数据完整性监测系统的构建（Tripwire ）

[root@sample ~]# wget http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.3.1-2.tar.gz　← 下载源代码

--02:21:30-- http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.3.1-2.tar.gz
=> `tripwire-2.3.1-2.tar.gz'
Resolving jaist.dl.sourceforge.net... 150.65.7.130
Connecting to jaist.dl.sourceforge.net|150.65.7.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,514,955 (1.4M) [application/x-gzip]

100%[====================================>] 1,514,955 1.29M/s

02:21:32 (1.28 MB/s) - `tripwire-2.3.1-2.tar.gz' saved [1514955/1514955]

[root@sample ~]# tar zxvf tripwire-2.3.1-2　← 将被压缩的文件展开

[root@sample ~]# cd tripwire-2.3.1-2　← 进入被解压缩的目录

[root@sample tripwire-2.3.1-2]# wget http://www.frenchfries.net/paul/tripwire/tw-20030919.patch.gz　← 下载 Tripwire Patch文件

--02:28:43-- http://www.frenchfries.net/paul/tripwire/tw-20030919.patch.gz
=> `tw-20030919.patch.gz'
Resolving www.frenchfries.net... 216.73.106.93
Connecting to www.frenchfries.net|216.73.106.93|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 786,411 (768K) [application/x-gzip]

100%[====================================>] 786,411 164.35K/s ETA 00:00

02:28:50 (154.51 KB/s) - `tw-20030919.patch.gz' saved [786411/786411]

[root@sample tripwire-2.3.1-2]# gunzip tw-20030919.patch.gz　← 将 Tripwire Patch 文件解压缩

[root@sample tripwire-2.3.1-2]# patch -p1 < tw-20030919.patch　← Patch编译

[root@sample tripwire-2.3.1-2]# chmod 755 configure　← 赋予配置文件configure可执行的权限

[root@sample tripwire-2.3.1-2]# ./configure --sysconfdir=/etc/tripwire　← 运行configure
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
checking for a BSD compatible install... /usr/bin/install -c
……………………………………
……………………………………
……中间提示信息省略……
……………………………………
……………………………………
config.status: creating src/twprint/Makefile
config.status: creating src/twadmin/Makefile
config.status: creating src/siggen/Makefile
config.status: creating src/tripwire/Makefile
config.status: creating config.h

[root@sample tripwire-2.3.1-2]# make　← 编译

cd . && /bin/sh /root/tripwire-2.3.1-2/missing --run autoheader
configure.in:9: warning: do not use m4_patsubst: use patsubst or m4_bpatsubst
aclocal.m4:546: AM_CONFIG_HEADER is expanded from...
configure.in:9: the top level
configure.in:401: warning: do not use m4_regexp: use regexp or m4_bregexp
aclocal.m4:559: _AM_DIRNAME is expanded from...
configure.in:401: the top level
cd . \
&& CONFIG_FILES= CONFIG_HEADERS=config.h \
/bin/sh ./config.status
……………………………………
……………………………………
……中间提示信息省略……
……需要花费一段时间……
……………………………………
……………………………………
make[2]: Leaving directory `/root/tripwire-2.3.1-2/src'
make[2]: Entering directory `/root/tripwire-2.3.1-2'
make[2]: Nothing to be done for `all-am'.
make[2]: Leaving directory `/root/tripwire-2.3.1-2'
make[1]: Leaving directory `/root/tripwire-2.3.1-2'

[root@sample tripwire-2.3.1-2]# make install　← 安装配置

Making install in man
make[1]: Entering directory `/root/tripwire-2.3.1-2/man'
Making install in man4
make[2]: Entering directory `/root/tripwire-2.3.1-2/man/man4'
make[3]: Entering directory `/root/tripwire-2.3.1-2/man/man4'
make[3]: Nothing to be done for `install-exec-am'.
/bin/sh ../../mkinstalldirs /usr/local/man/man4
mkdir /usr/local/man
……………………………………
……………………………………
……中间提示信息省略…………
……………………………………
……………………………………
Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc. Tripwire (R)
is a registered trademark of the Purdue Research Foundation and is
licensed exclusively to Tripwire (R) Security Systems, Inc.

LICENSE AGREEMENT for Tripwire(R) 2.3 Open Source

Please read the following license agreement. You must accept the
agreement to continue installing Tripwire.

Press ENTER to view the License Agreement. 　← 按回车键阅读协议
……………………………………
……………………………………
协议浏览中按空格键翻页
……………………………………
……………………………………
Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept　← 输入“accept”同意协议
Using configuration file ./install/install.cfg

Checking for programs specified in install configuration file....

/usr/sbin/sendmail exists. Continuing installation.

/bin/vi exists. Continuing installation.

----------------------------------------------
Verifying existence of binaries...

