Tripwireとは
TripwireはオープンソースのIDS。
ファイル改ざんを検知できるアプリ。
TripwireでWordPressなどのファイルが
第三者に勝手に
改竄されていないかの確認します。
参考記事
この記事を参考にしました。
https://www.howtoforge.com/tutorial/how-to-monitor-and-detect-modified-files-using-tripwire-on-ubuntu-1604/
apt update and upgrade
以下のコマンドを実行してアップデートとアップグレード
sudo apt update
sudo apt upgrade
apt install tripwire
以下のコマンドでtripwireをインストール
sudo apt install tripwire
Tripwire Configuration
Yesを選択
Yesを選択
Yesを選択
Yesを選択
サイトパスフレーズを入力
パスフレーズを忘れない。
ローカルパスフレーズを入力
パスフレーズを忘れない。
tripwireポリシーを構成する
Tripwire DB を初期化する。
以下のコマンドを実行。
sudo tripwire --init
The database was successfully generated.
が表示されれば成功。
エラーになったら
sudo sh -c "tripwire --check | grep Filename > no-directory.txt"
を、実行して存在しないディレクトリを確認。
twpol.txtに反映させる。
とりあえず一回レポートを作ってみる
sudo tripwire --check
30秒くらいでエラーがバリバリ表示される。
ポリシーファイルを変更する
テキストエディタを起動
sudo vi /etc/tripwire/twpol.txt
以下のように変更した。
#
# Standard Debian Tripwire configuration
#
#
# This configuration covers the contents of all 'Essential: yes'
# packages along with any packages necessary for access to an internet
# or system availability, e.g. name services, mail services, PCMCIA
# support, RAID support, and backup/restore support.
#
#
# Global Variable Definitions
#
# These definitions override those in to configuration file. Do not
# change them unless you understand what you're doing.
#
@@section GLOBAL
TWBIN = /usr/sbin;
TWETC = /etc/tripwire;
TWVAR = /var/lib/tripwire;
#
# File System Definitions
#
@@section FS
#
# First, some variables to make configuration easier
#
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed
# infrequently but accessed
# often
SEC_LOG = $(Growing) ; # Files that grow, but that
# should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never
# change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of
# minimal security impact
SIG_MED = 66 ; # Non-critical files that are of
# significant security impact
SIG_HI = 100 ; # Critical files that are
# significant points of
# vulnerability
#
# Tripwire Binaries
#
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
#
# Tripwire Data Files - Configuration Files, Policy Files, Keys,
# Reports, Databases
#
# NOTE: We remove the inode attribute because when Tripwire creates a
# backup, it does so by renaming the old file and creating a new one
# (which will have a new inode number). Inode is left turned on for
# keys, which shouldn't ever change.
# NOTE: The first integrity check triggers this rule and each
# integrity check afterward triggers this rule until a database update
# is run, since the database file does not exist before that point.
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
$(TWVAR)/$(HOSTNAME).twd -> $(SEC_CONFIG) -i ;
$(TWETC)/tw.pol -> $(SEC_BIN) -i ;
$(TWETC)/tw.cfg -> $(SEC_BIN) -i ;
$(TWETC)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWETC)/site.key -> $(SEC_BIN) ;
#don't scan the individual reports
$(TWVAR)/report -> $(SEC_CONFIG) (recurse=0) ;
}
#
# Critical System Boot Files
# These files are critical to a correct system boot.
#
(
rulename = "Critical system boot files",
severity = $(SIG_HI)
)
{
/boot -> $(SEC_CRIT) ;
/lib/modules -> $(SEC_CRIT) ;
}
(
rulename = "Boot Scripts",
severity = $(SIG_HI)
)
{
/etc/init.d -> $(SEC_BIN) ;
#/etc/rc.boot -> $(SEC_BIN) ;
/etc/rcS.d -> $(SEC_BIN) ;
/etc/rc0.d -> $(SEC_BIN) ;
/etc/rc1.d -> $(SEC_BIN) ;
/etc/rc2.d -> $(SEC_BIN) ;
/etc/rc3.d -> $(SEC_BIN) ;
/etc/rc4.d -> $(SEC_BIN) ;
/etc/rc5.d -> $(SEC_BIN) ;
/etc/rc6.d -> $(SEC_BIN) ;
}
#
# Critical executables
#
(
rulename = "Root file-system executables",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_BIN) ;
/sbin -> $(SEC_BIN) ;
}
#
# Critical Libraries
#
(
rulename = "Root file-system libraries",
severity = $(SIG_HI)
)
{
/lib -> $(SEC_BIN) ;
}
#
# Login and Privilege Raising Programs
#
(
rulename = "Security Control",
severity = $(SIG_MED)
