Installing tripwire

# yum install tripwire
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package tripwire.i386 0:2.4.1.2-3.fc8 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size 
=============================================================================
Installing:
 tripwire                i386       2.4.1.2-3.fc8    fedora            1.7 M

Transaction Summary
=============================================================================
Install      1 Package(s)         
Update       0 Package(s)         
Remove       0 Package(s)         

Total download size: 1.7 M
Is this ok [y/N]: y
Downloading Packages:
 (1/1): tripwire-2.4.1.2-3  13% |===                      | 240 kB    00:27
E(1/1): tripwire-2.4.1.2-3  46% |===========              | 816 kB    00:05
E(1/1): tripwire-2.4.1.2-3  90% |======================   | 1.6 MB    00:00
E(1/1): tripwire-2.4.1.2-3 100% |=========================| 1.7 MB    00:05     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: tripwire                     ######################### [1/1] 

Installed: tripwire.i386 0:2.4.1.2-3.fc8
Complete!

Configuring tripwire

Creating the site key

# twadmin -m G S /etc/tripwire/site.key
### Error: Incorrect number of parameters on command line.
### Exiting...
Use --help to get help.
[root@localhost ~]# twadmin -m G -S /etc/tripwire/site.key

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

Creating the local key

# twadmin -m G -L /etc/tripwire/`hostname`-local.key

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

Editing the configuration file

# vi /etc/tripwire/twcfg.txt
LOOSEDIRECTORYCHECKING =true
REPORTLEVEL            =4
SYSLOGREPORTING        =true
MAILPROGRAM            =/usr/sbin/postfix

Encrypting the configuration file

# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: 
Wrote configuration file: /etc/tripwire/tw.cfg

Deleting the configuration file

Now that it has been encrypted into tw.cfg, delete the plaintext original.

# rm -f /etc/tripwire/twcfg.txt

To restore the plaintext configuration file:

# twadmin --print-cfgfile > /etc/tripwire/twcfg.txt

Configuring the policy

# vi /etc/tripwire/twpol.txt 
HOSTNAME=longearth.net;

Encrypting the policy file

# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol

Deleting the policy file

Now that it has been encrypted into tw.pol, delete the plaintext original.

# rm -f /etc/tripwire/twpol.txt 

To restore the plaintext policy file:

# twadmin -m p -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key > /etc/tripwire/twpol.txt

Creating the database

To record the current state of the files, register them in the database.

# tripwire --init
Please enter your local passphrase: 
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /dev/kmem
### そのようなファイルやディレクトリはありません
### Continuing...
### Warning: File system error.
### Filename: /proc/ksyms
### そのようなファイルやディレクトリはありません
### Continuing...
### Warning: File system error.
### Filename: /proc/pci
### そのようなファイルやディレクトリはありません
Wrote database file: /var/lib/tripwire/localhost.localdomain.twd
The database was successfully generated.

Changing which files are checked

Quite a few "no such file or directory" errors appear, so change the policy so that files that do not exist on this host are not checked.
Comment out the corresponding entries in /etc/tripwire/twpol.txt (if you already deleted the plaintext file, regenerate it first with the twadmin -m p command above).
In the output above, /proc/pci, /proc/ksyms and /dev/kmem produced errors, so comment those out in the following file.

# vi /etc/tripwire/twpol.txt 

After the change, encrypt the policy again.

# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol

Then initialize the DB once more.

# tripwire --init
Please enter your local passphrase: 
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/localhost.localdomain.twd
The database was successfully generated

The errors no longer appear.
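The edit-encrypt-init cycle above is done by hand. As an added example (not from the original page), the following script automates the edit step: it reads the "### Filename: ..." warning lines that tripwire --init printed and comments out the matching object lines in twpol.txt, so only paths that actually exist stay in the policy. The input files are constructed samples; the warning format and the "path -> property ;" policy line layout are assumed from what the page shows. Re-encrypting with twadmin -m P and re-running tripwire --init afterwards is still up to you.

```shell
#!/bin/sh
# Added example, not from the original page: comment out twpol.txt entries for
# every path that "tripwire --init" reported as missing, so the policy only
# covers objects that exist on this host. Paths are read from the
# "### Filename: ..." warning lines shown above (assumed format).

# Print each path named in a "### Filename:" warning, once.
missing_paths() {
    sed -n 's/^### Filename: *//p' "$1" | sort -u
}

# Prefix "# " to policy lines whose object name is one of the missing paths.
# A policy line looks like "  /dev/kmem  -> $(Device) ;", so match the path
# followed by the "->" property separator.
disable_missing_entries() {
    policy="$1"
    log="$2"
    missing_paths "$log" | while IFS= read -r path; do
        # Escape "." so the path matches literally; "|" is the sed delimiter.
        esc=$(printf '%s' "$path" | sed 's/\./\\./g')
        sed "s|^\([[:space:]]*\)\($esc[[:space:]]*->\)|\1# \2|" "$policy" > "$policy.tmp" \
            && mv "$policy.tmp" "$policy"
    done
}

# Constructed sample input so the example runs offline: the log mirrors the
# warnings shown above, the policy fragment is a made-up "Critical devices" rule.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/init.log" <<'EOF'
### Warning: File system error.
### Filename: /dev/kmem
### Continuing...
### Warning: File system error.
### Filename: /proc/pci
### Continuing...
EOF
    cat > "$dir/twpol.txt" <<'EOF'
(
  rulename = "Critical devices",
  severity = $(SIG_HI)
)
{
  /dev/kmem      -> $(Device) ;
  /dev/mem       -> $(Device) ;
  /proc/pci      -> $(Device) ;
  /proc/ksyms    -> $(Device) ;
}
EOF
    printf '%s\n' "$dir"
}

# Apply the fix to the sample and print the resulting policy.
run_demo() {
    dir=$(make_sample)
    disable_missing_entries "$dir/twpol.txt" "$dir/init.log"
    cat "$dir/twpol.txt"
    rm -rf "$dir"
}

run_demo
```

On a real host, save the init output first (tripwire --init 2>&1 | tee /root/tw-init.log) and call disable_missing_entries /etc/tripwire/twpol.txt /root/tw-init.log; the script only ever adds a leading "# ", so the policy can be reviewed with diff before it is encrypted again.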

Checking for file tampering with tripwire

# tripwire --check
-bash: tirpwire: command not found
[root@localhost ~]# tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/localhost.localdomain-20080224-060950.twr
Open Source Tripwire(R) 2.4.1 Integrity Check Report
Report generated by:          root
Report created on:            2008年02月24日 06時09分50秒
Database last updated on:     Never
===============================================================================
Report Summary:
===============================================================================
Host name:                    localhost.localdomain
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/localhost.localdomain.twd
Command line used:            tripwire --check 
===============================================================================
Rule Summary: 
===============================================================================
-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------
  Rule Name                       Severity Level    Added    Removed  Modified 
  ---------                       --------------    -----    -------  -------- 
  Invariant Directories           66                0        0        0        
  Temporary directories           33                0        0        0        
  Tripwire Data Files             100               0        0        0        
  Critical devices                100               0        0        0        
  User binaries                   66                0        0        0        
  Tripwire Binaries               100               0        0        0        
  Libraries                       66                0        0        0        
  Operating System Utilities      100               0        0        0        
  Critical system boot files      100               0        0        0        
  File System and Disk Administraton Programs
                                  100               0        0        0        
  Kernel Administration Programs  100               0        0        0        
  Networking Programs             100               0        0        0        
  System Administration Programs  100               0        0        0        
  Hardware and Device Control Programs
                                  100               0        0        0        
  System Information Programs     100               0        0        0        
  Application Information Programs
                                  100               0        0        0        
  (/sbin/rtmon)
  Shell Related Programs          100               0        0        0        
  Critical Utility Sym-Links      100               0        0        0        
  Shell Binaries                  100               0        0        0        
  Critical configuration files    100               0        0        0        
  System boot changes             100               0        0        0        
  OS executables and libraries    100               0        0        0        
  Security Control                100               0        0        0        
  Login Scripts                   100               0        0        0        
  Root config files               100               0        0        0        
Total objects scanned:  17649
Total violations found:  0
===============================================================================
Object Summary: 
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
No violations.
===============================================================================
Error Report: 
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
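The report above is only useful if somebody reads it. As an added example (not from the original page), the script below reads the text that tripwire --check prints, reports the rules whose Added/Removed/Modified counts are non-zero, and exits non-zero when "Total violations found" is not 0, so a cron job can alert on the exit status. The sample report is constructed; the table layout (rows ending in severity, added, removed, modified, with long rule names wrapped onto their own line as in the report above) is assumed from the page.

```shell
#!/bin/sh
# Added example, not from the original page: turn the text printed by
# "tripwire --check" into a cron-friendly exit status plus a list of changed rules.
# Assumed layout: a "Rule Summary" table whose rows end in
# "<severity> <added> <removed> <modified>" and a "Total violations found:" line.

# Print the number after "Total violations found:".
violation_count() {
    sed -n 's/^Total violations found: *//p' "$1"
}

# List every rule with a non-zero Added/Removed/Modified count. Rule names that
# the report wraps onto their own line (counts on the next line) are recovered
# from the previous line.
changed_rules() {
    awk '
        /^ *-+ *$/ { next }                      # separator rows
        NF >= 4 && $(NF-3) ~ /^[0-9]+$/ {        # rows ending in 4 numeric columns
            name = (NF == 4) ? prev : $0         # wrapped name lives on prev line
            sub(/[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]*$/, "", name)
            sub(/^[[:space:]]+/, "", name)
            if ($NF + $(NF-1) + $(NF-2) > 0)
                print name ": added=" $(NF-2) " removed=" $(NF-1) " modified=" $NF
        }
        { prev = $0 }
    ' "$1"
}

# Return 0 when the report is clean, 1 when violations were found or the
# report could not be parsed (a missing count must never look like "clean").
check_report() {
    n=$(violation_count "$1")
    case "$n" in
        0) return 0 ;;
        ''|*[!0-9]*) echo "could not parse report: $1" >&2; return 1 ;;
        *) changed_rules "$1"; return 1 ;;
    esac
}

# Constructed sample report (not output from the page's host) with two changes.
make_sample_report() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Rule Summary:
===============================================================================
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Critical devices                100               0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        1
  Critical configuration files    100               1        0        0
Total objects scanned:  17649
Total violations found:  2
EOF
    printf '%s\n' "$f"
}

run_demo() {
    f=$(make_sample_report)
    if check_report "$f"; then
        echo "report clean"
    else
        echo "violations: $(violation_count "$f") (exit status 1)"
    fi
    rm -f "$f"
}

run_demo
```

For a nightly job, capture the text (tripwire --check > /var/log/tripwire-check.txt 2>&1) and run check_report on that file; the .twr files under /var/lib/tripwire/report/ are binary and would need twprint to be turned back into this text form.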


Last-modified: 2008-04-05 (Sat) 00:19:42 (882d)