[关闭]
@cdmonkey 2021-06-09T05:43:59.000000Z 字数 8720 阅读 1245

tripwire

开源工具

https://linux.cn/article-3528-1.html
http://www.linuxfly.org/post/133/1/1/
http://www.freebuf.com/articles/system/19208.html
http://www.ibm.com/developerworks/cn/aix/library/au-usingtripwire

http://www.linuxfromscratch.org/blfs/view/svn/postlfs/tripwire.html
https://www.ibm.com/developerworks/aix/library/au-usingtripwire/index.html

其能够对要求校验的系统文件进行类似md5的运行,而生成一个唯一的标识,即“快照(snapshot)”。当这部分系统文件的大小、inode号、权限、时间等任意属性被修改后,再次运行该工具,其会进行前后属性的对比,并生成相关的详细报告。

  1. [root@svn-test tripwire-2.4.2.2-src]# ./configure --prefix=/usr/local/tripwire
  1. ./configure --prefix=/usr/local/tripwire
  2. make
  3. make install
  4. # 从这里开始就会有一些需要安装着手动输入的内容。
  5. LICENSE AGREEMENT for Tripwire(R) 2.4 Open Source
  7. Please read the following license agreement.  You must accept the
  8. agreement to continue installing Tripwire.
  10. Press ENTER to view the License Agreement.
  11. ...
  12. Please type "accept" to indicate your acceptance of this
  13. license agreement. [do not accept]
  14. ...
  15. This program will copy Tripwire files to the following directories:
  17.         TWBIN: /usr/local/tripwire/sbin
  18.         TWMAN: /usr/local/tripwire/man
  19.      TWPOLICY: /usr/local/tripwire/etc
  20.      TWREPORT: /usr/local/tripwire/lib/tripwire/report
  21.          TWDB: /usr/local/tripwire/lib/tripwire
  22.  TWSITEKEYDIR: /usr/local/tripwire/etc
  23. TWLOCALKEYDIR: /usr/local/tripwire/etc
  25. CLOBBER is false.
  27. Continue with installation? [y/n] 
  28. ...
  29. Creating key files...
  31. (When selecting a passphrase, keep in mind that good passphrases typically
  32. have upper and lower case letters, digits and punctuation marks, and are
  33. at least 8 characters in length.)
  35. Enter the site keyfile passphrase:

Configure Tripwire

安装完成后会于设定文件目录下创建密钥文件、设定文件以及使用密钥加密后的设定文件。

  1. [root@svn-test ~]# ls /usr/local/tripwire/etc/ |sort
  2. site.key
  3. svn-test-local.key
  4. tw.cfg
  5. twcfg.txt     # 设定文件:定义数据库、策略文件及软件的可执行文件的位置。
  6. tw.pol
  7. twpol.txt     # 策略文件:定义检测的对象以及出现问题时采取的行为。
  1. [root@svn-test etc]# vim twcfg.txt 
  2. ROOT          =/usr/local/tripwire/sbin
  3. POLFILE       =/usr/local/tripwire/etc/tw.pol
  4. DBFILE        =/usr/local/tripwire/lib/tripwire/$(HOSTNAME).twd
  5. REPORTFILE    =/usr/local/tripwire/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
  6. SITEKEYFILE   =/usr/local/tripwire/etc/site.key
  7. LOCALKEYFILE  =/usr/local/tripwire/etc/svn-test-local.key
  8. EDITOR        =/bin/vi
  9. LATEPROMPTING =false
  10. LOOSEDIRECTORYCHECKING =false
  11. MAILNOVIOLATIONS =true
  12. EMAILREPORTLEVEL =3
  13. REPORTLEVEL   =3
  14. MAILMETHOD    =SENDMAIL
  15. SYSLOGREPORTING =false
  16. MAILPROGRAM   =/usr/sbin/sendmail -oi -t

Generating key

Create site-key

  1. [root@svn-test ~]# cd /usr/local/tripwire/sbin/
  2. ./twadmin --generate-keys --site-keyfile /usr/local/tripwire/etc/site.key

Create local-key

  1. [root@svn-test ~]# cd /usr/local/tripwire/sbin/
  2. ./twadmin --generate-keys --site-keyfile /usr/local/tripwire/etc/`hostname`-local.key

Configuration file signature

Create Database

Tripwire的数据库是基于Policy文件建立的。但默认的Policy文件并没有有效的依照我们的需要建立数据完整性监测规则,所以这里通过一段Perl脚本来让数据监测实际满足于我们的需要。

Encryption policy file

我们更新策略原始文件后需要重新进行签名并创建新的策略文件:

