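Introduction
Tripwire is currently the best-known file system integrity checking tool for Unix. Its core technique is to generate a digital signature for every monitored file and store it. When a file's current digital signature no longer matches the stored one, the file must have been modified.
Installing Tripwire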
# install from EPEL
[root@linuxprobe ~]# yum --enablerepo=epel -y install tripwire
It can also be installed as follows:
wget https://sourceforge.net/projects/tripwire/files/tripwire-rpms/centos6/tripwire-2.4.2.1-1.el6.x86_64.rpm
rpm -ivh tripwire-2.4.2.1-1.el6.x86_64.rpm
Creating the keys and database
Tripwire generates a site key and a local key.
# generate keys
[root@linuxprobe ~]# tripwire-setup-keyfiles
.....
.....
Enter the site keyfile passphrase: # set site keyfile passphrase
Verify the site keyfile passphrase: # confirm
....
.....
Enter the local keyfile passphrase: # set local keyfile passphrase
Verify the local keyfile passphrase: # confirm
.....
.....
Please enter your site passphrase: # answer with site keyfile passphrase
.....
.....
Please enter your site passphrase: # answer with site keyfile passphrase
.....
.....
The local key is used for the database file; the site key is used for the configuration file and the policy file.
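The two ideas described above (a stored per-file signature that is compared on each check, and a key that protects the database itself) can be seen in miniature in the following added example, which is not Tripwire's code or file format. It assumes SHA-256 digests and an HMAC as stand-ins for Tripwire's own signing, and all function names and the sample tree are constructed for illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def seal(digests, key):
    """Serialize the baseline and attach a keyed MAC so edits to it are detectable."""
    body = json.dumps(digests, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).digest()}

def check(root, sealed, key):
    """Return (added, removed, changed); raise if the baseline itself was altered."""
    expected = hmac.new(key, sealed["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("baseline database failed its integrity check")
    old, new = json.loads(sealed["body"]), snapshot(root)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed

def demo():
    """Constructed sample tree: build a baseline, alter the tree, then re-check."""
    key = b"constructed-demo-key"            # stands in for the local key
    with tempfile.TemporaryDirectory() as root:
        for name in ("ls", "ps", "su"):
            Path(root, name).write_bytes(b"v1")
        sealed = seal(snapshot(root), key)   # analogous to tripwire --init
        Path(root, "ls").write_bytes(b"v2")  # modified
        Path(root, "ps").unlink()            # removed
        Path(root, "nc").write_bytes(b"x")   # added
        result = check(root, sealed, key)    # analogous to tripwire --check
        # A baseline rewritten without the key no longer matches its MAC.
        forged = dict(sealed, body=sealed["body"].replace(b'"su"', b'"sx"'))
        try:
            check(root, forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return result, tamper_detected

if __name__ == "__main__":
    print(demo())
```

Without the keyed seal, anyone able to modify a monitored file could also rewrite the stored digest and the change would go unreported, which is why the database is protected with the local key.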
Configuring Tripwire
The twcfg.txt file defines the variables Tripwire uses (for example, the location of Tripwire report files, the e-mail address, and the report level).
[root@u22e.com tripwire ]# more twcfg.txt
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =true
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =4
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
The twpol.txt policy file tells Tripwire which files to monitor.
[root@u22e.com tripwire ]# more twpol.txt
# this is a comment
# system binaries
SYSBIN = +pngu+sm;
/usr/bin -> $(SYSBIN);
/usr/sbin -> $(SYSBIN);
/etc/security -> +pug (recurse=-1);
# ignore last log
#!/etc/security/lastlog;
# logs
SYSLOGS = +p-lum;
#/var/adm/messages -> $(SYSLOGS);
# ignore these do not scan
!/opt/dump;
!/opt/freeware;
Run the twadmin commands to update the encrypted policy and configuration files
twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
Initializing the Tripwire database
[root@u22e tripwire]# tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/u22e.twd
The database was successfully generated.
Integrity check
tripwire --check
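tripwire --check --interactive
# This runs the same check as usual, but instead of printing the result to the screen at the end, it generates a text file and opens it in the default editor.
Updating the policy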
tripwire --update --twrfile /var/lib/tripwire/report/<hostname_date_stamp>.twr
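After running this command you are placed in an editor. Search for the reported file names. Every violation or update has an [x] in front of the file name.
If you want to accept these changes as legitimate, simply save and exit the file. Tripwire will no longer report this file. If you do not want this file to be added to the database, delete the 'x'.
Viewing the report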
twprint -m r --twrfile /var/lib/tripwire/report/<hostname_date_stamp>.twr
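Scheduled checks
Run from crontab (in a crontab entry each % must be escaped as \%, otherwise cron cuts the command off at the first %):
10 1 * * * /usr/sbin/tripwire --check > /tmp/tripwire`date +_\%Y\%m\%d`.log
10 1 * * * /usr/sbin/tripwire --check | mail -s "Tripwire report for $HOSTNAME `date +_\%Y\%m\%d`" pengwu@emotibot.com
If the mail command is not available, install it with yum -y install mailx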