文件入侵检测 (file integrity checking):
# Install AIDE (Advanced Intrusion Detection Environment), the file-integrity
# checker whose packaged README steps are reproduced below. The baseline it
# builds is only as trustworthy as the host at --init time (see step 5 below).
yum install aide -y
1) Customize /etc/aide.conf to your liking. In particular, add
2 important directories and files which you would like to be
3 covered by integrity checks. Avoid files which are expected
4 to change frequently or which don't affect the safety of your
5 system.
6
7 2) Run "/usr/sbin/aide --init" to build the initial database.
8 With the default setup, that creates /var/lib/aide/aide.db.new.gz
9
10 3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
11 in a secure location, e.g. on separate read-only media (such as
12 CD-ROM). Alternatively, keep fingerprints (MD5 is collision-prone, so a
13 SHA-256 digest is preferable) or GPG signatures of those files in a
14 secure location, so you have means to verify that nobody modified those files.
15
16 4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
17 which is the location of the input database.
18
19 5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
20 compared with the AIDE database. Prior to running a check manually,
21 ensure that the AIDE binary and database have not been modified
22 without your knowledge.
tripwire:
tripwire-2.4.1.2-11.el6.x86_64.rpm
# Generate the Tripwire site key and local key, prompting for their
# passphrases. The site key (/etc/tripwire/site.key, used by the twadmin calls
# below) signs the policy and config; the local key signs the database and
# reports. Without these passphrases nobody can re-sign the policy or
# baseline, so keep them out of shell history and scripts.
tripwire-setup-keyfiles
# Edit the plaintext policy. The rule to add is the next line of these notes:
#   /opt/ks.cfg -> +psmugM;
# i.e. watch permissions (p), size (s), mtime (m), uid (u), gid (g) and the
# MD5 digest (M). MD5 is weak against deliberate collisions; adding S (SHA)
# gives a second digest if the installed version supports it.
vim /etc/tripwire/twpol.txt
/opt/ks.cfg -> +psmugM;
# twadmin -m P = "create policy file": compile the plaintext twpol.txt into
# the signed binary policy, signing it with the site key (prompts for the
# site passphrase). Tripwire reads only the signed form, so the plaintext
# copy need not stay on the host afterwards.
twadmin -m P -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
# Build the baseline database from the signed policy (the transcript further
# down shows it landing at /var/lib/tripwire/www.up00.com.twd). Run this only
# on a host believed to be clean: anything already tampered with is recorded
# as the "known good" state and never flagged.
tripwire --init
或者:
# Alternative to re-running --init after a policy edit: update the policy in
# place. -Z low lowers the security level so the update is not aborted when
# files already differ from the database (with the default high level it is);
# that also means such differences are silently absorbed into the baseline.
tripwire --update-policy -Z low /etc/tripwire/twpol.txt
# twprint -m r = "print report": render the signed binary report (.twr) as
# text for review. The report lists every monitored path and detected
# change; writing it to /tmp makes it readable to other local users under a
# default umask, so prefer a root-only directory (or set umask 077 first).
twprint -m r -r /var/lib/tripwire/report/www.up00.com-20130828-141219.twr > /tmp/twr.txt
vim /tmp/twr.txt
# Interactively accept changes from the reviewed report into the database.
# Do this only after reading the report above: every change accepted here
# becomes the new baseline and will not be reported again.
tripwire --update -r /var/lib/tripwire/report/www.up00.com-20130828-141219.twr
[x] ....
7. create cfg
40
41 twadmin -m F -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
42 twadmin -m f
43
44
45 create pol:
46
47 twadmin -m P -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
48 twadmin -m p
1 [root@www security3]# 1.
2 [root@www security3]#
3 [root@www security3]# tripwire-setup-keyfiles
4 [root@www security3]#
5 [root@www security3]# 2.
6 [root@www security3]# tripwire --init
7 [root@www security3]#
8 [root@www security3]# ls /var/lib/tripwire/www.up00.com.twd
9 /var/lib/tripwire/www.up00.com.twd
10 [root@www security3]#
11 [root@www security3]# 3.
12 [root@www security3]#
13 [root@www security3]# tripwire --check
14 [root@www security3]# ls /var/lib/tripwire/report/
15 [root@www security3]#
16 [root@www security3]# 4.
17 [root@www security3]#
18 [root@www security3]# update pol
19 [root@www security3]#
20 [root@www security3]# vim /etc/tripwire/twpol.txt
21 [root@www security3]# /opt/ks.cfg -> +psmugM;
22 [root@www security3]#
23 [root@www security3]# twadmin -m P /etc/tripwire/twpol.txt
24 [root@www security3]# tripwire --init
25 [root@www security3]# or: tripwire --update-policy -Z low /etc/tripwire/twpol.txt
26 [root@www security3]#
27 [root@www security3]# 5.
28 [root@www security3]#
29 [root@www security3]# twprint -m r -r /var/lib/tripwire/report/www.up00.com-20130828-141219.twr > /tmp/twr.txt
30 [root@www security3]#
31 [root@www security3]# vim /tmp/twr.txt
32 [root@www security3]#
33 [root@www security3]# 6.
34 [root@www security3]#
35 [root@www security3]# tripwire --update -r /var/lib/tripwire/report/www.up00.com-20130828-141219.twr
36 [root@www security3]#
37 [root@www security3]# [x] ....
38
39 7. create cfg
40
41 twadmin -m F -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
42 twadmin -m f
43
44
45 create pol:
46
47 twadmin -m P -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
48 twadmin -m p