tripwire

- A program that monitors files for tampering.
- It records file attributes and directory information in a database and compares against it to detect changes.
- This lets you minimize the damage from data corruption caused by unwanted changes.
- The policy file specifies which files/directories on your system are monitored, so configure it carefully.


-------------------------------------------------------------------

http://www.tripwire.org/

http://sourceforge.net/projects/tripwire/

Source file
tripwire-2.4.1.2-src.tar.bz2 : (download)

RPM file
tripwire-2.4.1.1-1.el5.i386.rpm : (download)

-------------------------------------------------------------------

Go to: tripwire - RPM installation

-------------------------------------------------------------------


tripwire - Source installation



1. Download and extract tripwire

 
[root@server3 Desktop]# pwd
/root/Desktop
[root@server3 Desktop]# ls
tripwire-2.4.1.2-src.tar.bz2

[root@server3 Desktop]# tar xvfj tripwire-2.4.1.2-src.tar.bz2
tripwire-2.4.1.2-src/man/Makefile.am
tripwire-2.4.1.2-src/mkinstalldirs
tripwire-2.4.1.2-src/configure
tripwire-2.4.1.2-src/Makefile.in
tripwire-2.4.1.2-src/configure.in
tripwire-2.4.1.2-src/ChangeLog
tripwire-2.4.1.2-src/config.guess
tripwire-2.4.1.2-src/config.sub
tripwire-2.4.1.2-src/config.h.in
tripwire-2.4.1.2-src/INSTALL
tripwire-2.4.1.2-src/COPYING
tripwire-2.4.1.2-src/Makefile.am
tripwire-2.4.1.2-src/missing
tripwire-2.4.1.2-src/TRADEMARK
tripwire-2.4.1.2-src/MAINTAINERS
tripwire-2.4.1.2-src/aclocal.m4
tripwire-2.4.1.2-src/install-sh
tripwire-2.4.1.2-src/COMMERCIAL
tripwire-2.4.1.2-src/install/
tripwire-2.4.1.2-src/install/install.cfg
tripwire-2.4.1.2-src/install/install.sh
[root@server3 Desktop]# ls
tripwire-2.4.1.2-src
tripwire-2.4.1.2-src.tar.bz2

[root@server3 Desktop]# mv tripwire-2.4.1.2-src /usr/local/src




2. Install tripwire

 
[root@server3 Desktop]# cd /usr/local/src
[root@server3 src]# ls
tripwire-2.4.1.2-src

[root@server3 src]# cd tripwire-2.4.1.2-src/
[root@server3 tripwire-2.4.1.2-src]# ls
COMMERCIAL  MAINTAINERS  aclocal.m4    config.sub    install     missing
COPYING     Makefile.am  bin           configure     install-sh  mkinstalldirs
ChangeLog   Makefile.in  config.guess  configure.in  lib         policy
INSTALL     TRADEMARK    config.h.in   contrib       man         src

[root@server3 tripwire-2.4.1.2-src]# ./configure --help
`configure' configures this package to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

- (omitted)

[root@server3 tripwire-2.4.1.2-src]# ./configure --prefix=/usr/local/tripwire

- (omitted)

config.status: creating Makefile
config.status: creating man/Makefile
config.status: creating man/man4/Makefile
config.status: creating man/man5/Makefile
config.status: creating man/man8/Makefile
config.status: creating src/Makefile
config.status: creating src/cryptlib/Makefile
config.status: creating src/core/Makefile
config.status: creating src/db/Makefile
config.status: creating src/fco/Makefile
config.status: creating src/fs/Makefile
config.status: creating src/tw/Makefile
config.status: creating src/twcrypto/Makefile
config.status: creating src/twparser/Makefile
config.status: creating src/util/Makefile
config.status: creating src/twprint/Makefile
config.status: creating src/twadmin/Makefile
config.status: creating src/siggen/Makefile
config.status: creating src/tripwire/Makefile
config.status: creating config.h
config.status: executing depfiles commands

[root@server3 tripwire-2.4.1.2-src]# make

- (omitted)

make[3]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src/src/tripwire'
make[3]: Entering directory `/usr/local/src/tripwire-2.4.1.2-src/src'
make[3]: `all-am'를 위해 할 일이 없습니다
make[3]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src/src'
make[2]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src/src'
make[2]: Entering directory `/usr/local/src/tripwire-2.4.1.2-src'
make[2]: `all-am'를 위해 할 일이 없습니다
make[2]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src'
make[1]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src'

[root@server3 tripwire-2.4.1.2-src]# make install

- (omitted)

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:    - enter the site key passphrase (used when updating and signing the configuration and policy files)
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:     - enter the local key passphrase (used when initializing the DB)
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Generating Tripwire configuration file...

----------------------------------------------
Creating signed configuration file...
Please enter your site passphrase:      - enter the site passphrase to create the signed configuration file
Wrote configuration file: /usr/local/tripwire/etc/tw.cfg

A clear-text version of the Tripwire configuration file
/usr/local/tripwire/etc/twcfg.txt
has been preserved for your inspection.  It is recommended
that you delete this file manually after you have examined it.


----------------------------------------------
Customizing default policy file...

----------------------------------------------
Creating signed policy file...
Please enter your site passphrase:      - enter the site passphrase to create the signed policy file
Wrote policy file: /usr/local/tripwire/etc/tw.pol

A clear-text version of the Tripwire policy file
/usr/local/tripwire/etc/twpol.txt
has been preserved for your inspection.  This implements
a minimal policy, intended only to test essential
Tripwire functionality.  You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.


----------------------------------------------
The installation succeeded.

Please refer to
for release information and to the printed user documentation
for further instructions on using Tripwire 2.4 Open Source.

make[3]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src'
make[2]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src'
make[1]: Leaving directory `/usr/local/src/tripwire-2.4.1.2-src'
[root@server3 tripwire-2.4.1.2-src]#




3. Running tripwire

 
[root@server3 tripwire-2.4.1.2-src]# cd /usr/local/tripwire - installation directory
[root@server3 tripwire]# pwd
/usr/local/tripwire
[root@server3 tripwire]# ls
doc  etc  lib  man  sbin  share
[root@server3 tripwire]# cd sbin
[root@server3 sbin]# ls
siggen  tripwire  twadmin  twprint

[root@server3 sbin]# ./tripwire --help or twadmin --help
tripwire: File integrity assessment application.

Open Soure Tripwire(R) 2.4.1.2 built for i686-pc-linux-gnu

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Usage:

Database Initialization:  tripwire [-m i|--init] [options]
Integrity Checking:  tripwire [-m c|--check] [object1 [object2...]]
Database Update:  tripwire [-m u|--update]
Policy Update:  tripwire [-m p|--update-policy] policyfile.txt
Test:  tripwire [-m t|--test] --email address

Type 'tripwire [mode] --help' OR
'tripwire --help mode [mode...]' OR
'tripwire --help all' for extended help
[root@server3 ~]#

-------------------------------------------------------------------

1. Creating (initializing) the tripwire database

[root@server3 sbin]# ./tripwire --init
Please enter your local passphrase: 
Parsing policy file: /usr/local/tripwire/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/VMware" is on a different file system...ignoring.
The object: "/backup" is on a different file system...ignoring.
The object: "/home2" is on a different file system...ignoring.
The object: "/media/IRIVER-1GB" is on a different file system...ignoring.
The object: "/media/IRIVER-1GB_" is on a different file system...ignoring.
The object: "/media/MEMO-4GB" is on a different file system...ignoring.
The object: "/media/MXR2" is on a different file system...ignoring.
The object: "/misc" is on a different file system...ignoring.
The object: "/net" is on a different file system...ignoring.
The object: "/raid1" is on a different file system...ignoring.
The object: "/sys" is on a different file system...ignoring.
### Warning: File system error.
### Filename: /usr/local/doc
### \xea\xb7\xb8\xeb\x9f\xb0 \xed\x8c\x8c\xec\x9d\xbc\xec\x9d\xb4\xeb\x82\x98
### \xeb\x94\x94\xeb\xa0\x89\xed\x86\xa0\xeb\xa6\xac\xea\xb0\x80
### \xec\x97\x86\xec\x9d\x8c
### Continuing...

- (omitted)

Wrote database file: /usr/local/tripwire/lib/tripwire/server3.co.kr.twd
The database was successfully generated.
[root@server3 sbin]#

-------------------------------------------------------------------

2. Integrity check

[root@server3 sbin]# ./tripwire --check - integrity check

- (omitted)

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
[root@server3 sbin]#

-------------------------------------------------------------------

After the integrity check finishes, a file named xxx.twr is created.

[root@server3 ~]# cd /usr/local/tripwire/lib/tripwire/report/
[root@server3 report]# ls
server3.co.kr-20090203-114212.twr - the .twr report is not plain text, so convert it to a text file with twprint.

-------------------------------------------------------------------

[root@server3 sbin]# pwd
/usr/local/tripwire/sbin
[root@server3 sbin]# ./twprint -m r --twrfile /usr/local/tripwire/lib/tripwire/report/server3.co.kr-20090203-114212.twr > report.txt
[root@server3 sbin]# vi report.txt - here you can see the file attribute and directory information recorded in the database.
Note: Report is not encrypted.
Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Report created on:            2009년 02월 03일 (화) 오전 11시 42분 12초
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    server3.co.kr
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /usr/local/tripwire/etc/tw.pol
Configuration file used:      /usr/local/tripwire/etc/tw.cfg
Database file used:           /usr/local/tripwire/lib/tripwire/server3.co.kr.twd
Command line used:            ./tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Tripwire Data Files             0                 1        0        0
* Monitor Filesystems             0                 0        0        19
* User Binaries and Libraries     0                 0        0        1
  Tripwire Binaries               0                 0        0        0
  OS Binaries and Libraries       0                 0        0        0
  Temporary Directories           0                 0        0        0
* Global Configuration Files      0                 0        0        2
  System Boot Changes             0                 0        0        0
  RPM Checksum Files              0                 0        0        0
  OS Devices and Misc Directories 0                 0        0        0
  OS Boot Files and Mount Points  0                 0        0        0
* Root Directory and Files        0                 3        0        15

Total objects scanned:  243249
Total violations found:  41

- (omitted)
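The Rule Summary above is the part of a twprint text report worth feeding into monitoring: rows marked with `*` are the rules with added, removed or modified objects. As an added example (not code from the original post or from the Tripwire project), the following script extracts those rows and the total violation count from a report converted with `twprint -m r`, and returns a non-zero status when anything was flagged so it can drive an alert from cron. The SAMPLE_REPORT embedded in it is a constructed excerpt based on the table shown on this page.

```shell
#!/bin/sh
# Added example, not code from the original post or the Tripwire project:
# pull the violated rules and the violation total out of a twprint text report.
# SAMPLE_REPORT is a constructed excerpt based on the Rule Summary shown above.

SAMPLE_REPORT=$(cat <<'EOF'
Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:          root
Database last updated on:     Never

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Tripwire Data Files             0                 1        0        0
* Monitor Filesystems             0                 0        0        19
* User Binaries and Libraries     0                 0        0        1
  Tripwire Binaries               0                 0        0        0
  OS Binaries and Libraries       0                 0        0        0
* Global Configuration Files      0                 0        0        2
* Root Directory and Files        0                 3        0        15

Total objects scanned:  243249
Total violations found:  41
EOF
)

# summarize_report FILE
# Prints "<added> <removed> <modified> <rule name>" for every rule flagged with
# a leading "*" in the Rule Summary, and returns 1 when any such rule exists
# (0 when the check was clean).
summarize_report() {
    awk '
        /^Rule Summary:/         { in_summary = 1; next }
        /^Total objects scanned/ { in_summary = 0 }
        # Columns are whitespace-separated: the last three are Added, Removed,
        # Modified, the fourth from last is the severity, the rest is the name.
        in_summary && /^\*/ {
            added = $(NF-2); removed = $(NF-1); modified = $NF
            name = $2
            for (i = 3; i <= NF-4; i++) name = name " " $i
            printf "%s %s %s %s\n", added, removed, modified, name
            found = 1
        }
        END { if (found) exit 1 }
    ' "$1"
}

# total_violations FILE
# Prints the number from the "Total violations found:" line.
total_violations() {
    awk '/^Total violations found:/ { print $NF }' "$1"
}

# Demo on the constructed sample; for a real run point it at the output of
# twprint -m r --twrfile <report>.twr > report.txt
demo=$(mktemp)
printf '%s\n' "$SAMPLE_REPORT" > "$demo"
if summarize_report "$demo"; then
    echo "integrity check was clean"
else
    echo "total violations: $(total_violations "$demo")"
fi
rm -f "$demo"
```

Only the summary table is parsed; the detailed object lists further down the report are left alone because the `*` marker reappears there with a different meaning.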

-------------------------------------------------------------------

3. Updating the database

[root@server3 sbin]# ./tripwire --update - after the integrity check, update and save the database for your system (the error below is what happens when the report file is not passed explicitly with --twrfile)
### Error: File could not be opened.
### Filename:
### /usr/local/tripwire/lib/tripwire/report/server3.co.kr-20090203-133624.twr
### \xea\xb7\xb8\xeb\x9f\xb0 \xed\x8c\x8c\xec\x9d\xbc\xec\x9d\xb4\xeb\x82\x98
### \xeb\x94\x94\xeb\xa0\x89\xed\x86\xa0\xeb\xa6\xac\xea\xb0\x80
### \xec\x97\x86\xec\x9d\x8c
### Exiting...
[root@server3 sbin]#
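The failing `--update` above goes looking for `server3.co.kr-20090203-133624.twr`, a report named from the current time, while the check actually wrote `server3.co.kr-20090203-114212.twr`. That is what happens when `--update` is run without `--twrfile`: the report path is taken from REPORTFILE in tw.cfg, whose `$(DATE)` expands to the time of the update rather than the time of the check. As an added example (not code from the original post or from the Tripwire project), the script below finds the newest report in the report directory and passes it explicitly; the TWBIN and TWREPORT paths follow the --prefix used on this page and are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or the Tripwire project:
# run the check, print the report, and update the database from that exact
# report. Without --twrfile, tripwire --update builds the report name from
# REPORTFILE in tw.cfg, whose $(DATE) is the time of the update, so it looks
# for a file that was never written (the error above). TWBIN and TWREPORT
# follow the --prefix used on the page and are assumptions.

TWBIN=${TWBIN:-/usr/local/tripwire/sbin}
TWREPORT=${TWREPORT:-/usr/local/tripwire/lib/tripwire/report}

# latest_report DIR
# Prints the path of the newest report in DIR, or returns 1 if there is none.
# Reports are named <host>-<YYYYMMDD>-<HHMMSS>.twr, so the sorted order in
# which the shell expands the glob is chronological and the last match wins.
latest_report() {
    newest=
    for f in "$1"/*.twr; do
        [ -f "$f" ] && newest=$f
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# check_and_update
# 1. run the integrity check (it exits non-zero when violations are found,
#    which is expected here, not an error),
# 2. convert the report it wrote to text next to it, for the record,
# 3. update the database from that same report; tripwire prompts for the
#    local passphrase and opens the editor on the list of changes
#    (add --accept-all to take every change without review).
check_and_update() {
    "$TWBIN/tripwire" --check || true
    report=$(latest_report "$TWREPORT") || {
        echo "no .twr report found in $TWREPORT" >&2
        return 1
    }
    "$TWBIN/twprint" -m r --twrfile "$report" > "${report%.twr}.txt"
    "$TWBIN/tripwire" --update --twrfile "$report"
}

# The real workflow needs root and an initialized database, so only run it
# when invoked with "run"; otherwise just show which report would be used.
if [ "${1:-}" = run ]; then
    check_and_update
else
    latest_report "$TWREPORT" || echo "no reports in $TWREPORT yet"
fi
```

Reviewing the change list before accepting it is the point of the update step: a modification you did not make is exactly what the check exists to surface, so `--accept-all` belongs only in a run where every change has already been verified out of band.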



[Source] http://bban2.tistory.com/236