How to Check File and Directory Integrity Using AIDE in Linux


In the mega guide to hardening and securing CentOS 7, under the section on protecting the system internally, one of the security tools we listed for protecting the system from viruses, rootkits and malware, and for detecting unauthorized activity, was AIDE.

AIDE (Advanced Intrusion Detection Environment) is a small but powerful, free and open source intrusion detection tool that uses predefined rules to check file and directory integrity on Unix-like operating systems such as Linux. It is a standalone static binary, which keeps simple client/server monitoring setups easy to deploy.

It is feature-rich: it uses a plain text configuration file and database, which makes it easy to use; it supports several message digest algorithms, including but not limited to md5, sha1, rmd160 and tiger; it supports the common file attributes; and it supports powerful regular expressions to selectively include or exclude the files and directories to be monitored.

It can also be compiled with optional support for Gzip compression, POSIX ACLs, SELinux, XAttrs and extended file system attributes.

AIDE works by creating a database (simply a snapshot of selected parts of the file system) from the regular expression rules defined in its configuration file(s). Once this database has been initialized, you can verify the integrity of the system files against it. This guide shows how to install and use AIDE in Linux.

How to Install AIDE in Linux

AIDE is packaged in the official repositories of the mainstream Linux distributions; to install it, run the command for your distribution with its package manager.

# apt install aide 	   [On Debian/Ubuntu]
# yum install aide	   [On RHEL/CentOS] 	
# dnf install aide	   [On Fedora 22+]
# zypper install aide	   [On openSUSE]
# emerge aide 	           [On Gentoo]

After installing it, the main configuration file is /etc/aide.conf on RHEL/CentOS and Fedora (Debian and Ubuntu place it at /etc/aide/aide.conf instead). To view the installed version and the compile-time options, run the command below in your terminal:

# aide -v
Aide 0.14

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

You can open the configuration file in your preferred editor.

# vi /etc/aide.conf

It contains directives that define the database location, the report location, the default rules, and the directories and files to be included in the database.

Building on those default rules, you can define new custom rules in aide.conf. Each rule is a name assigned to a + separated list of attributes to record and compare, for example:

PERMS = p+u+g+acl+selinux+xattrs

The PERMS rule covers access control only: it detects changes to the permissions, owner, group, ACLs, SELinux context and extended attributes of a file or directory, but not changes to its contents.

This rule checks file content (via a sha256 digest) and file type only:

CONTENT = sha256+ftype

This is an extended version of the previous rule: in addition to content and file type it checks permissions, owner, group, link count, ACLs, SELinux context and extended attributes.

CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs

The DATAONLY rule below helps detect changes to the data of all files and directories it is applied to. Because it omits the m and c attributes (mtime and ctime), timestamp-only changes are not reported.

DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256

Defining Rules to Watch Files and Directories

Once you have defined the rules, you can specify the files and directories to watch. A selection line is a regular expression matched against the start of each path, followed by the rule to apply. Using the PERMS rule above, this line checks the permissions of the hidden files and directories (names beginning with a dot) under /root:

/root/\..*  PERMS

This line checks everything under the /root directory for any change in content or metadata:

/root/   CONTENT_EX

To detect any change to the data of all files and directories under /etc/, use this:

/etc/   DATAONLY 

Using AIDE to Check File and Directory Integrity in Linux

Start by building the database that the checks will be run against, using the --init flag. Do this on a freshly installed system you trust, ideally before it is connected to a network; otherwise the baseline may already contain tampered files.

The command below creates a database containing all of the files selected in your configuration file.

# aide --init

Then rename the newly written database to /var/lib/aide/aide.db.gz before proceeding (these two paths are the ones the stock RHEL/CentOS configuration sets with its database and database_out directives; adjust them if yours differ):

# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

It is recommended to move the database to a secure location, possibly on read-only media or on another machine, but make sure to update the configuration file so that AIDE reads it from there.

Once the database has been created, you can check the integrity of the files and directories using the --check flag.

# aide --check

It reads the snapshot stored in the database and compares it with the files and directories found on the system disk. If it finds changes in places you might not expect, it produces a report that you can then review.

Since no changes have been made to the file system yet, AIDE should report no differences between the database and the file system. Now create a few files in areas covered by the selection lines in the configuration file (here under /etc/ and /root/):

# vi /etc/script.sh
# touch /root/all.txt

Then run the check again; it should report the files added above. The output of this command depends on which parts of the file system you have configured for checking, and the run can take a long time.

# aide --check

You should run AIDE checks regularly. Whenever there are legitimate changes to the selected files, or you add new file definitions to the configuration file, update the database using the --update option. Review the report before doing so: --update accepts every reported difference into the new baseline, including any you did not make yourself.

# aide --update

After running a database update, rename the new database to /var/lib/aide/aide.db.gz so that future checks use it:

# mv /var/lib/aide/aide.db.new.gz  /var/lib/aide/aide.db.gz
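As an added example that is not part of the original article, the script below runs the whole --init, rename, --check, --update cycle from this section against a throwaway directory tree, using a small configuration written in the style of the PERMS and CONTENT_EX rules and the selection lines defined earlier. The temporary paths, the DEMO rule name, the sample files and the helper functions are all constructed for the demo. It assumes the aide binary is on PATH and picks the spelling of the database directive from the first line of aide -v, because releases from 0.16 on call it database_in rather than database. It also decodes AIDE's exit status (1 = new files, 2 = removed files, 4 = changed files, summed; 14 to 19 are error codes, per aide(1)), which is what a cron job or monitoring agent should key on rather than scraping the report text.

```shell
#!/bin/sh
# Added example (not from the original article): build a throwaway AIDE
# baseline for a temporary directory tree, verify it, tamper with the tree,
# verify again and then accept the changes with --update.
# All paths, the DEMO rule and the sample files are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: mktemp -d is available
TREE="$WORK/tree"              # the part of the file system we protect
CONF="$WORK/aide.conf"         # stands in for /etc/aide.conf
DB="$WORK/aide.db"             # stands in for /var/lib/aide/aide.db.gz
DB_NEW="$WORK/aide.db.new"     # stands in for /var/lib/aide/aide.db.new.gz

# AIDE 0.16 renamed the "database" directive to "database_in". Pick the right
# spelling from the first line of `aide -v` ("Aide 0.14", "Aide 0.17.4", ...).
db_in_directive() {
    minor=$(printf '%s\n' "$1" | sed -n 's/^Aide 0\.\([0-9]*\).*/\1/p')
    if [ -n "$minor" ] && [ "$minor" -ge 16 ]; then
        echo database_in
    else
        echo database
    fi
}

# Write a minimal aide.conf: database locations, report to stdout, one custom
# rule in the PERMS/CONTENT_EX style, and selection lines. A bare directory
# line recurses into it; a leading "!" excludes a subtree.
write_config() {
    in_key=$(db_in_directive "$(aide -v 2>&1 | head -n 1)")
    cat > "$CONF" <<EOF
$in_key=file:$DB
database_out=file:$DB_NEW
gzip_dbout=no
report_url=stdout
# DEMO: permissions, owner, group, link count, size, mtime, ctime, sha256
DEMO = p+u+g+n+s+m+c+sha256
$TREE DEMO
!$TREE/cache
EOF
}

# Map the --check/--update exit status onto its meaning (EXIT STATUS in aide(1)):
# bit 1 = new files, bit 2 = removed files, bit 4 = changed files; 14-19 = errors.
explain_status() {
    case "$1" in
        0)  echo "no differences" ;;
        [1-7])
            out=""
            [ $(( $1 & 1 )) -ne 0 ] && out="$out added"
            [ $(( $1 & 2 )) -ne 0 ] && out="$out removed"
            [ $(( $1 & 4 )) -ne 0 ] && out="$out changed"
            echo "${out# }" ;;
        14) echo "error: writing output" ;;
        15) echo "error: invalid argument" ;;
        16) echo "error: unimplemented function" ;;
        17) echo "error: invalid configuration line" ;;
        18) echo "error: I/O" ;;
        19) echo "error: database version mismatch" ;;
        *)  echo "unknown status $1" ;;
    esac
}

run_demo() {
    # 1. A small tree to protect (constructed sample data).
    mkdir -p "$TREE/bin" "$TREE/cache"
    printf '#!/bin/sh\necho hello\n' > "$TREE/bin/hello.sh"
    chmod 755 "$TREE/bin/hello.sh"
    echo "scratch" > "$TREE/cache/tmp.txt"
    write_config

    # 2. Baseline with --init, then promote it (the mv step from the article).
    aide -c "$CONF" --init > "$WORK/init.txt" 2>&1
    mv "$DB_NEW" "$DB"

    # 3. Clean check: expect status 0 (no differences).
    st=0; aide -c "$CONF" --check > "$WORK/check1.txt" 2>&1 || st=$?
    echo "check #1: $st ($(explain_status "$st"))"

    # 4. Tamper: add a file, append to a script, and write into the excluded cache.
    echo "dropped binary" > "$TREE/bin/new.sh"
    echo 'echo extra' >> "$TREE/bin/hello.sh"
    echo "ignored" > "$TREE/cache/other.txt"

    # 5. Check again: expect 5 = 1 (added) + 4 (changed); the cache is excluded.
    st=0; aide -c "$CONF" --check > "$WORK/check2.txt" 2>&1 || st=$?
    echo "check #2: $st ($(explain_status "$st")); report: $WORK/check2.txt"

    # 6. Only after reviewing the report: accept the new state and promote it.
    st=0; aide -c "$CONF" --update > "$WORK/update.txt" 2>&1 || st=$?
    mv "$DB_NEW" "$DB"
    st=0; aide -c "$CONF" --check > "$WORK/check3.txt" 2>&1 || st=$?
    echo "check #3 after update: $st ($(explain_status "$st"))"
}

if command -v aide >/dev/null 2>&1; then
    run_demo
else
    echo "aide is not installed; only the helper functions are usable" >&2
fi
```

Because the exit status is a bit mask, a scheduled job can treat 0 as healthy, 1 to 7 as "review the report" and anything 14 or above as a broken AIDE installation, which is itself worth alerting on since an attacker who cannot remove AIDE may simply corrupt its configuration or database.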

That's all for now! But take note of these important points:

  • One property shared by most intrusion detection systems, AIDE included, is that they do not fix the security holes on a system. What they do is speed up incident response by letting administrators see exactly which system files and directories changed, so stay alert and keep your other security controls up to date. It is strongly recommended to keep the freshly created database, the configuration file and the AIDE binary itself in a trusted location such as read-only media (possible if you install from source), since an attacker with root access can otherwise modify all three to hide tampering.
  • For additional security, consider signing the configuration and/or the database.

For more information and configuration options, see the man pages aide(1) and aide.conf(5), or visit the AIDE homepage: http://aide.sourceforge.net/