tripwire
- A program that monitors files for tampering.
- It stores file attributes and directory information in a database and compares against it to detect changes.
- This minimizes the damage from data corruption caused by unauthorized changes.
- The policy file defines which files and directories on your system are monitored, so it must be configured carefully.
-------------------------------------------------------------------
http://www.tripwire.org/
http://sourceforge.net/projects/tripwire/
Source file
tripwire-2.4.1.2-src.tar.bz2 : (download)
RPM file
tripwire-2.4.1.1-1.el5.i386.rpm : (download)
-------------------------------------------------------------------
See also: tripwire - RPM install
-------------------------------------------------------------------
tripwire - Source install
1. Download and extract tripwire
```
[root@server3 Desktop]# pwd
/root/Desktop
[root@server3 Desktop]# ls
tripwire-2.4.1.2-src.tar.bz2
[root@server3 Desktop]# tar xvfj tripwire-2.4.1.2-src.tar.bz2
tripwire-2.4.1.2-src/man/Makefile.am
tripwire-2.4.1.2-src/mkinstalldirs
tripwire-2.4.1.2-src/configure
tripwire-2.4.1.2-src/Makefile.in
tripwire-2.4.1.2-src/configure.in
tripwire-2.4.1.2-src/ChangeLog
tripwire-2.4.1.2-src/config.guess
tripwire-2.4.1.2-src/config.sub
tripwire-2.4.1.2-src/config.h.in
tripwire-2.4.1.2-src/INSTALL
tripwire-2.4.1.2-src/COPYING
tripwire-2.4.1.2-src/Makefile.am
tripwire-2.4.1.2-src/missing
tripwire-2.4.1.2-src/TRADEMARK
tripwire-2.4.1.2-src/MAINTAINERS
tripwire-2.4.1.2-src/aclocal.m4
tripwire-2.4.1.2-src/install-sh
tripwire-2.4.1.2-src/COMMERCIAL
tripwire-2.4.1.2-src/install/
tripwire-2.4.1.2-src/install/install.cfg
tripwire-2.4.1.2-src/install/install.sh
[root@server3 Desktop]# ls
tripwire-2.4.1.2-src  tripwire-2.4.1.2-src.tar.bz2
[root@server3 Desktop]# mv tripwire-2.4.1.2-src /usr/local/src
```
2. Install tripwire
```
[root@server3 Desktop]# cd /usr/local/src
[root@server3 src]# ls
tripwire-2.4.1.2-src
[root@server3 src]# cd tripwire-2.4.1.2-src/
[root@server3 tripwire-2.4.1.2-src]# ls
COMMERCIAL   MAINTAINERS  aclocal.m4    config.sub    install     missing
COPYING      Makefile.am  bin           configure     install-sh  mkinstalldirs
ChangeLog    Makefile.in  config.guess  configure.in  lib         policy
INSTALL      TRADEMARK    config.h.in   contrib       man         src
[root@server3 tripwire-2.4.1.2-src]# ./configure --help
`configure' configures this package to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]
... (omitted)
[root@server3 tripwire-2.4.1.2-src]# ./configure --prefix=/usr/local/tripwire
... (omitted)
config.status: creating Makefile
config.status: creating man/Makefile
config.status: creating man/man4/Makefile
config.status: creating man/man5/Makefile
config.status: creating man/man8/Makefile
config.status: creating src/Makefile
config.status: creating src/cryptlib/Makefile
config.status: creating src/core/Makefile
config.status: creating src/db/Makefile
config.status: creating src/fco/Makefile
config.status: creating src/fs/Makefile
config.status: creating src/tw/Makefile
config.status: creating src/twcrypto/Makefile
config.status: creating src/twparser/Makefile
config.status: creating src/util/Makefile
config.status: creating src/twprint/Makefile
config.status: creating src/twadmin/Makefile
config.status: creating src/siggen/Makefile
config.status: creating src/tripwire/Makefile
config.status: creating config.h
config.status: executing depfiles commands
[root@server3 tripwire-2.4.1.2-src]# make
... (omitted)
make[3]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src/src/tripwire'
make[3]: Entering directory `/usr/local/src/tripwire-2.4.1.2-src/src'
make[3]: `all-am'를 위해 할 일이 없습니다
make[3]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src/src'
make[2]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src/src'
make[2]: Entering directory `/usr/local/src/tripwire-2.4.1.2-src'
make[2]: `all-am'를 위해 할 일이 없습니다
make[2]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src'
make[1]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src'
[root@server3 tripwire-2.4.1.2-src]# make install
... (omitted)
----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:      - enter the key used when updating the configuration file etc. or creating the DB
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:     - enter the key used when initializing the DB
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Generating Tripwire configuration file...

----------------------------------------------
Creating signed configuration file...
Please enter your site passphrase:      - enter the site key to create the configuration file
Wrote configuration file: /usr/local/tripwire/etc/tw.cfg

A clear-text version of the Tripwire configuration file
/usr/local/tripwire/etc/twcfg.txt
has been preserved for your inspection.  It is recommended
that you delete this file manually after you have examined it.

----------------------------------------------
Customizing default policy file...

----------------------------------------------
Creating signed policy file...
Please enter your site passphrase:      - enter the site key to create the policy file
Wrote policy file: /usr/local/tripwire/etc/tw.pol

A clear-text version of the Tripwire policy file
/usr/local/tripwire/etc/twpol.txt
has been preserved for your inspection.  This implements
a minimal policy, intended only to test essential
Tripwire functionality.  You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.

----------------------------------------------
The installation succeeded.

Please refer to
for release information and to the printed user documentation
for further instructions on using Tripwire 2.4 Open Source.

make[3]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src'
make[2]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src'
make[1]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src'
[root@server3 tripwire-2.4.1.2-src]#
```
3. Run tripwire
```
[root@server3 tripwire-2.4.1.2-src]# cd /usr/local/tripwire      - installation directory
[root@server3 tripwire]# pwd
/usr/local/tripwire
[root@server3 tripwire]# ls
doc  etc  lib  man  sbin  share
[root@server3 tripwire]# cd sbin
[root@server3 sbin]# ls
siggen  tripwire  twadmin  twprint
[root@server3 sbin]# ./tripwire --help      (or twadmin --help)
tripwire: File integrity assessment application.
Open Source Tripwire(R) 2.4.1.2 built for i686-pc-linux-gnu

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.

Usage:

Database Initialization:  tripwire [-m i|--init] [options]
Integrity Checking:       tripwire [-m c|--check] [object1 [object2...]]
Database Update:          tripwire [-m u|--update]
Policy Update:            tripwire [-m p|--update-policy] policyfile.txt
Test:                     tripwire [-m t|--test] --email address

Type 'tripwire [mode] --help' OR
'tripwire --help mode [mode...]' OR
'tripwire --help all' for extended help

[root@server3 ~]#
```
-------------------------------------------------------------------
1. Create (initialize) the tripwire database
```
[root@server3 sbin]# ./tripwire --init      (or ./twadmin --init)
Please enter your local passphrase:
Parsing policy file: /usr/local/tripwire/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/VMware" is on a different file system...ignoring.
The object: "/backup" is on a different file system...ignoring.
The object: "/home2" is on a different file system...ignoring.
The object: "/media/IRIVER-1GB" is on a different file system...ignoring.
The object: "/media/IRIVER-1GB_" is on a different file system...ignoring.
The object: "/media/MEMO-4GB" is on a different file system...ignoring.
The object: "/media/MXR2" is on a different file system...ignoring.
The object: "/misc" is on a different file system...ignoring.
The object: "/net" is on a different file system...ignoring.
The object: "/raid1" is on a different file system...ignoring.
The object: "/sys" is on a different file system...ignoring.
### Warning: File system error.
### Filename: /usr/local/doc
### 그런 파일이나 디렉토리가 없음
### Continuing...
... (omitted)
Wrote database file: /usr/local/tripwire/lib/tripwire/server3.co.kr.twd
The database was successfully generated.
[root@server3 sbin]#
```
-------------------------------------------------------------------
2. Integrity check
```
[root@server3 sbin]# ./tripwire --check      - integrity check
... (omitted)
-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
[root@server3 sbin]#
```
-------------------------------------------------------------------
When the integrity check finishes, a file named xxx.twr is created.
```
[root@server3 ~]# cd /usr/local/tripwire/lib/tripwire/report/
[root@server3 report]# ls
server3.co.kr-20090203-114212.twr
```
- Since the .twr file is encrypted, convert it to a text file with twprint.
-------------------------------------------------------------------
```
[root@server3 sbin]# pwd
/usr/local/tripwire/sbin
[root@server3 sbin]# ./twprint -m r --twrfile /usr/local/tripwire/lib/tripwire/report/server3.co.kr-20090203-114212.twr > report.txt
[root@server3 sbin]# vi report.txt      - shows the information from the database of file attributes and directory information
Note: Report is not encrypted.
Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            2009년 02월 03일 (화) 오전 11시 42분 12초
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    server3.co.kr
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /usr/local/tripwire/etc/tw.pol
Configuration file used:      /usr/local/tripwire/etc/tw.cfg
Database file used:           /usr/local/tripwire/lib/tripwire/server3.co.kr.twd
Command line used:            ./tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Tripwire Data Files             0                 1        0        0
* Monitor Filesystems             0                 0        0        19
* User Binaries and Libraries     0                 0        0        1
  Tripwire Binaries               0                 0        0        0
  OS Binaries and Libraries       0                 0        0        0
  Temporary Directories           0                 0        0        0
* Global Configuration Files      0                 0        0        2
  System Boot Changes             0                 0        0        0
  RPM Checksum Files              0                 0        0        0
  OS Devices and Misc Directories 0                 0        0        0
  OS Boot Files and Mount Points  0                 0        0        0
* Root Directory and Files        0                 3        0        15

Total objects scanned:  243249
Total violations found: 41
... (omitted)
```
-------------------------------------------------------------------
3. Database update
```
[root@server3 sbin]# ./tripwire --update      - after the integrity check, build and save the database for your own system
### Error: File could not be opened.
### Filename:
### /usr/local/tripwire/lib/tripwire/report/server3.co.kr-20090203-133624.twr
### 그런 파일이나 디렉토리가 없음
### Exiting...
[root@server3 sbin]#
```
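The init / check / update cycle above is easier to reason about when reduced to its essentials: a baseline of per-object attributes, a fresh snapshot, and a diff reported as Added / Removed / Modified, the same three columns as the Rule Summary. The following is an added illustration written for this page, not Tripwire's own code; its JSON baseline format, the attribute set it records and every function name are assumptions made for the example. It also reproduces the failure mode seen in step 3: a database update should be driven by the report from a specific check, which with Tripwire means passing that report's path with `--twrfile` rather than relying on the default report name, which is built from the current timestamp (hence the `133624` file that does not exist).

```python
"""
Miniature file-integrity baseline in the style of Tripwire's
init / check / update cycle. Added example, not Tripwire's own code.
Assumptions: the baseline is a JSON map of relative path -> attributes,
directories are recorded without size/hash, and all names are hypothetical.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Record the attributes an integrity rule typically compares:
    mode, owner, group and, for regular files, size, mtime and SHA-256."""
    st = path.lstat()
    entry = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid}
    if path.is_file() and not path.is_symlink():
        entry["size"] = st.st_size
        entry["mtime"] = int(st.st_mtime)
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry


def _snapshot(root: Path) -> dict:
    """Walk the tree and fingerprint every file and directory under root."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            snap[p.relative_to(root).as_posix()] = _fingerprint(p)
    return snap


def init_database(root, db_file) -> int:
    """Like `tripwire --init`: write the baseline. Returns the object count."""
    snap = _snapshot(Path(root))
    Path(db_file).write_text(json.dumps(snap, sort_keys=True, indent=1))
    return len(snap)


def check(root, db_file):
    """Like `tripwire --check`: compare the live tree against the baseline.
    Returns (added, removed, modified) as sorted lists of relative paths,
    the three columns the Tripwire report summary shows."""
    old = json.loads(Path(db_file).read_text())
    new = _snapshot(Path(root))
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    return added, removed, modified


def update_database(root, db_file) -> int:
    """Like `tripwire --update`: accept the reviewed state as the new baseline."""
    return init_database(root, db_file)


def demo() -> dict:
    """Run the whole cycle on a constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed sample\n")
        db = Path(tmp) / "baseline.json"

        result = {"objects": init_database(root, db)}   # 4 objects recorded
        result["clean"] = check(root, db)               # nothing changed yet

        # Constructed changes: one file edited, one removed, one added.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nextra:x:1001:1001::/home/extra:/bin/sh\n")
        (root / "bin" / "ls").unlink()
        (root / "etc" / "shadow").write_text("root:*:0:0:99999:7:::\n")
        result["violations"] = check(root, db)

        # Accept the reviewed state, as `tripwire --update` does after a check.
        update_database(root, db)
        result["after_update"] = check(root, db)
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Directories are compared on mode and ownership only, so adding a file inside a directory is reported once, for the file, rather than also as a modified parent. Keeping the baseline somewhere the monitored host cannot silently rewrite it (Tripwire signs its database with the local key for this reason) is what makes the comparison worth trusting.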