我是靠谱客的博主 暴躁自行车,最近开发中收集的这篇文章主要介绍安装和配置Tripwire,觉得挺不错的,现在分享给大家,希望可以做个参考。

概述

安装和配置Tripwire

(2006-03-20 13:58:00)
转载
 分类: Linux
安装和配置Tripwire,加强你的Linux系统安全
1、为什么要安装tripwire
在安装完Linux,做好设定后,建议你马上安装tripwire这套软件,它能把文件的特征,如对象大小、拥有者、群组、存取权限等建立成指纹数据库(fingerprints),并定期执行检查。当发现文件现况与指纹数据库不符合时,tripwire会提出警告,告知你哪些项目与指纹数据库不符。
2、安装程序
说明:本文档使用的linux发行版本为RedHatLinux7.3。其他的发行版本设置类似。
1.安装套件:rpm-Uvhtripwire-版本号码.rpm
2.切换工作目录到/etc/tripwire,其中有两个配置文件:
§twcfg.txt:可用来设定tripwire的工作环境,可依照你的习惯来调整,
§twpol.txt:指定tripwire对哪些文件的哪些项目进行监控。
3.预设的twcfg.txt其中
ROOT=/usr/sbin
POLFILE=/etc/tripwire/tw.pol
DBFILE=/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE=/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE=/etc/tripwire/site.key
LOCALKEYFILE=/etc/tripwire/$(HOSTNAME)-local.key
EDITOR=/bin/vi
LATEPROMPTING=false
LOOSEDIRECTORYCHECKING=false
MAILNOVIOLATIONS=true
EMAILREPORTLEVEL=3
REPORTLEVEL=3
MAILMETHOD=SENDMAIL
SYSLOGREPORTING=false
MAILPROGRAM=/usr/sbin/sendmail-oi-t
§DBFILE为指纹数据库之文件名。
§REPORTFILE为检测报告档之档名。
4.再来看看twpol.txt,我们可以设定它来指定tripwire对哪些文件的哪些项目进行监控。tripwire可监控的项目可在twpolicy的manpage中,『propertymasks』一节内找到,如下所示:
-Ignorethefollowingproperties
+Recordandcheckthefollowingproperties
aAccesstimestamp
bNumberofblocksallocated
cInodetimestamp(create/modify)
dIDofdeviceonwhichinoderesides
gFileowner'sgroupID
iInodenumber
lFileisincreasinginsize(a"growingfile")
mModificationtimestamp
nNumberoflinks(inodereferencecount)
pPermissionsandfilemodebits
rIDofdevicepointedtobyinode
(validonlyfordeviceobjects)
sFilesize
tFiletype
uFileowner'suserID
CCRC-32hashvalue
HHavalhashvalue
MMD5hashvalue
SSHAhashvalue
其中『+』与『-』容后说明。
5.如何要求tripwire监控某些文件呢?RedHat所附的twpol.txt已把重要的配置文件与程序行入监控的范围,你可以找到如附图内的这一段:(
rulename="SecurityControl",
severity=$(SIG_HI)
)
{
/etc/group->$(SEC_CRIT);
/etc/security->$(SEC_CRIT);
}
这一段把/etc/group以及/etc/security这两个对象纳入『SecurityControl』这一组,警戒程度为由SIG_HI这个变量定义,值为100(稍后会介绍)。而tripwire会监控/etc/group及/etc/security的哪些项目呢?则由SEC_CRIT这个变量来定义。
6.从twpol.txt的前端往后浏览,可以找到如附图的这一段:
@@sectionFS
SEC_CRIT=$(IgnoreNone)-SHa;#Criticalfilesthatcannotchange
SEC_SUID=$(IgnoreNone)-SHa;#BinarieswiththeSUIDorSGIDflagsset
SEC_BIN=$(ReadOnly);#Binariesthatshouldnotchange
SEC_CONFIG=$(Dynamic);#Configfilesthatarechangedinfrequentlybutaccessedoften
SEC_LOG=$(Growing);#Filesthatgrow,butthatshouldneverchangeownership
SEC_INVARIANT=+tpug;#Directoriesthatshouldneverchangepermissionorownership
SIG_LOW=33;#Non-criticalfilesthatareofminimalsecurityimpact
SIG_MED=66;#Non-criticalfilesthatareofsignificantsecurityimpact
SIG_HI=100;#Criticalfilesthataresignificantpointsofvulnerability
你可以发现SIG_HI的值就如上一点所提的,为100。而tripwire会监控/etc/group的哪些项目是由SEC_CRIT所定义;在此处你发现SEC_CRIT等于『$(IgnoreNone)-SHa』,究竟是哪些项目?
要解开这个谜,必须先找出IgnoreNone的变量究竟定义为何。但找遍twpol.txt还是解不开,原来IgnoreNone跟下面的ReadOnly,Dynamic,Growing等均为tripwire预先定义好的变量,在twpolicy的manpage中『Variables』一节内可以找到如附图的内容:
ReadOnlyReadOnlyisgoodforfilesthatarewidelyavailablebutareintendedtoberead-only.Value:+pinugtsdbmCM-rlacSH
DynamicDynamicisgoodformonitoringuserdirec-toriesandfilesthattendtobedynamicinbehavior.value:+pinugtd-srlbamcCMSH
GrowingTheGrowingvariableisintendedforfilesthatshouldonlygetlarger.Value:+pinugtdl-srbamcCMSH
DeviceDeviceisgoodfordevicesorotherfilesthatTripwireshouldnotattempttoopen.Value:+pugsdr-intlbamcCMSH
IgnoreAllIgnoreAlltracksafile'spresenceorabsence,butdoesn'tcheckanyotherprop-erties.Value:-pinugtsdrlbamcCMSH
IgnoreNoneIgnoreNoneturnsonallpropertiesandpro-videsaconvenientstartingpointfordefiningyourownpropertymasks.(Forexample,mymask=$(IgnoreNone)-ar;)Value:+pinugtsdrbamcCMSH-l
从上面得知『IgnoreNone』的值为『+pinugtsdrbamcCMSH-l』,其中『+』后所列的是要监控的项目,而『-』后所列的则为不监控的项目。那么『$(IgnoreNone)-SHa』呢?就是把IgnoreNone内原本列入监控的SHa项目改列为不监控。
你可以按照需求来修改这个文件。。
7.接着在在/etc/tripwire内执行./twinstall.sh。执行过程中会要求你设定两个密码(passphrase):
§sitepassphrase:加密twpol.txt及twcfg.txt时用。
§localpassphrase:加密指纹数据库时用。
之后会再要你输入正确的sitepassphrase,此时会对twpol.txt及twcfg.txt分别进行加密处理,由原始文本文件产生tw.pol及tw.cfg。过程如附图所示:[root@localhosttripwire]#./twinstall.sh

