Tripwire 主要功能是將檔案製作指紋資料庫,當發現某檔案的指紋被變更時才有辦法即時知道。
環境:
- CentOS release 5.8 i386 (Final)
- 目前無法使用 yum安裝,必須到 http://sourceforge.net/projects/tripwire/files/ 下載 rpm 自行安裝。
- 進入 / tripwire-rpms / centos5 / 2.4.2.2 / 目錄,依照系統(32/64 bits)選擇需要的安裝檔。
- # rpm -i tripwire-2.4.2.2-1.el5.i386.rpm
目錄架構:
- 主目錄:/etc/tripwire
- twcfg.txt:可用來設定 tripwire 的工作環境,可依照你的習慣來調整。
- twpol.txt:指定 tripwire 對哪些檔案的哪些項目進行監控。
- twcfg.txt
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -tGLOBALEMAIL ="root@localhost,root@192.168.1.25" - DBFILE 為指紋資料庫之檔名
- REPORTFILE 為檢測報告檔之檔名。
- twpol.txt
內容太多了,省略....
重點在於 rulename、severity 群組內的設定。(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = 0) ;
/home -> $(SEC_INVARIANT) (recurse = 0) ;
/etc -> $(SEC_INVARIANT) (recurse = 0) ;
} - 基本上可以直接套用預設值。
- 也可以另外自己創造新的群組,例如我要監控 /var/www 內的網頁資料。
(
rulename = "WWW",
severity = 100
)
{
/var/www/html -> $(SEC_CRIT) ;
}
- 設定密碼:
- # tripwire-setup-keyfiles
- 執行過程中會要求你設定兩個密碼(pass phrase):
- site pass phrase :加密 twpol.txt 及 twcfg.txt 時用。
- local pass phrase:加密指紋資料庫時用。
- 從twcfg.txt生成加密配置文件tw.cfg
# twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
此時會提示「Please enter your site passphrase」 - 用twadmin對策略文件進行語法檢查
# twadmin -m P /etc/tripwire/twpol.txt
此時會提示「Please enter your site passphrase」 - tripwire數據庫初始化
# tripwire --init
會跑1-3分鐘。 - 測試email電子郵件通知功能
# tripwire -m c | mail -s “Tripwire Daily Report from {$HOSTNAME}” root@localhost ((打上自己的email) - 定時檢查
- 在 /etc/cron.daily/ 下新增 script: (tw-check)
#!/bin/bash
/usr/sbin/tripwire -m c | mail -s “Tripwire Daily Report from {$HOSTNAME}” root@localhost
- 在 /etc/cron.daily/ 下新增 script: (tw-check)
- 第一次執行 # tripwire -m c | mail -s “Tripwire Daily Report from {$HOSTNAME}” root@localhost 時:
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/202-3-168-16-static.unigate.net. tw-20130205-013834.twr
Open Source Tripwire(R) 2.4.2.2 Integrity Check Report
Report generated by: root
Report created on: 西元2013年02月05日 (週二) 01時38分34秒
Database last updated on: Never
============================================================
Report Summary:
============================================================
Host name: oooooooo
Host IP address: Unknown IP
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/oooooooo.twd
Command line used: tripwire -m c
============================================================
Rule Summary:
============================================================
------------------------------------------------------------ -------------------
Section: Unix File System
------------------------------------------------------------ -------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
* Tripwire Data Files 100 1 0 0
Critical devices 100 0 0 0
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Critical configuration files 100 0 0 0
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
Critical system boot files 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
Shell Related Programs 100 0 0 0
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
System boot changes 100 0 0 0
WWW 100 0 0 0
(/var/www/html)
OS executables and libraries 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
Root config files 100 0 0 0
Total objects scanned: 18817
Total violations found: 1
============================================================
Object Summary:
============================================================
------------------------------------------------------------ -------------------
# Section: Unix File System
------------------------------------------------------------ -------------------
------------------------------------------------------------ -------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
------------------------------------------------------------ -------------------
Added:
"/var/lib/tripwire/oooooooo.bak"
============================================================
Error Report:
============================================================
------------------------------------------------------------ -------------------
Section: Unix File System
------------------------------------------------------------ -------------------
1. File system error.
Filename: /dev/kmem
\xe6\xb2\x92\xe6\x9c\x89\xe6\xad\xa4\xe4\xb8\x80\xe6\xaa\ x94\xe6\xa1\x88\xe6\x88\x96\ xe7\x9b\xae\xe9\x8c\x84
2. File system error.
Filename: /proc/ksyms
\xe6\xb2\x92\xe6\x9c\x89\xe6\xad\xa4\xe4\xb8\x80\xe6\xaa\ x94\xe6\xa1\x88\xe6\x88\x96\ xe7\x9b\xae\xe9\x8c\x84 ------------------------------ -------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete. - 修改 /var/www/html/index.php 之後
Open Source Tripwire(R) 2.4.2.2 Integrity Check Report
Report generated by: root
Report created on: 西元2013年02月05日 (週二) 01時49分02秒
------------------------------ -------------------
Rule Name: WWW (/var/www/html)
Severity Level: 100
------------------------------------------------------------ -------------------
Modified:
"/var/www/html"
"/var/www/html/index.php"
------------------------------------------------------------ -------------------
Rule Name: Root config files (/root)
Severity Level: 100
------------------------------------------------------------ -------------------
Modified:
"/root"
"/root/.viminfo"
沒有留言:
張貼留言