RKHunter: detecting rootkits
RKHunter home page: http://rkhunter.sourceforge.net/
Detailed rootkit write-up (vbird, in Chinese): http://linux.vbird.org/linux_security/0420rkhunter.php
[root@linuxprobe ~]# yum --enablerepo=epel -y install rkhunter
-
Configure and use RKHunter. For routine checks the package installs a script under /etc/cron.daily that cron runs once a day; the settings below control what that daily run does.
[root@linuxprobe ~]# vi /etc/sysconfig/rkhunter
# recipient address for the daily report
MAILTO=root@localhost
# set to "yes" for a more detailed (diagnostic) scan
DIAG_SCAN=no
# update the rootkit signature database
[root@linuxprobe ~]# rkhunter --update
# record a baseline of system file properties (hashes, sizes, permissions).
# Run this only on a host you trust to be clean, and repeat it after every package update;
# otherwise legitimately updated binaries show up as warnings on the next check.
[root@linuxprobe ~]# rkhunter --propupd
# run the check
# --sk (--skip-keypress) runs through without waiting for Enter after each section
# --rwo (--report-warnings-only) prints only the warnings, which is the form to use from scripts
[root@linuxprobe ~]# rkhunter --check --sk
Lynis
Security audit tool Lynis, home page: https://cisofy.com/lynis/
[root@linuxprobe ~]# yum --enablerepo=epel -y install lynis
# run as root so every test can read what it needs; findings are written to
# /var/log/lynis-report.dat and the full log to /var/log/lynis.log
[root@linuxprobe ~]# lynis audit system
Related reading, a Lynis tutorial (in Chinese): http://netsecurity.51cto.com/art/201410/455466.htm
AIDE overview
-
AIDE (Advanced Intrusion Detection Environment) is a host-based intrusion detection tool whose main job is file integrity checking: it records a baseline of file attributes and content hashes in a database and reports every file that has since been added, removed or changed.
-
Install and configure the host-based IDS (intrusion detection system) AIDE
AIDE download: https://sourceforge.net/projects/aide/
[root@linuxprobe ~]# yum -y install aide
-
Configure AIDE and initialize its database. The default configuration works as-is; to customize it, edit the configuration file as shown below. The rule definitions sit at roughly lines 26-84 of the file; use them as reference. Each rule is a "+"-joined list of attributes to watch: p (permissions), u (owner), g (group), i (inode), n (link count), s (size), m (mtime), c (ctime), acl, selinux, xattrs, and hash names such as sha256. The example below deliberately leaves out size, mtime and content hashes for /var/log, because log files are expected to grow; with them in the rule every run would report the logs as changed.
[root@linuxprobe ~]# vi /etc/aide.conf
# for example, change the rule for /var/log
/var/log p+u+g+i+n+acl+selinux+xattrs
# initialize database
[root@linuxprobe ~]# aide --init
AIDE, version 0.15.1
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
# copy the generated DB into place as the reference DB. Anyone with root on this host can
# regenerate it, so also keep a copy of aide.db.gz and /etc/aide.conf off the host (or on
# read-only media) and compare against that copy when a compromise is suspected
[root@linuxprobe ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[root@linuxprobe ~]# aide --check
AIDE, version 0.15.1
### All files match AIDE database. Looks okay!
# as a test, change the mode of one file and run the check again
[root@linuxprobe ~]# chmod 640 /root/anaconda-ks.cfg
[root@linuxprobe ~]# aide --check
# the detected difference is reported as follows
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-27 04:44:55
Summary:
Total number of files: 31983
Added files: 0
Removed files: 0
Changed files: 1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /root/anaconda-ks.cfg
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /root/anaconda-ks.cfg
Perm : -rw------- , -rw-r-----
Ctime : 2016-10-25 04:52:57 , 2016-10-27 04:44:25
ACL : old = A:
----
user::rw-
group::---
other::---
----
D: <NONE>
new = A:
----
user::rw-
group::r--
other::---
----
D: <NONE>
-
If the reported differences are all expected (a change you made yourself, a package update), accept them by updating the database as follows. Read the report first: accepting an unexplained change bakes an attacker's modification into the baseline.
[root@linuxprobe ~]# aide --update
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-27 04:49:12
Summary:
Total number of files: 31983
Added files: 0
Removed files: 0
Changed files: 1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /root/anaconda-ks.cfg
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
...
# aide --update wrote the new baseline to aide.db.new.gz; put it in place as the reference DB
[root@linuxprobe ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
-
To run the check regularly, add it to cron. The log file /var/log/aide/aide.log is overwritten on every run, and when there is no difference it is overwritten with an empty (zero-byte) file, so if you want to keep a history you need a wrapper script that saves each report, or you need to send the result by e-mail or similar. Two things to know about the crontab line below: piping aide into mail discards aide's exit status, and --update writes a fresh aide.db.new.gz every night, which must never be copied over aide.db.gz without reading the report.
# for example, add a daily check to crontab and send the result by e-mail
[root@linuxprobe ~]# vi /etc/cron.d/aide
00 01 * * * /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root
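The following wrapper is an added example, not code from the original page or from the AIDE project. It does what the paragraph above asks for: it keeps every report under a timestamped name, maps AIDE's exit status (0 clean; bits 1, 2 and 4 for added, removed and changed files; 14 and above for a failed run) to a verdict, and mails only when the verdict is not clean. Assumed: aide at /usr/sbin/aide, reports under /var/log/aide, a working mail(1), and the install path /usr/local/sbin/aide-cron.sh; the AIDE_* variables can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the original page): cron wrapper for AIDE.
# It keeps a timestamped copy of every report, so the zero-byte overwrite of
# /var/log/aide/aide.log no longer loses history, and it mails only when AIDE
# reports a difference or fails. Assumptions: aide lives at /usr/sbin/aide,
# reports go under /var/log/aide, and mail(1) can deliver to $AIDE_MAILTO.

AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
AIDE_LOGDIR="${AIDE_LOGDIR:-/var/log/aide}"
AIDE_MAILTO="${AIDE_MAILTO:-root}"

# Turn an AIDE exit status into words. AIDE exits 0 when nothing changed and
# otherwise ORs bit 1 (files added), 2 (removed) and 4 (changed); 14 and above
# mean the run itself failed (bad config, unreadable database, I/O error),
# which must never be treated as "clean".
aide_status_text() {
    s=$1
    if [ "$s" -eq 0 ]; then
        echo clean
        return 0
    fi
    if [ "$s" -ge 14 ]; then
        echo error
        return 0
    fi
    t=""
    if [ $((s & 1)) -ne 0 ]; then t="${t}added,"; fi
    if [ $((s & 2)) -ne 0 ]; then t="${t}removed,"; fi
    if [ $((s & 4)) -ne 0 ]; then t="${t}changed,"; fi
    echo "${t%,}"
}

# Run "$@" (normally: $AIDE_BIN --check) with its output captured in a new
# file $AIDE_LOGDIR/aide-YYYYmmdd-HHMMSS.log. Results are left in the globals
# AIDE_REPORT (path) and AIDE_RC (exit status) so the caller can decide what
# to do; the function itself always returns 0.
aide_run_keep() {
    mkdir -p "$AIDE_LOGDIR"
    AIDE_REPORT="$AIDE_LOGDIR/aide-$(date +%Y%m%d-%H%M%S).log"
    AIDE_RC=0
    "$@" >"$AIDE_REPORT" 2>&1 || AIDE_RC=$?
    return 0
}

# Cron entry point. Uses --check, not --update, so the nightly job never
# produces a candidate database; accepting changes stays a manual step
# (aide --update, then cp aide.db.new.gz aide.db.gz) after the report is read.
aide_cron() {
    aide_run_keep "$AIDE_BIN" --check
    status=$(aide_status_text "$AIDE_RC")
    if [ "$status" != clean ]; then
        mail -s "AIDE on $(uname -n): $status (exit $AIDE_RC)" "$AIDE_MAILTO" <"$AIDE_REPORT"
    fi
    return "$AIDE_RC"
}

# Install as /usr/local/sbin/aide-cron.sh (assumed path) and schedule it:
#   00 01 * * * /usr/local/sbin/aide-cron.sh run
case "${1:-}" in
    run) aide_cron ;;
esac
```

Schedule the `run` argument from cron in place of the bare aide pipeline; when a report shows only expected changes, accept them by hand with aide --update followed by the cp shown earlier. Because the job runs --check rather than --update, a night's run never leaves a database behind that could be copied into place by mistake.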
Tripwire overview
# install from EPEL
[root@linuxprobe ~]# yum --enablerepo=epel -y install tripwire
# generate keys
[root@linuxprobe ~]# tripwire-setup-keyfiles
.....
.....
Enter the site keyfile passphrase:# set site keyfile passphrase
Verify the site keyfile passphrase:# confirm
....
.....
Enter the local keyfile passphrase:# set local keyfile passphrase
Verify the local keyfile passphrase:# confirm
.....
.....
Please enter your site passphrase: # answer with site keyfile passphrase
.....
.....
Please enter your site passphrase: # answer with site keyfile passphrase
.....
.....
[root@linuxprobe ~]# cd /etc/tripwire
[root@linuxprobe tripwire]# vi twcfg.txt
# line 12: report level (4 is max)
REPORTLEVEL =4
# generate config
[root@linuxprobe tripwire]# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase:# answer with site keyfile passphrase
Wrote configuration file: /etc/tripwire/tw.cfg
# trim the policy file with the script below: it comments out every rule whose path does
# not exist on this host, which otherwise fills each report with file-system errors
[root@linuxprobe tripwire]# vi twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
# What it does: rewrites a Tripwire policy (twpol.txt) for this host.
#  - the HOSTNAME line is replaced with the local hostname
#  - inside rule blocks, entries whose path does not exist on this host are
#    commented out and entries whose path does exist are uncommented,
#    so the policy stops producing "file system error" noise for missing files
#
use strict;
use warnings;

my $POLFILE = $ARGV[0] or die "usage: $0 twpol.txt\n";
open(my $POL, '<', $POLFILE) or die "open error: $POLFILE: $!";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my $INRULE = 0;
while (<$POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        # HOSTNAME line: force it to this machine's hostname
        $myhost = `hostname`; chomp($myhost);
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    elsif (/^{/) {          # start of a rule block
        $INRULE = 1;
    }
    elsif (/^}/) {          # end of a rule block
        $INRULE = 0;
    }
    elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $sharp: leading whitespace plus an optional '#', $tpath: the path,
        # $cond: the " -> rule ;" part. Strip any comment marker and remember
        # whether one was there ($ret is the number of substitutions, 0 or 1).
        my $ret = ($sharp =~ s/\#//g);
        if ($tpath eq '/sbin/e2fsadm') {
            # this entry carries a trailing tune2fs clause; comment that part out
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }
        if (! -s $tpath) {
            # path missing (or empty) on this host: comment the entry out if it
            # was active; an entry that was already commented is left as it was
            $_ = "$sharp#$tpath$cond" if ($ret == 0);
        }
        else {
            # path exists on this host: emit the entry uncommented
            $_ = "$sharp$tpath$cond";
        }
    }
    print "$_\n";
}
close($POL);
[root@linuxprobe tripwire]# perl twpolmake.pl twpol.txt > twpol.txt.new
[root@linuxprobe tripwire]# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
# initialize the database (-m i); -s keeps the run silent
[root@linuxprobe tripwire]# tripwire -m i -s -c tw.cfg
Please enter your local passphrase:
-
Run the check manually. (A daily check script run from cron is included in the package.)