HY的工作筆記: Tripwire - 即時發現特定檔案異動

會認識這個套件，是因為某台不重要的主機被入侵，檔案被寫入不該有的文字，雖然對網站影響不大，但這是一個警訊。

Tripwire 主要功能是將檔案製作指紋資料庫，當發現某檔案的指紋被變更時才有辦法即時知道。

環境：

CentOS release 5.8 i386 (Final)

安裝方式：

目前無法使用 yum安裝，必須到 http://sourceforge.net/projects/tripwire/files/ 下載 rpm 自行安裝。
進入 / tripwire-rpms / centos5 / 2.4.2.2 / 目錄，依照系統（32/64 bits）選擇需要的安裝檔。
# rpm -i tripwire-2.4.2.2-1.el5.i386.rpm

目前網路上查到的方式都是要自行 make file，但是新版的已經有rpm可以用。

目錄架構：

主目錄：/etc/tripwire
twcfg.txt：可用來設定 tripwire 的工作環境，可依照你的習慣來調整。
twpol.txt：指定 tripwire 對哪些檔案的哪些項目進行監控。

說明：

twcfg.txt
ROOT                    =/usr/sbin
POLFILE               =/etc/tripwire/tw.pol
DBFILE                   =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE         =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE         =/etc/tripwire/site.key
LOCALKEYFILE    =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS        =true
EMAILREPORTLEVEL         =3
REPORTLEVEL               =3
MAILMETHOD            =SENDMAIL
SYSLOGREPORTING                 =false
MAILPROGRAM           =/usr/sbin/sendmail -oi -tGLOBALEMAIL                                ="root@localhost,root@192.168.1.25"

DBFILE 為指紋資料庫之檔名
REPORTFILE 為檢測報告檔之檔名。

twpol.txt
內容太多了，省略....
重點在於 rulename、severity 群組內的設定。
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/                                    -> $(SEC_INVARIANT) (recurse = 0) ;
/home                                -> $(SEC_INVARIANT) (recurse = 0) ;
/etc                                 -> $(SEC_INVARIANT) (recurse = 0) ;
}

基本上可以直接套用預設值。
也可以另外自己創造新的群組，例如我要監控 /var/www 內的網頁資料。
(
rulename = "WWW",
severity = 100
)
{
/var/www/html -> $(SEC_CRIT) ;
}

執行方式：

設定密碼：
- # tripwire-setup-keyfiles
- 執行過程中會要求你設定兩個密碼(pass phrase)：
從twcfg.txt生成加密配置文件tw.cfg
# twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
此時會提示「Please enter your site passphrase」
用twadmin對策略文件進行語法檢查
# twadmin -m P /etc/tripwire/twpol.txt
此時會提示「Please enter your site passphrase」
tripwire數據庫初始化
# tripwire --init
會跑1-3分鐘。
測試email電子郵件通知功能
# tripwire -m c | mail -s “Tripwire Daily Report from {$HOSTNAME}” root@localhost (（打上自己的email）
定時檢查
- 在 /etc/cron.daily/ 下新增 script: (tw-check)
  #!/bin/bash
  /usr/sbin/tripwire -m c | mail -s “Tripwire Daily Report from {$HOSTNAME}” root@localhost

email報告內容範例：

第一次執行 # tripwire -m c | mail -s “Tripwire Daily Report from {$HOSTNAME}” root@localhost 時：
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/202-
3-168-16-static.unigate.net.tw-20130205-013834.twr
Open Source Tripwire(R) 2.4.2.2 Integrity Check Report
Report generated by: root
Report created on: 西元2013年02月05日 (週二) 01時38分34秒
Database last updated on: Never
============================================================
Report Summary:
============================================================
Host name: oooooooo
Host IP address: Unknown IP
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/oooooooo.twd
Command line used: tripwire -m c
============================================================
Rule Summary:
============================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
* Tripwire Data Files 100 1 0 0
Critical devices 100 0 0 0
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Critical configuration files 100 0 0 0
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
Critical system boot files 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
Shell Related Programs 100 0 0 0
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
System boot changes 100 0 0 0
WWW 100 0 0 0
(/var/www/html)
OS executables and libraries 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
Root config files 100 0 0 0
Total objects scanned: 18817
Total violations found: 1
============================================================
Object Summary:
============================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/var/lib/tripwire/oooooooo.bak"
============================================================
Error Report:
============================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
1. File system error.
Filename: /dev/kmem
\xe6\xb2\x92\xe6\x9c\x89\xe6\xad\xa4\xe4\xb8\x80\xe6\xaa\x94\xe6\xa1\x88\xe6\x88\x96\xe7\x9b\xae\xe9\x8c\x84
2. File system error.
Filename: /proc/ksyms
\xe6\xb2\x92\xe6\x9c\x89\xe6\xad\xa4\xe4\xb8\x80\xe6\xaa\x94\xe6\xa1\x88\xe6\x88\x96\xe7\x9b\xae\xe9\x8c\x84

＝＝＝＝略＝＝＝＝
-------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
修改 /var/www/html/index.php 之後
Open Source Tripwire(R) 2.4.2.2 Integrity Check Report
Report generated by: root
Report created on: 西元2013年02月05日 (週二) 01時49分02秒

-------------------------------------------------
Rule Name: WWW (/var/www/html)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/var/www/html"
"/var/www/html/index.php"
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/root"
"/root/.viminfo"

HY的工作筆記

2013年2月5日星期二

Tripwire - 即時發現特定檔案異動

沒有留言:

張貼留言

2013年2月5日 星期二

Tripwire - 即時發現特定檔案異動

沒有留言:

張貼留言

2013年2月5日星期二