)
{
/etc/passwd -> $(SEC_CONFIG) ;
/etc/shadow -> $(SEC_CONFIG) ;
}
#
# These files change every time the system boots
#
(
rulename = "System boot changes",
severity = $(SIG_HI)
)
{
#/var/lock -> $(SEC_CONFIG) ;
#/var/run -> $(SEC_CONFIG) ; # daemon PIDs
/var/log -> $(SEC_CONFIG) ;
}
# These files change the behavior of the root account
(
rulename = "Root config files",
severity = 100
)
{
/root -> $(SEC_CRIT) ; # Catch all additions to /root
#/root/mail -> $(SEC_CONFIG) ;
#/root/Mail -> $(SEC_CONFIG) ;
#/root/.xsession-errors -> $(SEC_CONFIG) ;
#/root/.xauth -> $(SEC_CONFIG) ;
#/root/.tcshrc -> $(SEC_CONFIG) ;
#/root/.sawfish -> $(SEC_CONFIG) ;
#/root/.pinerc -> $(SEC_CONFIG) ;
#/root/.mc -> $(SEC_CONFIG) ;
#/root/.gnome_private -> $(SEC_CONFIG) ;
#/root/.gnome-desktop -> $(SEC_CONFIG) ;
#/root/.gnome -> $(SEC_CONFIG) ;
#/root/.esd_auth -> $(SEC_CONFIG) ;
#/root/.elm -> $(SEC_CONFIG) ;
#/root/.cshrc -> $(SEC_CONFIG) ;
/root/.bashrc -> $(SEC_CONFIG) ;
#/root/.bash_profile -> $(SEC_CONFIG) ;
#/root/.bash_logout -> $(SEC_CONFIG) ;
#/root/.bash_history -> $(SEC_CONFIG) ;
#/root/.amandahosts -> $(SEC_CONFIG) ;
#/root/.addressbook.lu -> $(SEC_CONFIG) ;
#/root/.addressbook -> $(SEC_CONFIG) ;
#/root/.Xresources -> $(SEC_CONFIG) ;
#/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
#/root/.ICEauthority -> $(SEC_CONFIG) ;
}
#
# Critical devices
#
(
rulename = "Devices & Kernel information",
severity = $(SIG_HI),
)
{
/dev -> $(Device) ;
/dev/pts -> $(Device);
/dev/shm -> $(Device);
/dev/hugepages -> $(Device);
/dev/mqueue -> $(Device);
#/proc -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/tty -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/dma -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/interrupts -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/scsi -> $(Device) ;
/proc/kcore -> $(Device) ;
/proc/self -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/stat -> $(Device) ;
/proc/loadavg -> $(Device) ;
/proc/uptime -> $(Device) ;
/proc/locks -> $(Device) ;
/proc/meminfo -> $(Device) ;
/proc/misc -> $(Device) ;
}
#
# Other configuration files
#
(
rulename = "Other configuration files",
severity = $(SIG_MED)
)
{
/etc -> $(SEC_BIN) ;
}
#
# Binaries
#
(
rulename = "Other binaries",
severity = $(SIG_MED)
)
{
/usr/local/sbin -> $(SEC_BIN) ;
/usr/local/bin -> $(SEC_BIN) ;
/usr/sbin -> $(SEC_BIN) ;
/usr/bin -> $(SEC_BIN) ;
}
#
# Libraries
#
(
rulename = "Other libraries",
severity = $(SIG_MED)
)
{
/usr/local/lib -> $(SEC_BIN) ;
/usr/lib -> $(SEC_BIN) ;
}
#
# Commonly accessed directories that should remain static with regards
# to owner and group
#
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = 0) ;
/home -> $(SEC_INVARIANT) (recurse = 0) ;
/tmp -> $(SEC_INVARIANT) (recurse = 0) ;
/usr -> $(SEC_INVARIANT) (recurse = 0) ;
/var -> $(SEC_INVARIANT) (recurse = 0) ;
/var/tmp -> $(SEC_INVARIANT) (recurse = 0) ;
}
ポリシーファイルを再構築
sudo twadmin -m P /etc/tripwire/twpol.txt
Tripwire DBを再構築
sudo tripwire --init
chckecを実行
sudo tripwire --check
WordPressのディレクトリを検知対象に追加
sudo vi /etc/tripwire/twpol.txt
以下を追記
*/var/www/wp-contentsにコンテンツがある例。
通知メール送信先をmyname@example.jpに設定。
# Ruleset for Wordpress
(
rulename = "Wordpress Ruleset",
severity= $(SIG_HI),
emailto = myname@example.jp
)
{
/var/www/wp-contents -> $(SEC_CRIT);
}
ポリシーを再構築
sudo twadmin -m P /etc/tripwire/twpol.txt
Tripwire DBを再構築
sudo tripwire --init
チェックしてみる
sudo tripwire --check
No violations.
No Errors
を確認。
ファイルを更新してみる
touch /var/www/wp-contents/foobar
sudo tripwire --check
以下の表示を確認。
Total violations found: 2
Added:
"/var/www/wp-contents/foobar"
Modified:
"/var/www/wp-contents"
メール送信テスト
tripwire --test --email test@example.com
メールが届く事確認
cronの設定
以下の例は毎日午前0時0分に実行
sudo crontab -e -u root
0 0 * * * tripwire --check --email-report
/var/lib/tripwire/report/ ディレクトリにファイルが作られるのでこれをチェックする。