[Translated] 20141008 How to configure a host intrusion detection system on CentOS.md

This commit is contained in:
GOLinux 2014-10-11 09:46:11 +08:00
parent 8bd13824f6
commit 89785a619e
2 changed files with 125 additions and 126 deletions

View File

@ -1,126 +0,0 @@
Translating by GOLinux!
How to configure a host intrusion detection system on CentOS
================================================================================
One of the first safety measures that any sysadmin may want to implement in their production servers is a mechanism to detect file tampering - not only the content of files, but also their attributes.
[AIDE][1] (short for "Advanced Intrusion Detection Environment") is an open source host-based intrusion detection system. AIDE checks the integrity of system binaries and essential configuration files by checking for inconsistencies in a number of file attributes, including permissions, file type, inode, number of links, link name, user, group, file size, block count, mtime, atime, ctime, acl, SELinux security context, xattrs, and md5/sha checksums.
AIDE builds a database of file attributes by scanning the file system of a (untampered) Linux server. It then checks the server's file attributes against the database, and alerts of any changes made to the indexed files while the server is running. For this very reason, AIDE must reindex protected files every time the system is updated or configuration files are changed for legitimate reasons.
For some clients, their security policies may mandate some sort of IDS installed on their servers. But whether a client requires it or not, it's a good sysadmin practice to have IDS in place.
### Installing AIDE on CentOS or RHEL ###
An initial installation (along with the first run) of AIDE is best performed in a system where the operating system has just been installed, and none of the services is exposed to the Internet or even to a local area network. At this early stage, we can minimize the risk of any break-ins and tampering attempts coming from outside. In fact, it is the only way to ensure that the system is clean at the time AIDE builds its initial database.
For that reason, after we install AIDE using:
# yum install aide
we need to unplug our machine from the network, and perform some basic configuration tasks as described next.
### Configuring AIDE ###
The default configuration file can be found in /etc/aide.conf. This file presents several example protection rules (e.g., FIPSR, NORMAL, DIR, DATAONLY), each of which is followed by an equal sign and a list of file attributes to check for, or any predefined rules (delimited by a plus sign). You can also define any custom rules using this format.
![](https://farm3.staticflickr.com/2947/15446746115_7d0a291b0a_o.png)
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
NORMAL = FIPSR+sha512
For example, the above means that NORMAL rule will check for inconsistencies in the following attributes: permissions (p), inode (i), number of links (n), user (u), group (g), size (s), mtime (m), ctime (c), ACL (acl), SELinux (selinux), xattrs (xattr), SHA256/SHA512 checksums (sha256 and sha512).
The defined rules can be used for different directories and files (denoted with regular expressions) flexibly.
![](https://farm6.staticflickr.com/5601/15259978179_f93b757c56_o.png)
An exclamation sign (!) preceding an entry tells AIDE to ignore a subdirectory (or files inside a directory) for which another rule can be defined.
In the above example, PERMS is the default rule for /etc and its subdirectories and files. However, no rule will be applied to backup files in /etc (i.e., /etc/.*~) nor to /etc/mtab file. For some selective subdirectories or files in /etc, NORMAL rule is applied instead, overriding the default rule PERMS.
Defining and applying the right rules to the right locations in your system is perhaps the most difficult part of using AIDE, but using a good judgement is a nice start. As a rule of thumb, do not check for more attributes than necessary. For example, checking mtime for files inside /var/log or /var/spool will certainly result in a lot of false positives because there are many applications and daemons often writing to these locations, which is perfectly fine. In addition, checking for multiple checksums may enhance security at the expense of AIDE's increased running time.
Optionally, you can have the results of the check mailed to you if you specify your email address with the MAILTO variable. Place the following line anywhere in /etc/aide.conf.
MAILTO=root@localhost
### Running AIDE for the First Time ###
Run the following command to initialize the AIDE database:
# aide --init
![](https://farm3.staticflickr.com/2942/15446399402_198472e983_o.png)
The /var/lib/aide/aide.db.new.gz file, as per /etc/aide.conf, needs to be renamed to /var/lib/aide/aide.db.gz, so as to enable AIDE to read it:
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide.db.gz
Now it's time to perform our first system check against the database. For that, simply run:
# aide
When called with no options, AIDE assumes --check.
If no change was made since the database had been created, AIDE will finish with an OK message.
![](https://farm3.staticflickr.com/2948/15260041950_f568b3996a_o.png)
### Managing AIDE in a Production Environment ###
After constructing an initial AIDE database, you often need to update a protected server for various legitimate reasons as part of ongoing system administration activities. Every time your server has been updated, you must re-build the AIDE database to incorporate the change in the database. For that, use this command:
# aide --update
To protect a production system with AIDE, it is probably best to schedule a cron job for checking for any inconsistencies with AIDE periodically. For example, to schedule AIDE to run and have the result mailed to an email address on a daily basis:
# crontab -e
----------
0 0 * * * /usr/sbin/aide --check | /usr/bin/mail -s "AIDE run for $HOSTNAME" your@email.com
### Testing AIDE for File Tampering ###
The following test scenarios will demonstrate how AIDE check the integrity of our files.
#### Test Scenario 1 ####
Let's add a new file (e.g., /etc/fake).
# cat /dev/null > /etc/fake
![](https://farm3.staticflickr.com/2941/15260140358_f1d758d354_o.png)
#### Test Scenario 2 ####
Let's change file permissions, and see if it can be detected.
# chmod 644 /etc/aide.conf
#### Test Scenario 3 ####
Finally, let's change file content (e.g., adding a comment line to /etc/aide.conf)
echo "#This is a comment" >> /etc/aide.conf
![](https://farm4.staticflickr.com/3936/15259978229_3ff1ea950e_b.jpg)
In the screenshot above, the first column shows the file attributes, the second column the values present in the AIDE database, and the third column the updated values for those attributes. An empty space in the third columns indicates that the attribute has not changed (ACL in this example).
### Conclusion ###
If you ever find yourself in a situation where you have good reasons to think that a system has been tampered with, but are unable to determine what might have been changed at first sight, a host-based intrusion detection system like AIDE can be very helpful in that it can help you quickly identify what has changed instead of guessing and wasting valuable time.
--------------------------------------------------------------------------------
via: http://xmodulo.com/host-intrusion-detection-system-centos.html
作者:[Gabriel Cánepa][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[a]:http://xmodulo.com/author/gabriel
[1]:http://aide.sourceforge.net/

