This post was last edited by zhaorong on 2017-3-9 15:26
RKHunter: detecting rootkits
RKHunter homepage: http://rkhunter.sourceforge.net/
Rootkits explained in detail: http://linux.vbird.org/linux_security/0420rkhunter.php
Installing RKHunter
```
[root@linuxprobe ~]# yum --enablerepo=epel -y install rkhunter
```
Configuring and using RKHunter. For routine checks, a check script is installed in the cron.daily directory and run by cron every day.
```
[root@linuxprobe ~]# vi /etc/sysconfig/rkhunter
# recipient address for report
MAILTO=root@localhost
# if specified "yes", scan in more detail
DIAG_SCAN=no
# update database
[root@linuxprobe ~]# rkhunter --update
# update system file properties
[root@linuxprobe ~]# rkhunter --propupd
# execute checking
# --sk skips the "press Enter" prompts between sections
# if specified --rwo, display only warnings
[root@linuxprobe ~]# rkhunter --check --sk
```
Lynis
Security auditing tool Lynis: https://cisofy.com/lynis/
Installing Lynis
```
[root@linuxprobe ~]# yum --enablerepo=epel -y install lynis
```
Using Lynis
```
[root@linuxprobe ~]# lynis audit system
```
Related documentation, Lynis tutorial: http://netsecurity.51cto.com/art/201410/455466.htm
AIDE overview
AIDE (Advanced Intrusion Detection Environment) is an intrusion detection tool whose main purpose is checking file integrity.
Installing and configuring the host-based IDS (intrusion detection system) AIDE (Advanced Intrusion Detection Environment)
AIDE download: https://sourceforge.net/projects/aide/
Installing AIDE
```
[root@linuxprobe ~]# yum -y install aide
```
Configure AIDE and initialize the database. AIDE can be used with its default configuration, but if you want to customize the settings, change the configuration file as shown below.
The rules are defined around lines 26-84; refer to them.
```
[root@linuxprobe ~]# vi /etc/aide.conf
# for example, change the setting for monitoring /var/log
/var/log p+u+g+i+n+acl+selinux+xattrs
# initialize database
[root@linuxprobe ~]# aide --init
AIDE, version 0.15.1
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
# copy generated DB to master DB
[root@linuxprobe ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
```
Running a check
```
[root@linuxprobe ~]# aide --check
AIDE, version 0.15.1
### All files match AIDE database. Looks okay!
[root@linuxprobe ~]# chmod 640 /root/anaconda-ks.cfg
[root@linuxprobe ~]# aide --check
```
The differences detected are as follows:
```
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-27 04:44:55
Summary:
Total number of files: 31983
Added files: 0
Removed files: 0
Changed files: 1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /root/anaconda-ks.cfg
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /root/anaconda-ks.cfg
Perm : -rw------- , -rw-r-----
Ctime : 2016-10-25 04:52:57 , 2016-10-27 04:44:25
ACL : old = A:
----
user::rw-
group::---
other::---
----
D: <NONE>
new = A:
----
user::rw-
group::r--
other::---
----
D: <NONE>
```
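To make the init/check cycle above concrete, here is a small shell script (an added example, not AIDE's own code) that records for every file the attributes an AIDE `p+u+g+i+n` rule covers (permissions, uid, gid, inode, link count) plus a SHA-256 of the content, then compares the filesystem against that baseline and reports added, removed and changed files with an AIDE-style "old , new" attribute listing. It assumes a Linux system with GNU stat, sha256sum, find and awk; the function names and the record format are my own, and the return value borrows AIDE's 1/2/4 bit layout for added/removed/changed.

```shell
#!/bin/sh
# Minimal file-integrity baseline modelled on AIDE's init/check cycle.
# Added example, not AIDE's own code. Each record carries the attributes
# of an AIDE "p+u+g+i+n" rule (permissions, uid, gid, inode, link count)
# plus a SHA-256 of the content. Needs GNU stat, sha256sum, find and awk.
# Paths containing '|' or newlines are not supported.

# Print one record per regular file below $1:  path|perm|uid|gid|inode|nlink|sha256
snapshot() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        attrs=$(stat -c '%a|%u|%g|%i|%h' "$f")
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s|%s|%s\n' "$f" "$attrs" "$sum"
    done
}

# baseline_init DIR DBFILE: record the trusted state (cf. "aide --init").
baseline_init() {
    snapshot "$1" > "$2"
}

# Print every attribute of record $2 that differs from record $1,
# in AIDE's "name : old , new" layout.
print_changes() {
    i=1
    for name in perm uid gid inode nlink sha256; do
        o=$(printf '%s\n' "$1" | cut -d'|' -f"$i")
        n=$(printf '%s\n' "$2" | cut -d'|' -f"$i")
        if [ "$o" != "$n" ]; then
            printf '  %-6s : %s , %s\n' "$name" "$o" "$n"
        fi
        i=$((i + 1))
    done
}

# baseline_check DBFILE DIR: compare the filesystem with the baseline
# (cf. "aide --check"). Return value is a bit mask like AIDE's exit status:
# 1 = added files, 2 = removed files, 4 = changed files, 0 = everything matches.
baseline_check() {
    db=$1
    cur=$(mktemp)
    snapshot "$2" > "$cur"
    rc=0
    # Every baseline entry is either still there (maybe changed) or removed.
    while IFS='|' read -r path old_rest; do
        new_rest=$(awk -F'|' -v p="$path" '$1 == p { sub(/^[^|]*\|/, ""); print }' "$cur")
        if [ -z "$new_rest" ]; then
            printf 'removed: %s\n' "$path"
            rc=$((rc | 2))
        elif [ "$new_rest" != "$old_rest" ]; then
            printf 'changed: %s\n' "$path"
            print_changes "$old_rest" "$new_rest"
            rc=$((rc | 4))
        fi
    done < "$db"
    # Anything on disk that the baseline has never seen is an addition.
    while IFS='|' read -r path rest; do
        if ! awk -F'|' -v p="$path" '$1 == p { found = 1 } END { exit !found }' "$db"; then
            printf 'added: %s\n' "$path"
            rc=$((rc | 1))
        fi
    done < "$cur"
    rm -f "$cur"
    if [ "$rc" -eq 0 ]; then
        echo "All files match the baseline."
    fi
    return "$rc"
}

# Usage:  sh baseline.sh init DIR DBFILE      sh baseline.sh check DBFILE DIR
case "${1:-}" in
    init)  baseline_init "$2" "$3" ;;
    check) baseline_check "$2" "$3" ;;
esac
```

Running `check` after a `chmod 640` on one file reproduces the page's AIDE result in miniature: a single "changed:" entry whose perm column differs, and a return value of 4. Like AIDE, the baseline file itself must be kept somewhere the host cannot silently rewrite it, otherwise an intruder can simply re-initialize it.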
If there is no problem even though some differences were detected, update the database as follows:
```
[root@linuxprobe ~]# aide --update
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-27 04:49:12
Summary:
Total number of files: 31983
Added files: 0
Removed files: 0
Changed files: 1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /root/anaconda-ks.cfg
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
...
# update database
[root@linuxprobe ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
```
To check regularly, add the check to cron. The log file [/var/log/aide/aide.log] is rewritten on every run, and when there are no differences it is rewritten as an empty (zero-byte) file, so if you want to keep the log files you need to write a shell script, send the results by email, or similar.
```
# for example, add a daily check in crontab and send the results via email
[root@dlp ~]# vi /etc/cron.d/aide
00 01 * * * /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root
```
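Piping `aide --update` straight into `mail`, as in the crontab line above, sends a message every day even when nothing changed, and the zero-byte log problem remains. The wrapper below is an added example, not part of the AIDE package: it archives each report under its own dated file and mails only when AIDE reports differences or fails. It assumes the exit-status bits documented in the aide(1) man page (1 added, 2 removed, 4 changed, summed; 14 and above are errors); confirm that your AIDE version sets them before relying on this. `AIDE_BIN`, `LOG_DIR`, `MAIL_TO`, the function names and the script path in the crontab comment are my own, and it runs `--check`, so substitute `--update` if the refreshed database should be written at the same time.

```shell
#!/bin/sh
# Daily AIDE wrapper: keep a dated copy of every report and send mail only
# when AIDE reports differences or fails. Added example, not AIDE's own
# cron script. Assumes the exit-status bits documented in aide(1):
# 1 = added, 2 = removed, 4 = changed (summed), 14 and above = error.
AIDE_BIN=${AIDE_BIN:-/usr/sbin/aide}
AIDE_CONF=${AIDE_CONF:-/etc/aide.conf}
LOG_DIR=${LOG_DIR:-/var/log/aide/history}
MAIL_TO=${MAIL_TO:-root}

# Turn an AIDE exit status into a one-line summary for the mail subject.
aide_status_text() {
    s=$1
    if [ "$s" -eq 0 ]; then
        echo "no differences"
    elif [ "$s" -ge 14 ]; then
        echo "aide error (exit $s)"
    else
        out=""
        if [ $((s & 1)) -ne 0 ]; then out="${out}added "; fi
        if [ $((s & 2)) -ne 0 ]; then out="${out}removed "; fi
        if [ $((s & 4)) -ne 0 ]; then out="${out}changed "; fi
        echo "${out}files"
    fi
}

# Run the check, archive the full report, mail it only when it matters,
# and pass AIDE's status through as the return value.
run_daily_check() {
    mkdir -p "$LOG_DIR"
    report="$LOG_DIR/aide-$(date +%Y%m%d-%H%M%S).log"
    if "$AIDE_BIN" --check --config="$AIDE_CONF" > "$report" 2>&1; then
        status=0
    else
        status=$?
    fi
    summary=$(aide_status_text "$status")
    if [ "$status" -ne 0 ]; then
        mail -s "AIDE on $(uname -n): $summary" "$MAIL_TO" < "$report"
    fi
    echo "$summary ($report)"
    return "$status"
}

# Crontab entry (assumed install path):  00 01 * * * /usr/local/sbin/aide-daily.sh run
case "${1:-}" in
    run) run_daily_check ;;
esac
```

Because every report is kept, the history directory shows exactly when a change first appeared even if nobody reads the mail that day; an error status (a missing or unreadable database, for instance) is mailed as well, so a broken check does not pass silently as "no differences".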
Tripwire overview
Tripwire is the best-known file-system integrity checking tool for Unix. The core of its technique is to generate a digital signature for every monitored file and keep it; when a file's current digital signature no longer matches the stored one, that file must have been modified.
Tripwire official site: http://www.tripwire.com/
Installing Tripwire
```
# install from EPEL
[root@linuxprobe ~]# yum --enablerepo=epel -y install tripwire
```
Creating the keys and the database
```
# generate keys
[root@linuxprobe ~]# tripwire-setup-keyfiles
.....
.....
Enter the site keyfile passphrase:          # set site keyfile passphrase
Verify the site keyfile passphrase:         # confirm
....
.....
Enter the local keyfile passphrase:         # set local keyfile passphrase
Verify the local keyfile passphrase:        # confirm
.....
.....
Please enter your site passphrase:          # answer with site keyfile passphrase
.....
.....
Please enter your site passphrase:          # answer with site keyfile passphrase
.....
.....
[root@linuxprobe ~]# cd /etc/tripwire
[root@linuxprobe tripwire]# vi twcfg.txt
# line 12: report level (4 is max)
REPORTLEVEL =4
# generate config
[root@linuxprobe tripwire]# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase:          # answer with site keyfile passphrase
Wrote configuration file: /etc/tripwire/tw.cfg
# optimize policy file with the script below
[root@linuxprobe tripwire]# vi twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#     perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;

my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    # rewrite the HOSTNAME setting to this machine's own hostname
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^\{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^\}/ ) {
        $INRULE=0 ;
    }
    # inside a rule block: "path -> attributes ;" lines, possibly commented out
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        # comment out entries whose path does not exist on this system,
        # so the policy only references files that are actually present
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;
[root@linuxprobe tripwire]# perl twpolmake.pl twpol.txt > twpol.txt.new
[root@linuxprobe tripwire]# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
```
Creating the database
```
[root@linuxprobe tripwire]# tripwire -m i -s -c tw.cfg
Please enter your local passphrase:
```
Running the check manually. (A daily check script for cron is included in the package.)