ホスト型IDS - Tripwire2011/04/27 |
| [1] | ホスト型IDS(Intrusion Detection System - 侵入検知システム)のTripwireをインストールします。 IDSとは、不正行為を検出するシステムです。ホスト型とは、それをコンピュータに対してしてくれるもので(コンピュータのI/Oパケットを監視)、 それに対してネットワーク型もあります。ネットワーク型ではネットワーク上のパケットを監視します。 |
|
[root@www ~]#
tripwire-setup-keyfiles # 以下のようにパスフレーズを何度か求められるので入力する Enter the site keyfile passphrase: # (1) 任意のパスフレーズを設定
Verify the site keyfile passphrase:
Enter the local keyfile passphrase: # 再入力 # (2) 任意のパスフレーズを設定
Verify the local keyfile passphrase:
# 再入力
Please enter your site passphrase:
# (1)のパスフレーズで応答
Please enter your site passphrase:
[root@www ~]# # 再び(1)のパスフレーズで応答 cd /etc/tripwire
[root@www tripwire]#
vi twcfg.txt # 9行目:'true'指定でディレクトリにファイルが追加・削除された場合、
そのディレクトリの変更は報告されない LOOSEDIRECTORYCHECKING = true
# 12行目:報告レベル最大に変更 REPORTLEVEL = 4
# 暗号署名設定ファイル作成 [root@www tripwire]# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase:
# (1)のパスフレーズ入力 Wrote configuration file: /etc/tripwire/tw.cfg
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;
perl twpolmake.pl twpol.txt > twpol.txt.new [root@www tripwire]# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new Please enter your site passphrase: # パスフレーズ Wrote policy file: /etc/tripwire/tw.pol [root@www tripwire]# tripwire -m i -s -c tw.cfg # データベース作成 Please enter your local passphrase: # パスフレーズ [root@www tripwire]# tripwire -m c -s -c tw.cfg # チェック実行
Open Source Tripwire(R) 2.4.1 Integrity Check Report
Report generated by: root Report created on: Wed 27 Apr 2011 09:47:32 PM JST
Database last updated on:
======================================================Never Report Summary:
======================================================
Host name: www.srv.world Host IP address: 10.0.0.31 Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/www.srv.world.twd
Command line used:
======================================================tripwire -m c -s -c tw.cfg Rule Summary:
======================================================
-------------------------------------------------------Section: Unix File System
-------------------------------------------------------
Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- Invariant Directories 66 0 0 0 Temporary directories 33 0 0 0 Tripwire Data Files 100 0 0 0 Critical devices 100 0 0 0 (/proc/kcore) User binaries 66 0 0 0 Tripwire Binaries 100 0 0 0 Libraries 66 0 0 0 Operating System Utilities 100 0 0 0 File System and Disk Administraton Programs 100 0 0 0 Kernel Administration Programs 100 0 0 0 Networking Programs 100 0 0 0 System Administration Programs 100 0 0 0 Hardware and Device Control Programs 100 0 0 0 System Information Programs 100 0 0 0 Application Information Programs 100 0 0 0 (/sbin/rtmon) Shell Related Programs 100 0 0 0 (/sbin/getkey) Critical Utility Sym-Links 100 0 0 0 Shell Binaries 100 0 0 0 Critical system boot files 100 0 0 0 System boot changes 100 0 0 0 OS executables and libraries 100 0 0 0 Critical configuration files 100 0 0 0 Security Control 100 0 0 0 Login Scripts 100 0 0 0
Root config files
Total objects scanned: 14589100 0 0 0
Total violations found: 0
======================================================Object Summary:
======================================================
-------------------------------------------------------# Section: Unix File System
-------------------------------------------------------
No violations.
======================================================Error Report:
======================================================
No Errors
-------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registeredtrademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. |
| [2] | ファイルを追加してテストしてみます。 |
|
[root@www ~]# touch test.txt [root@www ~]# tripwire -m c -s -c /etc/tripwire/tw.cfg
Open Source Tripwire(R) 2.4.1 Integrity Check Report
Report generated by: root Report created on: Wed 27 Apr 2011 09:47:32 PM JST
Database last updated on:
======================================================Never Report Summary:
======================================================
Host name: www.srv.world Host IP address: 10.0.0.31 Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/www.srv.world.twd
Command line used:
======================================================tripwire -m c -s -c tw.cfg Rule Summary:
======================================================
-------------------------------------------------------Section: Unix File System
-------------------------------------------------------
Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- Invariant Directories 66 0 0 0 Temporary directories 33 0 0 0 Tripwire Data Files 100 0 0 0 Critical devices 100 0 0 0 (/proc/kcore) User binaries 66 0 0 0 Tripwire Binaries 100 0 0 0 Libraries 66 0 0 0 Operating System Utilities 100 0 0 0 File System and Disk Administraton Programs 100 0 0 0 Kernel Administration Programs 100 0 0 0 Networking Programs 100 0 0 0 System Administration Programs 100 0 0 0 Hardware and Device Control Programs 100 0 0 0 System Information Programs 100 0 0 0 Application Information Programs 100 0 0 0 (/sbin/rtmon) Shell Related Programs 100 0 0 0 (/sbin/getkey) Critical Utility Sym-Links 100 0 0 0 Shell Binaries 100 0 0 0 Critical system boot files 100 0 0 0 System boot changes 100 0 0 0 OS executables and libraries 100 0 0 0 Critical configuration files 100 0 0 0 Security Control 100 0 0 0 Login Scripts 100 0 0 0
* Root config files
Total objects scanned: 14590100 1 0 0
Total violations found: 1
======================================================Object Summary:
======================================================
-------------------------------------------------------# Section: Unix File System
-------------------------------------------------------
-------------------------------------------------------Rule Name: Root config files (/root) Severity Level: 100
-------------------------------------------------------
Added:
"/root/test.txt"
======================================================# 検出された Error Report:
======================================================
No Errors
-------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registeredtrademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details.
All rights reserved.
# 検出されたファイルが問題なければ次回から検出しないようデータベースをアップデートしておく
[root@www ~]#
tripwire -m u -r /var/lib/tripwire/report/www.srv.world-20110427-170215.twr # 内容を確認したら保存して終了 # パスフレーズ Wrote database file: /var/lib/tripwire/www.srv.world.twd |