如何在 Debian 中配置 Tripewire IDS

本文是一篇关于 Debian 中安装和配置 tripewire 的文章。它是 Linux 环境下基于主机的入侵检测系统(IDS)。tripwire 的高级功能可以检测并报告任何 Linux 中未授权的(文件和目录)的更改。tripewire 安装之后,会先创建一个基本的数据库,tripewire 监控并检测新文件的创建修改和谁修改了它等等。如果修改是合法的,你可以接受修改并更新 tripwire 的数据库。

如何在 Debian 中配置 Tripewire IDS

 

安装和配置

tripwire 在 Debian VM 中的安装如下。

  1. <span class="com">#</span><span class="kwd">apt-get</span><span class="pln"> install tripwire</span>

如何在 Debian 中配置 Tripewire IDS

installation

安装中,tripwire 会有下面的配置提示。

 

站点密钥创建

tripwire 需要一个站点口令(site passphrase)来加密 tripwire 的配置文件 tw.cfg 和策略文件 tw.pol。tripewire 使用指定的密码加密两个文件。一个 tripewire 实例必须指定站点口令。

如何在 Debian 中配置 Tripewire IDS

site key1

 

本地密钥口令

本地口令用来保护 tripwire 数据库和报告文件。本地密钥用于阻止非授权的 tripewire 数据库修改。

如何在 Debian 中配置 Tripewire IDS

local key1

 

tripwire 配置路径

tripewire 配置存储在 /etc/tripwire/twcfg.txt。它用于生成加密的配置文件 tw.cfg。

如何在 Debian 中配置 Tripewire IDS

configuration file

tripwire 策略路径

tripwire 在 /etc/tripwire/twpol.txt 中保存策略文件。它用于生成加密的策略文件 tw.pol。

如何在 Debian 中配置 Tripewire IDS

tripwire policy

安装完成后如下图所示。

如何在 Debian 中配置 Tripewire IDS

installed tripewire1

 

tripwire 配置文件 (twcfg.txt)

tripewire 配置文件(twcfg.txt)细节如下图所示。加密策略文件(tw.pol)、站点密钥(site.key)和本地密钥(hostname-local.key)在后面展示。

  1. <span class="pln">ROOT </span><span class="pun">=</span><span class="str">/usr/</span><span class="pln">sbin</span>
  2. <span class="pln">POLFILE </span><span class="pun">=</span><span class="str">/etc/</span><span class="pln">tripwire</span><span class="pun">/</span><span class="pln">tw</span><span class="pun">.</span><span class="pln">pol</span>
  3. <span class="pln">DBFILE </span><span class="pun">=</span><span class="str">/var/</span><span class="pln">lib</span><span class="pun">/</span><span class="pln">tripwire</span><span class="pun">/</span><span class="pln">$</span><span class="pun">(</span><span class="pln">HOSTNAME</span><span class="pun">).</span><span class="pln">twd</span>
  4. <span class="pln">REPORTFILE </span><span class="pun">=</span><span class="str">/var/</span><span class="pln">lib</span><span class="pun">/</span><span class="pln">tripwire</span><span class="pun">/</span><span class="pln">report</span><span class="pun">/</span><span class="pln">$</span><span class="pun">(</span><span class="pln">HOSTNAME</span><span class="pun">)-</span><span class="pln">$</span><span class="pun">(</span><span class="pln">DATE</span><span class="pun">).</span><span class="pln">twr</span>
  5. <span class="pln">SITEKEYFILE </span><span class="pun">=</span><span class="str">/etc/</span><span class="pln">tripwire</span><span class="pun">/</span><span class="pln">site</span><span class="pun">.</span><span class="pln">key</span>
  6. <span class="pln">LOCALKEYFILE </span><span class="pun">=</span><span class="str">/etc/</span><span class="pln">tripwire</span><span class="pun">/</span><span class="pln">$</span><span class="pun">(</span><span class="pln">HOSTNAME</span><span class="pun">)-</span><span class="kwd">local</span><span class="pun">.</span><span class="pln">key</span>
  7. <span class="pln">EDITOR </span><span class="pun">=</span><span class="str">/usr/</span><span class="pln">bin</span><span class="pun">/</span><span class="pln">editor</span>
  8. <span class="pln">LATEPROMPTING </span><span class="pun">=</span><span class="kwd">false</span>
  9. <span class="pln">LOOSEDIRECTORYCHECKING </span><span class="pun">=</span><span class="kwd">false</span>
  10. <span class="pln">MAILNOVIOLATIONS </span><span class="pun">=</span><span class="kwd">true</span>
  11. <span class="pln">EMAILREPORTLEVEL </span><span class="pun">=</span><span class="lit">3</span>
  12. <span class="pln">REPORTLEVEL </span><span class="pun">=</span><span class="lit">3</span>
  13. <span class="pln">SYSLOGREPORTING </span><span class="pun">=</span><span class="kwd">true</span>
  14. <span class="pln">MAILMETHOD </span><span class="pun">=</span><span class="pln">SMTP</span>
  15. <span class="pln">SMTPHOST </span><span class="pun">=</span><span class="pln">localhost</span>
  16. <span class="pln">SMTPPORT </span><span class="pun">=</span><span class="lit">25</span>
  17. <span class="pln">TEMPDIRECTORY </span><span class="pun">=/</span><span class="pln">tmp</span>

