Monitoring the system for modified files
License: GPL
http://sourceforce.net/projects/tripwire/
http://www.rpmfind.com
http://www.redhat.com
There is also a commercial version:
http://www.tripwiresecurity.com
I used:
yum install tripwire
Version: tripwire-2.3.1-22
Some less common rpm usages:
rpm -qd tripwire
rpm -q --changelog tripwire | less
Files installed by the package:
[root@localhost misc]# rpm -ql tripwire
/etc/cron.daily/tripwire-check
/etc/tripwire
/etc/tripwire/twcfg.txt
/etc/tripwire/twpol.txt
/usr/sbin/siggen
/usr/sbin/tripwire
/usr/sbin/tripwire-setup-keyfiles -------------------------key pair generation script
/usr/sbin/twadmin
/usr/sbin/twprint
/usr/share/doc/tripwire-2.3.1 -------------------------------documentation
/usr/share/doc/tripwire-2.3.1/COPYING
/usr/share/doc/tripwire-2.3.1/ChangeLog
/usr/share/doc/tripwire-2.3.1/Latest-Changes
/usr/share/doc/tripwire-2.3.1/License-Issues
/usr/share/doc/tripwire-2.3.1/README
/usr/share/doc/tripwire-2.3.1/README.RPM
/usr/share/doc/tripwire-2.3.1/Release_Notes
/usr/share/doc/tripwire-2.3.1/TRADEMARK
/usr/share/doc/tripwire-2.3.1/policyguide.txt
/usr/share/doc/tripwire-2.3.1/quickstart.gif
/usr/share/doc/tripwire-2.3.1/quickstart.txt
/usr/share/man/man4/twconfig.4.gz
/usr/share/man/man4/twpolicy.4.gz
/usr/share/man/man5/twfiles.5.gz
/usr/share/man/man8/siggen.8.gz
/usr/share/man/man8/tripwire.8.gz
/usr/share/man/man8/twadmin.8.gz
/usr/share/man/man8/twintro.8.gz
/usr/share/man/man8/twprint.8.gz
/var/lib/tripwire
/var/lib/tripwire/report
Generate the key pair (site key and local key):
/usr/sbin/tripwire-setup-keyfiles
Tripwire configuration file
twadmin --print-cfgfile (short form: -m f) prints the configuration file, which can serve as a sample to work from.
My tripwire configuration file (twcfg.txt):
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
#LATEPROMPTING =false
LATEPROMPTING =true
LOOSEDIRECTORYCHECKING =true
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =true
MAILPROGRAM =/usr/sbin/sendmail -oi -t
TEMPDIRECTORY =/var/run/tripwire
GLOBALEMAIL ="root@localhost,charles@192.168.1.25"
Generate the signed (encrypted) configuration file tw.cfg from twcfg.txt:
twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
You will be prompted:
Please enter your site passphrase:
Confirm that the configuration changes are reflected in the signed file:
twadmin --print-cfgfile
Then delete /etc/tripwire/twcfg.txt
For more about the tripwire configuration file, see twconfig(4).
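To make the "confirm the changes are reflected in the signed file" step mechanical before the plaintext copy is removed, here is an added shell helper (my example, not part of the original notes or of the Tripwire project) that normalizes the plaintext twcfg.txt and the text printed by twadmin --print-cfgfile and diffs them; the sample config files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that the signed tw.cfg carries the settings from the
# plaintext twcfg.txt before the plaintext file is deleted.

# Normalize a Tripwire "KEY =VALUE" config so that comments, blank lines,
# whitespace around '=' and line order do not show up as differences.
normalize_twcfg() {
    sed -e 's/#.*$//' \
        -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" | sort
}

# twcfg_matches PLAINTEXT PRINTED
# PRINTED is the saved output of "twadmin --print-cfgfile". Exit status 0 when
# every setting matches, 1 when they differ (differing lines are printed),
# 2 on error.
twcfg_matches() {
    a=$(mktemp) || return 2
    b=$(mktemp) || { rm -f "$a"; return 2; }
    normalize_twcfg "$1" > "$a"
    normalize_twcfg "$2" > "$b"
    diff "$a" "$b"
    rc=$?
    rm -f "$a" "$b"
    return $rc
}

# make_samples writes constructed sample files into a temp dir and prints its
# path: twcfg.txt (the edited plaintext), printed.txt (same settings, as a
# signed file prints them: no comments, different order) and drifted.txt
# (a signed file generated before REPORTLEVEL was changed to 3).
make_samples() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'ROOT =/usr/sbin' 'POLFILE =/etc/tripwire/tw.pol' \
        '#LATEPROMPTING =false' 'LATEPROMPTING =true' 'REPORTLEVEL =3' \
        > "$d/twcfg.txt"
    printf '%s\n' 'LATEPROMPTING=true' 'REPORTLEVEL=3' \
        'POLFILE=/etc/tripwire/tw.pol' 'ROOT=/usr/sbin' > "$d/printed.txt"
    printf '%s\n' 'ROOT=/usr/sbin' 'POLFILE=/etc/tripwire/tw.pol' \
        'LATEPROMPTING=true' 'REPORTLEVEL=4' > "$d/drifted.txt"
    echo "$d"
}

# Real use on the host (not executed here):
#   twadmin --print-cfgfile > /tmp/printed.cfg
#   twcfg_matches /etc/tripwire/twcfg.txt /tmp/printed.cfg && rm /etc/tripwire/twcfg.txt
```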
Tripwire policy file (twpol.txt)
The syntax will be covered later.
Use twadmin to syntax-check the policy file:
twadmin -m P /etc/tripwire/twpol.txt
(For more about the policy file, see twpolicy(4).)
tripwire commands
tripwire --check            check (compare) mode                -m c
tripwire --init             initialize mode                     -m i
tripwire --update           update mode                         -m u
tripwire --update-policy    update policy mode                  -m p
tripwire --test             check whether mail is active        -m t
Initialize the tripwire database:
tripwire --init
tripwire -m c (sample output)
Testing the email notification function:
sudo sh -c "/usr/sbin/tripwire -m t --email wd4242@163.com"
Print the database information for a single target:
sudo sh -c "/usr/sbin/twprint -m d /etc/xinetd.conf"