Tripwire (file integrity checking tool): installation and use

Posted by: site administrator


There is hardly any documentation of this program in Korean.
Security articles usually stop at saying that it "checksums the file system", so today I will briefly walk through installing and using it.
For reference, tripwire stores checksums of the file system in a database and detects changes against it.
It is commonly used to detect whether a backdoor or rootkit has been installed.
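To make that mechanism concrete, here is a small added example (written for this page; it is not code from the article or from Tripwire). It fingerprints every object under a policy root, stores the fingerprints as the baseline database ("tripwire --init"), and on a later check ("tripwire --check") reports Added, Removed and Modified objects, the same three categories Tripwire's reports use. Two choices are this example's own: paths are stored relative to the root, and a directory's fingerprint includes its sorted entry list, so that adding a file inside a directory also marks the directory itself as Modified. demo() builds a constructed fake /etc in a temporary directory and tampers with it.

```python
# Added example, not from the article or the Tripwire project: a minimal
# file-integrity checker built the way the article describes Tripwire working.
# build_baseline() plays the role of "tripwire --init", check() the role of
# "tripwire --check", classifying every object as Added, Removed or Modified.
import hashlib
import json
import os
import shutil
import stat
import tempfile


def fingerprint(path):
    """Collect the attributes that define an object's expected state.

    Tripwire's $(ReadOnly) mask covers permissions, owner, type, size, mtime
    and content hashes; this mirrors that set for a single object.
    """
    st = os.lstat(path)
    fp = {"type": stat.S_IFMT(st.st_mode), "mode": stat.S_IMODE(st.st_mode),
          "uid": st.st_uid, "gid": st.st_gid, "mtime_ns": st.st_mtime_ns}
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        fp["size"] = st.st_size
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    elif stat.S_ISDIR(st.st_mode):
        # Design choice of this example: hash the sorted entry names, so adding
        # or removing a child deterministically marks the directory Modified
        # (the article's report shows /etc as Modified after /etc/tripwire_test
        # was created; Tripwire itself relies on the directory's metadata).
        for name in sorted(os.listdir(path)):
            h.update(name.encode("utf-8", "surrogateescape") + b"\0")
    elif stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode("utf-8", "surrogateescape"))
    fp["sha256"] = h.hexdigest()
    return fp


def snapshot(root):
    """Fingerprint root and everything below it, keyed by path relative to root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, n) for n in dirnames + filenames]
        for full in entries:
            rel = os.path.relpath(full, root)
            if rel not in db:
                db[rel] = fingerprint(full)
    return db


def build_baseline(root, db_path):
    """--init: record the trusted state. Only meaningful on a known-clean system."""
    with open(db_path, "w") as f:
        json.dump(snapshot(root), f, sort_keys=True)


def check(root, db_path):
    """--check: compare the live tree against the baseline database."""
    with open(db_path) as f:
        baseline = json.load(f)
    current = snapshot(root)
    both = set(current) & set(baseline)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if current[p] != baseline[p])}


def rule_summary(result):
    """Counts in the shape of Tripwire's Rule Summary columns."""
    counts = {k: len(v) for k, v in result.items()}
    counts["violations"] = sum(counts.values())
    return counts


def demo():
    """Constructed run: baseline a fake /etc, tamper with it, check before and after."""
    work = tempfile.mkdtemp()
    try:
        root = os.path.join(work, "etc")
        os.makedirs(os.path.join(root, "ssh"))
        for rel, body in {"passwd": "root:x:0:0:root:/root:/bin/bash\n",
                          "hosts": "127.0.0.1 localhost\n",
                          "ssh/sshd_config": "PermitRootLogin no\n"}.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        db = os.path.join(work, "etc.twd")
        build_baseline(root, db)
        clean = check(root, db)                                  # nothing changed yet
        open(os.path.join(root, "tripwire_test"), "w").close()   # the article's test file
        with open(os.path.join(root, "ssh", "sshd_config"), "a") as f:
            f.write("PermitRootLogin yes\n")                     # content change
        os.remove(os.path.join(root, "hosts"))                   # deletion
        return clean, check(root, db)
    finally:
        shutil.rmtree(work)
```

Running demo() gives a clean first check and then a second one with one Added, one Removed and two Modified objects (the edited file and the root directory whose entry list changed). The same caveat applies as with Tripwire itself: a baseline is only as trustworthy as the state it was taken from, so build it on a freshly installed system and keep the database and the checker where an intruder cannot rewrite them; this is why Tripwire signs its database and policy files with the local and site keys created during installation.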

After the old 1.1.2 release, Gene Kim and Dr. Eugene founded a company (www.tripwiresecurity.com) and Tripwire recently became a commercial product.
As of 20 September 2000 the current version is 2.2.1.
The academic version (ASR), 1.3.1, comes with source and appears to be non-commercial. Translating the English documentation is tedious, so I only skimmed it.
The Linux version is currently available from http://www.tripwiresecurity.com/downloads/. The Linux version does not seem to be strictly commercial;
some sort of license applies to it.
In any case, this is the one I chose to install. Note that its configuration differs somewhat from the ASR version.

Go to http://www.tripwiresecurity.com/downloads/ and click the entry labelled
"Tripwire 2.2.1 for Linux* (Intel)" to download the file.
The file you get is:

Tripwire_221_for_Linux_x86[1].tar.gz


Installation
On Unix-like systems, user-installed programs conventionally go under /usr/local.
(Programs distributed as source that has to be compiled are built under /usr/local/src.)

[root@dev local]# pwd
/usr/local
[root@dev local]# mkdir TSS
[root@dev local]# cd TSS

Unusually, tripwire's tarball does not create its own directory when extracted, so I created a directory named TSS.
Put the downloaded file in this directory.

[root@dev TSS]# ls -l
total 2508
-rw-r--r-- 1 root root 2556173 Sep 21 08:06 Tripwire_221_for_Linux_x86[1].tar.gz
[root@dev TSS]# tar xvzf "Tripwire_221_for_Linux_x86[1].tar.gz"
License.txt
README
Release_Notes
install.cfg
install.sh
pkg/
pkg/bin.pkg
pkg/man.pkg
pkg/policy.pkg
[root@dev TSS]# rm "Tripwire_221_for_Linux_x86[1].tar.gz"
rm: remove `Tripwire_221_for_Linux_x86[1].tar.gz'? y

Now start the actual installation.
[root@dev TSS]# ./install.sh

Installer program for:
Tripwire(R) 2.2.1 for Unix

Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc. Tripwire (R)
is a registered trademark of the Purdue Research Foundation and is
licensed exclusively to Tripwire (R) Security Systems, Inc.


* * * * Warning * * * *
The uname command, which tells what operating system is running on this
machine, returned a result that this installation script did not expect.
Tripwire 2.2.1 for Unix is supported on the following configurations:
Hewlett-Packard HP-UX 10.20
Hewlett-Packard HP-UX 11.0
IBM AIX 4.2
IBM AIX 4.3
Sun Solaris - Sparc 2.6
Sun Solaris - Sparc 7.0
Sun Solaris - Intel 2.6
Sun Solaris - Intel 7.0
Redhat Linux 5.2
Redhat Linux 6.0
SGI Irix 6.5
Compaq Tru64 Unix 4.0


Continue with installation? [y/n] y

LICENSE AGREEMENT for Tripwire(R) 2.2.1 for Unix

Please read the following license agreement. You must accept the
agreement to continue installing Tripwire.

Press ENTER to view the License Agreement.


END USER SOFTWARE LICENSE AGREEMENT

This Tripwire Security Systems, Inc. ("Tripwire") End-User License 
Agreement ("EULA") is a legal agreement between you (either an 
individual or a legal entity) and Tripwire for the enclosed software 
product, which includes computer software and associated media and 
printed materials, and may include "online" or electronic documentation 
("Software"). By signing below, and/or by installing, copying, or
otherwise using the Software, you agree to be bound by the terms of this 
EULA. If you do not agree to the terms of this EULA, promptly return the 
unused Software to Tripwire for a full refund.

(... middle of the license text omitted ...)

Should you have any questions concerning this Agreement, or if you
desire to contact Tripwire Security Systems, Inc. for any reason, please
contact us at: Tripwire Security Systems, Inc., 1631 NW Thurman St.,
Portland, OR 97209-2518, USA, http://www.tripwiresecurity.com/.

Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept
Using configuration file install.cfg

Checking for programs specified in install configuration file....

/usr/lib/sendmail exists. Continuing installation.

/bin/vi exists. Continuing installation.

This program will copy Tripwire files to the following directories:

TWROOT: /usr/TSS
TWBIN: /usr/TSS/bin
TWMAN: /usr/TSS/man
TWPOLICY: /usr/TSS/policy
TWREPORT: /usr/TSS/report
TWDB: /usr/TSS/db
TWSITEKEYDIR: /usr/TSS/key
TWLOCALKEYDIR: /usr/TSS/key

CLOBBER is false.

Continue with installation? [y/n] y

----------------------------------------------
Creating directories...
/usr/TSS: already exists
/usr/TSS/bin: already exists
/usr/TSS/policy: already exists
/usr/TSS/report: already exists
/usr/TSS/db: already exists
/usr/TSS/key: already exists
/usr/TSS/key: already exists
/usr/TSS/man: already exists

----------------------------------------------
Copying files...
/usr/TSS/bin/siggen: file already exists
/usr/TSS/bin/twprint: file already exists
/usr/TSS/bin/twadmin: file already exists
/usr/TSS/bin/tripwire: file already exists
/usr/TSS/policy/policyguide.txt: file already exists
/usr/TSS/policy/twpol.txt: file already exists
/usr/TSS/man/man4/twconfig.4: file already exists
/usr/TSS/man/man4/twpolicy.4: file already exists
/usr/TSS/man/man5/twfiles.5: file already exists
/usr/TSS/man/man8/siggen.8: file already exists
/usr/TSS/man/man8/tripwire.8: file already exists
/usr/TSS/man/man8/twadmin.8: file already exists
/usr/TSS/man/man8/twintro.8: file already exists
/usr/TSS/man/man8/twprint.8: file already exists
/usr/TSS/README: file already exists
/usr/TSS/Release_Notes: file already exists
/usr/TSS/License.txt: file already exists

----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases should be at least 8 characters in length
and contain both letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase: (type a passphrase of your choice)
Verify the site keyfile passphrase: (type it again)
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase: (type a passphrase of your choice)
Verify the local keyfile passphrase: (type it again)
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Generating Tripwire configuration file...

----------------------------------------------
Creating signed configuration file...
Please enter your site passphrase: (enter the site passphrase)
Wrote configuration file: /usr/TSS/bin/tw.cfg

A clear-text version of the Tripwire configuration file
/usr/TSS/bin/twcfg.txt
has been preserved for your inspection. It is recommended
that you delete this file manually after you have examined it.


----------------------------------------------
Customizing default policy file...

----------------------------------------------
Creating signed policy file...
Please enter your site passphrase: (enter the site passphrase)
Wrote policy file: /usr/TSS/policy/tw.pol

A clear-text version of the Tripwire policy file
/usr/TSS/policy/twpol.txt
has been preserved for your inspection. This implements
a minimal policy, intended only to test essential
Tripwire functionality. You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.


----------------------------------------------
The installation succeeded.

Please refer to /usr/TSS/Release_Notes
for release information and to the printed user documentation
for further instructions on using Tripwire 2.2.1 for Unix.


Now configure Tripwire.
[root@dev TSS]# cd /usr/TSS
[root@dev TSS]# ls -l
total 47
-r--r--r-- 1 root root 9825 9월 21 08:09 License.txt
-r--r--r-- 1 root root 7060 9월 21 08:09 README
-r--r--r-- 1 root root 23065 9월 21 08:09 Release_Notes
drwxr-x--- 2 root root 1024 9월 21 08:11 bin
drwxr-x--- 2 root root 1024 9월 21 08:09 db
drwxr-x--- 2 root root 1024 9월 21 08:11 key
drwxr-xr-x 5 root root 1024 9월 21 08:09 man
drwxr-x--- 2 root root 1024 9월 21 08:11 policy
drwxr-x--- 2 root root 1024 9월 21 08:09 report
[root@dev TSS]# cd policy
[root@dev policy]# ls -l
total 47
-r--r----- 1 root root 9684 12월 10 1999 policyguide.txt
-rw-r----- 1 root root 4159 9월 21 08:11 tw.pol
-rw-r----- 1 root root 14878 9월 21 08:11 twpol.txt
-rw-r----- 1 root root 14766 9월 21 08:11 twpol.txt.bak

The policy file specifies which files and directories get checksummed.
Back up the original policy file and then write a new one.
[root@dev policy]# mv twpol.txt twpol.txt.org

Write twpol.txt as follows:

# All files must be read-only.
/etc -> $(ReadOnly)
    (emailto="myunggyu@orgio.net", severity=90);

Now apply the configuration (sign the policy file) and initialize the database.
[root@dev policy]# cd ..
[root@dev TSS]# cd bin
[root@dev bin]# ./twadmin --create-polfile ../policy/twpol.txt
Please enter your site passphrase: (enter the site passphrase)
Wrote policy file: /usr/TSS/policy/tw.pol
[root@dev bin]# ./tripwire --init
Please enter your local passphrase:
Parsing policy file: /usr/TSS/policy/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /usr/TSS/db/dev.arreo.com.twd
The database was successfully generated.
[root@dev bin]#

That completes the configuration.
Now let's test it to see how it is used.
Since the policy above checksums only the /etc directory, we will verify that.
A check is run with the following command:

[root@dev bin]# ./tripwire --check
Parsing policy file: /usr/TSS/policy/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /usr/TSS/report/dev.arreo.com-20000921-082250.twr


Tripwire(R) 2.2.1 Integrity Check Report

Report generated by: root
Report created on: Thu Sep 21 08:22:50 2000
Database last updated on: Never

===============================================================================
Report Summary:
===============================================================================

Host name: dev.arreo.com
Host IP address: 211.55.26.64
Host ID: 37d3401a
Policy file used: /usr/TSS/policy/tw.pol
Configuration file used: /usr/TSS/bin/tw.cfg
Database file used: /usr/TSS/db/dev.arreo.com.twd
Command line used: ./tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name                       Severity Level    Added    Removed  Modified
---------                       --------------    -----    -------  --------
etc                             90                0        0        0
(/etc)

Total objects scanned: 506
Total violations found: 0

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

No violations.

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Copyright (C) 1998-2000 Tripwire(R) Security Systems, Inc.
Tripwire(R) is a registered trademark of the Purdue Research
Foundation and is licensed exclusively to Tripwire(R) Security
Systems, Inc.
Integrity check complete.
[root@dev bin]#

As shown above, this is the first run after initializing the database, so there are no
changes in the /etc directory. Now, as a test, create a file called tripwire_test in /etc
and run the check again.

[root@dev bin]# touch /etc/tripwire_test
[root@dev bin]# ./tripwire --check
Parsing policy file: /usr/TSS/policy/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /usr/TSS/report/dev.arreo.com-20000921-082654.twr


Tripwire(R) 2.2.1 Integrity Check Report

Report generated by: root
Report created on: Thu Sep 21 08:26:54 2000
Database last updated on: Never

===============================================================================
Report Summary:
===============================================================================

Host name: dev.arreo.com
Host IP address: 211.55.26.64
Host ID: 37d3401a
Policy file used: /usr/TSS/policy/tw.pol
Configuration file used: /usr/TSS/bin/tw.cfg
Database file used: /usr/TSS/db/dev.arreo.com.twd
Command line used: ./tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name                       Severity Level    Added    Removed  Modified
---------                       --------------    -----    -------  --------
* etc                           90                1        0        1
(/etc)

Total objects scanned: 507
Total violations found: 2

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: etc (/etc)
Severity Level: 90
-------------------------------------------------------------------------------

Added:
"/etc/tripwire_test"

Modified:
"/etc"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Copyright (C) 1998-2000 Tripwire(R) Security Systems, Inc.
Tripwire(R) is a registered trademark of the Purdue Research
Foundation and is licensed exclusively to Tripwire(R) Security
Systems, Inc.
Integrity check complete.
[root@dev bin]#
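Tripwire writes each run's report to the report directory (and, with emailto set as in the policy above, mails it), so in practice the report is what a cron job or mail filter has to act on. As an added example, not from the article and not part of Tripwire, here is a parser for the plain-text report format shown above that extracts the host, the totals, each rule's Added/Removed/Modified counts and the individual changed objects with their rule severity, plus an alerts() helper that picks out changes under rules at or above a chosen severity. The sample input is the article's second report, reduced to the sections the parser reads; the function and field names are this example's own.

```python
# Added example, not from the article or from Tripwire: a parser for the text
# report that "tripwire --check" prints and writes to TWREPORT, so a cron job
# or mail filter can decide whether anyone needs to be alerted.
import re

# Constructed input: the article's second report, reduced to the sections the
# parser reads. Column widths follow the aligned layout Tripwire prints.
SAMPLE_REPORT = """\
Tripwire(R) 2.2.1 Integrity Check Report

Report generated by: root
Report created on: Thu Sep 21 08:26:54 2000
Database last updated on: Never

Report Summary:

Host name: dev.arreo.com
Policy file used: /usr/TSS/policy/tw.pol
Database file used: /usr/TSS/db/dev.arreo.com.twd

Rule Summary:

Section: Unix File System

Rule Name                       Severity Level    Added    Removed  Modified
---------                       --------------    -----    -------  --------
* etc                           90                1        0        1
(/etc)

Total objects scanned: 507
Total violations found: 2

Object Summary:

Rule Name: etc (/etc)
Severity Level: 90

Added:
"/etc/tripwire_test"

Modified:
"/etc"

Error Report:

No Errors
"""

HEADING = re.compile(r"^(Report Summary|Rule Summary|Object Summary|Error Report):$")
FIELD = re.compile(r"^(Host name|Total objects scanned|Total violations found):\s*(.*)$")
# "* name  sev  added removed modified"; the name may contain spaces, so it is
# matched non-greedily up to the four trailing numbers.
RULE_ROW = re.compile(r"^(\*?)\s*(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
OBJ_RULE = re.compile(r"^Rule Name:\s*(\S+)")
OBJ_SEV = re.compile(r"^Severity Level:\s*(\d+)$")
CHANGE = re.compile(r"^(Added|Removed|Modified):$")
QUOTED = re.compile(r'^"(.*)"$')


def parse_report(text):
    """Turn a Tripwire 2.x integrity report into totals, rules and changed objects."""
    out = {"host": None, "scanned": 0, "violations": 0, "rules": [],
           "objects": [], "no_errors": False}
    section = change = None
    rule = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADING.match(line)
        if m:
            section, change = m.group(1), None
            continue
        m = FIELD.match(line)
        if m:
            key, val = m.groups()
            if key == "Host name":
                out["host"] = val
            elif key == "Total objects scanned":
                out["scanned"] = int(val)
            else:
                out["violations"] = int(val)
        elif section == "Rule Summary" and RULE_ROW.match(line):
            flag, name, sev, add, rem, mod = RULE_ROW.match(line).groups()
            out["rules"].append({"name": name, "severity": int(sev), "added": int(add),
                                 "removed": int(rem), "modified": int(mod),
                                 "violated": flag == "*"})
        elif section == "Object Summary":
            if OBJ_RULE.match(line):
                rule = {"rule": OBJ_RULE.match(line).group(1)}   # start of a rule's block
            elif OBJ_SEV.match(line):
                rule["severity"] = int(OBJ_SEV.match(line).group(1))
            elif CHANGE.match(line):
                change = CHANGE.match(line).group(1)
            elif change and QUOTED.match(line):
                out["objects"].append({"change": change,
                                       "path": QUOTED.match(line).group(1), **rule})
        elif section == "Error Report" and line == "No Errors":
            out["no_errors"] = True
    return out


def alerts(report, min_severity=50):
    """Changed objects worth acting on: every change under a rule of at least min_severity."""
    return [o for o in report["objects"] if o.get("severity", 0) >= min_severity]
```

For the sample above, parse_report() reports two violations under the severity-90 rule "etc", and alerts() returns both changed objects at the default threshold and none at a threshold above 90. The .twr files written to /usr/TSS/report can be printed back as this text format with the twprint utility that the installer copied alongside tripwire, so the same parser can be run over archived reports as well as mailed ones.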


Reference (original source)
http://www.tripwiresecurity.com/literature/AdvancedApps.PDF


Copyleft (C) Myunggyu's LINUX, All rights free
