//安装aide
root@storagesrv:/#apt install aide
//aide的配置文件在/etc/aide下,aide.conf文件中配置了检测的信息,而aide.conf.d下面有默认的系统检测规则
root@storagesrv:/etc/aide# ls -l total 16 -rw-r--r-- 1 root root 6601 May 11 21:59 aide.conf drwxr-xr-x 2 root root 4096 May 11 22:29 aide.conf.d drwxr-xr-x 2 root root 4096 May 11 07:31 aide.settings.d
//可以在aide.conf.d下面新建一个规则文件,前面的编号决定了优先级,若是属性在配置文件中没有定义,初始化数据库会失败
root@storagesrv:/etc/aide/aide.conf.d# cat 10_aide_test /mut/crypt StaticFile
//初始化数据库,每次修改了配置和规则都需要重新初始化数据库
root@storagesrv:/etc/aide/aide.conf.d# aideinit -y -f Running aide --init... Start timestamp: 2021-05-11 22:29:38 -0400 (AIDE 0.16.1) AIDE initialized database at /var/lib/aide/aide.db.new Verbose level: 6 Number of entries: 147985 --------------------------------------------------- The attributes of the (uncompressed) database(s): --------------------------------------------------- /var/lib/aide/aide.db.new RMD160 : KZ9hFLrL0mc+cW0oHzy0ro88RgM= TIGER : 8aqwbHfBUD4uG+cgSdnbTjr0OmOwcfHj SHA256 : 29W1GDCbbzuw78I4pZjhYe8iD9V44HKc JgkYhtO5PlE= SHA512 : xUO66cqT3rrydGY5/YLQQ0uhW8cxEeka 3t0yXHrQmowzhIiiGVUTLvmaraza5/ja ZCNadU9drsb8PfRHRdjVfg== CRC32 : z7Flew== HAVAL : GNZaJWOZTjQhMj78j7PQShUqZIDZsgXa vZopd0lsAQY= GOST : x0dRsg5PodXwKqzhFluAaeBimddIv5Ct hJO9I/YoNCM= End timestamp: 2021-05-11 22:38:29 -0400 (run time: 8m 51s)
//在/var/lib/aide中有aide初始化后生成的文件,aide.conf.autogenerated更新后生成的配置文件,里面有新添加的规则
root@storagesrv:/var/lib/aide# cat aide.conf.autogenerated | grep crypt /@@{ROOTPREFIX}mut/crypt StaticFile
//初始化的数据库为aide.db.new,拷贝为aide.db
root@storagesrv:/var/lib/aide# cp aide.db.new aide.db
//将配置复制回/etc/aide下
root@storagesrv:/etc/aide# cp /var/lib/aide/aide.conf.autogenerated aide.conf
//在检测目录下创建文件
root@storagesrv:/var/lib/aide# cd /mut/crypt/ root@storagesrv:/mut/crypt# touch test{1..5} root@storagesrv:/mut/crypt# ls -l -rw-r--r-- 1 root root 0 May 11 23:29 test1 -rw-r--r-- 1 root root 0 May 11 23:29 test2 -rw-r--r-- 1 root root 0 May 11 23:29 test3 -rw-r--r-- 1 root root 0 May 11 23:29 test4 -rw-r--r-- 1 root root 0 May 11 23:29 test5
//执行一次性扫描
root@storagesrv:/mut/crypt# aide.wrapper Start timestamp: 2021-05-11 23:29:50 -0400 (AIDE 0.16.1) AIDE found differences between database and filesystem!! Verbose level: 6 Summary: Total number of entries: 147991 Added entries: 6 Removed entries: 0 Changed entries: 6 --------------------------------------------------- Added entries: --------------------------------------------------- f++++++++++++++++: /etc/aide/aide.conf.bak f++++++++++++++++: /mut/crypt/test1 f++++++++++++++++: /mut/crypt/test2 f++++++++++++++++: /mut/crypt/test3 f++++++++++++++++: /mut/crypt/test4 f++++++++++++++++: /mut/crypt/test5 --------------------------------------------------- Changed entries: --------------------------------------------------- d =.... mc.. .. .: /etc/aide f >b... mc..C.. .: /etc/aide/aide.conf d mc : /mut/crypt d =.... mc.. .. .: /root f <b... mci.C.. .: /root/.viminfo f =.... mc..... .: /var/lib/systemd/timers/stamp-anacron.timer --------------------------------------------------- Detailed information about changes: --------------------------------------------------- Directory: /etc/aide Mtime : 2021-05-11 22:44:06 -0400 | 2021-05-11 22:56:51 -0400 Ctime : 2021-05-11 22:44:06 -0400 | 2021-05-11 22:56:51 -0400 File: /etc/aide/aide.conf Size : 6601 | 42964 Bcount : 16 | 88 Mtime : 2021-05-11 21:59:05 -0400 | 2021-05-11 22:57:09 -0400 Ctime : 2021-05-11 21:59:05 -0400 | 2021-05-11 22:57:09 -0400 RMD160 : qg6gTepXW1gAJf3jNEaGSAp40pA= | TcvzR4pijuFu6MoeFmAAz9gxQ9M= TIGER : bo3B7Uq4pbJTaLwZoO4VrrNiRXZ9qv+w | ckiWoT3V4YZPcZGpTKDyaorhdQxwjWPn SHA256 : eutwzJ6JMx6rY3HOSYOd0AMVfIIMhVA/ | HIVzlNqm+UHE9nIm+xta4shAoQlQT7x1 JL64qomJoJc= | H0L67RGCsfg= SHA512 : a/hC/sXXG8lpSIwX7LqzYSMKeSJm3SPA | sDALST+o0uJ7RKyrcOuBdGkXpm0eoqDA aqiecNU+TXqGtzvWCwKT7vRzf0OWnyW/ | XgvQxnAgyPUj+cBIJO82gWo2l41IUjQq jyE+lJwlsFpB6K9L7Gk8lQ== | y2OfPpDhK1vm5hUO04xXNw== CRC32 : tbIxEQ== | fgq/eA== HAVAL : 8Sb71hV6Ol97jYle+cD9W8R7kNlHyPeX | Rxe5CUJ6TD0X6P2TWiD9tkKVQ7KiUE2Y rGZzKLahUlY= | RsEcsNeue1o= GOST : oqnFZQROwa5ruRGCvSH3NNOMesXpBSm9 | jmaJ1EJKRjRWVSyMl30MznLoC4hS/a3x EENDKvIBoJs= | OKMOp/ajOOg= Directory: /mut/crypt Mtime : 2021-05-11 22:42:29 -0400 | 2021-05-11 23:29:04 -0400 Ctime : 2021-05-11 22:42:29 -0400 | 2021-05-11 23:29:04 -0400 Directory: /root Mtime : 2021-05-11 22:44:47 -0400 | 2021-05-11 22:54:34 -0400 Ctime : 2021-05-11 22:44:47 -0400 | 2021-05-11 22:54:34 -0400 File: /root/.viminfo Size : 12480 | 12141 Bcount : 32 | 24 Mtime : 2021-05-11 22:44:47 -0400 | 2021-05-11 22:54:34 -0400 Ctime : 2021-05-11 22:44:47 -0400 | 2021-05-11 22:54:34 -0400 Inode : 529960 | 529959 RMD160 : ZfhzKEuYUNbc4QhcAjpwzsal+GE= | K7Jj3i9F6jIH80zCV1LNvc9WVdo= TIGER : 4TXFRKUe+gl4D/Wa1mDq2MDUeCgx990C | UGvU2l2vwRjHK8T6w9S85kGB6tEiVT4W SHA256 : fdgDFBjXRR+YE6CDRRGZ1TqI9oXgEFQf | bEtvk+3ek7lch8B/6zkAdpvmhokDnzOo nGkymGJxs9A= | v6l3Hu5IJhI= SHA512 : BxlsYnEPaq3hJVoEHxDmICKn0twptltA | qgmRrjh7jj5+kzpUctxbOpON/GuqctY1 Xs/MojJ4NFeQuwSdvCuY43bkDnQkobAW | W39ZU+1wBJEoO47MIWz+hhlLmmXVjvFw lcEAFFFX8ryHMzPO2TZIig== | CowAI6vqGh9ob5ahqjS6cg== CRC32 : BbQyDQ== | sNq00g== HAVAL : A0oMbik/8XE7YtScj6IqYIQlq5wwQxMv | 6uTf16rM1661GTbLdAGFIC4qzb4KbQsb TYz6Sh5WwBo= | /TrwgyAbCG8= GOST : f6SpuAIHKqtwpJpZmFpJ7LBqDAKdxEqR | Vmm8zia19s7fsWaBUP96xESgQKDkmKkH O8VGlgdOrBc= | P0lSF50TswU= File: /var/lib/systemd/timers/stamp-anacron.timer Mtime : 2021-05-11 22:34:55 -0400 | 2021-05-11 23:31:27 -0400 Ctime : 2021-05-11 22:34:55 -0400 | 2021-05-11 23:31:27 -0400 --------------------------------------------------- The attributes of the (uncompressed) database(s): --------------------------------------------------- /var/lib/aide/aide.db RMD160 : XLnxa8vT6YLymOP5fHGqcv68L1s= TIGER : LolS9xoFuRPDzzMj554mUJmUfCxkK6YF SHA256 : RntkidsvUEeXp4ZLog2M/1luqeQ3GN81 lFS4aBs3xIw= SHA512 : xAxb9yFaGKNiAooUr6A9tmiNAANzNCpa QrtdTRPuEEpA3eqxX9H/PC8JgEWzih2h Kpn9FA2/pmv9B+XCz/CnEA== CRC32 : LF1YNw== HAVAL : 6c24iUP3sbn40RsY/yGK9ljv/DZQsASm Y+sTgZp82ho= GOST : lEat2jtjjcQWlBZ2oXEzCSgd+HwNWkaA xbqLm4TKl90= End timestamp: 2021-05-11 23:38:46 -0400 (run time: 8m 56s)
//其他:
//其他的基本配置可以在default下面配置,同时创建了一个计划任务cron
root@storagesrv:~# vim /etc/default/aide root@storagesrv:~# vim /etc/cron.daily/aide
