332.2 Host Intrusion Detection
Topic 332: Host Security
Notes on "332.2 Host Intrusion Detection", part of "332: Host Security", one of the LPIC-303 exam topics (331 to 335).
Weight: 5
Description:
Candidates should be familiar with the use and configuration of common host intrusion detection software. This includes the Linux Audit system and the verification of system integrity. Key knowledge areas:
Configure and use the Linux Audit system
Use chkrootkit
Use, configure and update rkhunter
Use Linux Malware Detect (LMD)
Automate host scans with cron
Use the RPM and DPKG package management tools to verify the integrity of installed files
Configure and use AIDE, including rule management
Awareness of OpenSCAP
Important files, terms and utilities:
auditd
auditctl
ausearch
aureport
auditd.conf
audit.rules
pam_tty_audit.so
chkrootkit
rkhunter
/etc/rkhunter.conf
maldet
conf.maldet
rpm
dpkg
aide
/etc/aide/aide.conf
Configuring and using the Linux Audit system
Configuration files
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# cd /etc/audit/
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# pwd
/etc/audit
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# ls -la
total 24
drwxr-x---. 4 root root 100 Jan 21 23:05 .
drwxr-xr-x. 85 root root 8192 Feb 2 21:24 ..
-rw-r-----. 1 root root 127 Oct 28 17:02 audit-stop.rules
-rw-r-----. 1 root root 107 Jun 29 2023 audit.rules
-rw-r-----. 1 root root 882 Oct 28 17:02 auditd.conf
drwxr-x---. 2 root root 26 Jan 21 23:05 plugins.d
drwxr-x---. 2 root root 25 Oct 28 17:02 rules.d
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# tree
.
├─ audit-stop.rules
├─ audit.rules
├─ auditd.conf
├─ plugins.d
│ └─ af_unix.conf
└─ rules.d
└─ audit.rules
2 directories, 5 files
[root@lpic303-rocky34 audit]#
The auditctl command
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# auditctl -s
enabled 1
failure 1
pid 639
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
loginuid_immutable 0 unlocked
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# ps -ax | grep 639
639 ? S<sl 0:00 /sbin/auditd
:
[root@lpic303-rocky34 audit]#
Main options:
-e [0..2]      set the enabled flag (0 disable, 1 enable, 2 lock the configuration until reboot)
-f [0..2]      set the failure mode (0 silent, 1 printk, 2 panic)
-w path        add a watch on path
-W path        remove the watch on path
-p [r|w|x|a]   which accesses to record for a watch: read, write, execute, attribute change (a filter, not permissions that are granted)
-k keyword     attach a key to the rule so its events can be found with ausearch -k / aureport -k
The ausearch command
Searches and displays the records of operations performed on watched objects.
Each record shows the executed command (exe, comm), the user (uid, and auid for the original login user), the group, and so on.
★Put "/etc/passwd" under watch★
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# auditctl -w /etc/passwd -p wrxa -k check_passwd
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# auditctl -l
-w /etc/passwd -p rwxa -k check_passwd
[root@lpic303-rocky34 audit]#
★Read the watched file★
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# cat /etc/passwd
[root@lpic303-rocky34 audit]#
★ausearch shows that the file was read with `cat` (the last event)★
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# ausearch -k check_passwd
:
----
time->Fri Feb 2 23:39:57 2024
type=PROCTITLE msg=audit(1706884797.949:88): proctitle=636174002F6574632F706173737764
type=PATH msg=audit(1706884797.949:88): item=0 name="/etc/passwd" inode=67715124 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1706884797.949:88): cwd="/etc/audit"
type=SYSCALL msg=audit(1706884797.949:88): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffdd40ef7c2 a2=0 a3=0 items=1 ppid=1272 pid=1420 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="check_passwd"
[root@lpic303-rocky34 audit]#
Making the rules persistent
Rules added with auditctl are lost at reboot. Persistent rules belong in a file under /etc/audit/rules.d/ (for example rules.d/audit.rules), not in /etc/audit/audit.rules itself: augenrules regenerates audit.rules from rules.d/*.rules whenever the service is restarted, so direct edits to audit.rules are overwritten.
Then reload with `augenrules --load`, or restart auditd with the `service` command
(`systemctl restart auditd` is refused because the unit is configured to refuse manual start/stop)
★Append the rule to be persisted (this run appends it to /etc/audit/audit.rules; the same line belongs in /etc/audit/rules.d/audit.rules)★
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# pwd
/etc/audit
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# ls -la
total 24
drwxr-x---. 4 root root 100 Jan 21 23:05 .
drwxr-xr-x. 85 root root 8192 Feb 2 21:24 ..
-rw-r-----. 1 root root 127 Oct 28 17:02 audit-stop.rules
-rw-r-----. 1 root root 107 Jun 29 2023 audit.rules
-rw-r-----. 1 root root 882 Oct 28 17:02 auditd.conf
drwxr-x---. 2 root root 26 Jan 21 23:05 plugins.d
drwxr-x---. 2 root root 25 Oct 28 17:02 rules.d
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# vi audit.rules
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 60000
## Set failure mode to syslog
-f 1
## add rule check /etc/passwd
-w /etc/passwd -p wrxa -k check_passwd <--- append this line
[root@lpic303-rocky34 audit]#
★Restart with the `service` command (`systemctl restart` is refused)★
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# systemctl restart auditd.service
Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# cat audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 60000
-w /etc/passwd -p wrxa -k check_passwd <--- the file has been regenerated (see the header line: comments dropped, control options reordered)
[root@lpic303-rocky34 audit]#
Syscall rules
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# auditctl -a always,exit -F arch=b64 -S kill -k check_kill
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# auditctl -l
-w /etc/passwd -p rwxa -k check_passwd
-a always,exit -F arch=b64 -S kill -F key=check_kill <--- added
[root@lpic303-rocky34 ~]#
-a list,action     append a rule; list is exit (or task, user, exclude), action is always or never
-S syscall         syscall name, syscall number, or all (see the separate article "Appendix: syscall list")
-F field=value     filter on a field, e.g. arch=b64 (a b64 rule does not match 32-bit callers; add an arch=b32 rule for those), uid=1000
-k keyword         key for searching
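The following script is an added example and is not part of the original page: it persists the watch rule and the syscall rule shown above as a rules.d fragment and loads them with augenrules, instead of editing the generated /etc/audit/audit.rules. The file name 10-lpic303.rules and the key names are this example's choices, and the distribution's base control options (-D, -b, -f) are assumed to stay in /etc/audit/rules.d/audit.rules.

```sh
#!/bin/sh
# Added example (not from the original page): persist audit rules the way
# augenrules expects, then load and verify them. File name and keys are
# arbitrary choices for this example.
set -eu

RULES_DIR="${RULES_DIR:-/etc/audit/rules.d}"
RULES_FILE="$RULES_DIR/10-lpic303.rules"

# Rule lines use exactly the syntax auditctl accepts on the command line.
gen_rules() {
    cat <<'EOF'
## Writes and attribute changes to /etc/passwd (reads would fire on every login)
-w /etc/passwd -p wa -k check_passwd
## Every kill() at syscall exit, on both ABIs: an arch=b64 rule alone
## does not see 32-bit callers
-a always,exit -F arch=b64 -S kill -k check_kill
-a always,exit -F arch=b32 -S kill -k check_kill
EOF
}

# Write the fragment and load everything under rules.d into the kernel.
# augenrules regenerates /etc/audit/audit.rules from rules.d/*.rules, which
# is also what 'service auditd restart' runs on Rocky Linux.
install_rules() {
    gen_rules > "$RULES_FILE"
    chmod 0640 "$RULES_FILE"
    augenrules --load
}

# The loaded rule set must show both keys; auditctl prints the -k of a
# syscall rule as '-F key=...'.
verify_keys() {
    auditctl -l | grep -q -- '-k check_passwd' &&
    auditctl -l | grep -q -- 'key=check_kill'
}

# Events for one key, with uid and syscall fields decoded (-i).
search_key() {
    ausearch -i -k "$1"
}

case "${1:-}" in
    install) install_rules && verify_keys && echo "rules loaded" ;;
    search)  search_key "${2:?key name required}" ;;
esac
```

`augenrules --check` reports whether the generated audit.rules is older than the fragments in rules.d. Once `-e 2` has been applied, no further rule changes take effect until reboot, which is the point of that setting on a production host.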
The aureport command
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# aureport
Summary Report
======================
Range of time in logs: 06/29/2023 13:05:10.438 - 02/03/2024 00:38:16.356
Selected time for report: 06/29/2023 13:05:10 - 02/03/2024 00:38:16.356
Number of changes in configuration: 96
Number of changes to accounts, groups, or roles: 22
Number of logins: 22
Number of failed logins: 2
Number of authentications: 64
Number of failed authentications: 4
Number of users: 3
Number of terminals: 10
Number of host names: 5
Number of executables: 25
Number of commands: 25
Number of files: 3
Number of AVC's: 6
Number of MAC events: 58
Number of failed syscalls: 3
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 112
Number of integrity events: 0
Number of virt events: 0
Number of keys: 2
Number of process IDs: 243
Number of events: 3326
[root@lpic303-rocky34 ~]#
-a, --avc       Report about AVC messages
-f, --file      Report about files and af_unix sockets
-h, --host      Report about hosts
-k, --key       Report about audit rule keys
-l, --login     Report about logins
-p, --pid       Report about processes
--summary       Run the summary report that gives a total of the elements of the main report. Not all reports have a summary.
-u, --user      Report about users
--tty           Report about tty keystrokes
-te, --end [end-date] [end-time]      Search for events with time stamps equal to or before the given end time.
-ts, --start [start-date] [start-time]  Search for events with time stamps equal to or after the given start time.
References
Auditd Tutorial | Cyber Lessons (in English, but YouTube's auto-generated subtitles can be machine-translated)
Auditd Tutorial Part 1: https://youtu.be/vv038-XB228?si=SzyYJXq7FZ0p6Qfp
Auditd Tutorial Part 2: https://youtu.be/hi3b4p7m62c?si=5K8yRzpsbIVAy-Lu
Auditd Tutorial Part 3: https://youtu.be/usCzu3w7H94?si=hHLdb9rIdWxJebe1
Using chkrootkit
Installation
On Rocky Linux 9
Download the archive from the chkrootkit site and unpack it into a directory of your choice
On Ubuntu 22.04
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# apt install chkrootkit
root@lpic303-ubuntu35:~#
Example runs
root@lpic303-ubuntu35:~# chkrootkit -h
Usage: /usr/sbin/chkrootkit [options] [test ...]
Options:
-h show this help and exit
-V show version information and exit
-l show available tests and exit
-d debug
-q quiet mode
-x expert mode
-e 'FILE1 FILE2' exclude files/dirs from results. Must be followed by a space-separated list of files/dirs.
Read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES first.
-s REGEXP filter results of sniffer test through 'grep -Ev REGEXP' to exclude expected
PACKET_SNIFFERs. Read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES first.
-r DIR use DIR as the root directory
-p DIR1:DIR2:DIRN path for the external commands used by chkrootkit
-n skip NFS mounted dirs
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
:
root@lpic303-ubuntu35:~#
Quiet mode
Shows only suspicious results. In the run below, the dotfiles under /usr/lib/modules/*/vdso and the Ruby gem directories are typical false positives (see the README.FALSE-POSITIVES mentioned in the help), and the promiscuous interfaces are explained by snort and ntopng running on this host; a sniffer you did not install is the finding worth chasing.
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# chkrootkit -q
The following suspicious files and directories were found:
/usr/lib/modules/5.15.0-92-generic/vdso/.build-id
/usr/lib/modules/5.15.0-94-generic/vdso/.build-id
/usr/lib/ruby/vendor_ruby/rubygems/optparse/.document
/usr/lib/ruby/vendor_ruby/rubygems/ssl_certs/.document
/usr/lib/ruby/vendor_ruby/rubygems/tsort/.document
/usr/lib/ruby/gems/3.0.0/gems/power_assert-1.2.0/.travis.yml
/usr/lib/ruby/gems/3.0.0/gems/minitest-5.14.2/.autotest
/usr/lib/ruby/gems/3.0.0/gems/rbs-1.0.4/.rubocop.yml
Output from ifpromisc:
lo: PACKET SNIFFER(/usr/sbin/ntopng[1060])
enp0s3: PACKET SNIFFER(/usr/sbin/snort[1119], /usr/sbin/ntopng[1060], /usr/sbin/ntopng[1060], /usr/lib/systemd/systemd-networkd[589])
enp0s8: PACKET SNIFFER(/usr/sbin/snort[1256], /usr/sbin/ntopng[1060], /usr/sbin/ntopng[1060], /usr/lib/systemd/systemd-networkd[589])
root@lpic303-ubuntu35:~#
Expert mode: prints the raw output of each test (here `strings` on every checked binary) for manual inspection
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# chkrootkit -x
ROOTDIR is `/'
not found
###
### Output of: /usr/bin/strings -a /usr/bin/basename
###
/lib64/ld-linux-x86-64.so.2
__cxa_finalize
__libc_start_main
__cxa_atexit
dcgettext
stderr
__fprintf_chk
__printf_chk
stdout
fputs_unlocked
strcmp
setlocale
strncmp
error
abort
:
root@lpic303-ubuntu35:~#
Using, configuring and updating rkhunter
Installation
On Rocky Linux 9
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# dnf install rkhunter
[root@lpic303-rocky34 ~]#
On Ubuntu 22.04
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# apt install rkhunter
root@lpic303-ubuntu35:~#
Configuration file
/etc/rkhunter.conf
DBDIR=/var/lib/rkhunter/db
LANGUAGE=en
LOGFILE=/var/log/rkhunter/rkhunter.log
Database
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -la /var/lib/rkhunter/db
total 44
drwxr-xr-x. 3 root root 136 Feb 12 16:24 .
drwx------. 3 root root 43 Feb 12 16:28 ..
-rw-------. 1 root root 1055 Feb 12 16:19 backdoorports.dat
drwxr-xr-x. 2 root root 96 Feb 12 16:19 i18n
-rw-------. 1 root root 97 Feb 12 16:21 mirrors.dat
-rw-------. 1 root root 3605 Feb 12 16:19 programs_bad.dat
-rw-------. 1 root root 25313 Feb 12 16:24 rkhunter_prop_list.dat
-rw-------. 1 root root 1904 Feb 12 16:19 suspscan.dat
[root@lpic303-rocky34 ~]#
Log file
/var/log/rkhunter/rkhunter.log
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -la /var/log/rkhunter
total 140
drwxr-xr-x. 2 root root 26 Feb 12 16:19 .
drwxr-xr-x. 12 root root 4096 Feb 12 13:20 ..
-rw-------. 1 root root 139040 Feb 12 16:28 rkhunter.log
[root@lpic303-rocky34 ~]#
Example runs
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# rkhunter -h
Usage: rkhunter {--check | --unlock | --update | --versioncheck |
--propupd [{filename | directory | package name},...] |
--list [{tests | {lang | languages} | rootkits | perl | propfiles}] |
--config-check | --version | --help} [options]
[root@lpic303-rocky34 ~]#
-c, --check: run the checks. It pauses for Enter between test groups; use --sk (--skip-keypress), or --cronjob, for unattended runs. The [ Warning ] at "Checking for prerequisites" means the file-properties database (rkhunter.dat, absent from the db listing above) has not been built yet: run `rkhunter --propupd` once on a system believed to be clean, and again after legitimate package updates, otherwise every updated binary is reported as changed.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# rkhunter -c
[ Rootkit Hunter version 1.4.6 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ Warning ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/depmod [ OK ]
:
[root@lpic303-rocky34 ~]#
-C, --config-check: check the configuration file for errors
--update: update the data files (mirrors.dat, programs_bad.dat, backdoorports.dat, suspscan.dat and the i18n messages) from the mirrors
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# rkhunter --update
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter data files...
Checking file mirrors.dat [ Updated ]
Checking file programs_bad.dat [ Updated ]
Checking file backdoorports.dat [ Updated ]
Checking file suspscan.dat [ Updated ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ Updated ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ Updated ]
Checking file i18n/tr.utf8 [ Updated ]
Checking file i18n/zh [ Updated ]
Checking file i18n/zh.utf8 [ Updated ]
Checking file i18n/ja [ Updated ]
[root@lpic303-rocky34 ~]#
--lang, --language <language>: language for the messages (the i18n files listed above)
Using Linux Malware Detect
Installation
Download maldetect-current.tar.gz, extract it and run `install.sh`
By default LMD uses ClamAV as its scan engine when clamscan is present (scan_clamscan=1 in conf.maldet), so install ClamAV as well
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# maldet
Linux Malware Detect v1.6.5
(C) 2002-2023, R-fx Networks <proj@rfxn.com>
(C) 2023, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
signature set: 202402101326004
usage maldet [-h|--help] [-a|--scan-all PATH] [-r|--scan-recent PATH DAYS]
[-f|--file-list PATH] [-i|--include-regex] [-x|--exclude-regex]
[-b|--background] [-m|--monitor] [-k|--kill-monitor] [-c|--checkout]
[-q|--quarantine] [-s|--restore] [-n|--clean] [-l|--log] [-e|--report]
[-u|--update-sigs] [-d|--update-ver]
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# dnf install epel-release
[root@lpic303-rocky34 ~]# dnf install clamav
[root@lpic303-rocky34 ~]#
Configuration file
/usr/local/maldetect/conf.maldet
Example runs
-d, --update-ver: check for and install a newer LMD release
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# maldet -d
Linux Malware Detect v1.6.5
(C) 2002-2023, R-fx Networks <proj@rfxn.com>
(C) 2023, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(101785): {update} checking for available updates...
maldet(101785): {update} hashing install files and checking against server...
maldet(101785): {update} latest version already installed.
[root@lpic303-rocky34 ~]#
-u, --update-sigs: update the signature set
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# maldet -u
Linux Malware Detect v1.6.5
(C) 2002-2023, R-fx Networks <proj@rfxn.com>
(C) 2023, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(101940): {sigup} performing signature update check...
maldet(101940): {sigup} local signature set is version 202402101326004
maldet(101940): {sigup} latest signature set already installed
[root@lpic303-rocky34 ~]#
-a, --scan-all PATH: scan every file under PATH (the "signatures loaded" line shows the MD5, HEX and YARA sets in use)
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# maldet -a /var/tmp/
Linux Malware Detect v1.6.5
(C) 2002-2023, R-fx Networks <proj@rfxn.com>
(C) 2023, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(102069): {scan} signatures loaded: 17637 (14801 MD5 | 2053 HEX | 783 YARA | 0 USER)
maldet(102069): {scan} building file list for /var/tmp/, this might take awhile...
maldet(102069): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(102069): {scan} file list completed in 0s, found 32 files...
maldet(102069): {scan} found clamav binary at /usr/bin/clamscan, using clamav scanner engine...
maldet(102069): {scan} scan of /var/tmp/ (32 files) in progress...
maldet(102069): {scan} processing scan results for hits: 2 hits 0 cleaned
maldet(102069): {scan} scan completed on /var/tmp/: files 32, malware hits 2, cleaned hits 0, time 31s
maldet(102069): {scan} scan report saved, to view run: maldet --report 240212-2023.102069
maldet(102069): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 240212-2023.102069
[root@lpic303-rocky34 ~]#
-q, --quarantine SCANID: move the hits of scan SCANID into /usr/local/maldetect/quarantine/. Review the hit list first: the only hit in this scan is the chkrootkit script left in /var/tmp, and a scanner that embeds the names and strings of the malware it looks for will trip signature engines, so this is a probable false positive and quarantining it removes a tool rather than malware. `maldet --restore` puts a quarantined file back.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# maldet -q 240212-2023.102069
Linux Malware Detect v1.6.5
(C) 2002-2023, R-fx Networks <proj@rfxn.com>
(C) 2023, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(102462): {quar} malware quarantined from '/var/tmp/chkrootkit-0.58b/chkrootkit' to '/usr/local/maldetect/quarantine/chkrootkit.1337815609'
[root@lpic303-rocky34 ~]#
-e, --report SCANID: show the report of scan SCANID
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# maldet --report 240212-2023.102069
HOST: lpic303-rocky34
SCAN ID: 240212-2023.102069
STARTED: Feb 12 2024 20:23:49 +0900
COMPLETED: Feb 12 2024 20:24:20 +0900
ELAPSED: 31s [find: 0s]
PATH: /var/tmp/
TOTAL FILES: 32
TOTAL HITS: 2
TOTAL CLEANED: 0
WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 240212-2023.102069
FILE HIT LIST:
{YARA}r57shell_php_php : /var/tmp/chkrootkit-0.58b/chkrootkit
{YARA}r57shell_php_php : /var/tmp/chkrootkit-0.58b/chkrootkit
===============================================
Linux Malware Detect v1.6.5 < proj@rfxn.com >
[root@lpic303-rocky34 ~]#
-l, --log: show the last lines of the event log
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# maldet -l
Linux Malware Detect v1.6.5
(C) 2002-2023, R-fx Networks <proj@rfxn.com>
(C) 2023, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
Viewing last 50 lines from /usr/local/maldetect/logs/event_log:
Feb 12 2024 20:11:36 lpic303-rocky34 maldet(100763): {sigup} performing signature update check...
Feb 12 2024 20:11:36 lpic303-rocky34 maldet(100763): {sigup} local signature set is version 20230331490193
Feb 12 2024 20:11:36 lpic303-rocky34 maldet(100763): {sigup} downloaded https://cdn.rfxn.com/downloads/ma
:
[root@lpic303-rocky34 ~]#
Automating host scans with cron
<... still being researched ...>
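As an added example for this section (not from the original page), the wrapper below runs the scanners covered above, chkrootkit, rkhunter and LMD, plus the AIDE check covered further down, unattended, and prints a cron.d entry that schedules it. The script path, log path and scanned directories are this example's choices. rkhunter's --cronjob implies --check --sk --nocolors; `rkhunter --propupd` is deliberately not run from the job, because a baseline taken blindly after a compromise would whitelist the attacker's binaries. LMD installs its own /etc/cron.daily/maldet, so the maldet step here only covers extra paths.

```sh
#!/bin/sh
# Added example (not from the original page): daily unattended HIDS run.
# Paths and scanned directories are arbitrary choices for this example.
set -u

LOG="${LOG:-/var/log/hids-daily.log}"

# Decode AIDE's exit status: bit 1 added, bit 2 removed, bit 4 changed;
# 14 and above mean an error rather than a finding.
aide_status() {
    rc="$1"
    [ "$rc" -eq 0 ] && { echo clean; return 0; }
    [ "$rc" -ge 14 ] && { echo error; return 0; }
    out=""
    [ $((rc & 1)) -ne 0 ] && out="$out added"
    [ $((rc & 2)) -ne 0 ] && out="$out removed"
    [ $((rc & 4)) -ne 0 ] && out="$out changed"
    echo "${out# }"
}

# rkhunter --update exits 2 when data files were updated; only 1 is a failure.
rkhunter_update_ok() { [ "$1" -eq 0 ] || [ "$1" -eq 2 ]; }

run_rkhunter() {
    rc=0
    rkhunter --update >/dev/null 2>&1 || rc=$?
    rkhunter_update_ok "$rc" || echo "rkhunter: data file update failed (rc=$rc)"
    # --report-warnings-only keeps the mail short; propupd is a manual step
    rkhunter --cronjob --report-warnings-only
}

run_chkrootkit() {
    # -q prints only suspicious findings, -n skips NFS mounts
    chkrootkit -q -n
}

run_maldet() {
    # -r PATH DAYS: files changed under PATH in the last DAYS days
    maldet -r /home 1
    maldet -a /var/tmp
}

run_aide() {
    rc=0
    aide --check || rc=$?
    echo "aide: $(aide_status "$rc") (rc=$rc)"
}

# Content for /etc/cron.d/hids: daily at 03:00 as root, output appended to LOG
cron_entry() {
    printf 'MAILTO=root\n0 3 * * * root /usr/local/sbin/hids-daily.sh >> %s 2>&1\n' "$LOG"
}

case "${1:-}" in
    run)
        echo "=== $(date) ==="
        for t in rkhunter chkrootkit maldet aide; do
            command -v "$t" >/dev/null 2>&1 || { echo "$t: not installed"; continue; }
            "run_$t"
        done ;;
    cron) cron_entry ;;
esac
```

Install the script as /usr/local/sbin/hids-daily.sh, write `hids-daily.sh cron` into /etc/cron.d/hids, and read the log or the root mail; a line such as "aide: changed" after a day without package updates is the signal to investigate.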
Using package management tools to verify integrity
<... still being researched ...>
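Added example, not from the original page: a classifier for `rpm -V` and `dpkg --verify` output that separates a changed binary from an edited configuration file or a timestamp-only difference. Both tools print a nine-character attribute field (rpm uses "." for pass and "?" for untested; dpkg uses "?" for unchecked), an optional file-type letter such as "c" for config files, and the path; "missing" replaces the attribute field for deleted files. The sample lines are constructed for offline testing and the category names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original page): classify package verification
# output. Attribute letters: S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P capabilities. Paths containing spaces are
# not handled (rare in packaged files).
set -u

classify_verify() {
    awk '
    $1 == "missing" { print "MISSING", $NF; next }
    {
        attr = $1
        type = (NF == 3) ? $2 : ""
        path = $NF
        if (index(attr, "5") && type == "c")  cat = "CONFIG_CHANGED"      # edited config, usually expected
        else if (attr ~ /[5SL]/)              cat = "CONTENT_CHANGED"     # altered binary/library: investigate
        else if (attr ~ /[MUGP]/)             cat = "PERMISSIONS_CHANGED" # mode, owner or capabilities
        else                                  cat = "METADATA_ONLY"       # mtime only, or nothing checkable
        print cat, path
    }'
}

# Constructed sample in rpm -V layout (dpkg --verify lines parse the same way)
sample_verify_output() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/sudo
..5......    /usr/lib64/libcrypto.so.3
.......T.    /usr/lib/systemd/system/sshd.service
missing     /usr/share/doc/foo/README
EOF
}

case "${1:-}" in
    rpm)  rpm -Va 2>/dev/null | classify_verify | grep -v '^METADATA_ONLY' ;;
    dpkg) dpkg --verify 2>/dev/null | classify_verify | grep -v '^METADATA_ONLY' ;;
    demo) sample_verify_output | classify_verify ;;
esac
```

`rpm -Va` and `dpkg --verify` compare files against the local package database, which an intruder with root can rewrite along with the files; `rpm -Vp package.rpm` verifies against a freshly downloaded package instead, and `rpm -V openssh-server` limits the check to one package when a full run is too slow.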
Configuring and using AIDE, including rule management
What AIDE is
Advanced Intrusion Detection Environment, a host-based intrusion detection system (HIDS) that works as a file integrity checker: it records the attributes and hashes of the selected files in a database and later reports every file that was added, removed or changed.
Installation
On Rocky Linux 9
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# dnf install aide
[root@lpic303-rocky34 ~]#
On Ubuntu 22.04
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# apt install aide
root@lpic303-ubuntu35:~#
Configuration file
/etc/aide.conf
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
database=file:@@{DBDIR}/aide.db.gz
report_url=file:@@{LOGDIR}/aide.log
Example runs
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# aide --help
Aide 0.16
Usage: aide [options] command
Commands:
-i, --init Initialize the database
-C, --check Check the database
-u, --update Check and update the database non-interactively
-E, --compare Compare two databases
Miscellaneous:
-D, --config-check Test the configuration file
-v, --version Show version of AIDE and compilation options
-h, --help Show this help message
Options:
-c [cfgfile] --config=[cfgfile] Get config options from [cfgfile]
-l [REGEX] --limit=[REGEX] Limit command to entries matching [REGEX]
-B "OPTION" --before="OPTION" Before configuration file is read define OPTION
-A "OPTION" --after="OPTION" After configuration file is read define OPTION
-r [reporter] --report=[reporter] Write report output to [reporter] url
-V[level] --verbose=[level] Set debug message level to [level]
[root@lpic303-rocky34 ~]#
-i, --init
Initialize the database.
It writes "/var/lib/aide/aide.db.new.gz"; rename it to "/var/lib/aide/aide.db.gz", the reference database named by `database=` in aide.conf. Take the baseline on a system known to be clean, and keep a copy of the database and of aide.conf where an attacker with root cannot rewrite them (read-only media or another host): a database that exists only on the monitored host can simply be regenerated by the intruder.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# aide --init
Start timestamp: 2024-02-12 17:41:54 +0900 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz
Number of entries: 44336
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.new.gz
MD5 : QWaCvnr2CdLNVnMOLXvRFw==
SHA1 : bxa1IiBhAue314IKaymuuMnUTpQ=
RMD160 : zeVrTmBcJkVMyJ/l42pNagdTIfk=
TIGER : wOjAnv+zC+wIIq3+KbPAt9xbE9j3l202
SHA256 : kInEUug7b0dD8MH4eKjQiUrQolZ0YyqW
GWbU4horD7M=
SHA512 : lQzYAOjadrbGZ8Y5Fp4jUl61sYgUyu4M
m2ypIAqxrVnOPeB61IbR/VPYZzUatAnf
Y7bhihtv3pqEZPn4A/vayw==
End timestamp: 2024-02-12 17:42:56 +0900 (run time: 1m 2s)
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -la /var/lib/aide
total 2520
drwx------. 2 root root 28 Feb 12 17:53 .
drwxr-xr-x. 27 root root 4096 Feb 12 13:20 ..
-rw-------. 1 root root 2574019 Feb 12 17:54 aide.db.new.gz
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# cd /var/lib/aide
[root@lpic303-rocky34 aide]#
[root@lpic303-rocky34 aide]# ls -l
total 2516
-rw-------. 1 root root 2574019 Feb 12 17:54 aide.db.new.gz
[root@lpic303-rocky34 aide]#
[root@lpic303-rocky34 aide]# mv aide.db.new.gz aide.db.gz
[root@lpic303-rocky34 aide]#
[root@lpic303-rocky34 aide]# ls -l
total 2516
-rw-------. 1 root root 2574019 Feb 12 17:54 aide.db.gz
[root@lpic303-rocky34 aide]#
-C, --check
Check the filesystem against the database
In the run below "/root/aide-test.txt" is created and reported as an added entry (the leading "f++++..." field is the file type followed by one position per attribute).
[root@lpic303-rocky34 aide]#
[root@lpic303-rocky34 aide]# echo "AIDE test" > /root/aide-test.txt
[root@lpic303-rocky34 aide]#
[root@lpic303-rocky34 aide]# aide -C
Start timestamp: 2024-02-12 17:59:26 +0900 (AIDE 0.16)
AIDE found differences between database and filesystem!!
Summary:
Total number of entries: 44337
Added entries: 1
Removed entries: 0
Changed entries: 0
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /root/aide-test.txt
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz
MD5 : Cgx4is0bYeTbAx3poOarAQ==
SHA1 : tUmkoasxHhVJ4hwO37SrWZE2f6g=
RMD160 : dFQPL/yMbCIjJOqmYNBcYyNK5Fo=
TIGER : sP+vtd+O+uCJj7ocSImF/AHdjvybXu6D
SHA256 : marTph5RADODJU7zHNbxALSvsQm2UNld
7IiB1OkJbbk=
SHA512 : 9ssrcVhadDSOHPtjIT4AY2qa6+7Jp9VP
9H2XUHnDiW1ntku73yAcQkT1eKwWRoMn
bNybhxT51ZFzPCQhJZcdvw==
End timestamp: 2024-02-12 18:00:07 +0900 (run time: 0m 41s)
[root@lpic303-rocky34 aide]#
-u, --update
Check and write a new database (aide.db.new.gz) in one step; the reference database is left untouched until the new one is renamed over it
[root@lpic303-rocky34 aide]#
[root@lpic303-rocky34 aide]# aide -u
Start timestamp: 2024-02-12 17:56:54 +0900 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!
New AIDE database written to /var/lib/aide/aide.db.new.gz
Number of entries: 44336
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz
MD5 : Cgx4is0bYeTbAx3poOarAQ==
SHA1 : tUmkoasxHhVJ4hwO37SrWZE2f6g=
RMD160 : dFQPL/yMbCIjJOqmYNBcYyNK5Fo=
TIGER : sP+vtd+O+uCJj7ocSImF/AHdjvybXu6D
SHA256 : marTph5RADODJU7zHNbxALSvsQm2UNld
7IiB1OkJbbk=
SHA512 : 9ssrcVhadDSOHPtjIT4AY2qa6+7Jp9VP
9H2XUHnDiW1ntku73yAcQkT1eKwWRoMn
bNybhxT51ZFzPCQhJZcdvw==
/var/lib/aide/aide.db.new.gz
MD5 : aHDIZh+M6RxFqGmiISrT0g==
SHA1 : 2zq7WVY92eTEly2zEPPEg2oIJ9M=
RMD160 : HcCcsq0IMuuRYluHRZOxKbHEvKU=
TIGER : fIj1rGQXWW7KR+ZJuLsC7ILzhgvrM03I
SHA256 : G8Bl+pdSCFtYj9h0MiXMX9Vnt2NUro1f
sBgmd2ulnUw=
SHA512 : nyHF3vCzJdLj5dPlNFcj4vRdE9sxnu9B
B0/5J8GYThbjJCXL31Qa1omvxXdEVuR8
iZTUoyEGduMLK/Xqvqto8A==
End timestamp: 2024-02-12 17:57:36 +0900 (run time: 0m 42s)
[root@lpic303-rocky34 aide]#
[root@lpic303-rocky34 aide]# ls -l
total 5032
-rw-------. 1 root root 2574019 Feb 12 17:54 aide.db.gz
-rw-------. 1 root root 2574019 Feb 12 17:57 aide.db.new.gz
[root@lpic303-rocky34 aide]#
-E, --compare
Compare two databases
"database_new" must be added to the configuration file beforehand
[root@lpic303-rocky34 aide]#
[root@lpic303-rocky34 aide]# vi /etc/aide.conf
:
database_new=file:@@{DBDIR}/aide.db.new.gz
:
[root@lpic303-rocky34 aide]#
[root@lpic303-rocky34 aide]# aide -E
Start timestamp: 2024-02-12 18:07:48 +0900 (AIDE 0.16)
AIDE found NO differences between the two databases. Looks okay!!
Number of entries: 44336
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db.gz
MD5 : Cgx4is0bYeTbAx3poOarAQ==
SHA1 : tUmkoasxHhVJ4hwO37SrWZE2f6g=
RMD160 : dFQPL/yMbCIjJOqmYNBcYyNK5Fo=
TIGER : sP+vtd+O+uCJj7ocSImF/AHdjvybXu6D
SHA256 : marTph5RADODJU7zHNbxALSvsQm2UNld
7IiB1OkJbbk=
SHA512 : 9ssrcVhadDSOHPtjIT4AY2qa6+7Jp9VP
9H2XUHnDiW1ntku73yAcQkT1eKwWRoMn
bNybhxT51ZFzPCQhJZcdvw==
/var/lib/aide/aide.db.new.gz
MD5 : aHDIZh+M6RxFqGmiISrT0g==
SHA1 : 2zq7WVY92eTEly2zEPPEg2oIJ9M=
RMD160 : HcCcsq0IMuuRYluHRZOxKbHEvKU=
TIGER : fIj1rGQXWW7KR+ZJuLsC7ILzhgvrM03I
SHA256 : G8Bl+pdSCFtYj9h0MiXMX9Vnt2NUro1f
sBgmd2ulnUw=
SHA512 : nyHF3vCzJdLj5dPlNFcj4vRdE9sxnu9B
B0/5J8GYThbjJCXL31Qa1omvxXdEVuR8
iZTUoyEGduMLK/Xqvqto8A==
End timestamp: 2024-02-12 18:07:50 +0900 (run time: 0m 2s)
[root@lpic303-rocky34 aide]#
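The script below is an added example and comes neither from the page nor from the AIDE project: it writes an aide.conf with custom rule groups (the "rule management" part of the objective) and wraps the init, check and database-rotation steps shown above. The group names BIN, CONF and LOGS, the selected paths and the AIDE_DIR / AIDE_CONF locations are this example's choices; rotate_db keeps a dated copy of the previous database so a check can still be run against the old baseline.

```sh
#!/bin/sh
# Added example (not from the page or the AIDE project): aide.conf with rule
# groups plus the init/check/rotate workflow. Paths and group names are
# arbitrary choices for this example.
set -eu

AIDE_DIR="${AIDE_DIR:-/var/lib/aide}"
AIDE_CONF="${AIDE_CONF:-/etc/aide.conf}"

# Rule groups are named attribute sets; a selection line pairs a path regex
# (matched from the start) with a group, and a leading '!' excludes a subtree.
gen_aide_conf() {
    cat <<EOF
@@define DBDIR $AIDE_DIR
@@define LOGDIR /var/log/aide
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
database_new=file:@@{DBDIR}/aide.db.new.gz
gzip_dbout=yes
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout

# Attribute letters (AIDE 0.16): p perms, i inode, n link count, u/g owner,
# s size, m mtime, c ctime, S growing size; plus hashes and security labels.
BIN  = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256+sha512
CONF = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
LOGS = p+u+g+n+S

!/var/log/aide
!/var/lib/aide
/bin   BIN
/sbin  BIN
/usr/bin  BIN
/usr/sbin BIN
/usr/lib  BIN
/usr/lib64 BIN
/etc   CONF
/var/log LOGS
EOF
}

# Promote the freshly written database to the reference database, keeping a
# dated copy of the old one. Only do this after reviewing 'aide --check'
# output: promoting blindly would baseline an attacker's changes.
rotate_db() {
    dir="$1"
    stamp="$(date +%Y%m%d%H%M%S)"
    [ -f "$dir/aide.db.new.gz" ] || return 1
    if [ -f "$dir/aide.db.gz" ]; then
        mv "$dir/aide.db.gz" "$dir/aide.db.$stamp.gz"
    fi
    mv "$dir/aide.db.new.gz" "$dir/aide.db.gz"
    chmod 0600 "$dir/aide.db.gz"
}

# Validate the config, build the baseline and install it (root, real host)
init_baseline() {
    aide --config-check -c "$AIDE_CONF"
    aide --init -c "$AIDE_CONF"
    rotate_db "$AIDE_DIR"
}

case "${1:-}" in
    conf)  gen_aide_conf ;;
    init)  init_baseline ;;
    check) aide --check -c "$AIDE_CONF" ;;
esac
```

With this configuration `aide --compare` works without further edits because database_new is already defined, and `aide --update` followed by `rotate_db` replaces the renaming step shown in the section above while leaving the previous baseline on disk.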
Awareness of OpenSCAP
SCAP
Security Content Automation Protocol: a set of standards for automating security configuration checks and vulnerability assessment, built from:
CVE (Common Vulnerabilities and Exposures): identifiers for vulnerabilities
CCE (Common Configuration Enumeration): identifiers for security configuration settings
CPE (Common Platform Enumeration): identifiers for products and platforms
CVSS (Common Vulnerability Scoring System): scoring of vulnerability severity
XCCDF (eXtensible Configuration Checklist Description Format): the format for writing checklists (benchmarks and profiles)
OVAL (Open Vulnerability and Assessment Language): the language for the checks that test vulnerabilities and configuration settings
Installation
On Rocky Linux 9
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# dnf install openscap-scanner
[root@lpic303-rocky34 ~]# dnf install scap-security-guide
[root@lpic303-rocky34 ~]#
On Ubuntu 22.04
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# apt install libopenscap8
root@lpic303-ubuntu35:~#
Command help
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# oscap -h
oscap
OpenSCAP command-line tool
Usage: oscap [options] module operation [operation-options-and-arguments]
Common options:
--verbose <verbosity_level> - Turn on verbose mode at specified verbosity level.
Verbosity level must be one of: DEVEL, INFO, WARNING, ERROR.
--verbose-log-file <file> - Write verbose information into file.
oscap options:
-h --help - show this help
-q --quiet - quiet mode
-V --version - print info about supported SCAP versions
Commands:
ds - Data stream utilities
oval - Open Vulnerability and Assessment Language
xccdf - eXtensible Configuration Checklist Description Format
cvss - Common Vulnerability Scoring System
cpe - Common Platform Enumeration
cve - Common Vulnerabilities and Exposures
cvrf - Common Vulnerability Reporting Framework
info - Print information about a SCAP file.
[root@lpic303-rocky34 ~]#
Security guide content (installed by scap-security-guide)
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -la /usr/share/xml/scap/ssg/content/
total 46776
drwxr-xr-x. 2 root root 52 Feb 12 19:30 .
drwxr-xr-x. 3 root root 21 Feb 12 19:30 ..
-rw-r--r--. 1 root root 24116960 Jan 5 01:58 ssg-rhel9-ds.xml
-rw-r--r--. 1 root root 23780682 Jan 5 01:59 ssg-rl9-ds.xml
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Document type: Source Data Stream
Imported: 2024-01-05T01:58:58
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2' file which is referenced from datastream
Status: draft
Generated: 2024-01-04
Resolved: true
Profiles:
Title: ANSSI-BP-028 (enhanced)
Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
Title: ANSSI-BP-028 (high)
:
:
[root@lpic303-rocky34 ~]#
Evaluating the system
The run below evaluates an XCCDF profile from the data stream and writes the results to an XML file. On Rocky Linux the matching content is ssg-rl9-ds.xml: the RHEL data stream's platform (CPE) applicability checks typically mark rules as notapplicable on a non-RHEL host, which is what the two results shown below report.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# oscap xccdf eval -h
oscap -> xccdf -> eval
Perform evaluation driven by XCCDF file and use OVAL as checking engine
Usage: oscap [options] xccdf eval [options] INPUT_FILE [oval-definitions-files]
Common options:
--verbose <verbosity_level> - Turn on verbose mode at specified verbosity level.
Verbosity level must be one of: DEVEL, INFO, WARNING, ERROR.
--verbose-log-file <file> - Write verbose information into file.
INPUT_FILE - XCCDF file or a source data stream file
Options:
--profile <name> - The name of Profile to be evaluated.
--rule <name> - The name of a single rule to be evaluated.
--skip-rule <name> - The name of the rule to be skipped.
--tailoring-file <file> - Use given XCCDF Tailoring file.
--tailoring-id <component-id> - Use given DS component as XCCDF Tailoring file.
--cpe <name> - Use given CPE dictionary or language (autodetected)
for applicability checks.
--oval-results - Save OVAL results as well.
--check-engine-results - Save results from check engines loaded from plugins as well.
--export-variables - Export OVAL external variables provided by XCCDF.
--results <file> - Write XCCDF Results into file.
--results-arf <file> - Write ARF (result data stream) into file.
--stig-viewer <file> - Writes XCCDF results into FILE in a format readable by DISA STIG Viewer
--thin-results - Thin Results provides only minimal amount of information in OVAL/ARF results.
The option --without-syschar is automatically enabled when you use Thin Results.
--without-syschar - Don't provide system characteristic in OVAL/ARF result files.
--report <file> - Write HTML report into file.
--skip-valid - Skip validation.
--skip-validation
--skip-signature-validation - Skip data stream signature validation.
(only applicable for source data streams)
--enforce-signature - Process only signed data streams.
--fetch-remote-resources - Download remote content referenced by XCCDF.
--local-files <dir> - Use locally downloaded copies of remote resources stored in the given directory.
--progress - Switch to sparse output suitable for progress reporting.
Format is "$rule_id:$result\n".
--progress-full - Switch to sparse but a bit more saturated output also suitable for progress reporting.
Format is "$rule_id|$rule_title|$result\n".
--datastream-id <id> - ID of the data stream in the collection to use.
(only applicable for source data streams)
--xccdf-id <id> - ID of component-ref with XCCDF in the data stream that should be evaluated.
(only applicable for source data streams)
--benchmark-id <id> - ID of XCCDF Benchmark in some component in the data stream that should be evaluated.
(only applicable for source data streams)
(only applicable when datastream-id AND xccdf-id are not specified)
--remediate - Automatically execute XCCDF fix elements for failed rules.
Use of this option is always at your own risk.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_pci-dss --results ./scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Downloading: https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2 ... ok
--- Starting Evaluation ---
Title Verify File Hashes with RPM
Rule xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Ident CCE-90841-8
Result notapplicable
Title Verify and Correct File Permissions with RPM
Rule xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Ident CCE-90840-0
Result notapplicable
:
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# ls -l scan-xccdf-results.xml
-rw-r--r--. 1 root root 16392349 Feb 12 19:43 scan-xccdf-results.xml
[root@lpic303-rocky34 ~]#
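Added example, not from the original page or the OpenSCAP project: a scan with the Rocky Linux data stream that keeps an HTML report and an ARF archive, a parser that pulls the failed rules out of the XCCDF results, and remediation generation for the same profile. The data stream path, profile and output file names are this example's choices, and the results XML in sample_results is a constructed fragment for offline testing.

```sh
#!/bin/sh
# Added example (not from the original page): OpenSCAP scan, failed-rule
# extraction and remediation generation. Paths, profile and file names are
# arbitrary choices for this example.
set -u

DS="${DS:-/usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml}"
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_pci-dss}"

# oscap exits 0 when every rule passes, 2 when at least one fails and 1 on
# error, so a failing rule must not abort the script.
scan() {
    rc=0
    oscap xccdf eval --fetch-remote-resources --profile "$PROFILE" \
        --results results.xml --results-arf arf.xml --report report.html \
        "$DS" || rc=$?
    [ "$rc" -ne 1 ] || { echo "oscap: evaluation error"; return 1; }
    echo "oscap finished with rc=$rc (2 = at least one rule failed)"
}

# Print "rule-id severity" for every <rule-result> whose <result> is fail.
# Relies on each rule-result start tag being on one line, as oscap writes it.
failed_rules() {
    awk '
    /<rule-result / {
        match($0, /idref="[^"]*"/);  id = substr($0, RSTART + 7, RLENGTH - 8)
        sev = "unknown"
        if (match($0, /severity="[^"]*"/)) sev = substr($0, RSTART + 10, RLENGTH - 11)
    }
    /<result>/ {
        match($0, /<result>[^<]*<\/result>/)
        if (substr($0, RSTART + 8, RLENGTH - 17) == "fail") print id, sev
    }'
}

# Constructed XCCDF results fragment for offline testing (not a real scan)
sample_results() {
    cat <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_example">
  <rule-result idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" time="2024-02-12T19:43:00" severity="high" weight="1.0">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" time="2024-02-12T19:43:01" severity="medium" weight="1.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" time="2024-02-12T19:43:02" severity="medium" weight="1.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" time="2024-02-12T19:43:03" severity="low" weight="1.0">
    <result>fail</result>
  </rule-result>
</TestResult>
EOF
}

# Generate an Ansible remediation for the profile; review it before running it
gen_fix() {
    oscap xccdf generate fix --fix-type ansible --profile "$PROFILE" \
        --output remediation.yml "$DS"
}

case "${1:-}" in
    scan) scan && failed_rules < results.xml ;;
    fix)  gen_fix ;;
    demo) sample_results | failed_rules ;;
esac
```

Start with `oscap info "$DS"` to pick a profile id, as shown above, and treat the generated remediation as a proposal: it changes sshd, PAM and mount options in bulk, so run it on a test system first.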
References
What the OSS vulnerability scanner OpenSCAP can tell you: How OpenSCAP changes vulnerability management (4) - @IT
Security: Intro to OpenSCAP | Into the Terminal 61 - YouTube