等保建设:构建数据完整性监测系统
文章来源:https://blog.51cto.com/rhcss/139824
当服务器遭到黑客攻击时,在多数情况下,黑客可能对系统文件等等一些重要的文件进行修改。对此,我们用Tripwire建立数据完整性监测系统。虽然 它不能抵御黑客攻击以及黑客对一些重要文件的修改,但是可以监测文件是否被修改过以及哪些文件被修改过,从而在被攻击后有的放矢的策划出解决办法。
Tripwire的原理是Tripwire被安装、配置后,将当前的系统数据状态建立成数据库,随着文件的添加、删除和修改等等变化,通过系统数据现状与不断更新的数据库进行比较,来判定哪些文件被添加、删除和修改过。正因为初始的数据库是在Tripwire本体被安装、配置后建立的原因,我们务必应该在服务器开放前,或者说操作系统刚被安装后用Tripwire构建数据完整性监测系统。
|
首先来安装 Tripwire 。
[root@sample ~]# wget [url]http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.3.1-2.tar.gz[/url] ← 下载源代码 --02:21:30-- [url]http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.3.1-2.tar.gz[/url] => `tripwire-2.3.1-2.tar.gz' Resolving jaist.dl.sourceforge.net... 150.65.7.130 Connecting to jaist.dl.sourceforge.net|150.65.7.130|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1,514,955 (1.4M) [application/x-gzip] 100%[====================================>] 1,514,955 1.29M/s 02:21:32 (1.28 MB/s) - `tripwire-2.3.1-2.tar.gz' saved [1514955/1514955] [root@sample ~]# tar zxvf tripwire-2.3.1-2.tar.gz ← 将被压缩的文件展开 100%[====================================>] 786,411 164.35K/s ETA 00:00 02:28:50 (154.51 KB/s) - `tw-20030919.patch.gz' saved [786411/786411] [root@sample tripwire-2.3.1-2]# gunzip tw-20030919.patch.gz ← 将 Tripwire Patch 文件解压缩 [root@sample tripwire-2.3.1-2]# ./configure --sysconfdir=/etc/tripwire ← 运行configure LICENSE AGREEMENT for Tripwire(R) 2.3 Open Source Please read the following license agreement. You must accept the Press ENTER to view the License Agreement. ← 按回车键阅读协议 Checking for programs specified in install configuration file.... /usr/sbin/sendmail exists. Continuing installation. /bin/vi exists. Continuing installation. ---------------------------------------------- ./bin/siggen found This program will copy Tripwire files to the following directories: TWBIN: /usr/local/sbin CLOBBER is false. Continue with installation? [y/n] y ← 键入y继续安装 /usr/local/sbin: already exists ---------------------------------------------- /usr/local/doc/tripwire/README: copied ---------------------------------------------- Passphrases should be at least 8 characters in length See the Tripwire manual for more information. ---------------------------------------------- (When selecting a passphrase, keep in mind that good passphrases typically Enter the site keyfile passphrase: ← 输入“site keyfile”口令(输入后不会显示),并且记住这个口令 (When selecting a passphrase, keep in mind that good passphrases typically Enter the local keyfile passphrase: ← 输入“local keyfile”口令(输入后不会显示),并且记住这个口令 ---------------------------------------------- ---------------------------------------------- A clear-text version of the Tripwire configuration file ---------------------------------------------- ---------------------------------------------- A clear-text version of the Tripwire policy file ---------------------------------------------- Please refer to /usr/local/doc/tripwire/Release_Notes make[2]: Leaving directory `/root/tripwire-2.3.1-2' make[1]: Leaving directory `/root/tripwire-2.3.1-2' [root@sample tripwire-2.3.1-2]# cd ← 回到root用户的根目录 [root@sample ~]# rm -rf tripwire-2.3.1-2 tripwire-2.3.1-2.tar.gz ← 删除安装用过的原文件 |
|
[root@sample ~]# vi /etc/tripwire/twcfg.txt ← 修改文本格式的Tripwire配置文件 LOOSEDIRECTORYCHECKING =false ← 找到这一个行,将false的值变为true(不监测所属目录的数据完整性) ↓ LOOSEDIRECTORYCHECKING =true ← 变为此状态 REPORTLEVEL =3 ← 找到这一行,将3变为4(改变监测结果报告的等级) ↓ REPORTLEVEL =4 ← 变为此状态 [root@sample ~]# twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt ← 从文本配置文件建立加密格式配置文件 Please enter your site passphrase: ← 输入“site keyfile”口令(输入后不会显示) Wrote configuration file: /etc/tripwire/tw.cfg [root@sample ~]# rm -f /etc/tripwire/twcfg.txt ← 为不留安全隐患,删除文本格式的配置文件 |
注:恢复文本格式的Tripwire配置文件,可通过执行“twadmin --print-cfgfile > /etc/tripwire/twcfg.txt”。
[2] Policy文件的配置
Tripwire的数据库是基于Policy文件建立的。但默认的Policy文件并没有有效的依照我们的需要建立数据完整性监测规则,所以这里通过一段Perl脚本来让数据监测实际满足于我们的需要。
