10.2. 周期性入侵检测

通常完成安装后, 一条基本准则是(即, 如 第 4.19 节 “生成系统快照” 所描述)应当经常进行系统完整性检查. 完整性检查有助于发现入侵者对文件系统的改动, 或系统管理的操作失误.

Integrity checks should be, if possible, done offline.[64] That is, without using the operating system of the system to review, in order to avoid a false sense of security (i.e. false negatives) produced by, for example, installed rootkits. The integrity database that the system is checked against should also be used from read-only media.

您可以考虑使用有效的文件系统完整性检查工具(如 ref id=”check-integ” /> 中所述)在线完成完整性检查, 如果离线完成这一工作不太可能. 但是, 除了使用只读数据库这一预防措施, 还要确保完整性检查工具(和操作系统内核)未被篡.

Some of the tools mentioned in the integrity tools section, such as aide, integrit or samhain are already prepared to do periodic reviews (through the crontab in the first two cases and through a standalone daemon in samhain) and can warn the administrator through different channels (usually e-mail, but samhain can also send pages, SNMP traps or syslog alerts) when the filesystem changes.

当然, 如果您对系统进行了安全更新, 应当重新制作系统快照, 以包容安全更新所产生的改动.


[64] An easy way to do this is using a Live CD, such as http://www.knoppix-std.org/ which includes both the file integrity tools and the integrity database for your system.