Edited at

ファイル改ざん検知ツール Tripwire

More than 1 year has passed since last update.


Tripwire

商用化されたという記述が多いが、オープンソース版は GPLv2+ ライセンスで利用可能。


HIDS

Tripwire 以外の主な HIDS は以下の通り。



  • AFICK 3.5.2 (2016/08/05) - SourceForge に rpm パッケージがある。


  • AIDE 0.16 (2016/07/25) - CentOS の Base リポジトリーにある。


  • OSSEC 2.9_beta5 (2016/04/26) - inotify 対応。Atomic リポジトリーにある。


  • Samhain 4.2.0 (2016/10/13) - inotify 対応。


  • Tripwire 2.4.3.1 (2016/04/24)- EPEL リポジトリーにある。


インストール


EPEL リポジトリーの追加

yum install epel-release


Tripwire

yum install tripwire


key

tripwire-setup-keyfiles


初期化

tripwire --init

Warning: File system error. が出力されまくる。設定ファイルを変更しないといけないようだ。


チェック

tripwire --check


出力例

Open Source Tripwire(R) 2.4.3.1 Integrity Check Report

Report generated by: root
Report created on: 2016年08月27日 04時09分49秒
Database last updated on: Never

===============================================================================
Report Summary:
===============================================================================

Host name: localhost.localdomain
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/localhost.localdomain.twd
Command line used: tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Critical configuration files 100 0 0 0
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
Critical system boot files 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
Shell Related Programs 100 0 0 0
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
* Tripwire Data Files 100 1 0 0
System boot changes 100 0 0 0
OS executables and libraries 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
* Root config files 100 0 0 2
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
Critical devices 100 0 0 0

Total objects scanned: 39112
Total violations found: 3

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/localhost.localdomain.twd"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/root"
"/root/.viminfo"

===============================================================================
Error Report:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

1. File system error.
Filename: /usr/sbin/fixrmtab
(省略)
163. File system error.
Filename: /proc/pci

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.



設定ファイル


/etc/tripwire/twcfg.txt

ROOT                   =/usr/sbin

POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t


/etc/cron.daily/tripwire-check

#!/bin/sh

HOST_NAME=`uname -n`
if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****"
echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"
else
test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check
fi


セキュリティ関連記事