[root@sample ~]# vi /etc/tripwire/twpolmake.pl ← 建立用于建立Policy文件的Perl脚本 #!/usr/bin/perl open(POL,"$POLFILE") or die "open error: $POLFILE" ; while (<POL>) { [root@sample ~]# rm -f /etc/tripwire/twpol.txt ← 删除默认Policy文件 [root@sample ~]# mv /etc/tripwire/twpol.txt.out /etc/tripwire/twpol.txt ← 将新建立的Policy文件的名改为默认Policy文件的文件名 [root@sample ~]# vi /etc/tripwire/twpol.txt ← 编辑Policy文件 $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; ← 找到这一行,在这一行的下一行添加语句(113行前后) !$(TWDB)/$(HOSTNAME).twd ; ← 添加这一句(不对数据库进行监测) [root@sample ~]# twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt ← 从文本配置文件建立加密格式配置文件 Please enter your site passphrase: ← 输入“site keyfile”口令(输入后不会显示) Wrote policy file: /etc/tripwire/tw.pol [root@sample ~]# rm -f /etc/tripwire/twcfg.txt ← 为不留安全隐患,删除文本格式的配置文件 |
注:恢复文本格式的Tripwire配置文件,可通过执行“twadmin --print-cfgfile > /etc/tripwire/twcfg.txt”。
[3] 建立数据库
[root@sample ~]# tripwire --init ← 建立数据库 Please enter your local passphrase: ← 输入“local keyfile”口令(输入后不会显示) Parsing policy file: /etc/tripwire/tw.pol Generating the database... *** Processing Unix File System *** Wrote database file: /usr/local/lib/tripwire/sample.centospub.com.twd The database was successfully generated. |
|
下面开始测试并让Tripwire开始工作。
[1] 建立Tripwire运行脚本:
[root@sample ~]# vi tripwire-check ← 建立Tripwire运行脚本 #!/bin/bash PATH=/usr/local/sbin:/usr/bin:/bin # Run the Tripwire # Mail the Tripwire Report to root # Update the Policy File rm -f /usr/local/lib/tripwire/`hostname`.twd tripwire --init -P $LOCALPASS | logger -t tripwire [root@sample ~]# chmod 700 tripwire-check ← 赋予运行脚本文件可执行的权限 |
注:Tripwire的监测报告会被加密保存到/usr/local/lib/tripwire/report目录下。日志被保存在/var/log/messages中。
[2] 测试运行脚本
[root@sample ~]# ./tripwire-check ← 运行一次脚本 由于增加了运行脚本本身,也被认作系统被作了改动,会发邮件通知root…查看邮箱回收到监测报告 [root@sample ~]# ./tripwire-check ← 再次运行一次脚本 由于两次连续运行,之间不太可能有文件变更,所以请确认不会发送E-mail给root |
[3] 在服务器本地监测报告的浏览
[root@sample ~]# ls -l /usr/local/lib/tripwire/report/ ← 监测报告所在目录的文件列表 total 32 -rw-r--r-- 1 root root 8222 Aug 23 05:46 sample.centospub.com-20060823.twr ← 比如想浏览此篇报告 -rw-r--r-- 1 root root 8230 Aug 23 05:46 sample.centospub.com-20060823.twr.bak [root@sample ~]# cd /etc/tripwire ← 进入Tripwire配置文件所在目录 [root@sample tripwire]# twprint -m r -c tw.cfg -r "/usr/local/lib/tripwire/report/sample.centospub.com-20060823.twr" -L sample.centospub.com-local.key -t 4 > tripwire-report ← 将监测报告保存到名为tripwire-report的文件中 [root@sample tripwire]# cat tripwire-report ← 浏览监测报告 Note: Report is not encrypted. Tripwire(R) 2.3.0 Integrity Check Report Report generated by: root =============================================================================== Host name: sample.centospub.com =============================================================================== ------------------------------------------------------------------------------- Rule Name Severity Level Added Removed Modified Total objects scanned: 17363 =============================================================================== ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Modified: =============================================================================== ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Modified object name: /root/tripwire-check Property: Expected Observed
=============================================================================== No Errors ------------------------------------------------------------------------------- trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified .ly under certain conditions; see COPYING for details. All rights reserved. [root@sample tripwire]# rm -f tripwire-report ← 删除监测报告 |
[4] 让监测脚本每天自动运行
[root@sample tripwire]# cd ← 进入Tripwire运行脚本所在的root目录 [root@sample ~]# mv tripwire-check /etc/cron.daily/ ← 转移脚本到每天自动运行的目录中 |
放在/etc/cron.daily下的脚本,会在每天4点02分自动被运行。这样通过数据完整性监测来监视系统文件的状况。如果增加、修改或删除的情况,将会给root发送邮件,并自动转送到初始环境设置中设置的转送邮箱中。
推荐阅读