----------------------------------------------
TheTripwiresiteandlocalpassphrasesareusedto
signavarietyoffiles,suchastheconfiguration,
policy,anddatabasefiles.

Passphrasesshouldbeatleast8charactersinlength
andcontainbothlettersandnumbers.

SeetheTripwiremanualformoreinformation.

----------------------------------------------
Creatingkeyfiles...

(Whenselectingapassphrase,keepinmindthatgoodpassphrasestypically
haveupperandlowercaseletters,digitsandpunctuationmarks,andare
atleast8charactersinlength.)
Enterthesitekeyfilepassphrase:
Verifythesitekeyfilepassphrase:
Generatingkey(thismaytakeseveralminutes)...Keygenerationcomplete.
(Whenselectingapassphrase,keepinmindthatgoodpassphrasestypically
haveupperandlowercaseletters,digitsandpunctuationmarks,andare
atleast8charactersinlength.)

Enterthelocalkeyfilepassphrase:
Verifythelocalkeyfilepassphrase:
Generatingkey(thismaytakeseveralminutes)...Keygenerationcomplete.

----------------------------------------------
Signingconfigurationfile...
Pleaseenteryoursitepassphrase:
Wroteconfigurationfile:/etc/tripwire/tw.cfg

Aclear-textversionoftheTripwireconfigurationfile
/etc/tripwire/twcfg.txt
hasbeenpreservedforyourinspection.Itisrecommended
thatyoudeletethisfilemanuallyafteryouhaveexaminedit.
 
----------------------------------------------
Signingpolicyfile...
Pleaseenteryoursitepassphrase:
Wrotepolicyfile:/etc/tripwire/tw.pol

Aclear-textversionoftheTripwirepolicyfile
/etc/tripwire/twpol.txt
hasbeenpreservedforyourinspection.Thisimplements
aminimalpolicy,intendedonlytotestessential
Tripwirefunctionality.Youshouldeditthepolicyfile
todescribeyoursystem,andthenusetwadmintogenerate
anewsignedcopyoftheTripwirepolicy.

