• Tripwire – IDS dedykowany kontroli plików

    dodany przez Przemysław Sikora

    Bezpieczeństwo powinno być dla każdego administratora priorytetem. Oczywiście stabilność i szybkość też się liczą. Co jednak z wydajności, jak mamy dziurawy serwera lub aplikację. Omówię instalację narzędzia typu IDS, które jest dedykowane kontroli plików, a dokładniej ich modyfikacjom. Często zdarza się, że złośliwy kod dopisuje się do początku lub końca pliku np. strony www i powoduje niepożądane działania. Omawiana wersja jest darmowa. Istnieje jeszcze “odmiana” Enterprise o poszerzonych możliwościach.
    Przystępujemy do instalacji.

    yum install tripwire

    Tworzymy dwa klucze niezbędne do działania omawianego narzędzia

    tripwire-setup-keyfiles

    ----------------------------------------------
    The Tripwire site and local passphrases are used to sign a variety of
    files, such as the configuration, policy, and database files.

    Passphrases should be at least 8 characters in length and contain both
    letters and numbers.

    See the Tripwire manual for more information.

    ----------------------------------------------
    Creating key files...

    (When selecting a passphrase, keep in mind that good passphrases typically
    have upper and lower case letters, digits and punctuation marks, and are
    at least 8 characters in length.)

    Enter the site keyfile passphrase:
    Verify the site keyfile passphrase:
    Generating key (this may take several minutes)...Key generation complete.

    (When selecting a passphrase, keep in mind that good passphrases typically
    have upper and lower case letters, digits and punctuation marks, and are
    at least 8 characters in length.)

    Enter the local keyfile passphrase:
    Verify the local keyfile passphrase:
    Generating key (this may take several minutes)...Key generation complete.

    ----------------------------------------------
    Signing configuration file...
    Please enter your site passphrase:
    Wrote configuration file: /etc/tripwire/tw.cfg

    A clear-text version of the Tripwire configuration file:
    /etc/tripwire/twcfg.txt
    has been preserved for your inspection. It is recommended that you
    move this file to a secure location and/or encrypt it in place (using a
    tool such as GPG, for example) after you have examined it.

    ----------------------------------------------
    Signing policy file...
    Please enter your site passphrase:
    Wrote policy file: /etc/tripwire/tw.pol

    A clear-text version of the Tripwire policy file:
    /etc/tripwire/twpol.txt
    has been preserved for your inspection. This implements a minimal
    policy, intended only to test essential Tripwire functionality. You
    should edit the policy file to describe your system, and then use
    twadmin to generate a new signed copy of the Tripwire policy.

    Once you have a satisfactory Tripwire policy file, you should move the
    clear-text version to a secure location and/or encrypt it in place
    (using a tool such as GPG, for example).

    Now run "tripwire --init" to enter Database Initialization Mode. This
    reads the policy file, generates a database based on its contents, and
    then cryptographically signs the resulting database. Options can be
    entered on the command line to specify which policy, configuration, and
    key files are used to create the database. The filename for the
    database can be specified as well. If no options are specified, the
    default values from the current configuration file are used.

    tripwire --init

    Please enter your local passphrase:
    Parsing policy file: /etc/tripwire/tw.pol
    Generating the database...
    *** Processing Unix File System ***
    ### Warning: File system error.
    ### Filename: /usr/sbin/fixrmtab
    ### Nie ma takiego pliku ani katalogu
    ### Continuing...
    .
    .
    .
    .
    .
    Wrote database file: /var/lib/tripwire/nasz-serwer.pl.twd
    The database was successfully generated.

    Konfiguracja

    sh -c 'tripwire --check | grep Filename > test_results'

    Wygenerowane zostaną pliki pomijane przez tripwire.

    vim /etc/tripwire/twpol.txt

    Edycja polityki

    twadmin -m P /etc/tripwire/twpol.txt

    Ponowne utworzenie polityki
    Please enter your site passphrase:
    Wrote policy file: /etc/tripwire/tw.pol

    tripwire --init

    Reinicjalizacja bazy danych po zmianie polityki.

    tripwire --check

    Raporty tworzone są w “/var/lib/tripwire/report/”. Aby je odczytać wydajemy polecenie:

    twprint --print-report --twrfile /var/lib/tripwire/report/nazw-pliku-raportu

Dodaj komentarz

Warto odwiedzić
Valid XHTML 1.0 Transitional centos.com.pl- mapa strony