 

tripwire 策略配置

在生成基础数据库之前先配置 tripwire 配置。有必要经用一些策略如 /dev、 /proc 、/root/mail 等。详细的 twpol.txt 策略文件如下所示。

  1. <span class="pun">@</span><span class="lit">@section</span><span class="pln"> GLOBAL</span>
  2. <span class="pln">TWBIN </span><span class="pun">=</span><span class="str">/usr/</span><span class="pln">sbin</span><span class="pun">;</span>
  3. <span class="pln">TWETC </span><span class="pun">=</span><span class="str">/etc/</span><span class="pln">tripwire</span><span class="pun">;</span>
  4. <span class="pln">TWVAR </span><span class="pun">=</span><span class="str">/var/</span><span class="pln">lib</span><span class="pun">/</span><span class="pln">tripwire</span><span class="pun">;</span>
  5. <span class="com">#</span>
  6. <span class="com">#</span><span class="typ">File</span><span class="typ">System</span><span class="typ">Definitions</span>
  7. <span class="com">#</span>
  8. <span class="pun">@</span><span class="lit">@section</span><span class="pln"> FS</span>
  9. <span class="com">#</span>
  10. <span class="com">#</span><span class="typ">First</span><span class="pun">,</span><span class="pln"> some variables to </span><span class="kwd">make</span><span class="pln"> configuration easier</span>
  11. <span class="com">#</span>
  12. <span class="pln">SEC_CRIT </span><span class="pun">=</span><span class="pln"> $</span><span class="pun">(</span><span class="typ">IgnoreNone</span><span class="pun">)-</span><span class="typ">SHa</span><span class="pun">;</span><span class="com">#</span><span class="typ">Critical</span><span class="pln"> files that cannot change</span>
  13. <span class="pln">SEC_BIN </span><span class="pun">=</span><span class="pln"> $</span><span class="pun">(</span><span class="typ">ReadOnly</span><span class="pun">)</span><span class="pun">;</span><span class="com">#</span><span class="typ">Binaries</span><span class="pln"> that should </span><span class="kwd">not</span><span class="pln"> change</span>
  14. <span class="pln">SEC_CONFIG </span><span class="pun">=</span><span class="pln"> $</span><span class="pun">(</span><span class="typ">Dynamic</span><span class="pun">)</span><span class="pun">;</span><span class="com">#</span><span class="typ">Config</span><span class="pln"> files that are changed</span>
  15. <span class="com">#</span><span class="pln"> infrequently but accessed</span>
  16. <span class="com">#</span><span class="pln"> often</span>
  17. <span class="pln">SEC_LOG </span><span class="pun">=</span><span class="pln"> $</span><span class="pun">(</span><span class="typ">Growing</span><span class="pun">)</span><span class="pun">;</span><span class="com">#</span><span class="typ">Files</span><span class="pln"> that grow</span><span class="pun">,</span><span class="pln"> but that</span>
  18. <span class="com">#</span><span class="pln"> should never change ownership</span>
  19. <span class="pln">SEC_INVARIANT </span><span class="pun">=</span><span class="pun">+</span><span class="pln">tpug </span><span class="pun">;</span><span class="com">#</span><span class="typ">Directories</span><span class="pln"> that should never</span>
  20. <span class="com">#</span><span class="pln"> change permission </span><span class="kwd">or</span><span class="pln"> ownership</span>
  21. <span class="pln">SIG_LOW </span><span class="pun">=</span><span class="lit">33</span><span class="pun">;</span><span class="com">#</span><span class="typ">Non</span><span class="pun">-</span><span class="pln">critical files that are of</span>
  22. <span class="com">#</span><span class="pln"> minimal security impact</span>
  23. <span class="pln">SIG_MED </span><span class="pun">=</span><span class="lit">66</span><span class="pun">;</span><span class="com">#</span><span class="typ">Non</span><span class="pun">-</span><span class="pln">critical files that are of</span>
  24. <span class="com">#</span><span class="pln"> significant security impact</span>
  25. <span class="pln">SIG_HI </span><span class="pun">=</span><span class="lit">100</span><span class="pun">;</span><span class="com">#</span><span class="typ">Critical</span><span class="pln"> files that are</span>
  26. <span class="com">#</span><span class="pln"> significant points of</span>
  27. <span class="com">#</span><span class="pln"> vulnerability</span>
  28. <span class="com">#</span>
  29. <span class="com">#</span><span class="pln"> tripwire </span><span class="typ">Binaries</span>
  30. <span class="com">#</span>
  31. <span class="pun">(</span>
  32. <span class="pln">rulename </span><span class="pun">=</span><span class="str">"tripwire Binaries"</span><span class="pun">,</span>
  33. <span class="pln">severity </span><span class="pun">=</span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SIG_HI</span><span class="pun">)</span>
  34. <span class="pun">)</span>
  35. <span class="pun">{</span>
  36. <span class="pln">$</span><span class="pun">(</span><span class="pln">TWBIN</span><span class="pun">)/</span><span class="pln">siggen </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  37. <span class="pln">$</span><span class="pun">(</span><span class="pln">TWBIN</span><span class="pun">)/</span><span class="pln">tripwire </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  38. <span class="pln">$</span><span class="pun">(</span><span class="pln">TWBIN</span><span class="pun">)/</span><span class="pln">twadmin </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  39. <span class="pln">$</span><span class="pun">(</span><span class="pln">TWBIN</span><span class="pun">)/</span><span class="pln">twprint </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  40. <span class="pun">}</span>
