This article describes how to install and configure Tripwire on Ubuntu 18.04. Tripwire checks file integrity: it monitors files and directories and warns you when they change.
Installing Tripwire on Ubuntu 18.04

The Tripwire package for Ubuntu 18.04 is available from the apt repository; install it by running:

    $ sudo apt-get install tripwire
Note: during installation you will be asked to enter the site passphrase and to set the local passphrase, among other settings; just work through the prompts, it is very simple. If you need a password management tool, see "3 Linux command-line password managers":
Creating the Tripwire keys and initializing the database

Now that the installation succeeded, we need to generate the keys and initialize the database so that tripwire can start working:

    $ sudo su -
    # cd /etc/tripwire/
    # ls -1
    server-01-local.key
    site.key
    tw.cfg
    tw.pol
    twcfg.txt
    twpol.txt

In twcfg.txt we change REPORTLEVEL to 4, which is the maximum value:

    ROOT                   =/usr/sbin
    POLFILE                =/etc/tripwire/tw.pol
    DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
    REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
    SITEKEYFILE            =/etc/tripwire/site.key
    LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
    EDITOR                 =/usr/bin/editor
    LATEPROMPTING          =false
    LOOSEDIRECTORYCHECKING =false
    MAILNOVIOLATIONS       =true
    EMAILREPORTLEVEL       =3
    REPORTLEVEL            =4
    SYSLOGREPORTING        =true
    MAILMETHOD             =SMTP
    SMTPHOST               =localhost
    SMTPPORT               =25
    TEMPDIRECTORY          =/tmp

After the change, generate the (signed, binary) configuration file from it:

    # twadmin -m F -c tw.cfg -S site.key twcfg.txt
    Please enter your site passphrase: <Enter-your-passphrase>
    Wrote configuration file: /etc/tripwire/tw.cfg
Tuning the Tripwire policy file

The stock policy lists many files that do not exist on a fresh Ubuntu install, which would produce "file system error" noise on every check. Create a file named twpolmake.pl with the following content; it comments out policy entries whose path is missing on this host and fixes up the HOSTNAME line:

    # vim twpolmake.pl

Add:

    #!/usr/bin/perl
    # Tripwire Policy File customize tool
    # Copyright (C) 2019 Hiroaki Izumi
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
    # Usage:
    #     perl twpolmake.pl {Pol file}
    #
    $POLFILE=$ARGV[0];

    open(POL,"$POLFILE") or die "open error: $POLFILE" ;
    my($myhost,$thost) ;
    my($sharp,$tpath,$cond) ;
    my($INRULE) = 0 ;

    while (<POL>) {
        chomp;
        # Rewrite the HOSTNAME variable if it does not match this machine.
        if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
            $myhost = `hostname` ; chomp($myhost) ;
            if ($thost ne $myhost) {
                $_="HOSTNAME=\"$myhost\";" ;
            }
        }
        # Track whether we are inside a "{ ... }" rule block.
        elsif ( /^{/ ) {
            $INRULE=1 ;
        }
        elsif ( /^}/ ) {
            $INRULE=0 ;
        }
        # Inside a rule: split an entry into leading "#", the path and the "-> ..." part.
        elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
            $ret = ($sharp =~ s/\#//g) ;
            if ($tpath eq '/sbin/e2fsadm' ) {
                $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
            }
            # Comment out entries whose path does not exist (or is empty) on this host.
            if (! -s $tpath) {
                $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
            }
            else {
                $_ = "$sharp$tpath$cond" ;
            }
        }
        print "$_\n" ;
    }
    close(POL) ;

Generate the policy file:

    # perl twpolmake.pl twpol.txt > twpol.txt.new
    # twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
    Please enter your site passphrase:
    Wrote policy file: /etc/tripwire/tw.pol

Create the Tripwire database:

    # tripwire -m i -s -c tw.cfg
    Please enter your local passphrase:
    ### Warning: File system error.
    ### Filename: /var/lib/tripwire/server-01.twd
    ### No such file or directory
    ### Continuing...
You can print the database with the following command:

    # twprint -m d -d /path/to/database.twd

For example:

    # twprint -m d -d /var/lib/tripwire/server-01.twd
Updating the database

The simplest form of update takes every change listed in the report file and applies it to the database:

    # tripwire --update --accept-all

Test tripwire by running an integrity check manually:

    # tripwire -m c -s -c /etc/tripwire/tw.cfg
If no errors were encountered, the Tripwire data file is located at /var/lib/tripwire/<servername>.twd. Scan results are saved in the /var/lib/tripwire/report/ directory:

    # ls /var/lib/tripwire/report/
    server-01-20190224-073225.twr

To print a report, use the following syntax:

    # twprint -m r -t [0-4] -r /path/to/reportfile.twr

The -t argument sets the report detail level: 0 is a single-line summary of the report, and 4 lists every collected attribute of every changed object. If it is given neither on the command line nor through the REPORTLEVEL configuration option, the report level defaults to 3. Example:

    # twprint -m r -t 4 -r /var/lib/tripwire/report/server-01-20190224-073225.twr

Also note that you can update the database from this report manually:

    # tripwire -m u -a -s -c /etc/tripwire/tw.cfg -r /var/lib/tripwire/report/server-01-20190224-073225.twr
    Please enter your local passphrase:
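A wrapper for running the check above on a schedule, added here as an example that is not part of the original article: it runs the integrity check, decodes tripwire's exit status, locates the report the check just wrote and prints it, but leaves the database update to a person who has reviewed the report. It assumes the paths used in this article (/etc/tripwire/tw.cfg and /var/lib/tripwire/report) and the exit-status bits documented in tripwire(8) for the open source release (1 added, 2 removed, 4 changed, 8 error), which you should confirm against the version you run.

```shell
#!/bin/sh
# Scheduled Tripwire integrity check (example wrapper, not part of Tripwire).
# Assumptions: config and report paths as set up in this article, and the
# exit-status bits of tripwire(8): 1 added, 2 removed, 4 changed, 8 error.
TW_CFG=/etc/tripwire/tw.cfg
TW_REPORT_DIR=/var/lib/tripwire/report

# Turn the integrity-check exit status into words, e.g. 5 -> "added changed".
decode_tripwire_status() {
    st=$1
    out=""
    for pair in 1:added 2:removed 4:changed 8:error; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $((st & bit)) -ne 0 ]; then
            out="$out$name "
        fi
    done
    if [ -z "$out" ]; then out="clean"; fi
    printf '%s\n' "${out% }"
}

# Newest .twr report in the given directory (the one the check just wrote).
latest_report() {
    ls -1t "$1"/*.twr 2>/dev/null | head -n 1
}

# Run the check, print a one-line verdict, and show the full (level 4) report
# only when something was added, removed or changed. The database is never
# updated here: review the report first, then run the -m u command by hand.
run_integrity_check() {
    if tripwire -m c -s -c "$TW_CFG" >/dev/null 2>&1; then
        st=0
    else
        st=$?
    fi
    verdict=$(decode_tripwire_status "$st")
    rep=$(latest_report "$TW_REPORT_DIR")
    echo "tripwire check: $verdict (exit status $st) report: ${rep:-none}"
    if [ "$verdict" != "clean" ] && [ -n "$rep" ]; then
        twprint -m r -t 4 -r "$rep"
        echo "After review: tripwire -m u -s -c $TW_CFG -r $rep"
    fi
    return "$st"
}

if [ "${1:-}" = "--run" ]; then run_integrity_check; fi
```

Invoked from cron as `sh tripwire-check.sh --run`, a non-zero exit status means there is a report waiting for review.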
Updating the policy and testing the e-mail configuration

1. Policy update mode modifies the current Tripwire policy without losing the existing baseline:

    # tripwire --update-policy updated-policy.txt

As part of the update this runs a check against the new policy. If that check detects changes, the default behavior is to display the changes and exit without updating either the policy or the database; to accept the changes and continue with the policy update, use the -Z low / --secure-mode low command-line option.

2. Testing the e-mail configuration

To test the e-mail configuration:

    # tripwire --test --email user@domain.tld

This sends a test e-mail to the given address using the e-mail settings specified in the configuration file.