Author: Li Xiaohui

Contact:

1. WeChat: Lxh_Chat

2. Email: 939958092@qq.com

Introduction to AIDE

The Advanced Intrusion Detection Environment (AIDE) can be used to check an OpenStack cluster for tampering. It is a very capable tool: it tells you whether files and directories have been modified. On its first run it stores key attributes of each file (hashes, among others) in a local database; every later run compares the current state of the filesystem against what was stored. If anything differs, it records the difference in its report, and it can be set up to run a script automatically or send you an email alert.

Besides running it once during cluster deployment, you can trigger a check by hand at any time, so you can be confident that nothing in the cluster has changed unexpectedly.

Installing and Configuring AIDE

Installing the package

(undercloud) [stack@director ~]$ sudo -i
[root@director ~]#
[root@director ~]# yum install aide -y

Initializing the AIDE database

First, have a look at aide's options:

[root@director ~]# aide -h
Aide 0.16

Usage: aide [options] command

Commands:
-i, --init Initialize the database
-C, --check Check the database
-u, --update Check and update the database non-interactively
-E, --compare Compare two databases

Miscellaneous:
-D, --config-check Test the configuration file
-v, --version Show version of AIDE and compilation options
-h, --help Show this help message

Options:
-c [cfgfile] --config=[cfgfile] Get config options from [cfgfile]
-l [REGEX] --limit=[REGEX] Limit command to entries matching [REGEX]
-B "OPTION" --before="OPTION" Before configuration file is read define OPTION
-A "OPTION" --after="OPTION" After configuration file is read define OPTION
-r [reporter] --report=[reporter] Write report output to [reporter] url
-V[level] --verbose=[level] Set debug message level to [level]

[root@director ~]# ls /var/lib/aide/

Now initialize the database:

[root@director ~]# aide --init
Start timestamp: 2023-12-31 11:25:33 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries: 144181

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
MD5 : N3jo/T6T68sdRudTB4XUaA==
SHA1 : YV7ltgxMp+DzwotyGU1qSKhSRL8=
RMD160 : 98Du16QkCtcM++4jDq4wkluYO+A=
TIGER : IFzLXzFPjGnSwpFDNtUnjS/LXg0Jzpuh
SHA256 : pMKZF0q6SFTc7pKyvQRGJ3kb9xwTvUen9TSnqwO3tJs=
SHA512 : wjnPYyZnPXjMW0UDqjkLeYjV3iOlhGLOon1MrRdPjuBBNw1zOQnRwdtBlJIVrb3HwtGIbWJaQxgLfC66gfAVbA==


End timestamp: 2023-12-31 11:26:16 -0500 (run time: 0m 43s)

Note that, by default, the database AIDE writes (aide.db.new.gz) and the database it reads during a check (aide.db.gz) have different names, so you must rename the new file before checking. This is deliberate: it prevents a freshly generated database from silently overwriting the trusted baseline.

[root@director ~]# aide --check
Couldn't open file /var/lib/aide/aide.db.gz for reading
[root@director ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Forcing an AIDE check

Manually trigger a comparison of the current files against the database records:

[root@director ~]# aide --check
Start timestamp: 2023-12-31 11:28:35 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Testing file modification and addition

Add one file and modify another, then look at the comparison result:

[root@director ~]# aide --check
Start timestamp: 2023-12-31 11:35:39 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
Total number of entries: 144181
Added entries: 0
Removed entries: 0
Changed entries: 2

---------------------------------------------------
Changed entries:
---------------------------------------------------

f = .u. . ... : /var/log/containers/ironic-inspector/dnsmasq.log
f = ... . A.. : /var/log/journal/f874df04639f474cb0a9881041f4f7d4/system.journal

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /var/log/containers/ironic-inspector/dnsmasq.log
Uid : 42461 | 995

File: /var/log/journal/f874df04639f474cb0a9881041f4f7d4/system.journal
ACL : A: user::rw- | A: user::rw-
A: group::r-x #effective:r-- | A: group::r-x #effective:r--
A: group:adm:r-x #effective:r-- | A: group:adm:r--
A: group:wheel:r-x #effective:r-- | A: group:wheel:r--
A: mask::r-- | A: mask::r--
A: other::--- | A: other::---


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz
MD5 : N3jo/T6T68sdRudTB4XUaA==
SHA1 : YV7ltgxMp+DzwotyGU1qSKhSRL8=
RMD160 : 98Du16QkCtcM++4jDq4wkluYO+A=
TIGER : IFzLXzFPjGnSwpFDNtUnjS/LXg0Jzpuh
SHA256 : pMKZF0q6SFTc7pKyvQRGJ3kb9xwTvUen9TSnqwO3tJs=
SHA512 : wjnPYyZnPXjMW0UDqjkLeYjV3iOlhGLOon1MrRdPjuBBNw1zOQnRwdtBlJIVrb3HwtGIbWJaQxgLfC66gfAVbA==


End timestamp: 2023-12-31 11:36:19 -0500 (run time: 0m 40s)

Updating the database

If you have confirmed that these changes are legitimate, update the database with the current state:

[root@director ~]# aide --update
Start timestamp: 2023-12-31 11:40:10 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
Total number of entries: 144181
Added entries: 0
Removed entries: 0
Changed entries: 2

---------------------------------------------------
Changed entries:
---------------------------------------------------

f = .u. . ... : /var/log/containers/ironic-inspector/dnsmasq.log
f = ... . A.. : /var/log/journal/f874df04639f474cb0a9881041f4f7d4/system.journal

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /var/log/containers/ironic-inspector/dnsmasq.log
Uid : 42461 | 995

File: /var/log/journal/f874df04639f474cb0a9881041f4f7d4/system.journal
ACL : A: user::rw- | A: user::rw-
A: group::r-x #effective:r-- | A: group::r-x #effective:r--
A: group:adm:r-x #effective:r-- | A: group:adm:r--
A: group:wheel:r-x #effective:r-- | A: group:wheel:r--
A: mask::r-- | A: mask::r--
A: other::--- | A: other::---


---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.gz
MD5 : N3jo/T6T68sdRudTB4XUaA==
SHA1 : YV7ltgxMp+DzwotyGU1qSKhSRL8=
RMD160 : 98Du16QkCtcM++4jDq4wkluYO+A=
TIGER : IFzLXzFPjGnSwpFDNtUnjS/LXg0Jzpuh
SHA256 : pMKZF0q6SFTc7pKyvQRGJ3kb9xwTvUen9TSnqwO3tJs=
SHA512 : wjnPYyZnPXjMW0UDqjkLeYjV3iOlhGLOon1MrRdPjuBBNw1zOQnRwdtBlJIVrb3HwtGIbWJaQxgLfC66gfAVbA==

/var/lib/aide/aide.db.new.gz
MD5 : AAGejLjdpBczmchBp8F7Kg==
SHA1 : XSIuLwPV+oEB/IMu0TgnlHFCV/A=
RMD160 : Zx3FzhtoIPACjPqITg7ydAl9zZs=
TIGER : uAWV1mr+FRWmnfqUGG5/uh7xVnOuxP99
SHA256 : J7vYv+vO4qSpz2AFo+7o8cub4gequJqcqVlKeKHBJ5E=
SHA512 : Qv1mBiUeyTJFlKn/K/H/FNg+FxFOa3N/VXdFD4hTUAM/GRouUSgdcQn3KCCbIP0I+0z18+44eSicC6rZtv7bzw==


End timestamp: 2023-12-31 11:40:52 -0500 (run time: 0m 42s)

Remember to rename the newly generated database, otherwise the next check will still compare against the old baseline:

[root@director ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
mv: overwrite '/var/lib/aide/aide.db.gz'? y
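The whole init / check / update cycle from this post, including the aide.db.new.gz to aide.db.gz rename that is easy to forget, wrapped in a small script. This is an added example, not code from the original post; it assumes the default database paths under /var/lib/aide shown above and the exit-status bits documented in aide(1) (1 = added, 2 = removed, 4 = changed, 14 and above = error), and the subcommand names are my own.

```shell
#!/bin/sh
# Added example: wrapper for the AIDE init / check / update / rename cycle.
# AIDE_DIR is an assumed override; the defaults match the post.
AIDE_DIR=${AIDE_DIR:-/var/lib/aide}
DB="$AIDE_DIR/aide.db.gz"
NEW_DB="$AIDE_DIR/aide.db.new.gz"

# Turn AIDE's exit status (a bitmask, per aide(1)) into words.
# Pure shell, so it can be tested without aide installed.
decode_aide_rc() {
    rc=$1
    if [ "$rc" -eq 0 ]; then echo "clean"; return 0; fi
    if [ "$rc" -ge 14 ]; then echo "error(rc=$rc)"; return 2; fi
    out=""
    if [ $((rc & 1)) -ne 0 ]; then out="$out added"; fi
    if [ $((rc & 2)) -ne 0 ]; then out="$out removed"; fi
    if [ $((rc & 4)) -ne 0 ]; then out="$out changed"; fi
    echo "${out# }"
    return 1
}

# Promote the freshly written database to the trusted baseline.
# Kept as a separate, explicit step so a review of the report happens
# first and nothing re-baselines itself silently; the old baseline is
# kept as aide.db.gz.prev for rollback or comparison with aide --compare.
promote_new_db() {
    if [ ! -f "$NEW_DB" ]; then
        echo "nothing to promote: $NEW_DB missing" >&2
        return 1
    fi
    if [ -f "$DB" ]; then cp -p "$DB" "$DB.prev"; fi
    mv -f "$NEW_DB" "$DB"
}

case "${1:-}" in
    init)    aide --init && promote_new_db ;;
    check)   aide --check; rc=$?
             echo "AIDE result: $(decode_aide_rc "$rc")"; exit "$rc" ;;
    update)  aide --update; rc=$?
             echo "AIDE result: $(decode_aide_rc "$rc")"
             echo "Review the report above, then run: $0 promote" ;;
    promote) promote_new_db ;;
    *)       echo "usage: $0 {init|check|update|promote}" >&2 ;;
esac
```

Run `check` from cron or a systemd timer and alert on any non-zero exit; `update` never replaces the baseline on its own, `promote` does.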