

Installing Tripwire to check file integrity

When a server is compromised, in most cases the attacker will modify system files and other important files. To deal with this we use Tripwire to build a data-integrity monitoring system. It cannot stop an intrusion or prevent important files from being modified, but it can detect whether files have been modified and which ones, so that after an attack a targeted response can be planned.

Tripwire works like this: once it is installed and configured, the current state of the system is recorded in a database; as files are added, deleted and modified, the current state of the system is compared against the (continually updated) database to determine which files have been added, deleted or modified. Precisely because the initial database is built after Tripwire itself has been installed and configured, the integrity monitoring system must be set up before the server goes into service, that is, right after the operating system has been installed.

AIDE is a similar tool to Tripwire.

1. How it works
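The principle described in the introduction (record a database of the current state, then compare the live system against it), shown as an added example that is not code from the original post or from Tripwire itself: a toy baseline/compare in POSIX shell using sha256sum over a constructed temporary directory.

```shell
# Added example, not code from the original post: the Tripwire principle
# (a baseline database of the current state, later compared with the live
# tree) in plain POSIX shell. Tripwire also records mode, owner, inode and
# timestamps per object; this toy keeps only a SHA-256 per file and assumes
# paths without whitespace.
set -eu

# make_baseline DIR DBFILE: one "hash  ./path" line per regular file.
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# check_baseline DIR DBFILE: print "Added|Modified|Removed ./path" lines
# (the three columns of Tripwire's Rule Summary); prints nothing when the
# tree still matches the baseline.
check_baseline() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }     # baseline rows
         {
             seen[$2] = 1
             if (!($2 in base))       print "Added", $2
             else if (base[$2] != $1) print "Modified", $2
         }
         END { for (f in base) if (!(f in seen)) print "Removed", f }' \
        "$2" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# demo: constructed tree; take a baseline, then tamper, delete and add.
demo() {
    d=$(mktemp -d); db=$(mktemp)
    printf 'one\n' > "$d/a"; printf 'two\n' > "$d/b"; printf 'three\n' > "$d/c"
    make_baseline "$d" "$db"
    printf 'tampered\n' > "$d/b"; rm "$d/c"; printf 'new\n' > "$d/d"
    check_baseline "$d" "$db"
    rm -rf "$d" "$db"
}
demo
```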

2. Downloading Tripwire

Tripwire's download location on SourceForge:

wget http://sourceforge.net/projects/tripwire/files/tripwire-src/tripwire-2.4.1.2-src/tripwire-2.4.1.2-src.tar.bz2/download
tar jxvf tripwire-2.4.1.2-src.tar.bz2
cd tripwire-2.4.1.2-src

3. Installing Tripwire

./configure --prefix=/usr/local/tripwire
make
make install

license agreement. [do not accept] accept
Continue with installation? [y/n] y
Enter the site keyfile passphrase:c1gstudio
Verify the site keyfile passphrase:c1gstudio
Enter the local keyfile passphrase:abcdefgh
Verify the local keyfile passphrase:abcdefgh
Please enter your site passphrase: c1gstudio
Please enter your site passphrase: c1gstudio

4. Configuring Tripwire
Edit twpol.txt to control which directories are checked; I have left out many directories here.
vi /usr/local/tripwire/etc/twpol.txt

#Global Configuration Files
# comment out the following entry
#/etc/mail/statistics -> $(Growing) ;

#OS Boot Files and Mount Points
# comment out the following directories
#/cdrom -> $(Dynamic) ;
#/floppy -> $(Dynamic) ;
#/mnt -> $(Dynamic) ;

#OS Devices and Misc Directories
# do not check the following directories
#/opt -> $(Dynamic) ;
#/lost+found -> $(Dynamic) ;
#/var/lost+found -> $(Dynamic) ;
#/home/lost+found -> $(Dynamic) ;

#OS Binaries and Libraries
# do not check the following directories
#/lib -> $(ReadOnly) ;
#/usr/lib -> $(ReadOnly) ;
#/usr/libexec -> $(ReadOnly) ;
#/usr/X11R6/lib -> $(ReadOnly) ;

#User Binaries and Libraries
# keep only these three
/usr/local/bin -> $(ReadOnly) ;
/usr/local/etc -> $(ReadOnly) ;
/usr/local/sbin -> $(ReadOnly) ;

#Temporary Directories
# disable all of these directories
#/usr/tmp -> $(Temporary) ;
#/var/tmp -> $(Temporary) ;
#/tmp -> $(Temporary) ;

#Monitor Filesystems
# disable all of these directories
#/ -> $(ReadOnly) ;
#/home -> $(ReadOnly) ; # Modify as needed
#/usr -> $(ReadOnly) ;
#/var -> $(ReadOnly) ;

5. Initializing the database
/usr/local/tripwire/sbin/tripwire --init

6. Updating the database
After you have changed twpol.txt, the database must be updated with this command:
cd /usr/local/tripwire
./sbin/tripwire --update-policy --secure-mode low ./etc/twpol.txt

Please enter your local passphrase: abcdefgh
Please enter your site passphrase: c1gstudio
======== Policy Update: Processing section Unix File System.
======== Step 1: Gathering information for the new policy.
The object: "/etc/rhgb/temp" is on a different file system...ignoring.
### Warning: Policy Update Changed Object.
### An object has been changed since the database was last updated.
### Object name: Conflicting properties for object
### /usr/local/tripwire/etc/tw.pol
### > Modify Time
### > CRC32
### > MD5
### Continuing...
### Warning: Policy Update Changed Object.
### An object has been changed since the database was last updated.
### Object name: Conflicting properties for object /etc/cups/certs
### > Modify Time
### > Change Time
### Continuing...
### Warning: Policy Update Changed Object.
### An object has been changed since the database was last updated.
### Object name: Conflicting properties for object /etc/cups/certs/0
### > Modify Time
### > Change Time
### > CRC32
### > MD5
### Continuing...
======== Step 2: Updating the database with new objects.
======== Step 3: Pruning unneeded objects from the database.
Wrote policy file: /usr/local/tripwire/etc/tw.pol
Wrote database file: /usr/local/tripwire/lib/tripwire/local.c1gstudio.com.twd

7. Checking for file changes
Once Tripwire is installed you can periodically check whether any files have changed.
Add --interactive to show the results right away:
./sbin/tripwire --check --interactive

Parsing policy file: /usr/local/tripwire/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
The object: "/etc/rhgb/temp" is on a different file system...ignoring.
Wrote report file: /usr/local/tripwire/lib/tripwire/report/local.c1gstudio.com-20090807-112337.twr

Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            2009年08月07日 星期五 11时23分37秒
Database last updated on:     2009年08月07日 星期五 11时09分27秒

===============================================================================
Report Summary:
===============================================================================

Host name:                    local.c1gstudio.com
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /usr/local/tripwire/etc/tw.pol
Configuration file used:      /usr/local/tripwire/etc/tw.cfg
Database file used:           /usr/local/tripwire/lib/tripwire/local.c1gstudio.com.twd
Command line used:            ./sbin/tripwire --check --interactive

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                        Severity Level    Added    Removed  Modified
  ---------                        --------------    -----    -------  --------
* Tripwire Data Files              0                 0        0        1
  Tripwire Binaries                0                 0        0        0
  User Binaries and Libraries      0                 0        0        0
  OS Binaries and Libraries        0                 0        0        0
* Global Configuration Files       0                 0        0        2
  System Boot Changes              0                 0        0        0
  RPM Checksum Files               0                 0        0        0
  OS Boot Files and Mount Points   0                 0        0        0
  (/boot)
  OS Devices and Misc Directories  0                 0        0        0
  Root Directory and Files         0                 0        0        0

Total objects scanned:  64406
Total violations found:  3

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/usr/local/tripwire/etc/tw.pol)
Severity Level: 0
-------------------------------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Modified:
[x] "/usr/local/tripwire/etc/tw.pol"

-------------------------------------------------------------------------------
Rule Name: Global Configuration Files (/etc)
Severity Level: 0
-------------------------------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Modified:
[x] "/etc/cups/certs"
[x] "/etc/cups/certs/0"

===============================================================================
Object Detail:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/usr/local/tripwire/etc/tw.pol)
Severity Level: 0
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------

Modified object name:  /usr/local/tripwire/etc/tw.pol

  Property:            Expected                              Observed
  -------------        -----------                           -----------
  Object Type          Regular File                          Regular File
  Device Number        64768                                 64768
  Mode                 -rw-r-----                            -rw-r-----
  Num Links            1                                     1
  UID                  root (0)                              root (0)
  GID                  root (0)                              root (0)
  Size                 4159                                  4159
* Modify Time          2009年08月07日 星期五 11时05分06秒      2009年08月07日 星期五 11时16分18秒
  Blocks               24                                    24
* CRC32                BbMp+k                                CasvDM
* MD5                  AedDw/7U0K3jGZeAQ+TluE                BqtFj3lGlb5i44+KkjyB9u

-------------------------------------------------------------------------------
Rule Name: Global Configuration Files (/etc)
Severity Level: 0
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 2
----------------------------------------

Modified object name:  /etc/cups/certs

  Property:            Expected                              Observed
  -------------        -----------                           -----------
  Object Type          Directory                             Directory
  Device Number        64768                                 64768
  File Device Number   0                                     0
  Inode Number         1557621                               1557621
  Mode                 drwx--x--x                            drwx--x--x
  Num Links            2                                     2
  UID                  root (0)                              root (0)
  GID                  sys (3)                               sys (3)
  Size                 4096                                  4096
* Modify Time          2009年08月07日 星期五 11时07分09秒      2009年08月07日 星期五 11时22分12秒
* Change Time          2009年08月07日 星期五 11时07分09秒      2009年08月07日 星期五 11时22分12秒
  Blocks               16                                    16

Modified object name:  /etc/cups/certs/0

  Property:            Expected                              Observed
  -------------        -----------                           -----------
  Object Type          Regular File                          Regular File
  Device Number        64768                                 64768
  File Device Number   0                                     0
  Inode Number         1556488                               1556488
  Mode                 -r--r-----                            -r--r-----
  Num Links            1                                     1
  UID                  root (0)                              root (0)
  GID                  sys (3)                               sys (3)
  Size                 32                                    32
* Modify Time          2009年08月07日 星期五 11时07分09秒      2009年08月07日 星期五 11时22分12秒
* Change Time          2009年08月07日 星期五 11时07分09秒      2009年08月07日 星期五 11时22分12秒
  Blocks               16                                    16
* CRC32                Bh604c                                DClI5t
* MD5                  CYQG5hqBS+c69bcyXaK6Wl                DDovWtxN44ScT7sn/IJiZa

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.

8. Viewing reports
All Tripwire reports are saved with the .twr suffix under the lib/tripwire directory and must be converted to text with the twprint command:
./sbin/twprint --print-report --twrfile ./lib/tripwire/report/local.c1gstudio.com-20090807-112337.twr >/tmp/tripwire_readable.txt
cat /tmp/tripwire_readable.txt

9. Periodic checks
Run the check every day at 4 o'clock:

00 4 * * * /usr/local/tripwire/sbin/tripwire --check
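A wrapper for the cron entry above, added here as an example (not code from the original post): it runs the check, renders the newest report with twprint and parses it, so the job fails visibly and lists the changed objects when violations are reported. It assumes the /usr/local/tripwire prefix used in this post; the two parsing functions are exercised on a constructed report excerpt.

```shell
# Added example, not code from the original post: a wrapper for the cron job
# above. It runs the check, renders the newest .twr with twprint and exits
# non-zero with the list of changed objects when the report shows violations,
# so cron mail or a monitoring job notices. Assumes --prefix=/usr/local/tripwire.
set -eu
TW=/usr/local/tripwire

# violation_count: read a twprint text report on stdin, print the N from
# "Total violations found: N" (0 when the line is missing).
violation_count() {
    awk -F': *' '/^Total violations found:/ { n = $2 }
                 END { print (n == "" ? 0 : n) }'
}

# changed_objects: print "Modified /path" lines from the Object Summary,
# using the Added:/Removed:/Modified: label that precedes each quoted
# object, with or without the [x] box of an interactive report.
changed_objects() {
    awk '/^(Added|Removed|Modified):/ { kind = $1; sub(/:$/, "", kind) }
         /^[ \t]*(\[x\] )?"\// {
             p = $0; sub(/^[ \t]*(\[x\] )?"/, "", p); sub(/"$/, "", p)
             print kind, p
         }'
}

# run_check: what cron calls. tripwire --check exits non-zero when it finds
# violations, so its status is ignored and the report is inspected instead.
run_check() {
    "$TW/sbin/tripwire" --check >/dev/null 2>&1 || true
    latest=$(ls -t "$TW/lib/tripwire/report"/*.twr | head -n 1)
    report=$("$TW/sbin/twprint" --print-report --twrfile "$latest")
    n=$(printf '%s\n' "$report" | violation_count)
    if [ "$n" -gt 0 ]; then
        echo "tripwire: $n violation(s), see $latest"
        printf '%s\n' "$report" | changed_objects
        return 1
    fi
    echo "tripwire: no violations ($latest)"
}
# Constructed excerpt of a twprint report in the shape shown above.
SAMPLE_REPORT='Total violations found: 3
Modified:
[x] "/usr/local/tripwire/etc/tw.pol"
Modified:
[x] "/etc/cups/certs"
[x] "/etc/cups/certs/0"'
# "--run" does the real check; with no argument the parsers run on the sample.
if [ "${1:-}" = "--run" ]; then run_check; else
    printf '%s\n' "$SAMPLE_REPORT" | violation_count
    printf '%s\n' "$SAMPLE_REPORT" | changed_objects
fi
```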

10. Viewing the current configuration
./sbin/twadmin --print-polfile

@@section GLOBAL
TWDOCS="/usr/local/tripwire/doc/tripwire";
TWBIN="/usr/local/tripwire/sbin";
TWPOL="/usr/local/tripwire/etc";
TWDB="/usr/local/tripwire/lib/tripwire";
TWSKEY="/usr/local/tripwire/etc";
TWLKEY="/usr/local/tripwire/etc";
TWREPORT="/usr/local/tripwire/lib/tripwire/report";
HOSTNAME=local.c1gstudio.com;

./sbin/twadmin --print-cfgfile

ROOT =/usr/local/tripwire/sbin
POLFILE =/usr/local/tripwire/etc/tw.pol
DBFILE =/usr/local/tripwire/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/usr/local/tripwire/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/usr/local/tripwire/etc/site.key
LOCALKEYFILE =/usr/local/tripwire/etc/local.c1gstudio.com-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t

References:
Tripwire Tutorial: Linux Host Based Intrusion Detection System
Tripwire-2.4.1.2 tutorial
