Tripswireをインストールしてファイル改ざんをチェックできるようにしていきます。
Tripwireインストール
[root@sl6 ~]# yum --enablerepo=epel -y install tripwire
epel/metalink | 6.2 kB 00:00
epel | 4.3 kB 00:00
epel/primary_db | 3.8 MB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package tripwire.x86_64 0:2.4.1.2-11.el6 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
============================================================
Package Arch Version Repository Size
============================================================
Installing:
tripwire x86_64 2.4.1.2-11.el6 epel 1.2 M
Transaction Summary
============================================================
Install 1 Package(s)
Upgrade 0 Package(s)
Total download size: 1.2 M
Installed size: 3.7 M
Downloading Packages:
tripwire-2.4.1.2-11.el6.x86_64.rpm | 1.2 MB 00:00
警告: rpmts_HdrFromFdno: ヘッダ V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
epel/gpgkey | 3.2 kB 00:00 ...
Importing GPG key 0x0608B895 "EPEL (6)
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : tripwire-2.4.1.2-11.el6.x86_64 1/1
Installed:
tripwire.x86_64 0:2.4.1.2-11.el6
Complete!
[root@sl6 ~]# tripwire-setup-keyfiles
----------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: 任意のサイトパスフレーズを入力
Verify the site keyfile passphrase: 任意のサイトパスフレーズを再入力
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: 任意のローカルパスフレーズを入力
Verify the local keyfile passphrase: 任意のローカルパスフレーズを再入力
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Signing configuration file...
Please enter your site passphrase: 最初に入力したサイトパスフレーズを入力
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
----------------------------------------------
Signing policy file...
Please enter your site passphrase: 最初に入力したサイトパスフレーズを入力
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements a minimal
policy, intended only to test essential Tripwire functionality. You
should edit the policy file to describe your system, and then use
twadmin to generate a new signed copy of the Tripwire policy.
Once you have a satisfactory Tripwire policy file, you should move the
clear-text version to a secure location and/or encrypt it in place
(using a tool such as GPG, for example).
Now run "tripwire --init" to enter Database Initialization Mode. This
reads the policy file, generates a database based on its contents, and
then cryptographically signs the resulting database. Options can be
entered on the command line to specify which policy, configuration, and
key files are used to create the database. The filename for the
database can be specified as well. If no options are specified, the
default values from the current configuration file are used.
Tripwire設定ファイルの変更
[root@sl6 ~]# vi /etc/tripwire/twcfg.txt
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =true ←falseからtrueに変更
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =4 ←3から4に変更
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
[:]キー、[w]キー、[q]キーを順に押下して内容を保存しviエディタを終了します
# Tripwire設定ファイルに暗号署名を行います
[root@sl6 ~]# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: サイトパスフレーズ応答
Wrote configuration file: /etc/tripwire/tw.cfg
# Tripwire設定ファイルを削除します
[root@sl6 ~]# rm /etc/tripwire/twcfg.txt
※Tripwire暗号署名設定ファイルから設定ファイルを復元する場合
[root@sl6 ~]# twadmin -m f -c /etc/tripwire/tw.cfg > /etc/tripwire/twcfg.txt
ポリシーファイルの設定
初期状態のポリシーファイルは実在しないファイルが設定されていたり実在するファイルがコメント化されているので、Perlスクリプトでファイルの有無をチェックしポリシーファイルを再作成します。
※Perlファイルはファイル改竄検知システム導入(Tripwire) - CentOSで自宅サーバー構築のスクリプトを利用させていただきました。
[root@sl6 ~]# vi /etc/tripwire/twpolmake.pl
#!/usr/bin/perl # Tripwire Policy File customize tool # ---------------------------------------------------------------- # Copyright (C) 2003 Hiroaki Izumi # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ---------------------------------------------------------------- # Usage: # perl twpolmake.pl {Pol file} # ---------------------------------------------------------------- # $POLFILE=$ARGV[0]; open(POL,"$POLFILE") or die "open error: $POLFILE" ; my($myhost,$thost) ; my($sharp,$tpath,$cond) ; my($INRULE) = 0 ; while (<POL>) { chomp; if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) { $myhost = `hostname` ; chomp($myhost) ; if ($thost ne $myhost) { $_="HOSTNAME=\"$myhost\";" ; } } elsif ( /^{/ ) { $INRULE=1 ; } elsif ( /^}/ ) { $INRULE=0 ; } elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) { $ret = ($sharp =~ s/\#//g) ; if ($tpath eq '/sbin/e2fsadm' ) { $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ; } if (! -s $tpath) { $_ = "$sharp#$tpath$cond" if ($ret == 0) ; } else { $_ = "$sharp$tpath$cond" ; } } print "$_\n" ; } close(POL);
