
Security checking program - tripwire - RPM installation


tripwire - RPM installation

- A program that monitors whether files have been tampered with.
- It stores file attributes and directory information in a database and compares the current state against it to detect changes.
- Because changes are detected, the damage caused by tampered or corrupted data can be minimized.
- The policy file defines which files and directories on your system are monitored, so it must be configured carefully.


-------------------------------------------------------------------

http://www.tripwire.org/

http://sourceforge.net/projects/tripwire/

Source file
tripwire-2.4.1.2-src.tar.bz2 : (download)

RPM file
tripwire-2.4.1.1-1.el5.i386.rpm : (download)

-------------------------------------------------------------------

Go to tripwire - Source installation

-------------------------------------------------------------------


tripwire - RPM installation



1. Installation

 
[root@server3 ~]# rpm -Uvh tripwire-2.4.1.1-1.el5.i386.rpm
경고: tripwire-2.4.1.1-1.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 217521f6
준비 중...               ########################################### [100%]
   1:tripwire               ########################################### [100%]

[root@server3 ~]# rpm -ql tripwire - check where the tripwire package was installed
/etc/cron.daily/tripwire-check
/etc/tripwire
/etc/tripwire/twcfg.txt
/etc/tripwire/twpol.txt
/usr/sbin/siggen
/usr/sbin/tripwire
/usr/sbin/tripwire-setup-keyfiles
/usr/sbin/twadmin
/usr/sbin/twprint
/usr/share/doc/tripwire-2.4.1.1
/usr/share/doc/tripwire-2.4.1.1/COMMERCIAL
/usr/share/doc/tripwire-2.4.1.1/COPYING
/usr/share/doc/tripwire-2.4.1.1/ChangeLog
/usr/share/doc/tripwire-2.4.1.1/License-Issues
/usr/share/doc/tripwire-2.4.1.1/README.Fedora
/usr/share/doc/tripwire-2.4.1.1/TRADEMARK
/usr/share/doc/tripwire-2.4.1.1/policyguide.txt
/usr/share/doc/tripwire-2.4.1.1/tripwire.gif
/usr/share/man/man4/twconfig.4.gz
/usr/share/man/man4/twpolicy.4.gz
/usr/share/man/man5/twfiles.5.gz
/usr/share/man/man8/siggen.8.gz
/usr/share/man/man8/tripwire.8.gz
/usr/share/man/man8/twadmin.8.gz
/usr/share/man/man8/twintro.8.gz
/usr/share/man/man8/twprint.8.gz
/var/lib/tripwire
/var/lib/tripwire/report




2. Generating key files


 
[root@server3 Desktop]# cd /usr/sbin
[root@server3 sbin]# ./tripwire-setup-keyfiles  - with a source install, the keys are generated during make install.

----------------------------------------------
The Tripwire site and local passphrases are used to sign a  variety  of
files, such as the configuration, policy, and database files.

Passphrases should be at least 8 characters in length and contain  both
letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase: - enter the key used when updating the configuration file and similar files, or when creating the DB
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase: - enter the key used when initializing the DB
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Signing configuration file...
Please enter your site passphrase:  - enter the site key to generate the configuration file
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection.  It  is  recommended  that  you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.


----------------------------------------------
Signing policy file...
Please enter your site passphrase:  - enter the site key to generate the policy file
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for  your  inspection.  This  implements  a  minimal
policy, intended only to test  essential  Tripwire  functionality.  You
should edit the policy file to  describe  your  system,  and  then  use
twadmin to generate a new signed copy of the Tripwire policy.

Once you have a satisfactory Tripwire policy file, you should move  the
clear-text version to a secure location  and/or  encrypt  it  in  place
(using a tool such as GPG, for example).

Now run "tripwire --init" to enter Database Initialization  Mode.  This
reads the policy file, generates a database based on its contents,  and
then cryptographically signs the resulting  database.  Options  can  be
entered on the command line to specify which policy, configuration, and
key files are used  to  create  the  database.  The  filename  for  the
database can be specified as well. If no  options  are  specified,  the
default values from the current configuration file are used.




3. Running

 
[root@server3 sbin]# ./tripwire --help
tripwire: File integrity assessment application.

Tripwire(R) 2.4.1.1 built for i686-pc-linux-gnu

Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Usage:

Database Initialization:  tripwire [-m i|--init] [options]
Integrity Checking:  tripwire [-m c|--check] [object1 [object2...]]
Database Update:  tripwire [-m u|--update]
Policy Update:  tripwire [-m p|--update-policy] policyfile.txt
Test:  tripwire [-m t|--test] --email address

Type 'tripwire [mode] --help' OR
'tripwire --help mode [mode...]' OR
'tripwire --help all' for extended help

[root@server3 sbin]# ./tripwire -m i or ./tripwire --init - initialize the database (twadmin has no --init mode)
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /dev/kmem
### 그런 파일이나 디렉토리가 없음
### Continuing...
### Warning: File system error.
### Filename: /proc/ksyms
### 그런 파일이나 디렉토리가 없음
### Continuing...
### Warning: File system error.
### Filename: /proc/pci
### 그런 파일이나 디렉토리가 없음
### Continuing...
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### 그런 파일이나 디렉토리가 없음
### Continuing...

- (output omitted)

Wrote database file: /var/lib/tripwire/server3.co.kr.twd
The database was successfully generated.

[root@server3 sbin]# ./tripwire -m c or ./tripwire --check - integrity check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
### Warning: File system error.
### Filename: /dev/kmem
### 그런 파일이나 디렉토리가 없음
### Continuing...

- (output omitted)

-------------------------------------------------------------------------------
*** End of report ***

Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.

[root@server3 ~]# cd /var/lib/tripwire/report/
[root@server3 report]# pwd
/var/lib/tripwire/report
[root@server3 report]# ls
server3.co.kr-20090206-102047.twr - the .twr report is not readable as plain text, so convert it to a text file with twprint.

[root@server3 sbin]# ./twprint -m r --twrfile /var/lib/tripwire/report/server3.co.kr-20090206-102047.twr > /var/lib/tripwire/report/report-2.txt

[root@server3 report]# pwd
/var/lib/tripwire/report
[root@server3 report]# ls
report-2.txt  server3.co.kr-20090206-102047.twr
[root@server3 report]# vi report-2.txt - shows the file attribute and directory information that was recorded in the database.
Note: Report is not encrypted.
Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            2009년 02월 06일 (금) 오전 10시 20분 47초
Database last updated on:     Never

===============================================================================
Report Summary:
=====================================================================

- (output omitted)

[root@server3 sbin]# ./tripwire -m u or ./tripwire --update - after the integrity check is complete, create and save the database for your own system.

### Error: File could not be opened.

### Filename: /var/lib/tripwire/report/server3.co.kr-20090206-104123.twr
### 그런 파일이나 디렉토리가 없음
### Exiting...
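The update attempt above fails because, without --twrfile, tripwire --update looked for a report named after its own start time (104123) instead of the report the check actually wrote (102047). The script below is an added example, not code from the original post or from the Tripwire project: it runs the same check, twprint and update steps, passing the newest report to the update explicitly, and it assumes the RPM layout shown on this page (reports under /var/lib/tripwire/report).

```shell
#!/bin/sh
# Added example (not from the original post): check -> twprint -> update,
# handing the report written by the check to "tripwire --update" via
# --twrfile so the update never guesses a report name from the current time.
# Assumption: RPM layout from the page (/usr/sbin tools on PATH,
# reports under /var/lib/tripwire/report).

REPORT_DIR=${REPORT_DIR:-/var/lib/tripwire/report}

# Print the newest .twr report in a directory (empty output if there is none).
# Tripwire names reports HOST-YYYYMMDD-HHMMSS.twr, so lexical order is time order.
latest_twr_report() {
    ls -1 "$1"/*.twr 2>/dev/null | sort | tail -n 1
}

# Name of the text file twprint output is written to, next to the report.
report_txt_name() {
    printf '%s\n' "${1%.twr}.txt"
}

# Run the integrity check, render the new report as text, then update the
# database from that same report (local passphrase is prompted for by tripwire).
check_and_update() {
    tripwire -m c || true   # non-zero exit means violations were found; still continue
    twr=$(latest_twr_report "$REPORT_DIR")
    if [ -z "$twr" ]; then
        echo "no report found in $REPORT_DIR" >&2
        return 1
    fi
    twprint -m r --twrfile "$twr" > "$(report_txt_name "$twr")"
    tripwire -m u --twrfile "$twr"
}

if command -v tripwire >/dev/null 2>&1; then
    check_and_update
else
    echo "tripwire is not installed here; only the functions were defined" >&2
fi
```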