Vine Linux 4.1

Installing a Host-Based IDS 2008/08/26

[1] Install Tripwire, a host-based IDS (Intrusion Detection System). An IDS is a system that detects unauthorized activity. A host-based IDS does this for an individual computer (it monitors the computer's own I/O and packets); the alternative is a network-based IDS, which monitors the packets travelling on the network. The host-based Tripwire records the files on the system in a database and detects and reports any file that has been added, modified, or deleted since that database was built.

Also, gcc-c++ is needed when Tripwire is configured below, so if it is not on the system yet, install it beforehand with "apt-get -y install gcc-c++".
[root@ns root]# wget http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.4.1.2-src.tar.bz2
--17:47:19-- http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.4.1.2-src.tar.bz2     => `tripwire-2.4.1.2-src.tar.bz2'
jaist.dl.sourceforge.net をDNSに問いあわせています... 150.65.7.130
jaist.dl.sourceforge.net|150.65.7.130|:80 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 711,311 (695K) [application/x-bzip2]
100%[=======================================>] 711,311     3.01M/s   in 0.2s

17:47:21 (1.85 MB/s) - `tripwire-2.4.1.2-src.tar.bz2' を保存しました [711311/711311]

[root@ns root]# tar jxvf tripwire-2.4.1.2-src.tar.bz2
[root@ns root]# cd tripwire-2.4.1.2-src
[root@ns tripwire-2.4.1.2-src]# ./configure
[root@ns tripwire-2.4.1.2-src]# make
[root@ns tripwire-2.4.1.2-src]# make install

# During installation, accept the license as follows

Press ENTER to view the License Agreement.
~~~~~~~~ (very long) ~~~~~~~~~

license agreement. [do not accept]
accept

Continue with installation? [y/n]
y

Enter the site keyfile passphrase:
# (1) enter any passphrase

Verify the site keyfile passphrase:

Enter the local keyfile passphrase:
# (2) enter any passphrase

Verify the local keyfile passphrase:

Please enter your site passphrase:
# answer with passphrase (1)

Please enter your site passphrase:
# answer with passphrase (1) again

The installation succeeded.

[root@ns tripwire-2.4.1.2-src]# cd
[root@ns root]# rm -rf tripwire-2.4.1.2-src
[root@ns root]# rm -f tripwire-2.4.1.2-src.tar.bz2
[root@ns root]# cd /usr/local/etc
[root@ns etc]# vi twcfg.txt

# line 9: with 'true', files being added to or removed from a directory is not reported as a change to the directory itself
LOOSEDIRECTORYCHECKING =true

# line 12: raise the report level to the maximum
REPORTLEVEL =4


[root@ns etc]# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase:
# enter passphrase (1)
Wrote configuration file: /usr/local/etc/tw.cfg

# A script that tailors the policy file to the system is available, so we use it

[root@ns etc]# vi twpolmake.pl


#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#    perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;          # 1 while inside a { ... } rule block

while (<POL>) {
     chomp;
     # Rewrite the HOSTNAME variable to this machine's actual hostname
     if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
          $myhost = `hostname` ; chomp($myhost) ;
          if ($thost ne $myhost) {
               $_="HOSTNAME=\"$myhost\";" ;
          }
     }
     elsif ( /^{/ ) {
          $INRULE=1 ;
     }
     elsif ( /^}/ ) {
          $INRULE=0 ;
     }
     # Inside a rule block: a (possibly commented-out) "/path -> mask ;" entry
     elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
          # $ret counts the '#' characters stripped, i.e. whether the entry was commented out
          $ret = ($sharp =~ s/\#//g) ;
          if ($tpath eq '/sbin/e2fsadm' ) {
               $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
          }
          # Comment out entries whose path is missing (or empty) on this system so
          # tripwire does not report "file not found" errors; re-enable entries that exist
          if (! -s $tpath) {
               $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
          }
          else {
               $_ = "$sharp$tpath$cond" ;
          }
     }
     print "$_\n" ;
}
close(POL) ;


[root@ns etc]# perl twpolmake.pl twpol.txt > twpol.txt.new
[root@ns etc]# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase:
# site passphrase
Wrote policy file: /usr/local/etc/tw.pol
[root@ns etc]# tripwire -m i -s -c tw.cfg
# build the initial database
Please enter your local passphrase:
[root@ns etc]# tripwire -m c -s -c tw.cfg
# run an integrity check

Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Wed 16 May 2007 10:17:40 PM JST
Database last updated on:     Never

======================================================
Report Summary:
======================================================

Host name:                    www.srv.world
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /usr/local/etc/tw.pol
Configuration file used:      /usr/local/etc/tw.cfg
Database file used:           /usr/local/lib/tripwire/www.srv.world.twd
Command line used:            tripwire -m c -s -c tw.cfg

======================================================
Rule Summary:
======================================================

------------------------------------------------------
  Section: Unix File System
------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Tripwire Data Files             0                 0        0        0
* Monitor Filesystems             0                 0        0        2
  User Binaries and Libraries     0                 0        0        0
  Tripwire Binaries               0                 0        0        0
  OS Binaries and Libraries       0                 0        0        0
  Temporary Directories           0                 0        0        0
  Global Configuration Files      0                 0        0        0
  System Boot Changes             0                 0        0        0
  RPM Checksum Files              0                 0        0        0
  (/var/lib/rpm)
  OS Devices and Misc Directories 0                 0        0        0
  OS Boot Files and Mount Points  0                 0        0        0
  Root Directory and Files        0                 0        0        0

Total objects scanned:  60551
Total violations found:  2

======================================================
Object Summary:
======================================================

------------------------------------------------------
# Section: Unix File System
------------------------------------------------------

------------------------------------------------------
Rule Name: Monitor Filesystems (/var)
Severity Level: 0
------------------------------------------------------

Modified:
"/var/yp/binding/srv.world.1"
"/var/yp/binding/srv.world.2"

======================================================
Error Report:
======================================================

No Errors

------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved.
[2] Add a file and test that it is detected.
[root@ns etc]# cd
[root@ns root]# touch hacking
[root@ns root]# tripwire -m c -s -c /usr/local/etc/tw.cfg

Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Wed 16 May 2007 10:17:40 PM JST
Database last updated on:     Never

======================================================
Report Summary:
======================================================

Host name:                    www.srv.world
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /usr/local/etc/tw.pol
Configuration file used:      /usr/local/etc/tw.cfg
Database file used:           /usr/local/lib/tripwire/www.srv.world.twd
Command line used:            tripwire -m c -s -c tw.cfg

======================================================
Rule Summary:
======================================================

------------------------------------------------------
  Section: Unix File System
------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Tripwire Data Files             0                 0        0        0
* Monitor Filesystems             0                 0        0        2
  User Binaries and Libraries     0                 0        0        0
  Tripwire Binaries               0                 0        0        0
  OS Binaries and Libraries       0                 0        0        0
  Temporary Directories           0                 0        0        0
  Global Configuration Files      0                 0        0        0
  System Boot Changes             0                 0        0        0
  RPM Checksum Files              0                 0        0        0
  (/var/lib/rpm)
  OS Devices and Misc Directories 0                 0        0        0
  OS Boot Files and Mount Points  0                 0        0        0
* Root Directory and Files        0                 1        0        0

Total objects scanned:  60552
Total violations found:  3

======================================================
Object Summary:
======================================================

------------------------------------------------------
# Section: Unix File System
------------------------------------------------------

------------------------------------------------------
Rule Name: Monitor Filesystems (/var)
Severity Level: 0
------------------------------------------------------

Modified:
"/var/yp/binding/srv.world.1"
"/var/yp/binding/srv.world.2"

------------------------------------------------------
Rule Name: Root Directory and Files (/root)
Severity Level: 0
------------------------------------------------------

Added:
"/root/hacking"
# detected correctly

======================================================
Error Report:
======================================================

No Errors

------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved.
[3] Run an integrity check before changing files, and update the database after you have changed them. If you don't, the number of files that fail the check keeps growing and the reports become impossible to make sense of. To update, pass the command below a report file that records changes which were detected but are legitimate; those changes are written into the database and are no longer reported from the next check on. Running the command below opens the report in an editor. Each changed item has an [x] at the start of its line; if the change is acceptable, leave it as is, then save and exit.
[root@ns root]# tripwire -m u -r /usr/local/lib/tripwire/report/ns.srv.world-20070729-180736.twr


Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Wed 16 May 2007 10:17:40 PM JST
Database last updated on:     Never

======================================================
Report Summary:
======================================================

Host name:                    www.srv.world
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /usr/local/etc/tw.pol
Configuration file used:      /usr/local/etc/tw.cfg
Database file used:           /usr/local/lib/tripwire/www.srv.world.twd
Command line used:            tripwire -m c -s -c tw.cfg

======================================================
Rule Summary:
======================================================

------------------------------------------------------
  Section: Unix File System
------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Tripwire Data Files             0                 0        0        0
* Monitor Filesystems             0                 0        0        2
  User Binaries and Libraries     0                 0        0        0
  Tripwire Binaries               0                 0        0        0
  OS Binaries and Libraries       0                 0        0        0
  Temporary Directories           0                 0        0        0
  Global Configuration Files      0                 0        0        0
  System Boot Changes             0                 0        0        0
  RPM Checksum Files              0                 0        0        0
  (/var/lib/rpm)
  OS Devices and Misc Directories 0                 0        0        0
  OS Boot Files and Mount Points  0                 0        0        0
* Root Directory and Files        0                 1        0        0

Total objects scanned:  60552
Total violations found:  3

======================================================
Object Summary:
======================================================

------------------------------------------------------
# Section: Unix File System
------------------------------------------------------

------------------------------------------------------
Rule Name: Monitor Filesystems (/var)
Severity Level: 0
------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Modified:
[x] "/var/yp/binding/srv.world.1"
# marked [x] because the object did not match the database
[x] "/var/yp/binding/srv.world.2"

------------------------------------------------------
Rule Name: Root Directory and Files (/root)
Severity Level: 0
------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/root/hacking"
# marked [x] because the object did not match the database

======================================================
Error Report:
======================================================

No Errors

------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved.

# If everything is acceptable, save and exit. You are then asked for the passphrase as below; enter it

Please enter your local passphrase:
Wrote database file: /usr/local/lib/tripwire/www.srv.world.twd
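The init / check / update cycle that sections [1] and [3] walk through, reduced to its essentials as an added example. This is not code from this page or from Tripwire: the attributes recorded per object, the JSON database layout, the HMAC that stands in for Tripwire signing the database with the local key, and the sample tree built in demo() are all assumptions of this illustration. The demo repeats the page's test (touch a file under the root) and additionally alters a binary, accepts only the new file during the update, and shows that an edited baseline is rejected.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path

# Added example (not Tripwire's code): a toy host-based integrity checker with
# the same init / check / update cycle as the page. Fingerprint fields, database
# format, HMAC signing and the sample tree in demo() are assumptions.


def fingerprint(path: Path) -> dict:
    """Attributes stored per object; a difference in any of them is a violation."""
    st = path.lstat()
    digest = ""
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    return {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
            "size": st.st_size, "sha256": digest}


def init_database(root: Path) -> dict:
    """tripwire -m i: snapshot every file and directory below root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath, name)
            db[p.relative_to(root).as_posix()] = fingerprint(p)
    return db


def check(db: dict, root: Path) -> dict:
    """tripwire -m c: compare the live tree with the baseline."""
    current = init_database(root)
    old, new = set(db), set(current)
    return {"added": sorted(new - old),
            "removed": sorted(old - new),
            "modified": sorted(k for k in old & new if db[k] != current[k])}


def update_database(db: dict, root: Path, report: dict, accept: set) -> dict:
    """tripwire -m u: fold accepted violations into the baseline. `accept` plays
    the part of the [x] boxes left ticked; the rest is reported again next time."""
    current = init_database(root)
    new_db = dict(db)
    for path in report["added"] + report["modified"]:
        if path in accept:
            new_db[path] = current[path]
    for path in report["removed"]:
        if path in accept:
            new_db.pop(path, None)
    return new_db


def save_database(db: dict, db_file: Path, key: bytes) -> None:
    """Write the baseline with an HMAC (Tripwire signs it with the local key):
    a baseline that anyone can edit proves nothing."""
    body = json.dumps(db, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    db_file.write_text(json.dumps({"hmac": tag, "body": body}))


def load_database(db_file: Path, key: bytes) -> dict:
    """Refuse to use a baseline whose HMAC does not verify."""
    blob = json.loads(db_file.read_text())
    expected = hmac.new(key, blob["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["hmac"]):
        raise ValueError("database signature mismatch: baseline was tampered with")
    return json.loads(blob["body"])


def demo() -> dict:
    """Constructed sample tree: baseline, then 'touch hacking' plus an altered binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "root")
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed sample binary")
        key = b"constructed-local-key"   # stands in for the local passphrase
        db_file = Path(tmp, "host.twd")
        save_database(init_database(root), db_file, key)

        (root / "hacking").write_text("")                      # touch hacking
        (root / "bin" / "ls").write_bytes(b"\x7fELF altered")  # trojaned binary
        first = check(load_database(db_file, key), root)

        # Accept only the new file; the altered binary stays a violation.
        accepted = update_database(load_database(db_file, key), root, first, {"hacking"})
        save_database(accepted, db_file, key)
        second = check(load_database(db_file, key), root)

        # Someone who edits the stored baseline is caught by the HMAC.
        db_file.write_text(db_file.read_text().replace("hacking", "backdoor"))
        try:
            load_database(db_file, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return {"first": first, "second": second, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The first check reports "hacking" as added and "bin/ls" as modified; after the update accepts only "hacking", the second check still reports "bin/ls", which is the point of leaving a box unticked in the editor. The directory entries carry no mtime on purpose, which mirrors the effect of the LOOSEDIRECTORYCHECKING setting above: a file appearing in a directory is reported as the added file, not as a change to the directory.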