安装 Tripwire
wget [url]http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.3.1-2.tar.gz[/url]
← 下载源代码
tar zxvf tripwire-2.3.1-2.tar.gz
cd tripwire-2.3.1-2
wget [url]http://www.frenchfries.net/paul/tripwire/tw-20030919.patch.gz[/url]
gunzip tw-20030919.patch.gz
patch -p1 < tw-20030919.patch
chmod 755 configure
./configure --sysconfdir=/etc/tripwire
make
make install
之后要按enter阅读许可协议,然后输入accept,然后按Y继续
接下来要输入“site keyfile”口令(2次)
然后是输入“local keyfile”口令(2次)
完成后会重新提示输入site keyfile
生成配置文件
然后又提示输入输入site keyfile”口令
生成策略文件
到此安装结束
配置 Tripwire
vi /etc/tripwire/twcfg.txt ← 修改文本格式的Tripwire配置文件
LOOSEDIRECTORYCHECKING =false ← 找到这一个行,将false的值变为true(不监测所属目录的数据完整性)
REPORTLEVEL =3 ← 找到这一行,将3变为4(改变监测结果报告的等级)
twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt ← 从文本配置文件建立加密格式配置文件
输入“site keyfile”口令,稍后就生成了配置文件
rm -f /etc/tripwire/twcfg.txt ← 为不留安全隐患,删除文本格式的配置文件
注:恢复文本格式的Tripwire配置文件,可通过执行“twadmin --print-cfgfile > /etc/tripwire/twcfg.txt”。
Policy文件的配置
vi /etc/tripwire/twpolmake.pl ← 建立用于建立Policy文件的Perl脚本
脚本内容
vi /etc/tripwire/twpolmake.pl ← 建立用于建立Policy文件的Perl脚本
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;
perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.out
← 建立Policy文件
rm -f /etc/tripwire/twpol.txt ← 删除默认Policy文件
mv /etc/tripwire/twpol.txt.out /etc/tripwire/twpol.txt ← 将新建立的Policy文件的名改为默认Policy文件的文件名
vi /etc/tripwire/twpol.txt ← 编辑Policy文件
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; ← 找到这一行,在这一行的下一行添加语句(113行前后)
!$(TWDB)/$(HOSTNAME).twd ; ← 添加这一句(不对数据库进行监测)
twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt ← 从文本配置文件建立加密格式配置文件
输入“site keyfile”口令
rm -f /etc/tripwire/twcfg.txt ← 为不留安全隐患,删除文本格式的配置文件
注:恢复文本格式的Tripwire配置文件,可通过执行“twadmin --print-cfgfile > /etc/tripwire/twcfg.txt”。
tripwire --init ← 建立数据库
输入“local keyfile”口令
运行 Tripwire
vi tripwire-check ← 建立Tripwire运行脚本
#!/bin/bash
PATH=/usr/local/sbin:/usr/bin:/bin
SITEPASS=
******** # Site Key Passphrase
← 将星号部分换为Site Keyfile的口令
LOCALPASS=
******** # Local Key Passphrase
← 将星号部分换为Local Keyfile的口令
REPORTFILE=/usr/local/lib/tripwire/report/`hostname`-`date +%Y%m%d`.twr
# Run the Tripwire
tripwire --check -r "$REPORTFILE"| logger -t tripwire
# Mail the Tripwire Report to root
cd /etc/tripwire
REPORTPRINT=`mktemp`
twprint -m r -c tw.cfg -r "$REPORTFILE" -L `hostname`-local.key -t 4 > $REPORTPRINT
if [ -z "$(grep 'Total violations found: 0' $REPORTPRINT)" ]; then
cat $REPORTPRINT | mail -s "Tripwire(R) Integrity Check Report in `hostname`" root
fi
rm -f $REPORTPRINT
# Update the Policy File
cd /etc/tripwire
twadmin --print-polfile > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.out
twadmin --create-polfile -S site.key -Q $SITEPASS twpol.txt.out | logger -t tripwire
rm -f twpol.*
# update the Database
rm -f /usr/local/lib/tripwire/`hostname`.twd
tripwire --init -P $LOCALPASS | logger -t tripwire
chmod 700 tripwire-check
[2] 测试运行脚本
./tripwire-check
← 运行一次脚本
由于增加了运行脚本本身,也被认作系统被作了改动,会发邮件通知root…查看邮箱回收到监测报告
[3] 在服务器本地监测报告的浏览
ls -l /usr/local/lib/tripwire/report/ ← 监测报告所在目录的文件列表
cd /etc/tripwire
twprint -m r -c tw.cfg -r "/usr/local/lib/tripwire/report/sample.centospub.com-20060823.twr" -L sample.centospub.com-local.key -t 4 > tripwire-report ← 将监测报告保存到名为tripwire-report的文件中
cat tripwire-report ← 浏览监测报告
rm -f tripwire-report ← 删除监测报告
mv tripwire-check /etc/cron.daily/ ← 转移脚本到每天自动运行的目录中
这样系统中有任何变化,都会在邮件中看到
如果以后安装了其他软件需要更新数据库
需要重新运行
tripwire --init