File intrusion detection:
yum install aide -y
1) Customize /etc/aide.conf to your liking. In particular, add
important directories and files which you would like to be
covered by integrity checks. Avoid files which are expected
to change frequently or which don't affect the safety of your
system.

2) Run "/usr/sbin/aide --init" to build the initial database.
With the default setup, that creates /var/lib/aide/aide.db.new.gz

3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
in a secure location, e.g. on separate read-only media (such as
CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures
of those files in a secure location, so you have means to verify
that nobody modified those files.

4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
which is the location of the input database.

5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
compared with the AIDE database. Prior to running a check manually,
ensure that the AIDE binary and database have not been modified
without your knowledge.
tripwire:
tripwire-2.4.1.2-11.el6.x86_64.rpm

1. generate the site and local keys
tripwire-setup-keyfiles

2. build the initial database
tripwire --init
ls /var/lib/tripwire/www.up00.com.twd
/var/lib/tripwire/www.up00.com.twd

3. run an integrity check (reports are written to /var/lib/tripwire/report/)
tripwire --check
ls /var/lib/tripwire/report/

4. update pol
vim /etc/tripwire/twpol.txt
/opt/ks.cfg -> +psmugM;
twadmin -m P -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
tripwire --init
or:
tripwire --update-policy -Z low /etc/tripwire/twpol.txt

5. print a report as text and review it
twprint -m r -r /var/lib/tripwire/report/www.up00.com-20130828-141219.twr > /tmp/twr.txt
vim /tmp/twr.txt

6. accept the reported changes into the database (entries left as [x] are accepted)
tripwire --update -r /var/lib/tripwire/report/www.up00.com-20130828-141219.twr
[x] ....

7. create cfg (twadmin -m f prints the current config back)
twadmin -m F -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
twadmin -m f

create pol (twadmin -m p prints the current policy back):
twadmin -m P -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
twadmin -m p
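The AIDE steps above (build a baseline, fingerprint the database, verify it before checking) and the Tripwire rule "/opt/ks.cfg -> +psmugM;" describe the same mechanism: record selected file attributes, then compare later. The following is an added example, not code from this page, from AIDE or from Tripwire. It is a small POSIX shell integrity checker that snapshots the attributes selected by a Tripwire-style property mask (p, s, m, u, g, M), stores a fingerprint of its own database so the database can be verified before a check is trusted, and reports per file which attributes changed. It uses SHA-256 rather than Tripwire's MD5 for the M attribute; the fim_ function names, the database line format and the constructed demo files are assumptions of this example.

```shell
#!/bin/sh
# Added example: a minimal AIDE/Tripwire-style integrity checker.
# Database line format (assumed for this example):
#   <path>|<mask>|<perm>|<size>|<mtime>|<uid>|<gid>|<hash>
# Mask letters follow the property-mask syntax of the page's "+psmugM" rule:
# p=permissions, s=size, m=mtime, u=uid, g=gid, M=content hash
# (Tripwire uses MD5 for M; SHA-256 is used here).  A "-" in a field means
# that attribute is not covered by the mask.  Paths containing "|" or
# newlines are not supported by this format.

# SHA-256 of a file (sha256sum on GNU systems, shasum elsewhere).
fim_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Snapshot one file: print its database line for the given mask.
fim_snapshot() {  # fim_snapshot <path> <mask>
    path=$1; mask=$2
    if stat -c '%a %s %Y %u %g' "$path" >/dev/null 2>&1; then
        set -- $(stat -c '%a %s %Y %u %g' "$path")      # GNU stat
    else
        set -- $(stat -f '%Lp %z %m %u %g' "$path")     # BSD stat
    fi
    perm=$1; size=$2; mtime=$3; uid=$4; gid=$5; hash=-
    case $mask in *p*) ;; *) perm=- ;; esac
    case $mask in *s*) ;; *) size=- ;; esac
    case $mask in *m*) ;; *) mtime=- ;; esac
    case $mask in *u*) ;; *) uid=- ;; esac
    case $mask in *g*) ;; *) gid=- ;; esac
    case $mask in *M*) hash=$(fim_hash "$path") ;; esac
    printf '%s|%s|%s|%s|%s|%s|%s|%s\n' \
        "$path" "$mask" "$perm" "$size" "$mtime" "$uid" "$gid" "$hash"
}

# Build the baseline database (like aide --init / tripwire --init) and store
# a fingerprint of the database itself next to it, so the database can be
# verified before it is trusted for a check (AIDE steps 3 and 5 above).
fim_init() {  # fim_init <db> <mask> <file>...
    db=$1; mask=$2; shift 2
    : > "$db"
    for f in "$@"; do
        fim_snapshot "$f" "$mask" >> "$db"
    done
    fim_hash "$db" > "$db.sha256"
}

# Return 0 if the database still matches its stored fingerprint.
fim_verify_db() {  # fim_verify_db <db>
    [ "$(fim_hash "$1")" = "$(cat "$1.sha256")" ]
}

# Compare the current state against the database (like aide --check /
# tripwire --check).  Prints one line per changed or removed file with the
# letters of the attributes that differ; returns 1 if anything differs.
fim_check() {  # fim_check <db>
    db=$1; rc=0
    while IFS='|' read -r path mask operm osize omtime ouid ogid ohash; do
        if [ ! -e "$path" ]; then
            echo "removed: $path"; rc=1; continue
        fi
        new=$(fim_snapshot "$path" "$mask")
        IFS='|' read -r _p _m nperm nsize nmtime nuid ngid nhash <<EOF
$new
EOF
        diff=
        [ "$operm"  = "$nperm"  ] || diff="${diff}p"
        [ "$osize"  = "$nsize"  ] || diff="${diff}s"
        [ "$omtime" = "$nmtime" ] || diff="${diff}m"
        [ "$ouid"   = "$nuid"   ] || diff="${diff}u"
        [ "$ogid"   = "$ngid"   ] || diff="${diff}g"
        [ "$ohash"  = "$nhash"  ] || diff="${diff}M"
        if [ -n "$diff" ]; then
            echo "changed: $path [$diff]"; rc=1
        fi
    done < "$db"
    return $rc
}

# Demo on a constructed file in a temporary directory: baseline, modify, check.
demo=$(mktemp -d)
printf 'install\n' > "$demo/ks.cfg"
fim_init "$demo/fim.db" psmugM "$demo/ks.cfg"
printf 'text\n' >> "$demo/ks.cfg"                 # simulate a modification
fim_verify_db "$demo/fim.db" && echo "database fingerprint OK"
fim_check "$demo/fim.db" || echo "integrity violations found"
rm -rf "$demo"
```

The mask is applied at snapshot time, so a file recorded with "+psug" never reports mtime or content changes, which is how AIDE's and Tripwire's rules keep frequently changing files from flooding a report. The fim_verify_db step is the part the AIDE notes insist on before a manual check: if the database (or the checker) can be rewritten by whoever modified the files, the check proves nothing, which is why the page recommends keeping those files, or their fingerprints, on separate read-only media.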