RKHunter: detecting rootkits
RKHunter project page: http://rkhunter.sourceforge.net/
Rootkits explained (in Chinese): http://linux.vbird.org/linux_security/0420rkhunter.php
- Installing RKHunter
[root@linuxprobe ~]# yum --enablerepo=epel -y install rkhunter
- Configuring and using RKHunter. For routine checks, the package installs a check script under /etc/cron.daily, which cron runs once a day.
[root@linuxprobe ~]# vi /etc/sysconfig/rkhunter
# recipient address for the report
MAILTO=root@localhost
# if set to "yes", run a more detailed (and slower) scan
DIAG_SCAN=no
# update the rootkit signature database
[root@linuxprobe ~]# rkhunter --update
# record the current file properties (hashes, permissions, ownership) as the baseline;
# run this only on a system known to be clean, and again after legitimate package updates,
# otherwise the baseline captures (and hides) a compromise
[root@linuxprobe ~]# rkhunter --propupd
# run the check
# --sk skips the "press Enter to continue" prompts between test groups
# --rwo (--report-warnings-only) shows only the warnings
[root@linuxprobe ~]# rkhunter --check --sk
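The check above is interactive. For a host where you want your own cron wrapper rather than the packaged cron.daily script, the following added example (not code from the page or from the rkhunter project) runs rkhunter non-interactively, mails only when warnings appear, and shows the parsing of the "Warning:" lines that a ticketing or SIEM forwarder would do. It assumes rkhunter's documented flags --cronjob (implies --check, --sk and --nocolors) and --rwo, and its documented exit status (0 = no warnings, 1 = warnings or error); the sample output text is constructed.

```shell
#!/bin/sh
# Added example: cron wrapper for rkhunter plus a parser for its warning lines.
# Assumptions: rkhunter flags --cronjob and --rwo, exit 0 = clean / 1 = warnings.
# The sample text below is constructed, not real rkhunter output from this host.

RKH_SAMPLE=$(cat <<'EOF'
Warning: The command '/usr/bin/ls' has been replaced by a script: /usr/bin/ls: Bourne-Again shell script text executable
Warning: Hidden directory found: /etc/.java
Warning: Hidden file found: /dev/shm/.x: empty
Checking for hidden files and directories [ Warning ]
One or more warnings have been found while checking the system.
EOF
)

# Keep only the lines rkhunter flags as findings (stdin -> stdout).
# The anchor matters: summary lines mention "Warning" mid-line and are not findings.
rkh_warnings() {
    grep '^Warning:'
}

# Number of findings in the text passed as $1 (0 when there are none).
rkh_warning_count() {
    printf '%s\n' "$1" | rkh_warnings | grep -c . || true
}

# Run the check and mail the findings only when rkhunter reports some.
# Exit status is passed through so cron logs a failure as well.
rkh_daily() {
    mailto="${MAILTO:-root}"
    status=0
    out=$(/usr/bin/rkhunter --cronjob --rwo 2>&1) || status=$?
    if [ "$status" -ne 0 ]; then
        printf '%s\n' "$out" | rkh_warnings \
            | mail -s "rkhunter: $(rkh_warning_count "$out") warning(s) on $(hostname)" "$mailto"
    fi
    return "$status"
}

# The real check only runs when invoked as "rkhunter-daily.sh run",
# so sourcing this file (or running it without arguments) is side-effect free.
case "${1:-}" in
    run) rkh_daily ;;
esac
```

Schedule it with a crontab line such as `0 2 * * * /usr/local/sbin/rkhunter-daily.sh run`. Note that rkhunter itself returns 1 both for findings and for internal errors, so an empty mail body means "check the log in /var/log/rkhunter/rkhunter.log", not "all clear".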
Lynis
Security auditing tool
Lynis project page: https://cisofy.com/lynis/
- Installing Lynis
[root@linuxprobe ~]# yum --enablerepo=epel -y install lynis
- Using Lynis
[root@linuxprobe ~]# lynis audit system
Related documentation, a Lynis tutorial (in Chinese):
http://netsecurity.51cto.com/art/201410/455466.htm
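Lynis prints a long interactive report, but for repeated audits the useful artefact is its machine-readable report file (/var/log/lynis-report.dat by default). The following added example (not code from the page or from the Lynis project) parses that file so a cron job can fail a host whose hardening index drops below a threshold or that carries open warnings. It assumes the report format is one key=value per line, with warning[] and suggestion[] entries whose pipe-separated fields begin with the test ID, and the --cronjob flag for a non-interactive run; the sample report is constructed.

```shell
#!/bin/sh
# Added example: parse the Lynis report file and gate on hardening index / warnings.
# Assumed format: key=value lines; warning[]=TESTID|message|details|-| entries.
# The sample below is constructed, not a real report from this host.

LYNIS_REPORT=/var/log/lynis-report.dat

LYNIS_SAMPLE=$(cat <<'EOF'
lynis_version=2.4.0
hostname=linuxprobe
hardening_index=64
warning[]=SSH-7408|Consider hardening SSH configuration|[PermitRootLogin]|-|
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in login.defs|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|[AllowTcpForwarding]|-|
EOF
)

# Value of a scalar key ($2) in report text ($1); empty when absent.
lynis_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Test IDs of every warning[] entry in report text ($1), one per line.
lynis_warning_ids() {
    printf '%s\n' "$1" | sed -n 's/^warning\[]=\([^|]*\)|.*/\1/p'
}

# Number of warnings in report text ($1); 0 when there are none.
lynis_warning_count() {
    lynis_warning_ids "$1" | grep -c . || true
}

# Succeed only if hardening_index >= $2 and there are no warnings:
# a cron-friendly pass/fail gate over report text ($1).
lynis_gate() {
    idx=$(lynis_value "$1" hardening_index)
    n=$(lynis_warning_count "$1")
    [ "${idx:-0}" -ge "$2" ] && [ "$n" -eq 0 ]
}

# Run the audit and apply the gate to the real report. Only executed when the
# script is invoked as "lynis-gate.sh run <min_index>".
lynis_daily() {
    /usr/bin/lynis audit system --cronjob >/dev/null 2>&1 || true  # lynis exit codes are not a pass/fail signal
    report=$(cat "$LYNIS_REPORT")
    if lynis_gate "$report" "$1"; then
        echo "lynis: ok (index $(lynis_value "$report" hardening_index))"
    else
        echo "lynis: index $(lynis_value "$report" hardening_index), warnings:"
        lynis_warning_ids "$report"
        return 1
    fi
}

case "${1:-}" in
    run) lynis_daily "${2:-60}" ;;
esac
```

The threshold is policy, not a Lynis constant: pick it per host class after a first clean run, and treat a drop (rather than the absolute value) as the signal worth paging on.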
AIDE overview
- AIDE (Advanced Intrusion Detection Environment) is an intrusion detection tool whose main purpose is to check file integrity.
- Installing and configuring the host-based IDS (intrusion detection system) AIDE
AIDE download: https://sourceforge.net/projects/aide/
- Installing AIDE
[root@linuxprobe ~]# yum -y install aide
[root@linuxprobe ~]# vi /etc/aide.conf
# for example, change the rule that monitors /var/log
# (permissions, owner, group, inode, link count, ACL, SELinux context and xattrs, but no content hash, since log files change constantly)
/var/log p+u+g+i+n+acl+selinux+xattrs
# initialize the database
[root@linuxprobe ~]# aide --init
AIDE, version 0.15.1
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
# copy the generated database to the master database; keep a second copy of aide.db.gz
# where a root-level attacker cannot rewrite it (read-only media or another host),
# since the baseline is only as trustworthy as its storage
[root@linuxprobe ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
- Run a check
[root@linuxprobe ~]# aide --check
AIDE, version 0.15.1
### All files match AIDE database. Looks okay!
[root@linuxprobe ~]# chmod 640 /root/anaconda-ks.cfg
[root@linuxprobe ~]# aide --check
# the differences found are shown below
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-27 04:44:55
Summary:
Total number of files: 31983
Added files: 0
Removed files: 0
Changed files: 1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /root/anaconda-ks.cfg
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /root/anaconda-ks.cfg
Perm : -rw------- , -rw-r-----
Ctime : 2016-10-25 04:52:57 , 2016-10-27 04:44:25
ACL : old = A:
----
user::rw-
group::---
other::---
----
D: <NONE>
new = A:
----
user::rw-
group::r--
other::---
----
D: <NONE>
- If the differences found are all legitimate (no problem), update the database as follows
[root@linuxprobe ~]# aide --update
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-27 04:49:12
Summary:
Total number of files: 31983
Added files: 0
Removed files: 0
Changed files: 1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /root/anaconda-ks.cfg
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
...
# --update only writes aide.db.new.gz; promote it to the master database by hand, after reviewing the differences
[root@linuxprobe ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
- To run the check regularly, add it to cron. The log file /var/log/aide/aide.log is overwritten on every run, and when no differences are found it is overwritten with a zero-byte file, so if you want to keep the logs you need a shell script that saves each report, or send the results by email, or similar.
# for example, add a daily check to cron and send the results by email
# (--update here only regenerates aide.db.new.gz each night; the baseline aide.db.gz is not replaced until you copy it yourself, so the nightly run does not silently accept changes)
[root@linuxprobe ~]# vi /etc/cron.d/aide
00 01 * * * /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root
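The one-line cron entry above mails a report every night, including the empty ones, and loses the log. The following added example (not code from the page or from the AIDE project) is the shell script the text says you need: it keeps every non-empty report under a timestamped name, decodes AIDE's exit status so the mail subject says what was found, mails only on a real finding, and leaves promotion of aide.db.new.gz as an explicit, separate step. It assumes AIDE's documented exit status bits (1 = added files, 2 = removed, 4 = changed; 14 and above are errors) and the paths shown on this page.

```shell
#!/bin/sh
# Added example: AIDE cron wrapper with exit-status decoding and report archiving.
# Assumptions: AIDE exit bits 1/2/4 for added/removed/changed, >= 14 for errors;
# database paths as on the page (/var/lib/aide/aide.db.gz, aide.db.new.gz).

AIDE_LOG_DIR=/var/log/aide
AIDE_DB=/var/lib/aide/aide.db.gz
AIDE_DB_NEW=/var/lib/aide/aide.db.new.gz

# Translate an AIDE exit status ($1) into "ok", "error(N)" or a
# space-separated list drawn from "added removed changed".
aide_decode_status() {
    s=$1
    if [ "$s" -eq 0 ]; then echo "ok"; return 0; fi
    if [ "$s" -ge 14 ]; then echo "error($s)"; return 0; fi
    out=""
    [ $((s & 1)) -ne 0 ] && out="$out added"
    [ $((s & 2)) -ne 0 ] && out="$out removed"
    [ $((s & 4)) -ne 0 ] && out="$out changed"
    echo "${out# }"
}

# Daily check. --check is read-only: it compares against aide.db.gz and writes
# no new database, so a compromised host cannot "update itself" clean here.
aide_daily() {
    report="$AIDE_LOG_DIR/aide-$(date +%Y%m%d-%H%M%S).log"
    status=0
    /usr/sbin/aide --check >"$report" 2>&1 || status=$?
    summary=$(aide_decode_status "$status")
    if [ "$summary" = ok ]; then
        rm -f "$report"       # nothing worth keeping; avoids piling up empty files
    else
        mail -s "AIDE on $(hostname): $summary" root <"$report"
    fi
    return "$status"
}

# Run by an administrator after reviewing a report and judging every change
# legitimate: regenerate the database and promote it, the step the page shows by hand.
aide_accept_changes() {
    /usr/sbin/aide --update || true   # its exit status mirrors the findings, not failure
    cp -p "$AIDE_DB_NEW" "$AIDE_DB"
}

# Side-effect free unless invoked as "aide-daily.sh run" or "aide-daily.sh accept".
case "${1:-}" in
    run)    aide_daily ;;
    accept) aide_accept_changes ;;
esac
```

With this in place the crontab line becomes `00 01 * * * /usr/local/sbin/aide-daily.sh run`, and the "accept" path is deliberately never reachable from cron: promoting the baseline is a human decision taken after reading the report.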
Tripwire overview
Tripwire is the best-known file-system integrity checker for Unix. Its core technique is to compute a set of cryptographic hashes (Tripwire calls this the file's signature) for every monitored file and store it; when a file's current signature no longer matches the stored one, the file has been modified.
Tripwire website: http://www.tripwire.com/ (the EPEL package below installs the open-source Tripwire)
Installing Tripwire
# install from EPEL
[root@linuxprobe ~]# yum --enablerepo=epel -y install tripwire
- Create the keys and the database (the site key signs the configuration and policy; the local key signs the database and reports)
# generate keys
[root@linuxprobe ~]# tripwire-setup-keyfiles
.....
.....
Enter the site keyfile passphrase:# set site keyfile passphrase
Verify the site keyfile passphrase:# confirm
....
.....
Enter the local keyfile passphrase:# set local keyfile passphrase
Verify the local keyfile passphrase:# confirm
.....
.....
Please enter your site passphrase: # answer with site keyfile passphrase
.....
.....
Please enter your site passphrase: # answer with site keyfile passphrase
.....
.....
[root@linuxprobe ~]# cd /etc/tripwire
[root@linuxprobe tripwire]# vi twcfg.txt
# line 12: report level (4 is max)
REPORTLEVEL =4
# generate config
[root@linuxprobe tripwire]# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase:# answer with site keyfile passphrase
Wrote configuration file: /etc/tripwire/tw.cfg
# optimize the policy file with the script below: it sets HOSTNAME to this machine's hostname and
# comments out rules for paths that do not exist on this host, which would otherwise show up as errors on every check
[root@linuxprobe tripwire]# vi twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {
    chomp;
    # rewrite the HOSTNAME variable to this machine's real hostname
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {        # entering a rule block
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {        # leaving a rule block
        $INRULE=0 ;
    }
    # inside a rule block: "<optional #> /path -> $(Rule) ;"  (all three captures are needed)
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;   # strip an existing comment marker; $ret remembers whether there was one
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            # path missing (or empty) on this host: comment the rule out, unless it already was
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;   # path exists: keep the rule active
        }
    }
    print "$_\n" ;
}
close(POL) ;
[root@linuxprobe tripwire]# perl twpolmake.pl twpol.txt > twpol.txt.new
[root@linuxprobe tripwire]# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
- Create the database
# -m i: initialize mode; -s: silent; the local passphrase is requested because the database is signed with the local key
[root@linuxprobe tripwire]# tripwire -m i -s -c tw.cfg
Please enter your local passphrase:
- Run a check manually. (A daily check script for cron is included in the package.)
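The manual check cycle itself, as an added example (not code from the page or from the Tripwire project): run the integrity check, print the newest report, and, only after a human review, fold accepted changes into the signed database. It assumes the open-source Tripwire command set (tripwire -m c for a check, twprint -m r to print a report, tripwire -m u to update the database from a report) and the default report location from twcfg.txt, /var/lib/tripwire/report/<host>-<date>.twr; the sample report text is constructed.

```shell
#!/bin/sh
# Added example: Tripwire check / print / accept cycle.
# Assumptions: tripwire -m c / -m u, twprint -m r, report dir /var/lib/tripwire/report.
# TW_SAMPLE is constructed text in the shape of a twprint report, not a real report.

TW_CFG=/etc/tripwire/tw.cfg
TW_REPORT_DIR=/var/lib/tripwire/report

TW_SAMPLE=$(cat <<'EOF'
Tripwire(R) 2.4.3 Integrity Check Report
Report generated by:          root
Total objects scanned:        38416
Total violations found:       2
EOF
)

# Newest .twr report in directory $1 (by modification time); empty if none.
tw_latest_report() {
    ls -t "$1"/*.twr 2>/dev/null | head -n 1
}

# Pull the violation count out of printed report text ($1); 0 when the line is absent.
tw_violation_count() {
    n=$(printf '%s\n' "$1" \
        | sed -n 's/^Total violations found:[[:space:]]*\([0-9]*\).*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# Integrity check: non-zero exit means violations or an error, which is what a
# cron job keys on. The report is printed so it can be piped to mail.
tw_check() {
    status=0
    /usr/sbin/tripwire -m c -s -c "$TW_CFG" || status=$?
    report=$(tw_latest_report "$TW_REPORT_DIR")
    [ -n "$report" ] && /usr/sbin/twprint -m r -c "$TW_CFG" -r "$report"
    return "$status"
}

# Accept the changes listed in the newest report into the database. This prompts
# for the local passphrase, so it is run by hand, never from cron.
tw_accept() {
    /usr/sbin/tripwire -m u -c "$TW_CFG" -r "$(tw_latest_report "$TW_REPORT_DIR")"
}

# Side-effect free unless invoked as "tw-cycle.sh check" or "tw-cycle.sh accept".
case "${1:-}" in
    check)  tw_check ;;
    accept) tw_accept ;;
esac
```

Because the database and every report are signed with the local key, the "accept" step is the only place that key's passphrase is needed, which is exactly why an automated job cannot quietly rebaseline a host: keep that passphrase off the machine.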