如何在 Debian 中配置 Tripewire IDS

共计 6458 个字符，预计需要花费 17 分钟才能阅读完成。

本文是一篇关于 Debian 中安装和配置 tripewire 的文章。它是 Linux 环境下基于主机的入侵检测系统（IDS）。tripwire 的高级功能可以检测并报告任何 Linux 中未授权的（文件和目录）的更改。tripewire 安装之后，会先创建一个基本的数据库，tripewire 监控并检测新文件的创建修改和谁修改了它等等。如果修改是合法的，你可以接受修改并更新 tripwire 的数据库。

安装和配置

tripwire 在 Debian VM 中的安装如下。

1. #apt-get install tripwire

installation

安装中，tripwire 会有下面的配置提示。

站点密钥创建

tripwire 需要一个站点口令（site passphrase）来加密 tripwire 的配置文件 tw.cfg 和策略文件 tw.pol。tripewire 使用指定的密码加密两个文件。一个 tripewire 实例必须指定站点口令。

site key1

本地密钥口令

本地口令用来保护 tripwire 数据库和报告文件。本地密钥用于阻止非授权的 tripewire 数据库修改。

local key1

tripwire 配置路径

tripewire 配置存储在 /etc/tripwire/twcfg.txt。它用于生成加密的配置文件 tw.cfg。

configuration file

tripwire 策略路径

tripwire 在 /etc/tripwire/twpol.txt 中保存策略文件。它用于生成加密的策略文件 tw.pol。

tripwire policy

安装完成后如下图所示。

installed tripewire1

tripwire 配置文件 (twcfg.txt)

tripewire 配置文件（twcfg.txt）细节如下图所示。加密策略文件（tw.pol）、站点密钥（site.key）和本地密钥（hostname-local.key）在后面展示。

1. ROOT =/usr/sbin
2. POLFILE =/etc/tripwire/tw.pol
3. DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
4. REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
5. SITEKEYFILE =/etc/tripwire/site.key
6. LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
7. EDITOR =/usr/bin/editor
8. LATEPROMPTING =false
9. LOOSEDIRECTORYCHECKING =false
10. MAILNOVIOLATIONS =true
11. EMAILREPORTLEVEL =3
12. REPORTLEVEL =3
13. SYSLOGREPORTING =true
14. MAILMETHOD =SMTP
15. SMTPHOST =localhost
16. SMTPPORT =25
17. TEMPDIRECTORY =/tmp

tripwire 策略配置

在生成基础数据库之前先配置 tripwire 配置。有必要经用一些策略如 /dev、/proc、/root/mail 等。详细的 twpol.txt 策略文件如下所示。

1. @@section GLOBAL
2. TWBIN =/usr/sbin;
3. TWETC =/etc/tripwire;
4. TWVAR =/var/lib/tripwire;
5. #
6. #FileSystemDefinitions
7. #
8. @@section FS
9. #
10. #First, some variables to make configuration easier
11. #
12. SEC_CRIT = $(IgnoreNone)-SHa;#Critical files that cannot change
13. SEC_BIN = $(ReadOnly);#Binaries that should not change
14. SEC_CONFIG = $(Dynamic);#Config files that are changed
15. # infrequently but accessed
16. # often
17. SEC_LOG = $(Growing);#Files that grow, but that
18. # should never change ownership
19. SEC_INVARIANT =+tpug ;#Directories that should never
20. # change permission or ownership
21. SIG_LOW =33;#Non-critical files that are of
22. # minimal security impact
23. SIG_MED =66;#Non-critical files that are of
24. # significant security impact
25. SIG_HI =100;#Critical files that are
26. # significant points of
27. # vulnerability
28. #
29. # tripwire Binaries
30. #
31. (
32. rulename ="tripwire Binaries",
33. severity = $(SIG_HI)
34. )
35. {
36. $(TWBIN)/siggen -> $(SEC_BIN);
37. $(TWBIN)/tripwire -> $(SEC_BIN);
38. $(TWBIN)/twadmin -> $(SEC_BIN);
39. $(TWBIN)/twprint -> $(SEC_BIN);
40. }
41. {
42. /boot -> $(SEC_CRIT);
43. /lib/modules -> $(SEC_CRIT);
44. }
45. (
46. rulename ="Boot Scripts",
47. severity = $(SIG_HI)
48. )
49. {
50. /etc/init.d -> $(SEC_BIN);
51. #/etc/rc.boot -> $(SEC_BIN);
52. /etc/rcS.d -> $(SEC_BIN);
53. /etc/rc0.d -> $(SEC_BIN);
54. /etc/rc1.d -> $(SEC_BIN);
55. /etc/rc2.d -> $(SEC_BIN);
56. /etc/rc3.d -> $(SEC_BIN);
57. /etc/rc4.d -> $(SEC_BIN);
58. /etc/rc5.d -> $(SEC_BIN);
59. /etc/rc6.d -> $(SEC_BIN);
60. }
61. (
62. rulename ="Root file-system executables",
63. severity = $(SIG_HI)
64. )
65. {
66. /bin -> $(SEC_BIN);
67. /sbin -> $(SEC_BIN);
68. }
69. #
70. #CriticalLibraries
71. #
72. (
73. rulename ="Root file-system libraries",
74. severity = $(SIG_HI)
75. )
76. {
77. /lib -> $(SEC_BIN);
78. }
79. #
80. #LoginandPrivilegeRaisingPrograms
81. #
82. (
83. rulename ="Security Control",
84. severity = $(SIG_MED)
85. )
86. {
87. /etc/passwd-> $(SEC_CONFIG);
88. /etc/shadow -> $(SEC_CONFIG);
89. }
90. {
91. #/var/lock -> $(SEC_CONFIG);
92. #/var/run -> $(SEC_CONFIG);# daemon PIDs
93. /var/log -> $(SEC_CONFIG);
94. }
95. #These files change the behavior of the root account
96. (
97. rulename ="Root config files",
98. severity =100
99. )
100. {
101. /root -> $(SEC_CRIT) ; # Catch all additions to /root
102. #/root/mail -> $(SEC_CONFIG);
103. #/root/Mail-> $(SEC_CONFIG);
104. /root/.xsession-errors -> $(SEC_CONFIG);
105. #/root/.xauth -> $(SEC_CONFIG);
106. #/root/.tcshrc -> $(SEC_CONFIG);
107. #/root/.sawfish -> $(SEC_CONFIG);
108. #/root/.pinerc -> $(SEC_CONFIG);
109. #/root/.mc -> $(SEC_CONFIG);
110. #/root/.gnome_private -> $(SEC_CONFIG);
111. #/root/.gnome-desktop -> $(SEC_CONFIG);
112. #/root/.gnome -> $(SEC_CONFIG);
113. #/root/.esd_auth -> $(SEC_CONFIG);
114. # /root/.elm -> $(SEC_CONFIG);
115. #/root/.cshrc -> $(SEC_CONFIG);
116. #/root/.bashrc -> $(SEC_CONFIG);
117. #/root/.bash_profile -> $(SEC_CONFIG);
118. # /root/.bash_logout -> $(SEC_CONFIG);
119. #/root/.bash_history -> $(SEC_CONFIG);
120. #/root/.amandahosts -> $(SEC_CONFIG);
121. #/root/.addressbook.lu -> $(SEC_CONFIG);
122. #/root/.addressbook -> $(SEC_CONFIG);
123. #/root/.Xresources-> $(SEC_CONFIG);
124. #/root/.Xauthority-> $(SEC_CONFIG)-i ;#ChangesInode number on login
125. /root/.ICEauthority-> $(SEC_CONFIG);
126. }
127. #
128. #Critical devices
129. #
130. (
131. rulename ="Devices & Kernel information",
132. severity = $(SIG_HI),
133. )
134. {
135. #/dev -> $(Device);
136. #/proc -> $(Device);
137. }

