安装和配置Tripwire

安装和配置Tripwire

(2006-03-20 13:58:00)

转载▼

分类： Linux

安装和配置Tripwire,加强你的Linux系统安全

1、为什么要安装tripwire
在安装完Linux，做好设定后，建议你马上安装tripwire这套软件，它能把文件的特征，如对象大小、拥有者、群组、存取权限等建立成指纹数据库(fingerprints)，并定期执行检查。当发现文件现况与指纹数据库不符合时，tripwire会提出警告，告知你哪些项目与指纹数据库不符。

2、安装程序

说明：本文档使用的linux发行版本为RedHatLinux7.3。其他的发行版本设置类似。

1.安装套件：rpm-Uvhtripwire-版本号码.rpm

2.切换工作目录到/etc/tripwire，其中有两个配置文件：

§twcfg.txt:可用来设定tripwire的工作环境，可依照你的习惯来调整，

§twpol.txt：指定tripwire对哪些文件的哪些项目进行监控。

3.预设的twcfg.txt其中

ROOT=/usr/sbin

POLFILE=/etc/tripwire/tw.pol

DBFILE=/var/lib/tripwire/$(HOSTNAME).twd

REPORTFILE=/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr

SITEKEYFILE=/etc/tripwire/site.key

LOCALKEYFILE=/etc/tripwire/$(HOSTNAME)-local.key

EDITOR=/bin/vi

LATEPROMPTING=false

LOOSEDIRECTORYCHECKING=false

MAILNOVIOLATIONS=true

EMAILREPORTLEVEL=3

REPORTLEVEL=3

MAILMETHOD=SENDMAIL

SYSLOGREPORTING=false

MAILPROGRAM=/usr/sbin/sendmail-oi-t

§DBFILE为指纹数据库之文件名。

§REPORTFILE为检测报告档之档名。

4.再来看看twpol.txt，我们可以设定它来指定tripwire对哪些文件的哪些项目进行监控。tripwire可监控的项目可在twpolicy的manpage中，『propertymasks』一节内找到，如下所示：

-Ignorethefollowingproperties

+Recordandcheckthefollowingproperties

aAccesstimestamp

bNumberofblocksallocated

cInodetimestamp(create/modify)

dIDofdeviceonwhichinoderesides

gFileowner'sgroupID

iInodenumber

lFileisincreasinginsize(a"growingfile")

mModificationtimestamp

nNumberoflinks(inodereferencecount)

pPermissionsandfilemodebits

rIDofdevicepointedtobyinode

(validonlyfordeviceobjects)

sFilesize

tFiletype

uFileowner'suserID

CCRC-32hashvalue

HHavalhashvalue

MMD5hashvalue

SSHAhashvalue

其中『+』与『-』容后说明。

5.如何要求tripwire监控某些文件呢？RedHat所附的twpol.txt已把重要的配置文件与程序行入监控的范围，你可以找到如附图内的这一段：(

（

rulename="SecurityControl",

severity=$(SIG_HI)

)

{

/etc/group->$(SEC_CRIT);

/etc/security->$(SEC_CRIT);

}

这一段把/etc/group以及/etc/security这两个对象纳入『SecurityControl』这一组，警戒程度为由SIG_HI这个变量定义，值为100(稍后会介绍)。而tripwire会监控/etc/group及/etc/security的哪些项目呢？则由SEC_CRIT这个变量来定义。

6.从twpol.txt的前端往后浏览，可以找到如附图的这一段：

@@sectionFS

SEC_CRIT=$(IgnoreNone)-SHa;#Criticalfilesthatcannotchange

SEC_SUID=$(IgnoreNone)-SHa;#BinarieswiththeSUIDorSGIDflagsset

SEC_BIN=$(ReadOnly);#Binariesthatshouldnotchange

SEC_CONFIG=$(Dynamic);#Configfilesthatarechangedinfrequentlybutaccessedoften

SEC_LOG=$(Growing);#Filesthatgrow,butthatshouldneverchangeownership

SEC_INVARIANT=+tpug;#Directoriesthatshouldneverchangepermissionorownership

SIG_LOW=33;#Non-criticalfilesthatareofminimalsecurityimpact

SIG_MED=66;#Non-criticalfilesthatareofsignificantsecurityimpact

SIG_HI=100;#Criticalfilesthataresignificantpointsofvulnerability

你可以发现SIG_HI的值就如上一点所提的，为100。而tripwire会监控/etc/group的哪些项目是由SEC_CRIT所定义；在此处你发现SEC_CRIT等于『$(IgnoreNone)-SHa』，究竟是哪些项目？

