Advanced Intrusion Detection Environment (AIDE): An Introduction


Introduction

AIDE (Advanced Intrusion Detection Environment) is an intrusion detection tool whose main purpose is checking file integrity. AIDE builds a database of the files named in its configuration file, aide.conf. The AIDE database can store various attributes of each file, including permissions, inode number, owning user, owning group, file size, last modification time (mtime), inode change time (ctime), last access time (atime), growing size, and link count. AIDE uses the following algorithms to compute a checksum or hash of every file: sha256, sha512, rmd160, haval, gost, crc32 and tiger.
AIDE is a newer tool intended to replace the paid-for commercial software Tripwire.

How file system intrusion detection works:

1. While the system is in a known-good state, compute fingerprints of every system file and store them as a baseline database.

2. Not every file needs a fingerprint: volatile and temporary locations (/var/log, /tmp, /var/tmp, /proc, /sys, /dev/shm, ...) are skipped.

3. To find out whether a file has been changed, compare its current fingerprint with the value recorded in the baseline; every file whose fingerprint differs has been modified.

4. Every day, send the result of the check to the administrator by e-mail or another channel.
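The baseline-and-compare principle in steps 1 to 4, as an added example that is not AIDE's own code: a bash script that fingerprints a directory tree with the attributes AIDE calls p (permissions), u, g and s (size) plus a SHA-256 checksum, skips the volatile paths listed in step 2, and later compares a fresh scan against the saved baseline, reporting added, removed and changed files (step 3). The names build_baseline, check_baseline, is_volatile and VOLATILE_DIRS belong to this example; it needs GNU coreutils (stat -c, sha256sum) and assumes paths without whitespace.

```shell
#!/bin/bash
# Added example of the baseline-and-compare principle; this is not AIDE's
# code. Every regular file below a root directory is recorded with the
# attributes AIDE calls p (permissions), u, g, s (size) plus a sha256
# checksum; volatile paths are skipped; a later scan is compared with the
# stored baseline. Requires GNU coreutils (stat -c, sha256sum). Paths are
# assumed to contain no whitespace.
set -u

# Directories (relative to the scanned root) that are never fingerprinted:
# they change during normal operation and would only produce noise.
VOLATILE_DIRS="var/log tmp var/tmp proc sys dev/shm"

# is_volatile RELPATH: succeed when RELPATH lies under an excluded directory
is_volatile() {
    local rel="$1" d
    for d in $VOLATILE_DIRS; do
        case "$rel" in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# build_baseline ROOT: print one line per regular file, sorted by path:
#   <relpath> <perm> <uid> <gid> <size> <sha256>
build_baseline() {
    local root="$1" rel
    (cd "$root" && find . -type f | sed 's|^\./||' | LC_ALL=C sort) |
    while IFS= read -r rel; do
        is_volatile "$rel" && continue
        printf '%s %s %s\n' "$rel" \
            "$(stat -c '%a %u %g %s' "$root/$rel")" \
            "$(sha256sum "$root/$rel" | cut -d' ' -f1)"
    done
}

# check_baseline ROOT DBFILE: rescan ROOT and compare with the saved baseline.
# Prints "added PATH", "removed PATH" or "changed PATH" per difference and
# returns 0 when nothing differs, 1 otherwise (a simplified aide --check).
check_baseline() {
    local root="$1" db="$2"
    build_baseline "$root" | awk -v db="$db" '
        BEGIN {
            # load the baseline, keyed by path
            while ((getline line < db) > 0) {
                split(line, f, " "); base[f[1]] = line
            }
            close(db)
        }
        {
            if (!($1 in base))       { print "added " $1; n++ }
            else if (base[$1] != $0) { print "changed " $1; n++ }
            delete base[$1]
        }
        END {
            # whatever is left in the baseline no longer exists on disk
            for (p in base) { print "removed " p; n++ }
            exit (n > 0)
        }'
}

# Command-line use: "init ROOT DB" stores a baseline, "check ROOT DB" verifies
case "${1:-}" in
    init)  build_baseline "$2" > "$3" ;;
    check) check_baseline "$2" "$3" ;;
esac
```

Run it once as init against a known-good tree, keep the resulting file somewhere the tree's writers cannot reach, and run check from cron; appending to a file under var/log does not trigger a report, while any change under etc does. AIDE does the same job with many more attributes, a configurable rule per path and a compressed database.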

Installation

AIDE can be installed directly from the distribution repository:

admin@debian ~> sudo aptitude  install aide
The following NEW packages will be installed:
  aide aide-common{a} 
0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/836 kB of archives. After unpacking 2,416 kB will be used.
Do you want to continue? [Y/n/?] 

During installation the standard configuration files are generated automatically, as shown below:

Creating config file /etc/aide/aide.conf.d/30_aide_apache2 with new version

Creating config file /etc/aide/aide.conf.d/31_aide_console-log with new version

Creating config file /etc/aide/aide.conf.d/31_aide_anacron with new version

Creating config file /etc/aide/aide.conf.d/31_aide_torrus with new version

Creating config file /etc/aide/aide.conf.d/70_aide_dev with new version

Creating config file /etc/aide/aide.conf.d/31_aide_amanda-client with new version

Creating config file /etc/aide/aide.conf.d/31_aide_privoxy with new version

Creating config file /etc/aide/aide.conf.d/31_aide_apache with new version

Creating config file /etc/aide/aide.conf.d/31_aide_fcron with new version

Creating config file /etc/aide/aide.conf.d/31_aide_x11-xkb-utils with new version

Creating config file /etc/aide/aide.conf with new version

Creating config file /etc/aide/aide.settings.d/31_aide_svn-server_settings with new version

Creating config file /etc/aide/aide.settings.d/31_aide_apt_settings with new version

Creating config file /etc/aide/aide.settings.d/31_aide_trac_settings with new version

Creating config file /etc/aide/aide.settings.d/10_aide_sourceslist with new version

Creating config file /etc/cron.daily/aide with new version

All of these configuration files are generated by the aide-common package, which also ships aideinit, the initialisation helper for aide, to make it easier to use.

Configuring AIDE

AIDE's configuration file is located at /etc/aide/aide.conf

The default configuration file:

# AIDE conf

# The daily cron job depends on these paths
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
database_new=file:/var/lib/aide/aide.db.new
gzip_dbout=yes

# Set to no to disable summarize_changes option.
summarize_changes=yes

# Set to no to disable grouping of files in report.
grouped=yes

# standard verbose level
verbose = 6

# Set to yes to print the checksums in the report in hex format
report_base16 = no

# if you want to sacrifice security for speed, remove some of these
# checksums. Whirlpool is broken on sparc and sparc64 (see #429180,
# #420547, #152203).
Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger

# The checksums of the databases to be printed in the report
# Set to 'E' to disable.
database_attrs = Checksums

# check permissions, owner, group and file type
OwnerMode = p+u+g+ftype

# Check size and block count
Size = s+b

# Files that stay static
InodeData = OwnerMode+n+i+Size+l+X
StaticFile = m+c+Checksums

# Files that stay static but are copied to a ram disk on startup
# (causing different inode)
RamdiskData = InodeData-i

# Check everything
Full = InodeData+StaticFile

# Files that change their mtimes or ctimes but not their contents
VarTime = InodeData+Checksums

# Files that are recreated regularly but do not change their contents
VarInode = VarTime-i

# Files that change their contents during system operation
VarFile = OwnerMode+n+l+X

# Directories that change their contents during system operation
VarDir = OwnerMode+n+i+X

# Directories that are recreated regularly and change their contents
VarDirInode = OwnerMode+n+X

# Directories that change their mtimes or ctimes but not their contents
VarDirTime = InodeData

# Logs are special: they are continuously written to, may be compressed,
# have their file names changed in different, mutually incompatible ways
# and appear and vanish at will. Handling this is a complex and error-
# prone issue.
#
# This is best broken down in a number of small tasks:
#
#
# (A)
# While a live log is being written to, it doesn't change its mode and
# inode and its size only increases.
#
# (B)
# When a live log is rotated for the first time, it should not change
# its mode, may change its inode, and its size decreases. The size
# decrease may not be noticed by aide if the file had size x at the last
# aide run, was rotated in the mean time and was written to so that it
# had a size > x at the next aide run.
#
# (C)
# When a log is compressed, this looks to aide like the uncompressed
# file vanished (or was replaced by another file) and the compressed
# file appeared out of the blue. There is (currently) no way to
# associate the (gone) uncompressed file's contents with the (new)
# compressed file's contents
#
# (D)
# The actual log rotation may rename foo.{x}.bar to foo.{x+1}.bar without
# changing the other properties of the file
#
# (E)
# If only a given number of log generations is to be kept, foo.{y}.bar may
# vanish, but usually only when no foo.{z}.bar exists for z>y.
#
# (F)
# The set of files foo.{x}.bar to foo.{y}.bar is called a "log series"
# in aide terms, with the lowest x being called the "LoSerMember" element
# and the highest y being called the "HiSerMember" element, and the z
# with x<z<y simple called "SerMember". The Lo and Hi members need to
# be special cased in aide configuration.
#
#
# This is an example of the normal life of a log named foo in a logrotate
# configuration using a configuration at it is commonly used in Debian
# (from old to new):
#     1 logrotate deletes HiSerMember foo.{y}.gz
#     2 logrotate rotates SerMember foo.{z-1}.gz to foo.{z}.gz for all
#       z with 3<z<=y. This includes rotation of foo.{y-1}.gz to
#       foo.{y}.gz and foo.2.gz to foo.3.gz
#     3 logrotate compresses foo.1 to foo.2.gz, creating LoSerMember foo.2.gz
#     4 logrotate rotates foo to foo.1 (a simple rename)
#     5 logrotate creates new, empty foo
#     6 foo daemon logs to foo - foo grows in size
#
# we need the following rules:
# /var/log/foo$ Log
# /var/log/foo$ FreqRotLog
#    this takes care of the growing live log (step 7). The "Log" rule
#    is appropriate for logs that are not rotated daily as rotation
#    might be reported (if the file size has decreased since the last
#    aide run). For daily rotated logs, the "FreqRotLog" may be more
#    appropriate.
# /var/log/foo\.1$ LowLog
#    this takes care of step 5.
# /var/log/foo\.2\.gz$ LoSerMemberLog
#    this allows yet unknown new files to appear with a \.2\.gz extension,
#    covering step 3.
# /var/log/foo\.[3..y-1]\.gz$ SerMemberLog
#    this watches the log files as they wander through the Series,
#    changing only their file name but not their contents or metadata,
#    covering step 2.
#    Please note that [3..y-1] needs to be a manually crafted regexp covering
#    all numbers between 3 and y-1.
# /var/log/foo\.y\.gz$ HiSerMemberLog
#    finally, the last element of the Series is allowed to vanish without
#    being reported, covering step 1.
#
# Please note that these example rules need to be adapted to the logrotate
# configuration for the log. Compression may be disabled or lead to a different
# extension, the dateext option may be used, old logs might be held in a
# different place, a log series does not necessarily need to be compressed etc.
#
# Please note that savelog rotates the live log to .0 and not to .1 as it
# is logrotates (changeable) default.


# Logs grow in size. Log rotation of these logs will be reported, so
# this should only be used for logs that are not rotated daily.
Log = OwnerMode+n+S+X

# Logs that are frequently rotated
FreqRotLog = Log-S

# The first instance of a rotated log: After the log has stopped being
# written to, but before rotation
LowLog = Log-S

# Rotated logs change their file name but retain all their other properties
SerMemberLog  = Full+I

# The first instance of a compressed, rotated log: After a LowLog was
# compressed.
LoSerMemberLog = SerMemberLog+ANF

# The last instance of a compressed, rotated log: After this name, a log
# will be removed
HiSerMemberLog = SerMemberLog+ARF

# Not-yet-compressed log created by logrotate's dateext option:
# These files appear one rotation (renamed from the live log) and are gone
# the next rotation (being compressed)
LowDELog = SerMemberLog+ANF+ARF

# Compressed log created by logrotate's dateext option: These files appear
# once and are not touched any more.
SerMemberDELog = Full+ANF

# For daemons that log to a variable file name and have the live log
# hardlinked to a static file name
LinkedLog = Log-n

Following the explanations in the configuration file, you write the files to be monitored, together with the level at which to monitor them, into the configuration file.

For example, to monitor every configuration file under /etc as thoroughly as possible, write:

/etc Full

Following the notes in the configuration file, log files can be monitored as well, and a regular expression can be used to pinpoint a file precisely:

/var/log/foo$ Log

Here, Full and Log are both rule names; the relevant excerpt of the configuration file is:

Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger

# check permissions, owner, group and file type
OwnerMode = p+u+g+ftype

# Check size and block count
Size = s+b

# Files that stay static
InodeData = OwnerMode+n+i+Size+l+X
StaticFile = m+c+Checksums

# Check everything
Full = InodeData+StaticFile

The available attributes are listed below (see also the online manual):

# Here are all the things we can check - these are the default rules
#
#p:      permissions
#ftype:  file type
#i:      inode
#n:      number of links
#l:      link name
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#I:      ignore changed filename
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum
#haval:  haval checksum
#crc32:  crc32 checksum
#R:      p+ftype+i+l+n+u+g+s+m+c+md5
#L:      p+ftype+i+l+n+u+g
#E:      Empty group
#>:      Growing file p+ftype+l+u+g+i+n+S
#The following are available if you have mhash support enabled:
#gost:   gost checksum
#whirlpool: whirlpool checksum
#The following are available and added to the default groups R, L and >
#only when explicitly enabled using configure:
#acl:    access control list
#selinux SELinux security context
#xattrs: extended file attributes
#e2fsattrs: file attributes on a second extended file system

# You can also create custom rules - my home made rule definition goes like this
MyRule = p+i+n+u+g+s+b+m+c+md5+sha1
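To make the rule algebra of the two previous excerpts concrete (Full = InodeData+StaticFile, RamdiskData = InodeData-i, the atomic attributes above), here is an added example, not part of AIDE, that expands a rule name into the atomic attributes aide will actually check, applying + and - from left to right as aide.conf does. The rule table is a constructed subset of the definitions quoted on this page; X is treated as atomic because its definition is not in the quoted fragment. The function names lookup_rule, expand_rule and attrs_csv are this example's own.

```shell
#!/bin/bash
# Added example, not part of AIDE: expand a rule name from the Debian
# aide.conf into the atomic attributes AIDE will check, applying "+" (add
# a group) and "-" (remove a group) left to right.
set -u

# Constructed subset of the rule definitions quoted above. Any name with no
# definition here (p, u, sha256, X, ...) is treated as an atomic attribute.
AIDE_RULES='
Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger
OwnerMode = p+u+g+ftype
Size = s+b
InodeData = OwnerMode+n+i+Size+l+X
StaticFile = m+c+Checksums
RamdiskData = InodeData-i
Full = InodeData+StaticFile
VarTime = InodeData+Checksums
VarInode = VarTime-i
Log = OwnerMode+n+S+X
FreqRotLog = Log-S
MyRule = p+i+n+u+g+s+b+m+c+md5+sha1
'

# lookup_rule NAME: print the right-hand side of NAME's definition, or
# nothing when NAME is undefined (i.e. it is an atomic attribute).
lookup_rule() {
    printf '%s\n' "$AIDE_RULES" |
        sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# expand_rule NAME: print NAME's atomic attributes, one per line, in the
# order AIDE accumulates them, without duplicates.
expand_rule() {
    local name="$1" rhs tok sign term attr result=""
    rhs=$(lookup_rule "$name")
    if [ -z "$rhs" ]; then
        printf '%s\n' "$name"
        return 0
    fi
    # "A+B-C" becomes the tokens "+A" "+B" "-C"; the first term is added
    for tok in $(printf '+%s' "$rhs" | sed 's/\([+-]\)/ \1/g'); do
        sign=${tok%"${tok#?}"}   # first character: + or -
        term=${tok#?}            # the rule or attribute name
        if [ "$sign" = "+" ]; then
            result="$result
$(expand_rule "$term")"
        else
            # "-" removes every attribute the subtracted group expands to
            for attr in $(expand_rule "$term"); do
                result=$(printf '%s\n' "$result" | grep -v -x -- "$attr")
            done
        fi
    done
    printf '%s\n' "$result" | sed '/^$/d' | awk '!seen[$0]++'
}

# attrs_csv NAME: the same expansion as one comma-separated line, handy for
# putting two rules side by side
attrs_csv() {
    expand_rule "$1" | paste -sd, -
}
```

With attrs_csv Full the output is p,u,g,ftype,n,i,s,b,l,X,m,c,sha256,sha512,rmd160,haval,gost,crc32,tiger, which is what the line /etc Full commits aide to storing and comparing for every file below /etc; attrs_csv FreqRotLog shows that Log-S keeps owner, mode, link count and X but gives up on size, which is why it is suitable for logs rotated every day.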

Initialising the database

Initialise the database with aide's -i option:

sudo aide -c /etc/aide/aide.conf -i

admin@debian ~> sudo aide -c /etc/aide/aide.conf -i
Start timestamp: 2018-01-08 01:29:02 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new
Verbose level: 6

Number of entries:      51972

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new
  RMD160   : DNBI9Ac01S2jSxe61datOzbAy0A=
  TIGER    : rnQ7OHB3rqryyWHf9qAIo7LmU7rmer0/
  SHA256   : 3/oFTjV+IIkHpeb5JwcRpdbkot5EEWEf
             U83L3ng5ZSc=
  SHA512   : ZzAOSgA3l2GYXYXCUrJCAkjP+UWruyNz
             6WC2HkKJT3XzjLKwVyPSLvq/+YbcymTY
             HMRhJi1jsYNssiHPaKD9wQ==
  CRC32    : jkFdSw==
  HAVAL    : uc8r8sSDbIAWzz2mGBLiBVIplZKnmd6F
             mYTF2cwMf5I=
  GOST     : hn7RfiLqK53ufMUz7ko99L+dzQlcEsnz
             s6FR76hjp1Y=


End timestamp: 2018-01-08 01:31:21 -0500 (run time: 2m 19s)

After initialisation, the newly written database has to be copied into place as the reference database that the check reads:

cd /var/lib/aide/
sudo cp aide.db.new aide.db

Checking whether files have been tampered with

Use the -C option (or --check) to check whether any file has been tampered with.

admin@debian /v/l/aide> sudo aide -c /etc/aide/aide.conf  -C
Start timestamp: 2018-01-08 02:06:11 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
Verbose level: 6

Number of entries:      51972

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db
  RMD160   : DNBI9Ac01S2jSxe61datOzbAy0A=
  TIGER    : rnQ7OHB3rqryyWHf9qAIo7LmU7rmer0/
  SHA256   : 3/oFTjV+IIkHpeb5JwcRpdbkot5EEWEf
             U83L3ng5ZSc=
  SHA512   : ZzAOSgA3l2GYXYXCUrJCAkjP+UWruyNz
             6WC2HkKJT3XzjLKwVyPSLvq/+YbcymTY
             HMRhJi1jsYNssiHPaKD9wQ==
  CRC32    : jkFdSw==
  HAVAL    : uc8r8sSDbIAWzz2mGBLiBVIplZKnmd6F
             mYTF2cwMf5I=
  GOST     : hn7RfiLqK53ufMUz7ko99L+dzQlcEsnz
             s6FR76hjp1Y=


End timestamp: 2018-01-08 02:08:32 -0500 (run time: 2m 21s)

The output can also be written to a file of your choosing, for example:

sudo aide -c /etc/aide/aide.conf  -C --report=file:/tmp/aide-report-`date +%Y%m%d`.txt

The level of detail in the report is controlled with the -V option; the level ranges from 0 to 255, where -V0 is the most terse and -V255 the most detailed.

When system files have been changed legitimately, use --update to refresh the database:

# If the change is legitimate, fold it into the baseline database
aide --update -c /etc/aide/aide.conf
cd /var/lib/aide/
# Replace the old database with the new one
mv aide.db.new aide.db
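As an added example that is neither Debian's cron job nor part of AIDE, the following bash wrapper performs the check described above, writes the report into a directory that is not world-writable instead of /tmp, and decodes aide's exit status. For --check and --update, AIDE 0.16 exits with 0 when nothing differs and otherwise with the sum of 1 (new files), 2 (removed files) and 4 (changed files); values 14 to 19 signal errors such as a configuration error (17). REPORT_DIR and the function names describe_aide_status, needs_attention and run_aide_check are this example's assumptions; AIDE_CONF and the aide options are the ones used on this page.

```shell
#!/bin/bash
# Added example: a wrapper around "aide -C" that keeps the report outside
# /tmp and decodes aide's exit status. Not part of AIDE or of Debian's
# /etc/cron.daily/aide. AIDE 0.16 exit status for --check/--update:
#   0 = no differences; otherwise 1 (new) + 2 (removed) + 4 (changed);
#   14..19 = error conditions (e.g. 17 configuration error, 18 IO error).
set -u

AIDE_CONF=/etc/aide/aide.conf                 # path used on this page
REPORT_DIR=${REPORT_DIR:-/var/log/aide}       # assumed location; adjust

# describe_aide_status CODE: one-line summary of an aide exit status
describe_aide_status() {
    local code="$1" parts=""
    if [ "$code" -eq 0 ]; then
        printf 'no differences\n'
        return 0
    fi
    if [ "$code" -ge 14 ]; then
        printf 'aide error (exit status %s)\n' "$code"
        return 0
    fi
    # decode the bitmask
    [ $((code & 1)) -ne 0 ] && parts="$parts new-files"
    [ $((code & 2)) -ne 0 ] && parts="$parts removed-files"
    [ $((code & 4)) -ne 0 ] && parts="$parts changed-files"
    printf 'differences:%s\n' "$parts"
}

# needs_attention CODE: succeed when an administrator should read the report
# (any difference, and any error, deserves a look)
needs_attention() {
    [ "$1" -ne 0 ]
}

# run_aide_check: run the check, keep a dated report, print a summary and
# return aide's own exit status so callers (cron, a mail hook) can act on it
run_aide_check() {
    local report status
    mkdir -p "$REPORT_DIR" && chmod 0700 "$REPORT_DIR"
    report="$REPORT_DIR/aide-report-$(date +%Y%m%d).txt"
    aide -c "$AIDE_CONF" -C --report="file:$report"
    status=$?
    printf '%s: %s\n' "$report" "$(describe_aide_status "$status")"
    # step 4 of the principle: hand $report to your mail or alerting tool
    # here when needs_attention "$status" succeeds
    return "$status"
}
```

Replacing aide.db after --update stays a deliberate, manual step: only do it once every reported difference has been accounted for, and keep a copy of aide.db where a process able to rewrite the monitored files cannot also rewrite the baseline (read-only media or another host), because a baseline the intruder can regenerate proves nothing.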

About aide-common

aide-common is a component Debian provides to make deploying aide easier. It contains the aideinit script, the update-aide.conf script that generates the configuration automatically, and a set of standard configuration files under /etc/aide/aide.conf.d.

In practice you can simply run

# aideinit -y

This generates the aide.conf.autogenerated configuration file under /var/lib/aide/ and creates the databases aide.db.new and aide.db.

Generating aide.conf.autogenerated depends on the files in the /etc/aide/aide.conf.d directory. If you accidentally delete one of them, reinstalling the aide-common package restores it.

While running aideinit you may run into syntax errors. The output usually lets you locate the offending line of aide.conf.autogenerated, which you can then inspect and fix.

References

  1. https://www.iamle.com/archives/1664.html (partly outdated)
  2. https://www.cyberciti.biz/faq/debian-ubuntu-linux-software-integrity-checking-with-aide/
  3. https://www.linux.com/learn/weekend-project-intrusion-detection-linux-AIDE