Installing and Configuring Tripwire to Harden Your Linux System

Original post, 2003-08-15 18:21:00

1. Why install tripwire
Once Linux is installed and configured, it is recommended that you install tripwire right away. It records the characteristics of files, such as object size, owner, group and access permissions, in a fingerprint database ("fingerprints") and checks them periodically. When a file's current state no longer matches the fingerprint database, tripwire raises a warning telling you which properties differ from the database.

2. Installation procedure

Note: the Linux distribution used in this document is RedHat Linux 7.3. Setup on other distributions is similar.

1. Install the package: rpm -Uvh tripwire-<version number>.rpm

2. Change to the working directory /etc/tripwire, which holds two configuration files:

- twcfg.txt: sets tripwire's working environment and can be adjusted to your habits,
- twpol.txt: specifies which files, and which of their properties, tripwire monitors.

3. The default twcfg.txt contains:

ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t

- DBFILE is the filename of the fingerprint database.
- REPORTFILE is the filename of the check report.

4. Now look at twpol.txt, which we can edit to specify which files, and which of their properties, tripwire monitors. The properties tripwire can monitor are listed in the 『property masks』 section of the twpolicy man page, as shown below:

-     Ignore the following properties
+     Record and check the following properties
a     Access timestamp
b     Number of blocks allocated
c     Inode timestamp (create/modify)
d     ID of device on which inode resides
g     File owner's group ID
i     Inode number
l     File is increasing in size (a "growing file")
m     Modification timestamp
n     Number of links (inode reference count)
p     Permissions and file mode bits
r     ID of device pointed to by inode (valid only for device objects)
s     File size
t     File type
u     File owner's user ID
C     CRC-32 hash value
H     Haval hash value
M     MD5 hash value
S     SHA hash value

The meaning of 『+』 and 『-』 is explained below.

5. How do you tell tripwire to monitor particular files? The twpol.txt shipped with Red Hat already puts the important configuration files and programs under monitoring; you will find a section like the following:

(
  rulename = "Security Control",
  severity = $(SIG_HI)
)
{
  /etc/group                           -> $(SEC_CRIT) ;
  /etc/security                        -> $(SEC_CRIT) ;
}

This section places the two objects /etc/group and /etc/security in the 『Security Control』 group, with the severity defined by the variable SIG_HI, whose value is 100 (covered shortly). Which properties of /etc/group and /etc/security does tripwire monitor? That is defined by the variable SEC_CRIT.

6. Browsing onward from the top of twpol.txt, you find the following section:

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability

You can see that the value of SIG_HI is 100, as noted in the previous step. Which properties of /etc/group tripwire monitors is defined by SEC_CRIT, and here SEC_CRIT equals 『$(IgnoreNone)-SHa』. So which properties are those, exactly?

To solve this puzzle you first have to find out how the variable IgnoreNone is defined. Searching all of twpol.txt turns up nothing, because IgnoreNone, like ReadOnly, Dynamic and Growing below it, is a variable predefined by tripwire. The 『Variables』 section of the twpolicy man page contains the following:

ReadOnly       ReadOnly is good for files that are widely available but are intended to be read-only.
               Value: +pinugtsdbmCM-rlacSH
Dynamic        Dynamic is good for monitoring user directories and files that tend to be dynamic in behavior.
               Value: +pinugtd-srlbamcCMSH
Growing        The Growing variable is intended for files that should only get larger.
               Value: +pinugtdl-srbamcCMSH
Device         Device is good for devices or other files that Tripwire should not attempt to open.
               Value: +pugsdr-intlbamcCMSH
IgnoreAll      IgnoreAll tracks a file's presence or absence, but doesn't check any other properties.
               Value: -pinugtsdrlbamcCMSH
IgnoreNone     IgnoreNone turns on all properties and provides a convenient starting point for defining your own property masks. (For example, mymask = $(IgnoreNone) -ar;)
               Value: +pinugtsdrbamcCMSH-l

From the above, 『IgnoreNone』 has the value 『+pinugtsdrbamcCMSH-l』: the properties listed after 『+』 are monitored, and those listed after 『-』 are not. What about 『$(IgnoreNone)-SHa』? It takes the S, H and a properties, which IgnoreNone puts under monitoring, and makes them unmonitored instead.

You can modify this file to suit your needs.
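As an added example that is not part of the original article, the following Python code answers the question above mechanically: it expands $(Name) references textually, the way tripwire does, and applies the + and - runs left to right to produce the set of checked properties. The mask values and variable definitions are the ones quoted above from the man page and from Red Hat's twpol.txt.

```python
import re

# Predefined masks from the twpolicy man page 『Variables』 section quoted above.
PREDEFINED = {
    "ReadOnly": "+pinugtsdbmCM-rlacSH", "Dynamic": "+pinugtd-srlbamcCMSH",
    "Growing": "+pinugtdl-srbamcCMSH", "Device": "+pugsdr-intlbamcCMSH",
    "IgnoreAll": "-pinugtsdrlbamcCMSH", "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}
# Policy variables as defined in the Red Hat twpol.txt section quoted above.
POLICY_VARS = {
    "SEC_CRIT": "$(IgnoreNone)-SHa", "SEC_SUID": "$(IgnoreNone)-SHa",
    "SEC_BIN": "$(ReadOnly)", "SEC_CONFIG": "$(Dynamic)",
    "SEC_LOG": "$(Growing)", "SEC_INVARIANT": "+tpug",
}
# Property letters from the 『property masks』 table quoted above.
PROPERTY_NAMES = {
    "a": "access timestamp", "b": "blocks allocated", "c": "inode timestamp",
    "d": "inode device", "g": "group ID", "i": "inode number", "l": "growing file",
    "m": "modification timestamp", "n": "link count", "p": "permissions",
    "r": "device pointed to", "s": "file size", "t": "file type",
    "u": "owner user ID", "C": "CRC-32", "H": "Haval", "M": "MD5", "S": "SHA",
}

def resolve_mask(expr, variables=None):
    """Return the set of property letters that a mask expression turns on."""
    variables = {**PREDEFINED, **POLICY_VARS, **(variables or {})}
    # Tripwire substitutes $(Name) textually, so do the same (nested refs too).
    while True:
        m = re.search(r"\$\((\w+)\)", expr)
        if not m:
            break
        expr = expr[:m.start()] + variables[m.group(1)] + expr[m.end():]
    # Scan left to right: '+' adds the letters that follow, '-' removes them,
    # so the trailing '-SHa' of SEC_CRIT overrides the '+...SH...a' of IgnoreNone.
    checked, adding = set(), True
    for ch in expr.replace(" ", "").rstrip(";"):
        if ch in "+-":
            adding = ch == "+"
        elif ch not in PROPERTY_NAMES:
            raise ValueError(f"unknown property letter {ch!r} in mask")
        elif adding:
            checked.add(ch)
        else:
            checked.discard(ch)
    return checked

def describe(expr):
    """Names of the properties a mask checks, e.g. describe('$(SEC_CRIT)')."""
    return [PROPERTY_NAMES[p] for p in sorted(resolve_mask(expr))]
```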

7. Next, run ./twinstall.sh inside /etc/tripwire. During the run you will be asked to set two pass phrases:

- site pass phrase: used to encrypt twpol.txt and twcfg.txt.
- local pass phrase: used to encrypt the fingerprint database.

You will then be asked to enter the correct site pass phrase again, at which point twpol.txt and twcfg.txt are each encrypted, producing tw.pol and tw.cfg from the original text files. The process looks like this:

[root@localhost tripwire]# ./twinstall.sh

----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases should be at least 8 characters in length
and contain both letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Signing configuration file...
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file
/etc/tripwire/twcfg.txt
has been preserved for your inspection.  It is recommended
that you delete this file manually after you have examined it.

----------------------------------------------
Signing policy file...
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file
/etc/tripwire/twpol.txt
has been preserved for your inspection.  This implements
a minimal policy, intended only to test essential
Tripwire functionality.  You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.

You have new mail in /var/spool/mail/root

After twinstall.sh finishes, it is recommended that you delete the two text files twpol.txt and twcfg.txt, or move them elsewhere.

8. Run tripwire -m i to build the fingerprint database; it will ask you for the local pass phrase:

[root@localhost tripwire]# tripwire -m i
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /proc/scsi
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
Wrote database file: /var/lib/tripwire/localhost.localdomain.twd
The database was successfully generated.
You have new mail in /var/spool/mail/root

9. Perhaps you doubt that tripwire can really detect the smallest change to a file? Let's run an experiment: change the 『x』 in the second field of the first line of /etc/group to 『X』:

[root@localhost tripwire]# head -1 /etc/group
root:x:0:root
[root@localhost tripwire]# vi /etc/group
[root@localhost tripwire]# head -1 /etc/group
root:X:0:root

10. Next run 『tripwire -m c --interactive』 to perform the check. At the end a report is shown (in vi by default), containing:

- 『Rule Summary』: the check results for every group.

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Invariant Directories           66                0        0        0
  Temporary directories           33                0        0        0
* Tripwire Data Files             100               1        0        0
  Critical devices                100               0        0        0
  User binaries                   66                0        0        0
  Tripwire Binaries               100               0        0        0
  Critical configuration files    100               0        0        0
  Libraries                       66                0        0        0
  Operating System Utilities      100               0        0        0
  Critical system boot files      100               0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        0
  Kernel Administration Programs  100               0        0        0
  Networking Programs             100               0        0        0
  System Administration Programs  100               0        0        0
  Hardware and Device Control Programs
                                  100               0        0        0
  System Information Programs     100               0        0        0
  Application Information Programs
                                  100               0        0        0
  Shell Related Programs          100               0        0        0
  Critical Utility Sym-Links      100               0        0        0
  Shell Binaries                  100               0        0        0
  System boot changes             100               0        0        0
  OS executables and libraries    100               0        0        0
* Security Control                100               0        0        1
  Login Scripts                   100               0        0        0
  Root config files               100               0        0        0

Total objects scanned:  15675
Total violations found:  2

Two groups have changes: one is tripwire's own data files (added), the other is the 『Security Control』 group (/etc/group belongs to this group!).

- 『Object Summary』: the list of objects that changed.

===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Added:
[x] "/var/lib/tripwire/localhost.localdomain.twd"

-------------------------------------------------------------------------------
Rule Name: Security Control (/etc/group)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Modified:
[x] "/etc/group"

/etc/group has been found modified. If you want to update the fingerprint database's record of /etc/group to its current state, keep the x inside the [ ] in front of /etc/group; otherwise change it to a space.

- 『Object Detail』: detailed information about the changed objects, such as which properties changed.

===============================================================================
Object Detail:
===============================================================================
-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)

Although only an x was changed to an X, four properties were affected. The most important of them is the MD5 value: as soon as a file's MD5 value differs from the original, you can conclude that the file's contents have been modified.

- tripwire runs its check automatically every day and e-mails the result to root. You should also run 『tripwire -m c --interactive』 periodically to update the fingerprint database.
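As an added example that is not part of the original article, the following Python code repeats the experiment from step 9 on a constructed copy of the line root:x:0:root rather than on the real /etc/group: it records the properties that SEC_CRIT resolves to (pinugtsdrbmcCM, from step 6), flips the x to an X, and reports which properties changed, much as Object Detail does. The Haval hash is skipped because it is not in Python's standard library, and the sample file is rewritten in place, so the inode number does not change.

```python
import hashlib
import os
import stat
import tempfile
import zlib

# SEC_CRIT resolved from the policy text above: $(IgnoreNone)-SHa, i.e. every
# property except the SHA hash, the Haval hash and the access timestamp.
SEC_CRIT_PROPS = "pinugtsdrbmcCM"

def fingerprint(path, props=SEC_CRIT_PROPS):
    """Record the requested Tripwire properties of one file system object
    (the Haval 'H' property is not computed: it is not in hashlib)."""
    st = os.lstat(path)
    data = open(path, "rb").read() if stat.S_ISREG(st.st_mode) else b""
    values = {
        "a": st.st_atime_ns, "b": st.st_blocks, "c": st.st_ctime_ns,
        "d": st.st_dev, "g": st.st_gid, "i": st.st_ino, "m": st.st_mtime_ns,
        "n": st.st_nlink, "p": stat.S_IMODE(st.st_mode), "r": st.st_rdev,
        "s": st.st_size, "t": stat.S_IFMT(st.st_mode), "u": st.st_uid,
        "C": zlib.crc32(data), "M": hashlib.md5(data).hexdigest(),
        "S": hashlib.sha1(data).hexdigest(),
    }
    return {p: values[p] for p in props if p in values}

def changed_properties(baseline, current):
    """Letters of the properties whose recorded value differs, as Object Detail lists them."""
    return sorted(p for p in baseline if baseline[p] != current.get(p))

def group_experiment():
    """Flip the 'x' to 'X' in a constructed sample line and report what changed."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "w") as f:
            f.write("root:x:0:root\n")   # constructed sample, not the real /etc/group
        baseline = fingerprint(path)
        with open(path, "w") as f:
            f.write("root:X:0:root\n")   # same size, one byte differs
        return changed_properties(baseline, fingerprint(path))
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print("changed properties:", group_experiment())
```

The size (s) and inode (i) stay the same, so a size-only check would miss the edit; the CRC-32 (C) and MD5 (M) values, and normally the timestamps, are what reveal it.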
