你好,游客 登录 注册 搜索
背景:
阅读新闻

如何在 Debian 中配置 Tripewire IDS

[日期:2016-04-03] 来源:Linux中国  作者:Linux [字体: ]

本文是一篇关于 Debian 中安装和配置 tripewire 的文章。它是 Linux 环境下基于主机的入侵检测系统(IDS)。tripwire 的高级功能可以检测并报告任何 Linux 中未授权的(文件和目录)的更改。tripewire 安装之后,会先创建一个基本的数据库,tripewire 监控并检测新文件的创建修改和谁修改了它等等。如果修改是合法的,你可以接受修改并更新 tripwire 的数据库。

 

安装和配置

tripwire 在 Debian VM 中的安装如下。

  1. #apt-get install tripwire

installation

installation

安装中,tripwire 会有下面的配置提示。

 

站点密钥创建

tripwire 需要一个站点口令(site passphrase)来加密 tripwire 的配置文件 tw.cfg 和策略文件 tw.pol。tripewire 使用指定的密码加密两个文件。一个 tripewire 实例必须指定站点口令。

site key1

site key1

 

本地密钥口令

本地口令用来保护 tripwire 数据库和报告文件。本地密钥用于阻止非授权的 tripewire 数据库修改。

local key1

local key1

 

tripwire 配置路径

tripewire 配置存储在 /etc/tripwire/twcfg.txt。它用于生成加密的配置文件 tw.cfg。

configuration file

configuration file

tripwire 策略路径

tripwire 在 /etc/tripwire/twpol.txt 中保存策略文件。它用于生成加密的策略文件 tw.pol。

tripwire policy

tripwire policy

安装完成后如下图所示。

installed tripewire1

installed tripewire1

 

tripwire 配置文件 (twcfg.txt)

tripewire 配置文件(twcfg.txt)细节如下图所示。加密策略文件(tw.pol)、站点密钥(site.key)和本地密钥(hostname-local.key)在后面展示。

  1. ROOT =/usr/sbin
  2. POLFILE =/etc/tripwire/tw.pol
  3. DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
  4. REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
  5. SITEKEYFILE =/etc/tripwire/site.key
  6. LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
  7. EDITOR =/usr/bin/editor
  8. LATEPROMPTING =false
  9. LOOSEDIRECTORYCHECKING =false
  10. MAILNOVIOLATIONS =true
  11. EMAILREPORTLEVEL =3
  12. REPORTLEVEL =3
  13. SYSLOGREPORTING =true
  14. MAILMETHOD =SMTP
  15. SMTPHOST =localhost
  16. SMTPPORT =25
  17. TEMPDIRECTORY =/tmp

 

tripwire 策略配置

在生成基础数据库之前先配置 tripwire 配置。有必要经用一些策略如 /dev、 /proc 、/root/mail 等。详细的 twpol.txt 策略文件如下所示。

