When a server is compromised, in most cases the attacker modifies important files such as system files. To deal with this we build a data-integrity monitoring system with Tripwire. It cannot stop an attack or prevent an attacker from modifying critical files, but it can detect whether files have been modified and which ones, so that after an incident you can plan a targeted response.
Tripwire works as follows: after it is installed and configured, it records the current state of the system's data in a database. As files are added, deleted and modified, Tripwire compares the current state of the system against this database (which is itself updated over time) to determine which files have been added, deleted or modified. Because the initial database is built only after Tripwire itself has been installed and configured, the integrity-monitoring system must be set up before the server goes into service, that is, right after the operating system has been installed.
For each system file it is asked to verify, Tripwire computes something like an md5 digest and produces a unique identifier, a "snapshot". When any attribute of these files (size, inode number, permissions, timestamps and so on) is modified, running Tripwire again compares the old and new attributes and generates a detailed report.
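To make the snapshot-and-compare principle concrete before the install walkthrough, here is an added example in POSIX shell; it is not Tripwire's code and not part of the original post. It records size, inode number, permission bits, mtime and a SHA-256 digest for every file under a directory (Tripwire records more attributes and keeps them in a signed database), tampers with a constructed sample tree, and reports which files were added, removed or changed. It assumes GNU coreutils (stat -c, sha256sum) and a writable temporary directory; the demo() function and its sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: minimal "snapshot and compare" in the spirit of Tripwire.
# Assumes GNU coreutils (stat -c, sha256sum). Not Tripwire's own code.

# take_snapshot DIR OUTFILE
# One line per regular file: path <TAB> "size inode mode mtime" <TAB> sha256
take_snapshot() {
    dir=$1; out=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        meta=$(stat -c '%s %i %a %Y' "$f")      # size, inode, octal mode, mtime
        sum=$(sha256sum "$f" | cut -d' ' -f1)   # content digest
        printf '%s\t%s\t%s\n' "$f" "$meta" "$sum"
    done > "$out"
}

# compare_snapshots BASELINE CURRENT
# Prints "ADDED|CHANGED|REMOVED <path>" per difference, sorted.
# A change in any recorded attribute (mode, inode, mtime, size, digest) counts.
compare_snapshots() {
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$1] = $2 FS $3; next }   # first file: baseline
        {
            if (!($1 in base))               print "ADDED", $1
            else if (base[$1] != $2 FS $3)   print "CHANGED", $1
            seen[$1] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED", p }
    ' "$1" "$2" | LC_ALL=C sort
}

# demo: build a constructed sample tree, baseline it, tamper, then compare.
# Output paths are printed relative to the sample tree root.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/bin"
    printf 'original\n' > "$work/tree/bin/ls"
    printf 'keep\n'     > "$work/tree/bin/cat"
    printf 'gone\n'     > "$work/tree/bin/rm"
    take_snapshot "$work/tree" "$work/baseline.db"

    # Simulated tampering: content change, new file, deletion, setuid bit only
    printf 'trojaned\n' > "$work/tree/bin/ls"
    printf 'new\n'      > "$work/tree/bin/evil"
    rm "$work/tree/bin/rm"
    chmod 4755 "$work/tree/bin/cat"   # content untouched, mode changed

    take_snapshot "$work/tree" "$work/current.db"
    compare_snapshots "$work/baseline.db" "$work/current.db" | sed "s|$work/tree||"
    rm -rf "$work"
}

demo
```

Running it prints ADDED /bin/evil, CHANGED /bin/cat, CHANGED /bin/ls and REMOVED /bin/rm. The /bin/cat line is the point worth noticing: a digest-only check would miss a permission change such as a newly set setuid bit, which is why Tripwire tracks inode metadata alongside the hash.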
Go to: http://sourceforge.net/projects/tripwire/files/
Download tripwire-2.4.1.2-src.tar.bz2
Environment:
OS: CentOS 5.4
Software: tripwire-2.4.1.2-src.tar.bz2
1. Installation
Extract the archive
# bzip2 -d tripwire-2.4.1.2-src.tar.bz2
# tar xvf tripwire-2.4.1.2-src.tar
or
# tar jxvf tripwire-2.4.1.2-src.tar.bz2
# cd tripwire-2.4.1.2-src
# ./configure --prefix=/usr/local/tripwire ← install Tripwire under /usr/local/tripwire
# make ← compile
-------------------
---build output----
-----omitted-------
-------------------
# make install ← install
-------------------
---install output--
-----omitted-------
-------------------
The license text appears:
Press ENTER to view the License Agreement. ← press Enter to read the license
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept ← type "accept" to agree to the license
Using configuration file ./install/install.cfg
Checking for programs specified in install configuration file....
/usr/sbin/sendmail -oi -t exists. Continuing installation.
/bin/vi exists. Continuing installation.
----------------------------------------------
Verifying existence of binaries...
./bin/siggen found
./bin/tripwire found
./bin/twprint found
./bin/twadmin found
This program will copy Tripwire files to the following directories:
TWBIN: /usr/local/tripwire/sbin
TWMAN: /usr/local/tripwire/man
TWPOLICY: /usr/local/tripwire/etc
TWREPORT: /usr/local/tripwire/lib/tripwire/report
TWDB: /usr/local/tripwire/lib/tripwire
TWSITEKEYDIR: /usr/local/tripwire/etc
TWLOCALKEYDIR: /usr/local/tripwire/etc
CLOBBER is false.
Continue with installation? [y/n] y ← type y to continue the installation
----------------------------------------------
Creating directories...
/usr/loca/tripwire/sbin: already exists
/usr/loca/tripwire/etc: created
/usr/loca/tripwire/lib/tripwire/report: created
/usr/loca/tripwire/lib/tripwire: already exists
/usr/loca/tripwire/etc: already exists
/usr/loca/tripwire/etc: already exists
/usr/loca/tripwire/man: created
/usr/loca/tripwire/doc/tripwire: created
----------------------------------------------
Copying files...
/usr/loca/tripwire/doc/tripwire/COPYING: copied
/usr/loca/tripwire/doc/tripwire/TRADEMARK: copied
/usr/loca/tripwire/doc/tripwire/policyguide.txt: copied
/usr/loca/tripwire/etc/twpol-Linux.txt: copied
----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.
Passphrases should be at least 8 characters in length
and contain both letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: ← enter the site keyfile passphrase (not echoed) and remember it
Verify the site keyfile passphrase: ← enter the site keyfile passphrase again to confirm
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: ← enter the local keyfile passphrase (not echoed) and remember it
Verify the local keyfile passphrase: ← enter the local keyfile passphrase again to confirm
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Generating Tripwire configuration file...
----------------------------------------------
Creating signed configuration file...
Please enter your site passphrase: ← enter the site keyfile passphrase (not echoed)
Wrote configuration file: /usr/loca/tripwire/etc/tw.cfg
A clear-text version of the Tripwire configuration file
/usr/loca/tripwire/etc/twcfg.txt
has been preserved for your inspection. It is recommended
that you delete this file manually after you have examined it.
----------------------------------------------
Customizing default policy file...
----------------------------------------------
Creating signed policy file...
Please enter your site passphrase: ← enter the site keyfile passphrase (not echoed)
Wrote policy file: /usr/loca/tripwire/etc/tw.pol
A clear-text version of the Tripwire policy file
/usr/loca/tripwire/etc/twpol.txt
has been preserved for your inspection. This implements
a minimal policy, intended only to test essential
Tripwire functionality. You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.
----------------------------------------------
The installation succeeded.
Please refer to
for release information and to the printed user documentation
for further instructions on using Tripwire 2.4 Open Source.
make[3]: Leaving directory `/home/admin/tripwire-2.4.1.2-src'
make[2]: Leaving directory `/home/admin/tripwire-2.4.1.2-src'
make[1]: Leaving directory `/home/admin/tripwire-2.4.1.2-src'
Installation complete.
. Configuration file: defines the locations of the database, the policy file and the Tripwire executables:
/usr/local/tripwire/etc/twcfg.txt
. Policy: defines which objects are checked and what to do on a violation:
/usr/local/tripwire/etc/twpol.txt
. Database: holds the generated snapshots:
/usr/local/tripwire/lib/tripwire/$(HOSTNAME).twd
In addition, to protect itself against tampering, Tripwire encrypts and signs its own files. Two keys are involved:
. site key: protects the policy and configuration files; machines that use the same policy and configuration can share the same site key:
/usr/local/tripwire/etc/site.key
. local key: protects the database and the reports; it is unique to each host and is never shared:
/usr/local/tripwire/etc/$(HOSTNAME)-local.key
2. Configuring Tripwire
# vi /usr/local/tripwire/etc/twcfg.txt ← edit the plain-text Tripwire configuration file
LOOSEDIRECTORYCHECKING =false ← find this line and change false to true (do not check the integrity of the containing directory itself)
↓
LOOSEDIRECTORYCHECKING =true ← after the change
REPORTLEVEL =3 ← find this line and change 3 to 4 (raises the detail level of check reports)
↓
REPORTLEVEL =4 ← after the change
# /usr/local/tripwire/sbin/twadmin --create-cfgfile -S site.key twcfg.txt ← create the signed configuration file from the plain-text one (run from /usr/local/tripwire/etc, where site.key and twcfg.txt live)
Please enter your site passphrase: ← enter the site keyfile passphrase
Wrote configuration file: /usr/local/tripwire/etc/tw.cfg
Edit twpol.txt to control which directories are checked; comment out or delete the paths that should not be scanned.
Save twpol.txt when you are done.
3. Initializing the database
#/usr/local/tripwire/sbin/tripwire --init
Please enter your local passphrase: ← enter the local keyfile passphrase
Parsing policy file: /usr/local/tripwire/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/sys" is on a different file system...ignoring.
-------------------
------output-------
------omitted------
-------------------
Wrote database file: /usr/local/tripwire/lib/tripwire/localhost.localdomain.twd
The database was successfully generated.
4. Updating the database
After you have edited twpol.txt, run this command to update the database:
# cd /usr/local/tripwire
# ./sbin/tripwire --update-policy --secure-mode low /usr/local/tripwire/etc/twpol.txt
Parsing policy file: /usr/local/tripwire/etc/twpol.txt
Please enter your local passphrase: ← enter the local keyfile passphrase
Please enter your site passphrase: ← enter the site keyfile passphrase
======== Policy Update: Processing section Unix File System.
======== Step 1: Gathering information for the new policy.
The object: "/sys" is on a different file system...ignoring.
-------------------
------output-------
------omitted------
-------------------
Wrote policy file: /usr/local/tripwire/etc/tw.pol
Wrote database file: /usr/local/tripwire/lib/tripwire/localhost.localdomain.twd
5. Checking for file changes
Once Tripwire is installed, you can check periodically whether any files have changed.
Add --interactive to display the results directly in the current session:
# ./sbin/tripwire --check --interactive
Parsing policy file: /usr/local/tripwire/etc/tw.pol
*** Processing Unix File System ***
-------------------
------output-------
------omitted------
-------------------
6. Viewing reports
All Tripwire reports are saved with the .twr suffix under lib/tripwire/report; use twprint to convert them to text:
# ./sbin/twprint --print-report --twrfile ./lib/tripwire/report/localhost.localdomain-20100225-164220.twr > /tmp/tripwire_readable.txt
# cat /tmp/tripwire_readable.txt
Tripwire is simple to use and maintain. But effective monitoring of the system ultimately depends on the administrator defining a complete policy and a check schedule, so that problems are noticed in time. Also, Tripwire can only tell you which files were modified and which attributes changed; judging those changes and repairing the system is up to the administrator. Tripwire is a hindsight tool: it tells you what happened after the fact.
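The periodic check from section 5 and the report conversion from section 6 lend themselves to a cron job. The script below is an added example, not part of the post and not the Tripwire project's code: it runs a non-interactive check, picks the newest .twr report, renders it with twprint to the same /tmp/tripwire_readable.txt the post uses, and exits non-zero when the report's summary shows violations, so cron mail or a monitoring agent can pick it up. TW_ROOT, the "run" argument and the cron path in the comment are assumptions; the "Total violations found:" line is the one twprint prints in its summary.

```shell
#!/bin/sh
# Added example: cron-friendly Tripwire check wrapper (not Tripwire's code).
# Suggested crontab entry (assumed path):
#   30 3 * * * root /usr/local/sbin/tw-check.sh run

TW_ROOT=${TW_ROOT:-/usr/local/tripwire}
TW_REPORTS="$TW_ROOT/lib/tripwire/report"

# latest_report DIR: newest .twr file. Reports are named
# <hostname>-YYYYMMDD-HHMMSS.twr, so a byte-wise sort orders them by time.
latest_report() {
    ls "$1"/*.twr 2>/dev/null | LC_ALL=C sort | tail -n 1
}

# violation_count FILE: number from the "Total violations found:" summary line
# of a twprint text report; prints 0 when the line is absent.
violation_count() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${n:-0}"
}

# run_check: check without touching the database, render the newest report,
# report the violation count and return non-zero if it is not zero.
run_check() {
    # tripwire --check itself exits non-zero when it finds violations,
    # so its status is deliberately ignored here; the report is what matters.
    "$TW_ROOT/sbin/tripwire" --check >/dev/null 2>&1 || true
    rpt=$(latest_report "$TW_REPORTS")
    [ -n "$rpt" ] || { echo "no Tripwire report found in $TW_REPORTS" >&2; return 2; }
    txt=/tmp/tripwire_readable.txt
    "$TW_ROOT/sbin/twprint" --print-report --twrfile "$rpt" > "$txt" || return 2
    n=$(violation_count "$txt")
    echo "report: $rpt  violations: $n  (text: $txt)"
    [ "$n" -eq 0 ]
}

# Only run the check when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then run_check; fi
```

Reports accumulate in lib/tripwire/report, one per check, so an unexpected gap in the sequence of filenames is itself worth a look: a check that was never run (or a deleted report) is a signal the summary line cannot give you.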