{{tag>Brouillon Sécurité}}
= File integrity checking with AIDE
See also:
* [[verifier_integrite_des_fichiers]]
* [[Vérifier l'intégrité des fichiers avec Fim|Checking file integrity with Fim]]
* [[https://en.wikipedia.org/wiki/OSSEC|OSSEC]]
* [[http://devloop.users.sourceforge.net/index.php?article68/initiation-au-systeme-de-detection-d-intrusion-samhain|Samhain]]
* Tripwire
References:
* https://kifarunix.com/install-and-configure-aide-on-debian-10/
* https://www.server-world.info/en/note?os=Ubuntu_18.04&p=aide
* https://www.it-connect.fr/aide-utilisation-et-configuration-dune-solution-de-controle-dintegrite-sous-linux/
* https://linuxhint.com/debian_linux_advanced_instrusion_detection_env/
* https://www.howtoforge.com/how-to-install-and-use-aide-on-centos-8/
== Installation
<code bash>
apt-get install aide aide-common
</code>
== Usage
Initialise the database:
<code bash>
aideinit
</code>
Run a check (optionally limited to a subtree):
<code bash>
aide.wrapper --check
aide.wrapper --check --limit /etc
</code>
Update the database (check, then write the new database to ''aide.db.new''):
<code bash>
aide.wrapper -u
</code>
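The wrapper below is an added example, not part of the original page nor of AIDE itself: it runs the check or update from a cron job, turns AIDE's exit status into a loggable verdict, and promotes ''aide.db.new'' to ''aide.db'' only when asked and only if the new database is not empty. It assumes the Debian paths used on this page and the exit codes documented in aide(1) (bit 1 new files, bit 2 removed files, bit 4 changed files, 14 to 19 errors); ''aide_run'' needs AIDE installed, the two helpers run anywhere.

```shell
#!/bin/sh
# Added example, not from the original page nor part of AIDE: a cron-friendly
# wrapper around aide.wrapper that logs a verdict and promotes the new database
# only on request. Assumed: Debian paths from this page and the exit codes from
# aide(1): bit 1 new, bit 2 removed, bit 4 changed files; 14..19 are errors.
AIDE_CMD="${AIDE_CMD:-aide.wrapper}"
AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db}"
AIDE_DB_NEW="${AIDE_DB_NEW:-/var/lib/aide/aide.db.new}"

# aide_decode_status CODE -> "clean" | "changes:<kinds>" | "error:<code>"
aide_decode_status() {
    code="$1"
    if [ "$code" -eq 0 ]; then echo "clean"; return; fi
    if [ "$code" -ge 14 ]; then echo "error:$code"; return; fi
    kinds=""
    [ $((code & 1)) -ne 0 ] && kinds="${kinds}added,"
    [ $((code & 2)) -ne 0 ] && kinds="${kinds}removed,"
    [ $((code & 4)) -ne 0 ] && kinds="${kinds}changed,"
    echo "changes:${kinds%,}"
}

# aide_promote_db NEW OLD: back up OLD with a timestamp, then install NEW.
# An empty or missing NEW is refused: a truncated database is what produces
# the "Database does not have attr field" error described further down.
aide_promote_db() {
    new="$1"; old="$2"
    if [ ! -s "$new" ]; then
        echo "refusing to promote: $new is missing or empty" >&2
        return 1
    fi
    [ -f "$old" ] && cp -p "$old" "$old.$(date +%Y%m%d%H%M%S)"
    cp -p "$new" "$old"
}

# aide_run MODE: "check" reports only; "update" also writes and promotes the
# new database. The verdict goes to syslog so a log collector can pick it up.
aide_run() {
    mode="${1:-check}"
    if [ "$mode" = "update" ]; then "$AIDE_CMD" --update; else "$AIDE_CMD" --check; fi
    rc=$?
    verdict=$(aide_decode_status "$rc")
    logger -t aide-check "mode=$mode verdict=$verdict rc=$rc"
    echo "$verdict"
    case "$verdict" in error:*) return 1 ;; esac
    if [ "$mode" = "update" ]; then aide_promote_db "$AIDE_DB_NEW" "$AIDE_DB" || return 1; fi
    return 0
}
# "sh aide-check.sh run update" executes; sourcing only defines the functions.
if [ "${1:-}" = "run" ]; then aide_run "${2:-check}"; fi
```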
== Configuration
Paths prefixed with ''!'' are excluded from the database; the list below removes directories that change constantly or crash ''aide'' (see the problems section):
<code>
#/var/log$ VarDir
# Exclusion list
!/var/lib/docker/
!/var/log/journal/
!/var/log/commands.log
!/run/
!/mnt/
!/etc/.git/
!/etc/.etckeeper
!/var/tmp/
!/var/log/
!/root/.viminfo
!/root/.bash_history
!/root/.lesshst
!/var/lib/sss/mc/passwd
!/usr/NX/var/tmp/
!/var/lib/sss/db/
</code>
Check the configuration:
<code bash>
aide.wrapper --config-check
</code>
== Problems
=== Segmentation fault (core dumped)
<code>
# aideinit
Overwrite existing /var/lib/aide/aide.db.new [Yn]? Y
Running aide --init...
Segmentation fault (core dumped)
AIDE --init return code 139
# dmesg |tail
[169712.662630] aide[428807]: segfault at 0 ip 00007f9fd5e7b14b sp 00007ffc48052578 error 4 in libc-2.31.so[7f9fd5d80000+178000]
[169712.662645] Code: 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 8b 05 25 ad 0c 00 48 83 ff 10 74 47 48 83 ff 1a 74 49 48 8b 40 60 <48> 8b 10 48 85 d2 75 12 eb 1b 0f 1f 00 48 8b 50 10 48 83 c0 10 48
</code>
==== Solution: exclude the offending directories
Find out where it crashes with ''lsof'' or ''strace''. The loop below records the files ''aide'' has open until it exits, so the last lines of ''aide_lsof.log'' show what it was reading when it crashed:
<code bash>
aideinit &
# -x matches the process name "aide" exactly, not the aideinit script
while pgrep -x aide >/dev/null; do
  lsof -p "$(pgrep -n -x aide)" | tee -a aide_lsof.log
  sleep 1
done
# or watch it live
watch -d 'lsof -p "$(pgrep -n -x aide)"'
</code>
Create an exclusion list:
<code>
!/var/lib/docker/
!/var/log/journal/
</code>
then rerun:
<code bash>
aideinit
</code>
=== Error: Database does not have attr field.
<code>
aide --check -c /etc/aide/aide.conf
Database does not have attr field.
Comparation may be incorrect
Generating attr-field from dbspec
It might be a good Idea to regenerate databases. Sorry.
db_char2line():Error while reading database
</code>
The database is incomplete. Check the size of /var/lib/aide/aide.db.new.
==== Solution
If the **aide-common** package is installed:
<code bash>
aideinit
</code>
Otherwise:
<code bash>
aide --init -c /etc/aide/aide.conf
cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
</code>
== Notes
Debugging:
<code bash>
aide -D
aide -V255 --config=/etc/aide/aide.conf -C
</code>
== Config file
<code>
#/var/log$ VarDir
!/var/lib/docker/
!/var/log/journal/
!/var/log/commands.log
!/run/
!/etc/.git/
!/etc/.etckeeper
!/var/tmp/
!/var/log/
!/root/.viminfo
!/root/.bash_history
!/root/.lesshst
</code>
Source: https://raw.githubusercontent.com/duritong/puppet-aide/master/files/aide.conf
<code>
# AIDE conf
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
# Change this to "no" or remove it to not gzip output
# (only useful on systems with few CPU cycles to spare)
gzip_dbout=yes
# Here are all the things we can check - these are the default rules
#
#p: permissions
#i: inode
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#R: p+i+n+u+g+s+m+c+md5
#L: p+i+n+u+g
#E: Empty group
#>: Growing logfile p+u+g+i+n+S
#haval: haval checksum
#gost: gost checksum
#crc32: crc32 checksum
# Defines formerly set here have been moved to /etc/default/aide.
# Custom rules
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1
# Next decide what directories/files you want in the database
# Kernel, system map, etc.
=/boot$ Binlib
# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib
#/usr/games Binlib
# Libraries
/lib Binlib
/usr/lib Binlib
/usr/local/lib Binlib
# Log files
#=/var/log$ StaticDir
#!/var/log/ksymoops
#/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
#/var/log/aide/error.log(.[0-9])?(.gz)? Databases
#/var/log/setuid.changes(.[0-9])?(.gz)? Databases
#!/var/log/aide
#/var/log Logs
# Devices
!/dev/pts
# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr,
# you may uncomment this to get rid of them. They're harmless but sometimes
# annoying.
#!/dev/cpu/mtrr
#!/dev/xconsole
/dev Devices
# Other miscellaneous files
/var/run$ StaticDir
!/var/run
# Test only the directory when dealing with /proc
/proc$ StaticDir
!/proc
# You can look through these examples to get further ideas
# MD5 sum files - especially useful with debsums -g
#/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1
# Check crontabs
#/var/spool/anacron/cron.daily Databases
#/var/spool/anacron/cron.monthly Databases
#/var/spool/anacron/cron.weekly Databases
#/var/spool/cron Databases
#/var/spool/cron/crontabs Databases
# manpages can be trojaned, especially depending on *roff implementation
#/usr/man ManPages
/usr/share/man ManPages
/usr/local/man ManPages
# docs
#/usr/doc ManPages
/usr/share/doc ManPages
# check users' home directories
#/home Binlib
# check sources for modifications
#/usr/src L
#/usr/local/src L
# Check headers for same
/usr/include L
#/usr/local/include L
#!/var/log/portage/elog
#!/var/log/puppet/puppet.log
!/var/log # ignore the log dir, it changes too often
!/dev/disk/by-uuid # ignore, because it's only crypt-swap, which changes every boot ...
</code>