  41. <span class="pun">{</span>
  42. <span class="pun">/</span><span class="pln">boot </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CRIT</span><span class="pun">)</span><span class="pun">;</span>
  43. <span class="str">/lib/</span><span class="pln">modules </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CRIT</span><span class="pun">)</span><span class="pun">;</span>
  44. <span class="pun">}</span>
  45. <span class="pun">(</span>
  46. <span class="pln">rulename </span><span class="pun">=</span><span class="str">"Boot Scripts"</span><span class="pun">,</span>
  47. <span class="pln">severity </span><span class="pun">=</span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SIG_HI</span><span class="pun">)</span>
  48. <span class="pun">)</span>
  49. <span class="pun">{</span>
  50. <span class="str">/etc/</span><span class="kwd">init</span><span class="pun">.</span><span class="pln">d </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  51. <span class="com">#/etc/</span><span class="pln">rc</span><span class="pun">.</span><span class="pln">boot </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  52. <span class="str">/etc/</span><span class="pln">rcS</span><span class="pun">.</span><span class="pln">d </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  53. <span class="str">/etc/</span><span class="pln">rc0</span><span class="pun">.</span><span class="pln">d </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  54. <span class="str">/etc/</span><span class="pln">rc1</span><span class="pun">.</span><span class="pln">d </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  55. <span class="str">/etc/</span><span class="pln">rc2</span><span class="pun">.</span><span class="pln">d </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  56. <span class="str">/etc/</span><span class="pln">rc3</span><span class="pun">.</span><span class="pln">d </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  57. <span class="str">/etc/</span><span class="pln">rc4</span><span class="pun">.</span><span class="pln">d </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  58. <span class="str">/etc/</span><span class="pln">rc5</span><span class="pun">.</span><span class="pln">d </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  59. <span class="str">/etc/</span><span class="pln">rc6</span><span class="pun">.</span><span class="pln">d </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  60. <span class="pun">}</span>
  61. <span class="pun">(</span>
  62. <span class="pln">rulename </span><span class="pun">=</span><span class="str">"Root file-system executables"</span><span class="pun">,</span>
  63. <span class="pln">severity </span><span class="pun">=</span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SIG_HI</span><span class="pun">)</span>
  64. <span class="pun">)</span>
  65. <span class="pun">{</span>
  66. <span class="pun">/</span><span class="pln">bin </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  67. <span class="pun">/</span><span class="pln">sbin </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  68. <span class="pun">}</span>
  69. <span class="com">#</span>
  70. <span class="com">#</span><span class="typ">Critical</span><span class="typ">Libraries</span>
  71. <span class="com">#</span>
  72. <span class="pun">(</span>
  73. <span class="pln">rulename </span><span class="pun">=</span><span class="str">"Root file-system libraries"</span><span class="pun">,</span>
  74. <span class="pln">severity </span><span class="pun">=</span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SIG_HI</span><span class="pun">)</span>
  75. <span class="pun">)</span>
  76. <span class="pun">{</span>
  77. <span class="pun">/</span><span class="pln">lib </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_BIN</span><span class="pun">)</span><span class="pun">;</span>
  78. <span class="pun">}</span>
  79. <span class="com">#</span>
  80. <span class="com">#</span><span class="typ">Login</span><span class="kwd">and</span><span class="typ">Privilege</span><span class="typ">Raising</span><span class="typ">Programs</span>
  81. <span class="com">#</span>
  82. <span class="pun">(</span>
  83. <span class="pln">rulename </span><span class="pun">=</span><span class="str">"Security Control"</span><span class="pun">,</span>
  84. <span class="pln">severity </span><span class="pun">=</span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SIG_MED</span><span class="pun">)</span>
  85. <span class="pun">)</span>
  86. <span class="pun">{</span>
  87. <span class="str">/etc/</span><span class="kwd">passwd</span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  88. <span class="str">/etc/</span><span class="pln">shadow </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  89. <span class="pun">}</span>
  90. <span class="pun">{</span>
  91. <span class="com">#/var/</span><span class="pln">lock </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  92. <span class="com">#/var/</span><span class="pln">run </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span><span class="com">#</span><span class="pln"> daemon </span><span class="typ">PIDs</span>
