CentOS 7 Security Hardening, Detection and Auditing
2016-11-07 09:22
RKHunter: detecting rootkits
RKHunter home page: http://rkhunter.sourceforge.net/
Rootkits explained (in Chinese): http://linux.vbird.org/linux_security/0420rkhunter.php
Install RKHunter
[root@linuxprobe ~]# yum --enablerepo=epel -y install rkhunter
Configure and use RKHunter. For the regular check, the package installs a check script under cron.daily, which cron runs once a day.
[root@linuxprobe ~]# vi /etc/sysconfig/rkhunter
# recipient address for the report
MAILTO=root@localhost
# if set to "yes", scan in more detail
DIAG_SCAN=no
# update the rootkit database
[root@linuxprobe ~]# rkhunter --update
# update the stored system file properties (the baseline for later checks)
[root@linuxprobe ~]# rkhunter --propupd
# run the check
# --sk means skip pressing the Enter key between test groups
# with --rwo, only warnings are displayed
[root@linuxprobe ~]# rkhunter --check --sk
Lynis
Lynis security audit tool: https://cisofy.com/lynis/
Install Lynis
[root@linuxprobe ~]# yum --enablerepo=epel -y install lynis
Use Lynis
[root@linuxprobe ~]# lynis audit system
Related documentation, a Lynis tutorial (in Chinese):
http://netsecurity.51cto.com/art/201410/455466.htm
About AIDE
AIDE (Advanced Intrusion Detection Environment) is an intrusion detection tool whose main purpose is checking file integrity. This section installs and configures the host-based IDS (intrusion detection system) AIDE.
AIDE download: https://sourceforge.net/projects/aide/
Install AIDE
[root@linuxprobe ~]# yum -y install aide
Configure AIDE and initialize the database. AIDE can be used with its default configuration, but to customize the settings, change the configuration file as shown below. The rule definitions are written around lines 26-84 of the file; refer to them.
[root@linuxprobe ~]# vi /etc/aide.conf
# for example, change the monitoring settings for /var/log
/var/log p+u+g+i+n+acl+selinux+xattrs
# initialize the database
[root@linuxprobe ~]# aide --init
AIDE, version 0.15.1
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
# copy the generated DB to the master DB
[root@linuxprobe ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
Run a check
[root@linuxprobe ~]# aide --check
AIDE, version 0.15.1
### All files match AIDE database. Looks okay!
[root@linuxprobe ~]# chmod 640 /root/anaconda-ks.cfg
[root@linuxprobe ~]# aide --check
# the detected differences are reported as follows
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-27 04:44:55
Summary:
Total number of files: 31983
Added files: 0
Removed files: 0
Changed files: 1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /root/anaconda-ks.cfg
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /root/anaconda-ks.cfg
Perm : -rw------- , -rw-r-----
Ctime : 2016-10-25 04:52:57 , 2016-10-27 04:44:25
ACL : old = A:
----
user::rw-
group::---
other::---
----
D: <NONE>
new = A:
----
user::rw-
group::r--
other::---
----
D: <NONE>
If the detected differences are expected and there is no problem, update the database as follows.
[root@linuxprobe ~]# aide --update
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-27 04:49:12
Summary:
Total number of files: 31983
Added files: 0
Removed files: 0
Changed files: 1
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /root/anaconda-ks.cfg
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
...
# update the database
[root@linuxprobe ~]# cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To check regularly, add the check to cron. The log file [/var/log/aide/aide.log] is rewritten on every run, and when no differences are found it is overwritten with zero bytes; so if you want to keep the log files, you need to write a shell script, send the results by email, or similar.
# for example, add a daily check in /etc/cron.d and send the results via email
# (files in /etc/cron.d need the user field, here root, before the command)
[root@dlp ~]# vi /etc/cron.d/aide
00 01 * * * root /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root
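The wrapper script the paragraph above asks for, as an added example that is not part of the original post: it runs aide --check from cron, keeps a dated copy of the report in an archive directory only when AIDE reported differences or failed (a clean run would otherwise just leave an empty log), and mails it to the administrator. The names AIDE_BIN, AIDE_ARCHIVE, MAIL_TO and the archive path are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a cron wrapper around "aide --check"
# that keeps a dated copy of every report that found something, since AIDE
# rewrites /var/log/aide/aide.log on each run and a clean run leaves it empty.
# AIDE_BIN, AIDE_ARCHIVE and MAIL_TO are assumed names, overridable for testing.
AIDE_BIN="${AIDE_BIN-/usr/sbin/aide}"
AIDE_ARCHIVE="${AIDE_ARCHIVE-/var/log/aide/archive}"
MAIL_TO="${MAIL_TO-root}"

# Run one check, writing the report to $1. AIDE's exit status is a bitmask:
# 1 = added files, 2 = removed files, 4 = changed files; 14 and above = error.
# A clean run (status 0) produces nothing worth keeping, so its report is deleted.
aide_check_archive() {
    report="$1"
    mkdir -p "$(dirname "$report")"
    if "$AIDE_BIN" --check > "$report" 2>&1; then rc=0; else rc=$?; fi
    [ "$rc" -eq 0 ] && rm -f "$report"
    return "$rc"
}

# Turn a status code into words for the mail subject.
aide_status_text() {
    case "$1" in
        0) echo "no differences" ;;
        [1-7]) echo "differences found (status $1)" ;;
        *) echo "ERROR (status $1)" ;;
    esac
}

# Entry point for cron: archive the report and, when MAIL_TO is set, mail it.
aide_daily() {
    report="$AIDE_ARCHIVE/aide-$(date +%Y%m%d-%H%M%S).log"
    if aide_check_archive "$report"; then rc=0; else rc=$?; fi
    if [ "$rc" -ne 0 ] && [ -n "$MAIL_TO" ]; then
        mail -s "AIDE: $(aide_status_text "$rc") on $(uname -n)" "$MAIL_TO" < "$report"
    fi
    return "$rc"
}

# e.g. in /etc/cron.d/aide:  00 01 * * * root /usr/local/sbin/aide-daily.sh run
case "${1-}" in
    run) aide_daily ;;
esac
```

Because the script returns AIDE's own status, cron (or a monitoring agent) can also distinguish a changed-file report from a configuration or database error without parsing the text.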
About Tripwire
Tripwire is the best-known file system integrity checker for Unix. Its core technique is to compute a digital signature for every monitored file and keep it; when a file's current signature no longer matches the stored one, that file must have been modified. Tripwire website: http://www.tripwire.com/
Install Tripwire
# install from EPEL
[root@linuxprobe ~]# yum --enablerepo=epel -y install tripwire
Create keys and the database
# generate keys
[root@linuxprobe ~]# tripwire-setup-keyfiles
.....
.....
Enter the site keyfile passphrase:        # set the site keyfile passphrase
Verify the site keyfile passphrase:       # confirm
.....
.....
Enter the local keyfile passphrase:       # set the local keyfile passphrase
Verify the local keyfile passphrase:      # confirm
.....
.....
Please enter your site passphrase:        # answer with the site keyfile passphrase
.....
.....
Please enter your site passphrase:        # answer with the site keyfile passphrase
.....
.....
[root@linuxprobe ~]# cd /etc/tripwire
[root@linuxprobe tripwire]# vi twcfg.txt
# line 12: report level (4 is max)
REPORTLEVEL =4
# generate the config
[root@linuxprobe tripwire]# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase:        # answer with the site keyfile passphrase
Wrote configuration file: /etc/tripwire/tw.cfg
# optimize the policy file with the script below: it sets HOSTNAME to this host
# and comments out rules for paths that do not exist on this system
[root@linuxprobe tripwire]# vi twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#    perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    # replace the HOSTNAME in the policy with the real hostname of this machine
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    # track whether we are inside a rule block ({ ... })
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    # inside a rule: "[#] /path -> properties ;" lines
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        # comment out entries whose path is missing (or empty) on this system,
        # otherwise make sure the entry is active
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;
[root@linuxprobe tripwire]# perl twpolmake.pl twpol.txt > twpol.txt.new
[root@linuxprobe tripwire]# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
Create the database
[root@linuxprobe tripwire]# tripwire -m i -s -c tw.cfg
Please enter your local passphrase:
Run a check manually. (A daily check script for cron is included in the package.)