CentOS 6
Sponsored Link

Tripwire : インストール2015/04/06

 
ホスト型 IDS (Intrusion Detection System - 侵入検知システム) の Tripwire のインストールと設定です。
[1] Tripwire をインストールします。
# EPEL からインストール

[root@dlp ~]#
yum --enablerepo=epel -y install tripwire
[2] キーの作成やデータベース作成等の初期設定をします。
# キーを生成

[root@dlp ~]#
tripwire-setup-keyfiles
.....
.....
Enter the site keyfile passphrase:    
# サイトキーファイルのパスフレーズ設定

Verify the site keyfile passphrase:    
# 確認再入力

.....
.....
Enter the local keyfile passphrase:    
# ローカルキーファイルのパスフレーズ設定

Verify the local keyfile passphrase:    
# 確認再入力

.....
.....
Please enter your site passphrase:    
# サイトキーファイルのパスフレーズで応答

.....
.....
Please enter your site passphrase:    
# サイトキーファイルのパスフレーズで応答

.....
.....
[root@dlp ~]#
cd /etc/tripwire

[root@dlp tripwire]#
vi twcfg.txt
# 12行目:報告レベル最大に変更

REPORTLEVEL =
4
# 設定ファイル生成

[root@dlp tripwire]#
twadmin -m F -c tw.cfg -S site.key twcfg.txt

Please enter your site passphrase:    
# サイトキーパスフレーズで応答

Wrote configuration file: /etc/tripwire/tw.cfg
# デフォルトでは、存在しないファイル/ディレクトリを多数チェックにいくため、

# 以下のポリシー最適化スクリプトを利用させていただき、ポリシーを最適化する

[root@dlp tripwire]#
vi twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#     perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;

[root@dlp tripwire]#
perl twpolmake.pl twpol.txt > twpol.txt.new

[root@dlp tripwire]#
twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new

Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
# データベース作成

[root@dlp tripwire]#
tripwire -m i -s -c tw.cfg

Please enter your local passphrase:
[3] チェックを実行します。 なお、定期チェックのスクリプトはパッケージに含まれており日次でチェック実行されます。
[root@dlp ~]#
tripwire -m c -s -c /etc/tripwire/tw.cfg

Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Tue 06 Apr 2015 11:32:49 PM JST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    dlp.srv.world
Host IP address:              10.0.0.30
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/dlp.srv.world.twd
Command line used:            tripwire -m c -s -c /etc/tripwire/tw.cfg

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Invariant Directories           66                0        0        0
  Temporary directories           33                0        0        0
* Tripwire Data Files             100               1        0        0
  Critical devices                100               0        0        0
  (/proc/kcore)
  User binaries                   66                0        0        0
  Tripwire Binaries               100               0        0        0
  Libraries                       66                0        0        0
  Operating System Utilities      100               0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        0
  Kernel Administration Programs  100               0        0        0
  Networking Programs             100               0        0        0
  System Administration Programs  100               0        0        0
  Hardware and Device Control Programs
                                  100               0        0        0
  System Information Programs     100               0        0        0
  Application Information Programs
                                  100               0        0        0
  (/sbin/rtmon)
  Shell Related Programs          100               0        0        0
  (/sbin/getkey)
  Critical Utility Sym-Links      100               0        0        0
  Shell Binaries                  100               0        0        0
  Critical system boot files      100               0        0        0
  System boot changes             100               0        0        0
  OS executables and libraries    100               0        0        0
  Critical configuration files    100               0        0        0
  Security Control                100               0        0        0
  Login Scripts                   100               0        0        0
* Root config files               100               0        0        1

Total objects scanned:  18283
Total violations found:  2

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
---------------------------

Added:
"/var/lib/tripwire/dlp.srv.world.twd"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/root"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
[4] チェックの結果、変更が検出されたが内容に問題ない場合にデータベースの更新を行う場合は以下のようにします。
# チェック結果は以下の場所へ保管されている

[root@dlp ~]#
ll /var/lib/tripwire/report

total 32
-rw-r--r-- 1 root root 7198 Apr  7 13:40 dlp.srv.world-20150407-134032.twr
-rw-r--r-- 1 root root 7206 Apr  7 13:46 dlp.srv.world-20150407-134637.twr
-rw-r--r-- 1 root root 7150 Apr  7 13:50 dlp.srv.world-20150407-135026.twr

# 問題無しのレポートを指定してデータベースを更新

[root@dlp ~]#
tripwire -m u -a -s -c /etc/tripwire/tw.cfg \
-r /var/lib/tripwire/report/dlp.srv.world-20150407-135026.twr

Please enter your local passphrase:
関連コンテンツ