Youhavenewmailin/var/spool/mail/root
在twinstall.sh执行完毕后,建议把twpol.txt及twcfg.txt这两个文本文件删除或移至别处。
8.执行tripwire-mi来建立指纹数据库,它会要求你输入localpassphase。
[root@localhosttripwire]#tripwire-mi
Pleaseenteryourlocalpassphrase:
Parsingpolicyfile:/etc/tripwire/tw.pol
Generatingthedatabase...
***ProcessingUnixFileSystem***
###Warning:Filesystemerror.
###Filename:/proc/scsi
###Nosuchfileordirectory
###Continuing...
###Warning:Filesystemerror.
###Filename:/usr/sbin/fixrmtab
###Nosuchfileordirectory
###Continuing...
Wrotedatabasefile:/var/lib/tripwire/localhost.localdomain.twd
Thedatabasewassuccessfullygenerated.
Youhavenewmailin/var/spool/mail/root
9.或许你怀疑tripwire真的能侦测出文件最细微的改变吗?以下来做个实验,我们把/etc/group中第一行第二个字段的『x』改成『X』:
[root@localhosttripwire]#head–1/etc/group
root:x:0:root
[root@localhosttripwire]#vi/etc/group
[root@localhosttripwire]#head–1/etc/group
root:X:0:root
10.接下来执行『tripwire-mc--interactive』进行检查,最后出现报告清单(内定使用vi),有:
§『RuleSummary』:列出所有组别的检查结果。
===============================================================================
RuleSummary:
===============================================================================

-------------------------------------------------------------------------------
Section:UnixFileSystem
-------------------------------------------------------------------------------

RuleNameSeverityLevelAddedRemovedModified
-------------------------------------------
InvariantDirectories66000
Temporarydirectories33000
*TripwireDataFiles100100
Criticaldevices100000
Userbinaries66000
TripwireBinaries100000
Criticalconfigurationfiles100000
Libraries66000
OperatingSystemUtilities100000
Criticalsystembootfiles100000
FileSystemandDiskAdministratonPrograms
100000
KernelAdministrationPrograms100000
NetworkingPrograms100000
SystemAdministrationPrograms100000
HardwareandDeviceControlPrograms
100000
SystemInformationPrograms100000
ApplicationInformationPrograms
100000
ShellRelatedPrograms100000
CriticalUtilitySym-Links100000
ShellBinaries100000
Systembootchanges100000
OSexecutablesandlibraries100000
*SecurityControl100001
LoginScripts100000
Rootconfigfiles100000
Totalobjectsscanned:15675
Totalviolationsfound:2
有两组有异动,一为tripwire的资料文件(新增),另一为『SystemControl』这一组(/etc/group属于这一组!)。
『ObjectSummary』:列出有异动的对象清单。
===============================================================================
ObjectSummary:
===============================================================================
-------------------------------------------------------------------------------
#Section:UnixFileSystem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
RuleName:TripwireDataFiles(/var/lib/tripwire)
SeverityLevel:100
-------------------------------------------------------------------------------
Removethe"x"fromtheadjacentboxtopreventupdatingthedatabase
withthenewvaluesforthisobject.
Added:
[x]"/var/lib/tripwire/localhost.localdomain.twd"

-------------------------------------------------------------------------------
RuleName:SecurityControl(/etc/group)
SeverityLevel:100
-------------------------------------------------------------------------------
Removethe"x"fromtheadjacentboxtopreventupdatingthedatabase
withthenewvaluesforthisobject.

Modified:
[x]"/etc/group"

===============================================================================
ObjectDetail:
===============================================================================
-------------------------------------------------------------------------------
Section:UnixFileSystem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
RuleName:TripwireDataFiles(/var/lib/tripwire)
/etc/group被发现有异动了。如果要把指纹数据库内/etc/group的资料更新为目前的状态,请保留/etc/group前方[]内的x,否则把它改为空格。
『ObjectDetail』:异动对象的详细信息,如哪些项目有异动等。===============================================================================
ObjectSummary:
===============================================================================
-------------------------------------------------------------------------------
#Section:UnixFileSystem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
RuleName:TripwireDataFiles(/var/lib/tripwire)
SeverityLevel:100
-------------------------------------------------------------------------------
Removethe"x"fromtheadjacentboxtopreventupdatingthedatabase
withthenewvaluesforthisobject.

Added:
[x]"/var/lib/tripwire/localhost.localdomain.twd"
-------------------------------------------------------------------------------
RuleName:SecurityControl(/etc/group)
SeverityLevel:100
-------------------------------------------------------------------------------
Removethe"x"fromtheadjacentboxtopreventupdatingthedatabase
withthenewvaluesforthisobject.

Modified:[x]"/etc/group"
虽然仅仅是把x改成X,但有四个项目受到影响。其中最重要的是MD5的值。一个文件的MD5值只要跟原先的值不一样,就可以断定文件的内容已被修改过。
§tripwire每日均会自动执行检查,并寄e-mail给root告知结果。你也应定期执行『tripwire-mc--interactive』来更新指纹数据库。

转载于:https://blog.51cto.com/wlinux/1192220

最后

以上就是暴躁自行车为你收集整理的安装和配置Tripwire的全部内容,希望文章能够帮你解决安装和配置Tripwire所遇到的程序开发问题。

如果觉得靠谱客网站的内容还不错,欢迎将靠谱客网站推荐给程序员好友。

本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。
点赞(34)

评论列表共有 0 条评论

立即
投稿
返回
顶部