Tripwireはサーバーのファイルの改竄を検知するシステム。 Tripwireを使用すると、重要なシステムファイルとディレクトリに対する変更をすべて検出することで、それらの保全性を確保することができる。セキュリティを万全にするために、ファイルが改竄される前に、Tripwireをインストールして基準データベースを作成しておく。基準データベースが作成されると、Tripwireは現在のファイルをこれと比較し、変更、追加、削除のいずれかがあれば報告するようにする。
■Tripwireのインストール
Tripwireをダウンロード(最新版 をダウンロード)
[root@server1 ~]# wget http://downloads.sourceforge.net/tripwire/tripwire-2.4.2.2-src.tar.bz2
ダウンロードしたtripwireを展開
[root@server1 ~]# tar jxvf tripwire-2.4.2.2-src.tar.bz2
Tripwireの展開先ディレクトリへ移動
[root@server1 ~]# cd tripwire-2.4.2.2-src
tripwireのインストール
[root@server1 tripwire-2.4.2.2-src]# ./configure --prefix=/usr/local/tripwire sysconfdir=/etc/tripwire && make && make install
Press ENTER to view the License Agreement. ← 空ENTER
SPACEキー押下でライセンス表示を流す
Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept ← acceptを入力
Continue with installation? [y/n] y ← y
Enter the site keyfile passphrase: ← サイトパスフレーズを設定
Verify the site keyfile passphrase: ← サイトパスフレーズを再度入力
Enter the local keyfile passphrase: ← ローカルパスフレーズを設定
Verify the local keyfile passphrase: ← ローカルパスフレーズを再度入力
Creating signed configuration file...
Please enter your site passphrase: ← サイトパスフレーズを入力
Creating signed policy file...
Please enter your site passphrase: ← サイトパスフレーズを入力
The installation succeeded.
tripwire展開先ディレクトリを抜ける
[root@server1 tripwire-2.4.2.-2src1]# cd
tripwire展開先ディレクトリを削除
[root@server1 ~]# rm -rf tripwire-2.4.2.2-src
tripwireを削除
[root@server1 ~]# rm -f tripwire-2.4.2.2-src.tar.bz2
tripwire実行ファイル格納ディレクトリへパスを通す
[root@server1 ~]# echo PATH=$PATH:/usr/local/tripwire/sbin >> .bashrc ; source .bashrc
■Tripwireの設定
設定ファイル(テキスト版)を編集
[root@server1 ~]# vi /etc/tripwire/twcfg.txt
ROOT =/usr/local/tripwire/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/usr/local/tripwire/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/usr/local/tripwire/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/server1.yokensaka.com-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
↓
LOOSEDIRECTORYCHECKING =true
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
↓
REPORTLEVEL =4
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
設定ファイル(テキスト版⇒暗号署名版)を作成
[root@server1 ~]# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: ← サイトパスフレーズを入力
Wrote configuration file: /etc/tripwire/tw.cfg
セキュリティ確保のため設定ファイル(テキスト版)を削除
[root@server1 ~]# rm -f /etc/tripwire/twcfg.txt
設定ファイル(テキスト版)を復活させる場合は以下のコマンドで復活できる
[root@server1~]# twadmin --print-cfgfile > /etc/tripwire/twcfg.txt
■ポリシーファイルの設定
ポリシーファイルの最適化スクリプトを作成
[root@server1 ~]# vi /etc/tripwire/twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------------
#
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;
ポリシーファイルの最適化
[root@server1 ~]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new
ポリシーファイル(暗号署名版)を作成
[root@server1 ~]# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase: ← サイトパスフレーズを入力
Wrote policy file: /etc/tripwire/tw.pol
ポリシーファイル(テキスト版)を削除
[root@server1 ~]# rm -f /etc/tripwire/twpol.txt*
ポリシーファイル(テキスト版)を復活させる場合は以下のコマンドで復活できる
[root@server1 ~]# twadmin -m p -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key > /etc/tripwire/twpol.txt
■Tripwireのデータベース作成
ポリシーファイルよりデータベースを作成
[root@server1 ~]# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: ← ローカルパスフレーズを入力
※データベースを作成するには結構時間かかる
■Tripwireの確認
ファイル変更をチェック ※結構時間かかる
[root@server1 ~]# tripwire -m c -s -c /etc/tripwire/tw.cfg
Open Source Tripwire(R) 2.4.2.2 Integrity Check Report
Report generated by: root
Report created on: 2013年01月15日 02時44分53秒
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: server1.yokensaka.com
Host IP address: 60.34.241.151
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /usr/local/tripwire/lib/tripwire/server1.yokensaka.com.twd
Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
* Tripwire Data Files 0 1 0 0
* Monitor Filesystems 0 0 0 5
User Binaries and Libraries 0 0 0 0
Tripwire Binaries 0 0 0 0
OS Binaries and Libraries 0 0 0 0
Temporary Directories 0 0 0 0
Global Configuration Files 0 0 0 0
System Boot Changes 0 0 0 0
RPM Checksum Files 0 0 0 0
* OS Boot Files and Mount Points 0 0 0 1
* OS Devices and Misc Directories 0 0 24 1
Root Directory and Files 0 0 0 0
Total objects scanned: 186790
Total violations found: 32
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/usr/local/tripwire/lib/tripwire)
Severity Level: 0
-------------------------------------------------------------------------------
Added:
"/usr/local/tripwire/lib/tripwire/server1.yokensaka.com.twd"
-------------------------------------------------------------------------------
Rule Name: Monitor Filesystems (/var)
Severity Level: 0
-------------------------------------------------------------------------------
Modified:
"/var/lib/NetworkManager/timestamps"
"/var/lib/samba/browse.dat"
"/var/lib/samba/unexpected.tdb"
"/var/spool/postfix/public/pickup"
"/var/spool/postfix/public/qmgr"
-------------------------------------------------------------------------------
Rule Name: OS Boot Files and Mount Points (/boot)
Severity Level: 0
-------------------------------------------------------------------------------
Modified:
"/boot/grub/stage2"
-------------------------------------------------------------------------------
Rule Name: OS Devices and Misc Directories (/dev)
Severity Level: 0
-------------------------------------------------------------------------------
Removed:
"/dev/char/13:33"
"/dev/char/13:67"
"/dev/char/189:503"
"/dev/char/250:0"
"/dev/input/by-id/usb-Logitech_USB_Optical_Mouse-event-mouse"
"/dev/input/by-id/usb-Logitech_USB_Optical_Mouse-mouse"
"/dev/input/by-path/pci-0000:00:12.0-usb-0:2:1.0-event-mouse"
"/dev/input/by-path/pci-0000:00:12.0-usb-0:2:1.0-mouse"
"/dev/input/event3"
"/dev/input/mouse1"
"/dev/.udev/db/hidraw:hidraw0"
"/dev/.udev/db/input:event3"
"/dev/.udev/db/input:mouse1"
"/dev/.udev/db/usb:4-2"
"/dev/.udev/links/input\\x2fby-id\\x2fusb-Logitech_USB_Optical_Mouse-event-mouse"
"/dev/.udev/links/input\\x2fby-id\\x2fusb-Logitech_USB_Optical_Mouse-event-mouse/c13:67"
"/dev/.udev/links/input\\x2fby-id\\x2fusb-Logitech_USB_Optical_Mouse-mouse"
"/dev/.udev/links/input\\x2fby-id\\x2fusb-Logitech_USB_Optical_Mouse-mouse/c13:33"
"/dev/.udev/links/input\\x2fby-path\\x2fpci-0000:00:12.0-usb-0:2:1.0-event-mouse"
"/dev/.udev/links/input\\x2fby-path\\x2fpci-0000:00:12.0-usb-0:2:1.0-event-mouse/c13:67"
"/dev/.udev/links/input\\x2fby-path\\x2fpci-0000:00:12.0-usb-0:2:1.0-mouse"
"/dev/.udev/links/input\\x2fby-path\\x2fpci-0000:00:12.0-usb-0:2:1.0-mouse/c13:33"
"/dev/bus/usb/004/120"
"/dev/hidraw0"
Modified:
"/dev/.udev/queue.bin"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
■Tripwireの定期自動実行設定
Tripwireの定期実行スクリプトを作成
[root@server1 ~]# vi tripwire.sh
#!/bin/bash
PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin
# パスフレーズ設定
LOCALPASS=xxxxxxxx # ローカルパスフレーズ
SITEPASS=xxxxxxxx # サイトパスフレーズ
cd /etc/tripwire
# Tripwireチェック実行
tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root
# ポリシーファイル最新化
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak
# データベース最新化
rm -f /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS
実行スクリプトに実行権を与える
[root@server1 ~]# chmod 700 tripwire.sh
cronを編集
[root@server1 ~]# crontab -e
00 01 * * * /root/tripwire.sh
毎日1:00にTripwireの定期実行スクリプトを実行
Tripwireのアンインストール方法
[root@server1 ~]# rm -rf /usr/local/tripwire/
[root@server1 ~]# rm -rf /etc/tripwire/