ホスト型IDSの導入2010/06/14

yum -y install tripwire

/usr/sbin/tripwire-setup-keyfiles

# 以下のようにパスフレーズを何度か求められるので入力する

cd /etc/tripwire

vi twcfg.txt

# 9行目：'true'指定でディレクトリにファイルが追加・削除された場合、 そのディレクトリの変更は報告されない

true

# 12行目：報告レベル最大に変更

4

# 暗号署名設定ファイル作成

twadmin -m F -c tw.cfg -S site.key twcfg.txt

# ポリシーファイル最適化スクリプトが配布されてるのでそちらを使わせていただく

vi twpolmake.pl

#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#    perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
     chomp;
     if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
          $myhost = `hostname` ; chomp($myhost) ;
          if ($thost ne $myhost) {
               $_="HOSTNAME=\"$myhost\";" ;
          }
     }
     elsif ( /^{/ ) {
          $INRULE=1 ;
     }
     elsif ( /^}/ ) {
          $INRULE=0 ;
     }
     elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
          $ret = ($sharp =~ s/\#//g) ;
          if ($tpath eq '/sbin/e2fsadm' ) {
               $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
          }
          if (! -s $tpath) {
               $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
          }
          else {
               $_ = "$sharp$tpath$cond" ;
          }
     }
     print "$_\n" ;
}
close(POL) ;

perl twpolmake.pl twpol.txt > twpol.txt.new

twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new

tripwire -m i -s -c tw.cfg

tripwire -m c -s -c tw.cfg

root

Wed 16 May 2007 10:17:40 PM JST

Never

www.srv.world

127.0.0.1

None

/usr/local/etc/tw.pol

/usr/local/etc/tw.cfg

/usr/local/lib/tripwire/www.srv.world.twd

tripwire -m c -s -c tw.cfg

Severity Level

Added

Removed

Modified

--------------

-----   

-------   

--------

  0

0

0

0

  0

0

0

2

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

touch hacking

tripwire -m c -s -c /etc/tripwire/tw.cfg

root

Wed 16 May 2007 10:17:40 PM JST

Never

www.srv.world

127.0.0.1

None

/usr/local/etc/tw.pol

/usr/local/etc/tw.cfg

/usr/local/lib/tripwire/www.srv.world.twd

tripwire -m c -s -c tw.cfg

Severity Level

Added

Removed

Modified

--------------

-----   

-------   

--------

  0

0

0

0

  0

0

0

2

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

1

0

0

tripwire -m u -r /var/lib/tripwire/report/www.srv.world-20070517-014755.twr

root

Wed 16 May 2007 10:17:40 PM JST

Never

www.srv.world

127.0.0.1

None

/usr/local/etc/tw.pol

/usr/local/etc/tw.cfg

/usr/local/lib/tripwire/www.srv.world.twd

tripwire -m c -s -c tw.cfg

Severity Level

Added

Removed

Modified

--------------

-----   

-------   

--------

  0

0

0

0

  0

0

0

2

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

0

0

0

  0

1

0

0

# 整合性がとれなかったので[x] がついている

# 整合性がとれなかったので[x] がついている

# 問題なければ保存終了する。すると以下のようにパスフレーズを求められるので入力