Installing and using Tripwire
Why install Tripwire
Right after installing Linux and finishing the base configuration, install Tripwire. It records the characteristics of each file (size, owner, group, permissions, hashes and so on) into a fingerprint database and checks the system against that database on a schedule. When a file's current state no longer matches the database, Tripwire raises a warning and lists exactly which objects, and which properties of them, differ. The baseline is only as trustworthy as the host was at the moment it was taken, so build it before the machine is exposed to untrusted traffic; a baseline taken from an already-compromised system merely fingerprints the compromise.
1. Installing Tripwire on CentOS 7
1.1 Manual installation from source (did not succeed)
Download: https://sourceforge.net/projects/tripwire/
yum -y install bzip2
tar -jxvf tripwire-2.4.2.2-src.tar.bz2
Edit /opt/tripwire-2.4.2.2-src/install/install.cfg and add:
# Tripwire policy files are stored in TWPOLICY.
sysconfdir=/etc/tripwire/
TWPOLICY="${sysconfdir}"
Install:
cd /opt/tripwire-2.4.2.2-src/install/
./install.sh install.cfg
For details see https://www.cnblogs.com/yuanermen/archive/2012/10/16/2726441.html
On my machine the build failed with: algebra.h:276:35: error: ‘Equal’ was not declared in this scope, and no declarations were found by argument-dependent lookup at the point of instantiation [-fpermissive]
As far as I could tell, the C++ toolchain on the machine is too new for what this old release expects, and the two are not compatible.
(The message is the compiler enforcing two-phase name lookup in templates, which GCC has done strictly since 4.7; the 2.4.2.2 sources predate that. The 2.4.3.x release that yum installs below builds with current compilers.)
1.2 Installing Tripwire with yum
The package comes from the EPEL repository (enable it through the epel-release package first if it is not already present), then:
yum install -y tripwire
[root@node-251 tripwire]# rpm -ql tripwire
/etc/cron.daily/tripwire-check
/etc/tripwire
/etc/tripwire/twcfg.txt
/etc/tripwire/twpol.txt
/usr/sbin/siggen
/usr/sbin/tripwire
/usr/sbin/tripwire-setup-keyfiles
/usr/sbin/twadmin
/usr/sbin/twprint
...
/var/lib/tripwire
/var/lib/tripwire/report
Next, generate the Tripwire key files by hand (the site key and the local key). The tripwire-setup-keyfiles script also signs twcfg.txt and twpol.txt with the site key, producing tw.cfg and tw.pol, which is why it asks for the site passphrase once more at the end. Use two different, strong passphrases and keep them out of scripts: anyone who has them together with root can rewrite the policy and rebuild the database, after which Tripwire will report a clean system.
[root@node-251 tripwire]# tripwire-setup-keyfiles
...
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
...
Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
...
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
...
[root@node-251 tripwire]# ll
total 84
-rw-r----- 1 root root 931 May 31 01:56 node-251-local.key
drwxr-xr-x 3 root root 17 May 31 01:54 share
-rw-r----- 1 root root 931 May 31 01:56 site.key
-rw-r----- 1 root root 4586 May 31 01:56 tw.cfg
-rw-r--r-- 1 root root 602 May 31 01:42 twcfg.txt
-rw-r----- 1 root root 12415 May 31 01:57 tw.pol
-rw-r--r-- 1 root root 46644 May 31 01:39 twpol.txt
Tripwire is now installed on CentOS 7, and the new configuration and keys are in /etc/tripwire.
Note the permissions in the listing: the two key files, tw.cfg and tw.pol are mode 0640 and owned by root, while the plaintext twcfg.txt and twpol.txt are world-readable. Once the signed tw.pol is in place, the plaintext policy tells any local user exactly which paths are, and are not, monitored, so either tighten its mode or keep the plaintext copy off the host. You can confirm that a file is signed, and with which key, using twadmin --examine <file>.
1.3 Tripwire's configuration file and policy rules
- twcfg.txt: sets up Tripwire's working environment; adjust it to your own habits.
[root@node-251 tripwire_test]# cat /etc/tripwire/twcfg.txt
ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =true
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =4
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t
DBFILE is the fingerprint database; REPORTFILE is the name of each check report (one file per run, stamped with the date). SYSLOGREPORTING=false means nothing reaches syslog; set it to true if a central log collector, rather than e-mail, is how you want to notice a violation. MAILNOVIOLATIONS=true sends a report even when nothing changed, which is useful as a heartbeat that the scheduled check is still running.
- twpol.txt: specifies which files, and which properties of those files, Tripwire monitors.
How do you tell Tripwire to watch certain files? The twpol.txt shipped with Red Hat already puts the important configuration files and programs under watch; you can find a section like this one:
(
  rulename = "Security Control",
  severity = $(SIG_HI)
)
{
  /etc/group    -> $(SEC_CRIT) ;
  /etc/security -> $(SEC_CRIT) ;
}
This section places the two objects /etc/group and /etc/security in the group "Security Control", with a severity given by the variable SIG_HI, whose value is 100 (explained below). Which properties of /etc/group and /etc/security Tripwire watches is defined by the variable SEC_CRIT.
Browsing twpol.txt from the top, you find this section:
@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability
You can see that SIG_HI is 100, as stated above, and that the properties of /etc/group to monitor are given by SEC_CRIT, which here equals $(IgnoreNone)-SHa. Which properties are those? To answer that you first have to find how IgnoreNone is defined, but it appears nowhere in twpol.txt: IgnoreNone, like ReadOnly, Dynamic and Growing below it, is a variable predefined by Tripwire itself. The "Variables" section of the twpolicy man page lists them:
A number of variables are predefined by Tripwire and may not be changed. These variables represent different ways that files can change, and can be used on the right side of rules to design a policy file quickly.
ReadOnly    ReadOnly is good for files that are widely available but are intended to be read-only.
            Value: +pinugtsdbmCM-rlacSH
Dynamic     Dynamic is good for monitoring user directories and files that tend to be dynamic in behavior.
            Value: +pinugtd-srlbamcCMSH
Growing     The Growing variable is intended for files that should only get larger.
            Value: +pinugtdl-srbamcCMSH
Device      Device is good for devices or other files that Tripwire should not attempt to open.
            Value: +pugsdr-intlbamcCMSH
IgnoreAll   IgnoreAll tracks a file's presence or absence, but doesn't check any other properties.
            Value: -pinugtsdrlbamcCMSH
IgnoreNone  IgnoreNone turns on all properties and provides a convenient starting point for defining your own property masks. (For example, mymask = $(IgnoreNone) -ar;)
            Value: +pinugtsdrbamcCMSH-l
So IgnoreNone is +pinugtsdrbamcCMSH-l: the letters after "+" are properties to check and the letters after "-" are properties to ignore. $(IgnoreNone)-SHa therefore takes IgnoreNone and switches off S (SHA hash), H (Haval hash) and a (access timestamp), leaving the MD5 and CRC-32 hashes, size, inode, permissions, ownership and the modification and inode-change timestamps switched on. Ignoring the access timestamp is deliberate: merely reading a file (the check itself does that) would otherwise be reported as a change. Dropping two of the four hashes is a speed trade-off; if the adversary you care about can craft MD5 collisions, keep S on for the critical set (for example $(IgnoreNone)-Ha) and accept the slower check.
- site passphrase: used to sign twcfg.txt and twpol.txt into tw.cfg and tw.pol (the site key); one site key can sign the policy for a whole fleet.
- local passphrase: used to sign the fingerprint database and the check reports (the local key), which is per host.
2. Configuring the Tripwire policy on CentOS 7
Initialize the Tripwire database with the following command:
tripwire --init
You will be asked for the local passphrase, and on a stock CentOS 7 you will most likely see a long run of "No such file or directory" warnings.
They appear because the shipped twpol.txt refers to files and directories that do not exist on this system (legacy GRUB stage files, fixrmtab and so on). The initialisation continues past them and still writes the database, but every later check repeats the same warnings, and that noise is exactly what hides a real error. To fix it, edit twpol.txt so those entries are commented out, then re-sign the policy.
First save the "Filename:" lines from the warnings into a file and look at it:
[root@node-251 tripwire]# cat no-directory.txt
Filename: /usr/sbin/fixrmtab
Filename: /usr/share/grub/i386-redhat/e2fs_stage1_5
Filename: /usr/share/grub/i386-redhat/fat_stage1_5
Filename: /usr/share/grub/i386-redhat/ffs_stage1_5
Filename: /usr/share/grub/i386-redhat/minix_stage1_5
Filename: /usr/share/grub/i386-redhat/reiserfs_stage1_5
Filename: /usr/share/grub/i386-redhat/stage1
...
Every directory and file that does not exist on this CentOS 7 system is listed in no-directory.txt.
Use the following shell loop to comment those entries out of twpol.txt; run it in the terminal:
for f in $(grep "Filename:" no-directory.txt | cut -f2 -d:); do
    # Put "#" in front of the rule line for this path ("#" starts a comment in the
    # policy language). The space after \($f\) keeps /foo from also matching /foo2.
    # Caveat: $f is used unescaped, so a "." in a path matches any character.
    sed -i "s|\($f\) |#\\1|g" /etc/tripwire/twpol.txt
done
After that, regenerate and re-sign the policy file with twadmin, as follows:
twadmin -m P /etc/tripwire/twpol.txt
Initialize the database again and make sure there are no more warnings:
[root@node-251 tripwire]# tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/node-251.twd
The database was successfully generated.
This time the database is initialized without any warnings.
3. Verifying the Tripwire configuration and checking the system
To verify the configuration, run an integrity check:
[root@node-251 tripwire]# tripwire --check
You should get output similar to the following:
[root@node-251 tripwire]# tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/node-251-20230531-021457.twr
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report
Report generated by: root
Report created on: Wed 31 May 2023 02:14:57 AM CST
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: node-251
Host IP address: 192.168.71.251
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/node-251.twd
Command line used: tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
(/sbin/rtmon)
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
Critical system boot files 100 0 0 0
* Tripwire Data Files 100 1 0 0
System boot changes 100 0 0 0
OS executables and libraries 100 0 0 0
Critical configuration files 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
Root config files 100 0 0 0
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
Critical devices 100 0 0 0
Total objects scanned: 25716
Total violations found: 1
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/var/lib/tripwire/node-251.twd.bak"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
The only violation is node-251.twd.bak under the "Tripwire Data Files" rule: the second --init moved the previous database aside as a backup, and /var/lib/tripwire is itself monitored. Nothing else on the system changed. Note "Database last updated on: Never". A violation stays in every subsequent report until you either accept it into the database with tripwire --update -r <report.twr> (which opens the report in EDITOR so each change can be accepted or rejected) or rebuild the baseline with --init. Treat --init as a last resort after the first baseline, since it silently blesses whatever is on disk at that moment.
Now add a new file in root's home directory and run the check again.
Go to root's home directory and create a file named hakase-labs.txt:
cd ~/
touch hakase-labs.txt
Check the system again:
tripwire --check
The result shows a new violation at severity 100: the "Root config files" rule covers /root, so the file you just created is reported as added, as below.
[root@node-251 ~]# tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/node-251-20230531-021809.twr
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report
Report generated by: root
Report created on: Wed 31 May 2023 02:18:09 AM CST
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: node-251
Host IP address: 192.168.71.251
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/node-251.twd
Command line used: tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
(/sbin/rtmon)
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
Critical system boot files 100 0 0 0
* Tripwire Data Files 100 1 0 0
System boot changes 100 0 0 0
OS executables and libraries 100 0 0 0
Critical configuration files 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
* Root config files 100 1 0 0
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
Critical devices 100 0 0 0
Total objects scanned: 25717
Total violations found: 2
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/var/lib/tripwire/node-251.twd.bak"
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/root/hakase-labs.txt"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
4. Adding a new rule to the Tripwire policy
This step shows how to add a rule of your own to the policy text twpol.txt.
A rule needs a name, a severity, and the directories or files to watch together with the property mask to apply to them. Here we create a rule named "redis Data" for the Redis source tree unpacked under /opt/tripwire_test/, with severity HIGH (SIG_HI), treating everything in that directory as critical: source code that must not change.
[root@node-251 redis]# pwd
/opt/tripwire_test/redis
[root@node-251 redis]# ll
total 268
-rw-rw-r-- 1 root root 43972 Apr 17 20:54 00-RELEASENOTES
-rw-rw-r-- 1 root root 51 Apr 17 20:54 BUGS
-rw-rw-r-- 1 root root 5027 Apr 17 20:54 CODE_OF_CONDUCT.md
-rw-rw-r-- 1 root root 2634 Apr 17 20:54 CONTRIBUTING.md
-rw-rw-r-- 1 root root 1487 Apr 17 20:54 COPYING
drwxrwxr-x 7 root root 119 Apr 17 20:54 deps
-rw-rw-r-- 1 root root 11 Apr 17 20:54 INSTALL
-rw-rw-r-- 1 root root 151 Apr 17 20:54 Makefile
-rw-rw-r-- 1 root root 6888 Apr 17 20:54 MANIFESTO
-rw-rw-r-- 1 root root 22441 Apr 17 20:54 README.md
-rw-rw-r-- 1 root root 106545 Apr 17 20:54 redis.conf
-rwxrwxr-x 1 root root 279 Apr 17 20:54 runtest
-rwxrwxr-x 1 root root 283 Apr 17 20:54 runtest-cluster
-rwxrwxr-x 1 root root 1613 Apr 17 20:54 runtest-moduleapi
-rwxrwxr-x 1 root root 285 Apr 17 20:54 runtest-sentinel
-rw-rw-r-- 1 root root 1695 Apr 17 20:54 SECURITY.md
-rw-rw-r-- 1 root root 14005 Apr 17 20:54 sentinel.conf
drwxrwxr-x 4 root root 8192 Apr 17 20:54 src
drwxrwxr-x 11 root root 199 Apr 17 20:54 tests
-rw-rw-r-- 1 root root 3055 Apr 17 20:54 TLS.md
drwxrwxr-x 8 root root 4096 Apr 17 20:54 utils
Go to the Tripwire configuration directory /etc/tripwire and edit twpol.txt with vim, adding the section shown below; cat the file afterwards to confirm it is there (the rest of the file is unchanged).
cd /etc/tripwire/
cat twpol.txt
....
# Ruleset for redis
(
rulename = "redis Data",
severity= $(SIG_HI)
)
{
/opt/tripwire_test -> $(SEC_CRIT);
}
...
Save and exit.
Regenerate and re-sign the policy with twadmin, as follows:
[root@node-251 redis]# twadmin -m P /etc/tripwire/twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
Now the Tripwire database has to be regenerated so that the new rule's objects get a baseline:
[root@node-251 redis]# tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/node-251.twd
The database was successfully generated.
The new rule set has been added to the policy and applied.
Check the system with the tripwire command below:
[root@node-251 redis]# tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/node-251-20230531-170328.twr
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report
Report generated by: root
Report created on: Wed 31 May 2023 05:03:28 PM CST
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: node-251
Host IP address: 192.168.71.251
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/node-251.twd
Command line used: tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
(/sbin/rtmon)
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
Critical system boot files 100 0 0 0
Tripwire Data Files 100 0 0 0
System boot changes 100 0 0 0
OS executables and libraries 100 0 0 0
Critical configuration files 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
Root config files 100 0 0 0
redis Data 100 0 0 0
(/opt/tripwire_test)
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
Critical devices 100 0 0 0
Total objects scanned: 27193
Total violations found: 0
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
No violations.
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
The result reports no errors and no violations, and the new rule "redis Data" now appears in the summary together with its directory /opt/tripwire_test.
Now go into /opt/tripwire_test/ and create a new file there:
cd /opt/tripwire_test
touch hakase-labs.php
Run the check again:
tripwire --check
The report now shows a violation under /opt/tripwire_test at severity 100:
[root@node-251 tripwire_test]# tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/node-251-20230531-170548.twr
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report
Report generated by: root
Report created on: Wed 31 May 2023 05:05:48 PM CST
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: node-251
Host IP address: 192.168.71.251
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/node-251.twd
Command line used: tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
(/sbin/rtmon)
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
Critical system boot files 100 0 0 0
Tripwire Data Files 100 0 0 0
System boot changes 100 0 0 0
OS executables and libraries 100 0 0 0
Critical configuration files 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
Root config files 100 0 0 0
* redis Data 100 1 0 0
(/opt/tripwire_test)
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
Critical devices 100 0 0 0
Total objects scanned: 27194
Total violations found: 1
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: redis Data (/opt/tripwire_test)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/opt/tripwire_test/hakase-labs.php"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
The new rule has been added to the Tripwire policy and is in force.
5. Tripwire e-mail notification and cron
In this step we configure a notification for one specific rule and a cron job for automatic checks. Any violation of the "redis Data" rule will be reported to the address myemail@gmail.com.
For e-mail notification Tripwire provides the emailto attribute in the policy. The message is handed to the local MTA (Postfix or Sendmail) through MAILPROGRAM in twcfg.txt, so the host needs a working MTA with a route to the destination domain.
Before configuring anything, test the mail path with:
tripwire --test --email email@gmail.com
Check that mailbox; a test message from the server should arrive. If nothing arrives, fix the MTA before going further, because a report that is generated but never delivered looks exactly like a quiet system.
Now go to /etc/tripwire and edit twpol.txt:
cd /etc/tripwire/
vim twpol.txt
Add an emailto line to the "redis Data" rule as below (rule attributes are comma-separated, so the severity line now ends with a comma):
# Ruleset for redis
(
rulename = "redis Data",
severity= $(SIG_HI),
emailto = myemail@gmail.com
)
{
/opt/tripwire_test -> $(SEC_CRIT);
}
Save and exit.
Regenerate and sign the policy with twadmin:
[root@node-251 tripwire_test]# twadmin -m P /etc/tripwire/twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
Then regenerate the Tripwire database:
tripwire --init
Enter the local passphrase when prompted.
Configuration of the Tripwire e-mail notification is complete.
Now test it by creating another file in /opt/tripwire_test:
cd /opt/tripwire_test/
touch hakase.txt
Check the system again with:
tripwire --check --email-report
Note: --email-report sends the report to the e-mail address defined in each rule (the emailto attribute), in addition to writing it to REPORTFILE.
Check the mailbox. In this run what came back to root's local mailbox was the message below: a bounce (Content-Description: Undelivered Message) wrapping the report, because the host's Postfix could not deliver directly to gmail.com. The report inside it is intact, which shows the Tripwire side works; for real delivery, point Postfix at a relay your organisation is allowed to send through (relayhost in main.cf) and repeat the --test step above until the message arrives in the destination mailbox.
Content-Description: Undelivered Message
Content-Type: message/rfc822
Return-Path: <root@node-251.localdomain>
Received: by node-251.localdomain (Postfix, from userid 0)
id 54CF757F1FE; Wed, 31 May 2023 17:32:34 +0800 (CST)
MIME-Version: 1.0
Date: Wed, 31 May 2023 17:32:33 +0800
From: "Open Source Tripwire(R) 2.4.3.7.0" <tripwire@node-251.localdomain>
To: myemail@gmail.com
Subject: TWReport node-251 20230531173145 V:1 S:100 A:1 R:0 C:0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Message-Id: <20230531093234.54CF757F1FE@node-251.localdomain>
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report
Report generated by: root
Report created on: Wed 31 May 2023 05:31:45 PM CST
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: node-251
Host IP address: 192.168.71.251
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/node-251.twd
Command line used: tripwire --check --email-report
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
* redis Data 100 1 0 0
(/opt/tripwire_test)
Total objects scanned: 27195
Total violations found: 1
===============================================================================
Object Detail:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: redis Data (/opt/tripwire_test)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Added Objects: 1
----------------------------------------
Added object name: /opt/tripwire_test/hakase.txt
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
--54CF757F1FE.1685525556/node-251.localdomain--
Tripwire's e-mail notification is enabled and applied.
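Whether the report arrives by mail or is produced by cron, something has to decide whether it deserves a human. The POSIX shell/awk functions below are an added example (not from this page and not part of Tripwire) that parse the report text shown above: the "*"-flagged lines of the Rule Summary, including the ones where Tripwire wraps a long rule name and puts the counts on the next line, the total violation count, and the Subject line of the report mail, whose fields V, S, A, R and C are violations, highest severity, and objects added, removed and changed. tw_report_alert turns that into an exit status so a cron wrapper can page only on SIG_HI rules. The function names are this example's own, and the sample report in the test is constructed from the page's output.

```sh
#!/bin/sh
# Pull alert-relevant facts out of a Tripwire report: violated rules with their
# severities and counts, the total, and the fields of the mail Subject line.

# Usage: tw_report_violations [report.txt]   (reads stdin when no file is given)
# Print "rule<TAB>severity<TAB>added<TAB>removed<TAB>modified" for each rule that
# carries a "*" in the Rule Summary. Tripwire wraps long rule names and prints the
# counts on the following line, so that case is joined before parsing.
tw_report_violations() {
    awk '
        /^Total objects scanned/ { exit }        # end of the Rule Summary table
        /^\*/ {
            line = substr($0, 2)                 # drop the "*"
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            if (line !~ /[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+$/) {
                getline wrapped                  # counts are on the next line
                sub(/[ \t]+$/, "", wrapped)
                line = line " " wrapped
            }
            n = split(line, f, /[ \t]+/)
            name = f[1]
            for (i = 2; i <= n - 4; i++) name = name " " f[i]
            printf "%s\t%s\t%s\t%s\t%s\n", name, f[n-3], f[n-2], f[n-1], f[n]
        }
    ' "$@"
}

# Usage: tw_report_total [report.txt]  -> the "Total violations found" number
tw_report_total() {
    sed -n 's/^Total violations found:[[:space:]]*//p' "$@"
}

# Parse the Subject line Tripwire puts on report mail, e.g.
#   TWReport node-251 20230531173145 V:1 S:100 A:1 R:0 C:0
# and print it as key=value pairs on one line.
tw_subject_fields() {
    printf '%s\n' "$1" | awk '
        $1 == "TWReport" {
            out = "host=" $2
            for (i = 4; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == "V") out = out " violations=" kv[2]
                else if (kv[1] == "S") out = out " severity=" kv[2]
                else if (kv[1] == "A") out = out " added=" kv[2]
                else if (kv[1] == "R") out = out " removed=" kv[2]
                else if (kv[1] == "C") out = out " changed=" kv[2]
            }
            print out
        }'
}

# Usage: tw_report_alert report.txt [threshold]
# Exit 0 when at least one violated rule has severity >= threshold (default 100),
# so a wrapper can page on critical rules and merely log the rest.
tw_report_alert() {
    tw_report_violations "$1" | awk -F '\t' -v thr="${2:-100}" '
        $2 + 0 >= thr + 0 { hit = 1 }
        END { exit (hit ? 0 : 1) }'
}
```

Since tripwire --check prints the full report on stdout, a cron wrapper can save that output to a file and run tw_report_alert on it with the threshold you care about; violations below it still sit in the report file and in REPORTFILE for review, and nothing is paged for a SIG_LOW change in a temporary directory.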
Next, schedule automatic Tripwire checks with cron. Note that the EPEL package already installs /etc/cron.daily/tripwire-check (it appeared in the rpm -ql listing in section 1.2), which runs a daily check; a second entry in root's crontab doubles the work and the mail, so use one or the other. To use a crontab entry, open root's crontab:
crontab -e -u root
and add the following line:
0 0 * * * /usr/sbin/tripwire --check --email-report
Save and exit.
Note: this cron entry runs a Tripwire check every day at 00:00. The full path matters: cron runs jobs with a minimal PATH that does not include /usr/sbin.
No restart is needed, because crontab -e installs the new table immediately; if you want to restart crond on CentOS 7 anyway:
systemctl restart crond
You will now receive the Tripwire report by e-mail every day. Remember that a report only flags differences: somebody has to read it and either accept the changes with tripwire --update or investigate them, otherwise the same violations repeat daily and turn into noise.
Tripwire is now installed and configured on the CentOS 7 system.