Tamper detection with Tripwire
I. Installation
1. Preparation (the CentOS 7 yum repositories do not carry tripwire)
wget https://mirrors.ustc.edu.cn/epel/7/x86_64/Packages/e/epel-release-7-14.noarch.rpm
rpm -ivh epel-release-7-14.noarch.rpm
yum -y install tripwire
Alternative method:
cd /etc/yum.repos.d/
mv CentOS-Base.repo CentOS-Base.repo.bak
wget http://mirrors.aliyun.com/repo/Centos-7.repo
mv Centos-7.repo CentOS-Base.repo
yum clean all
yum makecache
yum install tripwire --enablerepo=epel
2. Installation
yum -y install tripwire
3. Set up the keys
tripwire-setup-keyfiles
This creates a site key and a local key.
Site key: signs and encrypts the configuration and policy files (it can be shared with other machines).
Local key: signs and encrypts the local database and reports.
The keys are stored under /etc/tripwire.
4. Configuration files
After installation there are two configuration files in /etc/tripwire:
twcfg.txt: software configuration
twpol.txt: policy configuration
twcfg.txt looks like this:
[root@node-251 tripwire_test]# cat /etc/tripwire/twcfg.txt
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =true
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =4
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
twpol.txt looks like this (a rule is a block of attributes in parentheses followed by a block of object entries in braces):
# Rule for Security Control
(
  rulename = "Security Control",   # rule name
  severity = $(SIG_HI)             # severity level
)
{
  /etc/group    -> $(SEC_CRIT) ;   # which object to monitor, and which properties to check
  /etc/security -> $(SEC_CRIT) ;
}
The monitoring parameters are defined as follows:
@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability

The values used in these parameters are explained as follows. A number of variables are predefined by Tripwire and may not be changed. These variables represent different ways that files can change, and can be used on the right side of rules to design a policy file quickly.

ReadOnly
ReadOnly is good for files that are widely available but are intended to be read-only.
Value: +pinugtsdbmCM-rlacSH

Dynamic
Dynamic is good for monitoring user directories and files that tend to be dynamic in behavior.
Value: +pinugtd-srlbamcCMSH

Growing
The Growing variable is intended for files that should only get larger.
Value: +pinugtdl-srbamcCMSH

Device
Device is good for devices or other files that Tripwire should not attempt to open.
Value: +pugsdr-intlbamcCMSH

IgnoreAll
IgnoreAll tracks a file's presence or absence, but doesn't check any other properties.
Value: -pinugtsdrlbamcCMSH

IgnoreNone
IgnoreNone turns on all properties and provides a convenient starting point for defining your own property masks. (For example, mymask = $(IgnoreNone) -ar;)
Value: +pinugtsdrbamcCMSH-l
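As an added illustration (not part of the original post), the following Python script resolves a property-mask expression such as SEC_CRIT's $(IgnoreNone)-SHa into the concrete set of file properties Tripwire will compare, using the predefined masks quoted above; the meaning of each property letter is taken from the twpolicy(4) manual page.

```python
import re

# Property letters and their meaning, as documented in twpolicy(4).
PROPERTIES = {
    "p": "permissions", "i": "inode number", "n": "link count",
    "u": "owner uid", "g": "group gid", "t": "file type", "s": "size",
    "d": "device number of the disk", "r": "device number (device files)",
    "b": "blocks allocated", "a": "access time", "m": "modification time",
    "c": "inode change time", "l": "file is expected to grow",
    "C": "CRC-32", "M": "MD5", "S": "SHA", "H": "HAVAL",
}

# Predefined Tripwire variables, with the values quoted in the post.
PREDEFINED = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}


def resolve_mask(expr, variables=PREDEFINED):
    """Expand $(VAR) references, then apply the +/- groups left to right.
    Returns the set of property letters that end up enabled, i.e. the
    properties Tripwire will compare against its database for that object."""
    expanded = re.sub(r"\$\((\w+)\)", lambda m: variables[m.group(1)], expr)
    enabled, sign = set(), "+"
    for ch in expanded.replace(" ", ""):
        if ch in "+-":
            sign = ch                      # a sign persists until the next one
        elif ch in PROPERTIES:
            (enabled.add if sign == "+" else enabled.discard)(ch)
        else:
            raise ValueError(f"unknown property letter {ch!r} in {expr!r}")
    return enabled


def describe(expr):
    """Human-readable list of what a mask expression checks."""
    return sorted(PROPERTIES[p] for p in resolve_mask(expr))


if __name__ == "__main__":
    for name, mask in [("SEC_CRIT", "$(IgnoreNone)-SHa"), ("SEC_BIN", "$(ReadOnly)"),
                       ("SEC_LOG", "$(Growing)"), ("SEC_INVARIANT", "+tpug")]:
        print(f"{name:14}{mask:22}-> {''.join(sorted(resolve_mask(mask)))}")
```

Running it shows that SEC_CRIT as defined above still compares CRC-32 and MD5 but drops SHA and HAVAL, and that Growing never compares size at all, only the "may grow" flag.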
II. Usage
1. Initialization
tripwire --init
The first init run usually reports errors, because some files referenced in the policy do not exist on this machine, so we need to run a script.
sh -c "tripwire --check | grep Filename > no-directory.txt"
This collects the paths that produced errors into the txt file; then run a script to comment them out of the policy.
touch init.sh
vim init.sh
Write the following content:
#!/bin/bash
# For every "Filename: /path" line collected above, prefix the matching
# policy entry in twpol.txt with "#" so Tripwire stops looking for it.
for f in $(grep "Filename:" no-directory.txt | cut -f2 -d:); do
    sed -i "s|\($f\) |#\\1|g" /etc/tripwire/twpol.txt
done
Run the script:
bash init.sh
After handling the erroring paths, the policy file must be re-encrypted (signed):
twadmin -m P /etc/tripwire/twpol.txt
Then initialize the database again. This is essentially taking a snapshot of the local files.
tripwire --init
2. Test
tripwire --check
3. Monitored items
Just add the configuration to twpol.txt; the following is an example:
# Rule for Security Control
(
  rulename = "Security Control",   # rule name
  severity = $(SIG_HI)             # severity level
)
{
  /etc/group    -> $(SEC_CRIT) ;   # which object to monitor, and which properties to check
  /etc/security -> $(SEC_CRIT) ;
}

tripwire --test --email
Add the following example to the policy in twpol.txt:
# Ruleset for lnmp
(
  rulename = "lnmp Data",
  severity = $(SIG_HI),
  emailto =
)
{
  /mnt/www -> $(SEC_CRIT);
}
Re-encrypt the policy file and initialize the database:
twadmin -m P /etc/tripwire/twpol.txt
tripwire --init
Check the system and send the email report:
tripwire --check --email-report
Once the test succeeds, set up a cron job:
cd ~/
crontab -e -u root
0 0 * * * tripwire --check --email-report
Restart the cron service:
systemctl restart crond
If the above does not work, an alternative is to use a shell script file:
touch check.sh
vim check.sh
#!/bin/bash
export PATH="/usr/sbin:$PATH"
tripwire --check --email-report
crontab -e
0 0 * * * bash /root/check.sh
This runs every day at 12 o'clock (midnight); a field value of */2 means "every 2" of that field's unit.
systemctl restart crond
III. Common commands
Initialize the database:
tripwire --init
Run a check:
tripwire --check
Encrypt (sign) the policy file:
twadmin -m P /etc/tripwire/twpol.txt
Update the database:
tripwire --update
Check the system and send the email report:
tripwire --check --email-report
Test whether email delivery works:
tripwire --test --email
View a report:
twprint -m r --twrfile xxx
To reprint, please keep the source: https://51itzy.com/kjqy/36422.html