[:]キー、[w]キー、[q]キーを順に押下して内容を保存しviエディタを終了します
# ファイルの存在チェック用Perlスクリプトを使ってポリシーファイルを最適化する
[root@sl6 ~]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new
# 最適化ポリシーファイルに暗号署名を行います
[root@sl6 ~]# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase: サイトパスフレーズ応答
Wrote policy file: /etc/tripwire/tw.pol
# ポリシーファイルファイルを削除します
[root@sl6 ~]# rm -f /etc/tripwire/twpol.txt*
※暗号署名したポリシーファイルからポリシーファイルを復元する場合
[root@sl6 ~]# twadmin -m p -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key > /etc/tripwire/twpol.txt
データベース作成
Tripwireのデータベースを作成します
Please enter your local passphrase: ローカルパスフレーズ応答
Tripwire動作確認
Tripwireの動作確認を行います。
Open Source Tripwire(R) 2.4.1 Integrity Check Report
Report generated by: root
Report created on: 2011年03月29日 14時59分50秒
Database last updated on: Never
============================================================
Report Summary:
============================================================
Host name: sl6
Host IP address: 192.168.xx.xx
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /usr/local/tripwire/lib/tripwire/sl6.twd
Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg
============================================================
Rule Summary:
============================================================
------------------------------------------------------------
Section: Unix File System
------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
* Tripwire Data Files 0 1 0 0
* Monitor Filesystems 0 0 0 1
User Binaries and Libraries 0 0 0 0
Tripwire Binaries 0 0 0 0
OS Binaries and Libraries 0 0 0 0
Temporary Directories 0 0 0 0
Global Configuration Files 0 0 0 0
System Boot Changes 0 0 0 0
RPM Checksum Files 0 0 0 0
OS Boot Files and Mount Points 0 0 0 0
* OS Devices and Misc Directories 0 0 0 1
Root Directory and Files 0 0 0 0
Total objects scanned: 88098
Total violations found: 3
============================================================
Object Summary:
============================================================
------------------------------------------------------------
# Section: Unix File System
------------------------------------------------------------
------------------------------------------------------------
Rule Name: Tripwire Data Files (/usr/local/tripwire/lib/tripwire)
Severity Level: 0
------------------------------------------------------------
Added:
"/usr/local/tripwire/lib/tripwire/sl6.twd"
------------------------------------------------------------
Rule Name: Monitor Filesystems (/var)
Severity Level: 0
------------------------------------------------------------
Modified:
"/var/spool/postfix/public/pickup"
------------------------------------------------------------
Rule Name: OS Devices and Misc Directories (/dev)
Severity Level: 0
------------------------------------------------------------
Modified:
"/dev/.udev/queue.bin"
============================================================
Error Report:
============================================================
No Errors
------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Tripwire自動実行設定
Tripwireを自動実行するようcronに設定します。
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # パスフレーズ設定 LOCALPASS=ローカルパスフレーズ SITEPASS=サイトパスフレーズ cd /etc/tripwire # Tripwireチェック実行 tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root # ポリシーファイル最新化 twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # データベース最新化 rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS
[:]キー、[w]キー、[q]キーを順に押下して内容を保存しviエディタを終了します
# 実行権限を付与します
[root@sl6 ~]# chmod 700 tripwire.sh
# 毎日3時に自動実行設定を行います
[root@sl6 ~]# crontab -e
0 3 * * * /root/tripwire.sh
[:]キー、[w]キー、[q]キーを順に押下して内容を保存しviエディタを終了します