Install "Tripwire" to detect tampering with files.
Installing "Tripwire"
No RPM is provided for CentOS, so install it from source.
[root@CentOS ~]# mkdir /usr/local/src/tripwire <= create a working directory
[root@CentOS ~]# chmod 777 /usr/local/src/tripwire <= change the permissions of the working directory
[root@CentOS ~]# exit <= become a regular user
[kaz@CentOS ~]$ cd /usr/local/src/tripwire <= move to the working directory
[kaz@CentOS tripwire]$ wget http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.4.1.2-src.tar.bz2
<= download the "Tripwire" source
[kaz@CentOS tripwire]$ tar xjf tripwire-2.4.1.2-src.tar.bz2 <= extract the downloaded file
[kaz@CentOS tripwire]$ cd tripwire-2.4.1.2-src <= move into the extracted directory
[kaz@CentOS tripwire-2.4.1.2-src]$ ./configure --prefix=/usr/local/tripwire \
--sysconfdir=/etc/tripwire \
path_to_sendmail=/usr/sbin/sendmail 2>&1 | tee configure.log <= configure (2>&1 goes before the pipe so that error output also lands in the log)
[kaz@CentOS tripwire-2.4.1.2-src]$ make 2>&1 | tee make.log <= compile
[kaz@CentOS tripwire-2.4.1.2-src]$ su <= become the superuser
Password: <= enter the password
[root@CentOS tripwire-2.4.1.2-src]# make install 2>&1 | tee make-install.log <= install
Press ENTER to view the License Agreement <= press Enter
The license is displayed; page through it with the Space key
Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept
Using configuration file ./install/install.cfg
Checking for programs specified in install configuration file....
/usr/sbin/sendmail -oi -t exists. Continuing installation.
/bin/vi exists. Continuing installation.
----------------------------------------------
Verifying existence of binaries...
./bin/siggen found
./bin/tripwire found
./bin/twprint found
./bin/twadmin found
This program will copy Tripwire files to the following directories:
TWBIN: /usr/local/tripwire/sbin
TWMAN: /usr/local/tripwire/man
TWPOLICY: /etc/tripwire
TWREPORT: /usr/local/tripwire/lib/tripwire/report
TWDB: /usr/local/tripwire/lib/tripwire
TWSITEKEYDIR: /etc/tripwire
TWLOCALKEYDIR: /etc/tripwire
CLOBBER is false.
Continue with installation? [y/n] y
----------------------------------------------
Creating directories...
/usr/local/tripwire/sbin: already exists
/etc/tripwire: created
/usr/local/tripwire/lib/tripwire/report: created
/usr/local/tripwire/lib/tripwire: already exists
/etc/tripwire: already exists
/etc/tripwire: already exists
/usr/local/tripwire/man: created
/usr/local/tripwire/doc/tripwire: created
----------------------------------------------
Copying files...
/usr/local/tripwire/doc/tripwire/COPYING: copied
/usr/local/tripwire/doc/tripwire/TRADEMARK: copied
/usr/local/tripwire/doc/tripwire/policyguide.txt: copied
/etc/tripwire/twpol-Linux.txt: copied
----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.
Passphrases should be at least 8 characters in length
and contain both letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: <= enter the site passphrase
Verify the site keyfile passphrase: <= enter the site passphrase again (confirmation)
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: <= enter the local passphrase
Verify the local keyfile passphrase: <= enter the local passphrase again (confirmation)
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Generating Tripwire configuration file...
----------------------------------------------
Creating signed configuration file...
Please enter your site passphrase: <= enter the site passphrase
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended
that you delete this file manually after you have examined it.
----------------------------------------------
Customizing default policy file...
----------------------------------------------
Creating signed policy file...
Please enter your site passphrase: <= enter the site passphrase
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements
a minimal policy, intended only to test essential
Tripwire functionality. You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.
----------------------------------------------
The installation succeeded.
Please refer to
for release information and to the printed user documentation
for further instructions on using Tripwire 2.4 Open Source.
Edit the text version of the configuration file.
[root@CentOS ~]# vi /etc/tripwire/twcfg.txt <= edit the configuration file
REPORTFILE =/usr/local/tripwire/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
↓
REPORTFILE =/usr/local/tripwire/lib/tripwire/report/$(HOSTNAME).twr <= change the report file name
LOOSEDIRECTORYCHECKING =false
↓
LOOSEDIRECTORYCHECKING =true <= when a file change is detected, do not also report the directory it belongs to as changed
MAILNOVIOLATIONS =true
↓
MAILNOVIOLATIONS =false <= send mail only when a file change is detected
EMAILREPORTLEVEL =3
↓
EMAILREPORTLEVEL =4 <= change the report level of the file check results
REPORTLEVEL =3
↓
REPORTLEVEL =4 <= change the report level of the file check results
Signing the configuration file
[root@CentOS ~]# /usr/local/tripwire/sbin/twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt <= create the signed configuration file (text version => signed version)
Please enter your site passphrase: <= enter the site passphrase
Wrote configuration file: /etc/tripwire/tw.cfg
[root@CentOS ~]# rm -f /etc/tripwire/twcfg.txt <= delete the text version of the configuration file
・To regenerate the configuration file (text version) from the signed file:
[root@CentOS ~]# /usr/local/tripwire/sbin/twadmin --print-cfgfile > /etc/tripwire/twcfg.txt
Creating the policy file
In the default policy file, checks for files that do not exist are enabled,
while checks for files that do exist are disabled.
So we create the policy file using the
Perl script written by Hiroaki Izumi (和泉宏明).
[root@CentOS ~]# wget http://www.aritia.org/hizumi/linux/tripwire_pol.pl.txt <= fetch the script file
[root@CentOS ~]# mv tripwire_pol.pl.txt /etc/tripwire/tripwire_pol.pl <= move the script file
[root@CentOS ~]# chmod 700 /etc/tripwire/tripwire_pol.pl <= make the script file executable
[root@CentOS ~]# cat /etc/tripwire/tripwire_pol.pl <= look at the Perl script
#!/usr/bin/perl
# Tripwire Policy File customize tool for Redhat 8.0
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl tripwire_pol.pl {Pol file}
# --------------------------------------------------------
#
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {
    chomp;
    # Rewrite the HOSTNAME variable so it matches this machine
    if (($thost) = /^HOSTNAME\s*=\s*(.+)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=$myhost;" ;
        }
    }
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    # Inside a rule block: "path -> property mask;" lines, possibly commented out
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;   # strip an existing '#'; $ret is true if one was removed
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -e $tpath) {
            # Path does not exist: comment the line out (unless it already was)
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            # Path exists: emit the line with the check enabled
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;
[root@CentOS ~]# /etc/tripwire/tripwire_pol.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.tmp
<= create the policy file based on the default policy file
[root@CentOS ~]# rm -f /etc/tripwire/twpol.txt <= delete the default policy file
[root@CentOS ~]# mv /etc/tripwire/twpol.txt.tmp /etc/tripwire/twpol.txt
<= rename the generated policy file to the default policy file name
Signing the policy file
[root@CentOS ~]# /usr/local/tripwire/sbin/twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt <= create the signed policy file (text version => signed version)
Please enter your site passphrase: <= enter the site passphrase
Wrote policy file: /etc/tripwire/tw.pol
[root@CentOS ~]# rm -f /etc/tripwire/twpol.txt <= delete the policy file (text version)
・To regenerate the policy file (text version) from the signed file:
[root@CentOS ~]# /usr/local/tripwire/sbin/twadmin --print-polfile > /etc/tripwire/twpol.txt
Create the database from the policy file.
[root@CentOS ~]# LANG=C /usr/local/tripwire/sbin/tripwire --init <= create the database
Please enter your local passphrase: <= enter the local passphrase
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/CentOS.crimson-snow.net.twd
The database was successfully generated.
[root@CentOS ~]# LANG=C /usr/local/tripwire/sbin/tripwire --check <= run the file change check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/CentOS.crimson-snow.net.twr

Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            Mon Sep 29 23:25:18 2008
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    CentOS.crimson-snow.net
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/CentOS.crimson-snow.net.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Tripwire Data Files             0                 1        0        0 <= one addition detected under Tripwire Data Files
  Monitor Filesystems             0                 0        0        0
  User Binaries and Libraries     0                 0        0        0
  Tripwire Binaries               0                 0        0        0
  OS Binaries and Libraries       0                 0        0        0
  Temporary Directories           0                 0        0        0
  Global Configuration Files      0                 0        0        0
  System Boot Changes             0                 0        0        0
  RPM Checksum Files              0                 0        0        0
  OS Boot Files and Mount Points  0                 0        0        0
  OS Devices and Misc Directories 0                 0        0        0
  Root Directory and Files        0                 0        0        0

Total objects scanned:  73808
Total violations found:  1

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/usr/local/tripwire/lib/tripwire)
Severity Level: 0
-------------------------------------------------------------------------------

Added:
"/usr/local/tripwire/lib/tripwire/CentOS.crimson-snow.net.twd" <= the addition of /usr/local/tripwire/lib/tripwire/CentOS.crimson-snow.net.twd was detected (this is Tripwire's own database, so no problem)

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
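As an added example (not part of the original page or of Tripwire itself), the following Python parser reads the report layout shown above, pulls out the per-rule counts and the Object Summary entries, and returns only the findings that are not on a list of known-benign paths, such as the database file that appears under "Tripwire Data Files" right after --init. The sample report is constructed and abridged, the modified /bin/ls entry is invented, and the regexes assume the column layout of the report above.

```python
import re

# Constructed, abridged report in the layout of the tripwire --check output
# above; the "OS Binaries and Libraries" row and the /bin/ls object are
# invented so the sample contains one finding besides the harmless .twd addition.
SAMPLE_REPORT = """\
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Tripwire Data Files             0                 1        0        0
  Monitor Filesystems             0                 0        0        0
* OS Binaries and Libraries       100               0        0        1

Total violations found:  2

Rule Name: Tripwire Data Files (/usr/local/tripwire/lib/tripwire)
Severity Level: 0
-------------------------------------------------------------------------------
Added:
"/usr/local/tripwire/lib/tripwire/CentOS.crimson-snow.net.twd"
-------------------------------------------------------------------------------
Rule Name: OS Binaries and Libraries (/bin)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin/ls"
"""

RULE_ROW = re.compile(r'^(\*?)\s*(\S.*?)\s{2,}(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$')
RULE_HDR = re.compile(r'^Rule Name: (.+?) \(')
KIND_HDR = re.compile(r'^(Added|Removed|Modified):$')
OBJ_LINE = re.compile(r'^"(.+)"$')

def parse_report(text):
    """Return (summary, objects): rule -> (severity, added, removed, modified), and (rule, kind, path) list."""
    summary, objects, rule, kind = {}, [], None, None
    for line in text.splitlines():
        if m := RULE_ROW.match(line):                      # Rule Summary table row
            summary[m.group(2)] = tuple(int(m.group(i)) for i in range(3, 7))
        elif m := RULE_HDR.match(line):                    # Object Summary: new rule block
            rule, kind = m.group(1), None
        elif m := KIND_HDR.match(line):                    # "Added:" / "Removed:" / "Modified:"
            kind = m.group(1)
        elif (m := OBJ_LINE.match(line)) and rule and kind:  # quoted object path
            objects.append((rule, kind, m.group(1)))
    return summary, objects

def unexpected_changes(text, expected_paths):
    """Findings worth alerting on: everything except paths known to be benign (e.g. the .twd database)."""
    return [o for o in parse_report(text)[1] if o[2] not in expected_paths]
```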
Create a script that runs "Tripwire" and register it in cron so it runs automatically.
[root@CentOS ~]# vi tripwire.sh <= create the script
#!/bin/sh
# Settings
export LANG=C   # exported so that tripwire/twadmin inherit it, as with "LANG=C ... --init" above
TRIPWIRE=/usr/local/tripwire/sbin/tripwire
TWADMIN=/usr/local/tripwire/sbin/twadmin
TWPRINT=/usr/local/tripwire/sbin/twprint
TRIPWIRE_POL=/etc/tripwire/tripwire_pol.pl
SITEKEY=/etc/tripwire/site.key
TWPOL_TXT=/etc/tripwire/twpol.txt
TWPOL_TMP=/etc/tripwire/twpol.txt.tmp
TWCFG=/etc/tripwire/tw.cfg
LOG=/var/log/tripwire.log
# Both passphrases are stored here in clear text, so this file must stay readable by root only (chmod 700 below)
LOCALPASS=ローカルパスフレーズ <= replace with the local passphrase
SITEPASS=サイトパスフレーズ <= replace with the site passphrase
# Run Tripwire
$TRIPWIRE --check > $LOG
# Print the Tripwire check report (stdout is mailed by cron)
$TWPRINT --print-report -c $TWCFG -t 4
# Refresh the policy file
$TWADMIN --print-polfile > $TWPOL_TXT
$TRIPWIRE_POL $TWPOL_TXT > $TWPOL_TMP
$TWADMIN --create-polfile -S $SITEKEY -Q $SITEPASS $TWPOL_TMP >> $LOG
rm -f $TWPOL_TXT
rm -f $TWPOL_TMP
# Refresh the database
rm -f /usr/local/tripwire/lib/tripwire/*twd*
$TRIPWIRE --init -P $LOCALPASS >> $LOG
[root@CentOS ~]# chmod 700 /root/tripwire.sh <= make the created script executable
Running the script automatically
[root@CentOS ~]# crontab -e <= edit cron
00 06 * * * /root/tripwire.sh <= add this line (run the script every day at 6:00)