYavDOlFqAtDJrDGnklQ , INjoll/4rmfwEsOYToLMeNBJ8L/mfUxQ

File: /etc/gshadow
  Size     : 498                              , 508
  Mtime    : 2015-04-17 02:09:33              , 2015-04-17 04:16:22
  Ctime    : 2015-04-17 02:09:33              , 2015-04-17 04:16:22
  Inode    : 25534                            , 25311
  MD5      : L6+T3NkFFkABarfcq2c4CQ==         , T1TJBYLW6bOfDXRmlGa6gg==
  RMD160   : DpgU5yThE0X5w7okjgWxuwHqzXA=     , ibpE8mR6MV+8w7Voifbo4bzbxR8=
  SHA256   : mT0lKR8rEv7aevcdmx8EJiFrppYNmXzD , zlbrYjEj+lFUR7ZVkcpBbgpv2GS6S/W6

File: /etc/gshadow-
  Size     : 488                              , 498
  Mtime    : 2015-04-03 02:27:33              , 2015-04-17 02:09:33
  Ctime    : 2015-04-17 02:09:33              , 2015-04-17 04:16:22
  MD5      : 6jpjE5dvxH/QyhmmkGPtfQ==         , L6+T3NkFFkABarfcq2c4CQ==
  RMD160   : BN7h6wDeG9Xyj07tJOinZUqt6+w=     , DpgU5yThE0X5w7okjgWxuwHqzXA=
  SHA256   : M1AdyyijKDEbD7jlHgzqHP6MD+53iGMg , mT0lKR8rEv7aevcdmx8EJiFrppYNmXzD

File: /etc/group-
  Size     : 594                              , 608
  Mtime    : 2015-04-03 02:27:33              , 2015-04-17 02:09:33
  Ctime    : 2015-04-17 02:09:33              , 2015-04-17 04:16:22
  MD5      : WrPAJ/80hAgvRGRPk6bDXg==         , XhF8M1FnvxQV01xWfQvtzA==
  RMD160   : mBJff/Xi0fN2bmekHpuz9gJOItg=     , JWBfvVU6VslOSv7ED7kh0cDM6Wg=
  SHA256   : QFlMvKnLkOEBiMyxvlwgQbrIDxkWzAL4 , s/36GkNID/mhdjANgxx5v2h82/XS17/C

File: /etc/shadow-
  Size     : 723                              , 751
  Mtime    : 2015-04-03 02:27:33              , 2015-04-17 02:09:33
  Ctime    : 2015-04-17 02:09:33              , 2015-04-17 04:16:22
  MD5      : A8Zb/ckBsHBtsk8mq76zxQ==         , 3aUQZa/Rm4M2dM2OCuki8w==
  RMD160   : ZlrkTM5D1FApq0jzXOMzJAj8f/Y=     , 9pLx0kdQ2xUXHoyna9DL5DFMAeM=
  SHA256   : iiOhA9Tmtq486nMVSKvFO0QluRkAnilR , 3KETpurrzpBFAMBqeY8ieDscEpL9X9Fu

File: /etc/shadow
  Size     : 751                              , 779
  Mtime    : 2015-04-17 02:09:33              , 2015-04-17 04:16:22
  Ctime    : 2015-04-17 02:09:33              , 2015-04-17 04:16:22
  Inode    : 25536                            , 25602
  MD5      : 3aUQZa/Rm4M2dM2OCuki8w==         , 4sl4OTMZdUxLFy8F5o1MIQ==
  RMD160   : 9pLx0kdQ2xUXHoyna9DL5DFMAeM=     , mrOgJ9i5zr2adGqFXHNVsnszQrg=
  SHA256   : 3KETpurrzpBFAMBqeY8ieDscEpL9X9Fu , Uf0sxciwL16vT0plQeWLS8Kltd93F64t

File: /etc/group
  Size     : 608                              , 623
  Mtime    : 2015-04-17 02:09:33              , 2015-04-17 04:16:22
  Ctime    : 2015-04-17 02:09:33              , 2015-04-17 04:16:22
  Inode    : 25311                            , 25536
  MD5      : XhF8M1FnvxQV01xWfQvtzA==         , jLMJugOfdQRDiiqFvUUSBg==
  RMD160   : JWBfvVU6VslOSv7ED7kh0cDM6Wg=     , MY2+zs+5bSFXKOddHkDBxanlunY=
  SHA256   : s/36GkNID/mhdjANgxx5v2h82/XS17/C , NjUENRSrdD7bg31irex1ME7YWZHidVPK

File: /var/log/httpd/access_log
  Size     : 730                              , 0
  Inode    : 266417                           , 266453

Directory: /root
  Mtime    : 2015-04-17 04:05:56              , 2015-04-17 04:15:20
  Ctime    : 2015-04-17 04:05:56              , 2015-04-17 04:15:20

File: /root/.viminfo
  Inode    : 25306                            , 25269
[root@server7-5499 ~]#
