Learning Tripwire

王朝 other · Author: anonymous  2006-01-10

Monitors system files for changes.

GPL

http://sourceforce.net/projects/tripwire/

http://www.rpmfind.com

http://www.redhat.com

There is also a commercial version:

http://www.tripwiresecurity.com

I installed it with:

yum install tripwire

Version: tripwire-2.3.1-22

Some less commonly used rpm options (list the package's documentation files, and page through its changelog):

rpm -qd tripwire

rpm -q --changelog tripwire | less

Files installed by the package:

[root@localhost misc]# rpm -ql tripwire

/etc/cron.daily/tripwire-check

/etc/tripwire

/etc/tripwire/twcfg.txt

/etc/tripwire/twpol.txt

/usr/sbin/siggen

/usr/sbin/tripwire

/usr/sbin/tripwire-setup-keyfiles ------------------------- generates the site and local key pairs

/usr/sbin/twadmin

/usr/sbin/twprint

/usr/share/doc/tripwire-2.3.1 ------------------------------- documentation

/usr/share/doc/tripwire-2.3.1/COPYING

/usr/share/doc/tripwire-2.3.1/ChangeLog

/usr/share/doc/tripwire-2.3.1/Latest-Changes

/usr/share/doc/tripwire-2.3.1/License-Issues

/usr/share/doc/tripwire-2.3.1/README

/usr/share/doc/tripwire-2.3.1/README.RPM

/usr/share/doc/tripwire-2.3.1/Release_Notes

/usr/share/doc/tripwire-2.3.1/TRADEMARK

/usr/share/doc/tripwire-2.3.1/policyguide.txt

/usr/share/doc/tripwire-2.3.1/quickstart.gif

/usr/share/doc/tripwire-2.3.1/quickstart.txt

/usr/share/man/man4/twconfig.4.gz

/usr/share/man/man4/twpolicy.4.gz

/usr/share/man/man5/twfiles.5.gz

/usr/share/man/man8/siggen.8.gz

/usr/share/man/man8/tripwire.8.gz

/usr/share/man/man8/twadmin.8.gz

/usr/share/man/man8/twintro.8.gz

/usr/share/man/man8/twprint.8.gz

/var/lib/tripwire

/var/lib/tripwire/report

Tripwire configuration file

twadmin --print-cfgfile (short form: -m f) prints the contents of the current configuration file

My tripwire configuration file (twcfg.txt):

ROOT =/usr/sbin

POLFILE =/etc/tripwire/tw.pol

DBFILE =/var/lib/tripwire/$(HOSTNAME).twd

REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr

SITEKEYFILE =/etc/tripwire/site.key

LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key

EDITOR =/bin/vi

#LATEPROMPTING =false

LATEPROMPTING =true

LOOSEDIRECTORYCHECKING =true

MAILNOVIOLATIONS =true

EMAILREPORTLEVEL =3

REPORTLEVEL =3

MAILMETHOD =SENDMAIL

SYSLOGREPORTING =true

MAILPROGRAM =/usr/sbin/sendmail -oi -t

TEMPDIRECTORY =/var/run/tripwire

GLOBALEMAIL ="root@localhost,charles@192.168.1.25"
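The config above uses the two variables Tripwire substitutes at run time, $(HOSTNAME) and $(DATE), so the database and report paths differ from host to host. The following POSIX sh functions are an added example (not part of the original post and not Tripwire's own code) that read a twcfg.txt-style file and expand those two variables, so you can see which concrete paths a given host resolves to before you sign the file. The sample configuration it builds is constructed from the values above; the function and file names (`twcfg_expand`, `twcfg_get`, `make_sample_cfg`) are the example's own.

```shell
#!/bin/sh
# Added example: expand $(HOSTNAME) and $(DATE) in a twcfg.txt-style file.
# Only the two variables Tripwire itself substitutes are handled; everything
# else is passed through unchanged. Comment lines (leading '#') are skipped.

# twcfg_expand FILE HOSTNAME DATE
# Prints "KEY=VALUE" lines with the two variables replaced.
twcfg_expand() {
    file=$1
    host=$2
    date_stamp=$3
    grep -v '^[[:space:]]*#' "$file" | grep '=' \
      | sed -e 's/[[:space:]]*=[[:space:]]*/=/' \
            -e 's/[$](HOSTNAME)/'"$host"'/g' \
            -e 's/[$](DATE)/'"$date_stamp"'/g'
}

# twcfg_get FILE HOSTNAME DATE KEY
# Prints the expanded value of a single KEY (empty if the key is absent).
twcfg_get() {
    twcfg_expand "$1" "$2" "$3" | sed -n "s/^$4=//p"
}

# make_sample_cfg PATH
# Writes a constructed sample in the same layout as the twcfg.txt shown above.
make_sample_cfg() {
    cat > "$1" <<'EOF'
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
#LATEPROMPTING =false
LATEPROMPTING =true
EOF
}

# Usage (uncomment to try): resolve the paths for host "web01" right now.
# tmp=$(mktemp -d); make_sample_cfg "$tmp/twcfg.txt"
# twcfg_expand "$tmp/twcfg.txt" web01 "$(date +%Y%m%d-%H%M%S)"
```

Tripwire's DATE stamp has the form YYYYMMDD-HHMMSS; the example takes it as a parameter rather than calling `date` so the output is reproducible.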

Generate the encrypted (site-key signed) configuration file tw.cfg from twcfg.txt:

twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

You will be prompted:

Please enter your site passphrase:

Confirm that your configuration changes made it into the encrypted file:

twadmin --print-cfgfile

Then delete the plaintext copy, /etc/tripwire/twcfg.txt.

For more on the tripwire configuration file, see twconfig(4).

Tripwire policy file (twpol.txt)

The syntax will be covered later.

Use twadmin to check the policy file (this parses it and writes the signed policy):

twadmin -m P /etc/tripwire/twpol.txt

(For more about the policy file, see twpolicy(4).)

tripwire commands

tripwire --check ------- integrity check (compare) mode ------- -m c

tripwire --init ------- database initialization mode ------- -m i

tripwire --update ------- database update mode ------- -m u

tripwire --update-policy ------- policy update mode ------- -m p

tripwire --test ------- test mode: check whether mail notification works ------- -m t

Initialize the tripwire database:

tripwire --init

tripwire -m c (sample output)
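Init mode takes a snapshot of the monitored files into the database, and check mode compares the current file system against that snapshot and reports anything added, removed or modified. To make that workflow concrete without a Tripwire install, here is an added example (not from the original post, and not Tripwire's code) that implements the same two modes in POSIX sh over a directory tree: `fim_init` writes a baseline of file hashes, `fim_check` diffs the live tree against it and returns non-zero when there are violations. It assumes `sha256sum` is available (falling back to `cksum`), and the function names and the `.twd`-style baseline file are the example's own conventions, not Tripwire's database format.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline/check in the spirit of
# "tripwire --init" and "tripwire --check". Not Tripwire's own format.

# hash_file PATH -> prints one hash token for the file
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1     # weaker fallback (CRC), assumption: always present
    fi
}

# fim_snapshot DIR -> "hash<TAB>relative-path" per regular file, sorted
fim_snapshot() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$f")" "$f"
    done )
}

# fim_init DIR DBFILE : write the baseline (keep DBFILE outside DIR, as
# Tripwire keeps its .twd under /var/lib/tripwire rather than in the tree)
fim_init() {
    fim_snapshot "$1" > "$2"
}

# fim_check DIR DBFILE : print Added/Removed/Modified lines; exit 0 if clean
fim_check() {
    dir=$1
    db=$2
    cur=$(mktemp)
    fim_snapshot "$dir" > "$cur"
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # baseline entries
        { now[$2] = $1 }                             # live entries
        END {
            n = 0
            for (p in now) {
                if (!(p in base))        { print "Added:    " p; n++ }
                else if (now[p] != base[p]) { print "Modified: " p; n++ }
            }
            for (p in base) if (!(p in now)) { print "Removed:  " p; n++ }
            exit (n > 0)
        }' "$db" "$cur"
    rc=$?
    rm -f "$cur"
    return $rc
}

# Command-line use: fim.sh init DIR DB | fim.sh check DIR DB
if [ "$#" -eq 3 ]; then
    case $1 in
        init)  fim_init  "$2" "$3" ;;
        check) fim_check "$2" "$3" ;;
        *)     echo "usage: $0 init|check DIR DBFILE" >&2; exit 2 ;;
    esac
fi
```

The non-zero exit status is what makes this usable from a cron job like /etc/cron.daily/tripwire-check: a clean run is silent, a violation produces output and a failure code that the mailer or scheduler can act on.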

Test the e-mail notification feature:

sudo sh -c "/usr/sbin/tripwire -m t --email wd4242@163.com"

Print the database information for a single object:

sudo sh -c "/usr/sbin/twprint -m d /etc/xinetd.conf"