  93. <span class="pun">/</span><span class="kwd">var</span><span class="pun">/</span><span class="pln">log </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  94. <span class="pun">}</span>
  95. <span class="com">#</span><span class="typ">These</span><span class="pln"> files change the behavior of the root account</span>
  96. <span class="pun">(</span>
  97. <span class="pln">rulename </span><span class="pun">=</span><span class="str">"Root config files"</span><span class="pun">,</span>
  98. <span class="pln">severity </span><span class="pun">=</span><span class="lit">100</span>
  99. <span class="pun">)</span>
  100. <span class="pun">{</span>
  101. <span class="str">/root -> $(SEC_CRIT) ; # Catch all additions to /</span><span class="pln">root</span>
  102. <span class="com">#/root/</span><span class="pln">mail </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  103. <span class="com">#/root/</span><span class="typ">Mail</span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  104. <span class="str">/root/</span><span class="pun">.</span><span class="pln">xsession</span><span class="pun">-</span><span class="pln">errors </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  105. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">xauth </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  106. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">tcshrc </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  107. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">sawfish </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  108. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">pinerc </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  109. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">mc </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  110. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">gnome_private </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  111. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">gnome</span><span class="pun">-</span><span class="pln">desktop </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  112. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">gnome </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  113. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">esd_auth </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  114. <span class="com"># /root/</span><span class="pun">.</span><span class="pln">elm </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  115. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">cshrc </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  116. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">bashrc </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  117. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">bash_profile </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  118. <span class="com"># /root/</span><span class="pun">.</span><span class="pln">bash_logout </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  119. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">bash_history </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  120. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">amandahosts </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  121. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">addressbook</span><span class="pun">.</span><span class="pln">lu </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  122. <span class="com">#/root/</span><span class="pun">.</span><span class="pln">addressbook </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  123. <span class="com">#/root/</span><span class="pun">.</span><span class="typ">Xresources</span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  124. <span class="com">#/root/</span><span class="pun">.</span><span class="typ">Xauthority</span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">-</span><span class="pln">i </span><span class="pun">;</span><span class="com">#</span><span class="typ">Changes</span><span class="typ">Inode</span><span class="pln"> number on </span><span class="kwd">login</span>
  125. <span class="pun">/</span><span class="pln">root</span><span class="pun">/.</span><span class="typ">ICEauthority</span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SEC_CONFIG</span><span class="pun">)</span><span class="pun">;</span>
  126. <span class="pun">}</span>
  127. <span class="com">#</span>
  128. <span class="com">#</span><span class="typ">Critical</span><span class="pln"> devices</span>
  129. <span class="com">#</span>
  130. <span class="pun">(</span>
  131. <span class="pln">rulename </span><span class="pun">=</span><span class="str">"Devices & Kernel information"</span><span class="pun">,</span>
  132. <span class="pln">severity </span><span class="pun">=</span><span class="pln"> $</span><span class="pun">(</span><span class="pln">SIG_HI</span><span class="pun">),</span>
  133. <span class="pun">)</span>
  134. <span class="pun">{</span>
  135. <span class="com">#</span><span class="pun">/</span><span class="pln">dev </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="typ">Device</span><span class="pun">)</span><span class="pun">;</span>
  136. <span class="com">#</span><span class="pun">/</span><span class="pln">proc </span><span class="pun">-></span><span class="pln"> $</span><span class="pun">(</span><span class="typ">Device</span><span class="pun">)</span><span class="pun">;</span>
  137. <span class="pun">}</span>

