Installing and configuring Tripwire to strengthen your Linux system security (repost)

Posted by amyz on 2007-11-13

1、Why use Tripwire
After you finish installing and configuring your Linux system, it is recommended that you install Tripwire right away. It records the attributes of files, such as size, owner, group and access permissions, as fingerprints and checks them periodically. When the current state of a file no longer matches the fingerprint database, Tripwire raises a warning and tells you which properties differ from the database.

2、Installation

Note: the Linux distribution used in this document is Red Hat Linux 7.3. Configuration on other distributions is similar.

1.  Install the package: rpm -Uvh tripwire-<version>.rpm

2.  Change to the working directory /etc/tripwire, which contains two files:

§  twcfg.txt: configures Tripwire's working environment; you can adjust it to your own preferences.

§  twpol.txt: specifies which properties of which files Tripwire should monitor.

3.  The default twcfg.txt contains the following:

ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t

§  DBFILE is the file name of the fingerprint database.

§  REPORTFILE is the file name of the check report.

4.  Now look at twpol.txt, which we can edit to specify which properties of which files Tripwire should monitor. The properties Tripwire can monitor are listed in the "property masks" section of the twpolicy man page, as shown below:

-  Ignore the following properties
+  Record and check the following properties

a  Access timestamp
b  Number of blocks allocated
c  Inode timestamp (create/modify)
d  ID of device on which inode resides
g  File owner's group ID
i  Inode number
l  File is increasing in size (a "growing file")
m  Modification timestamp
n  Number of links (inode reference count)
p  Permissions and file mode bits
r  ID of device pointed to by inode (valid only for device files)
s  File size
t  File type
u  File owner's user ID
C  CRC-32 hash value
H  Haval hash value
M  MD5 hash value
S  SHA hash value

The meaning of "+" and "-" is explained below.

5.  How do you ask Tripwire to monitor particular files? The twpol.txt shipped with Red Hat already places the important configuration files and programs under monitoring; you can find the following section in it:

(
  rulename = "Security Control",
  severity = $(SIG_HI)
)
{
  /etc/group     -> $(SEC_CRIT) ;
  /etc/security  -> $(SEC_CRIT) ;
}

This section places the two objects /etc/group and /etc/security into the "Security Control" group, with a severity level defined by the variable SIG_HI, whose value is 100 (explained later). Which properties of /etc/group and /etc/security Tripwire monitors is defined by the variable SEC_CRIT.

6.  Browsing twpol.txt from the top, you can find this section:

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability

You can see that the value of SIG_HI is 100, as mentioned in the previous point. Which properties of /etc/group Tripwire monitors is defined by SEC_CRIT, and here you find that SEC_CRIT equals "$(IgnoreNone)-SHa". So which properties are those?

To solve this puzzle, you first have to find out how the variable IgnoreNone is defined. Searching all of twpol.txt does not answer it, because IgnoreNone, like ReadOnly, Dynamic and Growing below, is a variable predefined by Tripwire. The "Variables" section of the twpolicy man page contains the following:

ReadOnly    ReadOnly is good for files that are widely available but are intended to be read-only.  Value: +pinugtsdbmCM-rlacSH

Dynamic     Dynamic is good for monitoring user directories and files that tend to be dynamic in behavior.  Value: +pinugtd-srlbamcCMSH

Growing     The Growing variable is intended for files that should only get larger.  Value: +pinugtdl-srbamcCMSH

Device      Device is good for devices or other files that Tripwire should not attempt to open.  Value: +pugsdr-intlbamcCMSH

IgnoreAll   IgnoreAll tracks a file's presence or absence, but doesn't check any other properties.  Value: -pinugtsdrlbamcCMSH

IgnoreNone  IgnoreNone turns on all properties and provides a convenient starting point for defining your own property masks.  (For example, mymask = $(IgnoreNone) -ar;)  Value: +pinugtsdrbamcCMSH-l

From the above, the value of "IgnoreNone" is "+pinugtsdrbamcCMSH-l": the properties listed after "+" are monitored, and those listed after "-" are not. So what does "$(IgnoreNone)-SHa" mean? It takes the S, H and a properties that IgnoreNone originally monitors and marks them as not monitored.

You can modify this file according to your needs.
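As an added illustration (not code from the original post or from Tripwire itself), the following POSIX sh helper resolves a property-mask expression the way the text just walked through by hand: it substitutes the predefined variables quoted above from the twpolicy man page, then applies each "+" and "-" group from left to right, so a later "-SHa" switches off properties that an earlier "+..." switched on. The function names resolve_mask, mask_value and mask_checks are my own, not Tripwire's; the variable values are the ones printed above.

```shell
#!/bin/sh
# Added example: resolve Tripwire property-mask expressions in POSIX sh.
# The variable values are quoted from the twpolicy man page; the helper
# functions are illustrative and not part of Tripwire.

# mask_value NAME: value of a predefined Tripwire mask variable.
mask_value() {
    case "$1" in
        ReadOnly)   echo '+pinugtsdbmCM-rlacSH' ;;
        Dynamic)    echo '+pinugtd-srlbamcCMSH' ;;
        Growing)    echo '+pinugtdl-srbamcCMSH' ;;
        Device)     echo '+pugsdr-intlbamcCMSH' ;;
        IgnoreAll)  echo '-pinugtsdrlbamcCMSH' ;;
        IgnoreNone) echo '+pinugtsdrbamcCMSH-l' ;;
        *)          return 1 ;;
    esac
}

# resolve_mask EXPR: expand $(VAR) references, then walk the +/- groups
# left to right. A property letter keeps the sign it was given last, so
# '$(IgnoreNone)-SHa' turns S, H and a back off. Prints the letters that
# end up checked, sorted in C-locale order so the result is stable.
resolve_mask() {
    mask="$1"
    while printf '%s\n' "$mask" | grep -q '[$]([A-Za-z]*)'; do
        var=$(printf '%s\n' "$mask" | sed 's/.*[$](\([A-Za-z]*\)).*/\1/')
        val=$(mask_value "$var") || { echo "unknown variable: $var" >&2; return 1; }
        mask=$(printf '%s\n' "$mask" | sed 's/[$]('"$var"')/'"$val"'/')
    done
    checked=""
    sign=""
    rest="$mask"
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}     # first character of the remaining mask
        rest=${rest#?}             # everything after it
        case "$ch" in
            +|-) sign="$ch" ;;
            [A-Za-z])
                # drop any earlier decision for this letter, then re-add it if '+'
                checked=$(printf '%s' "$checked" | tr -d "$ch")
                if [ "$sign" = "+" ]; then checked="$checked$ch"; fi
                ;;
            *) echo "bad character in mask: $ch" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$checked" | fold -w 1 | LC_ALL=C sort | tr -d '\n'
    echo
}

# mask_checks EXPR LETTER: succeed if property LETTER is checked by EXPR.
mask_checks() {
    case "$(resolve_mask "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# The three masks from the article's policy file, resolved:
echo "SEC_CRIT      = \$(IgnoreNone)-SHa -> $(resolve_mask '$(IgnoreNone)-SHa')"
echo "SEC_BIN       = \$(ReadOnly)       -> $(resolve_mask '$(ReadOnly)')"
echo "SEC_INVARIANT = +tpug             -> $(resolve_mask '+tpug')"
```

For SEC_CRIT the output is CMbcdgimnprstu: the CRC-32 and MD5 hashes, size, inode, timestamps m and c and the ownership bits are all checked, while the SHA and Haval hashes and the access timestamp are not, which is exactly what the "-SHa" suffix removed.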

7.  Next, run ./twinstall.sh in /etc/tripwire. During the run it asks you to set two pass phrases:

§  site pass phrase: used when encrypting twpol.txt and twcfg.txt.

§  local pass phrase: used when encrypting the fingerprint database.

It then asks you to enter the correct site pass phrase again, at which point twpol.txt and twcfg.txt are each encrypted, producing tw.pol and tw.cfg from the original text files. The process looks like this:

[root@localhost tripwire]# ./twinstall.sh

----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases should be at least 8 characters in length
and contain both letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Signing configuration file...
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file
/etc/tripwire/twcfg.txt
has been preserved for your inspection.  It is recommended
that you delete this file manually after you have examined it.

----------------------------------------------
Signing policy file...
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file
/etc/tripwire/twpol.txt
has been preserved for your inspection.  This implements
a minimal policy, intended only to test essential
Tripwire functionality.  You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.

You have new mail in /var/spool/mail/root

After twinstall.sh finishes, it is recommended that you delete the two text files twpol.txt and twcfg.txt or move them elsewhere.

8.  Run tripwire -m i to build the fingerprint database; it asks you for the local pass phrase.

[root@localhost tripwire]# tripwire -m i
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /proc/
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
Wrote database file: /var/lib/tripwire/localhost.localdomain.twd
The database was successfully generated.
You have new mail in /var/spool/mail/root

9.  You may wonder whether Tripwire can really detect the smallest change to a file. Let's run an experiment: change the "x" in the second field of the first line of /etc/group to "X":

[root@localhost tripwire]# head -1 /etc/group
root:x:0:root
[root@localhost tripwire]# vi /etc/group
[root@localhost tripwire]# head -1 /etc/group
root:X:0:root

10.  Next, run "tripwire -m c --interactive" to perform the check. At the end a report appears (opened in vi by default) containing:

§  "Rule Summary": lists the check results for every rule group.

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                                    Severity Level  Added  Removed  Modified
  ---------                                    --------------  -----  -------  --------
  Invariant Directories                        66              0      0        0
  Temporary directories                        33              0      0        0
* Tripwire Data Files                          100             1      0        0
  Critical devices                             100             0      0        0
  User binaries                                66              0      0        0
  Tripwire Binaries                            100             0      0        0
  Critical configuration files                 100             0      0        0
  Libraries                                    66              0      0        0
  Operating System Utilities                   100             0      0        0
  Critical system boot files                   100             0      0        0
  File System and Disk Administraton Programs  100             0      0        0
  Kernel Administration Programs               100             0      0        0
  Networking Programs                          100             0      0        0
  System Administration Programs               100             0      0        0
  Hardware and Device Control Programs         100             0      0        0
  System Information Programs                  100             0      0        0
  Application Information Programs             100             0      0        0
  Shell Related Programs                       100             0      0        0
  Critical Utility Sym-Links                   100             0      0        0
  Shell Binaries                               100             0      0        0
  System boot changes                          100             0      0        0
  OS executables and libraries                 100             0      0        0
* Security Control                             100             0      0        1
  Login Scripts                                100             0      0        0
  Root config files                            100             0      0        0

Total objects scanned:  15675
Total violations found:  2

Two groups have changes: one is Tripwire's own data files (an addition), the other is the "Security Control" group (/etc/group belongs to this group!).

§  "Object Summary": lists the objects that changed.

===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Added:
[x] "/var/lib/tripwire/localhost.localdomain.twd"

-------------------------------------------------------------------------------
Rule Name: Security Control (/etc/group)
Severity Level: 100
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Modified:
[x] "/etc/group"

 

/etc/group was found to have changed. If you want to update the fingerprint database's record of /etc/group to its current state, keep the x inside the [ ] in front of /etc/group; otherwise change it to a space.

§  "Object Detail": detailed information about the changed objects, such as which properties changed.

===============================================================================
Object Detail:
===============================================================================
-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)

Although only an x was changed to an X, four properties were affected. The most important of these is the MD5 value: as soon as a file's MD5 value differs from the original, you can be certain that the file's contents have been modified.
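To make the point concrete, here is an added miniature of the baseline-then-verify loop in POSIX sh. It is not Tripwire code and uses none of its files: per file it records the CRC-32 (Tripwire's "C" property), size ("s"), permission bits ("p"), owner ("u") and group ("g") using only cksum and ls, then reports which of them changed. The demo function reproduces the article's experiment on a constructed copy of /etc/group in a temporary directory; the function names and the assumption that paths contain no whitespace are mine.

```shell
#!/bin/sh
# Added example: a miniature baseline-and-verify loop that mirrors the idea
# behind 'tripwire -m i' and 'tripwire -m c'. Not Tripwire code.
# Assumption: paths contain no whitespace (fields are space-separated).

# fingerprint FILE: print "path crc size mode owner group"
fingerprint() {
    f="$1"
    set -- $(cksum "$f")           # cksum prints: crc size path
    crc=$1; size=$2
    set -- $(ls -ld "$f")          # ls -ld prints: mode links owner group ...
    echo "$f $crc $size $1 $3 $4"
}

# build_baseline DIR: fingerprint every regular file under DIR, sorted so the
# baseline is stable. Redirect the output to the baseline file.
build_baseline() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        fingerprint "$f"
    done
}

# check_baseline BASELINE: compare each recorded file with its current state.
# Prints one line per violation with the mask letters that differ, then a
# Tripwire-style total, and returns the violation count (0 = clean).
check_baseline() {
    base="$1"
    violations=0
    while read -r path crc size mode owner group; do
        if [ ! -e "$path" ]; then
            echo "Removed: $path"
            violations=$((violations + 1))
            continue
        fi
        set -- $(fingerprint "$path")   # $2 crc, $3 size, $4 mode, $5 owner, $6 group
        changed=""
        [ "$4" = "$mode" ]  || changed="${changed}p"
        [ "$5" = "$owner" ] || changed="${changed}u"
        [ "$6" = "$group" ] || changed="${changed}g"
        [ "$3" = "$size" ]  || changed="${changed}s"
        [ "$2" = "$crc" ]   || changed="${changed}C"
        if [ -n "$changed" ]; then
            echo "Modified: $path ($changed)"
            violations=$((violations + 1))
        fi
    done < "$base"
    echo "Total violations found: $violations"
    return "$violations"
}

# demo: the article's experiment (x -> X in the second field of the first
# line of a group file) on constructed sample files in a temporary directory.
demo() {
    work=$(mktemp -d)
    printf 'root:x:0:root\n' > "$work/group"     # constructed sample
    printf 'root:x:0:\n'     > "$work/passwd"    # constructed, left untouched
    build_baseline "$work" > "$work.base"
    sed 's/^root:x:/root:X:/' "$work/group" > "$work/group.new"
    mv "$work/group.new" "$work/group"
    check_baseline "$work.base" && rc=0 || rc=$?
    rm -rf "$work" "$work.base"
    return "$rc"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as "sh example.sh demo": the group file is reported as "Modified: .../group (C)" and the exit status is 1. The size is unchanged, because one byte was swapped for another of the same length, so a check on size or permissions alone would have missed the edit; only the checksum catches it, which is why the MD5 (and CRC-32) properties carry the weight in Tripwire's SEC_CRIT mask.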

§  Tripwire runs its check automatically every day and mails the result to root. You should also run "tripwire -m c --interactive" periodically to update the fingerprint database.

 


From the ITPUB blog, link: http://blog.itpub.net/10752019/viewspace-982136/. If you repost this, please cite the source; otherwise legal action may be taken.
