1. Why install Tripwire
After installing and configuring Linux, it is recommended that you install Tripwire immediately. Tripwire records a fingerprint of every monitored object (size, owner, group, permissions and so on) and checks the objects against that fingerprint database on a regular schedule. When the current state of an object no longer matches the database, Tripwire warns you and reports which objects differ from the fingerprint database.
2. Installation
Note: the Linux distribution used in this document is Red Hat Linux 7.3; other distributions are similar.
1. Install the package: rpm -Uvh tripwire-<version>.rpm
2. Change to the working directory /etc/tripwire, which contains two configuration files:
§ twcfg.txt: sets Tripwire's working environment; you can adjust it to suit your habits.
§ twpol.txt: specifies which objects Tripwire monitors.
3. The default twcfg.txt:
ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oc
§ DBFILE is the file name of the fingerprint database.
§ REPORTFILE is the file name of the check report.
4. Now look at twpol.txt, in which we specify which properties of which files Tripwire monitors. The properties Tripwire can monitor are listed in the "Property Masks" section of the twpolicy man page, as shown below:
-  Ignore the following properties
+  Record and check the following properties
a  Access timestamp
b  Number of blocks allocated
c  Inode timestamp (create/modify)
d  ID of device on which inode resides
g  File owner's group ID
i  Inode number
l  File is increasing in size (a "growing file")
m  Modification timestamp
n  Number of links (inode reference count)
p  Permissions and file mode bits
r  ID of device pointed to by inode (valid only for device objects)
s  File size
t  File type
u  File owner's user ID
C  CRC-32 hash value
H  HAVAL hash value
M  MD5 hash value
S  SHA hash value
Note that the letters are case-sensitive (s is the file size, S is the SHA hash). How "+" and "-" are used is explained later.
5. How do I ask Tripwire to monitor particular files? The twpol.txt shipped by Red Hat already lists the important configuration files and programs to be monitored; you can find this paragraph in the file:
(
  rulename = "Security Control",
  severity = $(SIG_HI)
)
{
  /etc/group     -> $(SEC_CRIT) ;
  /etc/security  -> $(SEC_CRIT) ;
}
This paragraph places /etc/group and /etc/security in the rule group "Security Control". The severity of the warning is given by the variable SIG_HI, whose value is 100 (explained later). And which properties of /etc/group and /etc/security will Tripwire monitor? That is defined by the variable SEC_CRIT.
6. Browsing from the beginning of twpol.txt, you can find the following paragraph:
@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability
Here you can see that the value of SIG_HI is 100, as mentioned above. The properties of /etc/group that Tripwire monitors are defined by SEC_CRIT, and SEC_CRIT equals "$(IgnoreNone)-SHa". Which properties are those?
To unlock this mystery you must first find where the variable IgnoreNone is defined, but it appears nowhere in twpol.txt. It turns out that IgnoreNone, like ReadOnly, Dynamic, Growing and so on, is a variable predefined by Tripwire; their contents can be found in the "Variables" section of the twpolicy man page:
ReadOnly    ReadOnly is good for files that are widely available but are intended to be read-only. Value: +pinugtsdbmCM-rlacSH
Dynamic     Dynamic is good for monitoring user directories and files that tend to be dynamic in behavior. Value: +pinugtd-srlbamcCMSH
Growing     The Growing variable is intended for files that should only get larger. Value: +pinugtdl-srbamcCMSH
Device      Device is good for devices or other files that Tripwire should not attempt to open. Value: +pugsdr-intlbamcCMSH
IgnoreAll   IgnoreAll tracks a file's presence or absence, but doesn't check any other properties. Value: -pinugtsdrlbamcCMSH
IgnoreNone  IgnoreNone turns on all properties and provides a convenient starting point for defining your own property masks. (For example, mymask = $(IgnoreNone)-ar;) Value: +pinugtsdrbamcCMSH-l
From the above, the value of IgnoreNone is "+pinugtsdrbamcCMSH-l": the letters listed after "+" are the properties to monitor, and the letters after "-" are the properties that are not monitored. So what does "$(IgnoreNone)-SHa" mean? It starts from IgnoreNone and turns off properties that IgnoreNone had turned on. Read letter by letter against the table in section 4 (the letters are case-sensitive), "-SHa" switches off S (the SHA hash), H (the HAVAL hash) and a (the access timestamp), so those three are no longer checked while the MD5 and CRC-32 hashes still are. You can modify this file according to your own needs.
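The mask arithmetic described above, as an added example that is not Tripwire's own code: a small Python resolver that expands $(...) variable references against the predefined masks from the twpolicy man page and walks the result left to right, so you can check what a policy line such as SEC_CRIT = $(IgnoreNone)-SHa actually turns on. The property letters and predefined values are copied from the man page; the expansion rule, the treatment of a mask without a leading sign, and the function names are assumptions made for this illustration.

```python
"""Resolve Tripwire property-mask expressions such as "$(IgnoreNone)-SHa".

Added example, not Tripwire's own code.  The property letters and the
predefined variables are copied from twpolicy(4); the expansion and the
left-to-right evaluation are this example's assumption about how masks
combine, written to show that '+' turns a property on, '-' turns it off,
and that case matters (s is the size, S is the SHA hash).
"""
import re

# "Property Masks" section of twpolicy(4).
PROPERTIES = {
    "a": "access timestamp",
    "b": "number of blocks allocated",
    "c": "inode timestamp (create/modify)",
    "d": "ID of device on which inode resides",
    "g": "file owner's group ID",
    "i": "inode number",
    "l": "file is increasing in size (growing file)",
    "m": "modification timestamp",
    "n": "number of links",
    "p": "permissions and file mode bits",
    "r": "ID of device pointed to by inode",
    "s": "file size",
    "t": "file type",
    "u": "file owner's user ID",
    "C": "CRC-32 hash",
    "H": "HAVAL hash",
    "M": "MD5 hash",
    "S": "SHA hash",
}

# "Variables" section of twpolicy(4).
PREDEFINED = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}

_VAR = re.compile(r"\$\((\w+)\)")


def expand(expr, variables, depth=0):
    """Textually replace every $(NAME) with its definition, recursively."""
    if depth > 16:
        raise ValueError("variable expansion too deep (cyclic definition?)")

    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("undefined variable " + name)
        return expand(variables[name], variables, depth + 1)

    return _VAR.sub(sub, expr)


def resolve_mask(expr, variables=None):
    """Return the set of property letters that `expr` turns on.

    `variables` maps policy variable names to mask expressions, e.g.
    {"SEC_CRIT": "$(IgnoreNone)-SHa"}; the predefined ones are always known.
    """
    scope = dict(PREDEFINED)
    scope.update(variables or {})
    checked = set()
    adding = True   # assumed: letters before any sign are treated as '+'
    for ch in expand(expr, scope).replace(" ", ""):
        if ch == "+":
            adding = True
        elif ch == "-":
            adding = False
        elif ch in PROPERTIES:
            if adding:
                checked.add(ch)
            else:
                checked.discard(ch)
        else:
            raise ValueError("unknown property letter %r" % ch)
    return checked


def describe(expr, variables=None):
    """Return (checked, ignored) lists of 'letter description' strings."""
    on = resolve_mask(expr, variables)
    checked = [ch + " " + PROPERTIES[ch] for ch in PROPERTIES if ch in on]
    ignored = [ch + " " + PROPERTIES[ch] for ch in PROPERTIES if ch not in on]
    return checked, ignored


if __name__ == "__main__":
    # The Red Hat policy variables quoted in the text above.
    policy = {"SEC_CRIT": "$(IgnoreNone)-SHa",
              "SEC_BIN": "$(ReadOnly)",
              "SEC_INVARIANT": "+tpug"}
    for name in policy:
        checked, ignored = describe("$(%s)" % name, policy)
        print(name, "checks:", ", ".join(checked))
        print(name, "ignores:", ", ".join(ignored))
```

Running the script prints, for each of the three Red Hat variables, which properties end up checked and which ignored; for SEC_CRIT the ignored list is exactly l, a, H and S, which is why a changed access time alone never raises a "Security Control" violation while a changed MD5 does.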
7. Next, execute ./twinstall.sh in /etc/tripwire. During execution it asks you to set two passphrases:
§ Site passphrase: used to sign twpol.txt and twcfg.txt.
§ Local passphrase: used to sign the fingerprint database.
Then you are asked for the site passphrase again, and twpol.txt and twcfg.txt are signed, producing tw.pol and tw.cfg from the plain-text files. The process looks like this:
[root@localhost tripwire]# ./twinstall.sh

----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases should be at least 8 characters in length
and contain both letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Signing configuration file...
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file
/etc/tripwire/twcfg.txt
has been preserved for your inspection.  It is recommended
that you delete this file manually after you have examined it.

----------------------------------------------
Signing policy file...
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file
/etc/tripwire/twpol.txt
has been preserved for your inspection.  This implements
a minimal policy, intended only to test essential
Tripwire functionality.  You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.
You have new mail in /var/spool/mail/root
After twinstall.sh has run, it is recommended to delete the plain-text twpol.txt and twcfg.txt or move them somewhere else.
8. Execute tripwire -m i to build the fingerprint database; it will ask you for the local passphrase.
[root@localhost tripwire]# tripwire -m i
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /proc/scsi
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
Wrote database file: /var/lib/tripwire/localhost.localdomain.twd
The database was successfully generated.
You have new mail in /var/spool/mail/root
9. Perhaps you doubt that Tripwire really detects the slightest change to a file? Here is an experiment: we change the "x" in the second field of /etc/group to "X":
[root@localhost tripwire]# head -1 /etc/group
root:x:0:root
[root@localhost tripwire]# vi /etc/group
[root@localhost tripwire]# head -1 /etc/group
root:X:0:root
10. Next, execute "tripwire -m c --interactive". When the check finishes, the report is opened in the editor (I use vi), with the following sections:
§ "Rule Summary": lists the check results for every rule group.
===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                                Severity Level  Added  Removed  Modified
  ---------                                --------------  -----  -------  --------
  Invariant Directories                    66              0      0        0
  Temporary Directories                    33              0      0        0
* Tripwire Data Files                      100             1      0        0
  Critical Devices                         100             0      0        0
  User Binaries                            66              0      0        0
  Tripwire Binaries                        100             0      0        0
  Libraries                                66              0      0        0
  Operating System Utilities               100             0      0        0
  Critical System Boot Files               100             0      0        0
  File System and Disk Administration Programs
                                           100             0      0        0
  Kernel Administration Programs           100             0      0        0
  Networking Programs                      100             0      0        0
  System Administration Programs           100             0      0        0
  Hardware and Device Control Programs
                                           100             0      0        0
  System Information Programs              100             0      0        0
  Application Information Programs
                                           100             0      0        0
  Shell Related Programs                   100             0      0        0
  Critical Utility Sym-Links               100             0      0        0
  Shell Binaries                           100             0      0        0
  System Boot Changes                      100             0      0        0
  OS Executables and Libraries             100             0      0        0
* Security Control                         100             0      0        1
  Login Scripts                            100             0      0        0
  Root Config Files                        100             0      0        0

Total objects scanned:  15675
Total violations found:  2
Two rule groups have violations (marked with "*"): "Tripwire Data Files", where the newly created database file was added, and "Security Control", the group /etc/group belongs to!
§ "Object Summary": lists the objects on which something happened.
===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/var/lib/tripwire/localhost.localdomain.twd"

-------------------------------------------------------------------------------
Rule Name: Security Control (/etc/group)
Severity Level: 100
-------------------------------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Modified:
[x] "/etc/group"
/etc/group is reported as modified. If you want the fingerprint database to be updated with the current state of /etc/group, keep the x in the box in front of "/etc/group"; otherwise change the x to a space and the old fingerprint is kept.
§ "Object Detail": detailed information about each object that changed, such as which properties changed.
===============================================================================
Object Detail:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
-------------------------------------------------------------------------------
Although only an x was changed to X, four properties are affected. The most important of these is the MD5 value: as long as the MD5 of a file differs from its original value, you can be certain that the contents of the file have been modified.
§ Tripwire automatically performs a check every day and e-mails the result to root. You should also run "tripwire -m c --interactive" regularly to update the fingerprint database.
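To see why a single changed character shows up as a modified object, here is an added Python example (not Tripwire's own code) that builds a miniature fingerprint database and checks it in the way the tripwire -m i and tripwire -m c steps above do. It records the properties behind Tripwire's letters (p, i, n, u, g, t, s, d, b, m, c, C, M, S), stores them in a JSON file, and reports added, removed and modified objects together with the properties that changed, as the Object Detail section does. The JSON format, the default mask, the function names and the demo() replay of the /etc/group experiment on a constructed file in a temporary directory are all this example's own assumptions.

```python
"""Miniature Tripwire-style fingerprint database: initialise and check.

Added example, not Tripwire's own code.  The property letters follow the
twpolicy(4) "Property Masks" table; the JSON on-disk format, the default
mask and the function names are assumptions made for this illustration.
"""
import hashlib
import json
import os
import stat
import tempfile
import zlib

# Assumed default mask: everything ReadOnly checks, plus the SHA hash.
DEFAULT_MASK = "pinugtsdbmCMS"


def fingerprint(path, mask=DEFAULT_MASK):
    """Return {letter: value} for the properties named in `mask`."""
    st = os.lstat(path)
    props = {
        "p": stat.S_IMODE(st.st_mode),      # permissions and mode bits
        "i": st.st_ino,                     # inode number
        "n": st.st_nlink,                   # number of links
        "u": st.st_uid,                     # owner's user ID
        "g": st.st_gid,                     # owner's group ID
        "t": stat.S_IFMT(st.st_mode),       # file type
        "s": st.st_size,                    # file size
        "d": st.st_dev,                     # device holding the inode
        "b": getattr(st, "st_blocks", 0),   # blocks allocated
        "m": int(st.st_mtime),              # modification timestamp
        "c": int(st.st_ctime),              # inode change timestamp
        "a": int(st.st_atime),              # access timestamp
    }
    if stat.S_ISREG(st.st_mode) and set("CMS") & set(mask):
        with open(path, "rb") as fh:
            data = fh.read()
        props["C"] = "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)   # CRC-32
        props["M"] = hashlib.md5(data).hexdigest()              # MD5
        props["S"] = hashlib.sha1(data).hexdigest()             # SHA-1
    return {k: v for k, v in props.items() if k in mask}


def init_database(paths, dbfile, mask=DEFAULT_MASK):
    """Like 'tripwire -m i': record the current fingerprints of `paths`."""
    db = {p: fingerprint(p, mask) for p in paths if os.path.lexists(p)}
    with open(dbfile, "w") as fh:
        json.dump(db, fh)
    return db


def check(paths, dbfile, mask=DEFAULT_MASK):
    """Like 'tripwire -m c': compare `paths` against the stored database.

    Returns {"added": [...], "removed": [...],
             "modified": {path: {letter: (expected, observed)}}},
    i.e. the information shown in the report's Object Detail section.
    """
    with open(dbfile) as fh:
        db = json.load(fh)
    report = {"added": [], "removed": [], "modified": {}}
    for p in paths:
        exists = os.path.lexists(p)
        if p in db and not exists:
            report["removed"].append(p)
        elif p not in db and exists:
            report["added"].append(p)
        elif exists:
            now = fingerprint(p, mask)
            changed = {k: (db[p].get(k), now[k])
                       for k in now if db[p].get(k) != now[k]}
            if changed:
                report["modified"][p] = changed
    return report


def demo():
    """Replay the /etc/group experiment on a constructed file in a temp dir."""
    tmp = tempfile.mkdtemp()
    group = os.path.join(tmp, "group")
    dbfile = os.path.join(tmp, "localhost.twd")
    with open(group, "w") as fh:
        fh.write("root:x:0:root\n")      # constructed sample line
    init_database([group], dbfile)
    with open(group, "w") as fh:
        fh.write("root:X:0:root\n")      # one character changed, same size
    return check([group], dbfile)["modified"].get(group, {})


if __name__ == "__main__":
    for letter, (expected, observed) in sorted(demo().items()):
        print("%s  expected=%s  observed=%s" % (letter, expected, observed))
```

Running the script shows the point of the experiment: the size, mode, owner and inode of the file are unchanged, so a check that looked only at those properties would stay silent, while the CRC-32, MD5 and SHA values all differ because the content differs by one byte. That is why the policy for "Security Control" keeps the hash properties switched on, and why an object shows up under Modified with the hash rows in its Object Detail even when nothing visible in ls -l has changed.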