要解开这个谜，必须先找出IgnoreNone的变量究竟定义为何。但找遍twpol.txt还是解不开，原来IgnoreNone跟下面的ReadOnly,Dynamic,Growing等均为tripwire预先定义好的变量，在twpolicy的manpage中『Variables』一节内可以找到如附图的内容：

ReadOnlyReadOnlyisgoodforfilesthatarewidelyavailablebutareintendedtoberead-only.Value:+pinugtsdbmCM-rlacSH

DynamicDynamicisgoodformonitoringuserdirec-toriesandfilesthattendtobedynamicinbehavior.value:+pinugtd-srlbamcCMSH

GrowingTheGrowingvariableisintendedforfilesthatshouldonlygetlarger.Value:+pinugtdl-srbamcCMSH

DeviceDeviceisgoodfordevicesorotherfilesthatTripwireshouldnotattempttoopen.Value:+pugsdr-intlbamcCMSH

IgnoreAllIgnoreAlltracksafile'spresenceorabsence,butdoesn'tcheckanyotherprop-erties.Value:-pinugtsdrlbamcCMSH

IgnoreNoneIgnoreNoneturnsonallpropertiesandpro-videsaconvenientstartingpointfordefiningyourownpropertymasks.(Forexample,mymask=$(IgnoreNone)-ar;)Value:+pinugtsdrbamcCMSH-l

从上面得知『IgnoreNone』的值为『+pinugtsdrbamcCMSH-l』，其中『+』后所列的是要监控的项目，而『-』后所列的则为不监控的项目。那么『$(IgnoreNone)-SHa』呢？就是把IgnoreNone内原本列入监控的SHa项目改列为不监控。

你可以按照需求来修改这个文件。。

7.接着在在/etc/tripwire内执行./twinstall.sh。执行过程中会要求你设定两个密码(passphrase)：

§sitepassphrase：加密twpol.txt及twcfg.txt时用。

§localpassphrase：加密指纹数据库时用。

之后会再要你输入正确的sitepassphrase，此时会对twpol.txt及twcfg.txt分别进行加密处理，由原始文本文件产生tw.pol及tw.cfg。过程如附图所示：[root@localhosttripwire]#./twinstall.sh

----------------------------------------------

TheTripwiresiteandlocalpassphrasesareusedto

signavarietyoffiles,suchastheconfiguration,

policy,anddatabasefiles.

Passphrasesshouldbeatleast8charactersinlength

andcontainbothlettersandnumbers.

SeetheTripwiremanualformoreinformation.

----------------------------------------------

Creatingkeyfiles...

(Whenselectingapassphrase,keepinmindthatgoodpassphrasestypically

haveupperandlowercaseletters,digitsandpunctuationmarks,andare

atleast8charactersinlength.)

Enterthesitekeyfilepassphrase:

Verifythesitekeyfilepassphrase:

Generatingkey(thismaytakeseveralminutes)...Keygenerationcomplete.

(Whenselectingapassphrase,keepinmindthatgoodpassphrasestypically

haveupperandlowercaseletters,digitsandpunctuationmarks,andare

atleast8charactersinlength.)

Enterthelocalkeyfilepassphrase:

Verifythelocalkeyfilepassphrase:

Generatingkey(thismaytakeseveralminutes)...Keygenerationcomplete.

----------------------------------------------

Signingconfigurationfile...

Pleaseenteryoursitepassphrase:

Wroteconfigurationfile:/etc/tripwire/tw.cfg

Aclear-textversionoftheTripwireconfigurationfile

/etc/tripwire/twcfg.txt

hasbeenpreservedforyourinspection.Itisrecommended

thatyoudeletethisfilemanuallyafteryouhaveexaminedit.

 

----------------------------------------------

Signingpolicyfile...

Pleaseenteryoursitepassphrase:

Wrotepolicyfile:/etc/tripwire/tw.pol

Aclear-textversionoftheTripwirepolicyfile

/etc/tripwire/twpol.txt

hasbeenpreservedforyourinspection.Thisimplements

aminimalpolicy,intendedonlytotestessential

Tripwirefunctionality.Youshouldeditthepolicyfile

todescribeyoursystem,andthenusetwadmintogenerate

anewsignedcopyoftheTripwirepolicy.

Youhavenewmailin/var/spool/mail/root

在twinstall.sh执行完毕后，建议把twpol.txt及twcfg.txt这两个文本文件删除或移至别处。

8.执行tripwire-mi来建立指纹数据库，它会要求你输入localpassphase。

[root@localhosttripwire]#tripwire-mi

Pleaseenteryourlocalpassphrase:

Parsingpolicyfile:/etc/tripwire/tw.pol

Generatingthedatabase...

