Building a data integrity monitoring system (Tripwire)
2009-03-18 01:52
When a server is attacked, in most cases the intruder modifies important files such as system files. To deal with this we build a data integrity monitoring system with Tripwire. It cannot stop an attack or the modification of important files, but it can detect whether files have been modified and which ones, so that after an attack the response can be planned with a clear picture of what changed.
Tripwire works as follows: once it has been installed and configured, it records the current state of the system's files in a database. As files are added, deleted and modified, the current state of the system is compared against the (regularly updated) database to determine which files were added, deleted or modified. Because the initial database is built only after Tripwire itself has been installed and configured, the integrity monitoring system must be set up before the server goes live, that is, right after the operating system is installed.
The work has two parts: installing and configuring Tripwire, then testing it and putting it to work. The steps are listed here; the command session for each follows further down.

Installation and configuration

First, install Tripwire.

[1] Edit the configuration file.
Note: to recover the text form of the Tripwire configuration file, run "twadmin --print-cfgfile > /etc/tripwire/twcfg.txt".

[2] Configure the policy file.
Tripwire's database is built from the policy file. The default policy file does not set up integrity monitoring rules that match our needs, so a short Perl script is used to make the monitoring fit what we actually need.

[3] Build the database.

Testing and putting Tripwire to work

[1] Create the Tripwire run script.
Note: Tripwire's check reports are stored, encrypted, under /usr/local/lib/tripwire/report. Log messages go to /var/log/messages.

[2] Test the run script.

[3] View the check reports on the server.

[4] Have the check script run automatically every day.
A script placed in /etc/cron.daily is run automatically at 04:02 every day, so the state of the system files is watched continuously through integrity monitoring. If files have been added, modified or deleted, a mail is sent to root and forwarded automatically to the forwarding address configured during the initial environment setup.
Installing Tripwire

```
[root@sample ~]# wget http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.3.1-2.tar.gz  ← download the source
--02:21:30--  http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.3.1-2.tar.gz
           => `tripwire-2.3.1-2.tar.gz'
Resolving jaist.dl.sourceforge.net... 150.65.7.130
Connecting to jaist.dl.sourceforge.net|150.65.7.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,514,955 (1.4M) [application/x-gzip]

100%[====================================>] 1,514,955    1.29M/s

02:21:32 (1.28 MB/s) - `tripwire-2.3.1-2.tar.gz' saved [1514955/1514955]

[root@sample ~]# tar zxvf tripwire-2.3.1-2.tar.gz  ← unpack the archive
[root@sample ~]# cd tripwire-2.3.1-2  ← enter the unpacked directory
[root@sample tripwire-2.3.1-2]# wget http://distfiles-od.opendarwin.org/tw-20030919.patch.gz  ← download the Tripwire patch
--02:28:43--  http://distfiles-od.opendarwin.org/tw-20030919.patch.gz
           => `tw-20030919.patch.gz'
Resolving distfiles-od.opendarwin.org... 216.73.106.93
Connecting to distfiles-od.opendarwin.org|216.73.106.93|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 786,411 (768K) [application/x-gzip]

100%[====================================>] 786,411      164.35K/s    ETA 00:00

02:28:50 (154.51 KB/s) - `tw-20030919.patch.gz' saved [786411/786411]

[root@sample tripwire-2.3.1-2]# gunzip tw-20030919.patch.gz  ← decompress the patch
[root@sample tripwire-2.3.1-2]# patch -p1 < tw-20030919.patch  ← apply the patch
[root@sample tripwire-2.3.1-2]# chmod 755 configure  ← make the configure script executable
[root@sample tripwire-2.3.1-2]# ./configure --sysconfdir=/etc/tripwire  ← run configure
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
checking for a BSD compatible install... /usr/bin/install -c
...
(intermediate output omitted)
...
config.status: creating src/twprint/Makefile
config.status: creating src/twadmin/Makefile
config.status: creating src/siggen/Makefile
config.status: creating src/tripwire/Makefile
config.status: creating config.h
[root@sample tripwire-2.3.1-2]# make  ← compile
cd . && /bin/sh /root/tripwire-2.3.1-2/missing --run autoheader
configure.in:9: warning: do not use m4_patsubst: use patsubst or m4_bpatsubst
aclocal.m4:546: AM_CONFIG_HEADER is expanded from...
configure.in:9: the top level
configure.in:401: warning: do not use m4_regexp: use regexp or m4_bregexp
aclocal.m4:559: _AM_DIRNAME is expanded from...
configure.in:401: the top level
cd . \
  && CONFIG_FILES= CONFIG_HEADERS=config.h \
     /bin/sh ./config.status
...
(intermediate output omitted; this step takes a while)
...
make[2]: Leaving directory `/root/tripwire-2.3.1-2/src'
make[2]: Entering directory `/root/tripwire-2.3.1-2'
make[2]: Nothing to be done for `all-am'.
make[2]: Leaving directory `/root/tripwire-2.3.1-2'
make[1]: Leaving directory `/root/tripwire-2.3.1-2'
[root@sample tripwire-2.3.1-2]# make install  ← install
Making install in man
make[1]: Entering directory `/root/tripwire-2.3.1-2/man'
Making install in man4
make[2]: Entering directory `/root/tripwire-2.3.1-2/man/man4'
make[3]: Entering directory `/root/tripwire-2.3.1-2/man/man4'
make[3]: Nothing to be done for `install-exec-am'.
/bin/sh ../../mkinstalldirs /usr/local/man/man4
mkdir /usr/local/man
...
(intermediate output omitted)
...
Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc. Tripwire (R) is a
registered trademark of the Purdue Research Foundation and is licensed
exclusively to Tripwire (R) Security Systems, Inc.

LICENSE AGREEMENT for Tripwire(R) 2.3 Open Source

Please read the following license agreement. You must accept the
agreement to continue installing Tripwire.

Press ENTER to view the License Agreement.  ← press Enter to read the agreement
...
(page through the agreement with the space bar)
...
Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept  ← type "accept" to agree

Using configuration file ./install/install.cfg

Checking for programs specified in install configuration file....

/usr/sbin/sendmail exists.  Continuing installation.
/bin/vi exists.  Continuing installation.

----------------------------------------------
Verifying existence of binaries...

./bin/siggen found
./bin/tripwire found
./bin/twprint found
./bin/twadmin found

This program will copy Tripwire files to the following directories:

        TWBIN: /usr/local/sbin
        TWMAN: /usr/local/man
     TWPOLICY: /etc/tripwire
     TWREPORT: /usr/local/lib/tripwire/report
         TWDB: /usr/local/lib/tripwire
 TWSITEKEYDIR: /etc/tripwire
TWLOCALKEYDIR: /etc/tripwire

CLOBBER is false.

Continue with installation? [y/n] y  ← type y to continue

----------------------------------------------
Creating directories...

/usr/local/sbin: already exists
/etc/tripwire: created
/usr/local/lib/tripwire/report: created
/usr/local/lib/tripwire: already exists
/etc/tripwire: already exists
/etc/tripwire: already exists
/usr/local/man: already exists
/usr/local/doc/tripwire: created

----------------------------------------------
Copying files...

/usr/local/doc/tripwire/README: copied
/usr/local/doc/tripwire/Release_Notes: copied
/usr/local/doc/tripwire/COPYING: copied
/usr/local/doc/tripwire/TRADEMARK: copied
/usr/local/doc/tripwire/policyguide.txt: copied
/etc/tripwire/twpol-Linux.txt: copied

----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases should be at least 8 characters in length
and contain both letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:  ← enter the site keyfile passphrase (not echoed) and remember it
Verify the site keyfile passphrase:  ← enter the site keyfile passphrase again
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:  ← enter the local keyfile passphrase (not echoed) and remember it
Verify the local keyfile passphrase:  ← enter the local keyfile passphrase again
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Generating Tripwire configuration file...

----------------------------------------------
Creating signed configuration file...
Please enter your site passphrase:  ← enter the site keyfile passphrase (not echoed)
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file
/etc/tripwire/twcfg.txt
has been preserved for your inspection.  It is recommended
that you delete this file manually after you have examined it.

----------------------------------------------
Customizing default policy file...

----------------------------------------------
Creating signed policy file...
Please enter your site passphrase:  ← enter the site keyfile passphrase (not echoed)
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file
/etc/tripwire/twpol.txt
has been preserved for your inspection.  This implements
a minimal policy, intended only to test essential
Tripwire functionality.  You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.

----------------------------------------------
The installation succeeded.

Please refer to /usr/local/doc/tripwire/Release_Notes
for release information and to the printed user documentation
for further instructions on using Tripwire 2.3 Open Source.

make[3]: Leaving directory `/root/tripwire-2.3.1-2'
make[2]: Leaving directory `/root/tripwire-2.3.1-2'
make[1]: Leaving directory `/root/tripwire-2.3.1-2'
[root@sample tripwire-2.3.1-2]# cd  ← back to root's home directory
[root@sample ~]# rm -rf tripwire-2.3.1-2 tripwire-2.3.1-2.tar.gz  ← remove the sources used for the install
```
[1] Editing the configuration file

```
[root@sample ~]# vi /etc/tripwire/twcfg.txt  ← edit the text form of the Tripwire configuration file
LOOSEDIRECTORYCHECKING =false  ← find this line and change false to true (do not check the containing directory's integrity separately)
  ↓
LOOSEDIRECTORYCHECKING =true  ← after the change

REPORTLEVEL =3  ← find this line and change 3 to 4 (raise the detail level of the check reports)
  ↓
REPORTLEVEL =4  ← after the change

[root@sample ~]# twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt  ← build the signed (encrypted) configuration file from the text file
Please enter your site passphrase:  ← enter the site keyfile passphrase (not echoed)
Wrote configuration file: /etc/tripwire/tw.cfg
[root@sample ~]# rm -f /etc/tripwire/twcfg.txt  ← delete the plaintext configuration file so it is not left lying around
```
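The two edits above can be scripted instead of done by hand in vi, which matters once the same build is repeated on several servers. The following is an added example and not code from the original post: a small POSIX shell helper that sets a `KEY =value` line in a twcfg.txt-style file (replacing the line if the key is present, appending it otherwise) and reads a value back. The sample file it works on is a constructed excerpt modelled on what the installer writes; the helper names `twcfg_set`, `twcfg_get` and `write_sample_twcfg` are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original post: idempotent edits to a
# twcfg.txt-style "KEY =value" file, so the LOOSEDIRECTORYCHECKING and
# REPORTLEVEL changes can be applied from a provisioning script.

# twcfg_set FILE KEY VALUE : replace the "KEY =..." line in place, or append it.
# VALUE must not contain '|' or '&' (they are special to the sed replacement).
twcfg_set() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}[[:space:]]*=" "$file"; then
        # sed -i is not POSIX: write to a temp file and move it into place
        tmp=$(mktemp) || return 1
        sed "s|^${key}[[:space:]]*=.*|${key} =${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s =%s\n' "$key" "$value" >> "$file"
    fi
}

# twcfg_get FILE KEY : print the value of KEY (empty if the key is absent)
twcfg_get() {
    sed -n "s|^${2}[[:space:]]*=[[:space:]]*\(.*\)[[:space:]]*$|\1|p" "$1" | head -n 1
}

# write_sample_twcfg : constructed excerpt of an installer-generated twcfg.txt
# with the two default values this post changes. Prints the temp file's path.
write_sample_twcfg() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
ROOT          =/usr/local/sbin
POLFILE       =/etc/tripwire/tw.pol
DBFILE        =/usr/local/lib/tripwire/$(HOSTNAME).twd
REPORTFILE    =/usr/local/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE   =/etc/tripwire/site.key
LOCALKEYFILE  =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR        =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL   =3
MAILMETHOD    =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM   =/usr/sbin/sendmail -oi -t
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: apply the post's two changes to the sample and show them.
demo=$(write_sample_twcfg)
twcfg_set "$demo" LOOSEDIRECTORYCHECKING true
twcfg_set "$demo" REPORTLEVEL 4
grep -E '^(LOOSEDIRECTORYCHECKING|REPORTLEVEL|EMAILREPORTLEVEL)' "$demo"
rm -f "$demo"
```

The key match is anchored at the start of the line, so setting REPORTLEVEL leaves EMAILREPORTLEVEL alone; the temp-file-and-move step also leaves the edited file with mktemp's owner-only mode, which is what a file that is about to be signed and deleted should have anyway. On a real host the edit is followed by the same twadmin --create-cfgfile and rm shown above.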
[2] Configuring the policy file

Create the Perl script that adapts the default policy file to this host, then build the signed policy from its output:

```
[root@sample ~]# vi /etc/tripwire/twpolmake.pl  ← create the Perl script used to build the policy file
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#        perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    # Make the HOSTNAME variable in the policy match this machine's hostname
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    # Track whether we are inside a rule block "{ ... }"
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    # Inside a rule: a line of the form "[#] /path -> property mask ;"
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;   # 1 if the line was commented out, 0 otherwise
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            # Path does not exist on this host: comment the rule out
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            # Path exists: make sure the rule is active
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;

[root@sample ~]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.out  ← build the policy file
[root@sample ~]# rm -f /etc/tripwire/twpol.txt  ← delete the default policy file
[root@sample ~]# mv /etc/tripwire/twpol.txt.out /etc/tripwire/twpol.txt  ← give the new policy file the default policy file's name
[root@sample ~]# vi /etc/tripwire/twpol.txt  ← edit the policy file
  $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;  ← find this line (around line 113) and add the next line after it
  !$(TWDB)/$(HOSTNAME).twd ;  ← add this line (exclude the database itself from checking)
[root@sample ~]# twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt  ← build the signed (encrypted) policy file from the text file
Please enter your site passphrase:  ← enter the site keyfile passphrase (not echoed)
Wrote policy file: /etc/tripwire/tw.pol
[root@sample ~]# rm -f /etc/tripwire/twcfg.txt  ← delete the plaintext configuration file so it is not left lying around
```

The final rm removes the plaintext configuration file again. The plaintext policy file /etc/tripwire/twpol.txt can be removed in the same way once tw.pol has been written: the run script used later regenerates it from the signed copy with twadmin --print-polfile whenever the policy is rebuilt.
[3] Building the database

```
[root@sample ~]# tripwire --init  ← build the database
Please enter your local passphrase:  ← enter the local keyfile passphrase (not echoed)
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /usr/local/lib/tripwire/sample.centospub.com.twd
The database was successfully generated.
```
Testing and putting Tripwire to work

[1] Creating the Tripwire run script

```
[root@sample ~]# vi tripwire-check  ← create the Tripwire run script
#!/bin/bash

PATH=/usr/local/sbin:/usr/bin:/bin

SITEPASS=********   # Site Key Passphrase   ← replace the asterisks with the site keyfile passphrase
LOCALPASS=********  # Local Key Passphrase  ← replace the asterisks with the local keyfile passphrase
REPORTFILE=/usr/local/lib/tripwire/report/`hostname`-`date +%Y%m%d`.twr

# Run the Tripwire
tripwire --check -r "$REPORTFILE" | logger -t tripwire

# Mail the Tripwire Report to root
cd /etc/tripwire
REPORTPRINT=`mktemp`
twprint -m r -c tw.cfg -r "$REPORTFILE" -L `hostname`-local.key -t 4 > $REPORTPRINT
if [ -z "$(grep 'Total violations found: 0' $REPORTPRINT)" ]; then
    cat $REPORTPRINT | mail -s "Tripwire(R) Integrity Check Report in `hostname`" root
fi
rm -f $REPORTPRINT

# Update the Policy File
cd /etc/tripwire
twadmin --print-polfile > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.out
twadmin --create-polfile -S site.key -Q $SITEPASS twpol.txt.out | logger -t tripwire
rm -f twpol.*

# Update the Database
rm -f /usr/local/lib/tripwire/`hostname`.twd
tripwire --init -P $LOCALPASS | logger -t tripwire

[root@sample ~]# chmod 700 tripwire-check  ← make the run script executable (owner only)
```

The script holds both passphrases in clear text, which is why it is given mode 700 and must stay owned by root: anyone who can read it can re-sign the policy and rebuild the database, and anyone who can write it runs code as root once it is in cron.daily.
[2] Testing the run script

```
[root@sample ~]# ./tripwire-check  ← run the script once
```

Because the run script itself was just added, this already counts as a change to the system, so a mail is sent to root; check root's mailbox to confirm that the check report arrived.

```
[root@sample ~]# ./tripwire-check  ← run the script a second time
```

Between two consecutive runs it is unlikely that any file changed, so confirm that no mail is sent to root this time.
[3] Viewing the check reports on the server

```
[root@sample ~]# ls -l /usr/local/lib/tripwire/report/  ← list the directory holding the check reports
total 32
-rw-r--r--  1 root root 8222 Aug 23 05:46 sample.centospub.com-20060823.twr  ← say we want to read this report
-rw-r--r--  1 root root 8230 Aug 23 05:46 sample.centospub.com-20060823.twr.bak
[root@sample ~]# cd /etc/tripwire  ← go to the Tripwire configuration directory
[root@sample tripwire]# twprint -m r -c tw.cfg -r "/usr/local/lib/tripwire/report/sample.centospub.com-20060823.twr" -L sample.centospub.com-local.key -t 4 > tripwire-report  ← write the decrypted report to a file named tripwire-report
[root@sample tripwire]# cat tripwire-report  ← read the report
Note: Report is not encrypted.
Tripwire(R) 2.3.0 Integrity Check Report

Report generated by:          root
Report created on:            Wed 23 Aug 2006 05:45:01 AM CST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    sample.centospub.com
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /usr/local/lib/tripwire/sample.centospub.com.twd
Command line used:            tripwire --check -r /usr/local/lib/tripwire/report/sample.centospub.com-20060823.twr

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Invariant Directories           66                0        0        0
  Tripwire Data Files             100               0        0        0
  Temporary directories           33                0        0        0
  Critical devices                100               0        0        0
  (/proc/kcore)
  Tripwire Binaries               100               0        0        0
  Libraries                       66                0        0        0
  User binaries                   66                0        0        0
  Critical system boot files      100               0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        0
  Kernel Administration Programs  100               0        0        0
  Networking Programs             100               0        0        0
  System Administration Programs  100               0        0        0
  Hardware and Device Control Programs
                                  100               0        0        0
  System Information Programs     100               0        0        0
  Application Information Programs
                                  100               0        0        0
  (/sbin/rtmon)
  Shell Related Programs          100               0        0        0
  Operating System Utilities      100               0        0        0
  Critical Utility Sym-Links      100               0        0        0
  Shell Binaries                  100               0        0        0
  OS executables and libraries    100               0        0        0
  System boot changes             100               0        0        0
  Critical configuration files    100               0        0        0
  Security Control                100               0        0        0
  Login Scripts                   100               0        0        0
* Root config files               100               0        0        1

Total objects scanned:  17363
Total violations found:  1

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/root/tripwire-check"

===============================================================================
Object Detail:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------

Modified object name:  /root/tripwire-check

  Property:            Expected                    Observed
  -------------        -----------                 -----------
  Object Type          Regular File                Regular File
  Device Number        64768                       64768
  File Device Number   0                           0
  Inode Number         351317                      351317
  Mode                 -rwx------                  -rwx------
  Num Links            1                           1
  UID                  root (0)                    root (0)
  GID                  root (0)                    root (0)
* Size                 953                         951
* Modify Time          Wed 23 Aug 2006 05:21:26 AM CST
                                                   Wed 23 Aug 2006 05:43:10 AM CST
* Change Time          Wed 23 Aug 2006 05:21:26 AM CST
                                                   Wed 23 Aug 2006 05:43:10 AM CST
  Blocks               16                          16
* CRC32                Ay0oV9                      BDzM8Y
* MD5                  BoeMoWfjEKCSLOJCs/E7mj      ABQN3hl5wF0PyTcXugPE5U

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
[root@sample tripwire]# rm -f tripwire-report  ← delete the decrypted report
```

The one violation in this report is the run script itself: its size and timestamps changed between the database build and the check because the file was edited in between, and the CRC32 and MD5 lines show the content changed, which is exactly what the test run was expected to flag.
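The run script above decides whether to mail root by grepping the decrypted report for "Total violations found: 0", and the report just shown is what it greps. The following is an added example, not code from the original post, that reads the same report text more carefully: it extracts the violation count and lists every added, removed or modified object from the Object Summary together with the rule that caught it, which is what a responder wants in a ticket or a log line rather than the whole report. The sample report it parses is constructed, modelled on the one above with one extra added file so both states are exercised; the function names `report_total_violations`, `report_changed_objects`, `report_change_count` and `write_sample_report` are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original post: pull the numbers and object
# names out of a decrypted Tripwire report (the text "twprint -m r ... -t 4"
# prints), so a caller can do more than grep for "Total violations found: 0".

# report_total_violations FILE : print the violation count (empty if absent).
# Tolerates any amount of whitespace after the colon.
report_total_violations() {
    sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# report_changed_objects FILE : one line per object in the Object Summary, as
# "<Added|Removed|Modified><TAB><path><TAB><rule name>".  Only the Object
# Summary section is read; the Object Detail section repeats the same names.
report_changed_objects() {
    awk '
        /^Object Summary:/  { insec = 1; next }
        /^Object Detail:/   { insec = 0 }
        !insec              { next }
        /^ *Rule Name:/     { rule = $0; sub(/^ *Rule Name: */, "", rule) }
        /^ *(Added|Removed|Modified):/ { state = $1; sub(/:$/, "", state) }
        {
            # object names are double-quoted; handle one on the label line
            # as well as one on the following line
            while (match($0, /"[^"]+"/)) {
                printf "%s\t%s\t%s\n", state, substr($0, RSTART + 1, RLENGTH - 2), rule
                $0 = substr($0, RSTART + RLENGTH)
            }
        }' "$1"
}

# report_change_count FILE : number of objects listed by report_changed_objects
report_change_count() {
    report_changed_objects "$1" | awk 'END { print NR }'
}

# write_sample_report : constructed report modelled on the one in this post,
# trimmed to the sections the functions read. Prints the temp file's path.
write_sample_report() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Note: Report is not encrypted.
Tripwire(R) 2.3.0 Integrity Check Report

Report generated by:          root
Report created on:            Wed 23 Aug 2006 05:45:01 AM CST

===============================================================================
Rule Summary:
===============================================================================
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Root config files               100               1        0        1

Total objects scanned:  17363
Total violations found:  2

===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/root/.ssh/authorized_keys"

Modified:
"/root/tripwire-check"

===============================================================================
Object Detail:
===============================================================================
Modified object name:  /root/tripwire-check
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: summarise the constructed report.
demo=$(write_sample_report)
echo "violations: $(report_total_violations "$demo")"
report_changed_objects "$demo"
rm -f "$demo"
```

In the run script the `grep 'Total violations found: 0'` test could be replaced by `[ "$(report_total_violations "$REPORTPRINT")" != 0 ]`, and the tab-separated object list is what to pass to `logger -t tripwire` so that the syslog record names the changed files rather than only the fact that a check ran.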
[4] Running the check script automatically every day

```
[root@sample tripwire]# cd  ← back to root's home directory, where the run script is
[root@sample ~]# mv tripwire-check /etc/cron.daily/  ← move the script into the directory of jobs run every day
```
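Everything in /etc/cron.daily runs as root, and this script also carries the site and local passphrases, so it is worth checking the file before moving it there rather than after the first 04:02 run. The following is an added example, not code from the original post: a POSIX shell check that the script is a root-owned regular file with mode 700 (or tighter) and a name run-parts will pick up. The owner to expect is a parameter so the check can be exercised as an unprivileged user; the function name `check_cron_daily_script` is this example's own.

```sh
#!/bin/sh
# Added example, not part of the original post: sanity-check a script before
# moving it into /etc/cron.daily.  Everything there runs as root, and this
# particular script contains passphrases, so it must be a root-owned regular
# file that only root can read, write or execute, with a name that run-parts
# actually executes.

# check_cron_daily_script PATH [OWNER] : return 0 if safe, 1 with a reason on
# stderr otherwise.  OWNER defaults to root.
check_cron_daily_script() {
    path=$1; want_owner=${2:-root}
    name=${path##*/}

    [ -f "$path" ] || { echo "$path: not a regular file" >&2; return 1; }

    # Debian's run-parts only runs names made of [A-Za-z0-9_-]; the CentOS
    # version is more lenient but still skips names such as *.rpmsave or *~.
    # Sticking to the strict set (so no "tripwire-check.sh") works everywhere.
    case $name in
        *[!A-Za-z0-9_-]*)
            echo "$path: name '$name' would be skipped by run-parts" >&2; return 1 ;;
    esac

    # "ls -ld" prints "-rwx------ 1 owner group ..." on both GNU and BSD systems;
    # only the mode string and the owner field are used here.
    set -- $(ls -ld "$path")
    perm=$1; owner=$3

    [ "$owner" = "$want_owner" ] || {
        echo "$path: owned by $owner, expected $want_owner" >&2; return 1; }

    # User bits must include execute; group and other bits must all be off
    # (mode 700 or tighter).  A trailing '+', '@' or '.' marks ACLs, extended
    # attributes or an SELinux context and does not change the basic bits.
    case $perm in
        -??x------|-??x------?) return 0 ;;
    esac
    echo "$path: mode is $perm, expected -rwx------ (chmod 700)" >&2
    return 1
}

# Usage: check_cron_daily_script /root/tripwire-check  (before the mv above),
# or run this file with one or more paths as arguments.
for p in "$@"; do
    check_cron_daily_script "$p" && echo "$p: ok"
done
```

A file that passes this check can be moved into /etc/cron.daily with the mv shown above; one that fails the mode test is the case worth catching, because a group- or world-writable file in that directory lets whoever can write it run commands as root at the next daily run.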