  1. [root@svn-test ~]# cd /usr/local/tripwire/etc/
  2. [root@svn-test etc]# ../sbin/twadmin --create-polfile -S site.key twpol.txt 
  3. Please enter your site passphrase: 
  4. Wrote policy file: /usr/local/tripwire/etc/tw.pol
  1. ../sbin/twadmin -m F -c tw.cfg -S site.key twcfg.txt

Display encryption policy file

我么能够使用下面的指令来显示策略文件的内容,从而确认“Tripwire”已经创建了新更新的策略文件。

  1. [root@svn-test ~]# /usr/local/tripwire/sbin/twadmin --print-polfile

修改完策略文件后,可使用“Tripwire”进行一次初始完整性扫描并生成新的数据库。如果已经有了数据库,于运行初始化扫描之前,首先移除原来的文件是一个好习惯,可确保有一个干净的数据库版本。

  1. # Delete old database files:
  2. [root@svn-test ~]# rm /usr/local/tripwire/lib/tripwire/svn-test.twd
  3. # Scan and re-create database files:
  4. [root@svn-test ~]# /usr/local/tripwire/sbin/tripwire --init
  5. Please enter your local passphrase: 
  6. Parsing policy file: /usr/local/tripwire/etc/tw.pol
  7. Generating the database...
  8. *** Processing Unix File System ***
  9. Wrote database file: /usr/local/tripwire/lib/tripwire/svn-test.twd
  10. The database was successfully generated.

至此于系统上使用新的策略文件进行完整性检测后其输出的结果:

  1. [root@svn-test ~]# /usr/local/tripwire/sbin/tripwire --check
  2. Parsing policy file: /usr/local/tripwire/etc/tw.pol
  3. *** Processing Unix File System ***
  4. Performing integrity check...
  5. Wrote report file: /usr/local/tripwire/lib/tripwire/report/svn-test-20160701-102520.twr
  8. Open Source Tripwire(R) 2.4.2.2 Integrity Check Report
  10. Report generated by:          root
  11. Report created on:            Fri Jul  1 10:25:20 2016
  12. Database last updated on:     Never
  14. ===============================================================================
  15. Report Summary:
  16. ===============================================================================
  18. Host name:                    svn-test
  19. Host IP address:              172.16.138.11
  20. Host ID:                      None
  21. Policy file used:             /usr/local/tripwire/etc/tw.pol
  22. Configuration file used:      /usr/local/tripwire/etc/tw.cfg
  23. Database file used:           /usr/local/tripwire/lib/tripwire/svn-test.twd
  24. Command line used:            /usr/local/tripwire/sbin/tripwire --check 
  26. ===============================================================================
  27. Rule Summary: 
  28. ===============================================================================
  30. -------------------------------------------------------------------------------
  31.   Section: Unix File System
  32. -------------------------------------------------------------------------------
  34.   Rule Name                       Severity Level    Added    Removed  Modified 
  35.   ---------                       --------------    -----    -------  -------- 
  36. * Tripwire Data Files             0                 1        0        0        
  37. * Monitor Filesystems             0                 0        0        2        
  38.   Tripwire Binaries               0                 0        0        0        
  39.   User Binaries and Libraries     0                 0        0        0        
  40.   Global Configuration Files      0                 0        0        0        
  41.   RPM Checksum Files              0                 0        0        0        
  43. Total objects scanned:  78177
  44. Total violations found:  3
  46. ===============================================================================
  47. Object Summary: 
  48. ===============================================================================
  50. -------------------------------------------------------------------------------
  51. # Section: Unix File System
  52. -------------------------------------------------------------------------------
  54. -------------------------------------------------------------------------------
  55. Rule Name: Tripwire Data Files (/usr/local/tripwire/lib/tripwire)
  56. Severity Level: 0
  57. -------------------------------------------------------------------------------
  59. Added:
  60. "/usr/local/tripwire/lib/tripwire/svn-test.twd"
  62. -------------------------------------------------------------------------------
  63. Rule Name: Monitor Filesystems (/var)
  64. Severity Level: 0
  65. -------------------------------------------------------------------------------
  67. Modified:
  68. "/var/log/cron"
  69. "/var/log/sa/sa01"
  71. ===============================================================================
  72. Error Report: 
  73. ===============================================================================
  75. No Errors
  77. -------------------------------------------------------------------------------
  78. *** End of report ***
  80. Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
  81. trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
  82. for details use --version. This is free software which may be redistributed
  83. or modified only under certain conditions; see COPYING for details.
  84. All rights reserved.
  85. Integrity check complete.

