
How to use ALDE files for efficient data exchange in Linux

王林
2024-02-09 22:33:22

In Linux systems, we usually face situations where data needs to be exchanged between different applications and operating systems. The traditional method is to export data files to formats such as XML or CSV for exchange, but this method is usually cumbersome and inefficient. Today, we will introduce to you a more efficient way of data exchange - ALDE files, and how to use ALDE files for fast data exchange in Linux systems.


AIDE (Advanced Intrusion Detection Environment) is a file integrity checker and intrusion detection program.

Features

Its main purpose is to check the integrity of files and to audit which files on the computer have been changed.
AIDE builds a database from the regular-expression rules found in the /etc/aide.conf configuration file. Once the database has been initialized, it can be used to verify file integrity; all the usual file attributes can also be checked for inconsistencies. It can read older or newer versions of the database. The AIDE database can store various attributes of each file, including permissions, inode number, user, group, file size, last modification time (mtime), inode change time (ctime), last access time (atime), growing size, and number of links. AIDE can also compute a checksum or hash of each file with the sha1, md5, rmd160 or tiger algorithms.
This database should not store information about files that change frequently, such as log files, mail spools, the /proc file system, user home directories, and temporary directories.

Background

When an intruder gets into your system and plants a Trojan, he will usually try to hide it (beyond the Trojan's own stealth features, he will try to obstruct your inspection of the system), and this usually means modifying some system files. For example, an administrator normally uses ps aux to view the system processes, so the intruder is likely to replace the ps program on your system with his own modified version, so that the running Trojan cannot be found with the ps command. If the intruder notices that the administrator runs crontab jobs, the crontab program may be replaced in the same way. It is therefore necessary to check system files or other key files. Currently there are two commonly used tools for system integrity checking: Tripwire and AIDE. The former is commercial software; the latter is free but powerful.

Steps

Install

[root@CentOS7 ~]# yum -y install aide

Modify the configuration file: /etc/aide.conf

/etc/aide.conf    Default configuration file path
/usr/sbin/aide    Default binary executable path
/var/lib/aide     Default database file path
/var/log/aide     Default log file path

Initialize the default AIDE database:

`which aide` --init

After performing this step, a database file named "aide.db.new.gz" will be generated under the default database path /var/lib/aide, and all the rules defined in /etc/aide.conf will be written into the database file.
Generate a check database (it is recommended to store the initialized database in a safe place)

mv /var/lib/aide/aide.db{.new,}.gz

Because aide by default reads its database from aide.db.gz (applying the rules defined in /etc/aide.conf) when it checks file integrity, the newly initialized database file must be renamed.
Detection

`which aide` --check

Update database

`which aide` --update

The file database must be updated after a check whose differences have been reviewed; otherwise the next check will still compare the file system against the old database. Like --init, --update writes the new database to aide.db.new.gz, so the file must be renamed to aide.db.gz in the same way.
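As an added example (not part of the original article), the following POSIX shell script wraps the check and update steps above: it decodes the exit status documented in aide(1) (bit 1 = new files, bit 2 = removed files, bit 4 = changed files, 14 and above = aide itself failed), keeps each report under the default log directory, and rotates aide.db.new.gz into place only once the differences have been accepted. The function names and the backup file naming are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Paths are the CentOS 7
# defaults listed above; function names and the backup naming are assumptions.
AIDE_DB_DIR=/var/lib/aide
AIDE_DB="$AIDE_DB_DIR/aide.db.gz"
AIDE_NEW="$AIDE_DB_DIR/aide.db.new.gz"

# Translate the exit status of aide --check/--update into words. aide(1)
# documents a bitmask: 1 = new files, 2 = removed files, 4 = changed files;
# a status of 14 or higher means aide itself failed (config, I/O, version).
decode_aide_rc() {
    rc=$1
    if [ "$rc" -eq 0 ]; then echo "no-changes"; return 0; fi
    if [ "$rc" -ge 14 ]; then echo "error:$rc"; return 1; fi
    out=""
    [ $((rc & 1)) -ne 0 ] && out="$out new-files"
    [ $((rc & 2)) -ne 0 ] && out="$out removed-files"
    [ $((rc & 4)) -ne 0 ] && out="$out changed-files"
    echo "${out# }"
    return 0
}

# Run the check, keep the full report under the default log directory and
# print the decoded verdict; the exit status is passed through to the caller.
aide_check() {
    report="/var/log/aide/check-$(date +%Y%m%d-%H%M%S).log"
    aide --check >"$report" 2>&1
    rc=$?
    echo "aide --check: $(decode_aide_rc "$rc") (report: $report)"
    return "$rc"
}

# Only after the reported differences have been reviewed and accepted:
# aide --update writes aide.db.new.gz, so keep a dated copy of the old
# database and rename the new one into place, as the mv step above does.
aide_accept_changes() {
    aide --update >/dev/null 2>&1
    rc=$?
    if [ "$rc" -ge 14 ]; then echo "aide --update failed ($rc)"; return 1; fi
    cp -p "$AIDE_DB" "$AIDE_DB.$(date +%Y%m%d-%H%M%S).bak" || return 1
    mv "$AIDE_NEW" "$AIDE_DB"
}
```

Run aide_check from cron and act on its status; call aide_accept_changes only for a change you have verified, since accepting an unreviewed report would bake a tampered file into the baseline.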
AIDE default rules

#p: permissions
#i: inode
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux: SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)

AIDE rule definition and usage

Rule definition format: rule name = specific rule
[Example]: TEST = a m c

Rule usage format: file/directory rule name
[Example]: /dir1 TEST
Note: If "!" is placed in front of a file or directory, that file or directory is excluded from the check.
AIDE rule verification
Define the following rules in the /etc/aide.conf file. The /dir1 directory here is initially empty.

TEST = a c m
/dir1 TEST
Test 1:

Create a new file file1 in this directory and write "hello aide"

[root@CentOS7 ~]# aide --check

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

[root@CentOS7 ~]# echo "hello aide" > /dir1/file1
[root@CentOS7 ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2019-11-10 19:12:57

Summary:
Total number of files: 3
Added files: 1
Removed files: 0
Changed files: 1

---------------------------------------------------
Added files:
---------------------------------------------------

added: /dir1/file1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /dir1

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /dir1
Mtime : 2019-11-10 19:12:00 , 2019-11-10 19:12:55
Ctime : 2019-11-10 19:12:00 , 2019-11-10 19:12:55

The above output shows that file1 has been added to the /dir1 directory and that the Mtime and Ctime attributes of the /dir1 directory have changed.
Test 2:

Modify the content of the /dir1/file1 file from "hello aide" to "hello world"

[root@CentOS7 ~]# sed -i '/hello/c hello world' /dir1/file1 ; cat /dir1/file1
hello world
[root@CentOS7 ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2019-11-10 19:14:34

Summary:
Total number of files: 3
Added files: 1
Removed files: 0
Changed files: 1

---------------------------------------------------
Added files:
---------------------------------------------------

added: /dir1/file1

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /dir1

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

Directory: /dir1
Atime : 2019-11-10 19:12:02 , 2019-11-10 19:12:57
Mtime : 2019-11-10 19:12:00 , 2019-11-10 19:14:31
Ctime : 2019-11-10 19:12:00 , 2019-11-10 19:14:31

At this time, the Atime, Mtime, and Ctime of the /dir1 directory have been modified.
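The rule definitions above suggest a check worth automating: a selection line that names a group which was never defined (a typo such as "/dir1 TES" for the "TEST" group silently leaves the directory unmonitored). The following POSIX shell lint is an added example, not part of the original article; it knows the attribute names listed above plus the built-in groups R, L, E and > from aide.conf(5), writes group expressions with the + operator documented there, and the aide.conf it creates for the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: lint the group names used on
# the selection lines of an aide.conf. Function names are my own.
set -f   # no globbing while rule lines are split into words

# Attributes aide understands on their own (the list above) plus the
# built-in groups R, L, E and > documented in aide.conf(5).
AIDE_BUILTINS="p i n u g s b m a c S acl selinux xattrs md5 sha1 sha256 sha512 rmd160 tiger haval gost crc32 whirlpool R L E >"

# Usage: aide_conf_lint FILE  -> one line per unknown name, status 1 if any
aide_conf_lint() {
    conf=$1
    known="$AIDE_BUILTINS"
    bad=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*|@@*) continue ;;        # blank, comment, @@ macro lines
            /*|!*|=/*) ;;                   # selection line, checked below
            *=*) set -- ${line%%=*}         # "NAME = expr" (or database=...)
                 known="$known $1"; continue ;;
            *) echo "unrecognised line: $line"; bad=1; continue ;;
        esac
        set -- $line
        [ $# -lt 2 ] && continue            # "!/path" takes no group
        for part in $(printf '%s' "$2" | tr '+' ' '); do
            case " $known " in
                *" $part "*) ;;
                *) echo "undefined rule '$part' on line: $line"; bad=1 ;;
            esac
        done
    done <"$conf"
    return $bad
}

# Constructed sample: the article's rules (written with +) plus the TES typo.
aide_conf_lint_demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
database=file:/var/lib/aide/aide.db.gz
NORMAL = p+i+n+u+g+s+m+c+sha256
TEST = a+c+m
/etc NORMAL
/dir1 TES
!/dir1/tmp
EOF
    aide_conf_lint "$tmp" && status=0 || status=$?
    rm -f "$tmp"
    return $status
}
```

Run aide_conf_lint /etc/aide.conf before each aide --init or --update; a non-zero status means some path is bound to a group aide will not recognise.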

Through the introduction of this article, we understand that ALDE files are a very efficient data exchange format with advantages such as flexibility, security, and scalability. At the same time, it is also very simple to use ALDE files for data exchange in Linux systems. You only need to install the corresponding ALDE package and use the relevant commands. Compared with other formats, using ALDE files for data exchange can effectively improve the efficiency and effect of data exchange, becoming the cutting-edge technology of modern data exchange.


Statement: This article is reproduced from lxlinux.net. If there is any infringement, please contact admin@php.cn for deletion.