监视服务器中文件系统变化的最佳方法

tag-icon tag-icon filesystems monitoring
监视服务器中文件系统变化的最佳方法

最近我的一台服务器遭到攻击。除了加强当地的安全措施外,我还计划安装一个工具来监控文件系统的变化。

我想要一个免费工具(免费),并希望它通过电子邮件发送报告或远程保存结果以避免操纵。

我一直在检查家庭,我认为它可以完成这项工作。不过我想知道是否还有其他解决方案。

答案1

如果您使用的是基于 CentOS / RHEL 的系统,您可以audit.x86_64为服务器安装和配置默认审核系统,用于命令、文件以及您想要审核的内容。下面有一个 Cent OS 的操作方法,我还链接了 RHEL 站点,但它可能需要一个帐户。我不熟悉基于 Debian 的系统或 Ubuntu,因此它可能是具有类似软件包的相同命令。快速谷歌搜索也可以很快找到 Ubuntu 的一些东西。

RHEL/CentOS:
CentOS 7 如何使用Linux审计系统
RHEL 7 系统审计
RHEL 6 系统审计

经过进一步研究,相同的auditctl系统似乎可以像RHEL 7一样安装在Ubunutu上。

乌班图:
下面的命令将在 Ubuntu 上安装它。手册页应该解释它是如何工作的,尽管我相当确定它与 RPM 安装版本几乎相同。
sudo apt-get install auditd

答案2

tripwire已经有点老了,但仍然工作得很好,并且完成了它应该做的工作(向您发送电子邮件警告受监视文件的任何和所有更改 - 例如将其设置为默认监视所有文件并排除您不这样做的文件/目录不在乎)。

可以为大多数(如果不是全部)Linux 发行版(以及 *bsd)预先打包。以下是 debian tripwire 包中的描述:

Package: tripwire
Description-en: file and directory integrity checker
 Tripwire is a tool that aids system administrators and users in
 monitoring a designated set of files for any changes.  Used with
 system files on a regular (e.g., daily) basis, Tripwire can notify
 system administrators of corrupted or tampered files, so damage
 control measures can be taken in a timely manner.

Homepage: https://github.com/Tripwire/tripwire-open-source

我还建议用于git所有重要文件的版本控制(并将git push更改推送到远程存储库作为备份,以防止损坏和意外或故意删除)。

当然,etckeeper对于自动化版本控制(git默认情况下)/etc

Package: etckeeper
Description-en: store /etc in git, mercurial, bzr or darcs
 The etckeeper program is a tool to let /etc be stored in a git, mercurial,
 bzr or darcs repository. It hooks into APT to automatically commit changes
 made to /etc during package upgrades. It tracks file metadata that version
 control systems do not normally support, but that is important for /etc, such
 as the permissions of /etc/shadow. It's quite modular and configurable, while
 also being simple to use if you understand the basics of working with version
 control.

Homepage: https://etckeeper.branchable.com/

答案3

AIDE is a tool for monitoring file system changes. It can be used
to detect unauthorized monitored files and directories. AIDE was
written to be a simple and free alternative to Tripwire. Features
currently included in AIDE are as follows:

    o  File attributes monitored: permissions, inode, user, group
       file size, mtime, atime, ctime, links and growing size.
    o  Checksums and hashes supported: SHA1, MD5, RMD160, and TIGER.
       CRC32, HAVAL and GOST if Mhash support is compiled in.
    o  Plain text configuration files and database for simplicity.
    o  Rules, variables and macros that can be customized to local
       site or system policies.
    o  Powerful regular expression support to selectively include or
       exclude files and directories to be monitored.
    o  gzip database compression if zlib support is compiled in.
    o  Free software licensed under the GNU General Public License.

The homepage of AIDE is https://aide.github.io

相关内容