ANDRA DELEN AV INSTALLATIONEN
Nu ska Tripwire vara installerat och du kan nu installera Tripwires databas.
Det är den som har koll på hela systemet och alla filer.
Tripwire databas kommer kolla ditt system och lägga till det i sin databas.
Det kan hända att det finns filer som inte existerar och då kommer Tripwire ge massa fel-meddelanden när du installerar databasen.
Men det gör inget för dom ska vi ta bort, för vi ska skräddarsy Tripwires databas att passa just ditt system, som handen i handsken.
Med detta exempel så kör jag Ubuntu 12.04 LTS.
Kör följande kod:
Som du säkert såg så fick du i slutet en massa error meddelanden.
Dom ska vi nu ta bort och skräddarsy databasen att passa ditt Linux system.
Först så kan vi skapa en lista över alla fel-meddelanden vi fick, så vi vet vilka filer vi ska ta bort.
Det gör vi genom att skapa en "test_results" fil.
Skriv följande:
sudo sh -c 'tripwire --check | grep Filename > test_results'
Du hittar filen i Home katalogen eller i /etc/tripwire
Med mitt Ubuntu 12.04 LTS så hitta jag filen "test_results" i home katalogen.
Nu kan du klicka på den filen och så kommer den att öppnas upp med gedit automatiskt.
Så här ser filen ut:
Filename: /etc/rc.boot
Filename: /root/mail
Filename: /root/Mail
Filename: /root/.xsession-errors
Filename: /root/.xauth
Filename: /root/.tcshrc
Filename: /root/.sawfish
Filename: /root/.pinerc
Filename: /root/.mc
Filename: /root/.gnome_private
Filename: /root/.gnome-desktop
Filename: /root/.gnome
Filename: /root/.esd_auth
Filename: /root/.elm
Filename: /root/.cshrc
Filename: /root/.bash_profile
Filename: /root/.bash_logout
Filename: /root/.bash_history
Filename: /root/.amandahosts
Filename: /root/.addressbook.lu
Filename: /root/.addressbook
Filename: /root/.Xresources
Filename: /root/.Xauthority
Filename: /root/.ICEauthority
Filename: /proc/4116/fd/3
Filename: /proc/4116/fdinfo/3
Filename: /proc/4116/task/4116/fd/3
Filename: /proc/4116/task/4116/fdinfo/3
Alla dessa filer gav dig ett fel-meddelande när du installera databasen.
Nu ska vi ta bort dessa onödiga filer.
För detta ska vi använda text editor Nano.
För att spara en föändring i Nano trycker man "ctrl o" och sedan Enter.
För att stänga Nano trycker man "ctrl x"
Det är bara dom två commandon du behöver veta för att köra Nano.
Nu ska vi öppna filen twpol.txt som innehåller mappen med alla filer som ska kontrolleras av Tripwire, The Policy file.
Skriv följande:
sudo nano /etc/tripwire/twpol.txt
Så här ser filen ut ...
#
# Standard Debian Tripwire configuration
#
#
# This configuration covers the contents of all 'Essential: yes'
# packages along with any packages necessary for access to an internet
# or system availability, e.g. name services, mail services, PCMCIA
# support, RAID support, and backup/restore support.
#
#
# Global Variable Definitions
#
# These definitions override those in to configuration file. Do not
# change them unless you understand what you're doing.
#
@@section GLOBAL
TWBIN = /usr/sbin;
TWETC = /etc/tripwire;
TWVAR = /var/lib/tripwire;