 

tripwire 报告

tripwire-check 命令检查 twpol.txt 文件并基于此文件生成 tripwire 报告如下。如果 twpol.txt 中有任何错误,tripwire 不会生成报告。

如何在 Debian 中配置 Tripewire IDS

tripwire report

文本形式报告

  1. <span class="pln">root@VMdebian</span><span class="pun">:</span><span class="str">/home/</span><span class="pln">labadmin</span><span class="com">#</span><span class="pln"> tripwire </span><span class="pun">--</span><span class="pln">check</span>
  2. <span class="typ">Parsing</span><span class="pln"> policy </span><span class="kwd">file</span><span class="pun">:</span><span class="str">/etc/</span><span class="pln">tripwire</span><span class="pun">/</span><span class="pln">tw</span><span class="pun">.</span><span class="pln">pol</span>
  3. <span class="pun">***</span><span class="typ">Processing</span><span class="typ">Unix</span><span class="typ">File</span><span class="typ">System</span><span class="pun">***</span>
  4. <span class="typ">Performing</span><span class="pln"> integrity check</span><span class="pun">...</span>
  5. <span class="typ">Wrote</span><span class="pln"> report </span><span class="kwd">file</span><span class="pun">:</span><span class="str">/var/</span><span class="pln">lib</span><span class="pun">/</span><span class="pln">tripwire</span><span class="pun">/</span><span class="pln">report</span><span class="pun">/</span><span class="typ">VMdebian</span><span class="pun">-</span><span class="lit">20151024</span><span class="pun">-</span><span class="lit">122322.twr</span>
  6. <span class="typ">Open</span><span class="typ">Source</span><span class="pln"> tripwire</span><span class="pun">(</span><span class="pln">R</span><span class="pun">)</span><span class="lit">2.4</span><span class="pun">.</span><span class="lit">2.2</span><span class="typ">Integrity</span><span class="typ">Check</span><span class="typ">Report</span>
  7. <span class="typ">Report</span><span class="pln"> generated by</span><span class="pun">:</span><span class="pln"> root</span>
  8. <span class="typ">Report</span><span class="pln"> created on</span><span class="pun">:</span><span class="typ">Sat</span><span class="typ">Oct</span><span class="lit">24</span><span class="lit">12</span><span class="pun">:</span><span class="lit">23</span><span class="pun">:</span><span class="lit">22</span><span class="lit">2015</span>
  9. <span class="typ">Database</span><span class="kwd">last</span><span class="pln"> updated on</span><span class="pun">:</span><span class="typ">Never</span>
  10. <span class="typ">Report</span><span class="typ">Summary</span><span class="pun">:</span>
  11. <span class="pun">=========================================================</span>
  12. <span class="typ">Host</span><span class="pln"> name</span><span class="pun">:</span><span class="typ">VMdebian</span>
  13. <span class="typ">Host</span><span class="pln"> IP address</span><span class="pun">:</span><span class="lit">127.0</span><span class="pun">.</span><span class="lit">1.1</span>
  14. <span class="typ">Host</span><span class="pln"> ID</span><span class="pun">:</span><span class="kwd">None</span>
  15. <span class="typ">Policy</span><span class="kwd">file</span><span class="pln"> used</span><span class="pun">:</span><span class="str">/etc/</span><span class="pln">tripwire</span><span class="pun">/</span><span class="pln">tw</span><span class="pun">.</span><span class="pln">pol</span>
  16. <span class="typ">Configuration</span><span class="kwd">file</span><span class="pln"> used</span><span class="pun">:</span><span class="str">/etc/</span><span class="pln">tripwire</span><span class="pun">/</span><span class="pln">tw</span><span class="pun">.</span><span class="pln">cfg</span>
