Tripwire setup

Nid: 1159

1 . Installing Tripwire

$ sudo apt-get install tripwire

The package pulls in an MTA for mailing reports; at the MTA's debconf prompts choose:

mail configuration: 'Internet Site'

mail system name: leave the default

Then set the two Tripwire passphrases. The site key signs the configuration and policy files (which may be shared across hosts); the local key signs this host's database and reports.

Enter site-key passphrase:

Enter local-key passphrase:

~# tripwire --help
tripwire: File integrity assessment application.
...
Usage:

Database Initialization:  tripwire [-m i|--init] [options]
Integrity Checking:  tripwire [-m c|--check] [object1 [object2...]]
Database Update:  tripwire [-m u|--update]
Policy Update:  tripwire [-m p|--update-policy] policyfile.txt
Test:  tripwire [-m t|--test] --email address
~# twadmin --help
twadmin: Tripwire administrative tool.
...
Usage:

Create Configuration File: twadmin [-m F|--create-cfgfile][options] cfgfile.txt
Print Configuration File: twadmin [-m f|--print-cfgfile] [options]
Create Policy File: twadmin [-m P|--create-polfile] [options] polfile.txt
Print Policy File: twadmin [-m p|--print-polfile] [options]
Remove Encryption: twadmin [-m R|--remove-encryption] [options] [file1...]
Encryption: twadmin [-m E|--encrypt] [options] [file1...]
Examine Encryption: twadmin [-m e|--examine] [options] [file1...]
Generate Keys: twadmin [-m G|--generate-keys] [options]
Change Passphrases: twadmin [-m C|--change-passphrases] [options]
~# twprint --help
twprint: Tripwire database and report printer.
...
Usage:

Print Database:  twprint [-m d|--print-dbfile] [options] [object1 [object2...]]
Print Report:  twprint [-m r|--print-report] [options]

2 . Creating the Tripwire configuration file

twcfg.txt

Edit the plaintext configuration. EDITOR is the editor that --update and --interactive open the report in; REPORTLEVEL 4 is the most detailed report level (the upstream default is 3).

~# cd /etc/tripwire
/etc/tripwire# vi twcfg.txt
EDITOR        =/usr/bin/vi
REPORTLEVEL   =4

3 . Signing the Tripwire configuration file

twcfg.txt -> tw.cfg (signed with the site key)

/etc/tripwire# twadmin --create-cfgfile -c tw.cfg -S site.key twcfg.txt 
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg

4 . Creating the Tripwire policy file

twpol.txt

Tune the policy file with a Perl script (twpolmake.pl by Hiroaki Izumi, reproduced below). It sets HOSTNAME to this machine's name and comments out rule lines whose object does not exist here, so that --init does not emit a file-system warning for every path the distribution's template lists but this host lacks; paths that do exist are uncommented.

/etc/tripwire# vi twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#     perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
# What it does: rewrites HOSTNAME to this machine's hostname, comments out
# rule lines whose object is absent (or zero-sized) on this machine, and
# uncomments previously commented lines whose object does exist.
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;          # 1 while inside a { ... } rule block

while (<POL>) {
    chomp;
    # HOSTNAME=...; in the policy header: replace with the real hostname
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    # "[#] /path -> $(MASK) ;" lines inside a rule block
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;     # $ret > 0 if the line was commented out
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            # object missing (or empty): comment the line out unless it already was
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            # object present: emit the line uncommented
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;
/etc/tripwire# cp twpol.txt twpol.txt.org
/etc/tripwire# perl twpolmake.pl twpol.txt.org > twpol.txt
/etc/tripwire# vi twpol.txt

Exclude .viminfo (a stop point, "!", inside the rule block; it changes on every vi session as root)

# These files change the behavior of the root account
(
  rulename = "Root config files",
  severity = 100
)
{
        /root                           -> $(SEC_CRIT) ; # Catch all additions to /root
...
!/root/.viminfo;
}

5 . Signing the Tripwire policy file

twpol.txt -> tw.pol (signed with the site key)

/etc/tripwire# twadmin --create-polfile -c tw.cfg -p tw.pol -S site.key twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol 

6 . Creating the Tripwire database

/etc/tripwire# tripwire --init -c tw.cfg -p tw.pol
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/boot/efi" is on a different file system...ignoring.
The object: "/dev/hugepages" is on a different file system...ignoring.
The object: "/dev/mqueue" is on a different file system...ignoring.
The object: "/dev/pts" is on a different file system...ignoring.
The object: "/dev/shm" is on a different file system...ignoring.
Wrote database file: /var/lib/tripwire/ns9999999.twd
The database was successfully generated.

7 . Tripwire integrity check

/etc/tripwire# cd
~# tripwire --check -c /etc/tripwire/tw.cfg 

To review the changes and update the database in the editor right after the check:

~# tripwire --check --interactive -c /etc/tripwire/tw.cfg 

8 . Viewing Tripwire reports

~# ls -l /var/lib/tripwire/report 
~# twprint --print-report --twrfile /var/lib/tripwire/report/<name>.twr

9 . Updating the Tripwire database

If the changes Tripwire detected are legitimate, update the database from the report.

~# tripwire --update --twrfile /var/lib/tripwire/report/<name>.twr

Example using the most recent report.

$ sudo tripwire --update --twrfile /var/lib/tripwire/report/`ls -1t /var/lib/tripwire/report | head -1`

The editor opens the report with an "[x]" beside each change. Leave the "x" on changes that are legitimate and should not be reported again; delete the "x" on changes that are unauthorized and must be detected again next time (that database entry is then left as it was).

10 . Displaying the Tripwire database

~# twprint --print-dbfile | less
~# /usr/sbin/twprint --print-dbfile /etc/hosts

11 . Tripwire mail test

Send a test mail and confirm it arrives.

~# tripwire --test --email root
Sending a test message to: root

12 . Tripwire cron

The package installs a daily job that runs the check and mails the report. --email-report sends a rule's violations only to the addresses in that rule's emailto attribute in the policy; without emailto attributes nothing is mailed, so pair it with the mail test in step 11.

~# cat /etc/cron.daily/tripwire
#!/bin/sh -e

tripwire=/usr/sbin/tripwire

[ -x $tripwire ] || exit 0

umask 027

$tripwire --check --quiet --email-report
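A non-interactive way to act on the report the cron job above produces, as an added example that is not part of the original page or of the Tripwire distribution: it parses the text that twprint --print-report emits (step 8) and returns an exit status cron or a monitoring agent can act on. The line labels it keys on ("Total violations found:", "Severity Level:", "Added:/Removed:/Modified:" followed by quoted paths) and the embedded sample report are this example's assumptions about the twprint layout, not a capture; tw_latest_report, tw_triage and the other function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive triage of a
# Tripwire report, for use from the daily cron job beside --email-report.
# It reads the text form of a report (what `twprint --print-report` prints).
# The labels it keys on are assumptions about the twprint layout; check them
# against your own version's output before relying on the exit status.

# Newest .twr under the report directory (same ls -t idiom as step 9).
tw_latest_report() {
    ls -1t "${1:-/var/lib/tripwire/report}"/*.twr 2>/dev/null | head -n 1
}

# Number of violations twprint reports in its Rule Summary; 0 if absent.
tw_violations() {
    awk -F': *' '/^Total violations found:/ { n = $2 + 0 } END { print n + 0 }' "$1"
}

# Highest "Severity Level:" among rules that appear in the Object Summary.
tw_max_severity() {
    awk -F': *' '/^Severity Level:/ { if ($2 + 0 > m) m = $2 + 0 } END { print m + 0 }' "$1"
}

# One "<Added|Removed|Modified> <path>" per changed object. A quoted path is
# attributed to the most recent Added:/Removed:/Modified: label; a ruler line
# of dashes or equals signs ends the current list.
tw_changed_objects() {
    awk '
        /^(Added|Removed|Modified):$/ { kind = $1; sub(/:$/, "", kind); next }
        /^-+$|^=+$/                   { kind = ""; next }
        kind != "" && /^"\/.*"$/      { gsub(/"/, ""); print kind, $0 }
    ' "$1"
}

# Exit status for the caller: 0 clean, 1 violations below THRESHOLD,
# 2 violations at or above THRESHOLD (default 100, the severity the
# "Root config files" rule above carries).
tw_triage() {
    tw_report=$1
    tw_threshold=${2:-100}
    tw_n=$(tw_violations "$tw_report")
    [ "$tw_n" -eq 0 ] && return 0
    tw_s=$(tw_max_severity "$tw_report")
    [ "$tw_s" -ge "$tw_threshold" ] && return 2
    return 1
}

# Constructed sample in twprint layout (not a real capture) so the functions
# can be exercised without a Tripwire database.
tw_sample_report() {
cat <<'EOF'
Tripwire(R) 2.4 Integrity Check Report

Report generated by:          root
Database last updated on:     Never

===============================================================================
Rule Summary:
===============================================================================

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Root config files               100               1        0        1
* Other binaries                  66                0        1        0
  Tripwire Binaries               100               0        0        0

Total objects scanned:  12345
Total violations found:  3

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/root/.ssh/authorized_keys"

Modified:
"/root/.bashrc"

-------------------------------------------------------------------------------
Rule Name: Other binaries (/usr/sbin)
Severity Level: 66
-------------------------------------------------------------------------------

Removed:
"/usr/sbin/tcpdump"

*** End of report ***
EOF
}

# Real use from cron, after the check has written a report:
#   tw_txt=$(mktemp) && twprint --print-report --twrfile "$(tw_latest_report)" > "$tw_txt"
#   tw_triage "$tw_txt" 100 || logger -p auth.crit "tripwire: $(tw_changed_objects "$tw_txt" | tr '\n' ' ')"
```

Run against the sample, tw_triage returns 2 (three violations, highest severity 100) and tw_changed_objects lists the added authorized_keys, the modified .bashrc and the removed tcpdump. The point of splitting the functions is that the mail from --email-report is for a human, while the exit status lets a host that fails to phone home, or one whose report crosses the severity threshold, raise an alert without anyone reading mail.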

13 . Removing the unsigned plaintext files

Tripwire reads only the signed tw.cfg and tw.pol; the .txt sources are needed for editing alone. Left on disk they hand anyone who can read them the list of monitored (and, more usefully to an intruder, unmonitored) paths. Move them aside, confirm they can be regenerated from the signed files, then delete them.

Move the files aside

# mv /etc/tripwire/{twpol,twcfg}.txt /tmp
# ls /tmp/{twpol,twcfg}.txt
/tmp/twcfg.txt  /tmp/twpol.txt

Confirm the files can be regenerated from the signed copies (no passphrase is needed: signing does not encrypt them)

# twadmin --print-polfile > /etc/tripwire/twpol.txt 
# twadmin --print-cfgfile > /etc/tripwire/twcfg.txt 
# head /etc/tripwire/twpol.txt /etc/tripwire/twcfg.txt

Delete the files

# rm /etc/tripwire/{twpol,twcfg}.txt /tmp/{twpol,twcfg}.txt
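A check for what step 13 is meant to leave behind, as an added example that is not from the page or from Tripwire. Because signing is not encryption (twadmin --print-polfile needs no passphrase), the signed policy is only as private as its file permissions; this function flags leftover plaintext and any group/other permission bits on the signed files and keys. The permission rule is this example's own policy, not something Tripwire enforces; the function name tw_audit_dir is this example's, and the file names are the ones the page uses.

```shell
#!/bin/sh
# Added example (not from the original page): hygiene check for the Tripwire
# directory after step 13. The mode check is this example's own rule.
#
# Two checks:
#   1. no plaintext twpol.txt / twcfg.txt left behind;
#   2. tw.cfg, tw.pol and the key files carry no group/other permission bits
#      (anyone who can read tw.pol can dump the policy with twadmin -m p).
# Prints one finding per line and returns 1 if anything was found.
tw_audit_dir() {
    tw_dir=${1:-/etc/tripwire}
    tw_findings=0
    for tw_f in "$tw_dir"/twpol.txt "$tw_dir"/twcfg.txt; do
        if [ -e "$tw_f" ]; then
            echo "plaintext left on disk: $tw_f"
            tw_findings=$((tw_findings + 1))
        fi
    done
    for tw_f in "$tw_dir"/tw.cfg "$tw_dir"/tw.pol "$tw_dir"/site.key "$tw_dir"/local.key; do
        [ -e "$tw_f" ] || continue
        # POSIX find: -perm -MODE is true when every bit in MODE is set,
        # so this matches any file readable or writable by group or other.
        if find "$tw_f" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) | grep -q .; then
            echo "group/other access on: $tw_f"
            tw_findings=$((tw_findings + 1))
        fi
    done
    [ "$tw_findings" -eq 0 ]
}

# Usage: tw_audit_dir /etc/tripwire || echo "fix the findings above"
```

A sensible place to call it is the end of the cron job in step 12, so that a stray twpol.txt from a later policy edit (step 14) is noticed the next day rather than at the next audit.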

14 . Changing the Tripwire policy file

Regenerate the plaintext from the signed policy, edit it, then let tripwire sign it and rebuild the database against the new rules (the final twadmin -m p prints the signed policy now in force, to confirm the change took). Update-policy first runs an integrity check against the new policy; in the default high secure mode it aborts if that check finds changes, so resolve them with step 9 first or rerun with --secure-mode low.

~# twadmin --print-polfile > /etc/tripwire/twpol.txt
~# cd /etc/tripwire
/etc/tripwire# vi twpol.txt
/etc/tripwire# tripwire --update-policy -S site.key twpol.txt
/etc/tripwire# twadmin -m p

Delete the plaintext again (only twpol.txt exists at this point; the /tmp copies were removed in step 13)

# rm /etc/tripwire/twpol.txt