#
# File System Definitions
#
@@section FS
#
# First, some variables to make configuration easier
#
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed
# infrequently but accessed
# often
SEC_LOG = $(Growing) ; # Files that grow, but that
# should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never
# change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of
# minimal security impact
SIG_MED = 66 ; # Non-critical files that are of
# significant security impact
SIG_HI = 100 ; # Critical files that are
# significant points of
# vulnerability
#
# Tripwire Binaries
#
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
#
# Tripwire Data Files - Configuration Files, Policy Files, Keys,
# Reports, Databases
#
# NOTE: We remove the inode attribute because when Tripwire creates a
# backup, it does so by renaming the old file and creating a new one
# (which will have a new inode number). Inode is left turned on for
# keys, which shouldn't ever change.
# NOTE: The first integrity check triggers this rule and each
# integrity check afterward triggers this rule until a database update
# is run, since the database file does not exist before that point.
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
$(TWVAR)/$(HOSTNAME).twd -> $(SEC_CONFIG) -i ;
$(TWETC)/tw.pol -> $(SEC_BIN) -i ;
$(TWETC)/tw.cfg -> $(SEC_BIN) -i ;
$(TWETC)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWETC)/site.key -> $(SEC_BIN) ;
#don't scan the individual reports
$(TWVAR)/report -> $(SEC_CONFIG) (recurse=0) ;
}
#
# Critical System Boot Files
# These files are critical to a correct system boot.
#
(
rulename = "Critical system boot files",
severity = $(SIG_HI)
)
{
/boot -> $(SEC_CRIT) ;
/lib/modules -> $(SEC_CRIT) ;
}
(
rulename = "Boot Scripts",
severity = $(SIG_HI)
)
{
/etc/init.d -> $(SEC_BIN) ;
/etc/rc.boot -> $(SEC_BIN) ;
/etc/rcS.d -> $(SEC_BIN) ;
/etc/rc0.d -> $(SEC_BIN) ;
/etc/rc1.d -> $(SEC_BIN) ;
/etc/rc2.d -> $(SEC_BIN) ;
/etc/rc3.d -> $(SEC_BIN) ;
/etc/rc4.d -> $(SEC_BIN) ;
/etc/rc5.d -> $(SEC_BIN) ;
/etc/rc6.d -> $(SEC_BIN) ;
}
#
# Critical executables
#
(
rulename = "Root file-system executables",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_BIN) ;
/sbin -> $(SEC_BIN) ;
}
#
# Critical Libraries
#
(
rulename = "Root file-system libraries",
severity = $(SIG_HI)
)
{
/lib -> $(SEC_BIN) ;
}
#
# Login and Privilege Raising Programs
#
(
rulename = "Security Control",
severity = $(SIG_MED)
)
{
/etc/passwd -> $(SEC_CONFIG) ;
/etc/shadow -> $(SEC_CONFIG) ;
}
#
# These files change every time the system boots
#
(
rulename = "System boot changes",
severity = $(SIG_HI)
)
{
/var/lock -> $(SEC_CONFIG) ;
/var/run -> $(SEC_CONFIG) ; # daemon PIDs
/var/log -> $(SEC_CONFIG) ;
}
# These files change the behavior of the root account
(
rulename = "Root config files",
severity = 100
)
{
/root -> $(SEC_CRIT) ; # Catch all additions to /root
/root/mail -> $(SEC_CONFIG) ;
/root/Mail -> $(SEC_CONFIG) ;
/root/.xsession-errors -> $(SEC_CONFIG) ;
/root/.xauth -> $(SEC_CONFIG) ;
/root/.tcshrc -> $(SEC_CONFIG) ;
/root/.sawfish -> $(SEC_CONFIG) ;
/root/.pinerc -> $(SEC_CONFIG) ;
/root/.mc -> $(SEC_CONFIG) ;
/root/.gnome_private -> $(SEC_CONFIG) ;
/root/.gnome-desktop -> $(SEC_CONFIG) ;
/root/.gnome -> $(SEC_CONFIG) ;
/root/.esd_auth -> $(SEC_CONFIG) ;
/root/.elm -> $(SEC_CONFIG) ;
/root/.cshrc -> $(SEC_CONFIG) ;
/root/.bashrc -> $(SEC_CONFIG) ;
/root/.bash_profile -> $(SEC_CONFIG) ;
/root/.bash_logout -> $(SEC_CONFIG) ;
/root/.bash_history -> $(SEC_CONFIG) ;
/root/.amandahosts -> $(SEC_CONFIG) ;
/root/.addressbook.lu -> $(SEC_CONFIG) ;
/root/.addressbook -> $(SEC_CONFIG) ;
/root/.Xresources -> $(SEC_CONFIG) ;
/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
/root/.ICEauthority -> $(SEC_CONFIG) ;
}
#
# Critical devices
#
(
rulename = "Devices & Kernel information",
severity = $(SIG_HI),
)
{
/dev -> $(Device) ;
/proc -> $(Device) ;
}
#
# Other configuration files
#
(
rulename = "Other configuration files",
severity = $(SIG_MED)
)
{
/etc -> $(SEC_BIN) ;
}
#
# Binaries
#
(
rulename = "Other binaries",
severity = $(SIG_MED)
)
{
/usr/local/sbin -> $(SEC_BIN) ;
/usr/local/bin -> $(SEC_BIN) ;
/usr/sbin -> $(SEC_BIN) ;
/usr/bin -> $(SEC_BIN) ;
}
#
# Libraries
#
(
rulename = "Other libraries",
severity = $(SIG_MED)
)
{
/usr/local/lib -> $(SEC_BIN) ;
/usr/lib -> $(SEC_BIN) ;
}
#
# Commonly accessed directories that should remain static with regards
# to owner and group
#
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = 0) ;
/home -> $(SEC_INVARIANT) (recurse = 0) ;
/tmp -> $(SEC_INVARIANT) (recurse = 0) ;
/usr -> $(SEC_INVARIANT) (recurse = 0) ;
/var -> $(SEC_INVARIANT) (recurse = 0) ;
/var/tmp -> $(SEC_INVARIANT) (recurse = 0) ;
}
Ovan kan du se en blue print som innehåller reglerna för hur ditt Tripwire ska kolla och kontrollera dina filer på ditt system.
