歡迎來到Linux教程網
Linux教程網
Linux教程網
Linux教程網
您现在的位置: Linux教程網 >> UnixLinux >  >> Linux綜合 >> 學習Linux

CentOS 7 安全加固、檢測、審計

CentOS 7 安全加固、檢測、審計

CentOS 7 安全加固、檢測、審計


RKHunter:檢測Rootkit

RKHunter 傳送門:http://rkhunter.sourceforge.net/
Root Kit 詳解:http://linux.vbird.org/linux_security/0420rkhunter.php

  • RKHunter 安裝
[root@linuxprobe ~]# yum --enablerepo=epel -y install rkhunter 
  • 配置和使用RKHunter,對於常規檢查,檢查腳本安裝在cron.daily目錄下,並由Cron每天執行
[root@linuxprobe ~]# vi /etc/sysconfig/rkhunter# recipient address for reportMAILTO=root@localhost# if specified "yes", scan more detailyDIAG_SCAN=no# update database[root@linuxprobe ~]# rkhunter --update# update system file properties[root@linuxprobe ~]# rkhunter --propupd # execute checking# --sk means sikpping to push Enter key# if specified --rwo , display only warnings[root@linuxprobe ~]#  rkhunter --check --sk

Lynis

安全審計工具 Lynis 傳送門:https://cisofy.com/lynis/

  • 安裝Lynis
[root@linuxprobe ~]# yum --enablerepo=epel -y install lynis
  • 使用Lynis
[root@linuxprobe ~]# lynis audit system

相關文檔Lynis 教程: http://netsecurity.51cto.com/art/201410/455466.htm

AIDE 簡介

  • AIDE(Advanced Intrusion Detection Environment,高級入侵檢測環境)是個入侵檢測工具,主要用途是檢查文檔的完整性。
  • 安裝和配置基於主機的IDS(入侵檢測系統)“AIDE”(高級入侵檢測環境)

AIDE 下載地址:https://sourceforge.net/projects/aide/

  • 安裝AIDE
[root@linuxprobe ~]# yum -y install aide
  • 配置AIDE並初始化數據庫。可以使用帶有默認配置的AIDE,但是如果要自定義設置,請按如下所示更改配置文件。設置規則寫在26-84行附近,參考它們。
[root@linuxprobe ~]# vi /etc/aide.conf# for example, change setting of monitoring /var/log/var/log   p+u+g+i+n+acl+selinux+xattrs# initialize database[root@linuxprobe ~]# aide --initAIDE, version 0.15.1### AIDE database at /var/lib/aide/aide.db.new.gz initialized.# copy generated DB to master DB[root@linuxprobe ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz 
  • 執行檢查
[root@linuxprobe ~]# aide --checkAIDE, version 0.15.1### All files match AIDE database. Looks okay![root@linuxprobe ~]# chmod 640 /root/anaconda-ks.cfg[root@linuxprobe ~]# aide --check# 檢測到的差異如下AIDE 0.15.1 found differences between database and filesystem!!Start timestamp: 2016-10-27 04:44:55Summary:  Total number of files:    31983  Added files:          0  Removed files:        0  Changed files:        1---------------------------------------------------Changed files:---------------------------------------------------changed: /root/anaconda-ks.cfg--------------------------------------------------Detailed information about changes:---------------------------------------------------File: /root/anaconda-ks.cfg Perm     : -rw-------                       , -rw-r----- Ctime    : 2016-10-25 04:52:57              , 2016-10-27 04:44:25 ACL      : old = A:----user::rw-group::---other::-------                  D: <NONE>            new = A:----user::rw-group::r--other::-------                  D: <NONE>
  • 如果沒有ploblem,即使檢測到一些差異,則更新數據庫如下
[root@linuxprobe ~]# aide --updateAIDE 0.15.1 found differences between database and filesystem!!Start timestamp: 2016-10-27 04:49:12Summary:  Total number of files:    31983  Added files:          0  Removed files:        0  Changed files:        1---------------------------------------------------Changed files:---------------------------------------------------changed: /root/anaconda-ks.cfg---------------------------------------------------Detailed information about changes:---------------------------------------------------...# update database[root@linuxprobe ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz 
  • 如果檢查regulary添加在Cron。日志文件[/var/log/aide/aide.log]每次都更新,如果沒有區別,它將用零字節更新,因此如果你想保存日志文件,它需要創建一個shell腳本或發送結果通過電子郵件或其他。
 # for example, add daily check in Crontab and send results via email[root@dlp ~]# vi /etc/cron.d/aide00 01 * * * /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root 