  17. <span class="typ">Database</span><span class="kwd">file</span><span class="pln"> used</span><span class="pun">:</span><span class="str">/var/</span><span class="pln">lib</span><span class="pun">/</span><span class="pln">tripwire</span><span class="pun">/</span><span class="typ">VMdebian</span><span class="pun">.</span><span class="pln">twd</span>
  18. <span class="typ">Command</span><span class="pln"> line used</span><span class="pun">:</span><span class="pln"> tripwire </span><span class="pun">--</span><span class="pln">check</span>
  19. <span class="pun">=========================================================</span>
  20. <span class="typ">Rule</span><span class="typ">Summary</span><span class="pun">:</span>
  21. <span class="pun">=========================================================</span>
  22. <span class="pun">-------------------------------------------------------------------------------</span>
  23. <span class="typ">Section</span><span class="pun">:</span><span class="typ">Unix</span><span class="typ">File</span><span class="typ">System</span>
  24. <span class="pun">-------------------------------------------------------------------------------</span>
  25. <span class="typ">Rule</span><span class="typ">Name</span><span class="typ">Severity</span><span class="typ">Level</span><span class="typ">Added</span><span class="typ">Removed</span><span class="typ">Modified</span>
  26. <span class="pun">---------</span><span class="pun">--------------</span><span class="pun">-----</span><span class="pun">-------</span><span class="pun">--------</span>
  27. <span class="typ">Other</span><span class="pln"> binaries </span><span class="lit">66</span><span class="lit">0</span><span class="lit">0</span><span class="lit">0</span>
  28. <span class="pln">tripwire </span><span class="typ">Binaries</span><span class="lit">100</span><span class="lit">0</span><span class="lit">0</span><span class="lit">0</span>
  29. <span class="typ">Other</span><span class="pln"> libraries </span><span class="lit">66</span><span class="lit">0</span><span class="lit">0</span><span class="lit">0</span>
  30. <span class="typ">Root</span><span class="kwd">file</span><span class="pun">-</span><span class="pln">system executables </span><span class="lit">100</span><span class="lit">0</span><span class="lit">0</span><span class="lit">0</span>
  31. <span class="pln">tripwire </span><span class="typ">Data</span><span class="typ">Files</span><span class="lit">100</span><span class="lit">0</span><span class="lit">0</span><span class="lit">0</span>
  32. <span class="typ">System</span><span class="pln"> boot changes </span><span class="lit">100</span><span class="lit">0</span><span class="lit">0</span><span class="lit">0</span>
  33. <span class="pun">(</span><span class="str">/var/</span><span class="pln">log</span><span class="pun">)</span>
  34. <span class="typ">Root</span><span class="kwd">file</span><span class="pun">-</span><span class="pln">system libraries </span><span class="lit">100</span><span class="lit">0</span><span class="lit">0</span><span class="lit">0</span>
  35. <span class="pun">(/</span><span class="pln">lib</span><span class="pun">)</span>
  36. <span class="typ">Critical</span><span class="pln"> system boot files </span><span class="lit">100</span><span class="lit">0</span><span class="lit">0</span><span class="lit">0</span>
  37. <span class="typ">Other</span><span class="pln"> configuration files </span><span class="lit">66</span><span class="lit">0</span><span class="lit"&g

相关推荐