Tripwire : インストール2019/12/16 |
ホスト型 IDS (Intrusion Detection System), Tripwire のインストールと設定です。
|
|
[1] | Tripwire をインストールします。 |
# EPEL からインストール [root@dlp ~]# dnf --enablerepo=epel -y install tripwire
|
[2] | キーの作成やデータベース作成等の初期設定をします。 |
# キーを生成 [root@dlp ~]# tripwire-setup-keyfiles ---------------------------------------------- The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files. Passphrases should be at least 8 characters in length and contain both letters and numbers. See the Tripwire manual for more information. ---------------------------------------------- Creating key files... (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the site keyfile passphrase: # サイトキーファイルのパスフレーズ設定 Verify the site keyfile passphrase: # 確認再入力 Generating key (this may take several minutes)...Key generation complete. (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the local keyfile passphrase: # ローカルキーファイルのパスフレーズ設定 Verify the local keyfile passphrase: # 確認再入力 Generating key (this may take several minutes)...Key generation complete. ---------------------------------------------- Signing configuration file... Please enter your site passphrase: # サイトキーファイルのパスフレーズで応答 Wrote configuration file: /etc/tripwire/tw.cfg A clear-text version of the Tripwire configuration file: /etc/tripwire/twcfg.txt has been preserved for your inspection. It is recommended that you move this file to a secure location and/or encrypt it in place (using a tool such as GPG, for example) after you have examined it. ---------------------------------------------- Signing policy file... Please enter your site passphrase: # サイトキーファイルのパスフレーズで応答 Wrote policy file: /etc/tripwire/tw.pol ..... .....[root@dlp ~]# cd /etc/tripwire
[root@dlp tripwire]#
vi twcfg.txt # 12行目:報告レベル最大に変更 REPORTLEVEL = 4
# 設定ファイル生成 [root@dlp tripwire]# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase:
# サイトキーパスフレーズで応答 Wrote configuration file: /etc/tripwire/tw.cfg # デフォルトでは存在しないファイル/ディレクトリを多数チェックにいくため、 # 以下のポリシー最適化スクリプトを利用させていただいてポリシーを最適化する [root@dlp tripwire]# vi twpolmake.pl #!/usr/bin/perl # Tripwire Policy File customize tool # ---------------------------------------------------------------- # Copyright (C) 2003 Hiroaki Izumi # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ---------------------------------------------------------------- # Usage: # perl twpolmake.pl {Pol file} # ---------------------------------------------------------------- # $POLFILE=$ARGV[0]; open(POL,"$POLFILE") or die "open error: $POLFILE" ; my($myhost,$thost) ; my($sharp,$tpath,$cond) ; my($INRULE) = 0 ; while (<POL>) { chomp; if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) { $myhost = `hostname` ; chomp($myhost) ; if ($thost ne $myhost) { $_="HOSTNAME=\"$myhost\";" ; } } elsif ( /^{/ ) { $INRULE=1 ; } elsif ( /^}/ ) { $INRULE=0 ; } elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) { $ret = ($sharp =~ s/\#//g) ; if ($tpath eq '/sbin/e2fsadm' ) { $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ; } if (! -s $tpath) { $_ = "$sharp#$tpath$cond" if ($ret == 0) ; } else { $_ = "$sharp$tpath$cond" ; } } print "$_\n" ; } close(POL) ;
[root@dlp tripwire]#
perl twpolmake.pl twpol.txt > twpol.txt.new [root@dlp tripwire]# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new Please enter your site passphrase: Wrote policy file: /etc/tripwire/tw.pol # データベース作成 [root@dlp tripwire]# tripwire -m i -s -c tw.cfg Please enter your local passphrase: |
[3] | チェックを実行します。 なお、定期チェックのスクリプトはパッケージに含まれており日次でチェック実行されます。 |
[root@dlp ~]# tripwire -m c -s -c /etc/tripwire/tw.cfg Open Source Tripwire(R) 2.4.3.7 Integrity Check Report Report generated by: root Report created on: Mon 15 Dec 2019 19:49:44 AM JST Database last updated on: Never =============================================================================== Report Summary: =============================================================================== Host name: dlp.srv.world Host IP address: 10.0.0.30 Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/dlp.srv.world.twd Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg =============================================================================== Rule Summary: =============================================================================== ------------------------------------------------------------------------------- Section: Unix File System ------------------------------------------------------------------------------- Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- User binaries 66 0 0 0 Tripwire Binaries 100 0 0 0 Libraries 66 0 0 0 File System and Disk Administraton Programs 100 0 0 0 Kernel Administration Programs 100 0 0 0 Networking Programs 100 0 0 0 System Administration Programs 100 0 0 0 Hardware and Device Control Programs 100 0 0 0 System Information Programs 100 0 0 0 Application Information Programs 100 0 0 0 (/sbin/rtmon) Critical Utility Sym-Links 100 0 0 0 Shell Binaries 100 0 0 0 Critical system boot files 100 0 0 0 * Tripwire Data Files 100 1 0 0 System boot changes 100 0 0 0 OS executables and libraries 100 0 0 0 Security Control 100 0 0 0 Login Scripts 100 0 0 0 Critical configuration files 100 0 0 0 Operating System Utilities 100 0 0 0 Root config files 100 0 0 0 Invariant Directories 66 0 0 0 Temporary directories 33 0 0 0 Critical devices 100 0 0 0 (/proc/kcore) Total objects scanned: 29268 Total violations found: 1 =============================================================================== Object Summary: =============================================================================== ------------------------------------------------------------------------------- # Section: Unix File System ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Rule Name: Tripwire Data Files (/var/lib/tripwire) Severity Level: 100 ------------------------------------------------------------------------------- Added: "/var/lib/tripwire/dlp.srv.world.twd" =============================================================================== Error Report: =============================================================================== No Errors ------------------------------------------------------------------------------- *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. |
[4] | チェックの結果、変更が検出されたが内容に問題ない場合にデータベースの更新を行う場合は以下のようにします。 |
# チェック結果は以下の場所へ保管されている [root@dlp ~]# ll /var/lib/tripwire/report total 8 -rw-r--r--. 1 root root 5934 Dec 15 19:49 dlp.srv.world-20191216-114944.twr # 問題無しのレポートを指定してデータベースを更新 [root@dlp ~]# tripwire -m u -a -s -c /etc/tripwire/tw.cfg \ -r /var/lib/tripwire/report/dlp.srv.world-20191216-114944.twr Please enter your local passphrase: |
Sponsored Link |
|