在 Ubuntu 22.04|20.04|18.04 上安装和配置 Tripwire |
在这篇博文中,我们将了解如何在 Ubuntu 22.04|20.04|18.04 Linux 系统上安装和配置 Tripwire。 Tripwire 是一个基于主机的开源入侵检测系统。 Tripwire 可以检查文件完整性,并且会监视文件/目录更改并发出警报。
Tripwire 检查将当前文件系统状态与已知基线状态进行比较,并就检测到的任何更改发出警报。基线和检查行为由策略文件控制,该策略文件指定要监视哪些文件或目录,以及要监视它们的哪些属性,例如哈希值、文件权限和所有权。
当发生预期的更改(例如升级包)时,可以将基线数据库更新到新的已知良好状态。该策略还可以更新,例如,以减少噪音或覆盖新安装的软件包。
在 Ubuntu 22.04|20.04|18.04 上安装 Tripwire
适用于 Ubuntu 的 Tripwire 软件包可从 apt 存储库获取。通过运行安装它:
sudo apt update
sudo apt install tripwire此安装是一个交互式过程,它会问您几个问题。然后相应回答即可安装
创建 Tripwire 密钥并初始化数据库。
现在安装已经成功,我们需要生成密钥并初始化数据库,以便 Tripwire 可以开始工作。
$ cd /etc/tripwire/
$ ls -l
total 36
-rw------- 1 root root 931 Nov 15 16:05 site.key
-rw-r--r-- 1 root root 4586 Nov 15 16:06 tw.cfg
-rw-r--r-- 1 root root 4159 Nov 15 16:06 tw.pol
-rw-r--r-- 1 root root 510 Nov 10 19:57 twcfg.txt
-rw-r--r-- 1 root root 6057 Nov 10 19:57 twpol.txt
-rw------- 1 root root 931 Nov 15 16:06 ubuntu22-local.key我们会将twcfg.txt文件 REPORTLEVEL 修改为4,这是最大值。
$ sudo vim twcfg.txt
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/usr/bin/editor
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =4
SYSLOGREPORTING =true
MAILMETHOD =SMTP
SMTPHOST =localhost
SMTPPORT =25
TEMPDIRECTORY =/tmp修改后生成配置文件:
$ sudo twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase: <Enter-your-passphrase>
Wrote configuration file: /etc/tripwire/tw.cfg优化 Tripwire 策略文件
创建一个包含以下内容的 twpolmake.pl 文件:
sudo vim twpolmake.pl添加 :
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;创建配置:
$ sudo su -
# perl twpolmake.pl twpol.txt > twpol.txt.new
# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol创建 Tripwire 数据库:
# tripwire -m i -s -c tw.cfg
Please enter your local passphrase:
### Warning: File system error.
### Filename: /var/lib/tripwire/server-01.twd
### No such file or directory
### Continuing...您可以使用以下命令打印数据库:
# twprint -m d -d /path/to/database.twd
E.g
# twprint -m d -d /var/lib/tripwire/server-01.twd更新数据库
最简单的更新形式是使用报告文件中的所有更改来更新数据库:
# tripwire --update --accept-all通过手动执行检查来测试 tripwire:
# tripwire -m c -s -c /etc/tripwire/tw.cfg
Open Source Tripwire(R) 2.4.3.1 Integrity Check Report
Report generated by: root
Report created on: Sat Jun 9 07:32:25 2018
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: server-01
Host IP address: 127.0.1.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/server-01.twd
Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Other binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Other libraries 66 0 0 0
Root file-system executables 100 0 0 0
* Tripwire Data Files 100 1 0 0
System boot changes 100 0 0 0
Root file-system libraries 100 0 0 0
(/lib)
Critical system boot files 100 0 0 0
Other configuration files 66 0 0 0
(/etc)
Boot Scripts 100 0 0 0
Security Control 66 0 0 0
Root config files 100 0 0 0
Devices & Kernel information 100 0 0 0
(/dev)
Invariant Directories 66 0 0 0
Total objects scanned: 14492
Total violations found: 1
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire/server-01.twd)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/var/lib/tripwire/server-01.twd"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.如果没有遇到错误,Tripwire 数据文件位于:/var/lib/tripwire/
# ls /var/lib/tripwire/report/
server-01-20180609-073225.twr要打印此报告,请使用以下语法:
# twprint -m r -t [0-4] -r /path/to/reportfile.twr-t 参数指定报告详细程度,其中 0 是报告内容的单行摘要,4 显示所有已更改对象的所有收集的属性。如果未在命令行上或通过 REPORTLEVEL 配置文件选项指定,则报告级别默认为 3。示例:
# twprint -m r -t 4 -r /var/lib/tripwire/report/server-01-20180609-073225.twr另请注意,您可以手动更新此报告:
# tripwire -m u -a -s -c /etc/tripwire/tw.cfg -r /var/lib/tripwire/report/server-01-20180609-073225.twr
Please enter your local passphrase:更新政策
策略更新模式修改当前 Tripwire 策略,而不会丢失现有基线。
# tripwire --update-policy updated-policy.txt作为更新过程的一部分,这将检查新策略。如果此检查检测到更改,则默认行为是显示更改并退出,而不更新策略或数据库。要接受更改并继续策略更新,请使用 -Z low/–secure-mode low 命令行选项。
测试电子邮件配置
测试电子邮件配置:
# tripwire --test --email [email 这将使用配置文件中指定的电子邮件设置将测试电子邮件发送到指定的地址。我们将在下一篇文章中介绍更多 Tripwire 配置。