./bin/siggen found
./bin/tripwire found
./bin/twprint found
./bin/twadmin found

This program will copy Tripwire files to the following directories:

TWBIN: /usr/local/sbin
TWMAN: /usr/local/man
TWPOLICY: /etc/tripwire
TWREPORT: /usr/local/lib/tripwire/report
TWDB: /usr/local/lib/tripwire
TWSITEKEYDIR: /etc/tripwire
TWLOCALKEYDIR: /etc/tripwire

CLOBBER is false.

Continue with installation? [y/n] y　← 键入y继续安装

----------------------------------------------
Creating directories...

/usr/local/sbin: already exists
/etc/tripwire: created
/usr/local/lib/tripwire/report: created
/usr/local/lib/tripwire: already exists
/etc/tripwire: already exists
/etc/tripwire: already exists
/usr/local/man: already exists
/usr/local/doc/tripwire: created

----------------------------------------------
Copying files...

/usr/local/doc/tripwire/README: copied
/usr/local/doc/tripwire/Release_Notes: copied
/usr/local/doc/tripwire/COPYING: copied
/usr/local/doc/tripwire/TRADEMARK: copied
/usr/local/doc/tripwire/policyguide.txt: copied
/etc/tripwire/twpol-Linux.txt: copied

----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases should be at least 8 characters in length
and contain both letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase: 　← 输入“site keyfile”口令（输入后不会显示），并且记住这个口令
Verify the site keyfile passphrase: 　← 再次确认“site keyfile”口令
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase: 　← 输入“local keyfile”口令（输入后不会显示），并且记住这个口令
Verify the local keyfile passphrase: 　← 再次确认“local keyfile”口令
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Generating Tripwire configuration file...

----------------------------------------------
Creating signed configuration file...
Please enter your site passphrase: 　← 输入“site keyfile”口令（输入后不会显示）
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended
that you delete this file manually after you have examined it.

----------------------------------------------
Customizing default policy file...

----------------------------------------------
Creating signed policy file...
Please enter your site passphrase: 　← 输入“site keyfile”口令（输入后不会显示）
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements
a minimal policy, intended only to test essential
Tripwire functionality. You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.

----------------------------------------------
The installation succeeded.

Please refer to /usr/local/doc/tripwire/Release_Notes
for release information and to the printed user documentation
for further instructions on using Tripwire 2.3 Open Source.

make[3]: Leaving directory `/root/tripwire-2.3.1-2'
make[2]: Leaving directory `/root/tripwire-2.3.1-2'
make[1]: Leaving directory `/root/tripwire-2.3.1-2'

[root@sample tripwire-2.3.1-2]# cd　← 回到root用户的根目录

[root@sample ~]# rm -rf tripwire-2.3.1-2 tripwire-2.3.1-2.tar.gz　← 删除安装用过的原文件

[root@sample ~]# vi /etc/tripwire/twcfg.txt　 ← 修改文本格式的Tripwire配置文件

LOOSEDIRECTORYCHECKING =false　 ← 找到这一个行，将false的值变为true（不监测所属目录的数据完整性）
　↓
LOOSEDIRECTORYCHECKING =true 　 ← 变为此状态

REPORTLEVEL =3　 ← 找到这一行，将3变为4（改变监测结果报告的等级）
　↓
REPORTLEVEL =4　 ← 变为此状态

[root@sample ~]# twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt　 ← 从文本配置文件建立加密格式配置文件

Please enter your site passphrase: 　← 输入“site keyfile”口令（输入后不会显示）
Wrote configuration file: /etc/tripwire/tw.cfg

[root@sample ~]# rm -f /etc/tripwire/twcfg.txt　← 为不留安全隐患，删除文本格式的配置文件

[root@sample ~]# vi /etc/tripwire/twpolmake.pl　 ← 建立用于建立Policy文件的Perl脚本

#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;

[root@sample ~]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.out　 ← 建立Policy文件

[root@sample ~]# rm -f /etc/tripwire/twpol.txt 　 ← 删除默认Policy文件

[root@sample ~]# mv /etc/tripwire/twpol.txt.out /etc/tripwire/twpol.txt　 ← 将新建立的Policy文件的名改为默认Policy文件的文件名

[root@sample ~]# vi /etc/tripwire/twpol.txt　 ← 编辑Policy文件

$(TWREPORT) 　　　-> $(SEC_CONFIG) (recurse=0) ;　 ← 找到这一行，在这一行的下一行添加语句（113行前后）
!$(TWDB)/$(HOSTNAME).twd ;　 ← 添加这一句（不对数据库进行监测）

[root@sample ~]# twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt　 ← 从文本配置文件建立加密格式配置文件

Please enter your site passphrase:　← 输入“site keyfile”口令（输入后不会显示）
Wrote policy file: /etc/tripwire/tw.pol

[root@sample ~]# rm -f /etc/tripwire/twcfg.txt　← 为不留安全隐患，删除文本格式的配置文件

[root@sample ~]# tripwire --init　← 建立数据库

Please enter your local passphrase: 　← 输入“local keyfile”口令（输入后不会显示）
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /usr/local/lib/tripwire/sample.centospub.com.twd
The database was successfully generated.

