ホスト型IDSの導入2008/08/26 |
[1] | ホスト型IDS(Intrusion Detection System - 侵入検知システム)のTripwireを導入します。
IDSとは、不正行為を検出するシステムです。ホスト型とは、それをコンピュータに対してしてくれるもので(コンピュータのI/Oパケットを監視)、
それに対してネットワーク型もあります。ネットワーク型ではネットワーク上のパケットを監視します。
ホスト型のTripwireでは、システム上のファイルをデータベース化しておき、
追加・変更・削除があった場合はそれを検出し、通知してくれます。 また、以下で Tripwire を configure する際に gcc-c++ が必要となりますので、システムに入ってない場合は 「apt-get -y install gcc-c++」として事前に入れておいてください。 |
[root@ns root]# wget http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.4.1.2-src.tar.bz2 --17:47:19-- http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.4.1.2-src.tar.bz2 => `tripwire-2.4.1.2-src.tar.bz2' jaist.dl.sourceforge.net をDNSに問いあわせています... 150.65.7.130 jaist.dl.sourceforge.net|150.65.7.130|:80 に接続しています... 接続しました。 HTTP による接続要求を送信しました、応答を待っています... 200 OK 長さ: 711,311 (695K) [application/x-bzip2] 100%[=======================================>] 711,311 3.01M/s in 0.2s 17:47:21 (1.85 MB/s) - `tripwire-2.4.1.2-src.tar.bz2' を保存しました [711311/711311] [root@ns root]# [root@ns root]# tar jxvf tripwire-2.4.1.2-src.tar.bz2 [root@ns root]# cd tripwire-2.4.1.2-src [root@ns tripwire-2.4.1.2-src]# ./configure [root@ns tripwire-2.4.1.2-src]# make [root@ns tripwire-2.4.1.2-src]# make install # インストール中以下のようにしてライセンスに同意する Press ENTER to view the License Agreement. ~~~~~~~~かなり長い~~~~~~~~~ license agreement. [do not accept] accept Continue with installation? [y/n] y Enter the site keyfile passphrase: # (1)任意のパスフレーズ入力 Verify the site keyfile passphrase: Enter the local keyfile passphrase: # (2)任意のパスフレーズ入力 Verify the local keyfile passphrase: Please enter your site passphrase: # (1)のパスフレーズで応答 Please enter your site passphrase: # 再び(1)のパスフレーズで応答 The installation succeeded. [root@ns tripwire-2.4.1.2-src]# cd [root@ns root]# rm -rf tripwire-2.4.1.2-src [root@ns root]# rm -f tripwire-2.4.1.2-src.tar.bz2 [root@ns root]# cd /usr/local/etc [root@ns etc]# vi twcfg.txt # 9行目:'true'指定でディレクトリにファイルが追加・削除された場合、
そのディレクトリの変更は報告されない LOOSEDIRECTORYCHECKING = true # 12行目:報告レベル最大に変更 REPORTLEVEL = 4 [root@ns etc]# twadmin -m F -c tw.cfg -S site.key twcfg.txt Please enter your site passphrase: # (1)のパスフレーズ入力 Wrote configuration file: /usr/local/etc/tw.cfg # ポリシーファイル最適化スクリプトが配布されてるのでそちらを使わせていただく [root@ns etc]# vi twpolmake.pl
#!/usr/bin/perl # Tripwire Policy File customize tool # ---------------------------------------------------------------- # Copyright (C) 2003 Hiroaki Izumi # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ---------------------------------------------------------------- # Usage: # perl twpolmake.pl {Pol file} # ---------------------------------------------------------------- # $POLFILE=$ARGV[0]; open(POL,"$POLFILE") or die "open error: $POLFILE" ; my($myhost,$thost) ; my($sharp,$tpath,$cond) ; my($INRULE) = 0 ; while (<POL>) { chomp; if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) { $myhost = `hostname` ; chomp($myhost) ; if ($thost ne $myhost) { $_="HOSTNAME=\"$myhost\";" ; } } elsif ( /^{/ ) { $INRULE=1 ; } elsif ( /^}/ ) { $INRULE=0 ; } elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) { $ret = ($sharp =~ s/\#//g) ; if ($tpath eq '/sbin/e2fsadm' ) { $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ; } if (! -s $tpath) { $_ = "$sharp#$tpath$cond" if ($ret == 0) ; } else { $_ = "$sharp$tpath$cond" ; } } print "$_\n" ; } close(POL) ; [root@ns etc]# perl twpolmake.pl twpol.txt > twpol.txt.new [root@ns etc]# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new Please enter your site passphrase: # パスフレーズ Wrote policy file: /usr/local/etc/tw.pol [root@ns etc]# tripwire -m i -s -c tw.cfg Please enter your local passphrase: [root@ns etc]# tripwire -m c -s -c tw.cfg # チェック実行 Open Source Tripwire(R) 2.4.1 Integrity Check Report Report generated by: