System Integrity Checking
 
I. Tripwire
1. How Tripwire works
Tripwire is an open-source integrity checking tool. It generates a unique signature (called a "snapshot") of the state of each file or directory and stores it for later use. When Tripwire runs, it compares the current state against the snapshot; if they do not match, it reports to the system administrator that the file has been modified.
 
From this mechanism it is clear that the timing of the installation matters: an integrity checker is best installed when the Linux system has just been set up, before it is handed over to users or connected to the network. Only if the tool holds the initial state (snapshot) of the system files can it vouch for their integrity; a snapshot taken after the system has been in use for a while may no longer reflect the original files (they may already have been tampered with), so the reliability of the check is reduced.
 
2. Components of Tripwire
Tripwire consists mainly of a policy and a database. The policy not only names the objects Tripwire should check (files and directories) but also sets the rules used to decide what counts as a violation. The database holds the snapshots of the objects named in the policy. Once the policy and database exist, the current file system can be compared against the snapshots at any time to produce an integrity report, from which one can judge whether the system's integrity has been compromised. Besides the policy and database, Tripwire has a configuration file that controls, among other things, the locations of the database, the policy file and the Tripwire executables.
 
To protect against tampering, Tripwire encrypts and signs several of its own important files. Two keys are involved: the site key and the local key. The site key protects the policy file and the configuration file; several machines that share the same policy and configuration can share the same site key.
The local key protects the database and the reports, so every machine must have its own local key.
 
3. Installing Tripwire
Download Tripwire
 
# tar xvf tripwire-2.4.2-src.tar.bz2
# cd tripwire-2.4.2-src
# ./configure
# make
# make install
When the following prompt appears (screenshot omitted), press Enter to continue.
Next comes a long stretch of documentation text; press "q" to quit it and continue.
At the next prompt (screenshot omitted), type "accept" to continue.
The next screen (screenshot omitted) lists file paths and similar settings; type "y".
At the next prompt (screenshot omitted), enter a passphrase for the site key; here I entered: 123456
Enter it once more to confirm (screenshot omitted).
Enter the local key passphrase (screenshot omitted); I again chose: 123456
Enter the site passphrase you just set (screenshot omitted): 123456
Same here (screenshot omitted).
This completes the installation of Tripwire.
 
4. Configuring Tripwire
# cd /usr/local/etc/
# ll
total 44
-rw-r----- 1 root root   931 May 30 19:16 centos-64-local.key
-rw-r----- 1 root root   931 May 30 19:16 site.key
-rw-r----- 1 root root 4586 May 30 19:17 tw.cfg
-rw-r----- 1 root root   504 May 30 19:16 twcfg.txt
-rw-r----- 1 root root 4159 May 30 19:17 tw.pol
-rw-r----- 1 root root 13703 May 30 19:17 twpol.txt
 
(1) The configuration file tw.cfg (signed with the site key) is generated from twcfg.txt (present by default).
      The policy file tw.pol (signed with the site key) is generated from twpol.txt (present by default); whenever the policy is changed, tw.pol must be regenerated.
 
(2) Commands to sign these two files:
Configuration file:
# twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt
Policy file:
# twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
 
(3) Edit the list of file systems to monitor:
# vi twpol.txt
Device        = +pugsdr-intlbamcCMSH ;
Dynamic       = +pinugtd-srlbamcCMSH ;
Growing       = +pinugtdl-srbamcCMSH ;
IgnoreAll     = -pinugtsdrlbamcCMSH ;
IgnoreNone    = +pinugtsdrbamcCMSH-l ;
ReadOnly      = +pinugtsdbmCM-rlacSH ;
Temporary     = +pugt ;
These variables are the property masks: each letter switches checking of one file attribute on (+) or off (-), and the rules below refer to them.
 
# Tripwire Binaries
      (
        rulename = "Tripwire Binaries",
      )
      {
        $(TWBIN)/siggen                      -> $(ReadOnly) ;
        $(TWBIN)/tripwire                    -> $(ReadOnly) ;
        $(TWBIN)/twadmin                     -> $(ReadOnly) ;
        $(TWBIN)/twprint                     -> $(ReadOnly) ;
      }
This is the format of a rule for monitored objects. For example, if I only want to monitor /usr/local/apache2/htdocs,
 
delete all the other monitored objects (keep the other related settings) and add the following:
# Apache htdocs
      (
        rulename = "/usr/local/apache2/htdocs",
      )
      {
        /usr/local/apache2/htdocs                      -> $(ReadOnly) ;
      }
 
Re-sign tw.pol:
# twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
Please enter your site passphrase:
Wrote policy file: /usr/local/etc/tw.pol
 
(4) Now initialize the database to serve as the baseline:
# tripwire --init
Please enter your local passphrase:
Parsing policy file: /usr/local/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /usr/local/apache2/htdocs
### No such file or directory
### Continuing...
Wrote database file: /usr/local/lib/tripwire/centos-64.twd
The database was successfully generated.
 
Database and report paths:
# ll /usr/local/lib/tripwire/
centos-64.twd report/
 
5. Using Tripwire
Now add a test.html file under /usr/local/apache2/htdocs:
# echo "123" > /usr/local/apache2/htdocs/test.html
 
(1) Run a Tripwire check:
# tripwire --check
Parsing policy file: /usr/local/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /usr/local/lib/tripwire/report/centos-64-20110530-195251.twr
 
 
Open Source Tripwire(R) 2.4.1 Integrity Check Report
 
Report generated by:          root
Report created on:            Mon 30 May 2011 07:52:51 PM CST
Database last updated on:     Never
 
===============================================================================
Report Summary:
===============================================================================
 
Host name:                    centos-64
Host IP address:              180.168.41.175
Host ID:                      None
Policy file used:             /usr/local/etc/tw.pol
Configuration file used:      /usr/local/etc/tw.cfg
Database file used:           /usr/local/lib/tripwire/centos-64.twd
Command line used:            tripwire --check
 
===============================================================================
Rule Summary:
===============================================================================
 
-------------------------------------------------------------------------------
 Section: Unix File System
-------------------------------------------------------------------------------
 
 Rule Name                       Severity Level    Added    Removed Modified
  ---------                       --------------    -----    ------- --------
* /usr/local/apache2/htdocs       0                 1        0        1       
 (/usr/local/apache2/htdocs)
 
Total objects scanned: 8
Total violations found: 2
 
===============================================================================
Object Summary:
===============================================================================
 
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
Rule Name: /usr/local/apache2/htdocs (/usr/local/apache2/htdocs)
Severity Level: 0
-------------------------------------------------------------------------------
 
Added:
"/usr/local/apache2/htdocs/text.html"
 
Modified:
"/usr/local/apache2/htdocs"
 
===============================================================================
Error Report:
===============================================================================
 
No Errors
 
-------------------------------------------------------------------------------
*** End of report ***
 
Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
The report shows the details of the modification.
 
(2) If this change was legitimate, update the Tripwire database from the report so that it is not reported again on every subsequent check:
# tripwire --update --twrfile /usr/local/lib/tripwire/report/centos-64-20110530-195251.twr
The report opens in vim by default; save and exit with :wq, then enter the local passphrase.
 
Check again:
# tripwire --check
The legitimate change is no longer reported.
 
A crontab entry can run the check periodically and mail the report:
# service sendmail start
# service crond start
# chkconfig sendmail on
# chkconfig crond on
# crontab -e
10 5 * * *     /usr/local/sbin/tripwire --check | /bin/mail -s "Daily Tripwire Check" qiu.jichun@163.com
This sends the check report every morning at 05:10.
 
II. The second integrity checker: AIDE, which ships with the system
It is very simple.
# yum install aide
# vi /etc/aide.conf
The section from
# These are the default rules.
#
#p:      permissions
............
............
down to
LSPP = R+sha256
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
defines the monitoring rule groups, i.e. which attributes are checked.
 
The rest of the file lists the monitored targets.
Using the /home/mysql directory as a test,
add the line:
/home/mysql   NORMAL
 
Initialize:
# aide -i
lgetfilecon_raw failed for /home/mysql:No data available
lgetfilecon_raw failed for /home/mysql/.bashrc:No data available
lgetfilecon_raw failed for /home/mysql/.zshrc:No data available
lgetfilecon_raw failed for /home/mysql/.bash_logout:No data available
lgetfilecon_raw failed for /home/mysql/.bash_profile:No data available
 
AIDE, version 0.13.1
 
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
Initialized successfully.
 
Copy the newly generated reference database to become the active database:
# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
 
Check the directory:
# aide -C
lgetfilecon_raw failed for /home/mysql:No data available
lgetfilecon_raw failed for /home/mysql/.bashrc:No data available
lgetfilecon_raw failed for /home/mysql/.zshrc:No data available
lgetfilecon_raw failed for /home/mysql/.bash_logout:No data available
lgetfilecon_raw failed for /home/mysql/.bash_profile:No data available
 
AIDE, version 0.13.1
 
### All files match AIDE database. Looks okay!
 
Change the directory, then check again:
# echo 123 > /home/mysql/123
# aide -C
lgetfilecon_raw failed for /home/mysql:No data available
lgetfilecon_raw failed for /home/mysql/.bashrc:No data available
lgetfilecon_raw failed for /home/mysql/.zshrc:No data available
lgetfilecon_raw failed for /home/mysql/.bash_logout:No data available
lgetfilecon_raw failed for /home/mysql/123:No data available
lgetfilecon_raw failed for /home/mysql/.bash_profile:No data available
AIDE found differences between database and filesystem!!
Start timestamp: 2011-05-30 20:49:56
 
Summary:
 Total number of files:        8
 Added files:                  1
 Removed files:                0
 Changed files:                1
 
 
---------------------------------------------------
Added files:
---------------------------------------------------
 
added: /home/mysql/123
 
---------------------------------------------------
Changed files:
---------------------------------------------------
 
changed: /home/mysql
 
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
 
 
Directory: /home/mysql
 Mtime    : 2011-05-23 19:53:07              , 2011-05-30 20:49:54
 Ctime    : 2011-05-23 19:53:07              , 2011-05-30 20:49:54
 
After a legitimate change, the database likewise needs to be updated:
# aide -i
# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
 
This can be put into crontab with mail notification as well.
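For the cron-and-mail setup in the Tripwire section above and the same suggestion here for AIDE, the following is an added wrapper script (written for this page, not part of either project) that mails a report only when it actually contains violations. It parses the "Total violations found:" line of a Tripwire report and the "Added/Removed/Changed files:" counters of an AIDE summary, exactly as they appear in the transcripts above. The recipient address, the script path in the cron comment and the tool paths are placeholders.

```shell
#!/bin/sh
# Cron wrapper that mails an integrity report only when it shows violations.
# Illustrative code for this page, not Tripwire's or AIDE's own.
# Placeholders: MAIL_TO, the tool paths and the script path in the cron comment.

MAIL_TO="admin@example.com"      # placeholder recipient

# aide_violations FILE : sum of the "Added/Removed/Changed files:" counters in an
# AIDE summary; prints nothing if no such counters are present
aide_violations() {
    awk '/^[ \t]*(Added|Removed|Changed) files:[ \t]*[0-9]+/ { n += $NF; seen = 1 }
         END { if (seen) print n + 0 }' "$1"
}

# tripwire_violations FILE : the N of "Total violations found: N" in a Tripwire report
tripwire_violations() {
    sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# report_violations FILE : prints the violation count for either format;
# prints nothing and returns 2 when the report is not recognised
report_violations() {
    n=$(tripwire_violations "$1")
    [ -n "$n" ] || n=$(aide_violations "$1")
    [ -n "$n" ] || return 2
    echo "$n"
}

# mail_if_violations NAME FILE : mail the report when the count is non-zero.
# Returns 0 clean, 1 violations found (mail sent), 2 unrecognised report.
mail_if_violations() {
    n=$(report_violations "$2") || return 2
    [ "$n" -eq 0 ] && return 0
    mail -s "$1: $n integrity violation(s) on $(hostname)" "$MAIL_TO" < "$2"
    return 1
}

# Daily run for cron, e.g.  10 5 * * * /usr/local/sbin/integrity-check.sh
daily_check() {
    out=$(mktemp)
    /usr/local/sbin/tripwire --check > "$out" 2>&1      # or: /usr/sbin/aide -C
    mail_if_violations Tripwire "$out"
    rc=$?
    rm -f "$out"
    return "$rc"
}
```

Silence from a daily job is only meaningful if the job itself ran, so the cron entry should also alert on a non-zero exit status of daily_check (return code 2 means the tool produced no recognisable report at all).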