Linux integrity monitoring tool Tripwire    Author: smz0102
Tripwire is the best-known file-system integrity checker for Unix. Its core technique is simple: for every file under watch it records a fingerprint (cryptographic hashes of the content together with selected inode attributes such as permissions, owner, size and timestamps) in a signed database. If the fingerprint computed now differs from the stored one, the file has been changed.
Tools like Tripwire and AIDE help you notice an intruder's changes in time by checking system integrity. Unlike other intrusion-detection tools, they do not look for known attack signatures; they watch for changes to the system. That is very useful for protecting important systems.
Reminder: this is a checking tool. It can only point out modified files if a fingerprint database was built beforehand, so that the current state can be compared against it. If you suspect a file has been tampered with and never took that step, there is nothing to compare against. Two practical consequences: build the baseline on a machine you know to be clean (ideally right after installation, before it is exposed), and keep the database, the signed policy and the tripwire binary itself where an attacker who becomes root cannot quietly replace them, for example a copy on read-only or offline media, since root can otherwise rebuild the database and hide the changes.
Below is a summary of how to install and use it.
The current release on sourceforge is 2.4.1.2.
wget http://kent.dl.sourceforge.net/s ... 2.4.1.2-src.tar.bz2
bunzip2 tripwire-2.4.1.2-src.tar.bz2
tar -xvf tripwire-2.4.1.2-src.tar
cd tripwire-2.4.1.2-src
./configure
make
make install
During make install you are asked for the site (global) and local passphrases; remember them. The site key signs the configuration and policy files, the local key signs the database and the reports. After installation the configuration files live in /usr/local/etc.
cd /usr/local/etc/
vi twpol.txt
Edit the policy file: drop the rules for directories and files you do not need to monitor and add the directories you do want watched, such as the web root. (twcfg.txt only holds paths and options such as the report and database locations; what gets monitored is decided in twpol.txt.)
twadmin -m P twpol.txt
This compiles and signs the plain-text policy into tw.pol, asking for the site passphrase. Once tw.pol exists, keep the plain-text twpol.txt out of an intruder's reach, because it spells out exactly what is not monitored; twadmin -m p prints the signed policy back out when you need to edit it again.
tripwire -m i -v    build the fingerprint database (asks for the local passphrase)
tripwire -m c       run an integrity check
If you modify twpol.txt later, regenerate the signed policy:
twadmin -m P twpol.txt
To check only the objects covered by a single rule, name the rule (the report then lists only violations under that rule, not every file it covers):
# tripwire --check --rule-name "My funky files"
You can define your own rule for the directories to check. Add the following to twpol.txt:
(
  rulename = "web check"
)
{
  /home/web1    -> $(ReadOnly) ;
  /home/web     -> $(ReadOnly) ;
  /home/copyweb -> $(ReadOnly) ;
}
$(ReadOnly) is a built-in property mask covering permissions, ownership, inode, size, modification time and the content hashes, which is what static web content needs. Do not use $(Temporary) for this: the sample twpol.txt defines it as +pugt (permissions, uid, gid and type only), so a file rewritten in place with the same name and mode would pass unnoticed. Then recompile the policy and rebuild the database:
twadmin -m P twpol.txt
tripwire -m i -v
(tripwire -m p twpol.txt, Tripwire's policy-update mode, achieves the same without throwing away the existing baseline.)
Check the files under the web check rule:
tripwire --check --rule-name "web check"
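The property mask decides what a rule can see. The following added example (it is neither Tripwire's code nor part of the original post) reproduces the point with a tiny POSIX-shell baseline-and-compare that accepts a mask in the spirit of the policy language: p, u, g, s and S, with sha256 standing in for Tripwire's hash properties. It assumes GNU coreutils for stat -c and sha256sum; the web tree, the in-place edit and the added file are constructed in a temporary directory. With the mask pugs (roughly what $(Temporary) checks) only the new file is reported; with pugsS the rewritten file is caught as well.

```shell
#!/bin/sh
# Toy baseline-and-compare in the spirit of Tripwire's property masks.
# Added example, not Tripwire code; assumes GNU coreutils (stat -c, sha256sum) and awk.
# Mask letters follow the policy-language meaning: p permissions, u uid, g gid,
# s size, S content hash (sha256 here; Tripwire's S is SHA-1).

# prop_value LETTER FILE -> the value of that property for FILE
prop_value() {
  case $1 in
    p) stat -c '%a' "$2" ;;
    u) stat -c '%u' "$2" ;;
    g) stat -c '%g' "$2" ;;
    s) stat -c '%s' "$2" ;;
    S) sha256sum "$2" | cut -d' ' -f1 ;;
  esac
}

# snapshot DIR MASK -> one record per regular file: path, then the masked properties, tab-separated
snapshot() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    rec=$f
    for letter in p u g s S; do
      case $2 in
        *"$letter"*) rec=$(printf '%s\t%s' "$rec" "$(prop_value "$letter" "$f")") ;;
      esac
    done
    printf '%s\n' "$rec"
  done
}

# compare BASELINE CURRENT -> "Added|Removed|Modified <path>" per violation, like a tw report
compare() {
  awk -F'\t' '
    FILENAME == ARGV[1] { base[$1] = $0; next }
    { cur[$1] = $0 }
    END {
      for (p in base) if (!(p in cur))  print "Removed", p
      for (p in cur)  if (!(p in base)) print "Added", p
      for (p in cur)  if ((p in base) && base[p] != cur[p]) print "Modified", p
    }' "$1" "$2" | LC_ALL=C sort
}

# demo MASK -> the violations found with MASK in a constructed scenario:
# baseline two web files, then rewrite one in place (same size, mode, owner) and add one.
demo() {
  work=$(mktemp -d)
  (
    cd "$work" || exit 1
    mkdir web
    printf 'index\n' > web/index.html
    printf 'hello\n' > web/2.txt
    snapshot web "$1" > baseline.db
    printf 'HELLO\n' > web/2.txt          # content edit, size unchanged (constructed)
    printf 'added\n' > web/sdd.txt        # new file (constructed)
    snapshot web "$1" > current.db
    compare baseline.db current.db
  )
  rm -rf "$work"
}

# demo pugs  -> only "Added web/sdd.txt": the edit to 2.txt is invisible without a hash
# demo pugsS -> "Added web/sdd.txt" and "Modified web/2.txt"
```

The same reasoning applies to any mask you write yourself: a rule that omits the hash letters can only confirm that files appeared, vanished or changed ownership, never that their content is what you deployed.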
A check can also be limited to specific files or directories:
tripwire -m c /bin/cp /etc
Once everything is in place, run tripwire -m c whenever you want an integrity check. After reviewing a report, accept the changes you made yourself through Tripwire's update mode (tripwire -m u with -r and the path of the report file), otherwise the same violations show up in every later run; changes you did not make are the ones you are looking for.
Test:
Add /home/web/sdd.txt
Modify /home/web/2.txt
(In this run /home/web is covered by a rule named Monitor Filesystems. Note how a full check also reports noise unrelated to the test, such as /root/.viminfo and the ssh-agent socket under /tmp; this is why the cron script further down restricts itself to one rule with --rule-name.)
[root@zr-20 etc]# tripwire -m c
Parsing policy file: /usr/local/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /usr/local/lib/tripwire/report/zr-20-20090820-171207.twr
Open Source Tripwire(R) 2.4.1 Integrity Check Report
Report generated by: root
Report created on: Thu 20 Aug 2009 05:12:07 PM CST
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: zr-20
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /usr/local/etc/tw.pol
Configuration file used: /usr/local/etc/tw.cfg
Database file used: /usr/local/lib/tripwire/zr-20.twd
Command line used: tripwire -m c
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name                         Severity Level    Added    Removed    Modified
---------                         --------------    -----    -------    --------
Tripwire Data Files               0                 0        0          0
* User Binaries and Libraries     0                 0        0          1
Tripwire Binaries                 0                 0        0          0
OS Binaries and Libraries         0                 0        0          0
* Temporary Directories           0                 2        0          0
Global Configuration Files        0                 0        0          0
System Boot Changes               0                 0        0          0
RPM Checksum Files                0                 0        0          0
OS Boot Files and Mount Points    0                 0        0          0
OS Devices and Misc Directories   0                 0        0          0
* Root Directory and Files        0                 0        0          2
* Monitor Filesystems             0                 1        0          2
  (/home/web)
Total objects scanned: 42294
Total violations found: 8
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: User Binaries and Libraries (/usr/local/etc)
Severity Level: 0
-------------------------------------------------------------------------------
Modified:
"/usr/local/etc"
-------------------------------------------------------------------------------
Rule Name: Root Directory and Files (/root)
Severity Level: 0
-------------------------------------------------------------------------------
Modified:
"/root"
"/root/.viminfo"
-------------------------------------------------------------------------------
Rule Name: Temporary Directories (/tmp)
Severity Level: 0
-------------------------------------------------------------------------------
Added:
"/tmp/ssh-sIJQY28939"
"/tmp/ssh-sIJQY28939/agent.28939"
-------------------------------------------------------------------------------
Rule Name: Monitor Filesystems (/home/web)
Severity Level: 0
-------------------------------------------------------------------------------
Added:
"/home/web/sdd.txt"
Modified:
"/home/web"
"/home/web/2.txt"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
Here is a check script I wrote that sends mail.
It can run as a scheduled job that checks once a day and mails the list of changed files.
#!/bin/bash
# Daily check of the "web check" rule; mails the Object Summary minus media/text files.
date=$(date +%Y%m%d%H%M)
logdir=/backup/tripwirelog
mkdir -p "$logdir"
echo "Check Time: $date" > "$logdir/tmplog"
tripwire --check --rule-name "web check" > "$logdir/$date.log"
# Anchor the exclusions to the end of the quoted path: an unanchored '.txt' also drops
# every path that merely contains "txt", and silently hides the .txt edits tested above.
sed -n '/Object Summary/,/Error Report/p' "$logdir/$date.log" \
  | grep -Ev '\.(gif|jpg|txt|swf)"$' >> "$logdir/tmplog"
/home/sendEmail -f smz0102@163.com -t 137000@qq.com -u "webfile check" -s 121.14.48.194 -o message-file="$logdir/tmplog"
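Cutting the Object Summary out of the report with sed and a chain of grep -v is fragile: each unanchored pattern matches anywhere in the line, so grep -v .txt removes any path containing "txt" (and, in the test run above, both files that were actually changed), and the result is unstructured text. The added example below, which is not part of the original post or of Tripwire, parses the Object Summary of a 2.4 report into rule, kind and path records with awk and applies one exclusion regex that the caller anchors. The sample report is constructed from the output shown above with one extra constructed path, /home/web/images/new.jpg, to exercise the filter; tw_violations, tw_violation_count and sample_report are names this example introduces.

```shell
#!/bin/sh
# Extract the violations from an Open Source Tripwire 2.4 report (output of tripwire -m c).
# Added example; not part of the original post or of Tripwire. Needs only POSIX sh and awk.

# tw_violations REPORT [EXCLUDE_REGEX]
# Prints one line per object in the "Object Summary" section: rule<TAB>kind<TAB>path,
# where kind is Added, Removed or Modified. EXCLUDE_REGEX (an awk ERE) is matched against
# the whole path; anchor it yourself, e.g. '\.(gif|jpg|swf)$', or it will hide too much.
tw_violations() {
  TW_EXCLUDE="${2:-}" awk '
    BEGIN { exclude = ENVIRON["TW_EXCLUDE"] }
    /^Object Summary:/ { insum = 1; next }
    /^Error Report:/   { insum = 0 }
    !insum { next }
    /^Rule Name: / { rule = $0; sub(/^Rule Name: /, "", rule); sub(/ \([^)]*\)$/, "", rule); next }
    /^(Added|Removed|Modified):$/ { kind = substr($1, 1, length($1) - 1); next }
    /^[ \t]*"/ {
      path = $0; sub(/^[ \t]*"/, "", path); sub(/"[ \t]*$/, "", path)
      if (exclude != "" && path ~ exclude) next
      print rule "\t" kind "\t" path
    }' "$1"
}

# tw_violation_count REPORT [EXCLUDE_REGEX] -> prints how many objects remain after filtering
tw_violation_count() {
  tw_violations "$1" "${2:-}" | grep -c .
}

# Constructed sample: the Object Summary of the report shown in the post, cut down to
# the parts that matter here, plus one constructed added path (/home/web/images/new.jpg).
sample_report() {
  cat <<'EOF'
Open Source Tripwire(R) 2.4.1 Integrity Check Report
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
Rule Name: User Binaries and Libraries (/usr/local/etc)
Severity Level: 0
-------------------------------------------------------------------------------
Modified:
"/usr/local/etc"
-------------------------------------------------------------------------------
Rule Name: Temporary Directories (/tmp)
Severity Level: 0
-------------------------------------------------------------------------------
Added:
"/tmp/ssh-sIJQY28939"
"/tmp/ssh-sIJQY28939/agent.28939"
-------------------------------------------------------------------------------
Rule Name: Monitor Filesystems (/home/web)
Severity Level: 0
-------------------------------------------------------------------------------
Added:
"/home/web/sdd.txt"
"/home/web/images/new.jpg"
Modified:
"/home/web"
"/home/web/2.txt"
===============================================================================
Error Report:
===============================================================================
No Errors
EOF
}
```

In a cron job you would call tw_violations on the report file that tripwire -m c just wrote, mail its output, and treat a non-zero tw_violation_count as the signal to look at the box; on the sample, the unfiltered count is 7, the anchored media filter leaves 6, and excluding '\.txt$' drops exactly the two web files changed in the test.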
Reposted from: https://blog.51cto.com/liweizhong/882539