View File

@ -0,0 +1,125 @@
在CentOS上配置主机入侵检测系统
================================================================================
所有系统管理员想要在他们生产服务器上部署的第一个安全手段之一,就是检测文件篡改的机制——不仅仅是文件内容,而且也包括它们的属性。
[AIDE][1] “高级入侵检测环境”的简称是一个开源的基于主机的入侵检测系统。AIDE通过检查大量文件属性的不一致性来检查系统二进制文件和基本配置文件的完整性这些文件属性包括权限、文件类型、索引节点、链接数、链接名、用户、组、文件大小、块计数、修改时间、添加时间、创建时间、acl、SELinux安全上下文、xattrs以及md5/sha校验和在内。
AIDE通过扫描一台未被篡改的Linux服务器的文件系统来构建文件属性数据库以后将服务器文件属性与数据库中的进行校对然后在服务器运行时对修改过的索引的文件发出警告。处于这个原因AIDE必须在系统更新后或其配置文件进行合法修改后重新对受保护的文件做索引。
对于某些客户,他们可能会根据他们的安全策略在他们的服务器上强制安装某种入侵检测系统。但是,不管客户是否要求,系统管理员都部署一个入侵检测系统,这通常是一个很好的做法。
### 安装AIDE到CentOS或RHEL ###
AIDE的初始安装同时是首次运行最好是在系统刚安装完后并且没有任何服务暴露在互联网甚至是局域网中。在这个早期阶段我们可以将来自外部的一切闯入和破坏风险降到最低限度。事实上这也是确保系统在AIDE构建其初始数据库时保持干净的唯一途径。
出于上面的原因在安装完AIDE后我们可以执行下面的命令
# yum install aide
我们需要将我们的机器从网络断开,并实施下面所述的一些基本配置任务。
### 配置AIDE ###
默认配置文件是/etc/aide.conf该文件介绍了几个示例保护规则如FIPSRNORMALDIRDATAONLY各个规则后面跟着一个等于号以及要检查的文件属性列表或者某些预定义的规则由+分隔)。你也可以使用此种格式自定义规则。
![](https://farm3.staticflickr.com/2947/15446746115_7d0a291b0a_o.png)
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
NORMAL = FIPSR+sha512
例如上面的例子说明NORMAL规则将检查下列属性的不一致性权限p、索引节点i、链接数n、用户u、组g、大小s、修改时间m、创建时间c、ACLacl、SELinuxselinux、xattrsxattr、SHA256/SHA512校验和sha256和sha512
定义的规则可灵活地用于不同的目录和文件(用正则表达式表示)。
![](https://farm6.staticflickr.com/5601/15259978179_f93b757c56_o.png)
条目之前的感叹号告诉AIDE忽略子目录或目录中的文件对于这些可以另外定义规则。
在上面的例子中PERMS是用于/etc机器子目录和文件的默认规则。然而没有规则将用于/etc中的备份文件如/etc/.*~),也没有规则用于/etc/mtab文件。对于/etc中的一些选择性的子目录或文件NORMAL规则会被应用覆盖默认规则PERMS。
定义并应用正确的规则到系统中正确的位置是使用AIDE最难的一部分但作出好的判断是一个良好的开始。作为首要的一条规则不要检查不必要的属性。例如检查/var/log或/var/spool里头的文件的修改时间将导致大量误报因为许多的应用程序和守护进程经常会写入内容到该位置而这些内容都没有问题。此外检查多个校验和可能加强安全性但随之而来的是AIDE的运行时间的增加。
你可以选择将检查结果发送到你的邮箱如果你使用MAILTO变量指定了电子邮件地址。将下面这一行放到/etc/aide.conf中的任何位置即可。
