How to Check File and Directory Integrity Using AIDE in Linux
In our mega guide to hardening and securing CentOS 7, under the section on protecting the system internally, one of the useful security tools we listed for protecting the system from viruses, rootkits and malware, and for detecting unauthorized activity, is AIDE.
AIDE (Advanced Intrusion Detection Environment) is a small yet powerful, free and open source intrusion detection tool that uses predefined rules to check file and directory integrity on Unix-like operating systems such as Linux. It is a standalone static binary, which keeps client/server monitoring setups simple.
It is feature-rich: it uses plain-text configuration files and a plain-text database, which makes it easy to use; it supports several message digest algorithms, including but not limited to md5, sha1, rmd160 and tiger; it supports the common file attributes; and it supports powerful regular expressions for selectively including or excluding the files and directories to be scanned.
It can also be compiled with optional support for Gzip compression, POSIX ACLs, SELinux, extended attributes (XAttrs) and extended file system attributes.
AIDE works by creating a database (which is simply a snapshot of selected parts of the file system) from the regular expression rules defined in its configuration file(s). Once this database has been initialized, you can verify the integrity of the system's files against it. This guide shows how to install and use AIDE in Linux.
How to Install AIDE in Linux
AIDE is packaged in the official repositories of the mainstream Linux distributions; to install it, run the command for your distribution using its package manager.
# apt install aide          [On Debian/Ubuntu]
# yum install aide          [On RHEL/CentOS]
# dnf install aide          [On Fedora 22+]
# zypper install aide       [On openSUSE]
# emerge aide               [On Gentoo]
After installing it, the main configuration file is /etc/aide.conf. To view the installed version as well as the compile-time parameters, run the command below in your terminal:
# aide -v
Aide 0.14
Compiled with the following options:
WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"
You can open the configuration file with your preferred editor.
# vi /etc/aide.conf
It contains directives that define the database location, the report location, the default rules, and the directories/files to be included in the database.
Using the default rules shipped in the file, you can define new custom rules in aide.conf, for example:
PERMS = p+u+g+acl+selinux+xattrs
The PERMS rule is used for access control only: it detects any change to a file or directory based on file/directory permissions, user, group, access control lists, SELinux context and file attributes.
The rule below checks only file content and file type.
CONTENT = sha256+ftype
This is an extended version of the previous rule: in addition to content and file type it also checks access (permissions, owner, group, link count, ACLs, SELinux context and extended attributes).
CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs
The DATAONLY rule below helps detect any change to the data inside all files/directories it is applied to.
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
Defining Rules to Watch Files and Directories
Once you have defined rules, you can specify the files and directories to watch. Using the PERMS rule above, this definition checks permissions for all the dot-files in the root user's home directory.
/root/\..* PERMS
This checks all files in the /root directory for any changes.
/root/ CONTENT_EX
To help you detect any changes to the data inside all files/directories under /etc/, use this.
/etc/ DATAONLY
Using AIDE to Check File and Directory Integrity in Linux
Start by building a database for the checks that will be performed, using the --init flag. This should be done before your system is connected to a network.
The command below creates a database containing all of the files you selected in your configuration file.
# aide --init
Then rename the database to /var/lib/aide/aide.db.gz before proceeding, using this command.
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
It is recommended to move the database to a secure location, possibly on read-only media or on another machine, but make sure you update the configuration file so that it is read from there.
After the database has been created, you can check the integrity of the files and directories using the --check flag.
# aide --check
It reads the snapshot stored in the database and compares it with the files/directories found on your system's disk. If it finds changes in places you might not expect, it generates a report which you can then review.
Since no changes have been made to the file system, you will only get output similar to the one above. Now try creating some files in the file system, in areas defined in the configuration file.
# vi /etc/script.sh
# touch all.txt
Then run the check once more; it should report the files added above. The output of this command depends on the parts of the file system you configured for checking, and it can be lengthy.
# aide --check
You need to run AIDE checks regularly, and whenever there are changes to already selected files or new file definitions are added to the configuration file, always update the database using the --update option:
# aide --update
After running a database update, to use the new database for future checks, always rename it to /var/lib/aide/aide.db.gz:
# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
That's all for now! But take note of these important points:
- One characteristic of most intrusion detection systems, AIDE included, is that they do not provide a fix for most security holes on a system. They do, however, ease the intrusion response process by helping system administrators examine any changes to system files/directories. So you should stay vigilant and keep your current security measures up to date. It is highly recommended to keep the newly created database, the configuration file and the AIDE binary in a secure location such as read-only media (possible if you install from source).
- For additional security, consider signing the configuration and/or the database.
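The --init / --check / --update cycle above, and the advice on protecting the database itself, can be illustrated with a small shell model of what AIDE does. The script below is an added example written for this article, not AIDE's own code or documentation; the function names fim_init, fim_check, fim_update and fim_verify_db are this example's own, and it assumes GNU coreutils (stat -c, sha256sum) and a POSIX awk. Each baseline record stores the attributes the CONTENT_EX rule above watches (sha256, file type, permissions, owner, group, link count), the check reports which attribute changed, and the baseline is refused if its own checksum no longer matches, a minimal stand-in for the signing and read-only storage recommended in the notes.

```shell
#!/bin/sh
# Added illustration of AIDE's baseline/check/update cycle (not AIDE's own code).
# Assumes GNU coreutils (stat -c, sha256sum) and POSIX awk; function names are
# this example's own. Record format: path|sha256|type|mode|uid|gid|nlink, i.e.
# the attributes the CONTENT_EX rule (sha256+ftype+p+u+g+n) watches.

# Snapshot every regular file under $1 as one record per line.
fim_snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%F|%a|%u|%g|%h' "$f")
        printf '%s|%s|%s\n' "$f" "$sum" "$meta"
    done
}

# Like "aide --init" followed by the mv: write the baseline DB ($2) for tree $1.
# A detached checksum of the DB is written beside it so the DB can be verified
# before it is trusted (a minimal stand-in for signing it / keeping it read-only).
fim_init() {
    fim_snapshot "$1" > "$2"
    sha256sum "$2" | cut -d' ' -f1 > "$2.sha256"
}

# Returns 0 when the baseline DB ($1) still matches its recorded checksum.
fim_verify_db() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$1.sha256")" ]
}

# Like "aide --check": compare tree $1 against baseline $2.
# Prints added:/removed:/changed: lines; returns 0 if clean, 1 if anything
# differs, 2 if the baseline itself fails verification.
fim_check() {
    dir=$1; db=$2
    fim_verify_db "$db" || { echo "baseline checksum mismatch, refusing to trust $db"; return 2; }
    live=$(mktemp)
    fim_snapshot "$dir" > "$live"
    report=$(awk -F'|' '
        FILENAME == ARGV[1] { base[$1] = $0; next }   # baseline records keyed by path
        {
            seen[$1] = 1
            if (!($1 in base)) { print "added: " $1; next }
            if (base[$1] == $0) next
            split(base[$1], b, "|"); what = ""
            if (b[2] != $2) what = what " content"
            if (b[3] != $3) what = what " type"
            if (b[4] != $4) what = what " mode"
            if (b[5] != $5 || b[6] != $6) what = what " owner"
            if (b[7] != $7) what = what " nlink"
            print "changed: " $1 " (" substr(what, 2) ")"
        }
        END { for (p in base) if (!(p in seen)) print "removed: " p }
    ' "$db" "$live")
    rm -f "$live"
    if [ -n "$report" ]; then printf '%s\n' "$report"; return 1; fi
    echo "no changes detected"
}

# Like "aide --update" followed by the mv: report, then accept the current
# state as the new baseline. Refuses if the old baseline fails verification.
fim_update() {
    fim_check "$1" "$2" && rc=0 || rc=$?
    [ "$rc" -eq 2 ] && return 2
    fim_init "$1" "$2"
}

# Command-line use: fim.sh init|check|update DIR DBFILE
case "${1:-}" in
    init)   fim_init "$2" "$3" ;;
    check)  fim_check "$2" "$3" ;;
    update) fim_update "$2" "$3" ;;
esac
```

Run it as `sh fim.sh init /etc /var/tmp/fim.db`, make a change, then `sh fim.sh check /etc /var/tmp/fim.db`; the exit status (0 clean, 1 differences, 2 untrusted baseline) is what a cron job or monitoring agent would act on. The point of the detached checksum is the same one the notes make about read-only media: a baseline that an attacker can rewrite after modifying files detects nothing, so the database must be protected at least as well as the files it describes.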
For more information and configuration options, see its man page or visit the AIDE homepage: http://aide.sourceforge.net/