  1. @@section GLOBAL
  2. TWBIN =/usr/sbin;
  3. TWETC =/etc/tripwire;
  4. TWVAR =/var/lib/tripwire;
  5. #
  6. #FileSystemDefinitions
  7. #
  8. @@section FS
  9. #
  10. #First, some variables to make configuration easier
  11. #
  12. SEC_CRIT = $(IgnoreNone)-SHa;#Critical files that cannot change
  13. SEC_BIN = $(ReadOnly);#Binaries that should not change
  14. SEC_CONFIG = $(Dynamic);#Config files that are changed
  15. # infrequently but accessed
  16. # often
  17. SEC_LOG = $(Growing);#Files that grow, but that
  18. # should never change ownership
  19. SEC_INVARIANT =+tpug ;#Directories that should never
  20. # change permission or ownership
  21. SIG_LOW =33;#Non-critical files that are of
  22. # minimal security impact
  23. SIG_MED =66;#Non-critical files that are of
  24. # significant security impact
  25. SIG_HI =100;#Critical files that are
  26. # significant points of
  27. # vulnerability
  28. #
  29. # tripwire Binaries
  30. #
  31. (
  32. rulename ="tripwire Binaries",
  33. severity = $(SIG_HI)
  34. )
  35. {
  36. $(TWBIN)/siggen -> $(SEC_BIN);
  37. $(TWBIN)/tripwire -> $(SEC_BIN);
  38. $(TWBIN)/twadmin -> $(SEC_BIN);
  39. $(TWBIN)/twprint -> $(SEC_BIN);
  40. }
  41. {
  42. /boot -> $(SEC_CRIT);
  43. /lib/modules -> $(SEC_CRIT);
  44. }
  45. (
  46. rulename ="Boot Scripts",
  47. severity = $(SIG_HI)
  48. )
  49. {
  50. /etc/init.d -> $(SEC_BIN);
  51. #/etc/rc.boot -> $(SEC_BIN);
  52. /etc/rcS.d -> $(SEC_BIN);
  53. /etc/rc0.d -> $(SEC_BIN);
  54. /etc/rc1.d -> $(SEC_BIN);
  55. /etc/rc2.d -> $(SEC_BIN);
  56. /etc/rc3.d -> $(SEC_BIN);
  57. /etc/rc4.d -> $(SEC_BIN);
  58. /etc/rc5.d -> $(SEC_BIN);
  59. /etc/rc6.d -> $(SEC_BIN);
  60. }
  61. (
  62. rulename ="Root file-system executables",
  63. severity = $(SIG_HI)
  64. )
  65. {
  66. /bin -> $(SEC_BIN);
  67. /sbin -> $(SEC_BIN);
  68. }
  69. #
  70. #CriticalLibraries
  71. #
  72. (
  73. rulename ="Root file-system libraries",
  74. severity = $(SIG_HI)
  75. )
  76. {
  77. /lib -> $(SEC_BIN);
  78. }
  79. #
  80. #LoginandPrivilegeRaisingPrograms
  81. #
  82. (
  83. rulename ="Security Control",
  84. severity = $(SIG_MED)
  85. )
  86. {
  87. /etc/passwd-> $(SEC_CONFIG);
  88. /etc/shadow -> $(SEC_CONFIG);
  89. }
  90. {
  91. #/var/lock -> $(SEC_CONFIG);
  92. #/var/run -> $(SEC_CONFIG);# daemon PIDs
  93. /var/log -> $(SEC_CONFIG);
  94. }
  95. #These files change the behavior of the root account
  96. (
  97. rulename ="Root config files",
  98. severity =100
  99. )
  100. {
  101. /root -> $(SEC_CRIT) ; # Catch all additions to /root
  102. #/root/mail -> $(SEC_CONFIG);
  103. #/root/Mail-> $(SEC_CONFIG);
  104. /root/.xsession-errors -> $(SEC_CONFIG);
  105. #/root/.xauth -> $(SEC_CONFIG);
  106. #/root/.tcshrc -> $(SEC_CONFIG);
  107. #/root/.sawfish -> $(SEC_CONFIG);
  108. #/root/.pinerc -> $(SEC_CONFIG);
  109. #/root/.mc -> $(SEC_CONFIG);
  110. #/root/.gnome_private -> $(SEC_CONFIG);
  111. #/root/.gnome-desktop -> $(SEC_CONFIG);
  112. #/root/.gnome -> $(SEC_CONFIG);
  113. #/root/.esd_auth -> $(SEC_CONFIG);
  114. # /root/.elm -> $(SEC_CONFIG);
  115. #/root/.cshrc -> $(SEC_CONFIG);
  116. #/root/.bashrc -> $(SEC_CONFIG);
  117. #/root/.bash_profile -> $(SEC_CONFIG);
  118. # /root/.bash_logout -> $(SEC_CONFIG);
  119. #/root/.bash_history -> $(SEC_CONFIG);
  120. #/root/.amandahosts -> $(SEC_CONFIG);
  121. #/root/.addressbook.lu -> $(SEC_CONFIG);
  122. #/root/.addressbook -> $(SEC_CONFIG);
  123. #/root/.Xresources-> $(SEC_CONFIG);
  124. #/root/.Xauthority-> $(SEC_CONFIG)-i ;#ChangesInode number on login
  125. /root/.ICEauthority-> $(SEC_CONFIG);
  126. }
  127. #
  128. #Critical devices
  129. #
  130. (
  131. rulename ="Devices & Kernel information",
  132. severity = $(SIG_HI),
  133. )
  134. {
  135. #/dev -> $(Device);
  136. #/proc -> $(Device);
  137. }