Nu kan du ta en titt på din "test_results" fil och kommentera bort dom med twpol.txt.
Du skriver ett # tecken framför varje fil som ska bort.
Så här ska det se ut:
{
/root -> $(SEC_CRIT) ; # Catch all additions to /root
#/root/mail -> $(SEC_CONFIG) ;
#/root/Mail -> $(SEC_CONFIG) ;
#/root/.xsession-errors -> $(SEC_CONFIG) ;
#/root/.xauth -> $(SEC_CONFIG) ;
#/root/.tcshrc -> $(SEC_CONFIG) ;
#/root/.sawfish -> $(SEC_CONFIG) ;
#/root/.pinerc -> $(SEC_CONFIG) ;
#/root/.mc -> $(SEC_CONFIG) ;
#/root/.gnome_private -> $(SEC_CONFIG) ;
#/root/.gnome-desktop -> $(SEC_CONFIG) ;
#/root/.gnome -> $(SEC_CONFIG) ;
#/root/.esd_auth -> $(SEC_CONFIG) ;
#/root/.elm -> $(SEC_CONFIG) ;
#/root/.cshrc -> $(SEC_CONFIG) ;
/root/.bashrc -> $(SEC_CONFIG) ;
#/root/.bash_profile -> $(SEC_CONFIG) ;
#/root/.bash_logout -> $(SEC_CONFIG) ;
#/root/.bash_history -> $(SEC_CONFIG) ;
#/root/.amandahosts -> $(SEC_CONFIG) ;
#/root/.addressbook.lu -> $(SEC_CONFIG) ;
#/root/.addressbook -> $(SEC_CONFIG) ;
#/root/.Xresources -> $(SEC_CONFIG) ;
#/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
#/root/.ICEauthority -> $(SEC_CONFIG) ;
För att spara ändringarna skriver du "ctrl o" och Enter.
Vidare ...
Du ska även ändra följande filer:
I "Boot Scripts" ska du ta bort och kommentera bort /etc/rc.boot
Den filen existerar inte med ett Ubuntu system.
(
rulename = "Boot Scripts",
severity = $(SIG_HI)
)
{
/etc/init.d -> $(SEC_BIN) ;
#/etc/rc.boot -> $(SEC_BIN) ;
/etc/rcS.d -> $(SEC_BIN) ;
/etc/rc0.d -> $(SEC_BIN) ;
/etc/rc1.d -> $(SEC_BIN) ;
/etc/rc2.d -> $(SEC_BIN) ;
/etc/rc3.d -> $(SEC_BIN) ;
/etc/rc4.d -> $(SEC_BIN) ;
/etc/rc5.d -> $(SEC_BIN) ;
/etc/rc6.d -> $(SEC_BIN) ;
}
Vidare ...
Sedan har vi /proc filen, den lämnar massa falska fel-meddelanden hela tiden, så vi måste kommentera bort den filen med # tecken.
Men sedan finns det andra filer under /proc som vi vill kolla med vårat Tripwire.
Dom får du skriva in för hand och lägga till i din twpol.txt fil.