Check and repair the damage

从上面的监测结果看,使用我们特制的策略文件,没有报出任何错误。

Policy File

  1. [root@svn-test ~]# cat /usr/local/tripwire/etc/twpol.txt 
  2. ########## Policy file for Red Hat Linux ##########
  4. # Global Variable Definitions
  5. @@section GLOBAL
  6. TWDOCS="/usr/local/tripwire/doc/tripwire";
  7. TWBIN="/usr/local/tripwire/sbin";
  8. TWPOL="/usr/local/tripwire/etc";
  9. TWDB="/usr/local/tripwire/lib/tripwire";
  10. TWSKEY="/usr/local/tripwire/etc";
  11. TWLKEY="/usr/local/tripwire/etc";
  12. TWREPORT="/usr/local/tripwire/lib/tripwire/report";
  13. HOSTNAME=svn-test;
  15. # Predefined Variables
  16. Device        = +pugsdr-intlbamcCMSH ;
  17. Dynamic       = +pinugtd-srlbamcCMSH ;
  18. Growing       = +pinugtdl-srbamcCMSH ;
  19. IgnoreAll     = -pinugtsdrlbamcCMSH ;
  20. IgnoreNone    = +pinugtsdrbamcCMSH-l ;
  21. ReadOnly      = +pinugtsdbmCM-rlacSH ;
  22. Temporary     = +pugt ;
  24. @@section FS
  25. # Tripwire Binaries and Data Files
  26. # Tripwire Binaries
  27. (
  28.   rulename = "Tripwire Binaries",
  29. )
  30. {
  31.   $(TWBIN)/siggen                      -> $(ReadOnly) ;
  32.   $(TWBIN)/tripwire                    -> $(ReadOnly) ;
  33.   $(TWBIN)/twadmin                     -> $(ReadOnly) ;
  34.   $(TWBIN)/twprint                     -> $(ReadOnly) ;
  35. }
  36. # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
  37. (
  38.   rulename = "Tripwire Data Files",
  39. )
  40. {
  41.   $(TWDB)                              -> $(Dynamic) -i ;
  42.   $(TWPOL)/tw.pol                      -> $(ReadOnly) -i ;
  43.   $(TWPOL)/tw.cfg                      -> $(ReadOnly) -i ;
  44.   $(TWLKEY)/$(HOSTNAME)-local.key      -> $(ReadOnly) ;
  45.   $(TWSKEY)/site.key                   -> $(ReadOnly) ;
  46.   $(TWREPORT)                          -> $(Dynamic) (recurse=0) ;
  47. }
  49. # User Binaries and Libraries
  50. ( 
  51.   rulename = "User Binaries and Libraries",
  52. )
  53. { 
  54.   /usr/local/bin                -> $(ReadOnly) ;
  55.   /usr/local/include            -> $(ReadOnly) ;
  56.   /usr/local/lib                -> $(ReadOnly) ;
  57.   /usr/local/libexec            -> $(ReadOnly) ;
  58.   /usr/local/sbin               -> $(ReadOnly) ;
  59. }
  61. # Global Configuration Files (/etc/)
  62. (
  63.   rulename = "Global Configuration Files",
  64. )
  65. {
  66.   /etc                           -> $(IgnoreNone) -SHa ;
  67.   /etc/bashrc                    -> $(Dynamic) ;
  68.   /etc/profile                   -> $(Dynamic) -i ;
  69.   /etc/rc.d                      -> $(IgnoreNone) -SHa ;
  70.   /etc/sysconfig                 -> $(IgnoreNone) -SHa ;
  71. }
  73. # Monitor Filesystems
  74. (
  75.   rulename = "Monitor Filesystems",
  76. )
  77. {
  78.   /usr                          -> $(ReadOnly) ;
  79.   /var                          -> $(ReadOnly) ;
  80. }

Email

  1. /usr/local/tripwire/sbin/tripwire --check|mailx -s "Tripwire Report for `hostname`" wang_hz@suixingpay.com

排错

不小心把tw.cfg以及tw.pol文件移除了。

  1. [root@PBSWeChat02 etc]# /usr/local/tripwire/sbin/tripwire --init
  2. ### Error: File could not be opened.
  3. ### Filename: /usr/local/tripwire/etc/tw.cfg
  4. ### \xe6\xb2\xa1\xe6\x9c\x89\xe9\x82\xa3\xe4\xb8\xaa\xe6\x96\x87\xe4\xbb\xb6\xe6\x88\x96\xe7\x9b\xae\xe5\xbd\x95
  5. ### Configuration file could not be read.
  6. ### Exiting...

解决方法:

  1. [root@PBSWeChat02 etc]# ../sbin/twadmin -m F -c tw.cfg -S site.key twcfg.txt
  2. [root@PBSWeChat02 etc]# ../sbin/twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt
添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注