Tripwire Tutorial: A Linux Host-Based Intrusion Detection System

Posted by Tiamo_T on 2021/11/25 06:53:10
[Abstract] Tripwire is a host-based intrusion detection system for Linux. Tripwire monitors a Linux system to detect and report any unauthorized changes to files and directories. Once a baseline has been created, Tripwire monitors and detects which file was added, which file was changed, what was changed, who changed it and when. If a change is legitimate, you can update the Tripwire database to accept it.



This step-by-step guide explains how to install and configure the open source version of Tripwire.

1. Download Tripwire

Download the latest Tripwire open source release from the Tripwire SourceForge project site. Extract the Tripwire source code into the /usr/src directory as shown below.

# cd /usr/src
# wget http://internap.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.4.1.2-src.tar.bz2
# bzip2 -d tripwire-2.4.1.2-src.tar.bz2
# tar xvf tripwire-2.4.1.2-src.tar

2. Install Tripwire

Specify the installation directory with the --prefix option as shown below. In this example, I install Tripwire under /opt/tripwire. During make install you are prompted for several inputs; each prompt in the transcript below is followed by a [Note: ...] line saying what to enter.

# cd tripwire-2.4.1.2-src

# ./configure --prefix=/opt/tripwire

# make

# make install

make[3]: Entering directory `/usr/src/tripwire-2.4.1.2-src'
prefix="/opt/tripwire" sysconfdir="/opt/tripwire/etc" \
        path_to_vi="/bin/vi" path_to_sendmail="/usr/sbin/sendmail" \
        ./install/install.sh
Installer program for: Tripwire(R) 2.4 Open Source
LICENSE AGREEMENT for Tripwire(R) 2.4 Open Source
Please read the following license agreement.  You must accept the
agreement to continue installing Tripwire.
Press ENTER to view the License Agreement.
[Note: Press enter key as instructed to view the license]

Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept
[Note: Type accept to accept the license]

This program will copy Tripwire files to the following directories:
        TWBIN: /opt/tripwire/sbin
        TWMAN: /opt/tripwire/man
     TWPOLICY: /opt/tripwire/etc
     TWREPORT: /opt/tripwire/lib/tripwire/report
         TWDB: /opt/tripwire/lib/tripwire
 TWSITEKEYDIR: /opt/tripwire/etc
TWLOCALKEYDIR: /opt/tripwire/etc
CLOBBER is false.
Continue with installation? [y/n] y
[Note: Press y to continue the installation]

The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
[Note: Assign a passphrase for site keyfile.]

Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
[Note: Assign a passphrase for local keyfile.]

Creating signed configuration file...
Please enter your site passphrase:
Wrote configuration file: /opt/tripwire/etc/tw.cfg
[Note: Enter the site passphrase.]

Creating signed policy file...
Please enter your site passphrase:
Wrote policy file: /opt/tripwire/etc/tw.pol
[Note: Enter the site passphrase]

The installation succeeded.

  • The site passphrase protects the tw.cfg Tripwire configuration file and the tw.pol Tripwire policy file. Even for a single-instance Tripwire, you must assign a site passphrase.
  • The local passphrase protects the Tripwire database and report files.

3. Initialize the Tripwire Database

On first use, initialize the Tripwire database as shown below.

# cd /opt/tripwire/sbin/

# ./tripwire --init

Please enter your local passphrase:
Parsing policy file: /opt/tripwire/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/sys" is on a different file system...ignoring.
### Warning: File system error.
### Filename: /cdrom
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /floppy
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /initrd
### No such file or directory
### Continuing...
### Warning: File system error.
Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd
The database was successfully generated.

4. Modify the Tripwire Policy File

As shown above, during Tripwire database initialization a "No such file or directory" error may be displayed for some default files mentioned in the Tripwire policy file. If your system does not have these files, edit the policy file and comment out those entries.

For example, modify the /opt/tripwire/etc/twpol.txt Tripwire policy file and comment out /cdrom and /floppy as shown below.

(
  rulename = "OS Boot Files and Mount Points",
)
{
  /boot                         -> $(ReadOnly) ;
#  /cdrom                        -> $(Dynamic) ;
#  /floppy                       -> $(Dynamic) ;
  /mnt                          -> $(Dynamic) ;
}


With the Tripwire policy file, you define the directories and files that should be monitored for changes. You can also be more granular and specify which file attributes should be monitored or ignored.

The following are some of the UNIX system attributes that Tripwire monitors.


  • File additions, deletions and modifications
  • File permissions and attributes
  • Access timestamp
  • Modification timestamp
  • File type and file size
  • Owner's user ID and owner's group ID
  • Hash checking: CRC-32, a POSIX 1003.2 compliant 32-bit cyclic redundancy check; MD5, the RSA Data Security message digest algorithm; SHA, part of the SHS/SHA algorithm; HAVAL, a strong 128-bit signature algorithm
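To show how a rule combines the attributes listed above, here is an added policy fragment for the Oracle paths that appear in the reports in steps 5 and 6; it is not part of the article. The rule names, the mail address and the Oracle directory layout are assumptions; the predefined masks $(ReadOnly), $(Growing) and $(Dynamic) and the $(SIG_*) severity variables are the ones defined in the stock twpol.txt.

```text
# Added example (not from the article). Property masks are read left to
# right: "+" records the following properties, "-" ignores them.
(
  rulename = "Oracle software and data files",
  severity = $(SIG_HI),
  emailto  = dba-oncall@example.com
)
{
  # Installed binaries and libraries must not change outside a patch window.
  # $(ReadOnly) records perms, inode, owner, size, mtime, CRC32 and MD5;
  # "+S" appended to the mask switches the SHA hash back on as well.
  /u01/app/oracle/product   -> $(ReadOnly)+S ;

  # Datafiles change content constantly, so size, mtime and hashes would be
  # pure noise; $(Dynamic) still catches a change of owner, mode or type.
  /u01/app/oracle/oradata   -> $(Dynamic) ;
}

(
  rulename = "Oracle trace and listener logs",
  severity = $(SIG_LOW)
)
{
  # $(Growing) lets the file grow but flags a shrink or a change of owner
  # or permissions, so listener.log stops showing up as Modified after
  # every check.
  /u01/app/oracle/diag      -> $(Growing) (recurse = true) ;

  # Stop point: trace files are created on every run; excluding the
  # directory keeps them from appearing as Added in each report.
  !/u01/app/oracle/diag/rdbms/proddb/proddb/trace ;
}
```

After adding the rules to twpol.txt, apply them with the --update-policy command from step 5.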

5. Update the Tripwire Policy File

After modifying the policy file, update it as shown below.

# ./tripwire --update-policy --secure-mode low ../etc/twpol.txt

Parsing policy file: /opt/tripwire/etc/twpol.txt
Please enter your local passphrase:
Please enter your site passphrase:
======== Policy Update: Processing section Unix File System.

======== Step 1: Gathering information for the new policy.
The object: "/sys" is on a different file system...ignoring.

======== Step 2: Updating the database with new objects.

======== Step 3: Pruning unneeded objects from the database.
Wrote policy file: /opt/tripwire/etc/tw.pol
Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd

Note: If any files were modified between completing the Tripwire initialization and the policy update, they are listed under the "Step 1: Gathering information for the new policy" output of the above command, as in the following example.

### Warning: Policy Update Changed Object.
### An object has been changed since the database was last updated.

### Object name: Conflicting properties for object
### /u01/app/oracle/oradata/dbfiles/prod01.dbf
### > Modify Time
### > CRC32
### > MD5

6. Check Files for Changes and Update the Tripwire Database

Once Tripwire is set up, you should periodically perform a check to find the files that were added or modified since the Tripwire database was last updated. You can perform this check interactively from the command line as shown below.

# ./tripwire --check --interactive

Parsing policy file: /opt/tripwire/etc/tw.pol
*** Processing Unix File System ***

Performing integrity check...
Wrote report file:
/opt/tripwire/lib/tripwire/report/prod-db-srv-20081204-114336.twr


This automatically opens the following Tripwire report file in vi, where you can review all files that were added to or modified on the system. As shown below, each "Added" and "Modified" file is preceded by a box marked [x], indicating that you accept the change and want it written to the Tripwire database.

===============================================================================
Report Summary:
===============================================================================
Host name:                    prod-db-srv
Host IP address:              192.168.1.10
Host ID:                      None
Policy file used:             /opt/tripwire/etc/tw.pol
Configuration file used:      /opt/tripwire/etc/tw.cfg
Database file used:           /opt/tripwire/lib/tripwire/prod-db-srv.twd
Command line used:            ./tripwire --check --interactive

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trc"
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trm"

Modified:
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/metadata/INC_METER_CONFIG.ams"
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/metadata/INC_METER_INFO.ams"

Added object name:  /u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trc

  Property:            Expected                    Observed
  -------------        -----------                 -----------
* Object Type          ---                         Regular File
* Device Number        ---                         2049
* Inode Number         ---                         12026017
* Mode                 ---                         -rw-r-----
* Num Links            ---                         1
* UID                  ---                         oracle (1082)
* GID                  ---                         oinstall (1083)
* Size                 ---                         837
* Modify Time          ---                         Sat 06 Dec 2008 10:01:51 AM PST
* Blocks               ---                         8
* CRC32                ---                         AYxMeo
* MD5                  ---                         AXSkOul8R/np0fQP4q3QLv

Modified object name:  /u01/app/oracle/diag/tnslsnr/proddb/listener/trace/listener.log

  Property:            Expected                    Observed
  -------------        -----------                 -----------
  Object Type          Regular File                Regular File
  Device Number        2049                        2049
  Inode Number         2295281                     2295281
  Mode                 -rw-r-----                  -rw-r-----
  Num Links            1                           1
  UID                  oracle (1082)               oracle (1082)
  GID                  oinstall (1083)             oinstall (1083)
* Size                 5851880                     5858608
* Modify Time          Sat 06 Dec 2008 09:58:53 AM PST
                                                   Sat 06 Dec 2008 11:39:56 AM PST
* Blocks               11456                       11472
* CRC32                ANdM8R                      CK+bWM
* MD5                  DCW84lCuD2YJOhQd/EuVsn      CV8BMvZNJB9KQBXAf5yRDY

Please enter your local passphrase:
Incorrect local passphrase.
Please enter your local passphrase:
Wrote database file: /opt/tripwire/lib/tripwire/prod-db-srv.twd

7. How to View the twr Report File?

All Tripwire report files, with the *.twr extension, are stored under the /opt/tripwire/lib/tripwire/report directory. A *.twr report file is not a text file that you can view directly. To view a report, use twprint to convert the *.twr file to readable text as shown below.

# ./twprint --print-report --twrfile \
/opt/tripwire/lib/tripwire/report/prod-db-srv-20081204-114336.twr  > \
/tmp/readable-output.txt

8. Monitor Linux System Integrity Periodically

Add the Tripwire check as a cron job to continuously monitor and report any changes. For example, add the following lines to your crontab to run tripwire --check every day at 4:00 AM.

# Tripwire Monitor process
00 4 * * * /opt/tripwire/sbin/tripwire  --check
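Steps 6, 7 and 8 are three separate commands; the script below ties them together so an unattended run can alert instead of only leaving a .twr on disk. It is an added example, not code from the article or from the Tripwire project; it assumes the article's /opt/tripwire prefix and that logger (syslog) is available, and the sample report text is constructed from the interactive report layout shown in step 6.

```shell
# Added example, not part of the original article: a cron-friendly wrapper
# that runs the scheduled check, renders the newest .twr with twprint and
# counts changed objects so an unattended run can alert, not just file a report.
TWBIN=/opt/tripwire/sbin                         # prefix used in the article
TWREPORTDIR=/opt/tripwire/lib/tripwire/report

# Count objects listed under Added:/Modified:/Removed: in a readable report
# (file argument, or stdin). Accepts the interactive '[x] "/path"' form shown
# in step 6 as well as bare '"/path"' lines. Prints: added modified removed
count_changes() {
    awk '
        /^Added:/        { sec = "a"; next }
        /^Modified:/     { sec = "m"; next }
        /^Removed:/      { sec = "r"; next }
        /^[[:space:]]*$/ { next }                        # blank lines keep the list open
        /^(\[x\] )?"\//  { if (sec != "") n[sec]++; next }
        { sec = "" }                                     # any other text ends the list
        END { printf "%d %d %d\n", n["a"], n["m"], n["r"] }
    ' "$@"
}

# Run tripwire --check, convert the newest report, log the counts to syslog
# and return non-zero when anything changed (cron then mails the output).
run_check() {
    "$TWBIN/tripwire" --check >/dev/null 2>&1 || :   # non-zero exit = violations
    latest=$(ls -t "$TWREPORTDIR"/*.twr 2>/dev/null | head -n 1)
    [ -n "$latest" ] || { echo "tripwire: no report produced" >&2; return 2; }
    txt=$(mktemp) || return 2
    "$TWBIN/twprint" --print-report --twrfile "$latest" > "$txt"
    set -- $(count_changes "$txt")
    rm -f "$txt"
    logger -t tripwire "added=$1 modified=$2 removed=$3 report=$latest"
    [ $(( $1 + $2 + $3 )) -eq 0 ]
}

# Constructed sample in the step 6 interactive-report layout, so count_changes
# can be exercised without a Tripwire installation.
sample_report() {
    cat <<'EOF'
Added:
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trc"
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trm"

Modified:
[x] "/u01/app/oracle/diag/rdbms/proddb/proddb/metadata/INC_METER_CONFIG.ams"

Added object name:  /u01/app/oracle/diag/rdbms/proddb/proddb/trace/proddb_m000_11376.trc
EOF
}
```

Point the crontab line at this script (calling run_check) instead of the bare tripwire --check, and cron will mail you whenever the exit status is non-zero.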

9. Tripwire Configuration and Policy File Locations

Use twadmin to view the current Tripwire policy file. Only part of the output is shown below.

# ./twadmin --print-polfile
@@section GLOBAL
TWDOCS="/opt/tripwire/doc/tripwire";
TWBIN="/opt/tripwire/sbin";
TWPOL="/opt/tripwire/etc";
TWDB="/opt/tripwire/lib/tripwire";
TWSKEY="/opt/tripwire/etc";
TWLKEY="/opt/tripwire/etc";
TWREPORT="/opt/tripwire/lib/tripwire/report";
HOSTNAME=prod-db-srv;

Use twadmin to print the Tripwire configuration file, which records the locations of all the Tripwire files, as shown below.

# ./twadmin --print-cfgfile
ROOT          =/opt/tripwire/sbin
POLFILE       =/opt/tripwire/etc/tw.pol
DBFILE        =/opt/tripwire/lib/tripwire/$(HOSTNAME).twd
REPORTFILE    =/opt/tripwire/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE   =/opt/tripwire/etc/site.key
LOCALKEYFILE  =/opt/tripwire/etc/prod-db-srv-local.key
EDITOR        =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL   =3
MAILMETHOD    =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM   =/usr/sbin/sendmail -oi -t
[Copyright Notice] This article is original content by a Huawei Cloud community user. When reprinting, you must cite the source (Huawei Cloud community), the article link, the article author and other basic information; otherwise the author and this community reserve the right to pursue liability. If you find content in this community suspected of plagiarism, please report it by e-mail with the relevant evidence; once verified, the community will immediately remove the infringing content. Report e-mail: cloudbbs@huaweicloud.com