Detta är följande filer du kan lägga till:
{
/dev -> $(Device) ;
#/proc -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/tty -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/dma -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/interrupts -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/scsi -> $(Device) ;
/proc/kcore -> $(Device) ;
/proc/self -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/stat -> $(Device) ;
/proc/loadavg -> $(Device) ;
/proc/uptime -> $(Device) ;
/proc/locks -> $(Device) ;
/proc/meminfo -> $(Device) ;
/proc/misc -> $(Device) ;
}
Sedan har vi en fil som heter /dev/pts
Det är en seperat fil system som inte kollas automatiskt, därför måste vi lägga till den.
Då ser det ut så här:
{
/dev -> $(Device) ;
/dev/pts -> $(Device) ;
#/proc -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/tty -> $(Device) ;
/proc/sys -> $(Device) ;
Sist så ändrar vi /var så att dom inte skickar varningar om vanliga förändringar i systemet.
Det ser ut så här:
)
{
#/var/lock -> $(SEC_CONFIG) ;
#/var/run -> $(SEC_CONFIG) ; # daemon PIDs
/var/log -> $(SEC_CONFIG) ;
}
Nu ska du spara alla förändringar med Nano.
"ctrl o" och Enter.
Här kan du nu se hur den färdiga skräddarsydda filen twpol.txt ser ut.
#
# Standard Debian Tripwire configuration
#
#
# This configuration covers the contents of all 'Essential: yes'
# packages along with any packages necessary for access to an internet
# or system availability, e.g. name services, mail services, PCMCIA
# support, RAID support, and backup/restore support.
#
#
# Global Variable Definitions
#
# These definitions override those in to configuration file. Do not
# change them unless you understand what you're doing.
#
@@section GLOBAL
TWBIN = /usr/sbin;
TWETC = /etc/tripwire;
TWVAR = /var/lib/tripwire;
#
# File System Definitions
#
@@section FS
#
# First, some variables to make configuration easier
#
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed
# infrequently but accessed
# often
SEC_LOG = $(Growing) ; # Files that grow, but that
# should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never
# change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of
# minimal security impact
SIG_MED = 66 ; # Non-critical files that are of
# significant security impact
SIG_HI = 100 ; # Critical files that are
# significant points of
# vulnerability
#
# Tripwire Binaries
#
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
#
# Tripwire Data Files - Configuration Files, Policy Files, Keys,
# Reports, Databases
#
# NOTE: We remove the inode attribute because when Tripwire creates a
# backup, it does so by renaming the old file and creating a new one
# (which will have a new inode number). Inode is left turned on for
# keys, which shouldn't ever change.
# NOTE: The first integrity check triggers this rule and each
# integrity check afterward triggers this rule until a database update
# is run, since the database file does not exist before that point.
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
$(TWVAR)/$(HOSTNAME).twd -> $(SEC_CONFIG) -i ;
$(TWETC)/tw.pol -> $(SEC_BIN) -i ;
$(TWETC)/tw.cfg -> $(SEC_BIN) -i ;
$(TWETC)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWETC)/site.key -> $(SEC_BIN) ;
#don't scan the individual reports
$(TWVAR)/report -> $(SEC_CONFIG) (recurse=0) ;
}
#
# Critical System Boot Files
# These files are critical to a correct system boot.
#
(
rulename = "Critical system boot files",
severity = $(SIG_HI)
)
{
/boot -> $(SEC_CRIT) ;
/lib/modules -> $(SEC_CRIT) ;
}
(
rulename = "Boot Scripts",
severity = $(SIG_HI)
)
{
/etc/init.d -> $(SEC_BIN) ;
#/etc/rc.boot -> $(SEC_BIN) ;
/etc/rcS.d -> $(SEC_BIN) ;
/etc/rc0.d -> $(SEC_BIN) ;
/etc/rc1.d -> $(SEC_BIN) ;
