10.2. Periodic integrity checks
As a basic rule, once the installation is complete (i.e. as described in Section 4.19, "Taking a snapshot of the system"), you should check the integrity of the system frequently. Integrity checks help detect changes to the filesystem made by an intruder, as well as mistakes made by the system administrator.
Integrity checks should, if possible, be done offline.[64] That is, without using the operating system of the system under review, in order to avoid the false sense of security (i.e. false negatives) produced by, for example, an installed rootkit. The integrity database that the system is checked against should likewise be read from read-only media.
If taking the system offline is not practical, you can consider doing the integrity check online with one of the available filesystem integrity tools (as described in the integrity tools section). In that case, besides the precaution of using a read-only database, make sure that the integrity checking tool (and the operating system kernel) has not been tampered with, since a compromised kernel or binary can hide exactly the changes you are looking for.
Some of the tools mentioned in the integrity tools section, such as aide, integrit or samhain, are already prepared to do periodic reviews (through the crontab in the first two cases and through a standalone daemon in samhain) and can warn the administrator through different channels (usually e-mail, but samhain can also send pages, SNMP traps or syslog alerts) when the filesystem changes.
Of course, if you apply security updates to the system, you should take a new snapshot of the system so that the baseline includes the changes made by the update; otherwise every updated file will show up as a modification at the next check.
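The procedure described above (take a baseline, keep the database read-only, compare the live tree against it periodically and alert on differences) reduced to a small POSIX shell script. This is an added example, not code from the Debian manual or from aide, integrit or samhain; the script name, the paths under /mnt/root and /media/cdrom and the file names used in the comments are hypothetical. It tracks SHA-256 digests of regular files only (no mode, owner or inode metadata, and no support for paths containing whitespace), which the real tools do handle.

```shell
#!/bin/sh
# Added example (not part of the Debian manual or of aide/integrit/samhain):
# a minimal periodic integrity check. "baseline" records a SHA-256 digest for
# every regular file under a tree and makes the database read-only; "verify"
# later compares the live tree against that database and reports CHANGED,
# MISSING and ADDED files, returning non-zero if anything differs.
# Paths and names below are hypothetical. File metadata (mode, owner, inode)
# and paths containing whitespace are not handled; real tools cover both.
set -u

# make_baseline TREE DBFILE
make_baseline() {
    tree=$1; db=$2
    # one "digest  ./relative/path" line per file, sorted by path
    ( cd "$tree" && find . -type f -exec sha256sum -- {} + ) | LC_ALL=C sort -k 2 > "$db"
    # Read-only database: chmod is only a reminder here; on a real system put
    # the file on a CD or a read-only mounted medium so that a root compromise
    # cannot rewrite it.
    chmod 0444 "$db"
}

# verify TREE DBFILE -> prints differences, returns 0 when clean, 1 otherwise
verify() {
    tree=$1; db=$2
    status=0
    # Pass 1: every baseline entry must still exist with the same digest
    while read -r expected path; do
        if [ ! -f "$tree/$path" ]; then
            echo "MISSING $path"; status=1
        else
            actual=$(cd "$tree" && sha256sum -- "$path" | cut -d' ' -f1)
            [ "$actual" = "$expected" ] || { echo "CHANGED $path"; status=1; }
        fi
    done < "$db"
    # Pass 2: files present now but absent from the baseline (for example a
    # dropped /etc/ld.so.preload). The loop runs in a subshell, so collect its
    # output and flag the result afterwards.
    added=$( (cd "$tree" && find . -type f | LC_ALL=C sort) | while read -r path; do
        awk -v p="$path" '$2 == p { f = 1 } END { exit !f }' "$db" || echo "ADDED $path"
    done )
    [ -z "$added" ] || { printf '%s\n' "$added"; status=1; }
    return "$status"
}

# Command-line entry point; with no arguments only the functions are defined.
# Typical use from a Live CD with the real root mounted under /mnt/root:
#   sh integrity.sh baseline /mnt/root/etc /media/cdrom/etc.db   (once)
#   sh integrity.sh verify   /mnt/root/etc /media/cdrom/etc.db   (periodically)
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    verify)   verify "$2" "$3" ;;
    *) ;;
esac
```

For the periodic (online) variant, a crontab entry such as `0 4 * * * root /usr/local/sbin/integrity.sh verify /etc /media/cdrom/etc.db | mail -s "integrity report" root` (hypothetical paths) mails the differences to the administrator, which is the same pattern aide and integrit use. Running it online still leaves the script, `sha256sum`, `awk` and the kernel as trusted components, which is why the text above prefers the offline check; the script is also limited to the subtrees you point it at, whereas the real tools use an include/exclude configuration to skip /proc, /sys and volatile files.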
[64] An easy way to do this is to use a Live CD, such as http://www.knoppix-std.org/, which includes both the file integrity tools and the integrity database for your system.