Scientific Linux 6
Host-based IDS - Tripwire  2011/04/27

[1] Install Tripwire, a host-based IDS (Intrusion Detection System). An IDS is a system that detects unauthorized activity. A host-based IDS does this for the computer it runs on (monitoring that computer's I/O packets); a network-based IDS, by contrast, monitors packets on the network.
[root@www ~]# yum --enablerepo=epel -y install tripwire
# install from the EPEL repository
[root@www ~]# tripwire-setup-keyfiles
# you are asked for passphrases several times, as shown below; enter them

Enter the site keyfile passphrase:
# (1) set a passphrase of your choice
Verify the site keyfile passphrase:
# re-enter it
Enter the local keyfile passphrase:
# (2) set a passphrase of your choice
Verify the local keyfile passphrase:
# re-enter it
Please enter your site passphrase:
# answer with passphrase (1)
Please enter your site passphrase:
# answer with passphrase (1) again
[root@www ~]# cd /etc/tripwire
[root@www tripwire]# vi twcfg.txt
# line 9: with 'true', adding or removing files in a directory does not report the directory itself as changed
LOOSEDIRECTORYCHECKING = true
# line 12: raise the report level to the maximum
REPORTLEVEL = 4
# create the signed configuration file
[root@www tripwire]# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase:
# enter passphrase (1)
Wrote configuration file: /etc/tripwire/tw.cfg
# a script that tunes the policy file to the local system has been published, so we use it
[root@www tripwire]# vi twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#     perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
use strict;
use warnings;

my $POLFILE = $ARGV[0];

open(POL, "<", $POLFILE) or die "open error: $POLFILE";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my $INRULE = 0;   # 1 while inside a { ... } rule block
my $ret;

while (<POL>) {
   chomp;
   # rewrite the HOSTNAME setting to this machine's actual hostname
   if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
      $myhost = `hostname`; chomp($myhost);
      if ($thost ne $myhost) {
         $_ = "HOSTNAME=\"$myhost\";";
      }
   }
   elsif ( /^\{/ ) {
      $INRULE = 1;
   }
   elsif ( /^\}/ ) {
      $INRULE = 0;
   }
   # inside a rule block every entry looks like "[#] /path -> properties ;"
   elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
      $ret = ($sharp =~ s/\#//g) || 0;   # number of '#' removed: was the entry already commented out?
      if ($tpath eq '/sbin/e2fsadm') {
         $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
      }
      if (! -s $tpath) {
         # the path does not exist on this host: comment the entry out so the
         # policy does not produce "file not found" errors at check time
         $_ = "$sharp#$tpath$cond" if ($ret == 0);
      }
      else {
         $_ = "$sharp$tpath$cond";
      }
   }
   print "$_\n";
}
close(POL);

[root@www tripwire]# perl twpolmake.pl twpol.txt > twpol.txt.new
[root@www tripwire]# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase:
# passphrase
Wrote policy file: /etc/tripwire/tw.pol
[root@www tripwire]# tripwire -m i -s -c tw.cfg
# create the database
Please enter your local passphrase:
# passphrase
[root@www tripwire]# tripwire -m c -s -c tw.cfg
# run an integrity check
Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Wed 27 Apr 2011 09:47:32 PM JST
Database last updated on:     Never

======================================================
Report Summary:
======================================================

Host name:                    www.srv.world
Host IP address:              10.0.0.31
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/www.srv.world.twd
Command line used:            tripwire -m c -s -c tw.cfg

======================================================
Rule Summary:
======================================================

-------------------------------------------------------
Section: Unix File System
-------------------------------------------------------

Rule Name                                    Severity Level  Added  Removed  Modified
---------                                    --------------  -----  -------  --------
Invariant Directories                        66              0      0        0
Temporary directories                        33              0      0        0
Tripwire Data Files                          100             0      0        0
Critical devices                             100             0      0        0
(/proc/kcore)
User binaries                                66              0      0        0
Tripwire Binaries                            100             0      0        0
Libraries                                    66              0      0        0
Operating System Utilities                   100             0      0        0
File System and Disk Administraton Programs  100             0      0        0
Kernel Administration Programs               100             0      0        0
Networking Programs                          100             0      0        0
System Administration Programs               100             0      0        0
Hardware and Device Control Programs         100             0      0        0
System Information Programs                  100             0      0        0
Application Information Programs             100             0      0        0
(/sbin/rtmon)
Shell Related Programs                       100             0      0        0
(/sbin/getkey)
Critical Utility Sym-Links                   100             0      0        0
Shell Binaries                               100             0      0        0
Critical system boot files                   100             0      0        0
System boot changes                          100             0      0        0
OS executables and libraries                 100             0      0        0
Critical configuration files                 100             0      0        0
Security Control                             100             0      0        0
Login Scripts                                100             0      0        0
Root config files                            100             0      0        0

Total objects scanned: 14589
Total violations found: 0

======================================================
Object Summary:
======================================================

-------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------

No violations.

======================================================
Error Report:
======================================================

No Errors

-------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
[2] Add a file and test that it is detected.
[root@www ~]# touch test.txt
[root@www ~]# tripwire -m c -s -c /etc/tripwire/tw.cfg
Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Wed 27 Apr 2011 09:47:32 PM JST
Database last updated on:     Never

======================================================
Report Summary:
======================================================

Host name:                    www.srv.world
Host IP address:              10.0.0.31
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/www.srv.world.twd
Command line used:            tripwire -m c -s -c tw.cfg

======================================================
Rule Summary:
======================================================

-------------------------------------------------------
Section: Unix File System
-------------------------------------------------------

Rule Name                                    Severity Level  Added  Removed  Modified
---------                                    --------------  -----  -------  --------
Invariant Directories                        66              0      0        0
Temporary directories                        33              0      0        0
Tripwire Data Files                          100             0      0        0
Critical devices                             100             0      0        0
(/proc/kcore)
User binaries                                66              0      0        0
Tripwire Binaries                            100             0      0        0
Libraries                                    66              0      0        0
Operating System Utilities                   100             0      0        0
File System and Disk Administraton Programs  100             0      0        0
Kernel Administration Programs               100             0      0        0
Networking Programs                          100             0      0        0
System Administration Programs               100             0      0        0
Hardware and Device Control Programs         100             0      0        0
System Information Programs                  100             0      0        0
Application Information Programs             100             0      0        0
(/sbin/rtmon)
Shell Related Programs                       100             0      0        0
(/sbin/getkey)
Critical Utility Sym-Links                   100             0      0        0
Shell Binaries                               100             0      0        0
Critical system boot files                   100             0      0        0
System boot changes                          100             0      0        0
OS executables and libraries                 100             0      0        0
Critical configuration files                 100             0      0        0
Security Control                             100             0      0        0
Login Scripts                                100             0      0        0
* Root config files                          100             1      0        0

Total objects scanned: 14590
Total violations found: 1

======================================================
Object Summary:
======================================================

-------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------

-------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------

Added:
"/root/test.txt"
# the added file was detected

======================================================
Error Report:
======================================================

No Errors

-------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
# if the detected file is legitimate, update the database so it is not reported again next time
[root@www ~]# tripwire -m u -r /var/lib/tripwire/report/www.srv.world-20110427-170215.twr
# review the contents, then save and exit
Please enter your local passphrase:
# passphrase
Wrote database file: /var/lib/tripwire/www.srv.world.twd
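The check-then-review-then-update loop above is what a scheduled job would drive. The following POSIX shell functions are an added example, not code from the original page or from the Tripwire project: they parse the Rule Summary of an integrity-check report, list the rules whose Added/Removed/Modified counters are not all zero, and return an exit status a cron job or monitoring agent can act on. The report text is a constructed excerpt embedded in the script so that it runs offline; on a real host it would be the output of `tripwire -m c -s -c /etc/tripwire/tw.cfg` shown on this page, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: parse the Rule Summary of an
# Open Source Tripwire integrity-check report and act on it from a script.
# In production the report text comes from
#   tripwire -m c -s -c /etc/tripwire/tw.cfg
# The excerpt below is constructed for offline use; it follows the report
# layout tripwire prints, with two rules showing changes.

SAMPLE_REPORT='Rule Name                       Severity Level  Added  Removed  Modified
---------                       --------------  -----  -------  --------
Invariant Directories           66              0      0        0
Critical configuration files    100             0      0        1
* Root config files             100             1      0        0
Total objects scanned: 14590
Total violations found: 2
======================================================
Object Summary:
======================================================
Rule Name: Root config files (/root)
Severity Level: 100
Added:
"/root/test.txt"'

# tw_violation_count REPORT
# Prints the number after "Total violations found:" (0 if the line is missing).
tw_violation_count() {
    printf '%s\n' "$1" | awk -F': *' '/^Total violations found:/ { n = $2 } END { print n + 0 }'
}

# tw_changed_rules REPORT
# Prints one tab-separated line "rule<TAB>severity<TAB>added<TAB>removed<TAB>modified"
# for every rule whose counters are not all zero. Rule names contain spaces,
# so the four numeric columns are read from the end of each line; the leading
# "* " tripwire puts in front of a violated rule is stripped.
tw_changed_rules() {
    printf '%s\n' "$1" | awk '
        /^Total objects scanned:/ { exit }   # end of the Rule Summary table
        /^(\* )?[A-Za-z].* [0-9]+ +[0-9]+ +[0-9]+ +[0-9]+ *$/ {
            sub(/^\* /, "")
            sev = $(NF-3); add = $(NF-2); rem = $(NF-1); mod = $NF
            if (add + rem + mod > 0) {
                name = $0
                sub(/ +[0-9]+ +[0-9]+ +[0-9]+ +[0-9]+ *$/, "", name)
                printf "%s\t%s\t%s\t%s\t%s\n", name, sev, add, rem, mod
            }
        }'
}

# tw_check_status REPORT
# Exit status for cron/monitoring: 0 when the report is clean, 1 when any
# violation was found. Severity-100 rules (system binaries, root config)
# are the ones to alert on immediately; lower severities can be queued for review.
tw_check_status() {
    if [ "$(tw_violation_count "$1")" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Stand-alone run: show what changed and how many violations the report counts.
# A real job would decide here whether to mail the report for review, after
# which an operator accepts legitimate changes with "tripwire -m u -r <report>".
tw_changed_rules "$SAMPLE_REPORT"
echo "violations: $(tw_violation_count "$SAMPLE_REPORT")"
```

The parser reads the numeric columns from the right because rule names such as "File System and Disk Administraton Programs" contain spaces, so splitting on whitespace from the left would not work; stopping at "Total objects scanned:" keeps the Object Summary lines from being mistaken for table rows.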