Category: LINUX

2008-12-23 17:02:42

Installing and Configuring Tripwire to Harden Your Linux System
1. Why install Tripwire
After installing Linux and finishing your configuration, you are advised to install the Tripwire package right away. It records the characteristics of files, such as object size, owner, group and access permissions, in a fingerprint database and checks them periodically. When the current state of a file no longer matches the fingerprint database, Tripwire raises an alert telling you which items differ from the database.
2. [root@nihao tripwire]# rpm -ivh tripwire-2.3.1-17.i386.rpm
3. [root@nihao ~]# cd /etc/tripwire/
4. [root@nihao tripwire]# ls
twcfg.txt: configures Tripwire's working environment; adjust it to your own habits
twpol.txt: specifies which properties of which files Tripwire monitors
twinstall.sh: the installation script to run
5. The default twcfg.txt contains:
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
DBFILE is the file name of the fingerprint database.
REPORTFILE is the file name of the check report.
6. Now look at twpol.txt. We configure it to specify which properties of which files Tripwire monitors. The properties Tripwire can monitor are listed in the "property masks" section of the twpolicy man page, as follows:
- Ignore the following properties
+ Record and check the following properties
a Access timestamp
b Number of blocks allocated
c Inode timestamp (create/modify)
d ID of device on which inode resides
g File owner's group ID
i Inode number
l File is increasing in size (a "growing file")
m Modification timestamp
n Number of links (inode reference count)
p Permissions and file mode bits
r ID of device pointed to by inode
(valid only for device objects)
s File size
t File type
u File owner's user ID
C CRC-32 hash value
H Haval hash value
M MD5 hash value
S SHA hash value
7. How do you ask Tripwire to monitor particular files? The twpol.txt shipped with Red Hat already places the important configuration files and programs under monitoring; you can find a passage like the following in it:

(
  rulename = "Security Control",
  severity = $(SIG_HI)
)
{
  /etc/group -> $(SEC_CRIT) ;
  /etc/security -> $(SEC_CRIT) ;
}
This passage places the two objects /etc/group and /etc/security into the "Security Control" group. Its severity level is defined by the variable SIG_HI, whose value is 100 (explained below). Which properties of /etc/group and /etc/security does Tripwire monitor? That is defined by the variable SEC_CRIT.
8. Browsing twpol.txt from the top, you can find the following passage:
@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN       = $(ReadOnly) ;       # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;        # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;        # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;             # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                # Non-critical files that are of significant security impact
SIG_HI        = 100 ;               # Critical files that are significant points of vulnerability
You can see that SIG_HI is 100, as mentioned in the previous step. Which properties of /etc/group Tripwire monitors is defined by SEC_CRIT, and here you find that SEC_CRIT equals "$(IgnoreNone)-SHa". Which properties exactly are those?
To solve this puzzle you first have to find out how the variable IgnoreNone is defined. Searching all of twpol.txt does not help, because IgnoreNone, like ReadOnly, Dynamic, Growing and the others below, is a variable predefined by Tripwire. They are documented in the "Variables" section of the twpolicy man page, as follows:
ReadOnly    ReadOnly is good for files that are widely available but are intended to be read-only.
            Value: +pinugtsdbmCM-rlacSH
Dynamic     Dynamic is good for monitoring user directories and files that tend to be dynamic in behavior.
            Value: +pinugtd-srlbamcCMSH
Growing     The Growing variable is intended for files that should only get larger.
            Value: +pinugtdl-srbamcCMSH
Device      Device is good for devices or other files that Tripwire should not attempt to open.
            Value: +pugsdr-intlbamcCMSH
IgnoreAll   IgnoreAll tracks a file's presence or absence, but doesn't check any other properties.
            Value: -pinugtsdrlbamcCMSH
IgnoreNone  IgnoreNone turns on all properties and provides a convenient starting point for defining your own property masks. (For example, mymask = $(IgnoreNone) -ar;)
            Value: +pinugtsdrbamcCMSH-l
From the above, the value of "IgnoreNone" is "+pinugtsdrbamcCMSH-l": the properties listed after "+" are monitored, and those listed after "-" are not. So what does "$(IgnoreNone)-SHa" mean? It takes the S, H and a properties that IgnoreNone originally monitors and marks them as not monitored.
You can modify this file according to your needs.
9. Next, run ./twinstall.sh inside /etc/tripwire. During the run you are asked to set two pass phrases:
site pass phrase: used to encrypt twpol.txt and twcfg.txt
local pass phrase: used to encrypt the fingerprint database
It then asks you to enter the correct site pass phrase again, at which point twpol.txt and twcfg.txt are each encrypted, producing tw.pol and tw.cfg from the original plain-text files.
[root@nihao tripwire]# ./twinstall.sh
[root@localhost tripwire]# tripwire -m i
Run tripwire -m i to build the fingerprint database; it asks you for the local pass phrase.
10. Perhaps you doubt that Tripwire can really detect the most minute change to a file. Let's run an experiment: change the "x" in the second field of the first line of /etc/group to "X":
[root@nihao tripwire]# head -1 /etc/group
root:x:0:root
[root@nihao tripwire]# vi /etc/group
root:X:0:root
11. Run "tripwire -m c --interactive" to perform the check. At the end a report is shown (opened in vi by default), which contains:
[root@nihao tripwire]# tripwire -m c --interactive
"Rule Summary": the check result for every rule group
=================================================================
Report Summary:
=================================================================
Host name: nihao
Host IP address: Unknown IP
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/nihao.twd
Command line used: tripwire -m c --interactive
=================================================================
Rule Summary:
=================================================================
Section: Unix File System

Rule Name                                      Severity Level  Added  Removed  Modified
---------                                      --------------  -----  -------  --------
Invariant Directories                          66              0      0        0
Temporary directories                          33              0      0        0
* Tripwire Data Files                          100             1      0        1
Critical devices                               100             0      0        0
User binaries                                  66              0      0        0
Tripwire Binaries                              100             0      0        0
Critical configuration files                   100             0      0        0
Libraries                                      66              0      0        0
Operating System Utilities                     100             0      0        0
Critical system boot files                     100             0      0        0
File System and Disk Administraton Programs    100             0      0        0
Kernel Administration Programs                 100             0      0        0
Networking Programs                            100             0      0        0
System Administration Programs                 100             0      0        0
Hardware and Device Control Programs           100             0      0        0
System Information Programs                    100             0      0        0
Application Information Programs               100             0      0        0
Shell Related Programs                         100             0      0        0
Critical Utility Sym-Links                     100             0      0        0
Shell Binaries                                 100             0      0        0
System boot changes                            100             0      0        0
OS executables and libraries                   100             0      0        0
* Security Control                             100             0      0        1
Login Scripts                                  100             0      0        0
* Root config files                            100             1      0        1

Total objects scanned: 15629
Total violations found: 5
Five changes were found. One is Tripwire's own data file (added); another is in the "Security Control" group (/etc/group belongs to this group!).
=================================================================
Object Summary:
=================================================================
Section: Unix File System

Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Added:
[x] "/var/lib/tripwire/nihao.twd"

Rule Name: Tripwire Data Files (/etc/tripwire/tw.cfg)
Severity Level: 100

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Modified:
[x] "/etc/tripwire/tw.cfg"

Rule Name: Security Control (/etc/group)
Severity Level: 100

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Modified:
[x] "/etc/group"

Rule Name: Root config files (/root)
Severity Level: 100

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Added:
[x] "/root/.lesshst"
Modified:
[x] "/root"
=================================================================
Object Detail:
=================================================================
Section: Unix File System

/etc/group was found to have changed. If you want the fingerprint database's record of /etc/group updated to its current state, keep the x inside the [ ] in front of /etc/group; otherwise replace it with a space.
"Object Detail": detailed information about each changed object, such as which properties changed

Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100

Although only an x was changed to X, four properties were affected, the most important of them being the MD5 value. Whenever a file's MD5 value differs from the original, you can conclude that the file's contents have been modified.
Tripwire runs a check automatically every day and e-mails the result to root. You should also run "tripwire -m c --interactive" regularly to update the fingerprint database.
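As an added worked example (my own script, not code from the original post or from the Tripwire project), the following Python resolves a property-mask expression such as $(IgnoreNone)-SHa into the set of properties Tripwire checks, using the predefined variable values quoted in step 8, and then predicts which properties the one-byte edit of /etc/group from step 10 would trigger. The set of properties that such an edit changes is constructed from the experiment as described, not measured on a live system.

```python
import re

# Predefined property-mask variables with the values quoted from twpolicy(4).
PREDEFINED = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}

# Property letters as listed in the "property masks" section above.
PROPERTY_NAMES = {
    "a": "access timestamp", "b": "blocks allocated", "c": "inode timestamp",
    "d": "device ID", "g": "group ID", "i": "inode number", "l": "growing file",
    "m": "modification timestamp", "n": "link count", "p": "permissions",
    "r": "device pointed to", "s": "file size", "t": "file type", "u": "user ID",
    "C": "CRC-32", "H": "HAVAL", "M": "MD5", "S": "SHA",
}

def resolve_mask(expr, variables=None):
    """Return the set of property letters a mask expression records and checks.
    $(VAR) references are substituted textually (policy variables may refer to
    other variables), then each +/- run is applied left to right."""
    variables = {**PREDEFINED, **(variables or {})}
    while "$(" in expr:
        expr = re.sub(r"\$\((\w+)\)", lambda m: variables[m.group(1)], expr)
    checked = set()
    for sign, props in re.findall(r"([+-])([A-Za-z]+)", expr):
        checked = checked | set(props) if sign == "+" else checked - set(props)
    return checked

def violated(mask_expr, changed_props):
    """Properties Tripwire would report: changes to ignored properties are silent."""
    return resolve_mask(mask_expr) & set(changed_props)

# Constructed from the experiment: rewriting /etc/group with one byte changed
# (x -> X) keeps size, mode, owner and inode, but touches the access,
# modification and inode-change timestamps and every content hash.
ONE_BYTE_EDIT = set("amcCHMS")

if __name__ == "__main__":
    for mask in ("$(IgnoreNone)-SHa", "$(Dynamic)"):
        hits = violated(mask, ONE_BYTE_EDIT)
        print(f"{mask}: {len(hits)} property(ies) reported")
        for p in sorted(hits):
            print(f"  {p}  {PROPERTY_NAMES[p]}")
```

Under SEC_CRIT the edit is reported through m, c, C and M, the four properties the report above mentions, whereas a file placed under SEC_CONFIG ($(Dynamic)) would produce no violation at all for the same edit, because Dynamic ignores timestamps and hashes.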

阅读(457) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~