How to Configure Tripwire IDS on Debian
================================================================================
This article covers installing and configuring Tripwire on Debian. Tripwire is a host-based intrusion detection system (IDS) for Linux. Its core function is to detect and report unauthorized changes to files and directories. After installation you initialize a baseline database of the monitored objects (tripwire --init); each later check compares the file system against that baseline and reports files that were added, removed or modified, together with which properties changed (permissions, ownership, size, hashes and so on). If a change is legitimate, you accept it and update the Tripwire database so that it becomes the new baseline.

### Installation and Configuration ###

Tripwire is installed on the Debian VM as follows.

    # apt-get install tripwire

![installation](http://blog.linoxide.com/wp-content/uploads/2015/11/installation.png)

During installation, Tripwire shows the following configuration prompts.

#### Site Key Creation ####

Tripwire needs a site passphrase to sign (Tripwire's documentation says "encrypt") the configuration file tw.cfg and the policy file tw.pol. Both files are protected with the site key that this passphrase unlocks, so nobody can substitute a weaker policy or configuration without it. Every Tripwire instance must have a site passphrase; the site key may be shared by several machines administered together.

![site key1](http://blog.linoxide.com/wp-content/uploads/2015/11/site-key1.png)

#### Local Key Passphrase ####

The local passphrase protects the Tripwire database and the report files. The local key prevents unauthorized modification of the database; unlike the site key it is specific to this host.

![local key1](http://blog.linoxide.com/wp-content/uploads/2015/11/local-key1.png)

#### Tripwire Configuration Path ####

The plaintext Tripwire configuration is stored in /etc/tripwire/twcfg.txt. It is used to generate the signed configuration file tw.cfg, which is the only copy Tripwire actually reads; editing twcfg.txt has no effect until tw.cfg is regenerated with twadmin.

![configuration file](http://blog.linoxide.com/wp-content/uploads/2015/11/configuration-file.png)

**Tripwire Policy Path**

Tripwire keeps its plaintext policy in /etc/tripwire/twpol.txt. It is used to generate the signed policy file tw.pol.

![tripwire policy](http://blog.linoxide.com/wp-content/uploads/2015/11/tripwire-policy.png)

When the installation completes, the output looks like the following.

![installed tripewire1](http://blog.linoxide.com/wp-content/uploads/2015/11/installed-tripewire1.png)

#### Tripwire Configuration File (twcfg.txt) ####

The contents of the Tripwire configuration file (twcfg.txt) are listed below. The signed policy file (tw.pol), the site key (site.key) and the local key (hostname-local.key) that it references are shown later.

    ROOT                   =/usr/sbin
    POLFILE                =/etc/tripwire/tw.pol
    DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
    REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
    SITEKEYFILE            =/etc/tripwire/site.key
    LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
    EDITOR                 =/usr/bin/editor
    LATEPROMPTING          =false
    LOOSEDIRECTORYCHECKING =false
    MAILNOVIOLATIONS       =true
    EMAILREPORTLEVEL       =3
    REPORTLEVEL            =3
    SYSLOGREPORTING        =true
    MAILMETHOD             =SMTP
    SMTPHOST               =localhost
    SMTPPORT               =25
    TEMPDIRECTORY          =/tmp
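The setup sequence above (generate the site and local keys, sign twcfg.txt into tw.cfg, sign twpol.txt into tw.pol, initialize the baseline database) can be run without the debconf prompts. The script below is an added example, not code from the original article or from the Tripwire project. It assumes the file paths from the twcfg.txt listed above, and that the two passphrases arrive in the environment variables TW_SITE_PASS and TW_LOCAL_PASS (both names are this example's own convention). It refuses to overwrite key files that already exist, so on a host where the package postinst already created keys you would remove them first or skip the key step.

```shell
#!/bin/sh
# Added example (not from the article or the Tripwire project): bootstrap
# Tripwire on Debian non-interactively. Assumed conventions: site and local
# passphrases are supplied in TW_SITE_PASS and TW_LOCAL_PASS, and the paths
# match the twcfg.txt shown in the article.
set -eu

TW_ETC=/etc/tripwire
TW_CFG_TXT=$TW_ETC/twcfg.txt
TW_POL_TXT=$TW_ETC/twpol.txt
TW_SITE_KEY=$TW_ETC/site.key
TW_LOCAL_KEY=$TW_ETC/$(uname -n)-local.key

# Pure text check, run before any signing: refuse a twcfg.txt that lacks one of
# the variables Tripwire needs to locate its policy, database, reports and keys.
tw_cfg_has_required_keys() {
    cfg=$1
    for key in ROOT POLFILE DBFILE REPORTFILE SITEKEYFILE LOCALKEYFILE; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$cfg" || return 1
    done
    return 0
}

# Key files must be mode 0600 (and owned by root): anyone who can read site.key
# and learns the passphrase can re-sign a weakened policy and blind the IDS.
tw_key_perms_ok() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Step 1: site key (protects tw.cfg/tw.pol) and local key (protects the database
# and reports). --site-passphrase/-Q and --local-passphrase/-P are twadmin flags.
tw_generate_keys() {
    if [ -e "$TW_SITE_KEY" ] || [ -e "$TW_LOCAL_KEY" ]; then
        echo "key files already exist; remove them first to generate new ones" >&2
        return 1
    fi
    twadmin --generate-keys \
        --site-keyfile "$TW_SITE_KEY" --site-passphrase "$TW_SITE_PASS" \
        --local-keyfile "$TW_LOCAL_KEY" --local-passphrase "$TW_LOCAL_PASS"
    chmod 600 "$TW_SITE_KEY" "$TW_LOCAL_KEY"
    tw_key_perms_ok "$TW_SITE_KEY" && tw_key_perms_ok "$TW_LOCAL_KEY"
}

# Step 2: compile the plaintext twcfg.txt into the signed tw.cfg.
tw_sign_config() {
    tw_cfg_has_required_keys "$TW_CFG_TXT"
    twadmin --create-cfgfile --cfgfile "$TW_ETC/tw.cfg" \
        --site-keyfile "$TW_SITE_KEY" --site-passphrase "$TW_SITE_PASS" "$TW_CFG_TXT"
}

# Step 3: compile the plaintext twpol.txt into the signed tw.pol.
tw_sign_policy() {
    twadmin --create-polfile --cfgfile "$TW_ETC/tw.cfg" --polfile "$TW_ETC/tw.pol" \
        --site-keyfile "$TW_SITE_KEY" --site-passphrase "$TW_SITE_PASS" "$TW_POL_TXT"
}

# Step 4: build the baseline database that later --check runs compare against.
tw_init_database() {
    tripwire --init --local-passphrase "$TW_LOCAL_PASS"
}

# Run the full sequence only when Tripwire is installed and both passphrases are
# set; otherwise the file just defines the functions above (it can be sourced).
if command -v twadmin >/dev/null 2>&1 \
   && [ -n "${TW_SITE_PASS:-}" ] && [ -n "${TW_LOCAL_PASS:-}" ]; then
    tw_generate_keys
    tw_sign_config
    tw_sign_policy
    tw_init_database
fi
```

Passphrases passed on the command line are visible in the process list for as long as twadmin or tripwire runs; for unattended installs on many hosts, preseeding the package's debconf questions or running the prompts interactively avoids that exposure. Note also that the plaintext twcfg.txt and twpol.txt are not what Tripwire trusts at run time; the signed tw.cfg and tw.pol are, which is why the script validates the plaintext before signing rather than after.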

#### Tripwire Policy Configuration ####

Adjust the policy before generating the baseline database. Some rules need to be disabled, for example /dev, /proc and /root/mail, because those objects either change constantly or do not exist on this host and would only fill every report with noise. Remember that Tripwire reads the signed tw.pol, not twpol.txt: after editing twpol.txt you must regenerate tw.pol with twadmin --create-polfile and then re-initialize the database. The twpol.txt used here is listed below.

    @@section GLOBAL
    TWBIN = /usr/sbin;
    TWETC = /etc/tripwire;
    TWVAR = /var/lib/tripwire;
    
    #
    # File System Definitions
    #
    @@section FS
    
    #
    # First, some variables to make configuration easier
    #
    SEC_CRIT      = $(IgnoreNone)-SHa ; # Critical files that cannot change
    
    SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
    
    SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed
    # infrequently but accessed
    # often
    
    SEC_LOG       = $(Growing) ;         # Files that grow, but that
    # should never change ownership
    
    SEC_INVARIANT = +tpug ;              # Directories that should never
    # change permission or ownership
    
    SIG_LOW       = 33 ;                 # Non-critical files that are of
    # minimal security impact
    
    SIG_MED       = 66 ;                 # Non-critical files that are of
    # significant security impact
    
    SIG_HI        = 100 ;                # Critical files that are
    # significant points of
    # vulnerability
    
    #
    # Tripwire Binaries
    #
    (
    rulename = "Tripwire Binaries",
    severity = $(SIG_HI)
    )
    {
    $(TWBIN)/siggen            -> $(SEC_BIN) ;
    $(TWBIN)/tripwire        -> $(SEC_BIN) ;
    $(TWBIN)/twadmin        -> $(SEC_BIN) ;
    $(TWBIN)/twprint        -> $(SEC_BIN) ;
    }
    {
    /boot            -> $(SEC_CRIT) ;
    /lib/modules        -> $(SEC_CRIT) ;
    }
    
    (
    rulename = "Boot Scripts",
    severity = $(SIG_HI)
    )
    {
    /etc/init.d        -> $(SEC_BIN) ;
    #/etc/rc.boot        -> $(SEC_BIN) ;
    /etc/rcS.d        -> $(SEC_BIN) ;
    /etc/rc0.d        -> $(SEC_BIN) ;
    /etc/rc1.d        -> $(SEC_BIN) ;
    /etc/rc2.d        -> $(SEC_BIN) ;
    /etc/rc3.d        -> $(SEC_BIN) ;
    /etc/rc4.d        -> $(SEC_BIN) ;
    /etc/rc5.d        -> $(SEC_BIN) ;
    /etc/rc6.d        -> $(SEC_BIN) ;
    }
    
    (
    rulename = "Root file-system executables",
    severity = $(SIG_HI)
    )
    {
    /bin            -> $(SEC_BIN) ;
    /sbin            -> $(SEC_BIN) ;
    }
    
    #
    # Critical Libraries
    #
    (
    rulename = "Root file-system libraries",
    severity = $(SIG_HI)
    )
    {
    /lib            -> $(SEC_BIN) ;
    }
    
    #
    # Login and Privilege Raising Programs
    #
    (
    rulename = "Security Control",
    severity = $(SIG_MED)
    )
    {
    /etc/passwd        -> $(SEC_CONFIG) ;
    /etc/shadow        -> $(SEC_CONFIG) ;
    }
    {
    #/var/lock        -> $(SEC_CONFIG) ;
    #/var/run        -> $(SEC_CONFIG) ; # daemon PIDs
    /var/log        -> $(SEC_CONFIG) ;
    }
    
    # These files change the behavior of the root account
    (
    rulename = "Root config files",
    severity = 100
    )
    {
    /root                -> $(SEC_CRIT) ; # Catch all additions to /root
    #/root/mail            -> $(SEC_CONFIG) ;
    #/root/Mail            -> $(SEC_CONFIG) ;
    /root/.xsession-errors        -> $(SEC_CONFIG) ;
    #/root/.xauth            -> $(SEC_CONFIG) ;
    #/root/.tcshrc            -> $(SEC_CONFIG) ;
    #/root/.sawfish            -> $(SEC_CONFIG) ;
    #/root/.pinerc            -> $(SEC_CONFIG) ;
    #/root/.mc            -> $(SEC_CONFIG) ;
    #/root/.gnome_private        -> $(SEC_CONFIG) ;
    #/root/.gnome-desktop        -> $(SEC_CONFIG) ;
    #/root/.gnome            -> $(SEC_CONFIG) ;
    #/root/.esd_auth            -> $(SEC_CONFIG) ;
    #    /root/.elm            -> $(SEC_CONFIG) ;
    #/root/.cshrc                -> $(SEC_CONFIG) ;
    #/root/.bashrc            -> $(SEC_CONFIG) ;
    #/root/.bash_profile        -> $(SEC_CONFIG) ;
    #    /root/.bash_logout        -> $(SEC_CONFIG) ;
    #/root/.bash_history        -> $(SEC_CONFIG) ;
    #/root/.amandahosts        -> $(SEC_CONFIG) ;
    #/root/.addressbook.lu        -> $(SEC_CONFIG) ;
    #/root/.addressbook        -> $(SEC_CONFIG) ;
    #/root/.Xresources        -> $(SEC_CONFIG) ;
    #/root/.Xauthority        -> $(SEC_CONFIG) -i ; # Changes Inode number on login
    /root/.ICEauthority            -> $(SEC_CONFIG) ;
    }
    
    #
    # Critical devices
    #
    (
    rulename = "Devices & Kernel information",
    severity = $(SIG_HI),
    )
    {
    #/dev        -> $(Device) ;
    #/proc        -> $(Device) ;
    }
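Rather than guessing which entries to disable, you can let Tripwire tell you: tripwire --init and tripwire --check print a "### Filename: <path>" line (followed by "No such file or directory") for every object in the policy that does not exist on the host. The script below is an added example, not code from the original article or from the Tripwire project; it turns saved check output into commented-out lines in twpol.txt, matching object paths exactly so that a missing /etc/rc.boot does not also silence a rule for /etc/rc.boot.d. The check output and policy fragment embedded in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or the Tripwire project): disable policy
# entries for objects that do not exist on this host. tripwire --init/--check
# print "### Filename: <path>" for each such object; those paths are commented
# out of twpol.txt. The sample input below is constructed for the demonstration.
set -eu

# Print the paths reported missing in saved tripwire --init/--check output.
tw_missing_paths() {
    sed -n 's/^### Filename:[[:space:]]*//p' "$1" | sed 's/[[:space:]]*$//'
}

# Emit a copy of twpol.txt ($2) in which every uncommented "object -> properties ;"
# line whose object appears in the missing list ($1 = saved check output) gets a
# leading '#'. Exact match on the object path. Lines that are already comments,
# variable settings, rule attributes or stop points (!/path) pass through as-is.
tw_prune_policy() {
    missing=$(tw_missing_paths "$1")
    awk -v list="$missing" '
        BEGIN {
            n = split(list, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") missing[a[i]] = 1
        }
        /^[ \t]*[^#! \t].*->/ {
            path = $0
            sub(/[ \t]*->.*$/, "", path)   # drop " -> $(PROPS) ;"
            sub(/^[ \t]*/, "", path)       # drop leading indentation
            if (path in missing) { print "#" $0; next }
        }
        { print }
    ' "$2"
}

# After pruning: install the new plaintext, re-sign it into tw.pol and rebuild
# the baseline so the next check uses the reduced policy. twadmin and tripwire
# prompt for the site and local passphrases; run as root on the Debian host.
tw_apply_pruned_policy() {
    cp "$1" /etc/tripwire/twpol.txt
    twadmin --create-polfile --site-keyfile /etc/tripwire/site.key /etc/tripwire/twpol.txt
    tripwire --init
}

# Demonstration on constructed data (the message format is Tripwire's own).
demo=$(mktemp -d)
cat > "$demo/check.out" <<'EOF'
### Warning: File system error.
### Filename: /etc/rc.boot
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /root/mail
### No such file or directory
### Continuing...
EOF
printf '\t/etc/init.d\t\t-> $(SEC_BIN) ;\n\t/etc/rc.boot\t\t-> $(SEC_BIN) ;\n\t/root\t\t\t-> $(SEC_CRIT) ;\n\t/root/mail\t\t-> $(SEC_CONFIG) ;\n' > "$demo/twpol.txt"
tw_prune_policy "$demo/check.out" "$demo/twpol.txt" > "$demo/twpol.pruned"
cat "$demo/twpol.pruned"
rm -rf "$demo"
```

On a real host the first argument would be the saved output of `tripwire --check 2>&1` (or of the initial `tripwire --init`), and you would review the pruned file before calling tw_apply_pruned_policy: a path that is missing because an attacker deleted it should be investigated, not silenced.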

#### Tripwire Report ####

The **tripwire --check** command runs an integrity check against the signed policy (tw.pol, generated from twpol.txt) and the baseline database, and writes the report shown below. If the policy contains errors, Tripwire aborts instead of producing a report; policy syntax errors are normally caught earlier, when twadmin compiles twpol.txt into tw.pol. Note the header line "Database last updated on: Never": the baseline created by tripwire --init has not been updated yet, and a result of zero violations only means the host still matches that baseline, which is exactly as trustworthy as the host was at initialization time.

![tripwire report](http://blog.linoxide.com/wp-content/uploads/2015/11/tripwire-report.png)

**Report in text form**

    root@VMdebian:/home/labadmin# tripwire --check
    Parsing policy file: /etc/tripwire/tw.pol
    *** Processing Unix File System ***
    Performing integrity check...
    Wrote report file: /var/lib/tripwire/report/VMdebian-20151024-122322.twr
    
    Open Source Tripwire(R) 2.4.2.2 Integrity Check Report
    
    Report generated by:          root
    Report created on:            Sat Oct 24 12:23:22 2015
    Database last updated on:     Never
    
    Report Summary:
    =========================================================
    Host name:                    VMdebian
    Host IP address:              127.0.1.1
    Host ID:                      None
    Policy file used:             /etc/tripwire/tw.pol
    Configuration file used:      /etc/tripwire/tw.cfg
    Database file used:           /var/lib/tripwire/VMdebian.twd
    Command line used:            tripwire --check
    =========================================================
    
    Rule Summary:
    =========================================================
    -------------------------------------------------------------------------------
    Section: Unix File System
    -------------------------------------------------------------------------------
    Rule Name                       Severity Level   Added   Removed Modified
    ---------                       --------------   -----   ------- --------
    Other binaries                   66              0       0       0
    Tripwire Binaries               100              0       0       0
    Other libraries                  66              0       0       0
    Root file-system executables    100              0       0       0
    Tripwire Data Files             100              0       0       0
    System boot changes             100              0       0       0
    (/var/log)
    Root file-system libraries      100              0       0       0
    (/lib)
    Critical system boot files      100              0       0       0
    Other configuration files        66              0       0       0
    (/etc)
    Boot Scripts                    100              0       0       0
    Security Control                 66              0       0       0
    Root config files               100              0       0       0
    Invariant Directories            66              0       0       0
    
    Total objects scanned: 25943
    Total violations found: 0
    
    =========================Object Summary:================================
    -------------------------------------------------------------------------------
    # Section: Unix File System
    -------------------------------------------------------------------------------
    No violations.
    
    ===========================Error Report:=====================================
    No Errors
    -------------------------------------------------------------------------------
    *** End of report ***
    
    Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
    trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
    for details use --version. This is free software which may be redistributed
    or modified only under certain conditions; see COPYING for details.
    All rights reserved.
    Integrity check complete.
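Reading the report by eye, as above, does not scale to a daily cron run. The following added example (not code from the original article or from the Tripwire project) extracts the rules with non-zero Added/Removed/Modified counts from a plaintext report, returns a clean/dirty exit status that a monitoring job can act on, and wraps the twprint and tripwire --update commands used to render a saved .twr file and to accept reviewed changes into the database. The report paths follow the twcfg.txt shown earlier; the sample report text embedded in the script is constructed, following the Rule Summary layout of the report above.

```shell
#!/bin/sh
# Added example (not from the article or the Tripwire project): triage a
# Tripwire report from a script. Report paths follow the article's twcfg.txt;
# the sample report text at the bottom is constructed in the Rule Summary
# layout of the article's report.
set -eu

# Newest .twr for this host (REPORTFILE = .../report/$(HOSTNAME)-$(DATE).twr).
tw_latest_report() {
    ls -1t /var/lib/tripwire/report/*.twr 2>/dev/null | head -n 1
}

# Render a binary .twr as text; level 0-4, where 4 lists per-object property diffs.
tw_print_report() {
    twprint --print-report --twrfile "$1" --report-level "${2:-4}"
}

# From a plaintext report ($1), list rules with a non-zero Added/Removed/Modified
# count as "rule<TAB>severity<TAB>added<TAB>removed<TAB>modified".
tw_violating_rules() {
    awk '
        /^Rule Summary:/          { insum = 1; next }
        /^Total objects scanned:/ { insum = 0 }
        # A data row ends in four integer columns; the header line and the
        # "(/etc)" sub-lines do not, so they never match.
        insum && /[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]*$/ {
            mod = $NF; rem = $(NF-1); add = $(NF-2); sev = $(NF-3)
            name = $1
            for (i = 2; i <= NF-4; i++) name = name " " $i
            if (add + rem + mod > 0) printf "%s\t%s\t%s\t%s\t%s\n", name, sev, add, rem, mod
        }
    ' "$1"
}

# Exit 0 when the report states zero violations, 1 when it states more, and 2
# when the line is absent (a truncated or non-report file must not read as clean).
tw_report_clean() {
    total=$(sed -n 's/^Total violations found:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$total" ] || return 2
    [ "$total" -eq 0 ]
}

# Fold the changes in a reviewed report into the database. Only do this after
# confirming each change is legitimate: accepting an unreviewed report turns an
# intrusion into the new baseline. Prompts for the local passphrase.
tw_accept_report() {
    tripwire --update --twrfile "$1"
}

# Demonstration on a constructed report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Rule Summary:
=========================================================
Rule Name                       Severity Level   Added   Removed Modified
---------                       --------------   -----   ------- --------
Tripwire Binaries               100              0       0       0
Root file-system executables    100              0       0       1
Other configuration files        66              2       0       0
(/etc)
Total objects scanned: 25943
Total violations found: 3
EOF
tw_violating_rules "$sample"
if tw_report_clean "$sample"; then
    echo "clean"
else
    echo "violations found: review the report, then tw_accept_report <file.twr>"
fi
rm -f "$sample"
```

In a cron job you would chain these: `tw_print_report "$(tw_latest_report)" > /tmp/tw.txt`, then `tw_violating_rules /tmp/tw.txt` for the alert body and `tw_report_clean /tmp/tw.txt` for the exit status. Modified entries under "Root file-system executables" or "Tripwire Binaries" deserve a closer look than additions under "Other configuration files", which is what the severity column is for.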

### Conclusion ###

In this article we installed and configured the open-source host intrusion detection software Tripwire. It works by first generating a baseline database and then detecting any change to files and directories by comparing the current system against that baseline. Keep in mind that Tripwire is not a real-time IDS: it only notices changes when a check runs (on Debian the package installs a daily cron job, /etc/cron.daily/tripwire, which runs the check and mails the report), so a file that is modified and restored between two checks is never seen, and the first baseline is only as clean as the host was when it was initialized.

--------------------------------------------------------------------------------

via: http://linoxide.com/security/configure-tripwire-ids-debian/

Author: [nido][a]
Translator: [geekpi](https://github.com/geekpi)
Proofreader: [wxy](https://github.com/wxy)

This article was translated by [LCTT](https://github.com/LCTT/TranslateProject) and published by [Linux中国](https://linux.cn/)

[a]:http://linoxide.com/author/naveeda/