环境:centos7
工作流程:
- 当前的系统数据状态建立数据库
- 定期比较系统现状与数据库中的状态
- 属性改变有详细报告
- 分析报告发现入侵
1、安装相关软件包
[root@hello ~]# yum install epel-release -y
已加载插件:fastestmirror
Repository base is listed more than once in the configuration
base | 3.6 kB 00:00:00
epel | 4.7 kB 00:00:00
extras | 2.9 kB 00:00:00
[root@hello ~]# yum install tripwire -y
已加载插件:fastestmirror
Repository base is listed more than once in the configuration
Loading mirror speeds from cached hostfile
正在解决依赖关系
--> 正在检查事务
---> 软件包 tripwire.x86_64.0.2.4.3.7-1.el7 将被 安装
--> 解决依赖关系完成
生成密钥(123456)
[root@hello ~]# tripwire-setup-keyfiles
----------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
2、初始化数据库
[root@hello ~]# tripwire --init
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### 没有那个文件或目录
- 就地解决报错
[root@hello ~]# sh -c "tripwire --check | grep Filename > cat no-directory.txt
"
#将报错中不存在的目录和文件加到no-directory.txt中
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### 没有那个文件或目录
[root@hello ~]# vim tripwire.sh
#写个脚本
for f in $(grep "Filename:" no-directory.txt | cut -f2 -d:); do
sed -i "s|\($f\) |#\\1|g" /etc/tripwire/twpol.txt
done
[root@hello ~]# twadmin -m P /etc/tripwire/twpol.txt
#重新签署配置
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
[root@hello ~]# tripwire --init
#重新初始化
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
3、测试:更改/etc/passwd文件(添加了以下k)
4、发现异常
[root@hello ~
最低0.47元/天 解锁文章
扫一扫
401
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
