防篡改Tripwire
一、安装
1.准备(centos7的yum不带tripwire)
wget https://mirrors.ustc.edu.cn/epel/7/x86_64/Packages/e/epel-release-7-14.noarch.rpm
rpm -ivh epel-release-7-14.noarch.rpm
yum -y install tripwire
另一个方法
cd /etc/yum.repos.d/mv CentOS-Base.repo CentOS-Base.repo.bakwget http://mirrors.aliyun.com/repo/Centos-7.repomv Centos-7.repo CentOS-Base.repoyum clean allyum makecacheyum install tripwire --enablerepo=epel 2.安装
yum -y install tripwire
3.设置密钥
tripwire-setup-keyfiles
设置网站密钥和本地密钥
网站密钥:对配置和策略文件加密(可共享到其他机器)
本地密钥:对本地数据存储加密
密钥放在/etc/tripwire下
4.配置文件说明
安装完后有两个配置文件在/etc/tripwire
twcfg.txt:软件配置
twpol.txt:策略配置
twcfg.txt如下:
[root@node-251 tripwire_test]# cat /etc/tripwire/twcfg.txt
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =true
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =4
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
twpol.txt如下
# Rule for Security Control
(rulename = "Security Control",规则名severity = $(SIG_HI)监测等级
)
{/etc/group -> $(SEC_CRIT) ;# 监测目录和监测什么/etc/security -> $(SEC_CRIT) ;
}
监测参数说明如下
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # 无法更改的关键文件,Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # 设置了SUID或SGID标志的二进制文件,Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # 不应更改的二进制文件,Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # 配置不经常更改但经常访问的文件,Config files that are changed infrequently but accessed often
SEC_LOG = $(Growing) ; # 文件不断增长,但不应更改所有权,Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # 不应更改权限或所有权的目录,Directories that should never change permission or ownership
SIG_LOW = 33 ; # 安全影响最小的非关键文件,Non-critical files that are of minimal security impact
SIG_MED = 66 ; # 具有重大安全影响的非关键文件,Non-critical files that are of significant security impact
SIG_HI = 100 ; # 作为重要漏洞点的关键文件,Critical files that are significant points of vulnerability监测参数中参数的说明如下A number of variables are predefined by Tripwire and may not be changed. These variables represent different ways that filescan change, and can be used on the right side of rules to design a policy file quickly.
Tripwire预定义了许多变量,这些变量可能不会更改。这些变量表示文件
可以更改,并且可以在规则的右侧使用,以便快速设计策略文件。ReadOnly ReadOnly is good for files that are widely available but are intended to be read-only.ReadOnly适用于广泛可用但只读的文件。Value: +pinugtsdbmCM‐rlacSHDynamic Dynamic is good for monitoring user directories and files that tend to be dynamic in behavior.Dynamic有利于监视用户目录和文件,这些目录和文件的行为往往是动态的。Value: +pinugtd‐srlbamcCMSHGrowing The Growing variable is intended for files that should only get larger.Growing变量适用于只会变得更大的文件。Value: +pinugtdl‐srbamcCMSHDevice Device is good for devices or other files that Tripwire should not attempt to open.设备适用于Tripwire不应尝试打开的设备或其他文件。Value: +pugsdr‐intlbamcCMSHIgnoreAll IgnoreAll tracks a file's presence or absence, but doesn't check any other properties.IgnoreAll跟踪文件的存在或不存在,但不检查任何其他属性。Value: ‐pinugtsdrlbamcCMSHIgnoreNone IgnoreNone turns on all properties and provides a convenient starting point for defining your own propertyIgnoreNone打开所有属性,并为定义自己的属性提供了一个方便的起点masks. (For example, mymask = $(IgnoreNone) -ar;)Value: +pinugtsdrbamcCMSH‐l二、使用
1.初始化
tripwire --init
第一次执行init一般都会报错,那是因为策略配置中的一些文件并不存在,所以我们需要执行一个脚本
sh -c "tripwire --check | grep Filename > no-directory.txt"
把报错目录放入txt,再执行脚本进行注释
touch init.sh
vim init.sh
写入以下内容:
#!/bin/bash
for f in $(grep "Filename:" no-directory.txt | cut -f2 -d:); do
sed -i "s|\($f\) |#\\1|g" /etc/tripwire/twpol.txt
done
执行这个脚本:
bash init.sh
处理完报错目录后,需要重新加密配置文件
twadmin -m P /etc/tripwire/twpol.txt
再初始化数据库。其实就是对本地文件进行快照
tripwire --init
2.测试
tripwire --check
3.监测项目
在twpol.txt中加入配置即可,以下为示例说明
# Rule for Security Control
(rulename = "Security Control",#规则名severity = $(SIG_HI)#监测等级
)
{/etc/group -> $(SEC_CRIT) ;#监测目录和监测什么/etc/security -> $(SEC_CRIT) ;
}
4.电子邮件通知
测试邮箱是否接收信息
tripwire --test --email xxxx@163.com
在twpol.txt文件策略中加入以下示例
# Ruleset for lnmp
(rulename = "lnmp Data", severity= $(SIG_HI),emailto = xxxx@163.com){/mnt/www -> $(SEC_CRIT);}
重新加密策略文件和初始化数据库
twadmin -m P /etc/tripwire/twpol.txt
tripwire --init
检查系统并发送邮件
tripwire --check --email-report
测试没问题便设置定时任务
cd ~/
crontab -e -u root
0 0 * * * tripwire --check --email-report
重启下定时任务
systemctl restart crond
如果以上方法不起作用,可以用另一个方法:使用sh文件
touch check.sh
vim check.sh#!/bin/bash
export PATH="/usr/sbin:$PATH"
tripwire --check --email-reportcrontab -e
0 0 * * * bash /root/check.sh
每天十二点执行
*/2表示每2执行一次
systemctl restart crond
三、常用命令
初始化数据库
tripwire –-init
测试
tripwire –-check
加密配置文件
twadmin -m P /etc/tripwire/twpol.txt
更新数据库
tripwire --update
检查系统并发送邮件
tripwire --check --email-report
测试邮箱是否可用
tripwire --test --email xxxx@163.com
查看报告
twprint -m r --twrfile xxx
)
)
线性表的顺序存储及其运算的实现)
)
)
