[Tripwire File Integrity Implementation]

[01] Overview
[02] Download & Installation
[03] Configuration and Usage

[01] Overview

Tripwire is a server security tool that checks file system integrity; it is the best-known security utility for detecting whether files have been changed.

- A program that monitors files for tampering
- Stores file attributes and directory information in a database and compares against it to detect tampering
- Minimizes the damage from data corruption caused by unauthorized changes
- The policy file specifies which files/directories on your own system are to be monitored

[02] Download & Installation

Official site: http://sourceforge.net/projects/tripwire/
Download: http://downloads.sourceforge.net/tripwire/tripwire-2.4.1.2-src.tar.bz2?use_mirror=jaist

[Note] Tripwire is provided both as an rpm package and as a source tarball.

[root@localhost ~]# mkdir /tripware
[root@localhost ~]# cd /tripware/
[root@localhost tripware]# ls
tripwire-2.4.1.2-src.tar.bz2
[root@localhost tripware]# tar xvfl tripwire-2.4.1.2-src.tar.bz2
tar: Semantics of -l option will change in the future releases.
tar: Please use --one-file-system option instead.
tripwire-2.4.1.2-src/
tripwire-2.4.1.2-src/src/
... (omitted) ...
tripwire-2.4.1.2-src/install/
tripwire-2.4.1.2-src/install/install.cfg
tripwire-2.4.1.2-src/install/install.sh

(The -l in tar xvfl is a typo for -j, the bzip2 flag; the extraction still succeeds here because GNU tar detects the compression type automatically when reading an archive.)

[root@localhost tripware]# ls -F
tripwire-2.4.1.2-src/  tripwire-2.4.1.2-src.tar.bz2
[root@localhost tripware]# cd tripwire-2.4.1.2-src
[root@localhost tripwire-2.4.1.2-src]# ls
COMMERCIAL   Makefile.am  config.guess  contrib      missing
COPYING      Makefile.in  config.h.in   install      mkinstalldirs
ChangeLog    TRADEMARK    config.sub    install-sh   policy
INSTALL      aclocal.m4   configure     lib          src
MAINTAINERS  bin          configure.in  man
[root@localhost tripwire-2.4.1.2-src]# ./configure --prefix=/usr/local/tripwire
[root@localhost tripwire-2.4.1.2-src]# make && make install
LICENSE AGREEMENT for Tripwire(R) 2.4 Open Source
Please read the following license agreement. You must accept the agreement to continue installing Tripwire.
Press ENTER to view the License Agreement.     // Press the ENTER key.
Please type "accept" to indicate your acceptance of this license agreement. [do not accept] accept
   (Keep pressing the space bar to page through the license; when it reaches the end (100%), type "accept".)
Verifying existence of binaries...
./bin/siggen found
./bin/tripwire found
./bin/twprint found
./bin/twadmin found
This program will copy Tripwire files to the following directories:
TWBIN: /usr/local/tripwire/sbin
TWMAN: /usr/local/tripwire/man
TWPOLICY: /usr/local/tripwire/etc
TWREPORT: /usr/local/tripwire/lib/tripwire/report
TWDB: /usr/local/tripwire/lib/tripwire
TWSITEKEYDIR: /usr/local/tripwire/etc
TWLOCALKEYDIR: /usr/local/tripwire/etc
CLOBBER is false.
Continue with installation? [y/n] y
Creating directories...
/usr/local/tripwire/sbin: already exists
/usr/local/tripwire/etc: created
/usr/local/tripwire/lib/tripwire/report: created
/usr/local/tripwire/lib/tripwire: already exists
/usr/local/tripwire/etc: already exists
/usr/local/tripwire/etc: already exists
/usr/local/tripwire/man: created
/usr/local/tripwire/doc/tripwire: created
Copying files...
/usr/local/tripwire/doc/tripwire/copying: copied
/usr/local/tripwire/doc/tripwire/trademark: copied
/usr/local/tripwire/doc/tripwire/policyguide.txt: copied
/usr/local/tripwire/etc/twpol-linux.txt: copied
The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both letters and numbers.
See the Tripwire manual for more information.
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.)
Enter the site keyfile passphrase: itbank
Verify the site keyfile passphrase: itbank

[Note] The passphrase belongs to a key file; it acts as the password that is required whenever you make important configuration changes to Tripwire, initialize it, and so on. Continue below by entering the passwords to be used for the local key and the site key.
Generating key (this may take several minutes)...key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.)
Enter the local keyfile passphrase: itbank
Verify the local keyfile passphrase: itbank
Generating key (this may take several minutes)...key generation complete.
Generating Tripwire configuration file...
Creating signed configuration file...
Please enter your site passphrase: itbank
Wrote configuration file: /usr/local/tripwire/etc/tw.cfg
A clear-text version of the Tripwire configuration file /usr/local/tripwire/etc/twcfg.txt has been preserved for your inspection. It is recommended that you delete this file manually after you have examined it.
Customizing default policy file...
Creating signed policy file...
Please enter your site passphrase: itbank
Wrote policy file: /usr/local/tripwire/etc/tw.pol
A clear-text version of the Tripwire policy file /usr/local/tripwire/etc/twpol.txt has been preserved for your inspection. This implements a minimal policy, intended only to test essential Tripwire functionality. You should edit the policy file to describe your system, and then use twadmin to generate a new signed copy of the Tripwire policy.
The installation succeeded.
Please refer to for release information and to the printed user documentation
for further instructions on using Tripwire 2.4 Open Source.
make[3]: Leaving directory `/tripware/tripwire-2.4.1.2-src'
make[2]: Leaving directory `/tripware/tripwire-2.4.1.2-src'
make[1]: Leaving directory `/tripware/tripwire-2.4.1.2-src'
[root@localhost tripwire-2.4.1.2-src]#

The final step of the installation above is generating the Tripwire policy file. The policy file is the configuration file that Tripwire consults when it runs a file system integrity check. The output tells us that it was saved as tw.pol in the /usr/local/tripwire/etc directory.

[root@localhost tripwire-2.4.1.2-src]# cd ~
[root@localhost ~]#
[root@localhost ~]# ls /usr/local/tripwire/etc/*
/usr/local/tripwire/etc/localhost.localdomain-local.key
/usr/local/tripwire/etc/site.key
/usr/local/tripwire/etc/tw.cfg
/usr/local/tripwire/etc/tw.pol
/usr/local/tripwire/etc/twcfg.txt
/usr/local/tripwire/etc/twpol.txt

[03] Configuration and Usage

For convenience, add the Tripwire binaries to PATH.

[root@localhost ~]# vi ~/.bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs
PATH=$PATH:$HOME/bin:/usr/local/server/mysql/bin:/usr/local/tripwire/sbin
export PATH
unset USERNAME
[root@localhost ~]# source ~/.bash_profile
Creating the database (initializing Tripwire)

Before initializing, remove the unnecessary directories from the policy!

[root@localhost ~]# cd /usr/local/tripwire/etc
[root@localhost etc]# ls
localhost.localdomain-local.key  tw.cfg  twcfg.txt
site.key                         tw.pol  twcfg.txt_old
[root@localhost etc]# cp twpol.txt twpol.txt_old
[root@localhost etc]#
[root@localhost etc]# vi twpol.txt

In twpol.txt, find the following entries and comment them out with #! (The line numbers are vi line numbers in the default twpol.txt.)

/etc/mail/statistics    // line 149
/cdrom                  // line 169
/floppy                 // line 170
/initrd                 // line 186
/var/lost+found         // line 189
/home/lost+found        // line 190
/usr/X11R6/lib          // line 213
/usr/local/doc          // line 229
/usr/local/man          // line 235
/usr/local/sysinfo      // line 239

Note that tripwire --init reads the signed policy tw.pol, not the clear-text twpol.txt, so edits to twpol.txt only take effect after tw.pol is regenerated with twadmin (as the installer output above points out).

[root@localhost ~]# tripwire --init

Here, initializing means resetting the DB that holds the integrity check results for the files as they were last checked. This matters because any changes that happened before the initialization will not be reported afterwards.

Please enter your local passphrase: itbank
Parsing policy file: /usr/local/tripwire/etc/tw.pol
Generating the database...
*** Processing Unix File System ***
The object: "/misc" is on a different file system...ignoring.
The object: "/net" is on a different file system...ignoring.
The object: "/sys" is on a different file system...ignoring.
... (omitted) ...
### 없음 ###
Continuing...
Wrote database file: /usr/local/tripwire/lib/tripwire/localhost.localdomain.twd
The database was successfully generated.
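Editing twpol.txt by vi line number is fragile (the numbers shift as soon as a line is added), and the edit only reaches Tripwire once tw.pol has been re-signed. The following POSIX shell script is an added example, not part of the original tutorial: it comments out policy objects by name rather than by line number, counts the rules left active, and wraps the twadmin re-sign plus tripwire --init step. The install prefix /usr/local/tripwire is taken from the tutorial; the policy fragment at the bottom is constructed here in twpol.txt syntax and is not the real default policy.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# Comments out policy objects in twpol.txt by name (instead of by vi line
# number), then re-signs the policy and rebuilds the baseline database.
# Assumed layout: the tutorial's --prefix=/usr/local/tripwire.
TWETC=/usr/local/tripwire/etc
TWSBIN=/usr/local/tripwire/sbin

# Escape a path so it can be used literally inside a sed basic regex that
# uses '|' as its delimiter.
sed_escape() {
    printf '%s' "$1" | sed 's/[][\.*^$|]/\\&/g'
}

# comment_out_policy_entries POLICY_TXT PATH...
# Prefix '#' on every rule line whose object is exactly PATH (followed by
# whitespace).  Objects that merely share the prefix (e.g. /cdrom-extra when
# /cdrom is given) and lines that are already comments are left untouched.
comment_out_policy_entries() {
    pol="$1"; shift
    tmp="$pol.tmp.$$"
    for p in "$@"; do
        esc="$(sed_escape "$p")"
        sed "s|^\([[:space:]]*\)\($esc\)\([[:space:]]\)|\1#\2\3|" "$pol" > "$tmp" &&
            mv "$tmp" "$pol"
    done
}

# count_active_rules POLICY_TXT
# Number of uncommented lines of the form "/object -> $(...)".
count_active_rules() {
    grep -c '^[[:space:]]*/[^[:space:]]*[[:space:]]*->' "$1" || true
}

# resign_policy_and_reinit
# twadmin re-signs twpol.txt into tw.pol with the site key (prompts for the
# site passphrase), then tripwire --init rebuilds the database (prompts for
# the local passphrase).  Only meaningful on a host where Tripwire is installed.
resign_policy_and_reinit() {
    "$TWSBIN/twadmin" --create-polfile -S "$TWETC/site.key" -p "$TWETC/tw.pol" "$TWETC/twpol.txt" &&
        "$TWSBIN/tripwire" --init
}

# --- Constructed sample in twpol.txt syntax (not the real default policy) ---
SAMPLE_POLICY="$(mktemp)"
cat > "$SAMPLE_POLICY" <<'EOF'
(
  rulename = "Devices and unused mount points",
  severity = $(SIG_HI),
  recurse = false
)
{
  /dev/kmem            -> $(Device) ;
  /cdrom               -> $(Device) ;
  /floppy              -> $(Device) ;
  /var/lost+found      -> $(SEC_INVARIANT) (recurse = 0) ;
  /cdrom-extra         -> $(Device) ;
}
EOF

# Three of the objects the tutorial comments out by hand; /dev/kmem and
# /cdrom-extra stay active, so the count printed afterwards is 2.
comment_out_policy_entries "$SAMPLE_POLICY" /cdrom /floppy /var/lost+found
count_active_rules "$SAMPLE_POLICY"
```

On a real host you would run comment_out_policy_entries against $TWETC/twpol.txt with the full list from the tutorial and then call resign_policy_and_reinit; the sed pattern anchors on the object name followed by whitespace, which is why /cdrom-extra survives when /cdrom is disabled.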
[root@localhost ~]#
[root@localhost ~]# ls -al /usr/local/tripwire/lib/tripwire/localhost.localdomain.twd
-rw-r--r-- 1 root root 10563588 4월 1 04:23 /usr/local/tripwire/lib/tripwire/localhost.localdomain.twd

Generating the database takes 5 to 10 minutes or more.

Checking for file creation / modification / deletion

[root@localhost ~]# tripwire --check
Parsing policy file: /usr/local/tripwire/etc/tw.pol
*** Processing Unix File System ***
Performing integrity check...
... (omitted) ...
*** End of report ***
Open Source Tripwire 2.4
Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved.
Integrity check complete.
[root@localhost ~]#

The tripwire --check command uses Tripwire to check the integrity of the files in use on the server and produces a report. The policy applied is /usr/local/tripwire/etc/tw.pol, and the resulting report is stored in /usr/local/tripwire/lib/tripwire/report.

[root@localhost ~]# cd /usr/local/tripwire/lib/tripwire/report
[root@localhost report]# ls
localhost.localdomain-20090401-042713.twr

The .twr file is stored in encrypted form, so convert it to a text file with twprint.

[root@localhost report]# twprint -m r --twrfile localhost.localdomain-20090401-042713.twr > 2009.04.01.txt
[root@localhost report]#
[root@localhost report]# ls
2009.04.01.txt  localhost.localdomain-20090401-042713.twr
[root@localhost report]# cat 2009.04.01.txt

Let's look at the result with our own eyes!
Added:
/root/.mysql_history
/root/.ssh
-> Result listing newly created files

Removed:
/root/.backup.sh.swp
-> Result indicating a file was deleted

Modified:
/root/bin
-> Result indicating a file was modified

As an overall summary, the report also shows a table with the columns Severity Level, Added, Removed and Modified.

Checking and changing the configuration file

/usr/local/tripwire/etc/twcfg.txt is the file that defines the environment in which Tripwire runs.

[root@localhost ~]# cat /usr/local/tripwire/etc/twcfg.txt
ROOT                   =/usr/local/tripwire/sbin
POLFILE                =/usr/local/tripwire/etc/tw.pol
DBFILE                 =/usr/local/tripwire/lib/tripwire/$(hostname).twd
REPORTFILE             =/usr/local/tripwire/lib/tripwire/report/$(hostname)-$(DATE).twr
SITEKEYFILE            =/usr/local/tripwire/etc/site.key
LOCALKEYFILE           =/usr/local/tripwire/etc/localhost.localdomain-local.key
EDITOR                 =/bin/vi
LATEPROMPTING          =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS       =true
EMAILREPORTLEVEL       =3
REPORTLEVEL            =3
MAILMETHOD             =SENDMAIL
SYSLOGREPORTING        =false
MAILPROGRAM            =/usr/sbin/sendmail -oi -t
[root@localhost ~]#

The location of the executables, the policy file (tw.pol), the Tripwire database file and so on are all defined in this file.
If the environment in which Tripwire runs changes, edit the contents of this file. (Example) If the location of sendmail does not match, set the actual location of sendmail in the MAILPROGRAM directive. Note that everything configured in this file is applied to /usr/local/tripwire/etc/tw.cfg (a binary file), which is what Tripwire actually uses; after editing twcfg.txt, regenerate tw.cfg with twadmin --create-cfgfile so the change takes effect.

Editing and changing the policy file

[root@localhost ~]# cd /usr/local/tripwire/etc
[root@localhost etc]# ls
localhost.localdomain-local.key  tw.cfg  twcfg.txt      twpol.txt
site.key                         tw.pol  twcfg.txt_old  twpol.txt_old
[root@localhost etc]#

In the twpol.txt file above, commenting out an entry with # excludes it from the check; you can of course add entries as well.

Using cron to run Tripwire server checks

[Conditions]
- Tripwire must be installed.
- Write a simple shell script that runs Tripwire (example: tripwire.sh).
- The results should be viewable over the web, so a web service must be running.

[root@localhost ~]# cd /usr/local/tripwire/sbin/
[root@localhost sbin]# ls
siggen  tripwire  twadmin  twprint
[root@localhost sbin]# vi tripwire.sh
#!/bin/bash
# Print a header with the host name and current date, run the integrity
# check, then print a footer.
echo "============ $HOSTNAME System Check Start ============"
echo "=================== `date` ====================="
echo ""
echo "tripwire File Check"
tripwire --check
echo ""
echo "============== $HOSTNAME System Check End ==============="
[root@localhost sbin]# chmod 700 tripwire.sh
[root@localhost sbin]# ls -al
합계 5520
drwxr-xr-x 2 root root    4096 4월 1 05:02 .
drwxr-xr-x 8 root root    4096 4월 1 03:40 ..
-rwxr-xr-x 1 root root 1196420 4월 1 03:36 siggen
-rwxr-xr-x 1 root root 1663638 4월 1 03:36 tripwire
-rwx------ 1 root root     279 4월 1 05:02 tripwire.sh
-rwxr-xr-x 1 root root 1452021 4월 1 03:36 twadmin
-rwxr-xr-x 1 root root 1301572 4월 1 03:36 twprint
[root@localhost sbin]# crontab -e
*/10 * * * * /usr/bin/rdate -s time.bora.net && /sbin/clock -w
00 05 * * * su - root -c '/usr/local/tripwire/sbin/tripwire.sh' > /usr/local/server/apache/htdocs/tripwire_result
[root@localhost sbin]# ./tripwire.sh

When tripwire.sh runs, its output is saved to /usr/local/server/apache/htdocs/tripwire_result, which is served by the web server, so the result can be checked in a browser. To see it for ourselves right away, change the schedule in the cron entry above to five minutes from now.

http://cafe.naver.com/linuxlog
krintiz@naver.com
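The cron entry above writes the raw output of tripwire --check into the web root and leaves it to a person to read. The following POSIX shell script is an added example, not part of the original tutorial: a cron wrapper that renders the newest .twr report with twprint, counts the objects listed under the Added:/Removed:/Modified: headings of the text report (the same headings shown in the report section earlier), stores the text report with mode 0600 so the list of changed system files is not world-readable, and exits non-zero when there are violations so cron's mail or a monitoring hook can react. The install prefix /usr/local/tripwire and the report directory are taken from the tutorial; the report fragment at the bottom is constructed here in the shape of twprint -m r output and is not a real report.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# Cron wrapper that summarizes a twprint text report and returns a
# meaningful exit status instead of dumping raw output into htdocs.
# Assumed layout: the tutorial's --prefix=/usr/local/tripwire.
TWSBIN=/usr/local/tripwire/sbin
TWREPORT=/usr/local/tripwire/lib/tripwire/report

# summarize_report REPORT_TXT
# Counts the quoted object names listed under the "Added:", "Removed:" and
# "Modified:" headings of a "twprint -m r" text report (a blank line ends
# each list) and prints one line: added=N removed=N modified=N
summarize_report() {
    awk '
        /^Added:/    { section = "added";    next }
        /^Removed:/  { section = "removed";  next }
        /^Modified:/ { section = "modified"; next }
        /^[ \t]*$/   { section = "";         next }
        section != "" && /^[ \t]*"/ { count[section]++ }
        END {
            printf "added=%d removed=%d modified=%d\n",
                   count["added"], count["removed"], count["modified"]
        }
    ' "$1"
}

# summary_is_clean SUMMARY_LINE
# Exit 0 when nothing was added, removed or modified, 1 otherwise.
summary_is_clean() {
    [ "$1" = "added=0 removed=0 modified=0" ]
}

# run_check_and_summarize OUTFILE
# Runs the integrity check (--check needs no passphrase; its exit status is
# ignored because the report is what we read), renders the newest .twr report
# to text in OUTFILE (created with mode 0600), appends the summary line, and
# returns 1 when violations were found.  Requires a working Tripwire install.
run_check_and_summarize() {
    out="$1"
    "$TWSBIN/tripwire" --check >/dev/null 2>&1
    latest="$(ls -t "$TWREPORT"/*.twr 2>/dev/null | head -n 1)"
    [ -n "$latest" ] || { echo "no report found in $TWREPORT" >&2; return 2; }
    ( umask 077; "$TWSBIN/twprint" -m r --twrfile "$latest" > "$out" ) || return 2
    summary="$(summarize_report "$out")"
    echo "$summary" >> "$out"
    summary_is_clean "$summary"
}

# --- Constructed sample in the shape of twprint -m r output (not a real report) ---
SAMPLE_REPORT="$(mktemp)"
cat > "$SAMPLE_REPORT" <<'EOF'
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/root/.mysql_history"
"/root/.ssh"

Removed:
"/root/.backup.sh.swp"

Modified:
"/root/bin"

*** End of report ***
EOF

summarize_report "$SAMPLE_REPORT"     # added=2 removed=1 modified=1
```

In the crontab, call run_check_and_summarize with a path outside the web root and act on its exit status (for example by piping the summary to MAILPROGRAM only when it returns 1); a report that lists every changed system file is more useful to an attacker than to a visitor, so it should not be published world-readable.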