
CentOS 7 security hardening, detection and auditing

Date: 2017/3/3 17:44:10   Editor: 學習Linux



RKHunter: detecting rootkits

RKHunter project page: http://rkhunter.sourceforge.net/
Rootkit explained in detail: http://linux.vbird.org/linux_security/0420rkhunter.php

  • Install RKHunter
[root@linuxprobe ~]# yum --enablerepo=epel -y install rkhunter
  • Configure and use RKHunter. For regular checks, the check script is installed in the cron.daily directory and run by cron every day.
[root@linuxprobe ~]# vi /etc/sysconfig/rkhunter
# recipient address for report
MAILTO=root@localhost
# if specified "yes", scan in more detail
DIAG_SCAN=no
# update database
[root@linuxprobe ~]# rkhunter --update
# update system file properties
[root@linuxprobe ~]# rkhunter --propupd
# execute checking
# --sk means skipping the need to press Enter
# if specified --rwo, display only warnings
[root@linuxprobe ~]# rkhunter --check --sk

Lynis

Security auditing tool Lynis: https://cisofy.com/lynis/

  • Install Lynis
[root@linuxprobe ~]# yum --enablerepo=epel -y install lynis
  • Use Lynis
[root@linuxprobe ~]# lynis audit system

Related documentation, Lynis tutorial: http://netsecurity.51cto.com/art/201410/455466.htm

AIDE overview

  • AIDE (Advanced Intrusion Detection Environment) is an intrusion detection tool whose main purpose is checking file integrity.
  • Install and configure the host-based IDS (intrusion detection system) AIDE (Advanced Intrusion Detection Environment).

AIDE download: https://sourceforge.net/projects/aide/

  • Install AIDE
[root@linuxprobe ~]# yum -y install aide
  • Configure AIDE and initialize the database. AIDE can be used with its default configuration, but if you want custom settings, change the configuration file as shown below. The rules are written around lines 26-84 of the file; refer to them.
[root@linuxprobe ~]# vi /etc/aide.conf
# for example, change setting of monitoring /var/log
/var/log   p+u+g+i+n+acl+selinux+xattrs
# initialize database
[root@linuxprobe ~]# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

# copy generated DB to master DB
[root@linuxprobe ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  • Run a check
[root@linuxprobe ~]# aide --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

[root@linuxprobe ~]# chmod 640 /root/anaconda-ks.cfg
[root@linuxprobe ~]# aide --check
# the detected differences are reported as follows
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-27 04:44:55

Summary:
  Total number of files:    31983
  Added files:          0
  Removed files:        0
  Changed files:        1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root/anaconda-ks.cfg

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /root/anaconda-ks.cfg
 Perm     : -rw-------                       , -rw-r-----
 Ctime    : 2016-10-25 04:52:57              , 2016-10-27 04:44:25
 ACL      : old = A:
----
user::rw-
group::---
other::---
----
                  D: <NONE>
            new = A:
----
user::rw-
group::r--
other::---
----
                  D: <NONE>
  • If there is no problem even though some differences were detected, update the database as follows
[root@linuxprobe ~]# aide --update
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-27 04:49:12

Summary:
  Total number of files:    31983
  Added files:          0
  Removed files:        0
  Changed files:        1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root/anaconda-ks.cfg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
...
# update database
[root@linuxprobe ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  • To run the check regularly, add it to cron. The log file [/var/log/aide/aide.log] is overwritten on every run, and if there are no differences it is overwritten with a zero-byte file, so if you want to keep the log files you need to write a shell script, or send the results by email or some other means.
# for example, add daily check in Crontab and send results via email
[root@dlp ~]# vi /etc/cron.d/aide
00 01 * * * /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root
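The RKHunter and AIDE sections above both end with a daily cron run whose output is either lost (AIDE's zero-byte log) or only reaches you by mail. The wrapper below is an added example written for this page, not code from the tutorial or from either project: it runs both checks, writes each report to its own timestamped file, keeps the file only when it actually contains findings, and mails it to root. The tool paths /usr/bin/rkhunter and /usr/sbin/aide, the report directory, the `run` argument and the embedded sample reports are all assumptions or constructed values, labelled as such in the code.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. A daily wrapper around the
# rkhunter and AIDE checks shown above: each report goes to its own timestamped
# file, is kept only when it contains findings, and is mailed to root.
# Assumed paths: /usr/bin/rkhunter, /usr/sbin/aide and the report directory below.

REPORT_DIR=${REPORT_DIR:-/var/log/integrity-checks}   # assumed location
MAILTO=${MAILTO:-root}

# Constructed sample reports (not captured from a real host), embedded so the
# helpers below can be exercised without either tool installed.
SAMPLE_AIDE_REPORT='AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-27 04:44:55

Summary:
  Total number of files:    31983
  Added files:          0
  Removed files:        0
  Changed files:        1'

SAMPLE_RKHUNTER_REPORT='Warning: Hidden directory found: /dev/.udev
Warning: The file properties have changed: /usr/bin/ls'

# Sum of the Added/Removed/Changed counters in an AIDE summary (0 if none).
aide_changed_count() {
    awk '/^ *(Added|Removed|Changed) files:/ { n += $NF }
         END { print n + 0 }' "$1"
}

# True (exit 0) when an AIDE report lists at least one added, removed or changed file.
aide_report_has_findings() {
    [ "$(aide_changed_count "$1")" -gt 0 ]
}

# True (exit 0) when an rkhunter --rwo report contains at least one warning line.
rkhunter_report_has_findings() {
    grep -q '^Warning:' "$1"
}

# Run one check: $1 = name, $2 = predicate function, remaining args = the command.
run_check() {
    name=$1; predicate=$2; shift 2
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/$name-$(date +%Y%m%d-%H%M%S).log"
    # Both tools exit non-zero when they have findings, so do not abort here.
    "$@" > "$report" 2>&1 || true
    if "$predicate" "$report"; then
        mail -s "$name findings on $(hostname)" "$MAILTO" < "$report"
    else
        rm -f "$report"          # no findings: drop the empty report
    fi
}

daily_checks() {
    run_check rkhunter rkhunter_report_has_findings /usr/bin/rkhunter --check --sk --rwo
    run_check aide aide_report_has_findings /usr/sbin/aide --check
}

# Only run the real tools when invoked explicitly, e.g. from cron (assumed path):
#   00 01 * * * /usr/local/sbin/daily-checks.sh run
if [ "${1:-}" = run ]; then
    daily_checks
fi
```

The wrapper calls `aide --check` rather than the `aide --update` used in the cron line above, so the baseline database is only replaced by the explicit `cp` step after someone has reviewed the differences; a nightly `--update` would otherwise keep producing a fresh aide.db.new.gz that already contains any unwanted change.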

Tripwire overview

  • Tripwire is currently the best-known file-system integrity checking tool for Unix. The core technique of this software is to generate a digital signature for every monitored file and keep it. When a file's current digital signature no longer matches the stored one, that file must have been modified.

    Tripwire website: http://www.tripwire.com/

  • Install Tripwire

# install from EPEL
[root@linuxprobe ~]# yum --enablerepo=epel -y install tripwire
  • Create keys and the configuration
# generate keys
[root@linuxprobe ~]# tripwire-setup-keyfiles
..........
Enter the site keyfile passphrase:      # set site keyfile passphrase
Verify the site keyfile passphrase:     # confirm
.........
Enter the local keyfile passphrase:     # set local keyfile passphrase
Verify the local keyfile passphrase:    # confirm
..........
Please enter your site passphrase:      # answer with site keyfile passphrase
..........
Please enter your site passphrase:      # answer with site keyfile passphrase
..........
[root@linuxprobe ~]# cd /etc/tripwire
[root@linuxprobe tripwire]# vi twcfg.txt
# line 12: report level (4 is max)
REPORTLEVEL =4
# generate config
[root@linuxprobe tripwire]# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase:      # answer with site keyfile passphrase
Wrote configuration file: /etc/tripwire/tw.cfg
# optimize policy file with the script below
[root@linuxprobe tripwire]# vi twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#     perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    # rewrite HOSTNAME to this machine's name if the policy was written for another host
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    # inside a rule block: comment out entries whose path does not exist on this system
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;
[root@linuxprobe tripwire]# perl twpolmake.pl twpol.txt > twpol.txt.new
[root@linuxprobe tripwire]# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
  • Create the database
[root@linuxprobe tripwire]# tripwire -m i -s -c tw.cfg
Please enter your local passphrase:
  • Run a check manually. (A daily check script run by cron is included in the package.)