Tripwire 簡介

  • Tripwire是目前最為著名的unix下文件系統完整性檢查的軟件工具,這一軟件采用的技術核心就是對每個要監控的文件產生一個數字簽名,保留下來。當文件現在的數字簽名與保留的數字簽名不一致時,那麼現在這個文件必定被改動過了。

    Tripwire 官網:http://www.tripwire.com/

  • 安裝Tripwire

# install from EPEL[root@linuxprobe ~]# yum --enablerepo=epel -y install tripwire
  • 創建密鑰和數據庫
# generate keys[root@linuxprobe ~]# tripwire-setup-keyfiles..........Enter the site keyfile passphrase:# set site keyfile passphraseVerify the site keyfile passphrase:# confirm.........Enter the local keyfile passphrase:# set local keyfile passphraseVerify the local keyfile passphrase:# confirm..........Please enter your site passphrase: # answer with site keyfile passphrase..........Please enter your site passphrase: # answer with site keyfile passphrase..........[root@linuxprobe ~]# cd /etc/tripwire[root@linuxprobe tripwire]# vi twcfg.txt# line 12: report level (4 is max)REPORTLEVEL =4# generate config[root@linuxprobe tripwire]# twadmin -m F -c tw.cfg -S site.key twcfg.txtPlease enter your site passphrase:# answer with site keyfile passphraseWrote configuration file: /etc/tripwire/tw.cfg# optimize policy file with the script below[root@linuxprobe tripwire]# vi twpolmake.pl#!/usr/bin/perl# Tripwire Policy File customize tool# ----------------------------------------------------------------# Copyright (C) 2003 Hiroaki Izumi# This program is free software; you can redistribute it and/or# modify it under the terms of the GNU General Public License# as published by the Free Software Foundation; either version 2# of the License, or (at your option) any later version.# This program is distributed in the hope that it will be useful,# but WITHOUT ANY WARRANTY; without even the implied warranty of# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the# GNU General Public License for more details.# You should have received a copy of the GNU General Public License# along with this program; if not, write to the Free Software# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.# ----------------------------------------------------------------# Usage:#     perl twpolmake.pl {Pol file}# ----------------------------------------------------------------#$POLFILE=$ARGV[0];open(POL,"$POLFILE") or die "open error: $POLFILE" ;my($myhost,$thost) ;my($sharp,$tpath,$cond) ;my($INRULE) = 0 ;while (<POL>) {    chomp;    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {        $myhost = `hostname` ; chomp($myhost) ;        if ($thost ne $myhost) {            $_="HOSTNAME=\"$myhost\";" ;        }    }    elsif ( /^{/ ) {        $INRULE=1 ;    }    elsif ( /^}/ ) {        $INRULE=0 ;    }    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {        $ret = ($sharp =~ s/\#//g) ;        if ($tpath eq '/sbin/e2fsadm' ) {            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;        }        if (! -s $tpath) {            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;        }        else {            $_ = "$sharp$tpath$cond" ;        }    }    print "$_\n" ;}close(POL) ;[root@linuxprobe tripwire]# perl twpolmake.pl twpol.txt > twpol.txt.new[root@linuxprobe tripwire]# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.newPlease enter your site passphrase:Wrote policy file: /etc/tripwire/tw.pol
  • 創建數據庫
[root@linuxprobe tripwire]# tripwire -m i -s -c tw.cfgPlease enter your local passphrase:
  • 手動執行檢查。 (Cron的每日檢查腳本包含在包中)

http://xxxxxx/Linuxjc/1184818.html TechArticle

Copyright © Linux教程網 All Rights Reserved