MAILTO=root@localhost
### 首次运行AIDE ###
运行以下命令来初始化AIDE数据库
# aide --init
![](https://farm3.staticflickr.com/2942/15446399402_198472e983_o.png)
根据/etc/aide.conf生成的/var/lib/aide/aide.db.new.gz文件需要被重命名为/var/lib/aide/aide.db.gz,以便AIDE能读取它
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide.db.gz
现在,是时候来将我们的系统与数据库进行第一次校对了。任务很简单,只需运行:
# aide
在没有选项时AIDE假定使用了--check选项。
如果在数据库创建后没有对系统做过任何修改AIDE将会以OK信息来结束本次校对。
![](https://farm3.staticflickr.com/2948/15260041950_f568b3996a_o.png)
### 生产环境中管理AIDE ###
在构建了一个初始AIDE数据库后作为不断推进的系统管理活动你常常需要处于某些合法的理由更新受保护的服务器。每次服务器更新后你必须重新构建AIDE数据库以更新数据库内容。要完成该任务请执行以下命令
# aide --update
要使用AIDE保护生产系统可能最好通过任务计划调用AIDE来周期性检查不一致性。例如要让AIDE每天运行一次并将结果发送到邮箱
# crontab -e
----------
0 0 * * * /usr/sbin/aide --check | /usr/bin/mail -s "AIDE run for $HOSTNAME" your@email.com
### 测试AIDE检查文件篡改 ###
下面的测试环境将演示AIDE是如何来检查文件的完整性的。
#### 测试环境 1 ####
让我们添加一个新文件(如/etc/fake
# cat /dev/null > /etc/fake
![](https://farm3.staticflickr.com/2941/15260140358_f1d758d354_o.png)
#### 测试环境 2 ####
让我们修改文件权限,然后看看它是否被检测到。
# chmod 644 /etc/aide.conf
#### 测试环境 3 ####
最后,让我们修改文件内容(如,添加一个注释行到/etc/aide.conf
echo "#This is a comment" >> /etc/aide.conf
![](https://farm4.staticflickr.com/3936/15259978229_3ff1ea950e_b.jpg)
上面的截图中第一栏显示了文件的属性第二栏是AIDE数据库中的值而第三栏是更新后的值。第三栏中空白部分表示该属性没有改动如本例中的ACL
### 结尾 ###
如果你曾经发现你自己有很好的理由相信系统被入侵了但是第一眼又不能确定到底哪些东西被改动了那么像AIDE这样一个基于主机的入侵检测系统就会很有帮助了因为它可以帮助你很快识别出哪些东西被改动过而不是通过猜测来浪费宝贵的时间。
--------------------------------------------------------------------------------
via: http://xmodulo.com/host-intrusion-detection-system-centos.html
作者:[Gabriel Cánepa][a]
译者:[GOLinux](https://github.com/GOLinux)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[a]:http://xmodulo.com/author/gabriel
[1]:http://aide.sourceforge.net/