***ProcessingUnixFileSystem***

###Warning:Filesystemerror.

###Filename:/proc/scsi

###Nosuchfileordirectory

###Continuing...

###Warning:Filesystemerror.

###Filename:/usr/sbin/fixrmtab

###Nosuchfileordirectory

###Continuing...

Wrotedatabasefile:/var/lib/tripwire/localhost.localdomain.twd

Thedatabasewassuccessfullygenerated.

Youhavenewmailin/var/spool/mail/root

9.或许你怀疑tripwire真的能侦测出文件最细微的改变吗？以下来做个实验，我们把/etc/group中第一行第二个字段的『x』改成『X』：

[root@localhosttripwire]#head–1/etc/group

root:x:0:root

[root@localhosttripwire]#vi/etc/group

[root@localhosttripwire]#head–1/etc/group

root:X:0:root

10.接下来执行『tripwire-mc--interactive』进行检查，最后出现报告清单(内定使用vi)，有：

§『RuleSummary』：列出所有组别的检查结果。

===============================================================================

RuleSummary:

===============================================================================

-------------------------------------------------------------------------------

Section:UnixFileSystem

-------------------------------------------------------------------------------

RuleNameSeverityLevelAddedRemovedModified

-------------------------------------------

InvariantDirectories66000

Temporarydirectories33000

*TripwireDataFiles100100

Criticaldevices100000

Userbinaries66000

TripwireBinaries100000

Criticalconfigurationfiles100000

Libraries66000

OperatingSystemUtilities100000

Criticalsystembootfiles100000

FileSystemandDiskAdministratonPrograms

100000

KernelAdministrationPrograms100000

NetworkingPrograms100000

SystemAdministrationPrograms100000

HardwareandDeviceControlPrograms

100000

SystemInformationPrograms100000

ApplicationInformationPrograms

100000

ShellRelatedPrograms100000

CriticalUtilitySym-Links100000

ShellBinaries100000

Systembootchanges100000

OSexecutablesandlibraries100000

*SecurityControl100001

LoginScripts100000

Rootconfigfiles100000

Totalobjectsscanned:15675

Totalviolationsfound:2

有两组有异动，一为tripwire的资料文件(新增)，另一为『SystemControl』这一组(/etc/group属于这一组!)。

『ObjectSummary』：列出有异动的对象清单。

===============================================================================

ObjectSummary:

===============================================================================

-------------------------------------------------------------------------------

#Section:UnixFileSystem

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

RuleName:TripwireDataFiles(/var/lib/tripwire)

SeverityLevel:100

-------------------------------------------------------------------------------

Removethe"x"fromtheadjacentboxtopreventupdatingthedatabase

withthenewvaluesforthisobject.

Added:

[x]"/var/lib/tripwire/localhost.localdomain.twd"

-------------------------------------------------------------------------------

RuleName:SecurityControl(/etc/group)

SeverityLevel:100

-------------------------------------------------------------------------------

Removethe"x"fromtheadjacentboxtopreventupdatingthedatabase

withthenewvaluesforthisobject.

Modified:

[x]"/etc/group"

===============================================================================

ObjectDetail:

===============================================================================

-------------------------------------------------------------------------------

Section:UnixFileSystem

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

RuleName:TripwireDataFiles(/var/lib/tripwire)

/etc/group被发现有异动了。如果要把指纹数据库内/etc/group的资料更新为目前的状态，请保留/etc/group前方[]内的x，否则把它改为空格。

『ObjectDetail』：异动对象的详细信息，如哪些项目有异动等。===============================================================================

ObjectSummary:

===============================================================================

-------------------------------------------------------------------------------

#Section:UnixFileSystem

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

RuleName:TripwireDataFiles(/var/lib/tripwire)

SeverityLevel:100

-------------------------------------------------------------------------------

Removethe"x"fromtheadjacentboxtopreventupdatingthedatabase

withthenewvaluesforthisobject.

Added:

[x]"/var/lib/tripwire/localhost.localdomain.twd"

-------------------------------------------------------------------------------

RuleName:SecurityControl(/etc/group)

SeverityLevel:100

-------------------------------------------------------------------------------

Removethe"x"fromtheadjacentboxtopreventupdatingthedatabase

withthenewvaluesforthisobject.

Modified:[x]"/etc/group"

虽然仅仅是把x改成X，但有四个项目受到影响。其中最重要的是MD5的值。一个文件的MD5值只要跟原先的值不一样，就可以断定文件的内容已被修改过。

§tripwire每日均会自动执行检查，并寄e-mail给root告知结果。你也应定期执行『tripwire-mc--interactive』来更新指纹数据库。

转载于:https://blog.51cto.com/wlinux/1192220