 

tripwire 报告

tripwire-check 命令检查 twpol.txt 文件并基于此文件生成 tripwire 报告如下。如果 twpol.txt 中有任何错误,tripwire 不会生成报告。

tripwire report

tripwire report

文本形式报告

  1. root@VMdebian:/home/labadmin# tripwire --check
  2. Parsing policy file:/etc/tripwire/tw.pol
  3. ***ProcessingUnixFileSystem***
  4. Performing integrity check...
  5. Wrote report file:/var/lib/tripwire/report/VMdebian-20151024-122322.twr
  6. OpenSource tripwire(R)2.4.2.2IntegrityCheckReport
  7. Report generated by: root
  8. Report created on:SatOct2412:23:222015
  9. Databaselast updated on:Never
  10. ReportSummary:
  11. =========================================================
  12. Host name:VMdebian
  13. Host IP address:127.0.1.1
  14. Host ID:None
  15. Policyfile used:/etc/tripwire/tw.pol
  16. Configurationfile used:/etc/tripwire/tw.cfg
  17. Databasefile used:/var/lib/tripwire/VMdebian.twd
  18. Command line used: tripwire --check
  19. =========================================================
  20. RuleSummary:
  21. =========================================================
  22. -------------------------------------------------------------------------------
  23. Section:UnixFileSystem
  24. -------------------------------------------------------------------------------
  25. RuleNameSeverityLevelAddedRemovedModified
  26. -------------------------------------------
  27. Other binaries 66000
  28. tripwire Binaries100000
  29. Other libraries 66000
  30. Rootfile-system executables 100000
  31. tripwire DataFiles100000
  32. System boot changes 100000
  33. (/var/log)
  34. Rootfile-system libraries 100000
  35. (/lib)
  36. Critical system boot files 100000
  37. Other configuration files 66000
  38. (/etc)
  39. BootScripts100000
  40. SecurityControl66000
  41. Root config files 100000
  42. InvariantDirectories66000
  43. Total objects scanned:25943
  44. Total violations found:0
  45. =========================ObjectSummary:================================
  46. -------------------------------------------------------------------------------
  47. #Section:UnixFileSystem
  48. -------------------------------------------------------------------------------
  49. No violations.
  50. ===========================ErrorReport:=====================================
  51. NoErrors
  52. -------------------------------------------------------------------------------
  53. ***End of report ***
  54. OpenSource tripwire 2.4Portions copyright 2000 tripwire,Inc. tripwire is a registered
  55. trademark of tripwire,Inc.This software comes with ABSOLUTELY NO WARRANTY;
  56. for details use--version.Thisis free software which may be redistributed
  57. or modified only under certain conditions; see COPYING for details.
  58. All rights reserved.
  59. Integrity check complete.

 

总结

本篇中,我们学习安装配置开源入侵检测软件 tripwire。首先生成基础数据库并通过比较检测出任何改动(文件/文件夹)。然而,tripwire 并不是实时监测的 IDS。


via: http://linoxide.com/security/configure-tripwire-ids-debian/

作者:nido 译者:geekpi 校对:wxy

本文由 LCTT 原创编译,Linux中国 荣誉推出

本文永久更新链接地址http://www.linuxidc.com/Linux/2016-04/129806.htm

linux
相关资讯       Tripewire  IDS配置 
本文评论   查看全部评论 (0)
表情: 表情 姓名: 字数

       

评论声明
  • 尊重网上道德,遵守中华人民共和国的各项有关法律法规
  • 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
  • 本站管理人员有权保留或删除其管辖留言中的任意内容
  • 本站有权在网站内转载或引用您的评论
  • 参与本评论即表明您已经阅读并接受上述条款