[CentOS 8] Installing and using Tripwire

Linux

by mp.jamong 2021. 1. 15. 13:30

Tripwire is an integrity-checking security tool that detects tampering with, and additions to, system files and similar objects. Integrity means that information (data) can be accessed or changed only by authorized people. Because it reveals unintended changes to system files, it can surface signs of an intrusion, which makes it a useful tool for a security administrator. This post introduces how to install and use Tripwire.

Installing Tripwire and configuring the policy

Install Tripwire as follows. Add the EPEL repository first, then proceed with the installation.

 


# Add the EPEL repository
[root@localhost ~]# dnf -y install epel-release


# Install Tripwire
[root@localhost ~]# dnf --enablerepo=epel -y install tripwire


# Generate the keys Tripwire will use
[root@localhost ~]# tripwire-setup-keyfiles

----------------------------------------------
The Tripwire site and local passphrases are used to sign a  variety  of
files, such as the configuration, policy, and database files.

Passphrases should be at least 8 characters in length and contain  both
letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:    # enter the key passphrase
Verify the site keyfile passphrase:   # enter the key passphrase
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:   # enter the key passphrase
Verify the local keyfile passphrase:  # enter the key passphrase
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Signing configuration file...
Please enter your site passphrase:    # enter the key passphrase
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection.  It  is  recommended  that  you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.


----------------------------------------------
Signing policy file...
Please enter your site passphrase:    # enter the key passphrase
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for  your  inspection.  This  implements  a  minimal
policy, intended only to test  essential  Tripwire  functionality.  You
should edit the policy file to  describe  your  system,  and  then  use
twadmin to generate a new signed copy of the Tripwire policy.

Once you have a satisfactory Tripwire policy file, you should move  the
clear-text version to a secure location  and/or  encrypt  it  in  place
(using a tool such as GPG, for example).

Now run "tripwire --init" to enter Database Initialization  Mode.  This
reads the policy file, generates a database based on its contents,  and
then cryptographically signs the resulting  database.  Options  can  be
entered on the command line to specify which policy, configuration, and
key files are used  to  create  the  database.  The  filename  for  the
database can be specified as well. If no  options  are  specified,  the
default values from the current configuration file are used.



# Set the Tripwire report option
[root@localhost ~]# vi /etc/tripwire/twcfg.txt

REPORTLEVEL = 3
->
REPORTLEVEL = 4

# Generate the signed Tripwire configuration
[root@localhost ~]# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

# Optimize and apply the policy file
[root@localhost ~]# vi /etc/tripwire/twpolmake.pl

# Add the following content

#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#     perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

# Read the policy file line by line; each line is rewritten in $_ and printed.
while (<POL>) {
    chomp;
    # Replace the HOSTNAME setting with this machine's hostname if they differ.
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {        # entering a rule block
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {        # leaving a rule block
        $INRULE=0 ;
    }
    # Inside a rule block: "[#] /path -> attributes;" entries. Paths that do not
    # exist on this system are commented out so the check does not report them
    # as missing; paths that do exist are un-commented.
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;


[root@localhost ~]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new

[root@localhost ~]# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase:        # enter the key passphrase
Wrote policy file: /etc/tripwire/tw.pol


# Create the database
[root@localhost ~]# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase:       # enter the key passphrase

 

 

Running a check with Tripwire and reviewing the report

Running a check with Tripwire and reviewing the report works as shown below. After the check, update the database with the report that the check produced.

# Start the check
[root@localhost ~]# tripwire -m c -s -c /etc/tripwire/tw.cfg
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Report created on:            Fri 15 Jan 2021 09:00:14 AM KST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    localhost.localdomain
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/localhost.localdomain.twd
Command line used:            tripwire -m c -s -c /etc/tripwire/tw.cfg

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  User binaries                   66                0        0        0
  Tripwire Binaries               100               0        0        0
  Libraries                       66                0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        0
  Kernel Administration Programs  100               0        0        0
  Networking Programs             100               0        0        0
  System Administration Programs  100               0        0        0
  Hardware and Device Control Programs
                                  100               0        0        0
  System Information Programs     100               0        0        0
  Application Information Programs
                                  100               0        0        0
  (/sbin/rtmon)
  Critical Utility Sym-Links      100               0        0        0
  Shell Binaries                  100               0        0        0
  Critical system boot files      100               0        0        0
* Tripwire Data Files             100               1        0        0
  System boot changes             100               0        0        0
  OS executables and libraries    100               0        0        0
  Security Control                100               0        0        0
  Login Scripts                   100               0        0        0
  Critical configuration files    100               0        0        0
  Operating System Utilities      100               0        0        0
  Root config files               100               0        0        0
  Invariant Directories           66                0        0        0
  Temporary directories           33                0        0        0
  Critical devices                100               0        0        0
  (/proc/kcore)

Total objects scanned:  37734
Total violations found:  1

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/localhost.localdomain.twd"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc.  Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.


# Location where reports are saved
[root@localhost ~]# ls -al /var/lib/tripwire/report
total 8
drwx------. 2 root root   55 Jan 15 09:00 .
drwx------. 3 root root   53 Jan 15 08:56 ..
-rw-r--r--. 1 root root 6614 Jan 15 09:00 localhost.localdomain-20210115-090014.twr


# Update the DB with the most recent check report
[root@localhost ~]# tripwire -m u -a -s -c /etc/tripwire/tw.cfg -r /var/lib/tripwire/report/localhost.localdomain-20210115-090014.twr
Please enter your local passphrase:        # enter the key passphrase
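The report above is long, and a scheduled check is only interesting when a rule's Added/Removed/Modified counts are non-zero. The script below is an added example, not code from the original post or from the Tripwire project: it parses the "Rule Summary" table in the format shown above and prints only the violated rules, optionally filtered by a minimum severity, so a cron job can alert on changes instead of mailing the whole report. It assumes the report directory used on this page (/var/lib/tripwire/report) and uses twprint, Tripwire's report printer, to decode the newest .twr file when run with --live. The sample report text is a constructed excerpt; its non-zero counts were made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): list only the violated rules from
# a Tripwire integrity-check report. The sample below is a constructed excerpt
# modelled on the report shown on this page; the non-zero counts are invented.

SAMPLE_REPORT='
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  User binaries                   66                0        0        0
  Tripwire Binaries               100               0        0        0
* Hardware and Device Control Programs
                                  100               0        1        0
* Tripwire Data Files             100               1        0        0
* Security Control                100               0        0        2
  Temporary directories           33                0        0        0

Total objects scanned:  37734
Total violations found:  4
'

# violated_rules [MIN_SEVERITY]   (report text on stdin)
# Prints "rule|severity|added|removed|modified" for each rule whose counts are
# not all zero and whose severity is at least MIN_SEVERITY (default 0).
# A rule line ends in four integer columns. Tripwire wraps a long rule name onto
# the line before its numbers, so a numbers-only line takes the previous line
# as its name.
violated_rules() {
    awk -v min="${1:-0}" '
        function isnum(s) { return s ~ /^[0-9]+$/ }
        {
            n = NF
            if (n >= 4 && isnum($n) && isnum($(n-1)) && isnum($(n-2)) && isnum($(n-3))) {
                sev = $(n-3); added = $(n-2); removed = $(n-1); modified = $n
                if (n == 4) {
                    name = prev                   # wrapped name: previous line
                } else {
                    start = ($1 == "*") ? 2 : 1   # skip the "*" violation marker
                    name = $start
                    for (i = start + 1; i <= n - 4; i++) name = name " " $i
                }
                if (added + removed + modified > 0 && sev + 0 >= min + 0)
                    printf "%s|%s|%s|%s|%s\n", name, sev, added, removed, modified
            }
            prev = $0
            sub(/^[ *]+/, "", prev)               # strip indent and marker
            sub(/[ \t]+$/, "", prev)
        }'
}

# Report directory from this page (assumption: default Tripwire layout).
REPORT_DIR=${REPORT_DIR:-/var/lib/tripwire/report}

# Newest .twr report, or nothing if there is none yet.
latest_report_file() {
    ls -t "$REPORT_DIR"/*.twr 2>/dev/null | head -n 1
}

# print_violations [MIN_SEVERITY]: decode the newest report with twprint
# (Tripwire's report printer) and list only the violated rules.
print_violations() {
    f=$(latest_report_file)
    [ -n "$f" ] || { echo "no report found in $REPORT_DIR" >&2; return 2; }
    twprint -m r -r "$f" | violated_rules "${1:-0}"
}

# Run on the constructed sample by default; --live reads the real newest report
# and is only meaningful on a host where tripwire has already written one.
if [ "${1:-}" = "--live" ]; then
    print_violations "${2:-0}"
else
    printf '%s\n' "$SAMPLE_REPORT" | violated_rules 0
fi
```

Run as `sh tw-violations.sh --live 100` after a check to see only severity-100 rules with changes; an empty output means the check was clean at that level and no alert is needed. Because the policy on this page marks the Tripwire database itself as a monitored object, the first check always reports the .twd file as added, which is why the page updates the database right after the first run.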

 

 

 

 
