Installing and configuring Tripwire to harden your Linux system

王朝system · author unknown   2006-01-08

1. Why install tripwire

Once Linux is installed and configured, you should install the tripwire package right away. It records the characteristics of files, such as object size, owner, group and access permissions, in a fingerprint database and checks them periodically. When the current state of a file no longer matches the fingerprint database, tripwire raises a warning telling you which properties differ from the database.

2. Installation procedure

Note: this document uses Red Hat Linux 7.3; the setup on other distributions is similar.

1. Install the package: rpm -Uvh tripwire-<version>.rpm

2. Change to the working directory /etc/tripwire, which contains two configuration files:

§ twcfg.txt: sets tripwire's working environment; adjust it to suit your own habits.

§ twpol.txt: specifies which properties of which files tripwire monitors.

3. The default twcfg.txt contains:

ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t

§ DBFILE is the file name of the fingerprint database.

§ REPORTFILE is the file name of the check report.

4. Next look at twpol.txt, which we can edit to specify which properties of which files tripwire monitors. The properties tripwire can monitor are listed in the twpolicy man page, in the "property masks" section, as follows:

- Ignore the following properties
+ Record and check the following properties
a Access timestamp
b Number of blocks allocated
c Inode timestamp (create/modify)
d ID of device on which inode resides
g File owner's group ID
i Inode number
l File is increasing in size (a "growing file")
m Modification timestamp
n Number of links (inode reference count)
p Permissions and file mode bits
r ID of device pointed to by inode (valid only for device objects)
s File size
t File type
u File owner's user ID
C CRC-32 hash value
H Haval hash value
M MD5 hash value
S SHA hash value

The meaning of "+" and "-" is explained later.

5. How do you ask tripwire to monitor particular files? The twpol.txt shipped with Red Hat already puts the important configuration files and programs under monitoring; you can find a section like this one:

(
  rulename = "Security Control",
  severity = $(SIG_HI)
)
{
  /etc/group -> $(SEC_CRIT) ;
  /etc/security -> $(SEC_CRIT) ;
}

This section puts the two objects /etc/group and /etc/security into the "Security Control" group. Its severity is defined by the variable SIG_HI, whose value is 100 (introduced shortly). And which properties of /etc/group and /etc/security does tripwire monitor? That is defined by the variable SEC_CRIT.

6. Browsing twpol.txt from the top, you can find the following section:

@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability

You can see that the value of SIG_HI is 100, as stated in the previous point. Which properties of /etc/group tripwire monitors is defined by SEC_CRIT, and here you find that SEC_CRIT equals "$(IgnoreNone)-SHa". So which properties are those?

To solve this puzzle you first have to find out how the variable IgnoreNone is defined. Searching all of twpol.txt does not answer it: IgnoreNone, like ReadOnly, Dynamic and Growing below, is a variable predefined by tripwire. The "Variables" section of the twpolicy man page lists them as follows:

ReadOnly   ReadOnly is good for files that are widely available but are intended to be read-only. Value: +pinugtsdbmCM-rlacSH

Dynamic    Dynamic is good for monitoring user directories and files that tend to be dynamic in behavior. Value: +pinugtd-srlbamcCMSH

Growing    The Growing variable is intended for files that should only get larger. Value: +pinugtdl-srbamcCMSH

Device     Device is good for devices or other files that Tripwire should not attempt to open. Value: +pugsdr-intlbamcCMSH

IgnoreAll  IgnoreAll tracks a file's presence or absence, but doesn't check any other properties. Value: -pinugtsdrlbamcCMSH

IgnoreNone IgnoreNone turns on all properties and provides a convenient starting point for defining your own property masks. (For example, mymask = $(IgnoreNone) -ar;) Value: +pinugtsdrbamcCMSH-l

From the above, the value of IgnoreNone is "+pinugtsdrbamcCMSH-l": the letters after "+" are the properties to monitor, and the letters after "-" are the properties not to monitor. So what does "$(IgnoreNone)-SHa" mean? It takes the S, H and a properties, which IgnoreNone monitors, and switches them off.

You can modify this file according to your needs.

7. Next, run ./twinstall.sh inside /etc/tripwire. During execution it asks you to set two passphrases:

§ site passphrase: used when encrypting twpol.txt and twcfg.txt.

§ local passphrase: used when encrypting the fingerprint database.

Afterwards it asks you to enter the correct site passphrase again and encrypts twpol.txt and twcfg.txt, producing tw.pol and tw.cfg from the plain-text originals. The process looks like this:

[root@localhost tripwire]# ./twinstall.sh

----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases should be at least 8 characters in length
and contain both letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Signing configuration file...
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended
that you delete this file manually after you have examined it.

----------------------------------------------
Signing policy file...
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements
a minimal policy, intended only to test essential
Tripwire functionality. You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.

You have new mail in /var/spool/mail/root

After twinstall.sh has finished, you should delete the two plain-text files twpol.txt and twcfg.txt or move them elsewhere.

8. Run tripwire -m i to build the fingerprint database; it asks you for the local passphrase.

[root@localhost tripwire]# tripwire -m i
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /proc/scsi
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
Wrote database file: /var/lib/tripwire/localhost.localdomain.twd
The database was successfully generated.
You have new mail in /var/spool/mail/root

9. Perhaps you doubt whether tripwire can really detect the smallest change to a file. Let's run an experiment: change the "x" in the second field of the first line of /etc/group to "X":

[root@localhost tripwire]# head -1 /etc/group
root:x:0:root
[root@localhost tripwire]# vi /etc/group
[root@localhost tripwire]# head -1 /etc/group
root:X:0:root

10. Next run "tripwire -m c --interactive" to perform a check. At the end a report appears (opened in vi by default) containing:

§ "Rule Summary": the check result for every rule group.

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                                    Severity Level  Added  Removed  Modified
  ---------                                    --------------  -----  -------  --------
  Invariant Directories                        66              0      0        0
  Temporary directories                        33              0      0        0
* Tripwire Data Files                          100             1      0        0
  Critical devices                             100             0      0        0
  User binaries                                66              0      0        0
  Tripwire Binaries                            100             0      0        0
  Critical configuration files                 100             0      0        0
  Libraries                                    66              0      0        0
  Operating System Utilities                   100             0      0        0
  Critical system boot files                   100             0      0        0
  File System and Disk Administraton Programs  100             0      0        0
  Kernel Administration Programs               100             0      0        0
  Networking Programs                          100             0      0        0
  System Administration Programs               100             0      0        0
  Hardware and Device Control Programs         100             0      0        0
  System Information Programs                  100             0      0        0
  Application Information Programs             100             0      0        0
  Shell Related Programs                       100             0      0        0
  Critical Utility Sym-Links                   100             0      0        0
  Shell Binaries                               100             0      0        0
  System boot changes                          100             0      0        0
  OS executables and libraries                 100             0      0        0
* Security Control                             100             0      0        1
  Login Scripts                                100             0      0        0
  Root config files                            100             0      0        0

Total objects scanned:  15675
Total violations found:  2

Two groups show changes: one is tripwire's own data files (an added file), the other is the "Security Control" group (/etc/group belongs to it!).

§ "Object Summary": the list of objects that changed.

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/var/lib/tripwire/localhost.localdomain.twd"

-------------------------------------------------------------------------------
Rule Name: Security Control (/etc/group)
Severity Level: 100
-------------------------------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Modified:
[x] "/etc/group"

/etc/group has been detected as modified. If you want the fingerprint database's record of /etc/group updated to its current state, keep the x inside the [ ] in front of /etc/group; otherwise change it to a space.

§ "Object Detail": detailed information on each changed object, such as which properties changed.

===============================================================================
Object Detail:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)

Although only an x was changed to X, four properties were affected, the most important of them being the MD5 value. As soon as a file's MD5 value differs from the original, you can conclude that the file's contents have been modified.
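The two ideas the article builds on, resolving a property mask such as "$(IgnoreNone)-SHa" into the set of checked properties (step 6) and then fingerprinting a file and reporting which of those properties changed after the x -> X edit (steps 8 to 10), can be reproduced in a few dozen lines. The script below is an added illustration written for this page, not code from the article or from the Tripwire project: the mask values are the ones quoted from twpolicy(4) above, the sample file content is a constructed copy of the first line of /etc/group, and the Haval ("H") property is not implemented because the Python standard library has no Haval.

```python
import hashlib
import os
import stat
import tempfile
import time
import zlib

# Tripwire's predefined property-mask variables, copied from the twpolicy(4) excerpt above.
PREDEFINED = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}

def resolve_mask(expr, variables=PREDEFINED):
    """Expand $(Var) references, then apply the '+' and '-' groups left to right.
    Returns the set of property letters that end up being checked."""
    for name, value in variables.items():
        expr = expr.replace("$(%s)" % name, value)
    checked, sign = set(), "+"
    for ch in expr.replace(" ", ""):
        if ch in "+-":
            sign = ch
        elif sign == "+":
            checked.add(ch)
        else:
            checked.discard(ch)
    return checked

def _bytes(path):
    # Whole-file read; fine for the sample files this example works on.
    with open(path, "rb") as f:
        return f.read()

# One collector per property letter of the man page table. 'H' (Haval) is not
# available in hashlib and is therefore simply not collected here.
COLLECTORS = {
    "p": lambda st, p: stat.S_IMODE(st.st_mode),  # permissions / mode bits
    "i": lambda st, p: st.st_ino,                 # inode number
    "n": lambda st, p: st.st_nlink,               # link count
    "u": lambda st, p: st.st_uid,                 # owner uid
    "g": lambda st, p: st.st_gid,                 # owner gid
    "t": lambda st, p: stat.S_IFMT(st.st_mode),   # file type
    "s": lambda st, p: st.st_size,                # size
    "d": lambda st, p: st.st_dev,                 # device holding the inode
    "r": lambda st, p: st.st_rdev,                # device the inode points to
    "b": lambda st, p: st.st_blocks,              # blocks allocated
    "a": lambda st, p: st.st_atime_ns,            # access time
    "m": lambda st, p: st.st_mtime_ns,            # modification time
    "c": lambda st, p: st.st_ctime_ns,            # inode change time
    "l": lambda st, p: st.st_size,                # "growing": compared as must-not-shrink
    "C": lambda st, p: zlib.crc32(_bytes(p)) & 0xFFFFFFFF,     # CRC-32
    "M": lambda st, p: hashlib.md5(_bytes(p)).hexdigest(),     # MD5
    "S": lambda st, p: hashlib.sha1(_bytes(p)).hexdigest(),    # SHA (SHA-1 in Tripwire)
}

def fingerprint(path, checked):
    """Record the checked properties of one file: the per-object equivalent of
    building the database with 'tripwire -m i'."""
    st = os.lstat(path)
    return {k: COLLECTORS[k](st, path) for k in checked if k in COLLECTORS}

def compare(baseline, current):
    """Return the property letters whose current value no longer matches the baseline."""
    changed = set()
    for k, old in baseline.items():
        new = current.get(k)
        if k == "l":
            if new < old:           # a growing file may only get larger
                changed.add(k)
        elif new != old:
            changed.add(k)
    return changed

def demo_group_edit():
    """Re-run the article's x -> X experiment on a constructed copy of the first line
    of /etc/group, checked with the SEC_CRIT mask. Returns the changed property letters."""
    checked = resolve_mask("$(IgnoreNone)-SHa")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "group")
        with open(path, "w") as f:
            f.write("root:x:0:root\n")      # constructed sample line
        baseline = fingerprint(path, checked)
        time.sleep(0.05)                    # let the kernel's coarse timestamp clock advance
        with open(path, "w") as f:
            f.write("root:X:0:root\n")      # same size, one byte different
        return compare(baseline, fingerprint(path, checked))

if __name__ == "__main__":
    print("SEC_CRIT checks:", "".join(sorted(resolve_mask("$(IgnoreNone)-SHa"))))
    print("changed after x -> X:", "".join(sorted(demo_group_edit())))
```

With SEC_CRIT the size, inode, owner and permission properties stay identical after the edit, so only the content-derived properties (CRC-32 and MD5) and, once the timestamps have ticked, the m and c timestamps differ: the four properties the article reports. The same script also shows why "-SHa" is a sensible trim of IgnoreNone for critical files: S and H duplicate what M already proves about the content, and a (access time) changes every time anybody reads the file.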

§ tripwire runs its check automatically every day and e-mails the result to root. You should also run "tripwire -m c --interactive" regularly to update the fingerprint database.
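Since the daily run mails the same Rule Summary table shown above, the first thing worth automating is picking out the rules that actually reported a change, so that a report full of zeros can be filed and a report with a flagged high-severity rule gets looked at. The parser below is an added example written for this page, not part of the article or of Tripwire; its SAMPLE_REPORT is a constructed excerpt in the table layout shown above, and it assumes that layout (a rule name followed by four integers, with long names wrapped onto a line of their own and flagged rules prefixed with "*").

```python
import re

# Constructed excerpt of a Rule Summary in the layout shown above (not a real run).
SAMPLE_REPORT = """\
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Invariant Directories           66                0        0        0
* Tripwire Data Files             100               1        0        0
  Critical configuration files    100               0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        0
* Security Control                100               0        0        1
  Root config files               100               0        0        0

Total objects scanned:  15675
Total violations found:  2
"""

def parse_rule_summary(report):
    """Turn the Rule Summary table into a list of dicts. A rule name that wraps onto
    its own line is joined with the four numbers that follow on the next line."""
    rules, pending, in_table = [], "", False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Rule Name"):
            in_table = True
            continue
        if not in_table or not line or set(line) <= set("- "):
            continue                        # skip header rulers and blank lines
        if line.startswith("Total objects scanned"):
            break
        parts = line.split()
        if len(parts) >= 4 and all(p.isdigit() for p in parts[-4:]):
            severity, added, removed, modified = map(int, parts[-4:])
            name = " ".join(pending.split() + parts[:-4]).lstrip("* ")
            rules.append({"name": name, "severity": severity, "added": added,
                          "removed": removed, "modified": modified})
            pending = ""
        else:
            pending = line                  # first half of a wrapped rule name
    return rules

def total_violations(report):
    """The 'Total violations found' count, or None if the line is missing."""
    m = re.search(r"Total violations found:\s*(\d+)", report)
    return int(m.group(1)) if m else None

def triage(report, min_severity=100):
    """Names of rules at or above min_severity that reported an added, removed or modified object."""
    return [r["name"] for r in parse_rule_summary(report)
            if r["severity"] >= min_severity
            and (r["added"] or r["removed"] or r["modified"])]

if __name__ == "__main__":
    print(total_violations(SAMPLE_REPORT), "violations; rules to inspect:", triage(SAMPLE_REPORT))
```

Run against the sample it lists "Tripwire Data Files" and "Security Control", the two starred rows of the table above. The severity threshold mirrors the SIG_LOW/SIG_MED/SIG_HI values from twpol.txt, so the same filter can be tuned to ignore the 33-level temporary directories while still stopping on anything at 100.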

 
 
 