Tripwire是目前最为著名的unix下文件系统完整性检查的软件工具,这一软件采用的技术核心就是对每个要监控的文件产生一个数字签名,保留下来。当文件现在的数字签名与保留的数字签名不一致时,那么现在这个文件必定被改动过了。
Tripwire可以对要求校验的系统文件进行类似md5的运行,而生成一个唯一的标识,即“快照”snapshot。当这些系统文件的大小、inode号、权限、时间等任意属性被修改后,再次运行Tripwire,其会进行前后属性的对比,并生成相关的详细报告。
1、下载并安装
[root@ipython ~]# wget http://nchc.dl.sourceforge.net/project/tripwire/tripwire-src/tripwire-2.4.2.2/tripwire-2.4.2.2-src.tar.bz2[root@ipython ~]# tar jxf tripwire-2.4.2.2-src.tar.bz2
[root@ipython ~]# cd tripwire-2.4.2.2-src
[root@ipython tripwire-2.4.2.2-src]#./configure –prefix=/software/tripwire
[root@ipython tripwire-2.4.2.2-src]# make
[root@ipython tripwire-2.4.2.2-src]# make install
############INSTALL 交互#################Press ENTER to view the LicenseAgreement.###回车阅读协议
license agreement.[donot accept] accept ###同意协议Continuewith installation?[y/n] y ###确认继续安装Enter the site keyfile passphrase:###需要记住的keyfileVerify the site keyfile passphrase:###重复Enter the local keyfile passphrase:###需要记住的local keyfileVerify the local keyfile passphrase:###重复Please enter your site passphrase:###输入Please enter your site passphrase:###输入############交互结束,完成安装#################[root@ipython tripwire-2.4.2.2-src]# ls /software/tripwire/etc/| sort
ipython.me-local.key ####加密本地密钥文件
site.key ####加密站点密钥文件
tw.cfg ####加密配置变量文件
tw.pol ####加密策略文件
twcfg.txt ####定义数据库、策略文件和Tripwire可执行文件的位置
twpol.txt ####定义检测的对象及违规时采取的行为
2、初始化(生成基准数据库)
[root@ipython ~]#/software/tripwire/sbin/tripwire –init
Please enter your local passphrase:###键入密码,后面省略此交互……Wrote database file:/software/tripwire/lib/tripwire/ipython.me.twd
The database was successfully generated.
3、第一次完整性检查,和常用检查参数
[root@ipython ~]#/software/tripwire/sbin/tripwire –check
##默认检查报告存放路径##/software/tripwire/lib/tripwire/report/##指定存放路径##[root@ipython ~]#/software/tripwire/sbin/tripwire –check –twrfile ./test.twr
###Email 发送报告###[root@ipython ~]#/software/tripwire/sbin/tripwire –check –email-report
###指定Email 报告的级别###[root@ipython ~]#/software/tripwire/sbin/tripwire –check –email-report –email-report-level 2###使用指定严重性等级的规则进行检查###[root@ipython ~]#/software/tripwire/sbin/tripwire –check –severity 80###使用指定的规则名检查##[root@ipython ~]#/software/tripwire/sbin/tripwire –check –rule-name rulename
###只检查指定的文件或目录[root@ipython ~]#/software/tripwire/sbin/tripwire –check object1 object2 object3
###检查是忽略某属性###[root@ipython ~]#/software/tripwire/sbin/tripwire –check –ignore “property, property, property, property”###获取帮助[root@ipython ~]#/software/tripwire/sbin/tripwire –help all
##检视报告##[root@ipython ~]#/software/tripwire/sbin/twprint –print-report –twrfile ./test.twr
##重定向加密报告的内容##[root@ipython ~]#/software/tripwire/sbin/twprint –print-report –twrfile ./test.twr > output.text
##指定报告输出时的级别##[root@ipython ~]#/software/tripwire/sbin/twprint –print-report –report-level 4–twrfile ./test.twr > output.text
4、升级基准数据库文件
###升级的目的是很正常的,因为check 是基于基准数据的###[root@ipython ~]#/software/tripwire/sbin/tripwire –update –twrfile ./test.twr
###检测后立即自动update###[root@ipython ~]#/software/tripwire/sbin/tripwire –check –interactive
5、升级策略文件
更新策略稳健,需要修改策略的规则,先将策略重定向出来[root@ipython ~]#/software/tripwire/sbin/twadmin –print-polfile > twpol.txt
###照猫画虎修改吧,然后update###[root@ipython ~]#/software/tripwire/sbin/tripwire –update-policy twpol.txt
Parsing policy file:/root/twpol.txt
Please enter your local passphrase:Please enter your site passphrase:
6、修改site key 和 local key
###修改前记得备份下###[root@ipython ~]#/software/tripwire/sbin/twadmin –generate-keys –site-keyfile /software/tripwire/etc/site.key
[root@ipython ~]#/software/tripwire/sbin/twadmin –generate-keys –local-keyfile /software/tripwire/etc/site.key
#配置文件通过site key 假面,数据文件和报告文件用local key 加密#[root@ipython ~]#/software/tripwire/sbin/twadmin –encrypt –site-keyfile /software/tripwire/etc/site.key
[root@ipython ~]#/software/tripwire/sbin/twadmin –encrypt –local-keyfile /software/tripwire/etc/ipython.me-local.key
在RedHat AS4下安装tripwire的方法 http://www.linuxidc.com/Linux/2006-12/1581.htm
数据完整性监控工具 Tripwire 2.4.2.2 发布 http://www.linuxidc.com/Linux/2011-11/47890.htm
来源: http://www.ipython.me/centos/tripwire-file-md5.html 作者: IT辰逸
本文永久更新链接地址:http://www.linuxidc.com/Linux/2014-08/105075.htm