Tripwire, a file tamper-detection tool

Posted at 2016-08-26

Tripwire

Many write-ups say that it went commercial, but the open source version is still available under the GPLv2+ license.

HIDS

The main HIDS tools other than Tripwire are the following.

  • AFICK 3.5.2 (2016/08/05) - an rpm package is available on SourceForge.
  • AIDE 0.16 (2016/07/25) - in the CentOS Base repository.
  • OSSEC 2.9_beta5 (2016/04/26) - supports inotify. In the Atomic repository.
  • Samhain 4.2.0 (2016/10/13) - supports inotify.
  • Tripwire 2.4.3.1 (2016/04/24) - in the EPEL repository.

Installation

Adding the EPEL repository

yum install epel-release

Tripwire

yum install tripwire

Keys

tripwire-setup-keyfiles

Initialization

tripwire --init

`Warning: File system error.` is printed over and over. It seems the configuration has to be changed: each warning is for a path that the policy lists but that does not exist on this host (the Error Report at the end of the check output lists them).
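One way to get rid of the noise, as an added example that is not from the original article: read the paths out of the Error Report section of a tripwire report (the layout is the one shown in the check output further down) and comment out the matching rule lines in a copy of /etc/tripwire/twpol.txt. The report and policy excerpts the script writes are constructed sample input, and the exact paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the Open Source
# Tripwire report layout ("Error Report:" section with "Filename: <path>"
# lines) and the stock twpol.txt rule layout ("<path>  -> $(SEC_...) ;").
# The report and policy excerpts written by make_sample are constructed.
set -eu

# Print every path listed under "Error Report:" in a tripwire report file.
extract_missing() {
    awk '/^Error Report:/ { inerr = 1 }
         inerr && /^[[:space:]]*Filename:/ { print $2 }' "$1"
}

# Comment out the rule lines in POLICY whose path appears in REPORT's error
# section, so the next --init / --check stop reporting them. Edits in place.
comment_out_missing() {
    policy=$1
    report=$2
    tmp="$policy.tmp"
    cp "$policy" "$tmp"
    extract_missing "$report" | while IFS= read -r path; do
        # Escape sed metacharacters in the path ('|' is the s/// delimiter).
        esc=$(printf '%s' "$path" | sed 's/[][\\.*^$|&]/\\&/g')
        # Match the path only at the start of a rule line, followed by a blank.
        sed "s|^\([[:space:]]*\)\(${esc}[[:space:]]\)|\1# \2|" "$tmp" > "$tmp.2"
        mv "$tmp.2" "$tmp"
    done
    mv "$tmp" "$policy"
}

# Constructed sample input: a trimmed report and policy written into DIR.
make_sample() {
    dir=$1
    cat > "$dir/report.txt" <<'EOF'
===============================================================================
Error Report:
===============================================================================
1.   File system error.
     Filename: /usr/sbin/fixrmtab
2.   File system error.
     Filename: /proc/pci
EOF
    cat > "$dir/twpol.txt" <<'EOF'
(
  rulename = "File System and Disk Administraton Programs",
  severity = $(SIG_HI)
)
{
  /usr/sbin/fixrmtab          -> $(SEC_CRIT) ;
  /usr/sbin/fsck              -> $(SEC_CRIT) ;
  /proc/pci                   -> $(Device) ;
}
EOF
}

# Demo: prune the constructed policy and show the result.
demo=$(mktemp -d)
make_sample "$demo"
comment_out_missing "$demo/twpol.txt" "$demo/report.txt"
cat "$demo/twpol.txt"
rm -rf "$demo"
```

After editing the text policy, regenerate the signed policy with `twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt` and run `tripwire --init` again; the commented-out entries then disappear from the Error Report.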

Check

tripwire --check

Example output:
Open Source Tripwire(R) 2.4.3.1 Integrity Check Report

Report generated by:          root
Report created on:            2016年08月27日 04時09分49秒
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    localhost.localdomain
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/localhost.localdomain.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  User binaries                   66                0        0        0
  Tripwire Binaries               100               0        0        0
  Critical configuration files    100               0        0        0
  Libraries                       66                0        0        0
  Operating System Utilities      100               0        0        0
  Critical system boot files      100               0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        0
  Kernel Administration Programs  100               0        0        0
  Networking Programs             100               0        0        0
  System Administration Programs  100               0        0        0
  Hardware and Device Control Programs
                                  100               0        0        0
  System Information Programs     100               0        0        0
  Application Information Programs
                                  100               0        0        0
  Shell Related Programs          100               0        0        0
  Critical Utility Sym-Links      100               0        0        0
  Shell Binaries                  100               0        0        0
* Tripwire Data Files             100               1        0        0
  System boot changes             100               0        0        0
  OS executables and libraries    100               0        0        0
  Security Control                100               0        0        0
  Login Scripts                   100               0        0        0
* Root config files               100               0        0        2
  Invariant Directories           66                0        0        0
  Temporary directories           33                0        0        0
  Critical devices                100               0        0        0

Total objects scanned:  39112
Total violations found:  3

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/localhost.localdomain.twd"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/root"
"/root/.viminfo"

===============================================================================
Error Report:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

1.   File system error.
     Filename: /usr/sbin/fixrmtab
(omitted)
163. File system error.
     Filename: /proc/pci

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
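The report above is meant for a human, but the same text is easy to triage automatically. As an added example (not from the original article), the script below pulls the rules flagged with `*` in the Rule Summary and the paths under Added:/Removed:/Modified: in the Object Summary, and totals the violations; it also handles rule names that wrap onto a second line, as several do above. The report it writes is constructed from the output above plus one wrapped, flagged rule and one extra modified path that are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Turns an Open Source Tripwire
# report in the layout shown above into something a cron job or monitoring
# agent can act on: the rules flagged with "*" in "Rule Summary:" and the
# objects listed under Added:/Removed:/Modified: in "Object Summary:".
# The report written by make_report is constructed from that output, plus one
# flagged rule with a wrapped name (and its path) so the two-line case runs.
set -eu

# Print "rule name|added|removed|modified" for every rule flagged with "*".
# Long rule names wrap, putting the counts on the following line; such lines
# are buffered in "pending" and joined with the next line before parsing.
violated_rules() {
    awk '
    function emit(line,    f, n, i, name) {
        sub(/[ \t]+$/, "", line)
        n = split(line, f, "[ \t]+")
        # f[1] is "*"; the last four fields are severity, added, removed, modified
        name = f[2]
        for (i = 3; i <= n - 4; i++) name = name " " f[i]
        printf "%s|%s|%s|%s\n", name, f[n-2], f[n-1], f[n]
    }
    /^Rule Summary:/   { insum = 1 }
    /^Object Summary:/ { insum = 0 }
    insum && pending != "" { emit(pending " " $0); pending = ""; next }
    insum && /^\*/ {
        if ($NF ~ /^[0-9]+$/) emit($0); else pending = $0
    }' "$1"
}

# Print "Added|path", "Removed|path" or "Modified|path" for each object.
changed_objects() {
    awk '/^Object Summary:/ { inobj = 1 }
         /^Error Report:/   { inobj = 0 }
         inobj && /^(Added|Removed|Modified):$/ { kind = substr($1, 1, length($1) - 1); next }
         inobj && /^"/ { gsub(/"/, ""); print kind "|" $0 }' "$1"
}

# Total changed objects across flagged rules: the number to alert on.
violation_count() {
    violated_rules "$1" | awk -F'|' '{ s += $2 + $3 + $4 } END { print s + 0 }'
}

# Constructed sample report (trimmed from the --check output above).
make_report() {
    cat > "$1" <<'EOF'
===============================================================================
Rule Summary:
===============================================================================

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  User binaries                   66                0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        0
* Tripwire Data Files             100               1        0        0
* Root config files               100               0        0        2
* Hardware and Device Control Programs
                                  100               0        0        1

Total objects scanned:  39112
Total violations found:  4

===============================================================================
Object Summary:
===============================================================================

Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100

Added:
"/var/lib/tripwire/localhost.localdomain.twd"

Rule Name: Root config files (/root)
Severity Level: 100

Modified:
"/root"
"/root/.viminfo"

Rule Name: Hardware and Device Control Programs (/sbin)
Severity Level: 100

Modified:
"/sbin/hdparm"

===============================================================================
Error Report:
===============================================================================
EOF
}

# Demo on the constructed report.
report=$(mktemp)
make_report "$report"
echo "violated rules:";  violated_rules "$report"
echo "changed objects:"; changed_objects "$report"
echo "violations: $(violation_count "$report")"
rm -f "$report"
```

The point of the summary is to push rule names and object paths into syslog or an alert with a stable one-line format, rather than mailing the full report; anything under "Tripwire Data Files" after a fresh `--init` is expected, whereas a change under "Root config files" or any rule with severity 100 is what deserves a look.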

Configuration files

/etc/tripwire/twcfg.txt:
ROOT                   =/usr/sbin
POLFILE                =/etc/tripwire/tw.pol
DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE            =/etc/tripwire/site.key
LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t

/etc/cron.daily/tripwire-check:
#!/bin/sh
HOST_NAME=`uname -n`
if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
        echo "****    Error: Tripwire database for ${HOST_NAME} not found.    ****"
        echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"
else
        test -f /etc/tripwire/tw.cfg &&  /usr/sbin/tripwire --check
fi
