Installing Tripwire to Check File Integrity
Published: 2009-8-07 17:05 | Author: 守住每一天 | Source: IT運維專家網
When a server is attacked, in most cases the attacker will modify system files and other important files. To deal with this we use Tripwire to build a data integrity monitoring system. It cannot fend off the attack or stop the attacker from modifying important files, but it can detect whether files have been modified and which ones, so that after an attack we can plan a targeted response.
The principle is this: once Tripwire has been installed and configured, it records the current state of the system's data in a database; as files are added, deleted and modified, the current state of the system is compared against this continuously updated database to determine which files were added, deleted or modified. Because the initial database is built only after Tripwire itself has been installed and configured, we must build the integrity monitoring system with Tripwire before the server goes live, that is, right after the operating system has been installed.
AIDE is a similar tool to Tripwire.
1. How it works
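The baseline-then-compare principle described above, as an added illustration in Python (not Tripwire's own code or database format): it snapshots each object's mode, owner, size and SHA-256 into a dictionary that stands in for Tripwire's database, then classifies later changes as added, removed or modified. The temporary tree and the changes made to it are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def properties(path: Path) -> dict:
    """Properties compared per object; Tripwire also records inode, timestamps, CRC32 and MD5."""
    st = path.lstat()
    props = {"mode": stat.filemode(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        # Size plus a content hash: a replaced binary is caught even if its mode is unchanged.
        props["size"] = st.st_size
        props["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
    return props

def snapshot(root: str) -> dict:
    """Walk root and record every object's properties keyed by relative path (the 'database')."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            db[str(p.relative_to(root))] = properties(p)
    return db

def compare(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed or modified, like the Rule Summary columns."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a temporary tree, change it, then re-check."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root) / "usr" / "local" / "bin"
        bin_dir.mkdir(parents=True)
        (bin_dir / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        (bin_dir / "ps").write_bytes(b"#!/bin/sh\nexec /bin/ps \"$@\"\n")
        baseline = snapshot(root)  # built right after "install", as the text advises
        (bin_dir / "ps").write_bytes(b"#!/bin/sh\nexec /bin/ps -ef\n")  # content changed
        (bin_dir / "extra").write_bytes(b"new file\n")                   # object added
        (bin_dir / "ls").unlink()                                        # object removed
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```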
2. Download Tripwire
Tripwire's download address on SourceForge:
- wget http://sourceforge.net/projects/ ... rc.tar.bz2/download
- tar jxvf tripwire-2.4.1.2-src.tar.bz2
- cd tripwire-2.4.1.2-src
3. Install Tripwire
- ./configure --prefix=/usr/local/tripwire
- make
- make install
license agreement. [do not accept] accept
Continue with installation? [y/n] y
Enter the site keyfile passphrase:c1gstudio
Verify the site keyfile passphrase:c1gstudio
Enter the local keyfile passphrase:abcdefgh
Verify the local keyfile passphrase:abcdefgh
Please enter your site passphrase: c1gstudio
Please enter your site passphrase: c1gstudio
4. Configure Tripwire
Edit twpol.txt to control which directories are checked; I have left out many directories here.
vi /usr/local/tripwire/etc/twpol.txt
- #Global Configuration Files
- #comment out the following directories
- #/etc/mail/statistics -> $(Growing) ;
- #OS Boot Files and Mount Points
- #comment out the following directories
- #/cdrom -> $(Dynamic) ;
- #/floppy -> $(Dynamic) ;
- #/mnt -> $(Dynamic) ;
- #OS Devices and Misc Directories
- #do not check the following directories
- #/opt -> $(Dynamic) ;
- #/lost+found -> $(Dynamic) ;
- #/var/lost+found -> $(Dynamic) ;
- #/home/lost+found -> $(Dynamic) ;
- #OS Binaries and Libraries
- #do not check the following directories
- #/lib -> $(ReadOnly) ;
- #/usr/lib -> $(ReadOnly) ;
- #/usr/libexec -> $(ReadOnly) ;
- #/usr/X11R6/lib -> $(ReadOnly) ;
- #User Binaries and Libraries
- #keep only the following three
- /usr/local/bin -> $(ReadOnly) ;
- /usr/local/etc -> $(ReadOnly) ;
- /usr/local/sbin -> $(ReadOnly) ;
- #Temporary Directories
- #disable all of these directories
- #/usr/tmp -> $(Temporary) ;
- #/var/tmp -> $(Temporary) ;
- #/tmp -> $(Temporary) ;
- #Monitor Filesystems
- #disable all of these directories
- #/ -> $(ReadOnly) ;
- #/home -> $(ReadOnly) ; # Modify as needed
- #/usr -> $(ReadOnly) ;
- #/var -> $(ReadOnly) ;
5. Initialize the database
/usr/local/tripwire/sbin/tripwire --init
6. Update the database
After you have updated twpol.txt, use this command to update the policy and the database
cd /usr/local/tripwire
./sbin/tripwire --update-policy --secure-mode low ./etc/twpol.txt
- Please enter your local passphrase: abcdefgh
- Please enter your site passphrase: c1gstudio
- ======== Policy Update: Processing section Unix File System.
- ======== Step 1: Gathering information for the new policy.
- The object: "/etc/rhgb/temp" is on a different file system...ignoring.
- ### Warning: Policy Update Changed Object.
- ### An object has been changed since the database was last updated.
- ### Object name: Conflicting properties for object
- ### /usr/local/tripwire/etc/tw.pol
- ### > Modify Time
- ### > CRC32
- ### > MD5
- ### Continuing...
- ### Warning: Policy Update Changed Object.
- ### An object has been changed since the database was last updated.
- ### Object name: Conflicting properties for object /etc/cups/certs
- ### > Modify Time
- ### > Change Time
- ### Continuing...
- ### Warning: Policy Update Changed Object.
- ### An object has been changed since the database was last updated.
- ### Object name: Conflicting properties for object /etc/cups/certs/0
- ### > Modify Time
- ### > Change Time
- ### > CRC32
- ### > MD5
- ### Continuing...
- ======== Step 2: Updating the database with new objects.
- ======== Step 3: Pruning unneeded objects from the database.
- Wrote policy file: /usr/local/tripwire/etc/tw.pol
- Wrote database file: /usr/local/tripwire/lib/tripwire/local.c1gstudio.com.twd
7. Check for file changes
Once Tripwire is installed, you can check periodically whether any files have changed.
Adding --interactive shows the result immediately (and, as the [x] boxes in the report below show, lets you choose which changed objects are accepted into the database).
./sbin/tripwire --check --interactive
- Parsing policy file: /usr/local/tripwire/etc/tw.pol
- *** Processing Unix File System ***
- Performing integrity check...
- The object: "/etc/rhgb/temp" is on a different file system...ignoring.
- Wrote report file: /usr/local/tripwire/lib/tripwire/report/local.c1gstudio.com-20090807-112337.twr
- Open Source Tripwire(R) 2.4.1 Integrity Check Report
- Report generated by: root
- Report created on: 2009年08月07日 星期五 11時23分37秒
- Database last updated on: 2009年08月07日 星期五 11時09分27秒
- ===============================================================================
- Report Summary:
- ===============================================================================
- Host name: local.c1gstudio.com
- Host IP address: 127.0.0.1
- Host ID: None
- Policy file used: /usr/local/tripwire/etc/tw.pol
- Configuration file used: /usr/local/tripwire/etc/tw.cfg
- Database file used: /usr/local/tripwire/lib/tripwire/local.c1gstudio.com.twd
- Command line used: ./sbin/tripwire --check --interactive
- ===============================================================================
- Rule Summary:
- ===============================================================================
- -------------------------------------------------------------------------------
- Section: Unix File System
- -------------------------------------------------------------------------------
- Rule Name Severity Level Added Removed Modified
- --------- -------------- ----- ------- --------
- * Tripwire Data Files 0 0 0 1
- Tripwire Binaries 0 0 0 0
- User Binaries and Libraries 0 0 0 0
- OS Binaries and Libraries 0 0 0 0
- * Global Configuration Files 0 0 0 2
- System Boot Changes 0 0 0 0
- RPM Checksum Files 0 0 0 0
- OS Boot Files and Mount Points 0 0 0 0
- (/boot)
- OS Devices and Misc Directories 0 0 0 0
- Root Directory and Files 0 0 0 0
- Total objects scanned: 64406
- Total violations found: 3
- ===============================================================================
- Object Summary:
- ===============================================================================
- -------------------------------------------------------------------------------
- # Section: Unix File System
- -------------------------------------------------------------------------------
- -------------------------------------------------------------------------------
- Rule Name: Tripwire Data Files (/usr/local/tripwire/etc/tw.pol)
- Severity Level: 0
- -------------------------------------------------------------------------------
- Remove the "x" from the adjacent box to prevent updating the database
- with the new values for this object.
- Modified:
- [x] "/usr/local/tripwire/etc/tw.pol"
- -------------------------------------------------------------------------------
- Rule Name: Global Configuration Files (/etc)
- Severity Level: 0
- -------------------------------------------------------------------------------
- Remove the "x" from the adjacent box to prevent updating the database
- with the new values for this object.
- Modified:
- [x] "/etc/cups/certs"
- [x] "/etc/cups/certs/0"
- ===============================================================================
- Object Detail:
- ===============================================================================
- -------------------------------------------------------------------------------
- Section: Unix File System
- -------------------------------------------------------------------------------
- -------------------------------------------------------------------------------
- Rule Name: Tripwire Data Files (/usr/local/tripwire/etc/tw.pol)
- Severity Level: 0
- -------------------------------------------------------------------------------
- ----------------------------------------
- Modified Objects: 1
- ----------------------------------------
- Modified object name: /usr/local/tripwire/etc/tw.pol
- Property: Expected Observed
- ------------- ----------- -----------
- Object Type Regular File Regular File
- Device Number 64768 64768
- Mode -rw-r----- -rw-r-----
- Num Links 1 1
- UID root (0) root (0)
- GID root (0) root (0)
- Size 4159 4159
- * Modify Time 2009年08月07日 星期五 11時05分06秒 2009年08月07日 星期五 11時16分18秒
- Blocks 24 24
- * CRC32 BbMp+k CasvDM
- * MD5 AedDw/7U0K3jGZeAQ+TluE BqtFj3lGlb5i44+KkjyB9u
- -------------------------------------------------------------------------------
- Rule Name: Global Configuration Files (/etc)
- Severity Level: 0
- -------------------------------------------------------------------------------
- ----------------------------------------
- Modified Objects: 2
- ----------------------------------------
- Modified object name: /etc/cups/certs
- Property: Expected Observed
- ------------- ----------- -----------
- Object Type Directory Directory
- Device Number 64768 64768
- File Device Number 0 0
- Inode Number 1557621 1557621
- Mode drwx--x--x drwx--x--x
- Num Links 2 2
- UID root (0) root (0)
- GID sys (3) sys (3)
- Size 4096 4096
- * Modify Time 2009年08月07日 星期五 11時07分09秒 2009年08月07日 星期五 11時22分12秒
- * Change Time 2009年08月07日 星期五 11時07分09秒 2009年08月07日 星期五 11時22分12秒
- Blocks 16 16
- Modified object name: /etc/cups/certs/0
- Property: Expected Observed
- ------------- ----------- -----------
- Object Type Regular File Regular File
- Device Number 64768 64768
- File Device Number 0 0
- Inode Number 1556488 1556488
- Mode -r--r----- -r--r-----
- Num Links 1 1
- UID root (0) root (0)
- GID sys (3) sys (3)
- Size 32 32
- * Modify Time 2009年08月07日 星期五 11時07分09秒 2009年08月07日 星期五 11時22分12秒
- * Change Time 2009年08月07日 星期五 11時07分09秒 2009年08月07日 星期五 11時22分12秒
- Blocks 16 16
- * CRC32 Bh604c DClI5t
- * MD5 CYQG5hqBS+c69bcyXaK6Wl DDovWtxN44ScT7sn/IJiZa
- ===============================================================================
- Error Report:
- ===============================================================================
- No Errors
- -------------------------------------------------------------------------------
- *** End of report ***
- Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed
- or modified only under certain conditions; see COPYING for details. All rights reserved.
8. View reports
All Tripwire reports are saved with a .twr suffix under the lib/tripwire/report directory; use the twprint command to convert them to readable text
./sbin/twprint --print-report --twrfile ./lib/tripwire/report/local.c1gstudio.com-20090807-112337.twr > /tmp/tripwire_readable.txt
cat /tmp/tripwire_readable.txt
9. Scheduled checks
Run the check every day at 4 a.m.
- 00 4 * * * /usr/local/tripwire/sbin/tripwire --check
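For the checks in sections 7 and 9, an added Python example (not part of Tripwire) that parses the Rule Summary of a twprint text report so a cron wrapper can tell a clean run from one with violations; SAMPLE_REPORT is a constructed excerpt in the layout of the report shown above.

```python
import re

# Constructed excerpt in the layout of the Rule Summary printed by tripwire/twprint.
SAMPLE_REPORT = """\
Rule Summary:
===============================================================================
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Tripwire Data Files             0                 0        0        1
  Tripwire Binaries               0                 0        0        0
  User Binaries and Libraries     0                 0        0        0
* Global Configuration Files      0                 0        0        2

Total objects scanned:  64406
Total violations found:  3
"""

# A rule line: optional '*' flag, rule name, then severity and the three counts.
RULE_LINE = re.compile(
    r"^(?P<flag>\*?)\s*(?P<name>\S.*?)\s+(?P<severity>\d+)"
    r"\s+(?P<added>\d+)\s+(?P<removed>\d+)\s+(?P<modified>\d+)\s*$"
)
TOTAL_LINE = re.compile(r"^Total violations found:\s*(\d+)\s*$", re.M)

def rule_summary(report: str) -> list:
    """Parse only the Rule Summary section (up to 'Total objects scanned') into dicts."""
    start = report.find("Rule Summary:")
    end = report.find("Total objects scanned:", start)
    section = report[start:end] if start >= 0 and end >= 0 else ""
    rules = []
    for line in section.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append({k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()})
    return rules

def violated_rules(report: str) -> list:
    """Names of rules with any non-zero count (the ones the report flags with '*')."""
    return [r["name"] for r in rule_summary(report)
            if r["added"] + r["removed"] + r["modified"] > 0]

def total_violations(report: str) -> int:
    """The 'Total violations found' figure, or 0 if the line is absent."""
    m = TOTAL_LINE.search(report)
    return int(m.group(1)) if m else 0

def exit_status(report: str) -> int:
    """Non-zero when anything changed, so the cron wrapper alerts only on violations."""
    return 1 if total_violations(report) or violated_rules(report) else 0
```

In the 4 a.m. job, pipe the output of `twprint --print-report --twrfile <newest .twr>` into a script that calls exit_status and mails the violated_rules list when it returns 1.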
10. View the current configuration
./sbin/twadmin --print-polfile
- @@section GLOBAL
- TWDOCS="/usr/local/tripwire/doc/tripwire";
- TWBIN="/usr/local/tripwire/sbin";
- TWPOL="/usr/local/tripwire/etc";
- TWDB="/usr/local/tripwire/lib/tripwire";
- TWSKEY="/usr/local/tripwire/etc";
- TWLKEY="/usr/local/tripwire/etc";
- TWREPORT="/usr/local/tripwire/lib/tripwire/report";
- HOSTNAME=local.c1gstudio.com;
./sbin/twadmin --print-cfgfile
- ROOT =/usr/local/tripwire/sbin
- POLFILE =/usr/local/tripwire/etc/tw.pol
- DBFILE =/usr/local/tripwire/lib/tripwire/$(HOSTNAME).twd
- REPORTFILE =/usr/local/tripwire/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
- SITEKEYFILE =/usr/local/tripwire/etc/site.key
- LOCALKEYFILE =/usr/local/tripwire/etc/local.c1gstudio.com-local.key
- EDITOR =/bin/vi
- LATEPROMPTING =false
- LOOSEDIRECTORYCHECKING =false
- MAILNOVIOLATIONS =true
- EMAILREPORTLEVEL =3
- REPORTLEVEL =3
- MAILMETHOD =SENDMAIL
- SYSLOGREPORTING =false
- MAILPROGRAM =/usr/sbin/sendmail -oi -t
References:
Tripwire Tutorial: Linux Host Based Intrusion Detection System
Tripwire-2.4.1.2 tutorial