Here we use Tripwire, an Intrusion Detection System (more precisely, a file-integrity checker), to build the detection setup. Once configured, Tripwire records the state of system files in a database and reports any file whose state later changes, so it is best deployed immediately after the OS is installed or right after the production environment has been built, before anything can be tampered with.
1. Installing Tripwire

[root@centos ~]# yum -y install tripwire

[root@centos ~]# tripwire-setup-keyfiles # initial setup

----------------------------------------------
The Tripwire site and local passphrases are used to sign a  variety  of
files, such as the configuration, policy, and database files.

Passphrases should be at least 8 characters in length and contain  both
letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase: # enter the keyfile passphrase
Verify the site keyfile passphrase: # enter the keyfile passphrase again
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase: # enter the keyfile passphrase
Verify the local keyfile passphrase: # enter the keyfile passphrase again
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Signing configuration file...
Please enter your site passphrase: # enter the keyfile passphrase
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection.  It  is  recommended  that  you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.

----------------------------------------------
Signing policy file...
Please enter your site passphrase: # enter the keyfile passphrase
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for  your  inspection.  This  implements  a  minimal
policy, intended only to test  essential  Tripwire  functionality.  You
should edit the policy file to  describe  your  system,  and  then  use
twadmin to generate a new signed copy of the Tripwire policy.

Once you have a satisfactory Tripwire policy file, you should move  the
clear-text version to a secure location  and/or  encrypt  it  in  place
(using a tool such as GPG, for example).

Now run "tripwire --init" to enter Database Initialization  Mode.  This
reads the policy file, generates a database based on its contents,  and
then cryptographically signs the resulting  database.  Options  can  be
entered on the command line to specify which policy, configuration, and
key files are used  to  create  the  database.  The  filename  for  the
database can be specified as well. If no  options  are  specified,  the
default values from the current configuration file are used.

2. Setting the configuration parameters

[root@centos ~]# vi /etc/tripwire/twcfg.txt # configuration file
LOOSEDIRECTORYCHECKING =true # do not report changes to directories themselves

REPORTLEVEL   =4
[root@centos ~]# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt # sign the configuration file
Please enter your site passphrase: # the passphrase set in the previous step
Wrote configuration file: /etc/tripwire/tw.cfg

3. Policy file setup

Tripwire works by saving the current state of files and comparing against it later, when a file changes. The default policy, however, is of little use: we need a policy that skips files that do not exist on this host and always checks the files that do exist.
The following Perl script implements this. Save it as makepolicy.pl (the command below invokes it as /etc/tripwire/twpolmake.pl, so use one name consistently).

#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#    perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE = $ARGV[0];
open(POL, "$POLFILE") or die "open error: $POLFILE";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my ($INRULE) = 0;    # 1 while inside a { ... } rule block
while (<POL>) {
    chomp;
    # Replace the HOSTNAME directive with this machine's real hostname
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname`; chomp($myhost);
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    elsif (/^{/) { $INRULE = 1; }    # entering a rule block
    elsif (/^}/) { $INRULE = 0; }    # leaving it
    # Inside a rule block: "[#] /path -> property-mask ;" lines
    elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g);    # strip a leading '#', remember whether there was one
        if ($tpath eq '/sbin/e2fsadm') {
            # the stock policy has stray text after ';' on this line; make it a comment
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }
        if (! -s $tpath) {
            # file missing or empty: comment the line out (unless it already was)
            $_ = "$sharp#$tpath$cond" if ($ret == 0);
        }
        else {
            # file exists: make sure the line is active
            $_ = "$sharp$tpath$cond";
        }
    }
    print "$_\n";
}
close(POL);

Then run the following commands to generate the new policy.

[root@centos ~]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new # run the script to generate the policy

[root@centos ~]# echo ! "/var/lib/tripwire/`hostname`.twd ;" >> /etc/tripwire/twpol.txt.new # exclude Tripwire's own database from checking

[root@centos ~]# echo ! "/tmp/tripwire.log ;" >> /etc/tripwire/twpol.txt.new # exclude the Tripwire log from checking

[root@centos ~]# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new # sign the new policy
Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol
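The page never shows what a policy rule block looks like, so here is a constructed illustration (added here, not taken from the page or from the stock CentOS twpol.txt) of one block before and after twpolmake.pl processes it, followed by the two stop-point lines the echo commands append. It assumes a host named centos on which /etc/passwd, /etc/shadow and /etc/my.cnf exist and /sbin/e2fsadm does not; the trailing "# <-" annotations in the output half are mine, not script output.

```text
# Input: a rule block in /etc/tripwire/twpol.txt (constructed sample)
(
  rulename = "Critical configuration files",
  severity = $(SIG_HI)
)
{
  /etc/passwd          -> $(SEC_CRIT) ;
  /etc/shadow          -> $(SEC_CRIT) ;
  #/etc/my.cnf         -> $(SEC_CRIT) ;
  /sbin/e2fsadm        -> $(SEC_CRIT) ;
}

# Output of: perl twpolmake.pl twpol.txt  (same block after processing)
(
  rulename = "Critical configuration files",
  severity = $(SIG_HI)
)
{
  /etc/passwd          -> $(SEC_CRIT) ;    # <- exists: kept active
  /etc/shadow          -> $(SEC_CRIT) ;
  /etc/my.cnf         -> $(SEC_CRIT) ;     # <- exists: leading '#' removed
  #/sbin/e2fsadm        -> $(SEC_CRIT) ;   # <- missing: commented out
}

# Stop points appended by the two echo commands: paths Tripwire must not
# check, because they change on every run (the hostname is assumed to be centos)
! /var/lib/tripwire/centos.twd ;
! /tmp/tripwire.log ;
```

Any other path that changes legitimately on every run should get the same "!" treatment, otherwise each check will report it as a violation.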

4. Generate the database file
[root@centos ~]# tripwire -m i -s -c /etc/tripwire/tw.cfg

5. Run a check

[root@centos ~]# tripwire -m c -s -c /etc/tripwire/tw.cfg
