
AIDE learning notes - 創新互聯

Reference: http://www.iamle.com/archives/1664.html

創(chuàng)新互聯(lián)建站-專業(yè)網(wǎng)站定制、快速模板網(wǎng)站建設(shè)、高性價比儋州網(wǎng)站開發(fā)、企業(yè)建站全套包干低至880元,成熟完善的模板庫,直接使用。一站式儋州網(wǎng)站制作公司更省心,省錢,快速模板網(wǎng)站建設(shè)找我們,業(yè)務(wù)覆蓋儋州地區(qū)。費用合理售后完善,10余年實體公司更值得信賴。

AIDE is used in much the same way as Tripwire: both build a database of file fingerprints and later compare the live filesystem against it. It is therefore best to install the tool right after the operating system is installed, so that the baseline captures a clean set of file fingerprints; a baseline taken from a host that is already compromised only certifies the compromise. The baseline (and the aide binary itself) also needs protecting, for example by keeping a copy off-host or on read-only media, because an attacker with root can otherwise simply regenerate it.

Installation and configuration

yum -y install aide

The main files are:

Main program: /usr/sbin/aide

Fingerprint database: /var/lib/aide

Logs: /var/log/aide

cp /etc/aide.conf /etc/aide.conf_bak

vim /etc/aide.conf, with the following contents:

#Example configuration file for AIDE.

# baseline database directory
@@define DBDIR /var/lib/aide

# log directory
@@define LOGDIR /var/log/aide

#The location of the database to be read.

# the baseline database that --check reads
database=file:@@{DBDIR}/aide.db.gz

#The location of the database to be written.

#database_out=sql:host:port:database:login_name:passwd:table

#database_out=file:aide.db.new

# the database written by --init and --update
database_out=file:@@{DBDIR}/aide.db.new.gz

#Whether to gzip the output to database

gzip_dbout=yes

#Default.

verbose=5

report_url=file:@@{LOGDIR}/aide.log

report_url=stdout

#report_url=stderr

#NOTIMPLEMENTED report_url=mailto:root@foo.com

#NOTIMPLEMENTED report_url=syslog:LOG_AUTH

#These are the default rules.  The attribute letters are explained below.

#

#p:     permissions

#i:     inode:

#n:     number of links

#u:     user

#g:     group

#s:     size

#b:     block count

#m:     mtime

#a:     atime

#c:     ctime

#S:     check for growing size

#acl:          Access Control Lists

#selinux       SELinux security context

#xattrs:       Extended file attributes

#md5:   md5 checksum

#sha1:  sha1 checksum

#sha256:       sha256 checksum

#sha512:       sha512 checksum

#rmd160:rmd160 checksum

#tiger: tiger checksum

#haval: haval checksum (MHASH only)

#gost:  gost checksum (MHASH only)

#crc32: crc32 checksum (MHASH only)

#whirlpool:    whirlpool checksum (MHASH only)

# Below are the built-in combinations of the attributes above

#R:            p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5

#L:            p+i+n+u+g+acl+selinux+xattrs

#E:            Empty group

#>:            Growing logfile p+u+g+i+n+S+acl+selinux+xattrs

R = p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5

L = p+i+n+u+g+acl+selinux+xattrs

> = p+u+g+i+n+S+acl+selinux+xattrs

#You can create custom rules like this.

#With MHASH...

#ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32

ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger

#Everything but access time (Ie. all changes)

EVERYTHING = R+ALLXTRAHASHES

#Sane, with multiple hashes

#NORMAL = R+rmd160+sha256+whirlpool

NORMAL = R+rmd160+sha256

#For directories, don't bother doing hashes

DIR = p+i+n+u+g+acl+selinux+xattrs

#Access control only

PERMS = p+i+u+g+acl+selinux

#Logfile are special, in that they often change

LOG = >

#Just do md5 and sha256 hashes

LSPP = R+sha256

#Some files get updated automatically, so the inode/ctime/mtime change

#but we want to know when the data inside them changes

DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger

# Below: which directories and files go into the database

#Next decide what directories/files you want in the database.

/boot  NORMAL

/bin   NORMAL

/sbin  NORMAL

/lib   NORMAL

/lib64 NORMAL

/opt   NORMAL

/usr   NORMAL

/root  NORMAL

#These are too volatile

!/usr/src

!/usr/tmp

# A leading ! excludes the path from monitoring; adjust to your own needs
!/usr/share

#Check only permissions, inode, user and group for /etc, but

#cover some important files closely.

/etc   PERMS

!/etc/mtab

#Ignore backup files

!/etc/.*~

/etc/exports NORMAL

/etc/fstab   NORMAL

/etc/passwd  NORMAL

/etc/group   NORMAL

/etc/gshadow NORMAL

/etc/shadow  NORMAL

/etc/security/opasswd  NORMAL

/etc/hosts.allow  NORMAL

/etc/hosts.deny   NORMAL

/etc/sudoers    NORMAL

/etc/skel    NORMAL

/etc/logrotate.d    NORMAL

/etc/resolv.conf    DATAONLY

/etc/nscd.conf    NORMAL

/etc/securetty    NORMAL

#Shell/X starting files

/etc/profile    NORMAL

/etc/bashrc  NORMAL

/etc/bash_completion.d/  NORMAL

/etc/login.defs  NORMAL

/etc/zprofile  NORMAL

/etc/zshrc  NORMAL

/etc/zlogin  NORMAL

/etc/zlogout  NORMAL

/etc/profile.d/    NORMAL

/etc/X11/    NORMAL

#Pkg manager

/etc/yum.conf    NORMAL

/etc/yumex.conf    NORMAL

/etc/yumex.profiles.conf    NORMAL

/etc/yum/    NORMAL

/etc/yum.repos.d/    NORMAL

/var/log  LOG

/var/run/utmp    LOG

#This gets new/removes-old filenames daily

!/var/log/sa

#As we are checking it, we've truncated yesterdays size to zero.

!/var/log/aide.log

#LSPP rules...

#AIDE produces an audit record, so this becomes perpetual motion.

#/var/log/audit/ LSPP

/etc/audit/    LSPP

/etc/libaudit.conf    LSPP

/usr/sbin/stunnel  LSPP

/var/spool/at    LSPP

/etc/at.allow    LSPP

/etc/at.deny    LSPP

/etc/cron.allow    LSPP

/etc/cron.deny    LSPP

/etc/cron.d/    LSPP

/etc/cron.daily/    LSPP

/etc/cron.hourly/    LSPP

/etc/cron.monthly/    LSPP

/etc/cron.weekly/    LSPP

/etc/crontab    LSPP

/var/spool/cron/root    LSPP

/etc/login.defs    LSPP

/etc/securetty    LSPP

/var/log/faillog    LSPP

/var/log/lastlog    LSPP

/etc/hosts    LSPP

/etc/sysconfig    LSPP

/etc/inittab    LSPP

/etc/grub/    LSPP

/etc/rc.d    LSPP

/etc/ld.so.conf    LSPP

/etc/localtime    LSPP

/etc/sysctl.conf    LSPP

/etc/modprobe.conf    LSPP

/etc/pam.d    LSPP

/etc/security    LSPP

/etc/aliases    LSPP

/etc/postfix    LSPP

/etc/ssh/sshd_config    LSPP

/etc/ssh/ssh_config    LSPP

/etc/stunnel    LSPP

/etc/vsftpd.ftpusers    LSPP

/etc/vsftpd    LSPP

/etc/issue    LSPP

/etc/issue.net    LSPP

/etc/cups    LSPP

#With AIDE's default verbosity level of 5, these would give lots of

#warnings upon tree traversal. It might change with future version.

#

#=/lost\+found   DIR

#=/home          DIR

#Ditto /var/log/sa reason...

!/var/log/and-httpd

#Admins dot files constantly change, just check perms

/root/\..* PERMS
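To see why the rule groups in the configuration above (PERMS, NORMAL, DATAONLY, LOG) react differently to different kinds of change, here is an added example that is not code from the original post or from the AIDE project: a toy re-implementation of AIDE's attribute selection in POSIX sh. It assumes GNU coreutils (stat -c, sha256sum, md5sum, touch -d), models only the p/i/n/u/g/s/m/c/S/md5/sha256 attributes (acl, selinux and xattrs are skipped), and builds its own sample file in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post or from the AIDE project:
# a toy version of AIDE's attribute selection, to show why the rule groups
# above (PERMS, NORMAL, DATAONLY, LOG) react differently to different changes.
# Assumes GNU coreutils (stat -c, sha256sum, md5sum, touch -d). Only the
# p/i/n/u/g/s/m/c/S/md5/sha256 attributes are modelled; acl, selinux and
# xattrs are skipped.

# fingerprint FILE ATTRS: print "attr=value ..." for the selected attributes,
# ATTRS written like the config, e.g. p+i+u+g+sha256.
fingerprint() {
  f=$1; out=""
  for a in $(printf '%s' "$2" | tr '+' ' '); do
    case $a in
      p)      v=$(stat -c %a "$f") ;;   # permissions
      i)      v=$(stat -c %i "$f") ;;   # inode
      n)      v=$(stat -c %h "$f") ;;   # link count
      u)      v=$(stat -c %u "$f") ;;   # owner uid
      g)      v=$(stat -c %g "$f") ;;   # group gid
      s|S)    v=$(stat -c %s "$f") ;;   # size (S: may only grow)
      m)      v=$(stat -c %Y "$f") ;;   # mtime
      c)      v=$(stat -c %Z "$f") ;;   # ctime
      md5)    v=$(md5sum "$f" | cut -d' ' -f1) ;;
      sha256) v=$(sha256sum "$f" | cut -d' ' -f1) ;;
      *)      continue ;;               # acl/selinux/xattrs: not modelled
    esac
    out="$out $a=$v"
  done
  printf '%s\n' "${out# }"
}

# get_attr FINGERPRINT KEY: the value recorded for KEY
get_attr() {
  for kv in $1; do
    [ "${kv%%=*}" = "$2" ] && printf '%s' "${kv#*=}"
  done
  return 0
}

# compare OLD NEW: print the attributes that differ. S follows AIDE's
# "growing logfile" rule: a larger size is fine, a smaller one is reported.
compare() {
  changed=""
  for kv in $2; do
    k=${kv%%=*}; nv=${kv#*=}; ov=$(get_attr "$1" "$k")
    if [ "$k" = S ]; then
      [ "$nv" -lt "$ov" ] && changed="$changed $k"
    elif [ "$nv" != "$ov" ]; then
      changed="$changed $k"
    fi
  done
  printf '%s\n' "${changed# }"
}

# has LIST WORD: true if WORD is one of the space-separated tokens in LIST
has() {
  for t in $1; do [ "$t" = "$2" ] && return 0; done
  return 1
}

# scenario CHANGE ATTRS: baseline a constructed sample file with ATTRS, apply
# CHANGE (chmod|touch|append|truncate), print what the rule would report.
scenario() {
  d=$(mktemp -d); f=$d/sample.log
  printf 'line1\nline2\n' > "$f"; chmod 644 "$f"
  base=$(fingerprint "$f" "$2")
  case $1 in
    chmod)    chmod 600 "$f" ;;                         # permission change
    touch)    touch -m -d '2000-01-01 00:00:00' "$f" ;; # mtime only
    append)   printf 'line3\n' >> "$f" ;;               # log grows
    truncate) : > "$f" ;;                               # log wiped
  esac
  compare "$base" "$(fingerprint "$f" "$2")"
  rm -rf "$d"
}

# Example runs (rule strings are the page's groups minus acl/selinux/xattrs):
#   scenario chmod    p+i+u+g            -> p          (PERMS notices)
#   scenario touch    p+i+u+g            -> (nothing)  (PERMS ignores mtime)
#   scenario append   p+n+u+g+s+sha256   -> s sha256   (DATAONLY notices)
#   scenario append   p+u+g+i+n+S        -> (nothing)  (LOG allows growth)
#   scenario truncate p+u+g+i+n+S        -> S          (LOG flags a shrink)
```

The point of the exercise is the one the configuration comments make: PERMS on /etc is cheap and quiet but will not tell you that /etc/hosts gained a line, DATAONLY on /etc/resolv.conf ignores the inode and timestamp churn caused by tools that rewrite the file but still catches a content change, and LOG on /var/log stays silent while a log grows but fires when someone truncates it.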

# Initialize the monitoring database

aide -c /etc/aide.conf --init

This step takes a while. When it finishes, a file named aide.db.new.gz is created under /var/lib/aide. AIDE only ever writes to database_out and never touches the database it reads from, so the copy in the next step is required before --check will work.

# Use the freshly initialized database as the initial baseline

cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

# Run a check and view the result in the terminal

aide --check

Below is part of a screenshot of the result of running aide --check after I added a user account.

[screenshot: AIDE 學習筆記]

# If the changes are confirmed to be legitimate, fold them into the baseline database

aide --update

cd /var/lib/aide/

mv aide.db.new.gz aide.db.gz # replace the old database (keep a dated copy first if you want to compare against the previous baseline later)

# Run a check and save the report to a file

aide --check --report=file:/tmp/aide-report-`date +%Y%m%d`.txt

# Cron job: run the AIDE check every morning and mail the report

echo '0 8 * * * /usr/sbin/aide -C -V4 | mail -s "AIDE REPORT $(date +\%Y\%m\%d)" xxx@gmail.com' >> /var/spool/cron/root

Note: a working mail sending program (MTA) must be configured first. Two details in that line matter: there is a space between date and +, and in a crontab entry every % must be escaped as \%, because cron otherwise turns % into a newline and feeds the rest of the line to the command on stdin. Appending to /var/spool/cron/root bypasses crontab's syntax check; crontab -e is safer.

-C means the same as --check.

-V sets how detailed the report is, on a scale of 0-255: -V0 is the most terse, -V255 the most verbose. (AIDE 0.17 and later dropped the verbose setting in favour of log_level and report_level, so check aide --version before relying on -V.)
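The procedure above (init, promote the new database, check, update, mail the report) fits in one small wrapper script. Here is one as an added example; it is not code from the original post or from the AIDE project. Paths follow the page's aide.conf; the AIDE, CONF, DBDIR, LOGDIR and MAILTO variables are assumptions that can be overridden from the environment. It also fixes two weaknesses of the page's cron one-liner: it mails only when the check found something (or failed), and it keeps a dated copy of the old baseline instead of overwriting it.

```shell
#!/bin/sh
# Added example (not from the original post or the AIDE project): a wrapper
# around the init / check / update procedure above. Paths match the page's
# aide.conf; the variables below are assumptions you can override.
AIDE=${AIDE:-/usr/sbin/aide}
CONF=${CONF:-/etc/aide.conf}
DBDIR=${DBDIR:-/var/lib/aide}
LOGDIR=${LOGDIR:-/var/log/aide}
MAILTO=${MAILTO:-root}

# Decode AIDE's exit status (aide(1)): bit 1 = new files, bit 2 = removed
# files, bit 4 = changed files, combinable; 14 and above is an error, not
# a finding. A plain "aide | mail" pipeline throws this information away.
aide_status() {
  code=$1; s=""
  if [ "$code" -ge 14 ]; then printf 'error(%s)\n' "$code"; return 0; fi
  [ $((code & 1)) -ne 0 ] && s="$s new"
  [ $((code & 2)) -ne 0 ] && s="$s removed"
  [ $((code & 4)) -ne 0 ] && s="$s changed"
  [ -z "$s" ] && s=" clean"
  printf '%s\n' "${s# }"
}

# Promote database_out (aide.db.new.gz) to database (aide.db.gz), keeping a
# dated copy of the previous baseline instead of overwriting it as the
# page's plain "mv" does.
promote_db() {
  dir=${1:-$DBDIR}
  if [ ! -f "$dir/aide.db.new.gz" ]; then
    echo "no new database in $dir" >&2; return 1
  fi
  if [ -f "$dir/aide.db.gz" ]; then
    cp -p "$dir/aide.db.gz" "$dir/aide.db.gz.$(date +%Y%m%d%H%M%S)"
  fi
  mv "$dir/aide.db.new.gz" "$dir/aide.db.gz"
}

# Run "aide --check", keep a dated report, and mail it only when something
# changed or the run failed, so a daily "clean" mail does not train people
# to ignore the report.
run_check() {
  report=$LOGDIR/aide-report-$(date +%Y%m%d).txt
  if "$AIDE" -c "$CONF" --check --report="file:$report"; then code=0; else code=$?; fi
  status=$(aide_status "$code")
  if [ "$status" != clean ]; then
    mail -s "AIDE REPORT $(hostname) $(date +%Y%m%d): $status" "$MAILTO" < "$report"
  fi
  echo "$status"
}

# Build a fresh baseline (only on a known-clean system) and activate it.
run_init() {
  "$AIDE" -c "$CONF" --init && promote_db "$DBDIR"
}

# Accept the current state as the new baseline after reviewing the changes.
# --update exits with the same change bits as --check, so only >= 14 is a failure.
run_update() {
  if "$AIDE" -c "$CONF" --update; then code=0; else code=$?; fi
  if [ "$code" -ge 14 ]; then echo "aide --update failed: $code" >&2; return 1; fi
  promote_db "$DBDIR"
}

case ${1:-} in
  init)   run_init ;;
  check)  run_check ;;
  update) run_update ;;
esac
```

Install it as, for example, /usr/local/sbin/aide-check.sh (an assumed path), then schedule it with crontab -e as `0 8 * * * /usr/local/sbin/aide-check.sh check`; because the date formatting happens inside the script, no % escaping is needed in the crontab line.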



Article title: AIDE learning notes - 創新互聯
Source: http://weahome.cn/article/pidsi.html
