How to configure Tripwire IDS in Debian
This article describes how to install and configure Tripwire on Debian. Tripwire is a host-based intrusion detection system (IDS) for Linux. Its advanced functions detect and report any unauthorized changes to files and directories on a Linux system. After installation, Tripwire first creates a baseline database; it then monitors and detects the creation and modification of files, who modified them, and so on. If a change is legitimate, you can accept it and update the Tripwire database.
Installation and configuration
Tripwire is installed in a Debian VM as follows.
```
# apt-get install tripwire
```
[Screenshot: installation]
During installation, Tripwire presents the following configuration prompts.
Site key creation
Tripwire needs a site passphrase to encrypt its configuration file tw.cfg and its policy file tw.pol. Tripwire encrypts both files with the passphrase you specify. A site passphrase must be specified for each Tripwire instance.
[Screenshot: site key]
Local key passphrase
The local passphrase protects the Tripwire database and report files. The local key prevents unauthorized modification of the Tripwire database.
[Screenshot: local key]
Tripwire configuration path
The Tripwire configuration is stored in /etc/tripwire/twcfg.txt. It is used to generate the encrypted configuration file tw.cfg.
[Screenshot: configuration file]
Tripwire policy path
Tripwire keeps its policy file in /etc/tripwire/twpol.txt. It is used to generate the encrypted policy file tw.pol.
[Screenshot: tripwire policy]
When installation is complete, the result looks like the figure below.
[Screenshot: installed tripwire]
Tripwire configuration file (twcfg.txt)
The details of the Tripwire configuration file (twcfg.txt) are shown below. The encrypted policy file (tw.pol), the site key (site.key) and the local key (hostname-local.key) are shown later on.
```
ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/usr/bin/editor
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
SYSLOGREPORTING        =true
MAILMETHOD             =SMTP
SMTPHOST               =localhost
SMTPPORT               =25
TEMPDIRECTORY          =/tmp
```
Tripwire policy configuration
Configure the Tripwire policy before generating the baseline database. Some policy entries, such as /dev, /proc and /root/mail, need to be disabled. The detailed twpol.txt policy file is shown below.
```
@@section GLOBAL
TWBIN = /usr/sbin;
TWETC = /etc/tripwire;
TWVAR = /var/lib/tripwire;

#
# File System Definitions
#
@@section FS

#
# First, some variables to make configuration easier
#
SEC_CRIT      = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_BIN       = $(ReadOnly) ;       # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;        # Config files that are changed
                                    # infrequently but accessed
                                    # often
SEC_LOG       = $(Growing) ;        # Files that grow, but that
                                    # should never change ownership
SEC_INVARIANT = +tpug ;             # Directories that should never
                                    # change permission or ownership
SIG_LOW       = 33 ;                # Non-critical files that are of
                                    # minimal security impact
SIG_MED       = 66 ;                # Non-critical files that are of
                                    # significant security impact
SIG_HI        = 100 ;               # Critical files that are
                                    # significant points of
                                    # vulnerability

#
# Tripwire Binaries
#
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/siggen   -> $(SEC_BIN) ;
  $(TWBIN)/tripwire -> $(SEC_BIN) ;
  $(TWBIN)/twadmin  -> $(SEC_BIN) ;
  $(TWBIN)/twprint  -> $(SEC_BIN) ;
}
{
  /boot        -> $(SEC_CRIT) ;
  /lib/modules -> $(SEC_CRIT) ;
}
(
  rulename = "Boot Scripts",
  severity = $(SIG_HI)
)
{
  /etc/init.d   -> $(SEC_BIN) ;
  #/etc/rc.boot -> $(SEC_BIN) ;
  /etc/rcS.d    -> $(SEC_BIN) ;
  /etc/rc0.d    -> $(SEC_BIN) ;
  /etc/rc1.d    -> $(SEC_BIN) ;
  /etc/rc2.d    -> $(SEC_BIN) ;
  /etc/rc3.d    -> $(SEC_BIN) ;
  /etc/rc4.d    -> $(SEC_BIN) ;
  /etc/rc5.d    -> $(SEC_BIN) ;
  /etc/rc6.d    -> $(SEC_BIN) ;
}
(
  rulename = "Root file-system executables",
  severity = $(SIG_HI)
)
{
  /bin  -> $(SEC_BIN) ;
  /sbin -> $(SEC_BIN) ;
}
#
# Critical Libraries
#
(
  rulename = "Root file-system libraries",
  severity = $(SIG_HI)
)
{
  /lib -> $(SEC_BIN) ;
}
#
# Login and Privilege Raising Programs
#
(
  rulename = "Security Control",
  severity = $(SIG_MED)
)
{
  /etc/passwd -> $(SEC_CONFIG) ;
  /etc/shadow -> $(SEC_CONFIG) ;
}
{
  #/var/lock -> $(SEC_CONFIG) ;
  #/var/run  -> $(SEC_CONFIG) ; # daemon PIDs
  /var/log   -> $(SEC_CONFIG) ;
}
# These files change the behavior of the root account
(
  rulename = "Root config files",
  severity = 100
)
{
  /root                  -> $(SEC_CRIT) ; # Catch all additions to /root
  #/root/mail            -> $(SEC_CONFIG) ;
  #/root/Mail            -> $(SEC_CONFIG) ;
  /root/.xsession-errors -> $(SEC_CONFIG) ;
  #/root/.xauth          -> $(SEC_CONFIG) ;
  #/root/.tcshrc         -> $(SEC_CONFIG) ;
  #/root/.sawfish        -> $(SEC_CONFIG) ;
  #/root/.pinerc         -> $(SEC_CONFIG) ;
  #/root/.mc             -> $(SEC_CONFIG) ;
  #/root/.gnome_private  -> $(SEC_CONFIG) ;
  #/root/.gnome-desktop  -> $(SEC_CONFIG) ;
  #/root/.gnome          -> $(SEC_CONFIG) ;
  #/root/.esd_auth       -> $(SEC_CONFIG) ;
  #/root/.elm            -> $(SEC_CONFIG) ;
  #/root/.cshrc          -> $(SEC_CONFIG) ;
  #/root/.bashrc         -> $(SEC_CONFIG) ;
  #/root/.bash_profile   -> $(SEC_CONFIG) ;
  #/root/.bash_logout    -> $(SEC_CONFIG) ;
  #/root/.bash_history   -> $(SEC_CONFIG) ;
  #/root/.amandahosts    -> $(SEC_CONFIG) ;
  #/root/.addressbook.lu -> $(SEC_CONFIG) ;
  #/root/.addressbook    -> $(SEC_CONFIG) ;
  #/root/.Xresources     -> $(SEC_CONFIG) ;
  #/root/.Xauthority     -> $(SEC_CONFIG) -i ; # Changes Inode number on login
  /root/.ICEauthority    -> $(SEC_CONFIG) ;
}
#
# Critical devices
#
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
)
{
  #/dev  -> $(Device) ;
  #/proc -> $(Device) ;
}
```
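The policy above is a hand-edited text file, and a slip in it means the baseline database is built from the wrong rules. The Python script below is an added example, not code from this article or from the Tripwire project: it parses the twpol.txt syntax shown above, lists each rule's active and commented-out entries, and flags any entry the text says should be disabled (/dev, /proc, /root/mail) that is still active. The sample policy embedded in it is constructed for the example, and NOISY_PATHS, parse_policy and lint_policy are names chosen here, not Tripwire's.

```python
"""Lint a twpol.txt-style Tripwire policy before running `tripwire --init`.
Added example, not code from the article or the Tripwire project: parses the syntax
subset shown above (assuming '(' ')' '{' '}' sit on their own lines, as they do there)
and flags entries the article says to disable on Debian while they are still active."""
import re

# Paths the article says to comment out before building the baseline
# (assumption: a real host may need more).
NOISY_PATHS = ("/dev", "/proc", "/root/mail")
ATTR_RE = re.compile(r'^(\w+)\s*=\s*(.+?)\s*,?$')    # rulename = "x",
VAR_RE = re.compile(r'^(\w+)\s*=\s*(.+?)\s*;$')      # TWBIN = /usr/sbin;
ENTRY_RE = re.compile(r'^(\S+)\s*->\s*(.+?)\s*;?$')  # /boot -> $(SEC_CRIT) ;

def strip_comment(line):
    """Drop a trailing '# ...' comment ('#' never occurs inside a path here)."""
    return line.split("#", 1)[0].strip()

def expand(value, variables):
    """Replace $(NAME) with values defined earlier; built-ins like $(ReadOnly) stay."""
    return re.sub(r'\$\((\w+)\)', lambda m: variables.get(m.group(1), m.group(0)), value)

def parse_policy(text):
    """Return (variables, rules); each rule has 'rulename', 'severity',
    'entries' [(path, mask)] and 'disabled' [commented-out path]."""
    variables, rules = {}, []
    attrs, in_attrs, current = {}, False, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("@@"):
            continue
        if stripped.startswith("#"):
            # A commented-out entry shows a path was disabled on purpose: keep it.
            m = ENTRY_RE.match(strip_comment(stripped.lstrip("#").strip()))
            if m and current is not None:
                current["disabled"].append(m.group(1))
            continue
        line = strip_comment(stripped)
        if line == "(":
            in_attrs, attrs = True, {}
        elif line == ")":
            in_attrs = False
        elif line == "{":
            # pop() so a following bare '{ ... }' block does not inherit these
            current = {"rulename": attrs.pop("rulename", "<unnamed>"),
                       "severity": expand(attrs.pop("severity", ""), variables),
                       "entries": [], "disabled": []}
        elif line == "}":
            rules.append(current)
            current = None
        elif in_attrs and (m := ATTR_RE.match(line)):
            attrs[m.group(1)] = m.group(2).strip('"')
        elif current is not None and (m := ENTRY_RE.match(line)):
            current["entries"].append((expand(m.group(1), variables),
                                       expand(m.group(2), variables)))
        elif current is None and (m := VAR_RE.match(line)):
            variables[m.group(1)] = expand(m.group(2), variables)
    return variables, rules

def lint_policy(text):
    """Findings: noisy paths still active, and rules that monitor nothing."""
    findings = []
    for rule in parse_policy(text)[1]:
        active = [path for path, _ in rule["entries"]]
        for path in active:
            if path in NOISY_PATHS or path.startswith(tuple(n + "/" for n in NOISY_PATHS)):
                findings.append(f"{rule['rulename']}: {path} still active, disable it first")
        if not active:
            findings.append(f"{rule['rulename']}: monitors nothing ({len(rule['disabled'])} commented out)")
    return findings

# Constructed sample modelled on the article's twpol.txt; /dev and /root/mail left active.
SAMPLE_POLICY = """\
@@section GLOBAL
TWBIN = /usr/sbin;
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_BIN = $(ReadOnly) ;        # Binaries that should not change
SIG_HI = 100 ;
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/tripwire -> $(SEC_BIN) ;
}
{
  /root -> $(SEC_CRIT) ; # Catch all additions to /root
  /root/mail -> $(SEC_CONFIG) ;
  #/root/.bashrc -> $(SEC_CONFIG) ;
}
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
)
{
  /dev -> $(Device) ;
  #/proc -> $(Device) ;
}
"""

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_POLICY)) or "policy is clean")
```

To lint the real file, call lint_policy(open("/etc/tripwire/twpol.txt").read()). Once it reports nothing, regenerate the signed policy with twadmin --create-polfile /etc/tripwire/twpol.txt and build the baseline with tripwire --init; both are standard Tripwire commands that the article does not show.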
Tripwire report
The tripwire --check command checks the system against the twpol.txt policy and generates the Tripwire report shown below. If there is any error in twpol.txt, Tripwire does not generate a report.
[Screenshot: tripwire report]
Report in text form
```
root@VMdebian:/home/labadmin# tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/VMdebian-20151024-122322.twr

Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by:          root
Report created on:            Sat Oct 24 12:23:22 2015
Database last updated on:     Never

=========================================================
Report Summary:
=========================================================

Host name:                    VMdebian
Host IP address:              127.0.1.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/VMdebian.twd
Command line used:            tripwire --check

=========================================================
Rule Summary:
=========================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
  Tripwire Binaries               100               0        0        0
  Other libraries                 66                0        0        0
  Root file-system executables    100               0        0        0
  Tripwire Data Files             100               0        0        0
  System boot changes             100               0        0        0
  (/var/log)
  Root file-system libraries      100               0        0        0
  (/lib)
  Critical system boot files      100               0        0        0
  Other configuration files       66                0        0
```
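What matters in the report is the Rule Summary table: any non-zero Added, Removed or Modified count is a change Tripwire could not reconcile with its database. The script below is an added example, not code from the article or the Tripwire project. It parses a report in the text layout shown above (from a string, with a constructed sample report embedded), folds the wrapped "(path)" lines into their rule names, and returns the violated rules ordered by severity; the leading "*" it recognises is the marker Tripwire prints in front of violated rules. parse_rule_summary, violations, totals and triage are names chosen for this example.

```python
"""Summarise a Tripwire integrity-check report and flag rules with violations.
Added example, not code from the article or the Tripwire project. It reads the
text report that `tripwire --check` prints (the layout shown in the article) and
reduces the Rule Summary table to the numbers an on-call engineer needs."""
import re

# A table row: optional '*' (Tripwire marks violated rules with it), rule name,
# then Severity Level, Added, Removed, Modified as integers.
ROW_RE = re.compile(r'^\s*(\*?)\s*(.+?)\s{2,}(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$')

def header_field(report, name):
    """Value of a 'Name: value' header line such as 'Database last updated on'."""
    m = re.search(rf'^{re.escape(name)}:\s*(.*)$', report, re.MULTILINE)
    return m.group(1).strip() if m else None

def parse_rule_summary(report):
    """Return the Rule Summary rows as dicts. A following '(path)' line, which
    Tripwire prints for wrapped rule names, is folded into the previous row."""
    rows, in_table = [], False
    for line in report.splitlines():
        text = line.strip()
        if text.startswith("Rule Name"):
            in_table = True
            continue
        if not in_table:
            continue
        if text.startswith("Total objects scanned"):
            break
        m = ROW_RE.match(line)
        if m:
            rows.append({"rule": m.group(2).strip(), "flagged": m.group(1) == "*",
                         "severity": int(m.group(3)), "added": int(m.group(4)),
                         "removed": int(m.group(5)), "modified": int(m.group(6))})
        elif rows and text.startswith("("):
            rows[-1]["rule"] += " " + text
    return rows

def violations(rows):
    """Rows with at least one added, removed or modified object, most severe first."""
    hits = [r for r in rows if r["added"] or r["removed"] or r["modified"]]
    return sorted(hits, key=lambda r: r["severity"], reverse=True)

def totals(rows):
    return {k: sum(r[k] for r in rows) for k in ("added", "removed", "modified")}

def triage(report):
    """One-line verdict plus the offending rules; the report text is the only input."""
    hits = violations(parse_rule_summary(report))
    verdict = "CLEAN" if not hits else f"ALERT: {len(hits)} rule(s) violated"
    if header_field(report, "Database last updated on") == "Never":
        verdict += " (database never updated since init)"
    return verdict, hits

# Constructed sample in the layout of the article's report; two rules are given
# violations so the triage has something to show.
SAMPLE_REPORT = """\
Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by:          root
Report created on:            Sat Oct 24 12:23:22 2015
Database last updated on:     Never

=========================================================
Rule Summary:
=========================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
  Tripwire Binaries               100               0        0        0
* Root file-system executables    100               1        0        0
  Root file-system libraries      100               0        0        0
  (/lib)
* Root config files               100               0        0        2
  (/root)
  Other configuration files       66                0        0        0

Total objects scanned:  12345
Total violations found:  3
"""

if __name__ == "__main__":
    verdict, hits = triage(SAMPLE_REPORT)
    print(verdict)
    for r in hits:
        print(f"  [{r['severity']}] {r['rule']}: +{r['added']} -{r['removed']} ~{r['modified']}")
```

In practice, feed it the text that twprint --print-report --twrfile /var/lib/tripwire/report/HOST-DATE.twr prints for a saved report (HOST-DATE stands for the $(HOSTNAME)-$(DATE) name from twcfg.txt). Once each flagged change has been confirmed as legitimate, tripwire --update --twrfile on that same report accepts it into the database, which is the acceptance step the introduction mentions.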