Tripwire file comparison tool

xiaoxiao, 2021-03-06

I. Introduction to TripWire

1. Tripwire is a set of security tools for checking file and directory integrity. It compares the files currently on disk against an established baseline database; if it finds that files have been added, deleted, or modified, Tripwire informs the system administrator in real time and generates a readable report, from which the administrator can decide whether a further inspection or a system restore is needed.

2. The relevant files of the Tripwire RPM version are as follows:

Program files (in /usr/sbin/):

- tripwire: provides the five main operating modes: (1) database initialization, (2) integrity check, (3) database update, (4) policy update, (5) mail test

- twadmin: generates the configuration file, policy file, and key files used by Tripwire; also used for encryption and signing

- twprint: prints the contents of database and report files as plain text

- siggen: displays the hash (signature) values of files

Configuration file: /etc/tripwire/tw.cfg (twcfg.txt is the unencrypted version)

Policy file: /etc/tripwire/tw.pol (twpol.txt is the unencrypted version)

Database: /var/lib/tripwire/$(hostname).twd

Report files: /var/lib/tripwire/report/$(hostname)-$(DATE).twr

Key files: divided into a site key and a local key. The site key can be shared across multiple systems and protects the configuration and policy files; the local key is specific to each host and protects that host's database (/etc/tripwire/site.key and $(hostname)-local.key).

3. Download the software: tar.gz: http://sourceforge.net/projects/tripwire/ (download tripwire-2.3.1); RPM: http://rpmfind.net, search for "tripwire" (also on the second Red Hat CD).

II. Practical steps

1. After installing the RPM (# rpm -ivh tripwire-xxx.rpm), run /etc/tripwire/twinstall.sh: # /etc/tripwire/twinstall.sh <--- enter the site key and local key passphrases

2. Database initialization mode: # /usr/sbin/tripwire -m i

3. Modify the policy file so that it matches the files actually present on the system: # cd /etc/tripwire # /usr/sbin/tripwire -m c | grep Filename > twnotfound.txt. Then write a shell script (twfilter.sh) (source: a fellow netizen):

#!/bin/bash
# twfilter.sh: remove policy rules for files that "tripwire -m c" reported as missing
org_file=/etc/tripwire/twpol.txt
not_file=twnotfound.txt
tmp_file=tmp.txt
new_file=new.txt
cat "$org_file" > "$tmp_file"
cat "$tmp_file" > "$new_file"   # keeps the policy intact even if twnotfound.txt is empty
for i in $(cut -d ":" -f 2 "$not_file"); do
    grep -v -F -- "$i" "$tmp_file" > "$new_file"   # drop every line mentioning the missing path
    cat "$new_file" > "$tmp_file"
done
mv "$org_file" "$org_file.bak"   # keep a backup of the original policy
cat "$new_file" > "$org_file"
rm -f "$new_file" "$tmp_file"
# --- End Script ---

# sh twfilter.sh <- generates a policy file that matches the system
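The filter above removes every policy line that contains a missing path as a substring and, on an empty twnotfound.txt, would overwrite the policy with nothing. The following is an added example (not from the original post) of the same step done with exact-path matching: it parses the "### Filename:" lines that tripwire -m c prints, drops only the rule whose path equals a missing file, and leaves the policy untouched when nothing is missing. The policy and check output below are constructed sample data.

```shell
#!/bin/sh
# filter_policy POLICY CHECK_OUTPUT OUT
#   POLICY        plain-text twpol.txt
#   CHECK_OUTPUT  saved output of "tripwire -m c"
#   OUT           filtered policy to write
filter_policy() {
    awk '
        # first file: collect the paths tripwire reported as missing
        FILENAME == ARGV[1] {
            if ($0 ~ /^### Filename:/) {
                sub(/^### Filename:[ \t]*/, "")
                missing[$0] = 1
            }
            next
        }
        # second file: a rule line looks like "  /path  -> $(SEC_BIN) ;"
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t]+/)
            if ((f[1] in missing) && line ~ /->/) next   # exact path match only
            print
        }
    ' "$2" "$1" > "$3"
}

# Constructed sample data so the example runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/twpol.txt" <<'EOF'
{
  /usr/sbin/fixrmtab      -> $(SEC_BIN) ;
  /usr/sbin/fixrmtab2     -> $(SEC_BIN) ;
  /usr/sbin/tripwire      -> $(SEC_BIN) ;
}
EOF
cat > "$demo_dir/check.txt" <<'EOF'
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
EOF
: > "$demo_dir/empty.txt"

# one missing file: only the fixrmtab rule goes, fixrmtab2 stays
filter_policy "$demo_dir/twpol.txt" "$demo_dir/check.txt" "$demo_dir/new.txt"
# nothing missing: the output equals the input policy
filter_policy "$demo_dir/twpol.txt" "$demo_dir/empty.txt" "$demo_dir/same.txt"
```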

4. Rebuild the database according to the new policy: # /usr/sbin/twadmin -m P /etc/tripwire/twpol.txt # /usr/sbin/tripwire -m i

5. **Important** After the database has been established, be sure to delete the plain-text policy file and configuration file: # rm /etc/tripwire/twpol.txt # rm /etc/tripwire/twcfg.txt

6. Integrity checking mode: # /usr/sbin/tripwire -m c. To run it automatically, add the following script under /etc/cron.daily/ (tw-check):

#!/bin/bash
# tw-check: run the daily integrity check and mail the report to root
/usr/sbin/tripwire -m c | mail -s "Tripwire Daily Report from $(hostname)" root@localhost

7. Database update mode: if files were added or modified, the database must be updated: # /usr/sbin/tripwire -m u -r /var/lib/tripwire/report/$(hostname)-$(DATE).twr. This opens the report in vi; each reported change has a selection box ([x]). If the "x" is left in place, the change is accepted; if the "x" is removed, the change is not written to the database (future checks will still list it). When you save and quit, you must enter the local key passphrase, and Tripwire updates the database and writes it to disk.

8. Policy update mode: convert the existing (encrypted) policy to twpol.txt (plain text): # /usr/sbin/twadmin -m p > /etc/tripwire/twpol.txt. After editing, install the new policy in encrypted form: # /usr/sbin/tripwire -m p /etc/tripwire/twpol.txt, then # /usr/sbin/tripwire -m c <- run a check right away, and remember to delete twpol.txt!!!

9. To update the configuration file, first dump the (encrypted) configuration file to plain text: # /usr/sbin/twadmin -m f > /etc/tripwire/twcfg.txt. After editing, regenerate the encrypted version: # /usr/sbin/twadmin -m F --site-keyfile /etc/tripwire/site.key twcfg.txt # rm twcfg.txt

Note: the list of monitored files is contained in /etc/tripwire/twpol.txt

Please credit the original address when reposting: https://www.9cbs.com/read-54158.html
