Tripwire File Integrity Checking
2010-06-01 TsengYia#126.com http://tsengyia.blog.chinaunix.net/
####################################################################
System environment:
RHEL5.3 [ 2.6.18-128.el5PAE ]
Software environment: tripwire-2.4.2-src.tar.bz2
####################################################################
I. Install the Tripwire package
[root@localhost ~]# tar jxf tripwire-2.4.2-src.tar.bz2 -C /usr/src/
[root@localhost ~]# cd /usr/src/tripwire-2.4.2-src
[root@localhost tripwire-2.4.2-src]# ./configure
[root@localhost tripwire-2.4.2-src]# make
[root@localhost tripwire-2.4.2-src]# make install
……
Press Enter to view the License Agreement //press Enter to start reading the license agreement
……
Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept //type accept to accept the license agreement
……
CLOBBER is false.
Continue with installation?[y/n]y //type y to confirm and continue the installation
……
Enter the site keyfile passphrase: //set the site passphrase (protects the policy and configuration files)
Verify the site keyfile passphrase:
……
Enter the local keyfile passphrase: //set the local passphrase (protects the database and the check reports)
Verify the local keyfile passphrase:
……
Creating signed configuration file...
Please enter your site passphrase: //authenticate with the site passphrase to sign the configuration file tw.cfg
Wrote configuration file:/usr/local/etc/tw.cfg
……
Creating signed policy file...
Please enter your site passphrase: //authenticate with the site passphrase to sign the policy file tw.pol
……
..............................
the installation succeeded.
Please refer to
for release information and to the printed user documentation
for further instructions on using Tripwire 2.4 Open Source.
……
II. Configure the security check policy
1. Adjust the policy
[root@localhost ~]# cd /usr/local/etc/
[root@localhost etc]# cp -p twpol.txt twpol.txt.bak
[root@localhost etc]# vi twpol.txt //comment out directories that should not be checked and add entries for directories that should; the policy syntax is explained in the document installed with the Tripwire package: /usr/local/doc/tripwire/policyguide.txt
……
# /etc/mail/statistics -> $(Growing);
# /cdrom -> $(Dynamic);
# /floppy -> $(Dynamic);
# /mnt -> $(Dynamic);
……
2. Generate the policy database (signed tw.pol)
[root@localhost etc]# twadmin --create-polfile -S site.key twpol.txt
Please enter your site passphrase:
Wrote policy file:/usr/local/etc/tw.pol
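A worked example of the "add entries for directories that should be checked" step, as a small script that appends a custom rule block to twpol.txt and re-signs it. It is added here as an example and is not part of the original post or of the Tripwire package. It assumes the paths used on this page (/usr/local/etc, site.key), that the stock twpol.txt still defines the $(SEC_CRIT) property mask and the $(SIG_HI) severity variable, and that /var/www/html is the directory to protect; the rule name and the cache stop point are made-up illustrations.

```shell
#!/bin/sh
# Added example, not from the original post or the Tripwire package.
# Appends a custom rule block to twpol.txt and re-signs it with twadmin.
# Assumptions: paths as on this page; $(SEC_CRIT) and $(SIG_HI) are the
# variables defined at the top of the stock twpol.txt.

TWETC=/usr/local/etc

# Append one rule block to the policy text file.
#   $1 = policy text file   $2 = directory to watch   $3 = rule name
# Files under the directory get the critical mask; the "!" line is a stop
# point that excludes a subtree (here a hypothetical cache directory) so
# volatile files do not show up as violations on every run.
append_policy_rule() {
    policy="$1"; dir="$2"; name="$3"
    cat >> "$policy" <<EOF

# Rule added by append_policy_rule
(
  rulename = "$name",
  severity = \$(SIG_HI)
)
{
  $dir -> \$(SEC_CRIT) ;
  !$dir/cache ;
}
EOF
}

# Count the rule blocks in a policy file: one 'rulename =' per block.
count_rules() {
    grep -c 'rulename *=' "$1"
}

# Re-sign the edited policy text with the site key (prompts for the site
# passphrase) so Tripwire will load it, then rebuild the baseline database
# because the set of monitored files has changed.
sign_policy() {
    twadmin --create-polfile -S "$TWETC/site.key" "$TWETC/twpol.txt" \
        && tripwire --init
}

# Usage: sh add-rule.sh /var/www/html "Web content"   (script name is a placeholder)
if [ $# -eq 2 ]; then
    append_policy_rule "$TWETC/twpol.txt" "$1" "$2"
    sign_policy
fi
```

Keep twpol.txt.bak from the step above before running this; the policy text is the only editable copy, because tw.pol is signed and binary.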
III. Modify the configuration file (optional)
1. Adjust the configuration
[root@localhost etc]# vi twcfg.txt
ROOT =/usr/local/sbin
POLFILE =/usr/local/etc/tw.pol
DBFILE =/usr/local/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/usr/local/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/usr/local/etc/site.key
LOCALKEYFILE =/usr/local/etc/localhost.localdomain-local.key
EDITOR =/usr/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING=TRUE
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =4
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
2. Generate the configuration database (signed tw.cfg)
[root@localhost etc]# twadmin --create-cfgfile -S site.key twcfg.txt
Please enter your site passphrase:
Wrote configuration file:/usr/local/etc/tw.cfg
IV. Initialize the system file database as the baseline for integrity checks (recommended: run it with the network disconnected and nothing else writing to the system)
[root@localhost etc]# tripwire --init //initialize the database
Please enter your local passphrase:
Parsing policy file:/usr/local/etc/tw.pol
Generating the database...
…… // this takes a while
V. Check for system changes
1. Run a check manually and display the result immediately
[root@localhost etc]# tripwire --check
2. Run file integrity checks on a schedule
[root@localhost etc]# crontab -e
30 0 */3 * * /usr/local/sbin/tripwire --check
3. View the integrity check report
[root@localhost etc]# cd /usr/local/lib/tripwire/report/
[root@localhost report]# twprint --print-report --twrfile localhost-20100601-123005.twr | less
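The check, cron and report steps of this section as one cron wrapper script, added here as an example; it is not from the original post or from the Tripwire package. It assumes the binary and report paths from the twcfg.txt shown above and relies on the exit status bitmask documented in tripwire(8) (1 = files added, 2 = removed, 4 = changed, 8 = error) to write a one-line summary to syslog, so a failed or never-started run is visible without opening a report; the script name tripwire-check.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post or the Tripwire package.
# Cron wrapper around "tripwire --check": decodes the exit status, logs a
# summary to syslog and prints the newest report when something changed.
# Assumptions: paths from the twcfg.txt on this page.

TRIPWIRE=/usr/local/sbin/tripwire
TWPRINT=/usr/local/sbin/twprint
REPORT_DIR=/usr/local/lib/tripwire/report

# tripwire --check exits with a bitmask documented in tripwire(8):
#   1 = file(s) added, 2 = file(s) removed, 4 = file(s) changed, 8 = error.
# Translate it into a word list; 0 means the baseline matched.
decode_tripwire_status() {
    code="$1"; out=""
    [ $((code & 1)) -ne 0 ] && out="$out added"
    [ $((code & 2)) -ne 0 ] && out="$out removed"
    [ $((code & 4)) -ne 0 ] && out="$out changed"
    [ $((code & 8)) -ne 0 ] && out="$out error"
    [ -z "$out" ] && out=" clean"
    printf '%s\n' "${out# }"
}

# Newest report file in a directory ($1), following the
# $(HOSTNAME)-$(DATE).twr naming from REPORTFILE; empty output if none yet.
latest_report() {
    ls -t "$1"/*.twr 2>/dev/null | head -n 1
}

main() {
    if "$TRIPWIRE" --check >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    summary=$(decode_tripwire_status "$status")
    # One syslog line per run, so a cron job that silently stopped running
    # is noticeable (no line = the check never ran).
    logger -t tripwire-check "integrity check finished: $summary (exit $status)"
    report=$(latest_report "$REPORT_DIR")
    if [ "$status" -ne 0 ] && [ -n "$report" ]; then
        "$TWPRINT" --print-report --twrfile "$report"
    fi
    return "$status"
}

# crontab entry (replaces the bare "tripwire --check" line above):
#   30 0 */3 * * /usr/local/sbin/tripwire-check.sh run
case "${1:-}" in
    run) main ;;
esac
```

Because tripwire is run from cron with the local passphrase unavailable, the script only reads reports; updating the database after a legitimate change (section VI, --update) stays an interactive step.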
VI. Follow-up management
1. Update the policy database
[root@localhost ~]# tripwire --update-policy --secure-mode high
2. Update the system integrity database (/usr/local/lib/tripwire/localhost.twd)
[root@localhost ~]# tripwire --update --secure-mode high
3. Change the site passphrase
[root@localhost ~]# cd /usr/local/etc/
[root@localhost etc]# twadmin --change-passphrases -S site.key
4. Change the local passphrase
[root@localhost ~]# cd /usr/local/etc/
[root@localhost etc]# twadmin --change-passphrases -L localhost.localdomain-local.key