Tripwire setup notes

### 1. Fetch the source and install
```
# cd /usr/local/src/
# wget http://jaist.dl.sourceforge.net/project/tripwire/tripwire-src/tripwire-2.4.2.2/tripwire-2.4.2.2-src.tar.bz2
# tar jxvf tripwire-2.4.2.2-src.tar.bz2
# cd tripwire-2.4.2.2-src
# ./configure
# make
# make install
```


### 2. Create a test file to monitor
```
# touch /tmp/sample.txt
```


### 3. Create a policy file to verify the setup
```
# vi /tmp/twpol.txt
```
Contents of /tmp/twpol.txt (the `+p` property mask checks only the file's permission bits):
```
(
  rulename = "Sample",
)
{
  /tmp/sample.txt -> +p;
}
```
Sign the policy file with the site key:
```
# twadmin --create-polfile --site-keyfile /usr/local/etc/site.key /tmp/twpol.txt
```


### 4. Initialize the database
```
# tripwire --init
```


### 5. Run a check with no changes made
```
# tripwire --check

Parsing policy file: /usr/local/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /usr/local/lib/tripwire/report/lpic303-CentOS6-20150605-035915.twr


Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by:          root
Report created on:            Fri Jun  5 03:59:15 2015
Database last updated on:     Fri Jun  5 03:39:02 2015

===============================================================================
Report Summary:
===============================================================================

Host name:                    lpic303-CentOS6
Host IP address:              Unknown IP
Host ID:                      None
Policy file used:             /usr/local/etc/tw.pol
Configuration file used:      /usr/local/etc/tw.cfg
Database file used:           /usr/local/lib/tripwire/lpic303-CentOS6.twd
Command line used:            tripwire --check 

===============================================================================
Rule Summary: 
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified 
  ---------                       --------------    -----    -------  -------- 
  Sample                          0                 0        0        0        
  (/tmp/sample.txt)

Total objects scanned:  1
Total violations found:  0

===============================================================================
Object Summary: 
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

No violations.

===============================================================================
Error Report: 
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
```


### 6. Make a change
```
# setfacl -m user:testuser:rwx /tmp/sample.txt
```


### 7. Check again
```
# tripwire --check
Parsing policy file: /usr/local/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /usr/local/lib/tripwire/report/lpic303-CentOS6-20150605-040008.twr


Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by:          root
Report created on:            Fri Jun  5 04:00:08 2015
Database last updated on:     Fri Jun  5 03:39:02 2015

===============================================================================
Report Summary:
===============================================================================

Host name:                    lpic303-CentOS6
Host IP address:              Unknown IP
Host ID:                      None
Policy file used:             /usr/local/etc/tw.pol
Configuration file used:      /usr/local/etc/tw.cfg
Database file used:           /usr/local/lib/tripwire/lpic303-CentOS6.twd
Command line used:            tripwire --check 

===============================================================================
Rule Summary: 
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified 
  ---------                       --------------    -----    -------  -------- 
* Sample                          0                 0        0        1        
  (/tmp/sample.txt)

Total objects scanned:  1
Total violations found:  1

===============================================================================
Object Summary: 
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Sample (/tmp/sample.txt)
Severity Level: 0
-------------------------------------------------------------------------------

Modified:
"/tmp/sample.txt"

===============================================================================
Error Report: 
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
```


### 8. Review the report
```
# twprint --print-report --report-level 0 --twrfile /usr/local/lib/tripwire/report/lpic303-CentOS6-20150605-040008.twr 
Note: Report is not encrypted.
TWReport lpic303-CentOS6 20150605040008 V:1 S:0 A:0 R:0 C:1
```

Fields in the summary line:

- V: number of violations
- S: severity level
- A: files and directories added
- R: files and directories removed
- C: files and directories changed
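As an added example that is not part of the original memo: a small POSIX shell helper that parses the one-line `--report-level 0` summary shown above (the `TWReport ... V: S: A: R: C:` line) and turns it into an OK/ALERT verdict, the kind of thing a cron job would run after `tripwire --check`. The two sample lines are constructed to match the format of the step 5 and step 7 runs; a line that cannot be parsed is deliberately treated as not clean.

```shell
#!/bin/sh
# Added example: parse the one-line summary printed by
#   twprint --print-report --report-level 0 --twrfile <report>.twr
# Format (as shown in step 8 of the memo):
#   TWReport <host> <YYYYMMDDhhmmss> V:<violations> S:<severity> A:<added> R:<removed> C:<changed>

# Print one counter (field letter V, S, A, R or C) from a TWReport summary line.
tw_field() {
    # $1 = summary line, $2 = field letter
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2:\([0-9][0-9]*\).*/\1/p"
}

# Succeed (exit 0) only when the summary parses and reports zero violations.
# A missing or malformed V: field is treated as NOT clean, so a broken
# report never silently passes as a good run.
tw_is_clean() {
    v=$(tw_field "$1" V)
    [ -n "$v" ] && [ "$v" -eq 0 ]
}

# Produce a one-line verdict suitable for a cron mail or a syslog entry.
tw_verdict() {
    line=$1
    host=$(printf '%s\n' "$line" | awk '{print $2}')
    if tw_is_clean "$line"; then
        printf 'OK %s: no violations\n' "$host"
    else
        printf 'ALERT %s: violations=%s added=%s removed=%s changed=%s\n' \
            "$host" "$(tw_field "$line" V)" "$(tw_field "$line" A)" \
            "$(tw_field "$line" R)" "$(tw_field "$line" C)"
    fi
}

# Constructed sample lines in the shape of the memo's step 5 and step 7 runs.
CLEAN_LINE='TWReport lpic303-CentOS6 20150605035915 V:0 S:0 A:0 R:0 C:0'
DIRTY_LINE='TWReport lpic303-CentOS6 20150605040008 V:1 S:0 A:0 R:0 C:1'

tw_verdict "$CLEAN_LINE"   # OK lpic303-CentOS6: no violations
tw_verdict "$DIRTY_LINE"   # ALERT lpic303-CentOS6: violations=1 added=0 removed=0 changed=1
```

On a real host you would feed it the live output, e.g. `tw_verdict "$(twprint --print-report --report-level 0 --twrfile "$REPORT" | grep '^TWReport')"`.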

### 9. Update the database
```
# tripwire --update --twrfile /usr/local/lib/tripwire/report/lpic303-CentOS6-20150605-040008.twr 
Please enter your local passphrase: 
Wrote database file: /usr/local/lib/tripwire/lpic303-CentOS6.twd
```


### 10. Display and edit the system configuration file
```
# twadmin --print-cfgfile
ROOT          =/usr/local/sbin
POLFILE       =/usr/local/etc/tw.pol
DBFILE        =/usr/local/lib/tripwire/$(HOSTNAME).twd
REPORTFILE    =/usr/local/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE   =/usr/local/etc/site.key
LOCALKEYFILE  =/usr/local/etc/lpic303-CentOS6-local.key
EDITOR        =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL   =3
MAILMETHOD    =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM   =/usr/sbin/sendmail -oi -t
```


### 11. Check the policy file contents
```
# twadmin --print-polfile
(
rulename = "Sample", )
{
/tmp/sample.txt -> +p;
}
```
Category: LPIC303 study