Tripwire 完整性分析工具(Linux系统)
环境:centos7
工作流程:
- 当前的系统数据状态建立数据库
- 定期比较系统现状与数据库中的状态
- 属性改变有详细报告
- 分析报告发现入侵
1、安装相关软件包
[root@hello ~]# yum install epel-release -y
已加载插件:fastestmirror
Repository base is listed more than once in the configuration
base | 3.6 kB 00:00:00
epel | 4.7 kB 00:00:00
extras | 2.9 kB 00:00:00[root@hello ~]# yum install tripwire -y
已加载插件:fastestmirror
Repository base is listed more than once in the configuration
Loading mirror speeds from cached hostfile
正在解决依赖关系
--> 正在检查事务
---> 软件包 tripwire.x86_64.0.2.4.3.7-1.el7 将被 安装
--> 解决依赖关系完成生成密钥(123456)
[root@hello ~]# tripwire-setup-keyfiles----------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.Passphrases should be at least 8 characters in length and contain both
letters and numbers.See the Tripwire manual for more information.----------------------------------------------
Creating key files...
2、初始化数据库
[root@hello ~]# tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### 没有那个文件或目录
- 就地解决报错
[root@hello ~]# sh -c "tripwire --check | grep Filename > cat no-directory.txt
"
#将报错中不存在的目录和文件加到no-directory.txt中### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### 没有那个文件或目录
[root@hello ~]# vim tripwire.sh#写个脚本
for f in $(grep "Filename:" no-directory.txt | cut -f2 -d:); do
sed -i "s|\($f\) |#\\1|g" /etc/tripwire/twpol.txt
done[root@hello ~]# twadmin -m P /etc/tripwire/twpol.txt#重新签署配置
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol[root@hello ~]# tripwire --init#重新初始化
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
3、测试:更改/etc/passwd文件(添加了以下k)
4、发现异常
[root@hello ~]# tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...Wrote report file: /var/lib/tripwire/report/hello-20210518-114057.twrOpen Source Tripwire(R) 2.4.3.7 Integrity Check ReportReport generated by: root
Report created on: 2021年05月18日 星期二 11时40分57秒
Database last updated on: Never===============================================================================
Report Summary:
===============================================================================Host name: hello
Host IP address: 10.0.0.134
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/hello.twd
Command line used: tripwire --check===============================================================================
Rule Summary:
===============================================================================-------------------------------------------------------------------------------Section: Unix File System
-------------------------------------------------------------------------------Rule Name Severity Level Added Removed Modified--------- -------------- ----- ------- --------User binaries 66 0 0 0Tripwire Binaries 100 0 0 0Libraries 66 0 0 0Operating System Utilities 100 0 0 0File System and Disk Administraton Programs100 0 0 0Kernel Administration Programs 100 0 0 0Networking Programs 100 0 0 0System Administration Programs 100 0 0 0Hardware and Device Control Programs100 0 0 0System Information Programs 100 0 0 0Application Information Programs100 0 0 0(/sbin/rtmon)Critical Utility Sym-Links 100 0 0 0Shell Binaries 100 0 0 0Critical system boot files 100 0 0 0Tripwire Data Files 100 0 0 0System boot changes 100 0 0 0OS executables and libraries 100 0 0 0
* Critical configuration files 100 0 0 1Security Control 100 0 0 0Login Scripts 100 0 0 0
* Root config files 100 0 0 2Invariant Directories 66 0 0 0Temporary directories 33 0 0 0Critical devices 100 0 0 0Total objects scanned: 17245
Total violations found: 3===============================================================================
Object Summary:
===============================================================================-------------------------------------------------------------------------------
# Section: Unix File System
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc/passwd)
Severity Level: 100
-------------------------------------------------------------------------------Modified:
"/etc/passwd"-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------Modified:
"/root"
"/root/.viminfo"===============================================================================
Error Report:
===============================================================================No Errors-------------------------------------------------------------------------------
*** End of report ***Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registe red
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
[root@hello ~]#
本文来自互联网用户投稿,文章观点仅代表作者本人,不代表本站立场,不承担相关法律责任。如若转载,请注明出处。 如若内容造成侵权/违法违规/事实不符,请点击【内容举报】进行投诉反馈!