root Report created on: Wed 16 May 2007 10:17:40 PM JST Database last updated on: Never ====================================================== Report Summary: ====================================================== Host name: www.srv.world Host IP address: 127.0.0.1 Host ID: None Policy file used: /usr/local/etc/tw.pol Configuration file used: /usr/local/etc/tw.cfg Database file used: /usr/local/lib/tripwire/www.srv.world.twd Command line used: tripwire -m c -s -c tw.cfg ====================================================== Rule Summary: ====================================================== ------------------------------------------------------ Section: Unix File System ------------------------------------------------------- Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- Tripwire Data Files 0 0 0 0 * Monitor Filesystems 0 0 0 2 User Binaries and Libraries 0 0 0 0 Tripwire Binaries 0 0 0 0 OS Binaries and Libraries 0 0 0 0 Temporary Directories 0 0 0 0 Global Configuration Files 0 0 0 0 System Boot Changes 0 0 0 0 RPM Checksum Files 0 0 0 0 (/var/lib/rpm) OS Devices and Misc Directories 0 0 0 0 OS Boot Files and Mount Points 0 0 0 0 Root Directory and Files 0 0 0 0 Total objects scanned: 60551 Total violations found: 2 ====================================================== Object Summary: ====================================================== ------------------------------------------------------ # Section: Unix File System ------------------------------------------------------ ------------------------------------------------------ Rule Name: Monitor Filesystems (/var) Severity Level: 0 ------------------------------------------------------ Modified: "/var/yp/binding/srv.world.1" "/var/yp/binding/srv.world.2" ====================================================== Error Report: ====================================================== No Errors ------------------------------------------------------ *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. |
[2] | ファイルを追加してテストしてみます。 |
[root@ns etc]# cd [root@ns root]# touch hacking [root@ns root]# tripwire -m c -s -c /usr/local/etc/tw.cfg Open Source Tripwire(R) 2.4.1 Integrity Check Report Report generated by: root Report created on: Wed 16 May 2007 10:17:40 PM JST Database last updated on: Never ====================================================== Report Summary: ====================================================== Host name: www.srv.world Host IP address: 127.0.0.1 Host ID: None Policy file used: /usr/local/etc/tw.pol Configuration file used: /usr/local/etc/tw.cfg Database file used: /usr/local/lib/tripwire/www.srv.world.twd Command line used: tripwire -m c -s -c tw.cfg ====================================================== Rule Summary: ====================================================== ------------------------------------------------------ Section: Unix File System ------------------------------------------------------ Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- Tripwire Data Files 0 0 0 0 * Monitor Filesystems 0 0 0 2 User Binaries and Libraries 0 0 0 0 Tripwire Binaries 0 0 0 0 OS Binaries and Libraries 0 0 0 0 Temporary Directories 0 0 0 0 Global Configuration Files 0 0 0 0 System Boot Changes 0 0 0 0 RPM Checksum Files 0 0 0 0 (/var/lib/rpm) OS Devices and Misc Directories 0 0 0 0 OS Boot Files and Mount Points 0 0 0 0 * Root Directory and Files 0 1 0 0 Total objects scanned: 60552 Total violations found: 3 ====================================================== Object Summary: ====================================================== ------------------------------------------------------ # Section: Unix File System ------------------------------------------------------ ------------------------------------------------------ Rule Name: Monitor Filesystems (/var) Severity Level: 0 ------------------------------------------------------ Modified: "/var/yp/binding/srv.world.1" "/var/yp/binding/srv.world.2" ------------------------------------------------------ Rule Name: Root Directory and Files (/root) Severity Level: 0 ------------------------------------------------------ Added: "/root/hacking" # しっかり検出 ====================================================== Error Report: ====================================================== No Errors ------------------------------------------------------ *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. |
[3] | ファイルの変更前に整合性チェックをし、ファイルの変更をしたらデータベースのアップデートをします。 しないと整合性のとれないファイルがどんどん増えていき、 ほんとにわけ分からんよになってきます。アップデートをするには下記コマンドに、 変更を検知しているが問題のないレポートファイルを続けて指定してデータベースに反映させ、次からは検知しないようにします。 下記コマンドを実行するとエディタでレポートが開きます。変更のあった箇所の行頭に[×]がついているので、問題なければそのままにして 保存終了します。 |
[root@ns root]# tripwire -m u -r /usr/local/lib/tripwire/report/ns.srv.world-20070729-180736.twr Open Source Tripwire(R) 2.4.1 Integrity Check Report Report generated by: root Report created on: Wed 16 May 2007 10:17:40 PM JST Database last updated on: Never ====================================================== Report Summary: ====================================================== Host name: www.srv.world Host IP address: 127.0.0.1 Host ID: None Policy file used: /usr/local/etc/tw.pol Configuration file used: /usr/local/etc/tw.cfg Database file used: /usr/local/lib/tripwire/www.srv.world.twd Command line used: tripwire -m c -s -c tw.cfg ====================================================== Rule Summary: ====================================================== ------------------------------------------------------ Section: Unix File System ------------------------------------------------------ Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- Tripwire Data Files 0 0 0 0 * Monitor Filesystems 0 0 0 2 User Binaries and Libraries 0 0 0 0 Tripwire Binaries 0 0 0 0 OS Binaries and Libraries 0 0 0 0 Temporary Directories 0 0 0 0 Global Configuration Files 0 0 0 0 System Boot Changes 0 0 0 0 RPM Checksum Files 0 0 0 0 (/var/lib/rpm) OS Devices and Misc Directories 0 0 0 0 OS Boot Files and Mount Points 0 0 0 0 * Root Directory and Files 0 1 0 0 Total objects scanned: 60552 Total violations found: 3 ====================================================== Object Summary: ====================================================== ------------------------------------------------------ # Section: Unix File System ------------------------------------------------------ ------------------------------------------------------ Rule Name: Monitor Filesystems (/var) Severity Level: 0 ------------------------------------------------------ Remove the "x" from the adjacent box to prevent updating the database with the new values for this object. Modified: [x] "/var/yp/binding/srv.world.1" # 整合性がとれなかったので[x] がついている [x] "/var/yp/binding/srv.world.2" ------------------------------------------------------ Rule Name: Root Directory and Files (/root) Severity Level: 0 ------------------------------------------------------ Remove the "x" from the adjacent box to prevent updating the database with the new values for this object. Added: [x] "/root/hacking" # 整合性がとれなかったので[x] がついている ====================================================== Error Report: ====================================================== No Errors ------------------------------------------------------ *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. # 問題なければ保存終了する。すると以下のようにパスフレーズを求められるので入力 Please enter your local passphrase: Wrote database file: /usr/local/lib/tripwire/www.srv.world.twd |
|