Tripwire

Tripwire is quite a good program for detecting changes in files and directories, provided we do not need central reporting. It comes in an open-source version and a commercial one (more extensive).


Installation

On CentOS it is available from the EPEL repositories. Installation is done with the standard yum command:

[root@vps121453 ~]# yum install tripwire

Configuration

Right after installation it is worth generating the local and site key files with the command

tripwire-setup-keyfiles

Tripwire creates two keys, the site key and the local key. The site key protects the program's configuration file and its policy file. The local key protects the database files.

[root@vps121453 tripwire]# /usr/sbin/tripwire-setup-keyfiles

----------------------------------------------
The Tripwire site and local passphrases are used to sign a  variety  of
files, such as the configuration, policy, and database files.

Passphrases should be at least 8 characters in length and contain  both
letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Incorrect site passphrase.
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Signing configuration file...
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection.  It  is  recommended  that  you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.


----------------------------------------------
Signing policy file...
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for  your  inspection.  This  implements  a  minimal
policy, intended only to test  essential  Tripwire  functionality.  You
should edit the policy file to  describe  your  system,  and  then  use
twadmin to generate a new signed copy of the Tripwire policy.

Once you have a satisfactory Tripwire policy file, you should move  the
clear-text version to a secure location  and/or  encrypt  it  in  place
(using a tool such as GPG, for example).

Now run "tripwire --init" to enter Database Initialization  Mode.  This
reads the policy file, generates a database based on its contents,  and
then cryptographically signs the resulting  database.  Options  can  be
entered on the command line to specify which policy, configuration, and
key files are used  to  create  the  database.  The  filename  for  the
database can be specified as well. If no  options  are  specified,  the
default values from the current configuration file are used.

Database initialization

The next step is to initialize the database:

tripwire --init

Modifying the policy

Edit the policy file:

vi /etc/tripwire/twpol.txt

Update the binary policy file:

tripwire --update-policy --secure-mode low /etc/tripwire/twpo

Checking the database

tripwire --check

Displaying the program report

Reports are saved in the directory /var/lib/tripwire/report/

twprint -m r --twrfile nazwa-pliku.twr

Update

tripwire --update

Update policy

tripwire --update-policy

Email test

tripwire --test --email user@example.com
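The check and report steps above are usually run unattended from cron, where only the exit status is visible. The following wrapper is an added example (not from the original page or the Tripwire project): it decodes the `tripwire --check` exit status, which per tripwire(8) is 0 for a clean run and otherwise a bitmask (1 = files added, 2 = files removed, 4 = files changed), locates the newest report in the default report directory, and prints it with `twprint -m r`. The report directory path and the `--run` flag are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of the original page: cron-friendly wrapper
# around `tripwire --check`. REPORT_DIR is the CentOS/EPEL package default.
REPORT_DIR=/var/lib/tripwire/report

# Translate the --check exit status (bitmask per tripwire(8)) into words.
# Prints "clean" for 0, e.g. "added changed" for 5, "error" for anything
# outside the documented 0-7 range (assumed to be an execution failure).
decode_tripwire_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "clean"; return 0
    fi
    if [ "$status" -gt 7 ]; then
        echo "error"; return 1
    fi
    kinds=""
    [ $((status & 1)) -ne 0 ] && kinds="${kinds}added "
    [ $((status & 2)) -ne 0 ] && kinds="${kinds}removed "
    [ $((status & 4)) -ne 0 ] && kinds="${kinds}changed "
    echo "${kinds% }"
}

# Newest .twr file in a report directory: the one the check just wrote.
latest_report() {
    ls -t "$1"/*.twr 2>/dev/null | head -n 1
}

# Run the integrity check; on violations print the signed report in clear
# text so it can be mailed or shipped to a log collector, then propagate
# the original exit status so cron/monitoring sees the failure.
run_check() {
    tripwire --check >/dev/null 2>&1
    rc=$?
    kinds=$(decode_tripwire_status "$rc")
    report=$(latest_report "$REPORT_DIR")
    echo "tripwire check: $kinds (exit $rc) report=${report:-none}"
    if [ "$rc" -ne 0 ] && [ -n "$report" ]; then
        twprint -m r --twrfile "$report"
    fi
    return "$rc"
}

# Assumed entry point: invoke as `./tripwire-check.sh --run` from cron.
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```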

More: https://ostechnix.wordpress.com/2013/05/10/install-tripwire-intrusion-detection-system-on-centos-6-4-rhel-6-4-scientific-linux-6-4/