/etc/rc2.d -> $(SEC_BIN) ;
/etc/rc3.d -> $(SEC_BIN) ;
/etc/rc4.d -> $(SEC_BIN) ;
/etc/rc5.d -> $(SEC_BIN) ;
/etc/rc6.d -> $(SEC_BIN) ;
}
#
# Critical executables
#
(
rulename = "Root file-system executables",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_BIN) ;
/sbin -> $(SEC_BIN) ;
}
#
# Critical Libraries
#
(
rulename = "Root file-system libraries",
severity = $(SIG_HI)
)
{
/lib -> $(SEC_BIN) ;
}
#
# Login and Privilege Raising Programs
#
(
rulename = "Security Control",
severity = $(SIG_MED)
)
{
/etc/passwd -> $(SEC_CONFIG) ;
/etc/shadow -> $(SEC_CONFIG) ;
}
#
# These files change every time the system boots
#
(
rulename = "System boot changes",
severity = $(SIG_HI)
)
{
#/var/lock -> $(SEC_CONFIG) ;
#/var/run -> $(SEC_CONFIG) ; # daemon PIDs
/var/log -> $(SEC_CONFIG) ;
}
# These files change the behavior of the root account
(
rulename = "Root config files",
severity = 100
)
{
/root -> $(SEC_CRIT) ; # Catch all additions to /root
#/root/mail -> $(SEC_CONFIG) ;
#/root/Mail -> $(SEC_CONFIG) ;
#/root/.xsession-errors -> $(SEC_CONFIG) ;
#/root/.xauth -> $(SEC_CONFIG) ;
#/root/.tcshrc -> $(SEC_CONFIG) ;
#/root/.sawfish -> $(SEC_CONFIG) ;
#/root/.pinerc -> $(SEC_CONFIG) ;
#/root/.mc -> $(SEC_CONFIG) ;
#/root/.gnome_private -> $(SEC_CONFIG) ;
#/root/.gnome-desktop -> $(SEC_CONFIG) ;
#/root/.gnome -> $(SEC_CONFIG) ;
#/root/.esd_auth -> $(SEC_CONFIG) ;
#/root/.elm -> $(SEC_CONFIG) ;
#/root/.cshrc -> $(SEC_CONFIG) ;
/root/.bashrc -> $(SEC_CONFIG) ;
#/root/.bash_profile -> $(SEC_CONFIG) ;
#/root/.bash_logout -> $(SEC_CONFIG) ;
#/root/.bash_history -> $(SEC_CONFIG) ;
#/root/.amandahosts -> $(SEC_CONFIG) ;
#/root/.addressbook.lu -> $(SEC_CONFIG) ;
#/root/.addressbook -> $(SEC_CONFIG) ;
#/root/.Xresources -> $(SEC_CONFIG) ;
#/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
#/root/.ICEauthority -> $(SEC_CONFIG) ;
}
#
# Critical devices
#
(
rulename = "Devices & Kernel information",
severity = $(SIG_HI),
)
{
/dev -> $(Device) ;
/dev/pts -> $(Device) ;
#/proc -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/tty -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/dma -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/interrupts -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/scsi -> $(Device) ;
/proc/kcore -> $(Device) ;
/proc/self -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/stat -> $(Device) ;
/proc/loadavg -> $(Device) ;
/proc/uptime -> $(Device) ;
/proc/locks -> $(Device) ;
/proc/meminfo -> $(Device) ;
/proc/misc -> $(Device) ;
}
#
# Other configuration files
#
(
rulename = "Other configuration files",
severity = $(SIG_MED)
)
{
/etc -> $(SEC_BIN) ;
}
#
# Binaries
#
(
rulename = "Other binaries",
severity = $(SIG_MED)
)
{
/usr/local/sbin -> $(SEC_BIN) ;
/usr/local/bin -> $(SEC_BIN) ;
/usr/sbin -> $(SEC_BIN) ;
/usr/bin -> $(SEC_BIN) ;
}
#
# Libraries
#
(
rulename = "Other libraries",
severity = $(SIG_MED)
)
{
/usr/local/lib -> $(SEC_BIN) ;
/usr/lib -> $(SEC_BIN) ;
}
#
# Commonly accessed directories that should remain static with regards
# to owner and group
#
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = 0) ;
/home -> $(SEC_INVARIANT) (recurse = 0) ;
/tmp -> $(SEC_INVARIANT) (recurse = 0) ;
/usr -> $(SEC_INVARIANT) (recurse = 0) ;
/var -> $(SEC_INVARIANT) (recurse = 0) ;
/var/tmp -> $(SEC_INVARIANT) (recurse = 0) ;
}
Nu måste vi uppdatera twpol.txt med vårt nya skräddarsydda system, så Tripwire noterar detta.
sudo twadmin -m P /etc/tripwire/twpol.txt
Nu måste vi installera om databasen, så den kan uppdatera våra förändringar.
Nu ska alla fel-meddelanden vara borta.
Men om du skulle mot förmodan få ett fel-meddelande, så är det bara öppna twpol.txt och modifiera/skräddarsy och sedan installera om databasen igen.