大家好,昨天我们安装完tripwire以后,今天我们来讲讲它的使用。一个工具,如果只会安装,不会使用,那么,这个工具就失去了它的意义。好了,废话不多说,接着我们昨天的讲。
1、学习tripwire的配置文件
先拷贝man文件,这样我们就可以通过man来查看配置帮助信息。
[root@station253 man4]# cp /var/ftp/pub/tripwire-2.4.1.2-x86-bin/man/man4/tw* /usr/share/man/man4/
[root@station253 man4]# cp /var/ftp/pub/tripwire-2.4.1.2-x86-bin/man/man5/tw* /usr/share/man/man5/
[root@station253 man4]# cp /var/ftp/pub/tripwire-2.4.1.2-x86-bin/man/man8/tw* /usr/share/man/man8/
现在我们可以通过
[root@station253 man4]# cp /var/ftp/pub/tripwire-2.4.1.2-x86-bin/man/man8/tw* /usr/share/man/man8/
现在我们可以通过
[root@station253 man4]# man twconfig 4
[root@station253 man4]# man twpolicy
[root@station253 man4]# man twpolicy
来查看相关帮助信息。
[root@station253 tripwire]# vim /etc/tripwire/twcfg.txt
编译文本配置文件twcfg.txt。
编译文本配置文件twcfg.txt。
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/usr/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/usr/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/station253.linux.com-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =trun <-这行改成trun,不检测所有目录的文件完整性,应为我们系统中有些临时文件是随时都在改变的,如果这样监控,每次检测都会收到EMail,毫无意义。
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =4 <-改变检测的报告等级,增加报告的重要性。
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
POLFILE =/etc/tripwire/tw.pol
DBFILE =/usr/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/usr/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/station253.linux.com-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =trun <-这行改成trun,不检测所有目录的文件完整性,应为我们系统中有些临时文件是随时都在改变的,如果这样监控,每次检测都会收到EMail,毫无意义。
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =4 <-改变检测的报告等级,增加报告的重要性。
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
其他配置选项的定义都可以再man中找到,我的E文也差,就不在此乱翻译了。
修改以后保存退出。
修改以后保存退出。
为了安全,我把明文的配置文件加密。使用如下命令
[root@station253 man4]# twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase:
Wrote configuration file: /usr/local/etc/tw.cfg
其中输入的密码是安装时候你设置的密码。
Please enter your site passphrase:
Wrote configuration file: /usr/local/etc/tw.cfg
其中输入的密码是安装时候你设置的密码。
如果你想把加密的配置文件转换成明文的配置文件使用如下命令
[root@station253 man4]# twadmin --print-cfgfile
由于程序运行读取的是加密后的配置文件,所以可以防止hack修改我们的配置文件。
由于程序运行读取的是加密后的配置文件,所以可以防止hack修改我们的配置文件。
2、policy文件的修改。
[root@station253 man4]# vim /etc/tripwire/twpol.txt
这个是默认的策略文件,大家可以先看看这个文件什么样子。
这个是默认的策略文件,大家可以先看看这个文件什么样子。
如果对文件里面的配置选项有疑问,可以使用
man twplicy
来查看相关的配置说明。
下面我们使用一个GPL得工具,自动修改twpol.txt文件,让它适合我们系统的配合情况。
####################################################################
[root@station253 tripwire]# cat twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;
##################################################################
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;
##################################################################
简历这个脚本后,我们来运行它。
[root@station253 tripwire]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.out
删除旧的配置文件,把新配置文件改名字。
[root@station253 tripwire]# rm -f twpol.txt
[root@station253 tripwire]# mv twpol.txt.out twpol.txt
由于数据库的内容肯定是在不断变化的,所以我们要把它放在我们监控的范围外面。
[root@station253 tripwire]# mv twpol.txt.out twpol.txt
由于数据库的内容肯定是在不断变化的,所以我们要把它放在我们监控的范围外面。
编译twpol.txt
← 找到这一行,在这一行的下一行添加语句(113行前后)
!$(TWDB)/$(HOSTNAME).twd ; ← 添加这一句(不对数据库进行监测)
!$(TWDB)/$(HOSTNAME).twd ; ← 添加这一句(不对数据库进行监测)
好了,策略文件配置完成,下面建立加密的策略文件。
[root@station253 tripwire]# twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
配置基本完成了,现在我们要用Tripwire为我们工作了。一般tripwire工作分为三步
1建立数据库
[root@station253 ~]# tripwire --init
Please enter your local passphrase:
比较费时,耐心等待会吧。
Please enter your local passphrase:
比较费时,耐心等待会吧。
[root@station253 ~]# tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/misc" is on a different file system...ignoring.
