This page describes the procedure for installing the following tool to detect tampering of a website.
1. Installing tripwire
yum --enablerepo=epel -y install tripwire
Output:
読み込んだプラグイン:priorities, update-motd, upgrade-helper
epel/x86_64/metalink | 3.7 kB 00:00
epel | 4.3 kB 00:00
(1/3): epel/x86_64/group_gz | 150 kB 00:00
(2/3): epel/x86_64/updateinfo | 760 kB 00:00
(3/3): epel/x86_64/primary_db | 5.9 MB 00:00
1041 packages excluded due to repository priority protections
依存性の解決をしています
--> トランザクションの確認を実行しています。
---> パッケージ tripwire.x86_64 0:2.4.3.5-1.el6 を インストール
--> 依存性解決を終了しました。
依存性を解決しました
================================================================================
Package アーキテクチャー
バージョン リポジトリー 容量
================================================================================
インストール中:
tripwire x86_64 2.4.3.5-1.el6 epel 1.4 M
トランザクションの要約
================================================================================
インストール 1 パッケージ
総ダウンロード容量: 1.4 M
インストール容量: 4.0 M
Downloading packages:
警告: /var/cache/yum/x86_64/latest/epel/packages/tripwire-2.4.3.5-1.el6.x86_64.rpm: ヘッダー V3 RSA/SHA256 Signature、鍵 ID 0608b895: NOKEY
tripwire-2.4.3.5-1.el6.x86_64.rpm の公開鍵がインストールされていません
tripwire-2.4.3.5-1.el6.x86_64.rpm | 1.4 MB 00:00
file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 から鍵を取得中です。
Importing GPG key 0x0608B895:
Userid : "EPEL (6) <epel@fedoraproject.org>"
Fingerprint: 8c3b e96a f230 9184 da5c 0dae 3b49 df2a 0608 b895
Package : epel-release-6-8.9.amzn1.noarch (installed)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
インストール中 : tripwire-2.4.3.5-1.el6.x86_64 1/1
検証中 : tripwire-2.4.3.5-1.el6.x86_64 1/1
インストール:
tripwire.x86_64 0:2.4.3.5-1.el6
完了しました!
1. Setting the passphrases
Note: prepare two passphrases (passwords) in advance.
tripwire-setup-keyfiles
----------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.)
Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Enter the first passphrase as the "site keyfile passphrase".
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.)
Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Enter the second passphrase as the "local keyfile passphrase".
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Signing configuration file...
Please enter your site passphrase:
Enter the "site passphrase" you set earlier.
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you move this file to a secure location and/or encrypt it in place (using a tool such as GPG, for example) after you have examined it.
----------------------------------------------
Signing policy file...
Please enter your site passphrase:
Enter the "site passphrase" you set earlier.
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements a minimal policy, intended only to test essential Tripwire functionality. You should edit the policy file to describe your system, and then use twadmin to generate a new signed copy of the Tripwire policy.
Once you have a satisfactory Tripwire policy file, you should move the clear-text version to a secure location and/or encrypt it in place (using a tool such as GPG, for example).
Now run "tripwire --init" to enter Database Initialization Mode. This reads the policy file, generates a database based on its contents, and then cryptographically signs the resulting database. Options can be entered on the command line to specify which policy, configuration, and key files are used to create the database. The filename for the database can be specified as well. If no options are specified, the default values from the current configuration file are used.
2. Configuring the policy file
vi /etc/tripwire/twpol.txt
# identifier: tripwire IDS policy input file
....(omitted)
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
....(rest omitted)
Delete everything from the line marked below onward:
# identifier: tripwire IDS policy input file
....(omitted)
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
--delete from here onward--
Add the following values after the deleted lines and save. The rule below watches the document root with the SEC_CRIT property mask and mails any violation to the given address.
# identifier: tripwire IDS policy input file
....(omitted)
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# DocumentRoot
(
rulename = "Web Server DocumentRootCheck",
emailto = "mail@example.com"
)
{
/var/www/html -> $(SEC_CRIT) ;
}
3. Configuring the configuration file
vi /etc/tripwire/twcfg.txt
Contents:
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
Change or add the following values:
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SMTP
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
MAILFROMADDRESS =mail@example.com
Line 13: change the value to SMTP.
Line 16: add the sender email address line.
Note that with MAILMETHOD =SMTP Tripwire delivers reports to the host named by SMTPHOST (on SMTPPORT) and does not use MAILPROGRAM; if your file has no SMTPHOST line, add one pointing at your mail server.
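Before signing the configuration it is worth checking that the mail settings are consistent, because a report that is never delivered defeats the purpose of the daily check. The script below is an added example and is not part of the original article: it reads a clear-text twcfg.txt and checks that MAILMETHOD =SMTP is paired with an SMTPHOST, that MAILFROMADDRESS is set, and that no typographic dash has been pasted into MAILPROGRAM. The variable names are Tripwire's documented ones; the file path is whatever you pass in.

```shell
#!/bin/sh
# Consistency check for a clear-text Tripwire configuration (twcfg.txt).
# Added example, not code from the article: it only reads the file, so it can
# be run before "twadmin -m F" signs the configuration. The keys checked are
# the ones Tripwire documents (MAILMETHOD, SMTPHOST, MAILPROGRAM, MAILFROMADDRESS).

# Print the value of key $2 from the "KEY =value" file $1 (empty if absent).
tw_cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when the mail settings are usable, 1 otherwise (one line per problem).
tw_check_cfg() {
    cfg=$1
    rc=0
    method=$(tw_cfg_get "$cfg" MAILMETHOD)
    case "$method" in
        SMTP)
            # With SMTP, reports go to SMTPHOST:SMTPPORT and MAILPROGRAM is ignored.
            [ -n "$(tw_cfg_get "$cfg" SMTPHOST)" ] ||
                { echo "MAILMETHOD=SMTP but SMTPHOST is not set"; rc=1; }
            ;;
        SENDMAIL)
            [ -n "$(tw_cfg_get "$cfg" MAILPROGRAM)" ] ||
                { echo "MAILMETHOD=SENDMAIL but MAILPROGRAM is not set"; rc=1; }
            ;;
        *)
            echo "MAILMETHOD must be SMTP or SENDMAIL (got '$method')"; rc=1
            ;;
    esac
    [ -n "$(tw_cfg_get "$cfg" MAILFROMADDRESS)" ] ||
        { echo "MAILFROMADDRESS is not set"; rc=1; }
    # A typographic dash pasted into MAILPROGRAM (e.g. "–t" instead of "-t")
    # breaks sendmail's option parsing; reject any byte outside printable ASCII.
    prog=$(tw_cfg_get "$cfg" MAILPROGRAM)
    if [ -n "$(printf '%s' "$prog" | LC_ALL=C tr -d '\t -~')" ]; then
        echo "MAILPROGRAM contains a non-ASCII character: $prog"; rc=1
    fi
    return $rc
}
```

Run it as `tw_check_cfg /etc/tripwire/twcfg.txt` after sourcing the file; a non-zero return means at least one problem was printed. The non-ASCII test exists because copy-pasted configs often carry an en dash where a hyphen-minus is needed, and sendmail then fails silently from Tripwire's point of view.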
4. Encrypting (signing) the policy file
twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
Enter the "site passphrase".
Please enter your site passphrase:
Output:
Wrote policy file: /etc/tripwire/tw.pol
5. Encrypting (signing) the configuration file
twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Enter the "site passphrase".
Please enter your site passphrase:
Output:
Wrote configuration file: /etc/tripwire/tw.cfg
6. Initializing the database
tripwire --init
Enter the "local passphrase".
Please enter your local passphrase:
Output:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/ip-***-***-***-***.twd
The database was successfully generated.
Run a first integrity check and have the report sent by email:
tripwire --check --email-report
Output:
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Web Server DocumentRootCheck 0 0 0 0
(/var/www/html)
Total objects scanned: 1
Total violations found: 0
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
No violations.
===============================================================================
Error Report:
===============================================================================
No Errors
Confirm that the email has been received.
Note: if it has not arrived, check the mail log:
sudo cat /var/log/maillog
Create a file to test tampering detection:
touch /var/www/html/tripwire_test_file
Run the tampering check:
tripwire --check --email-report
Output:
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/ip-***-***-***-***-yyyymmdd-hhmmss.twr
Open Source Tripwire(R) 2.4.3.5 Integrity Check Report
Report generated by: root
Report created on: 20xx年xx月xx日 xx時xx分xx秒
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: ip-***-***-***-***
Host IP address: ***.***.***.***
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/ip-***-***-***-***.twd
Command line used: tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
* Web Server DocumentRootCheck 0 1 0 1
(/var/www/html)
Total objects scanned: 2
Total violations found: 2
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Web Server DocumentRootCheck (/var/www/html)
Severity Level: 0
-------------------------------------------------------------------------------
Added:
"/var/www/html/test.txt"
Modified:
"/var/www"
You can see that the "Modified" count has increased.
Schedule a daily check so that the report is sent every day. Run the following command:
vi /etc/cron.daily/tripwire-check
#!/bin/sh
HOST_NAME=`uname -n`
if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
    echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****"
    echo "**** Run \"/etc/tripwire/twinstall.sh\" and/or \"tripwire --init\". ****"
elif [ -f /etc/tripwire/tw.cfg ]; then
    # if GLOBALEMAIL is configured, use it rather than cron mail
    if [ -n "`/usr/sbin/twadmin -m f | sed -n 's/^GLOBALEMAIL\W*=//p'`" ]; then
        /usr/sbin/tripwire --check --email-report --silent --no-tty-output
    else
        /usr/sbin/tripwire --check
    fi
fi
Modify the script to the following and save (replace <local passphrase> with the local passphrase set earlier):
#!/bin/sh
HOST_NAME=`uname -n`
if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
    echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****"
    echo "**** Run \"/etc/tripwire/twinstall.sh\" and/or \"tripwire --init\". ****"
else
    test -f /etc/tripwire/tw.cfg && env LANG=C /usr/sbin/tripwire --check --email-report > /dev/null
    # tripwire --check sets bit 8 of its exit status on error; a status below 8
    # means the check itself ran, so re-initialise the database to today's state
    if [ $? -lt 8 ] ; then
        tripwire --init --local-passphrase <local passphrase> > /dev/null
    fi
fi
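The script above re-baselines after every successful check, so a change is reported exactly once and then becomes part of the accepted state. As an added example (not the article's script), the variant below decodes Tripwire's exit status bits (1 added, 2 removed, 4 modified, 8 error), logs the result to syslog, and refreshes the baseline only after a clean run, so a detected change keeps being reported until someone updates the database deliberately. It assumes the paths used in the article and reads the local passphrase from a hypothetical root-only file /etc/tripwire/local-passphrase instead of writing it into the script.

```shell
#!/bin/sh
# Daily Tripwire check with explicit exit-status handling.
# Added example, not the article's script. Assumptions: /etc/tripwire/tw.cfg and
# /var/lib/tripwire/<host>.twd as in the article, and the local passphrase kept
# in /etc/tripwire/local-passphrase (hypothetical file, owned by root, mode 0600).

# Decode the exit status of `tripwire --check` into its violation bits:
# 1 = files added, 2 = files removed, 4 = files modified, 8 = error.
tw_decode_status() {
    s=$1
    out=""
    [ $((s & 1)) -ne 0 ] && out="${out}added "
    [ $((s & 2)) -ne 0 ] && out="${out}removed "
    [ $((s & 4)) -ne 0 ] && out="${out}modified "
    [ $((s & 8)) -ne 0 ] && out="${out}error "
    [ -n "$out" ] || out="clean "
    printf '%s\n' "${out% }"
}

# Only a clean run (status 0) may refresh the baseline automatically; any
# violation or error keeps the old database so the report is repeated.
tw_may_reinit() {
    [ "$1" -eq 0 ]
}

tw_daily_check() {
    host=$(uname -n)
    db=/var/lib/tripwire/${host}.twd
    if [ ! -e "$db" ]; then
        echo "**** Error: Tripwire database for ${host} not found. ****"
        return 1
    fi
    [ -f /etc/tripwire/tw.cfg ] || return 1
    env LANG=C /usr/sbin/tripwire --check --email-report --silent --no-tty-output
    status=$?
    logger -t tripwire-check "result: $(tw_decode_status "$status") (status $status)"
    if tw_may_reinit "$status"; then
        /usr/sbin/tripwire --init \
            --local-passphrase "$(cat /etc/tripwire/local-passphrase)" > /dev/null
    fi
    return "$status"
}
```

To use it, place the file in /etc/cron.daily/ and append a line that calls tw_daily_check; the function's return value is Tripwire's own status, so cron's mail (or the syslog line) tells you at a glance whether files were added, removed or modified. The design choice is the re-init condition: refreshing only on status 0 means an attacker's modification cannot be silently absorbed into the baseline by the next night's run.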