Go to http://sourceforge.net/projects/tripwire/
and download the latest version of Tripwire; at the time of writing that is tripwire-2.4.2.2-src.tar.bz2.
Installation is straightforward. Unpack the archive and enter the directory:
tar -jxvf tripwire-2.4.2.2-src.tar.bz2
cd tripwire-2.4.2.2-src
Then configure, build and install:
./configure --prefix=/usr/local/tripwire
make && make install
Continue with installation [y/n] y #type y to continue
The installer then prompts for a couple of passphrases (one for the site key, one for the local key) and the installation is done.
Configuring Tripwire:
vi /usr/local/tripwire/etc/twcfg.txt #edit the plain-text Tripwire configuration file (with the --prefix used above it lives under /usr/local/tripwire/etc, not /etc/tripwire)
LOOSEDIRECTORYCHECKING =false #find this line and change false to true (a directory is then not reported as modified merely because files inside it were added or removed)
LOOSEDIRECTORYCHECKING =true #after the change
REPORTLEVEL =3 #find this line and change 3 to 4 (verbosity of the check report; 4 is the most detailed level)
REPORTLEVEL =4 #after the change
cd /usr/local/tripwire/etc #site.key and twcfg.txt are referenced relative to this directory
/usr/local/tripwire/sbin/twadmin --create-cfgfile -S site.key twcfg.txt #build the signed, encoded configuration file from the text one
Please enter your site passphrase: #enter the "site keyfile" passphrase
Wrote configuration file: /usr/local/tripwire/etc/tw.cfg
Edit twpol.txt to control which directories are checked: comment out or delete the paths you do not want scanned, then save twpol.txt. Note that tripwire reads the signed tw.pol, not twpol.txt, so an edited twpol.txt has to be signed with twadmin --create-polfile (or applied with tripwire --update-policy, see below) before it takes effect.
Initialising the database:
/usr/local/tripwire/sbin/tripwire --init
Please enter your local passphrase: #enter the "local keyfile" passphrase
Parsing policy file: /usr/local/tripwire/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/sys" is on a different file system...ignoring.
[... output omitted ...]
Wrote database file: /usr/local/tripwire/lib/tripwire/localhost.localdomain.twd
The database was successfully generated.
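The set-up steps above (edit twcfg.txt, trim twpol.txt, sign the files, build the baseline) as one script. This is an added example, not code from the original article or from the Tripwire project. It assumes the --prefix=/usr/local/tripwire layout used above (twcfg.txt, twpol.txt and site.key in /usr/local/tripwire/etc); TW_PREFIX, TW_SITE_PASS and TW_LOCAL_PASS are hypothetical environment variables (the latter two hold the site and local passphrases so the run can be unattended), and the script name tw-setup.sh is made up. It goes one step beyond the text: instead of commenting out unwanted policy entries by hand, comment_missing_paths comments out every rule or exclusion whose path does not exist on this host, which is what otherwise produces a "No such file or directory" error per entry during --init and --check.

```shell
#!/bin/sh
# Added example (not from the original article or the Tripwire project).
# Assumptions: Tripwire built with --prefix=/usr/local/tripwire; TW_SITE_PASS
# and TW_LOCAL_PASS are hypothetical variables holding the two passphrases.

TW_PREFIX="${TW_PREFIX:-/usr/local/tripwire}"

# set_twcfg FILE KEY VALUE: set KEY in a twcfg.txt-style file ("KEY =value"
# lines). An existing line is rewritten in place; a missing key is appended.
set_twcfg() {
    if grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed "s|^[[:space:]]*$2[[:space:]]*=.*|$2 =$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s =%s\n' "$2" "$3" >> "$1"
    fi
}

# get_twcfg FILE KEY: print the value of KEY (empty if the key is absent).
get_twcfg() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# The two edits the text makes by hand: do not flag a directory as modified
# just because a file inside it was added or removed, and use the most
# verbose report level.
harden_twcfg() {
    set_twcfg "$1" LOOSEDIRECTORYCHECKING true
    set_twcfg "$1" REPORTLEVEL 4
}

# comment_missing_paths < twpol.txt > twpol.new: comment out every rule or
# exclusion line ("/path -> ..." or "!/path ;") whose path does not exist on
# this host. Tripwire otherwise logs a "No such file or directory" error for
# each of them at --init and --check time, which buries the real findings.
comment_missing_paths() {
    while IFS= read -r line || [ -n "$line" ]; do
        path=$(printf '%s\n' "$line" | sed -n 's|^[[:space:]]*!\{0,1\}\(/[^[:space:]]*\).*|\1|p')
        if [ -n "$path" ] && [ ! -e "$path" ] && [ ! -L "$path" ]; then
            printf '#%s\n' "$line"
        else
            printf '%s\n' "$line"
        fi
    done
}

# bootstrap_tripwire: apply the edits, re-sign config and policy with the
# site key, then build the baseline database with the local key. The
# --create-polfile step is what turns the edited twpol.txt into the tw.pol
# that "tripwire --init" actually reads.
bootstrap_tripwire() {
    cd "$TW_PREFIX/etc" || return 1
    harden_twcfg twcfg.txt
    comment_missing_paths < twpol.txt > twpol.txt.new && mv twpol.txt.new twpol.txt
    "$TW_PREFIX/sbin/twadmin" --create-cfgfile -S site.key -Q "$TW_SITE_PASS" twcfg.txt
    "$TW_PREFIX/sbin/twadmin" --create-polfile -S site.key -Q "$TW_SITE_PASS" twpol.txt
    "$TW_PREFIX/sbin/tripwire" --init -P "$TW_LOCAL_PASS"
}

# Only touch the real installation when invoked as: sh tw-setup.sh bootstrap
if [ "${1-}" = "bootstrap" ]; then
    bootstrap_tripwire
fi
```

Run it as root with the two passphrases exported (sh tw-setup.sh bootstrap). Passing the passphrases on the command line (-Q/-P) is what makes the run unattended, but it also exposes them in the process list for the duration of each twadmin/tripwire call, so on a shared host prefer the interactive prompts shown above.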
Updating the database:
After you have changed twpol.txt, apply it and rebuild the database with this command (--secure-mode low lets the update go through even if files have changed since the database was built; in high mode such changes abort it):
cd /usr/local/tripwire
./sbin/tripwire --update-policy --secure-mode low /usr/local/tripwire/etc/twpol.txt
Parsing policy file: /usr/local/tripwire/etc/twpol.txt
Please enter your local passphrase: #enter the "local keyfile" passphrase
Please enter your site passphrase: #enter the "site keyfile" passphrase
======== Policy Update: Processing section Unix File System.
======== Step 1: Gathering information for the new policy.
The object: "/sys" is on a different file system...ignoring.
[... output omitted ...]
### Continuing...
Wrote database file: /usr/local/tripwire/lib/tripwire/localhost.localdomain.twd
The database was successfully generated.
Checking for file changes:
Once Tripwire is installed you can run integrity checks periodically. With --interactive, the report is opened in an editor after the check so you can choose which changes to accept into the database (this asks for the local passphrase); without it, tripwire --check only prints the report and writes the .twr file.
./sbin/tripwire --check --interactive
Parsing policy file: /usr/local/tripwire/etc/tw.pol
*** Processing Unix File System ***
[... output omitted ...]
Viewing reports:
All Tripwire reports are stored with a .twr suffix under lib/tripwire/report in the install prefix; they are encoded, so use twprint to convert one to text:
/usr/local/tripwire/sbin/twprint --print-report --twrfile /usr/local/tripwire/lib/tripwire/report/localhost.localdomain-20100225-164220.twr > /tmp/tripwire_readable.txt
cat /tmp/tripwire_readable.txt
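A cron-friendly wrapper around the check and report steps above, as an added example that is not part of the original article or of Tripwire itself: it runs tripwire --check, renders the newest .twr report with twprint, reads "Total violations found" from the text and lists the rules with any Added/Removed/Modified count, exiting non-zero when something changed so cron mail or a monitoring job notices. It assumes the --prefix=/usr/local/tripwire layout (TW_PREFIX is a hypothetical override), and the script name tw-check.sh and the sample report in sample_report are constructed; the sample follows the layout twprint uses, where a rule with violations is marked with a leading "*".

```shell
#!/bin/sh
# Added example (not from the original article or the Tripwire project).
# Assumes Tripwire installed under /usr/local/tripwire; TW_PREFIX is a
# hypothetical override.

TW_PREFIX="${TW_PREFIX:-/usr/local/tripwire}"
TW_REPORT_DIR="$TW_PREFIX/lib/tripwire/report"

# violations_in_report < report.txt: print the count from the
# "Total violations found: N" line. Returns 1 if the line is missing, so a
# truncated or unparseable report is treated as a failure, not as "clean".
violations_in_report() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$n" ] || return 1
    printf '%s\n' "$n"
}

# rules_with_changes < report.txt: print the names of rules whose
# Added/Removed/Modified counts are not all zero, from the per-rule table
# ("Rule Name  Severity Level  Added  Removed  Modified").
rules_with_changes() {
    awk '
        /^[[:space:]]*Rule Name/                    { state = 1; next }  # column header
        state == 1 && /^[[:space:]]*-+/             { state = 2; next }  # dashed underline
        state == 2 && (/^[[:space:]]*$/ || /^Total/) { state = 0 }       # end of table
        state == 2 {
            sub(/^[[:space:]]*\*?[[:space:]]*/, "")   # drop the "*" marker on hit rules
            if (NF >= 5 && $(NF-2) + $(NF-1) + $NF > 0) {
                name = $1
                for (i = 2; i <= NF - 4; i++) name = name " " $i
                print name
            }
        }'
}

# run_check: check, convert the newest report, decide. Exit 0 clean,
# 1 violations, 2 could not produce or parse a report.
run_check() {
    # tripwire --check can exit non-zero when it finds violations; the report,
    # not the exit status, drives the decision below.
    "$TW_PREFIX/sbin/tripwire" --check > /dev/null 2>&1 || true
    latest=$(ls -t "$TW_REPORT_DIR"/*.twr 2>/dev/null | head -n 1)
    if [ -z "$latest" ]; then
        echo "tripwire: no report found in $TW_REPORT_DIR" >&2
        return 2
    fi
    txt="${latest%.twr}.txt"
    "$TW_PREFIX/sbin/twprint" --print-report --twrfile "$latest" > "$txt"
    if ! n=$(violations_in_report < "$txt"); then
        echo "tripwire: could not parse $txt" >&2
        return 2
    fi
    if [ "$n" -gt 0 ]; then
        echo "tripwire: $n violation(s), see $txt; rules hit:" >&2
        rules_with_changes < "$txt" >&2
        return 1
    fi
    echo "tripwire: clean ($txt)"
}

# Constructed sample report (same layout as twprint output) for a dry run.
sample_report() {
    cat <<'EOF'
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Tripwire Data Files             100               0        0        0
* OS Binaries and Libraries       100               0        0        2
* Root Directory and Files        100               1        0        0
  Temporary Directories           33                0        0        0

Total objects scanned:  48224
Total violations found:  3
===============================================================================
EOF
}

case "${1-}" in
    check) run_check ;;                                   # real run: sh tw-check.sh check
    demo)  sample_report | violations_in_report           # dry run on the sample
           sample_report | rules_with_changes ;;
esac
```

A crontab entry such as 0 3 * * * root /usr/local/tripwire/sbin/tw-check.sh check (hypothetical path) gives a nightly check whose exit status and stderr carry the result; sh tw-check.sh demo exercises the parsing on the sample without touching the real database.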
Setting the environment variable:
Note that this is normally done for ordinary user accounts only. Avoid editing root's environment file: appending a directory to root's PATH is a risk if anyone other than root can write to that directory.
vi .bash_profile #edit the environment definition file
Then edit your PATH declaration, in this form:
PATH=$PATH:/usr/local/tripwire/sbin/
Run this to make it take effect immediately:
source .bash_profile
Tripwire is simple to use and maintain, but actually monitoring a system still depends on the administrator writing a complete policy and choosing a check interval so that problems are noticed in time. Also, Tripwire can only tell you which files were changed and which attributes changed; judging those changes and acting on them is up to the administrator. Tripwire is an after-the-fact tool.
Finally, a sample report:
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                          Severity Level    Added    Removed  Modified
  ---------                          --------------    -----    -------  --------
  Tripwire Data Files                0                 0        0        0
  Monitor Filesystems                0                 0        0        0
  User Binaries and Libraries        0                 0        0        0
  Tripwire Binaries                  0                 0        0        0
  OS Binaries and Libraries          0                 0        0        0
  Temporary Directories              0                 0        0        0
  Global Configuration Files         0                 0        0        0
  System Boot Changes                0                 0        0        0
  RPM Checksum Files                 0                 0        0        0
  OS Devices and Misc Directories    0                 0        0        0
  OS Boot Files and Mount Points     0                 0        0        0
  Root Directory and Files           0                 0        0        0

Total objects scanned:  48224
Total violations found:  0
===============================================================================
Heh, my system has not been modified!
OK, that is the end of today's tutorial.