The object: "/net" is on a different file system...ignoring.
The object: "/selinux" is on a different file system...ignoring.
The object: "/sys" is on a different file system...ignoring.
The object: "/var/lib/nfs/rpc_pipefs" is on a different file system...ignoring.
Wrote database file: /usr/lib/tripwire/station253.linux.com.twd
The database was successfully generated.
成功创建了。
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/misc" is on a different file system...ignoring.
The object: "/net" is on a different file system...ignoring.
The object: "/selinux" is on a different file system...ignoring.
The object: "/sys" is on a different file system...ignoring.
The object: "/var/lib/nfs/rpc_pipefs" is on a different file system...ignoring.
Wrote database file: /usr/lib/tripwire/station253.linux.com.twd
The database was successfully generated.
成功创建了。
2、完成性检查
[root@station253 report]# tripwire --check -r "/usr/lib/tripwire/report/station253.linux.com-20090827.twr" | logger -t tripwire
3、把加密的日志转换成明文查看。
twprint -m r -c /etc/tripwire/tw.cfg -r "/usr/lib/tripwire/report/station253.linux.com-20090827.twr" -L /etc/tripwire/station253.linux.com-local.key > tripwire-repot
下面我们可以通过查看tripwire-repot,就可以看见系统那些文件被改过了。
为了让tripwire自动化提供服务器,发现文件改变的时候给管理发送邮件,所有有了下面的脚本。
###################################################################
#!/bin/bash
PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
SITEPASS=123321 # Site Key Passphrase.. .......Site Keyfile...
LOCALPASS=123321 # Local Key Passphrase.. .......Local Keyfile...
REPORTFILE=/usr/lib/tripwire/report/`hostname`-`date +%Y%m%d`.twr
SITEPASS=123321 # Site Key Passphrase.. .......Site Keyfile...
LOCALPASS=123321 # Local Key Passphrase.. .......Local Keyfile...
REPORTFILE=/usr/lib/tripwire/report/`hostname`-`date +%Y%m%d`.twr
# Run the Tripwire
tripwire --check -r "$REPORTFILE"| logger -t tripwire
tripwire --check -r "$REPORTFILE"| logger -t tripwire
# Mail the Tripwire Report to root
cd /etc/tripwire
REPORTPRINT=`mktemp`
twprint -m r -c tw.cfg -r "$REPORTFILE" -L `hostname`-local.key -t 4 > $REPORTPRINT
if [ -z "$(grep 'Total violations found: 0' $REPORTPRINT)" ]; then
cat $REPORTPRINT | mail -s "Tripwire(R) Integrity Check Report in `hostname`" root
fi
rm -f $REPORTPRINT
cd /etc/tripwire
REPORTPRINT=`mktemp`
twprint -m r -c tw.cfg -r "$REPORTFILE" -L `hostname`-local.key -t 4 > $REPORTPRINT
if [ -z "$(grep 'Total violations found: 0' $REPORTPRINT)" ]; then
cat $REPORTPRINT | mail -s "Tripwire(R) Integrity Check Report in `hostname`" root
fi
rm -f $REPORTPRINT
# Update the Policy File
cd /etc/tripwire
twadmin --print-polfile > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.out
twadmin --create-polfile -S site.key -Q $SITEPASS twpol.txt.out | logger -t tripwire
rm -f twpol.*
cd /etc/tripwire
twadmin --print-polfile > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.out
twadmin --create-polfile -S site.key -Q $SITEPASS twpol.txt.out | logger -t tripwire
rm -f twpol.*
# update the Database
rm -f /usr/lib/tripwire/`hostname`.twd
tripwire --init -P $LOCALPASS | logger -t tripwire
################################################################
rm -f /usr/lib/tripwire/`hostname`.twd
tripwire --init -P $LOCALPASS | logger -t tripwire
################################################################
基本会自动检测数据库和现在系统状态的不同的地方。
然后发现不同的话,会mail通知制定用户,我们这里是root。
然后会跟新policy file和数据库,一般policy file都可以不用每次更新,这个大家根据自己的实际情况来修改脚本。
最后每天用计划任务来运行这个脚本,就完成了对系统的自动监控。
不过最好还是手动检测系统,应为这样密码就暴露在hack的面前,而且hack也可以通过截取Email来修改邮件内容等方式欺骗admin。所以最好还是手动检测,
最后就是删除明文的配置文件.txt结尾的,和程序的安装文件,这样可以提高程序安全度。
Tripwire的教程基本到这里。谢谢。tripwire这个名字真的好难记。郁闷
本文转自 fenghao.cn 51CTO博客,原文链接:http://blog.51cto.com/linuxguest/200665,如需转载请自行联系原作者
