クラッカーによるLinuxサーバーのファイルの改竄を検知するシステムを導入する。
ここでは、ファイル改竄検知システムにホスト型IDS(IDS=Intrusion Detection System)のTripwireを導入する。
目次 |
[root@host3 ~]# yum install -y perl ← 必要なのでインストール [root@host3 ~]# yum --enablerepo=epel -y install tripwire ← EPELからインストール ・ ・ ・ Complete! [root@host3 ~]# tripwire-setup-keyfiles # 以下のようにパスフレーズを何度か求められるので入力する Enter the site keyfile passphrase: ← 任意のサイトパスフレーズ応答 Verify the site keyfile passphrase: ← 任意のサイトパスフレーズ応答(確認) Enter the local keyfile passphrase: ← 任意のローカルパスフレーズ応答 Verify the local keyfile passphrase: ← 任意のローカルパスフレーズ応答(確認) Please enter your site passphrase: ← サイトパスフレーズ応答 Please enter your site passphrase: ← サイトパスフレーズ応答
[root@host3 ~]# vi /etc/tripwire/twcfg.txt ← Tripwire設定ファイル編集 LOOSEDIRECTORYCHECKING =true ← ファイル変更時に所属ディレクトリの変更を通知しないようにする REPORTLEVEL =4 ← リポートレベルを変更する [root@host3 ~]# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt ← Tripwire設定ファイル(暗号署名版)作成 Please enter your site passphrase: ← サイトパスフレーズ応答 Wrote configuration file: /etc/tripwire/tw.cfg [root@host3 ~]# rm -f /etc/tripwire/twcfg.txt ← Tripwire設定ファイル(テキスト版)削除 ※Tripwire設定ファイル(テキスト版)を復元する場合 [root@host3 ~]# twadmin -m f -c /etc/tripwire/tw.cfg > /etc/tripwire/twcfg.txt
ポリシーファイル最適化スクリプトが配布されてるので使わせていただきます。
[root@host3 ~]# vi /etc/tripwire/twpolmake.pl ← ポリシーファイル最適化スクリプト作成
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;
[root@host3 ~]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new
← ポリシーファイル最適化
[root@hostt3 ~]# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwiretwpol.txt.new
← 最適化済ポリシーファイルを元にポリシーファイル(暗号署名版)作成
Please enter your site passphrase: ← サイトパスフレーズ応答
Wrote policy file: /etc/tripwire/tw.pol
[root@host3 ~]# rm -f /etc/tripwire/twpol.txt* ← ポリシーファイル(テキスト版)削除
※ポリシーファイル(テキスト版)を復元する場合
[root@host3 ~]# twadmin -m p -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key > /etc/tripwire/twpol.txt
[root@host3 ~]# tripwire -m i -s -c /etc/tripwire/tw.cfg ← Tripwireデータベース作成 Please enter your local passphrase: ← ローカルパスフレーズ応答
[root@host3 ~]# tripwire -m c -s -c /etc/tripwire/tw.cfg
Open Source Tripwire(R) 2.4.1 Integrity Check Report
Report generated by: root
Report created on: 2011年06月19日 08時56分55秒
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: host3.sudachi.jp
Host IP address: Unknown IP
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/host3.sudachi.jp.twd
Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
* Tripwire Data Files 100 1 0 0
Critical devices 100 0 0 0
(/proc/kcore)
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Libraries 66 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
(/sbin/rtmon)
Shell Related Programs 100 0 0 0
(/sbin/getkey)
Operating System Utilities 100 0 0 0
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
Critical system boot files 100 0 0 0
System boot changes 100 0 0 0
OS executables and libraries 100 0 0 0
Critical configuration files 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
Root config files 100 0 0 0
Total objects scanned: 9972
Total violations found: 1
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/var/lib/tripwire/host3.sudachi.jp.twd"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.