[root@sample ~]# vi tripwire-check　← 建立Tripwire运行脚本

#!/bin/bash

PATH=/usr/local/sbin:/usr/bin:/bin
SITEPASS=******** # Site Key Passphrase　← 将星号部分换为Site Keyfile的口令
LOCALPASS=******** # Local Key Passphrase　← 将星号部分换为Local Keyfile的口令
REPORTFILE=/usr/local/lib/tripwire/report/`hostname`-`date +%Y%m%d`.twr

# Run the Tripwire
tripwire --check -r "$REPORTFILE"| logger -t tripwire

# Mail the Tripwire Report to root
cd /etc/tripwire
REPORTPRINT=`mktemp`
twprint -m r -c tw.cfg -r "$REPORTFILE" -L `hostname`-local.key -t 4 > $REPORTPRINT
if [ -z "$(grep 'Total violations found: 0' $REPORTPRINT)" ]; then
cat $REPORTPRINT | mail -s "Tripwire(R) Integrity Check Report in `hostname`" root
fi
rm -f $REPORTPRINT

# Update the Policy File
cd /etc/tripwire
twadmin --print-polfile > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.out
twadmin --create-polfile -S site.key -Q $SITEPASS twpol.txt.out | logger -t tripwire
rm -f twpol.*

# update the Database
rm -f /usr/local/lib/tripwire/`hostname`.twd
tripwire --init -P $LOCALPASS | logger -t tripwire

[root@sample ~]# chmod 700 tripwire-check　← 赋予运行脚本文件可执行的权限

[root@sample ~]# ./tripwire-check 　← 运行一次脚本
由于增加了运行脚本本身，也被认作系统被作了改动，会发邮件通知root…查看邮箱回收到监测报告

[root@sample ~]# ./tripwire-check　← 再次运行一次脚本
由于两次连续运行，之间不太可能有文件变更，所以请确认不会发送E-mail给root

[root@sample ~]# ls -l /usr/local/lib/tripwire/report/　← 监测报告所在目录的文件列表
total 32
-rw-r--r-- 1 root root 8222 Aug 23 05:46 sample.centospub.com-20060823.twr　← 比如想浏览此篇报告
-rw-r--r-- 1 root root 8230 Aug 23 05:46 sample.centospub.com-20060823.twr.bak

[root@sample ~]# cd /etc/tripwire　← 进入Tripwire配置文件所在目录

[root@sample tripwire]# twprint -m r -c tw.cfg -r "/usr/local/lib/tripwire/report/sample.centospub.com-20060823.twr" -L sample.centospub.com-local.key -t 4 > tripwire-report　← 将监测报告保存到名为tripwire-report的文件中

[root@sample tripwire]# cat tripwire-report　← 浏览监测报告
Note: Report is not encrypted.
Tripwire(R) 2.3.0 Integrity Check Report

Report generated by: root
Report created on: Wed 23 Aug 2006 05:45:01 AM CST
Database last updated on: Never

===============================================================================
Report Summary:
===============================================================================

Host name: sample.centospub.com
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /usr/local/lib/tripwire/sample.centospub.com.twd
Command line used: tripwire --check -r /usr/local/lib/tripwire/report/sample.centospub.com-20060823.twr

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Invariant Directories 66 0 0 0
Tripwire Data Files 100 0 0 0
Temporary directories 33 0 0 0
Critical devices 100 0 0 0
(/proc/kcore)
Tripwire Binaries 100 0 0 0
Libraries 66 0 0 0
User binaries 66 0 0 0
Critical system boot files 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
(/sbin/rtmon)
Shell Related Programs 100 0 0 0
Operating System Utilities 100 0 0 0
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
OS executables and libraries 100 0 0 0
System boot changes 100 0 0 0
Critical configuration files 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
* Root config files 100 0 0 1

Total objects scanned: 17363
Total violations found: 1

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/root/tripwire-check"

===============================================================================
Object Detail:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------

Modified object name: /root/tripwire-check

Property: Expected Observed
------------- ----------- -----------
Object Type Regular File Regular File
Device Number 64768 64768
File Device Number 0 0
Inode Number 351317 351317
Mode -rwx------ -rwx------
Num Links 1 1
UID root (0) root (0)
GID root (0) root (0)
* Size 953 951
* Modify Time Wed 23 Aug 2006 05:21:26 AM CST
Wed 23 Aug 2006 05:43:10 AM CST
* Change Time Wed 23 Aug 2006 05:21:26 AM CST
Wed 23 Aug 2006 05:43:10 AM CST
Blocks 16 16
* CRC32 Ay0oV9 BDzM8Y
* MD5 BoeMoWfjEKCSLOJCs/E7mj ABQN3hl5wF0PyTcXugPE5U

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.

[root@sample tripwire]# rm -f tripwire-report　← 删除监测报告

[root@sample tripwire]# cd　 ← 进入Tripwire运行脚本所在的root目录

[root@sample ~]# mv tripwire-check /etc/cron.daily/　 ← 转移脚本到每天自动运行的目录中