Building a Data Integrity Monitoring System (Tripwire)

Preface
When a server is compromised, in most cases the attacker modifies system files and other important files. To deal with this we use Tripwire to build a data integrity monitoring system. Tripwire cannot stop an attack or prevent an attacker from modifying important files, but it can detect whether files have been modified and which files were modified, so that after an attack a targeted remedy can be planned.
 
Tripwire works as follows: after Tripwire is installed and configured, the current state of the system's data is recorded in a database; as files are added, deleted and modified, the current state of the system is compared against the continually updated database to determine which files have been added, deleted or modified. Precisely because the initial database is built after Tripwire itself has been installed and configured, the data integrity monitoring system must be built with Tripwire before the server goes live, that is, right after the operating system has been installed.
 
 
Installing Tripwire
First, download the tripwire-2.3.1-2 source archive and install it.
 
 
 
=> `tripwire-2.3.1-2.tar.gz'
Resolving jaist.dl.sourceforge.net... 150.65.7.130
Connecting to jaist.dl.sourceforge.net|150.65.7.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,514,955 (1.4M) [application/x-gzip]
100%[====================================>] 1,514,955 1.29M/s
02:21:32 (1.28 MB/s) - `tripwire-2.3.1-2.tar.gz' saved [1514955/1514955]
[root@sample ~]# tar zxvf tripwire-2.3.1-2.tar.gz    unpack the compressed archive
 
[root@sample ~]# cd tripwire-2.3.1-2    enter the unpacked directory
 
[root@sample tripwire-2.3.1-2]# wget  http://distfiles-od.opendarwin.org/tw-20030919.patch.gz  download the Tripwire patch file
 
=> `tw-20030919.patch.gz'
Resolving distfiles-od.opendarwin.org... 216.73.106.93
Connecting to distfiles-od.opendarwin.org|216.73.106.93|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 786,411 (768K) [application/x-gzip]
100%[====================================>] 786,411 164.35K/s ETA 00:00
02:28:50 (154.51 KB/s) - `tw-20030919.patch.gz' saved [786411/786411]
[root@sample tripwire-2.3.1-2]# gunzip tw-20030919.patch.gz      decompress the Tripwire patch file
 
[root@sample tripwire-2.3.1-2]# patch -p1 < tw-20030919.patch    apply the patch
 
[root@sample tripwire-2.3.1-2]# chmod 755 configure    give the configure script execute permission
[root@sample tripwire-2.3.1-2]# ./configure --sysconfdir=/etc/tripwire    run configure
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
checking for a BSD compatible install... /usr/bin/install -c
…… (intermediate output omitted) ……
config.status: creating src/twprint/Makefile
config.status: creating src/twadmin/Makefile
config.status: creating src/siggen/Makefile
config.status: creating src/tripwire/Makefile
config.status: creating config.h
 
[root@sample tripwire-2.3.1-2]# make    compile
 
cd . && /bin/sh /root/tripwire-2.3.1-2/missing --run autoheader
configure.in:9: warning: do not use m4_patsubst: use patsubst or m4_bpatsubst
aclocal.m4:546: AM_CONFIG_HEADER is expanded from...
configure.in:9: the top level
configure.in:401: warning: do not use m4_regexp: use regexp or m4_bregexp
aclocal.m4:559: _AM_DIRNAME is expanded from...
configure.in:401: the top level
cd . \
&& CONFIG_FILES= CONFIG_HEADERS=config.h \
/bin/sh ./config.status
…… (intermediate output omitted; this step takes a while) ……
make[2]: Leaving directory `/root/tripwire-2.3.1-2/src'
make[2]: Entering directory `/root/tripwire-2.3.1-2'
make[2]: Nothing to be done for `all-am'.
make[2]: Leaving directory `/root/tripwire-2.3.1-2'
make[1]: Leaving directory `/root/tripwire-2.3.1-2'
 
[root@sample tripwire-2.3.1-2]# make install    install and configure
 
Making install in man
make[1]: Entering directory `/root/tripwire-2.3.1-2/man'
Making install in man4
make[2]: Entering directory `/root/tripwire-2.3.1-2/man/man4'
make[3]: Entering directory `/root/tripwire-2.3.1-2/man/man4'
make[3]: Nothing to be done for `install-exec-am'.
/bin/sh ../../mkinstalldirs /usr/local/man/man4
mkdir /usr/local/man
…… (intermediate output omitted) ……
Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc. Tripwire (R)
is a registered trademark of the Purdue Research Foundation and is
licensed exclusively to Tripwire (R) Security Systems, Inc.
LICENSE AGREEMENT for Tripwire(R) 2.3 Open Source
Please read the following license agreement. You must accept the
agreement to continue installing Tripwire.
Press ENTER to view the License Agreement.     press Enter to read the license agreement
…… (license text omitted; press the space bar to page through it) ……
Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept    type "accept" to accept the license agreement
Using configuration file ./install/install.cfg
Checking for programs specified in install configuration file....
/usr/sbin/sendmail exists. Continuing installation.
/bin/vi exists. Continuing installation.
----------------------------------------------
Verifying existence of binaries...
./bin/siggen found
./bin/tripwire found
./bin/twprint found
./bin/twadmin found
This program will copy Tripwire files to the following directories:
TWBIN: /usr/local/sbin
TWMAN: /usr/local/man
TWPOLICY: /etc/tripwire
TWREPORT: /usr/local/lib/tripwire/report
TWDB: /usr/local/lib/tripwire
TWSITEKEYDIR: /etc/tripwire
TWLOCALKEYDIR: /etc/tripwire
CLOBBER is false.
Continue with installation? [y/n] y    type y to continue the installation
 
----------------------------------------------
Creating directories...
/usr/local/sbin: already exists
/etc/tripwire: created
/usr/local/lib/tripwire/report: created
/usr/local/lib/tripwire: already exists
/etc/tripwire: already exists
/etc/tripwire: already exists
/usr/local/man: already exists
/usr/local/doc/tripwire: created
----------------------------------------------
Copying files...
/usr/local/doc/tripwire/README: copied
/usr/local/doc/tripwire/Release_Notes: copied
/usr/local/doc/tripwire/COPYING: copied
/usr/local/doc/tripwire/TRADEMARK: copied
/usr/local/doc/tripwire/policyguide.txt: copied
/etc/tripwire/twpol-Linux.txt: copied
----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.
Passphrases should be at least 8 characters in length
and contain both letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase:     enter the site keyfile passphrase (it is not echoed) and remember it
Verify the site keyfile passphrase:     enter the site keyfile passphrase again to confirm it
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase:     enter the local keyfile passphrase (it is not echoed) and remember it
Verify the local keyfile passphrase:     enter the local keyfile passphrase again to confirm it
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Generating Tripwire configuration file...
----------------------------------------------
Creating signed configuration file...
Please enter your site passphrase:     enter the site keyfile passphrase (not echoed)
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended
that you delete this file manually after you have examined it.
----------------------------------------------
Customizing default policy file...
----------------------------------------------
Creating signed policy file...
Please enter your site passphrase:     enter the site keyfile passphrase (not echoed)
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements
a minimal policy, intended only to test essential
Tripwire functionality. You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.
----------------------------------------------
The installation succeeded.
Please refer to /usr/local/doc/tripwire/Release_Notes
for release information and to the printed user documentation
for further instructions on using Tripwire 2.3 Open Source.
make[3]: Leaving directory `/root/tripwire-2.3.1-2'
make[2]: Leaving directory `/root/tripwire-2.3.1-2'
make[1]: Leaving directory `/root/tripwire-2.3.1-2'
 
[root@sample tripwire-2.3.1-2]# cd    return to root's home directory
 
[root@sample ~]# rm -rf tripwire-2.3.1-2 tripwire-2.3.1-2.tar.gz    delete the source files used for the installation
 
Configuring Tripwire

[1] Configuring the configuration file
 
[root@sample ~]# vi /etc/tripwire/twcfg.txt     edit the plain-text Tripwire configuration file
 
LOOSEDIRECTORYCHECKING =false     find this line and change false to true (do not check the integrity of the containing directory itself)
LOOSEDIRECTORYCHECKING =true      the line should now read like this
 
REPORTLEVEL =3    find this line and change 3 to 4 (change the detail level of the check report)
REPORTLEVEL =4    the line should now read like this
 
[root@sample ~]# twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt     create the signed, encrypted configuration file from the plain-text configuration file
 
Please enter your site passphrase:    enter the site keyfile passphrase (not echoed)
Wrote configuration file: /etc/tripwire/tw.cfg
 
[root@sample ~]# rm -f /etc/tripwire/twcfg.txt    delete the plain-text configuration file so it does not leave a security risk
Note: to recover the plain-text Tripwire configuration file, run "twadmin --print-cfgfile > /etc/tripwire/twcfg.txt"
 
[2] Configuring the policy file
 
Tripwire's database is built from the policy file. The default policy file, however, does not set up integrity monitoring rules that match our needs, so here a Perl script is used to make the checks actually fit our system.
 
 
[root@sample ~]# vi /etc/tripwire/twpolmake.pl     create the Perl script that builds the policy file
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
# Reads a Tripwire policy text file and prints a copy in which the
# HOSTNAME variable is set to this machine's hostname and every rule
# whose path does not exist on this system is commented out (rules
# whose path does exist are uncommented).
use strict;
use warnings;

my $POLFILE = $ARGV[0] or die "Usage: perl twpolmake.pl {Pol file}\n";
open(my $pol, '<', $POLFILE) or die "open error: $POLFILE: $!";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my $INRULE = 0;                       # 1 while inside a { ... } rule block
while (<$pol>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        # Replace the HOSTNAME value if it differs from the real hostname.
        $myhost = `hostname`; chomp($myhost);
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    elsif (/^\{/) {
        $INRULE = 1;
    }
    elsif (/^\}/) {
        $INRULE = 0;
    }
    elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $sharp: leading whitespace and optional '#'; $tpath: object path;
        # $cond: the " -> property mask ;" part of the rule.
        my $ret = ($sharp =~ s/\#//g) || 0;   # number of '#' removed (0 = was not commented)
        if ($tpath eq '/sbin/e2fsadm') {
            # Comment out the trailing tune2fs reference on this rule line.
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }
        if (! -s $tpath) {
            # Path absent (or empty): comment the rule out unless it already was.
            $_ = "$sharp#$tpath$cond" if ($ret == 0);
        }
        else {
            $_ = "$sharp$tpath$cond";
        }
    }
    print "$_\n";
}
close($pol);
[root@sample ~]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.out    build the policy file
 
[root@sample ~]# rm -f /etc/tripwire/twpol.txt      delete the default policy file
 
[root@sample ~]# mv /etc/tripwire/twpol.txt.out /etc/tripwire/twpol.txt     rename the newly built policy file to the default policy file name
 
[root@sample ~]# vi /etc/tripwire/twpol.txt     edit the policy file
 
$(TWREPORT)      -> $(SEC_CONFIG) (recurse=0) ;     find this line (around line 113) and add the following statement on the line after it
!$(TWDB)/$(HOSTNAME).twd ;     add this line (exclude the database file itself from monitoring)
 
[root@sample ~]# twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt     create the signed, encrypted policy file from the plain-text policy file
 
Please enter your site passphrase:    enter the site keyfile passphrase (not echoed)
Wrote policy file: /etc/tripwire/tw.pol
 
[root@sample ~]# rm -f /etc/tripwire/twpol.txt    delete the plain-text policy file so it does not leave a security risk
Note: to recover the plain-text Tripwire policy file, run "twadmin --print-polfile > /etc/tripwire/twpol.txt"
 
[3] Building the database
 
 
[root@sample ~]# tripwire --init    build the database
 
Please enter your local passphrase:     enter the local keyfile passphrase (not echoed)
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /usr/local/lib/tripwire/sample.centospub.com.twd
The database was successfully generated.
 
Running Tripwire
Now we test Tripwire and put it to work.
 
[1] Create the Tripwire run script:
 
 
[root@sample ~]# vi tripwire-check    create the Tripwire run script
#!/bin/bash
PATH=/usr/local/sbin:/usr/bin:/bin
SITEPASS=********  # Site Key Passphrase: replace the asterisks with the site keyfile passphrase
LOCALPASS=******** # Local Key Passphrase: replace the asterisks with the local keyfile passphrase
REPORTFILE=/usr/local/lib/tripwire/report/`hostname`-`date +%Y%m%d`.twr
# Run the Tripwire integrity check; the encrypted report is written to $REPORTFILE
tripwire --check -r "$REPORTFILE" | logger -t tripwire
# Mail the Tripwire report to root, but only when it contains violations
cd /etc/tripwire
REPORTPRINT=`mktemp`
twprint -m r -c tw.cfg -r "$REPORTFILE" -L `hostname`-local.key -t 4 > "$REPORTPRINT"
if [ -z "$(grep 'Total violations found: 0' "$REPORTPRINT")" ]; then
    mail -s "Tripwire(R) Integrity Check Report in `hostname`" root < "$REPORTPRINT"
fi
rm -f "$REPORTPRINT"
# Rebuild the policy file so the rules match the paths that currently exist
cd /etc/tripwire
twadmin --print-polfile > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.out
twadmin --create-polfile -S site.key -Q "$SITEPASS" twpol.txt.out | logger -t tripwire
rm -f twpol.*
# Re-initialize the database: today's state becomes tomorrow's baseline,
# so each change is reported once and then accepted
rm -f /usr/local/lib/tripwire/`hostname`.twd
tripwire --init -P "$LOCALPASS" | logger -t tripwire
 
[root@sample ~]# chmod 700 tripwire-check    make the run script executable
Note: Tripwire's check reports are saved, encrypted, under /usr/local/lib/tripwire/report. Log messages are written to /var/log/messages.
[2] Test the run script
[root@sample ~]# ./tripwire-check     run the script once
Because the run script itself was just added, this counts as a change to the system and a mail is sent to root... check root's mailbox and confirm that the check report has arrived.
 
[root@sample ~]# ./tripwire-check    run the script a second time
Between two consecutive runs no files are likely to have changed, so confirm that no mail is sent to root.
[3] Viewing the check report locally on the server
 
 
[root@sample ~]# ls -l /usr/local/lib/tripwire/report/    list the files in the report directory
total 32
-rw-r--r-- 1 root root 8222 Aug 23 05:46 sample.centospub.com-20060823.twr    say we want to view this report
-rw-r--r-- 1 root root 8230 Aug 23 05:46 sample.centospub.com-20060823.twr.bak
 
[root@sample ~]# cd /etc/tripwire    enter the Tripwire configuration directory
 
[root@sample tripwire]# twprint -m r -c tw.cfg -r "/usr/local/lib/tripwire/report/sample.centospub.com-20060823.twr" -L sample.centospub.com-local.key -t 4 > tripwire-report   save the decrypted check report to a file named tripwire-report
 
[root@sample tripwire]# cat tripwire-report    view the check report
Note: Report is not encrypted.
Tripwire(R) 2.3.0 Integrity Check Report
Report generated by: root
Report created on: Wed 23 Aug 2006 05:45:01 AM CST
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: sample.centospub.com
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /usr/local/lib/tripwire/sample.centospub.com.twd
Command line used: tripwire --check -r /usr/local/lib/tripwire/report/sample.centospub.com-20060823.twr
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Invariant Directories 66 0 0 0
Tripwire Data Files 100 0 0 0
Temporary directories 33 0 0 0
Critical devices 100 0 0 0
(/proc/kcore)
Tripwire Binaries 100 0 0 0
Libraries 66 0 0 0
User binaries 66 0 0 0
Critical system boot files 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
(/sbin/rtmon)
Shell Related Programs 100 0 0 0
Operating System Utilities 100 0 0 0
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
OS executables and libraries 100 0 0 0
System boot changes 100 0 0 0
Critical configuration files 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
* Root config files 100 0 0 1
Total objects scanned: 17363
Total violations found: 1
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/root/tripwire-check"
===============================================================================
Object Detail:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------
Modified object name: /root/tripwire-check
Property: Expected Observed
------------- ----------- -----------
Object Type Regular File Regular File
Device Number 64768 64768
File Device Number 0 0
Inode Number 351317 351317
Mode -rwx------ -rwx------
Num Links 1 1
UID root (0) root (0)
GID root (0) root (0)
* Size 953 951
* Modify Time Wed 23 Aug 2006 05:21:26 AM CST
Wed 23 Aug 2006 05:43:10 AM CST
* Change Time Wed 23 Aug 2006 05:21:26 AM CST
Wed 23 Aug 2006 05:43:10 AM CST
Blocks 16 16
* CRC32 Ay0oV9 BDzM8Y
* MD5 BoeMoWfjEKCSLOJCs/E7mj ABQN3hl5wF0PyTcXugPE5U
 
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
 
[root@sample tripwire]# rm -f tripwire-report    delete the decrypted report
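As an added example that is not part of the original post, the following shell functions parse a decrypted twprint report of the format shown above and give the run script a stricter alert condition than grepping for "Total violations found: 0": the violation count (with a missing count line treated as a failure rather than as "clean"), the list of changed objects for the mail body, and a clean/not-clean verdict. The function names and the trimmed sample report are this example's own.

```shell
#!/bin/bash
# Added example (not from the original post): parse a decrypted twprint report
# and decide whether it needs attention, instead of grepping only for the
# line "Total violations found: 0". Function names are this example's own.

# Constructed sample, cut down from the report shown in the post.
SAMPLE_REPORT='Tripwire(R) 2.3.0 Integrity Check Report
Total objects scanned: 17363
Total violations found: 1
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/root/tripwire-check"
===============================================================================
Object Detail:
==============================================================================='

# Print the "Total violations found" count. Prints -1 when the line is absent
# (for example because twprint failed), so a missing or truncated report is
# never mistaken for a clean one.
tw_violations() {
    tw_n=$(printf '%s\n' "$1" |
        sed -n 's/^Total violations found: \([0-9][0-9]*\) *$/\1/p' | head -n 1)
    [ -n "$tw_n" ] || tw_n=-1
    printf '%s\n' "$tw_n"
}

# List the objects in the Object Summary section as "Added|Removed|Modified: path",
# one per line, so a mail body can lead with what actually changed.
tw_objects() {
    printf '%s\n' "$1" | awk '
        /^Object Summary:/ { insum = 1; next }
        /^Object Detail:/  { insum = 0 }
        insum && /^(Added|Removed|Modified):$/ { kind = $1; sub(/:$/, "", kind); next }
        insum && /^"/      { gsub(/"/, ""); print kind ": " $0 }
    '
}

# Exit status 0 only when the report is present and reports zero violations.
tw_is_clean() {
    [ "$(tw_violations "$1")" -eq 0 ]
}

# Usage in the spirit of the post's run script, with $REPORTPRINT holding the
# twprint output file (constructed name, as in the post):
# tw_is_clean "$(cat "$REPORTPRINT")" || mail -s "Tripwire report" root < "$REPORTPRINT"
```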
[4] Run the check script automatically every day
 
 
[root@sample tripwire]# cd     return to root's home directory, where the Tripwire run script is
 
[root@sample ~]# mv tripwire-check /etc/cron.daily/     move the script into the directory of scripts that run automatically every day
Scripts placed under /etc/cron.daily are run automatically every day at 04:02. In this way the state of the system files is monitored through data integrity checking. If files are added, modified or deleted, a mail is sent to root and automatically forwarded to the forwarding address configured during the initial environment setup.