aide文件入侵檢測
阿新 • • 發佈:2018-04-24
aide 入侵檢測 使用AIDE對文件夾及文件進行MD5值校驗,判斷文件是否被篡改
yum install aide -y
根據需求修改/etc/aide.conf
配置文件
初始化校驗數據庫
aide -i && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
校驗
aide
發現文件屬正常改動後,更新校驗庫
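# AIDE exits non-zero whenever the check finds differences, so chaining the
# rotation with `&&` after `aide --update` skips it in exactly the case where a
# new baseline is wanted; rotate unconditionally, but only replace the live
# database once the dated backup copy succeeded.
aide --update; mv /var/lib/aide/aide.db.gz /var/lib/aide/aide.db.gz-$(date +"%F") && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz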
通過添加計劃任務實現每日入侵巡檢:
效果圖:
所有服務器同步腳本/data/bin/files_testing.sh
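#!/bin/bash
# files_testing.sh -- daily AIDE integrity check, pushed to every server via salt.
#
# Prints the "File/added/removed/changed" lines of the AIDE report to stdout
# (that output is what salt cmd.run hands back to files_testing.py for the mail
# report), then rotates the database so today's state becomes tomorrow's
# baseline. Because the new database is accepted without review, a change that
# is overlooked in today's mail is baked into the baseline; the dated copies in
# $backupdir are the only way to compare against an older state.

yesterday=$(date -d "1 day ago" +"%F")
backupdir="/data/backup/aide"
AIDE="/sbin/aide"
MV="/bin/mv"
newfile="/var/lib/aide/aide.db.new.gz"
file="/var/lib/aide/aide.db.gz"

mkdir -p "$backupdir"

# AIDE's exit status is a bit mask of added/removed/changed, so a non-zero
# status here is the normal "differences found" case, not an error.
"$AIDE" > "${backupdir}/log" 2>&1
grep -E "File|added|removed|changed" "${backupdir}/log"   # adjust the filter as needed

# Rebuild the database, then rotate only if a new file was actually written.
# The original moved the live database away before checking, so a failed
# `aide --update` (bad config, full disk) left the host with no database and
# every later run failing silently. A stale new-db file from an earlier failed
# run is removed first so it cannot satisfy the check.
rm -f "$newfile"
"$AIDE" --update > /dev/null 2>&1
if [[ -s "$newfile" ]]; then
    "$MV" "$file" "${backupdir}/${yesterday}-aide.db.gz"
    "$MV" "$newfile" "$file"
else
    # Goes to stdout on purpose: that is what ends up in the report mail.
    echo "aide --update produced no ${newfile}; current database kept unchanged"
fi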
添加計劃任務腳本files_testing.py
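# -*- coding: utf-8 -*-
"""Daily AIDE file-integrity sweep.

Runs /data/bin/files_testing.sh on every host through salt-api, collects the
filtered AIDE output per host and mails one HTML report per recipient.
Started by cron; like the original script it executes top to bottom on import.
"""
from __future__ import print_function

import json
import re
import smtplib
import time
from email.header import Header
from email.mime.text import MIMEText

try:  # Python 3
    from urllib.request import Request, urlopen
    from urllib.parse import urlencode
    from html import escape as html_escape
except ImportError:  # Python 2, the interpreter the article targets
    from urllib2 import Request, urlopen
    from urllib import urlencode
    from cgi import escape as html_escape

# Mail configuration. Credentials live in the script, as in the original, so
# the file itself must be readable only by the cron user (or the values moved
# to a permission-restricted config file).
email_host = 'xxx'
email_port = 465          # SMTPS; the original misspelled this as email_prot
email_user = 'xxx'
email_passwd = 'xxx'      # the original misspelled this as enail_passwd

# salt-api endpoint and the PAM account it authenticates as.
salt_api_host = "http://127.0.0.1:58080"
salt_api_user = "salt"
salt_api_pass = "salt"
cmd = '/data/bin/files_testing.sh '

# Report recipients; one mail is sent per address.
to_list = ["xx.com", "xx.com", "xx.com"]

# Mail subject, prefixed with today's date.
title = "%s xxx文件巡檢報告" % time.strftime('%Y-%m-%d')

# Minion ids to sweep.
host_list = ["xxx", "xxx", "xxx", "xxx", "xxx"]


class saltAPI():
    """Minimal salt-api client: PAM login on construction, then POST commands."""

    def __init__(self, host, user, password):
        self.sat_url = host
        self.sat_user = user
        self.sat_password = password
        self.salt_token = self.salt_login()   # one token, reused for every call

    def _post(self, body, prefix='/', token=None):
        """POST the form-encoded string *body* and return the decoded JSON reply.

        The original ran urllib.unquote() on the login body before sending it,
        which corrupts any username or password containing '&', '=', '%' or '+';
        the body is now sent exactly as urlencode() built it.
        """
        headers = {'X-Auth-Token': token} if token else {}
        req = Request(self.sat_url + prefix, body.encode('utf-8'), headers)
        resp = urlopen(req)
        try:
            return json.loads(resp.read().decode('utf-8'))
        finally:
            resp.close()

    def salt_login(self):
        """Authenticate with eauth=pam and return the session token."""
        body = urlencode({'eauth': 'pam',
                          'username': self.sat_user,
                          'password': self.sat_password})
        return self._post(body, '/login')['return'][0]['token']

    def postRequest(self, obj, prefix='/'):
        """POST an already-encoded body with the session token; return its 'return' list."""
        return self._post(obj, prefix, self.salt_token)['return']

    def saltCmd(self, params):
        """Encode *params* and run them through postRequest().

        'arg0', 'arg1', ... keys are collapsed to repeated 'arg' fields, as the
        original's re.subn did; the pattern is a raw string so '\\d' is a regex
        class rather than a string escape.
        """
        body = re.sub(r"arg\d", 'arg', urlencode(params))
        return self.postRequest(body)


def send_mail(to_list, subject, content):
    """Send *content* as an HTML mail to *to_list* (a single address string here).

    Returns True on success. Any SMTP or socket error is printed and False is
    returned, as in the original: a mail failure for one recipient must not
    abort delivery to the others.
    """
    msg = MIMEText(content, 'html', _charset='utf-8')
    msg['Subject'] = Header(subject, 'utf-8')
    msg['From'] = email_user
    msg['To'] = to_list
    try:
        server = smtplib.SMTP_SSL()
        server.connect(email_host, email_port)
        try:
            server.login(email_user, email_passwd)
            server.sendmail(email_user, to_list, msg.as_string())
        finally:
            server.close()
        return True
    except Exception as e:
        print(str(e))
        return False


# Authenticate once; the token is reused for every host.
salt = saltAPI(host=salt_api_host, user=salt_api_user, password=salt_api_pass)

# One {'hostname': ..., 'info': ...} entry per host that reported changes or
# could not be checked.
backup_info = []


def salt_get(host):
    """Run the AIDE script on *host* and record its filtered output in backup_info.

    A host whose output is empty adds nothing (the original's guard never fired,
    because ''.split('\\n') yields one empty line, so every host got an empty
    row). A host that cannot be reached or whose command errors is recorded with
    the error text instead of being dropped: in the original an unreachable host
    was indistinguishable from a clean one, so the report could claim "no
    changes" for a host that was never checked.
    """
    try:
        output = salt.saltCmd({'client': 'local', 'fun': 'cmd.run',
                               'tgt': host, 'arg': cmd})[0][host]
    except Exception as e:
        backup_info.append({'hostname': host,
                            'info': '<p>[check failed] %s</p>' % html_escape(str(e))})
        return
    # Escape every line: AIDE prints file names verbatim, and a crafted name
    # would otherwise be rendered as HTML inside the report mail.
    lines = [line for line in output.split('\n') if line.strip()]
    if lines:
        info = ''.join('<p>%s</p>' % html_escape(line) for line in lines)
        backup_info.append({'hostname': host, 'info': info})


for host in host_list:
    # The original started one daemon thread per host and joined it at once,
    # so hosts were checked one at a time anyway; the 60 s pause between hosts
    # is kept as it was.
    salt_get(host)
    time.sleep(60)

# Report body: one table row per host.
html = u"""
<style type="text/css">
table.gridtable {
    font-family: verdana,arial,sans-serif;
    font-size:15px;
    color:#333333;
    border-width: 1px;
    border-color: #666666;
    border-collapse: collapse;
}
table.gridtable th {
    border-width: 1px;
    padding: 12px;
    border-style: solid;
    border-color: #666666;
    background-color: #dedede;
}
table.gridtable td {
    border-width: 1px;
    padding: 12px;
    border-style: solid;
    border-color: #666666;
    background-color: #ffffff;
}
</style>
<div>
<table class="gridtable">
<tr><th>主機名</th> <th>改動的文件</th> </tr>
"""
# Explicit key: the original sorted the dicts themselves, which Python 2
# ordered by hostname then info and Python 3 rejects outright.
backup_info.sort(key=lambda entry: (entry['hostname'], entry['info']))
for i in backup_info:
    html = html + u"""
<tr>
<td>%s</td>
<td>%s</td>
</tr>
""" % (html_escape(i['hostname']), i['info'])
html += u"""
</table>
</div>
"""

body = html if backup_info else '當天沒有核心文件更改'
for i in to_list:
    send_mail(i, title, body)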
修改腳本發件人配置,收件人列表to_list
,主機列表host_list
添加計劃任務:
45 23 * * * /bin/python /data/bin/files_testing.py