
Category: Networking and Security

2016-11-21 07:48:24

Reposted from:

The original had too much filler, so I trimmed it down.
Tripwire is an intrusion detection system (IDS) that constantly and automatically keeps your critical system files under control and reports when they have been destroyed or modified by a cracker (or by mistake). It allows the system administrator to know immediately what was compromised and fix it.

Tripwire is available both as an open source offering and as a full-fledged enterprise version.
Tripwire Open Source agents monitor Linux systems to detect and report any unauthorized changes to files and directories. It first creates a baseline of all files in an encrypted file (encryption protects it from malware tampering), then monitors the files for changes, including permissions, internal file changes, and timestamp details. Cryptographic hashes are employed to detect changes in a file without storing its entire contents in the database. While useful for detecting intrusions after they've occurred, Tripwire Open Source can also serve many other purposes, such as integrity assurance, change management and policy compliance.
System Update:

Log in to your CentOS 7 system and install the latest updates and security patches with the command below.

  # yum update

After the system update, install the latest EPEL repository.

  # yum install epel-release

Installing Tripwire:

  # yum install tripwire

Creating Keys:

Run the command below to create the Tripwire site and local key files. You will be asked for a site passphrase and a local passphrase; these protect the keys, which are used to sign a variety of files such as the configuration, policy, and database files.

  # tripwire-setup-keyfiles

Once you have a satisfactory Tripwire policy file, you should move the clear-text version to a secure location and/or encrypt it in place (using a tool such as GPG, for example).

Now run tripwire --init to enter Database Initialization Mode. In this mode, Tripwire reads the policy file, generates a database based on its contents, and then cryptographically signs the resulting database. Options can be entered on the command line to specify which policy, configuration, and key files are used to create the database. The filename for the database can be specified as well. If no options are specified, the default values from the current configuration file are used.

Initializing Tripwire:

Finally, initialize the Tripwire database using the following command.

  # tripwire --init

After processing all system files, you will get the following message about Tripwire database initialization.

  ### Continuing
  Wrote database file: /var/lib/tripwire/ksh-cent7.twd
  The database was successfully generated.

Configure Tripwire policy:

Once initialization is done, you can disable individual checks by commenting them out with "#" in the policy file.

  # vim /etc/tripwire/twpol.txt

Tripwire will identify file changes in the critical system files specified in the policy file. Using Tripwire while making frequent changes to these directories will flag all these changes. It is most useful after a system has reached a configuration that the user considers stable.

To use Tripwire after creating a policy file to run a report, use the following command.

  # tripwire --check > /etc/tripwire/report.txt

Depending on your system and the contents of the policy file, the Tripwire check may take some time to complete. After that you will be able to view the Report Summary generated by Tripwire.

If you would like to modify the default policy, edit the policy file and then run the following commands as root to sign the new policy and rebuild the database from it.

  # twadmin --create-polfile /etc/tripwire/twpol.txt && tripwire --init

Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***

### Continuing...
Wrote database file: /var/lib/tripwire/ksh-cent7.twd
The database was successfully generated.
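One practical step before `twadmin --create-polfile` is pruning the stock policy: the twpol.txt shipped with the package lists many paths that do not exist on every host, and each one produces a "File system error" in every report, which buries the findings that matter. The shell script below is an added example, not part of the original article or of the Tripwire project; it lists the active entries whose path is missing and writes a copy of the policy with those entries commented out, so they are easy to restore later. It assumes the entries are written as an absolute path followed by `->` (entries built from variables such as `$(TWBIN)/tripwire` are left untouched), and the file names in its comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): comment out Tripwire policy
# entries whose path does not exist on this host, so they stop producing
# "File system error" noise in every check report.
# Only plain "/path -> $(PROPERTY) ;" entries are handled; variable-based
# entries, exclusions ("!/path ;") and comments are passed through unchanged.

set -eu

# Print the absolute path named by one policy line, or nothing if the line
# is not a plain "/path -> ..." entry.
policy_entry_path() {
    # $1: one line of twpol.txt
    printf '%s\n' "$1" | sed -n 's|^[[:space:]]*\(/[^[:space:]]*\)[[:space:]]*->.*$|\1|p'
}

# List the paths of all active (non-commented) entries that do not exist.
# Usage: missing_policy_paths /etc/tripwire/twpol.txt
missing_policy_paths() {
    while IFS= read -r line || [ -n "$line" ]; do
        path=$(policy_entry_path "$line")
        [ -n "$path" ] || continue
        # -e follows symlinks, so a dangling link is reported as missing too,
        # which matches how Tripwire reports it.
        [ -e "$path" ] || printf '%s\n' "$path"
    done < "$1"
}

# Write a copy of the policy with every missing-path entry commented out and
# print how many entries were commented.
# Usage: comment_missing_entries /etc/tripwire/twpol.txt /etc/tripwire/twpol.clean.txt
comment_missing_entries() {
    in=$1; out=$2; count=0
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        path=$(policy_entry_path "$line")
        if [ -n "$path" ] && [ ! -e "$path" ]; then
            # keep the original text behind the "#" so it can be restored
            printf '#%s\n' "$line" >> "$out"
            count=$((count + 1))
        else
            printf '%s\n' "$line" >> "$out"
        fi
    done < "$in"
    echo "$count"
}
```

Run `missing_policy_paths` first to see what would be silenced, then feed the cleaned copy to `twadmin --create-polfile` and re-run `tripwire --init`; keep the unedited twpol.txt so the entries can be re-enabled if the package that owns them is installed later.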

Automating Tripwire reports:

Now we will set up a cron job that runs a Tripwire check every morning and mails the result, so the Tripwire results can be confirmed manually.

We will be using root's crontab, because edits to the system crontab can get wiped out by system updates.

Let's create the crontab by typing the command below and adding the following line.

  # crontab -e
  40 2 * * * /usr/sbin/tripwire --check | mail -s "Tripwire report for `uname -n`" your_email@linuxpitstop.com

In this cron job we have provided our email address, so the Tripwire run at 2:40 am every day sends its report there.

To review all of the cron jobs present under your current user, use the command below.

  # crontab -l
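The cron line above mails the whole report every night whether or not anything changed, and it does not record which binary report (.twr) belongs to that run, which is what `tripwire --update` needs when you later accept a legitimate change. The script below is an added example, not from the original article, that wraps the nightly check: it pins the .twr report name, mails only when the report lists violations or tripwire exits with an error (so an empty mailbox means "nothing changed" and a broken IDS is not silent), and puts the matching update command in the mail. The report directory, the recipient variable and the script path in the usage note are assumptions; the "Total violations found:" line it parses is the summary line at the end of a Tripwire check report, and the sample report in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): nightly Tripwire check
# wrapper for cron. Paths follow the CentOS 7 package layout used in the
# article; REPORT_DIR and MAIL_TO are assumptions you can override.

set -u

REPORT_DIR=${REPORT_DIR:-/var/lib/tripwire/report}
MAIL_TO=${MAIL_TO:-root}

# Extract the "Total violations found:" count from a plain-text report
# written by `tripwire --check` (or `twprint --print-report`).
# Prints the number, or -1 if the summary line is missing (truncated or
# failed run), so callers can tell "zero" from "unknown".
violations_from_report() {
    # $1: path to the text report
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$1" | head -n 1)
    if [ -z "$n" ]; then echo -1; else echo "$n"; fi
}

# True (exit 0) when the run needs a human: a non-zero or unknown violation
# count, or a non-zero exit status from tripwire itself.
needs_attention() {
    # $1: count from violations_from_report, $2: tripwire exit status
    [ "$1" -ne 0 ] || [ "$2" -ne 0 ]
}

nightly_check() {
    stamp=$(date +%Y%m%d-%H%M%S)
    txt=$(mktemp)
    # -r pins the name of the binary report that --check writes, so the mail
    # can tell the reader exactly which file to pass to `tripwire --update`.
    twr="$REPORT_DIR/$(uname -n)-$stamp.twr"
    /usr/sbin/tripwire --check -r "$twr" > "$txt" 2>&1
    rc=$?
    n=$(violations_from_report "$txt")
    if needs_attention "$n" "$rc"; then
        {
            echo "tripwire exit status: $rc, violations: $n"
            echo "To accept reviewed changes: tripwire --update -r $twr"
            echo
            cat "$txt"
        } | mail -s "Tripwire report for $(uname -n): $n violation(s)" "$MAIL_TO"
    fi
    rm -f "$txt"
    return "$rc"
}

# Run the check only when invoked with "run", so the file can also be
# sourced for its functions.
case "${1-}" in
    run) nightly_check ;;
esac
```

Install it as, for example, /usr/local/sbin/tripwire-nightly.sh and point the crontab entry at it instead of the bare pipe: `40 2 * * * /usr/local/sbin/tripwire-nightly.sh run`. After reviewing a mailed report and confirming the changes are legitimate, run the `tripwire --update -r ...` line it contains so the baseline moves forward and the same files are not reported again the next night.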

Conclusion:

At the end of this article, you are now able to install and configure your Tripwire IDS. You should review the emailed reports regularly and take action when changes are detected, either by updating the Tripwire database to accept the changes or by investigating suspicious activity. You are all set up with an automated intrusion detection system that sends you reports about changes on your filesystem. Enjoy!

#==================================================================================#
One more useful thing:

CrackStation's Password Cracking Dictionary
