

Installing Tripwire to check file integrity

When a server is compromised, in most cases the attacker will modify system files and other important files. To deal with this we use Tripwire to build a data-integrity monitoring system. Although it cannot prevent an attack or the modification of important files, it can detect whether files have been modified and which ones, so that after an attack we can plan a targeted response.

Tripwire works as follows: after it is installed and configured, the current state of the system's data is recorded in a database. As files are added, deleted and modified, the current state of the system is compared against this database (which is updated as needed) to determine which files have been added, deleted or modified. Because the initial database is only built after Tripwire itself is installed and configured, the integrity monitoring system must be set up before the server goes live, that is, right after the operating system is installed.

AIDE is a similar tool to Tripwire.

1. How it works
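The baseline-and-compare principle described above, as an added illustration (not Tripwire's own code): a baseline database of per-file properties is built once, and a later check compares the live tree against it and reports Added, Removed and Modified objects together with the properties that changed, in the same spirit as the Tripwire report shown later. The property names, the sample tree and the tampering scenario in demo() are all constructed for this example.

```python
import hashlib, os, tempfile, zlib

PROPS = ("Size", "Modify Time", "CRC32", "MD5")  # per-object properties kept in the baseline

def file_props(path):
    """Record the properties of one regular file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    return {"Size": st.st_size, "Modify Time": int(st.st_mtime),
            "CRC32": zlib.crc32(data) & 0xFFFFFFFF,
            "MD5": hashlib.md5(data).hexdigest()}

def build_database(root):
    """Snapshot every regular file below root (what tripwire --init does)."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_props(full)
    return db

def integrity_check(root, db):
    """Compare the live tree with the baseline (what tripwire --check does)."""
    now = build_database(root)
    added = sorted(set(now) - set(db))
    removed = sorted(set(db) - set(now))
    modified = {}
    for rel in sorted(set(db) & set(now)):
        changed = [p for p in PROPS if db[rel][p] != now[rel][p]]
        if changed:
            modified[rel] = changed  # which properties differ, as in the report
    return {"Added": added, "Removed": removed, "Modified": modified}

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    root = tempfile.mkdtemp()
    for rel, body in (("sbin/tripwire", b"binary"), ("etc/tw.pol", b"policy")):
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
    baseline = build_database(root)                 # taken on the clean system
    with open(os.path.join(root, "etc/tw.pol"), "wb") as f:
        f.write(b"policy-edited")                   # Size, CRC32 and MD5 change
    with open(os.path.join(root, "etc/new.conf"), "wb") as f:
        f.write(b"x")                               # a new object appears
    os.remove(os.path.join(root, "sbin/tripwire"))  # an object disappears
    return integrity_check(root, baseline)
```

Because the baseline is the reference for every later check, it is only meaningful if it was taken on a clean system, which is why the text insists on running the initialisation before the server goes live.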

2. Download tripwire

Tripwire's download page on SourceForge:

wget -O tripwire-2.4.1.2-src.tar.bz2 http://sourceforge.net/projects/tripwire/files/tripwire-src/tripwire-2.4.1.2-src/tripwire-2.4.1.2-src.tar.bz2/download
tar jxvf tripwire-2.4.1.2-src.tar.bz2
cd tripwire-2.4.1.2-src

3. Install tripwire

./configure --prefix=/usr/local/tripwire
make
make install

The installer then prompts for the license agreement and the key passphrases:

license agreement. [do not accept] accept
Continue with installation? [y/n] y
Enter the site keyfile passphrase: c1gstudio
Verify the site keyfile passphrase: c1gstudio
Enter the local keyfile passphrase: abcdefgh
Verify the local keyfile passphrase: abcdefgh
Please enter your site passphrase: c1gstudio
Please enter your site passphrase: c1gstudio

4. Configure tripwire

Edit twpol.txt to control which directories are checked; I have omitted many directories here.

vi /usr/local/tripwire/etc/twpol.txt

#Global Configuration Files
#comment out the following directory
#/etc/mail/statistics -> $(Growing) ;
#OS Boot Files and Mount Points
#comment out the following directories
#/cdrom -> $(Dynamic) ;
#/floppy -> $(Dynamic) ;
#/mnt -> $(Dynamic) ;
#OS Devices and Misc Directories
#do not check the following directories
#/opt -> $(Dynamic) ;
#/lost+found -> $(Dynamic) ;
#/var/lost+found -> $(Dynamic) ;
#/home/lost+found -> $(Dynamic) ;
#OS Binaries and Libraries
#do not check the following directories
#/lib -> $(ReadOnly) ;
#/usr/lib -> $(ReadOnly) ;
#/usr/libexec -> $(ReadOnly) ;
#/usr/X11R6/lib -> $(ReadOnly) ;
#User Binaries and Libraries
#keep only the following three
/usr/local/bin -> $(ReadOnly) ;
/usr/local/etc -> $(ReadOnly) ;
/usr/local/sbin -> $(ReadOnly) ;
#Temporary Directories
#disable all of these directories
#/usr/tmp -> $(Temporary) ;
#/var/tmp -> $(Temporary) ;
#/tmp -> $(Temporary) ;
#Monitor Filesystems
#disable all of these directories
#/ -> $(ReadOnly) ;
#/home -> $(ReadOnly) ;
# Modify as needed
#/usr -> $(ReadOnly) ;
#/var -> $(ReadOnly) ;
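After commenting out this many rules it is easy to lose track of what is still being monitored. The following parser, added here as an example and not part of Tripwire, reads the bare `path -> $(Mask) ;` rule form used in the fragment above plus the `@@section GLOBAL` variable assignments that `twadmin --print-polfile` shows in section 10, expands `$(NAME)` references in paths, and lists which rules are active and which are commented out. The full twpol.txt grammar (rule blocks with attributes, property-mask arithmetic) is not handled; the sample policy is constructed, and the `$(TWPOL)/tw.pol` rule is added only to exercise variable expansion.

```python
import re

# Constructed sample: the section-4 fragment (abridged) plus the GLOBAL header
# shown by twadmin --print-polfile, with one extra rule that uses $(TWPOL).
SAMPLE_POLICY = """
@@section GLOBAL
TWPOL="/usr/local/tripwire/etc";
TWDB="/usr/local/tripwire/lib/tripwire";
HOSTNAME=local.c1gstudio.com;
@@section FS
#Global Configuration Files
#/etc/mail/statistics -> $(Growing) ;
#User Binaries and Libraries
/usr/local/bin  -> $(ReadOnly) ;
/usr/local/etc  -> $(ReadOnly) ;
/usr/local/sbin -> $(ReadOnly) ;
#Temporary Directories
#/tmp -> $(Temporary) ;
$(TWPOL)/tw.pol -> $(ReadOnly) ;
"""

RULE = re.compile(r"^(\S+)\s*->\s*\$\((\w+)\)\s*;$")
ASSIGN = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"?([^";]*?)"?\s*;$')

def parse_policy(text):
    """Return (variables, rules); rules are (path, mask, active) triples.
    A commented-out rule is kept with active=False so the caller can see
    what the administrator disabled; plain comment text is ignored."""
    variables, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("@@"):
            continue  # blank line or @@section marker
        active = not line.startswith("#")
        body = line.lstrip("#").strip()
        m = RULE.match(body)
        if m:
            # expand $(NAME) in the path using the GLOBAL variables seen so far
            path = re.sub(r"\$\((\w+)\)",
                          lambda v: variables.get(v.group(1), v.group(0)), m.group(1))
            rules.append((path, m.group(2), active))
        else:
            m = ASSIGN.match(body)
            if m and active:
                variables[m.group(1)] = m.group(2)
    return variables, rules

def monitored_paths(text):
    """Paths an uncommented rule actually covers, mapped to their mask."""
    return {path: mask for path, mask, on in parse_policy(text)[1] if on}
```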

5. Initialize the database

/usr/local/tripwire/sbin/tripwire --init

6. Update the database

After changing twpol.txt you need to run this command to update the policy and the database:

cd /usr/local/tripwire
./sbin/tripwire --update-policy --secure-mode low ./etc/twpol.txt

Please enter your local passphrase: abcdefgh
Please enter your site passphrase: c1gstudio
======== Policy Update: Processing section Unix File System.
======== Step 1: Gathering information for the new policy.
The object: "/etc/rhgb/temp" is on a different file system...ignoring.
### Warning: Policy Update Changed Object.
### An object has been changed since the database was last updated.
### Object name: Conflicting properties for object
### /usr/local/tripwire/etc/tw.pol
### > Modify Time
### > CRC32
### > MD5
### Continuing...
### Warning: Policy Update Changed Object.
### An object has been changed since the database was last updated.
### Object name: Conflicting properties for object /etc/cups/certs
### > Modify Time
### > Change Time
### Continuing...
### Warning: Policy Update Changed Object.
### An object has been changed since the database was last updated.
### Object name: Conflicting properties for object /etc/cups/certs/0
### > Modify Time
### > Change Time
### > CRC32
### > MD5
### Continuing...
======== Step 2: Updating the database with new objects.
======== Step 3: Pruning unneeded objects from the database.
Wrote policy file: /usr/local/tripwire/etc/tw.pol
Wrote database file: /usr/local/tripwire/lib/tripwire/local.c1gstudio.com.twd

7. Check for file changes

Once tripwire is installed you can periodically check whether files have changed. Adding --interactive displays the results immediately and lets you choose which changes to accept into the database:

./sbin/tripwire --check --interactive

Parsing policy file: /usr/local/tripwire/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
The object: "/etc/rhgb/temp" is on a different file system...ignoring.
Wrote report file: /usr/local/tripwire/lib/tripwire/report/local.c1gstudio.com-20090807-112337.twr

Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            2009年08月07日 星期五 11时23分37秒
Database last updated on:     2009年08月07日 星期五 11时09分27秒

===============================================================================
Report Summary:
===============================================================================

Host name:                    local.c1gstudio.com
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /usr/local/tripwire/etc/tw.pol
Configuration file used:      /usr/local/tripwire/etc/tw.cfg
Database file used:           /usr/local/tripwire/lib/tripwire/local.c1gstudio.com.twd
Command line used:            ./sbin/tripwire --check --interactive

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Tripwire Data Files             0                 0        0        1
  Tripwire Binaries               0                 0        0        0
  User Binaries and Libraries     0                 0        0        0
  OS Binaries and Libraries       0                 0        0        0
* Global Configuration Files      0                 0        0        2
  System Boot Changes             0                 0        0        0
  RPM Checksum Files              0                 0        0        0
  OS Boot Files and Mount Points  0                 0        0        0
  (/boot)
  OS Devices and Misc Directories 0                 0        0        0
  Root Directory and Files        0                 0        0        0

Total objects scanned:  64406
Total violations found:  3

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/usr/local/tripwire/etc/tw.pol)
Severity Level: 0
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Modified:
[x] "/usr/local/tripwire/etc/tw.pol"

-------------------------------------------------------------------------------
Rule Name: Global Configuration Files (/etc)
Severity Level: 0
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Modified:
[x] "/etc/cups/certs"
[x] "/etc/cups/certs/0"

===============================================================================
Object Detail:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/usr/local/tripwire/etc/tw.pol)
Severity Level: 0
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------

Modified object name:  /usr/local/tripwire/etc/tw.pol

  Property:            Expected                            Observed
  -------------        -----------                         -----------
  Object Type          Regular File                        Regular File
  Device Number        64768                               64768
  Mode                 -rw-r-----                          -rw-r-----
  Num Links            1                                   1
  UID                  root (0)                            root (0)
  GID                  root (0)                            root (0)
  Size                 4159                                4159
* Modify Time          2009年08月07日 星期五 11时05分06秒   2009年08月07日 星期五 11时16分18秒
  Blocks               24                                  24
* CRC32                BbMp+k                              CasvDM
* MD5                  AedDw/7U0K3jGZeAQ+TluE              BqtFj3lGlb5i44+KkjyB9u

-------------------------------------------------------------------------------
Rule Name: Global Configuration Files (/etc)
Severity Level: 0
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 2
----------------------------------------

Modified object name:  /etc/cups/certs

  Property:            Expected                            Observed
  -------------        -----------                         -----------
  Object Type          Directory                           Directory
  Device Number        64768                               64768
  File Device Number   0                                   0
  Inode Number         1557621                             1557621
  Mode                 drwx--x--x                          drwx--x--x
  Num Links            2                                   2
  UID                  root (0)                            root (0)
  GID                  sys (3)                             sys (3)
  Size                 4096                                4096
* Modify Time          2009年08月07日 星期五 11时07分09秒   2009年08月07日 星期五 11时22分12秒
* Change Time          2009年08月07日 星期五 11时07分09秒   2009年08月07日 星期五 11时22分12秒
  Blocks               16                                  16

Modified object name:  /etc/cups/certs/0

  Property:            Expected                            Observed
  -------------        -----------                         -----------
  Object Type          Regular File                        Regular File
  Device Number        64768                               64768
  File Device Number   0                                   0
  Inode Number         1556488                             1556488
  Mode                 -r--r-----                          -r--r-----
  Num Links            1                                   1
  UID                  root (0)                            root (0)
  GID                  sys (3)                             sys (3)
  Size                 32                                  32
* Modify Time          2009年08月07日 星期五 11时07分09秒   2009年08月07日 星期五 11时22分12秒
* Change Time          2009年08月07日 星期五 11时07分09秒   2009年08月07日 星期五 11时22分12秒
  Blocks               16                                  16
* CRC32                Bh604c                              DClI5t
* MD5                  CYQG5hqBS+c69bcyXaK6Wl              DDovWtxN44ScT7sn/IJiZa

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.

8. View reports

All tripwire reports are saved with the .twr suffix in the lib/tripwire directory; use the twprint command to convert one to text format:

./sbin/twprint --print-report --twrfile ./lib/tripwire/report/local.c1gstudio.com-20090807-112337.twr > /tmp/tripwire_readable.txt
cat /tmp/tripwire_readable.txt

9. Periodic checks

Run the check every day at 4:00 from cron:

00 4 * * * /usr/local/tripwire/sbin/tripwire --check

10. View the current configuration

Print the active policy file:

./sbin/twadmin --print-polfile

@@section GLOBAL
TWDOCS="/usr/local/tripwire/doc/tripwire";
TWBIN="/usr/local/tripwire/sbin";
TWPOL="/usr/local/tripwire/etc";
TWDB="/usr/local/tripwire/lib/tripwire";
TWSKEY="/usr/local/tripwire/etc";
TWLKEY="/usr/local/tripwire/etc";
TWREPORT="/usr/local/tripwire/lib/tripwire/report";
HOSTNAME=local.c1gstudio.com;

Print the active configuration file:

./sbin/twadmin --print-cfgfile

ROOT                   =/usr/local/tripwire/sbin
POLFILE                =/usr/local/tripwire/etc/tw.pol
DBFILE                 =/usr/local/tripwire/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/usr/local/tripwire/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/usr/local/tripwire/etc/site.key
LOCALKEYFILE           =/usr/local/tripwire/etc/local.c1gstudio.com-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t

References: Tripwire Tutorial: Linux Host Based Intrusion Detection System; Tripwire-2.4.1.2 tutorial

Posted in Security, Technology.