tripwire 报告

tripwire-check 命令检查 twpol.txt 文件并基于此文件生成 tripwire 报告如下。如果 twpol.txt 中有任何错误，tripwire 不会生成报告。

tripwire report

文本形式报告

1. root@VMdebian:/home/labadmin# tripwire --check
2. Parsing policy file:/etc/tripwire/tw.pol
3. ***ProcessingUnixFileSystem***
4. Performing integrity check...
5. Wrote report file:/var/lib/tripwire/report/VMdebian-20151024-122322.twr
6. OpenSource tripwire(R)2.4.2.2IntegrityCheckReport
7. Report generated by: root
8. Report created on:SatOct2412:23:222015
9. Databaselast updated on:Never
10. ReportSummary:
11. =========================================================
12. Host name:VMdebian
13. Host IP address:127.0.1.1
14. Host ID:None
15. Policyfile used:/etc/tripwire/tw.pol
16. Configurationfile used:/etc/tripwire/tw.cfg
17. Databasefile used:/var/lib/tripwire/VMdebian.twd
18. Command line used: tripwire --check
19. =========================================================
20. RuleSummary:
21. =========================================================
22. -------------------------------------------------------------------------------
23. Section:UnixFileSystem
24. -------------------------------------------------------------------------------
25. RuleNameSeverityLevelAddedRemovedModified
26. -------------------------------------------
27. Other binaries 66000
28. tripwire Binaries100000
29. Other libraries 66000
30. Rootfile-system executables 100000
31. tripwire DataFiles100000
32. System boot changes 100000
33. (/var/log)
34. Rootfile-system libraries 100000
35. (/lib)
36. Critical system boot files 100000
37. Other configuration files 66000
38. (/etc)
39. BootScripts100000
40. SecurityControl66000
41. Root config files 100000
42. InvariantDirectories66000
43. Total objects scanned:25943
44. Total violations found:0
45. =========================ObjectSummary:================================
46. -------------------------------------------------------------------------------
47. #Section:UnixFileSystem
48. -------------------------------------------------------------------------------
49. No violations.
50. ===========================ErrorReport:=====================================
51. NoErrors
52. -------------------------------------------------------------------------------
53. ***End of report ***
54. OpenSource tripwire 2.4Portions copyright 2000 tripwire,Inc. tripwire is a registered
55. trademark of tripwire,Inc.This software comes with ABSOLUTELY NO WARRANTY;
56. for details use--version.Thisis free software which may be redistributed
57. or modified only under certain conditions; see COPYING for details.
58. All rights reserved.
59. Integrity check complete.

总结

本篇中，我们学习安装配置开源入侵检测软件 tripwire。首先生成基础数据库并通过比较检测出任何改动（文件 / 文件夹）。然而，tripwire 并不是实时监测的 IDS。

via: http://linoxide.com/security/configure-tripwire-ids-debian/

作者：nido 译者：geekpi 校对：wxy

本文由 LCTT 原创编译，Linux 中国 荣誉推出

本文永久更新链接地址 ：http://www.linuxidc.com/Linux/2016-04/129806.htm