Tripwire
1. Installation
# dnf -y install tripwire
Installed:
tripwire-2.4.3.7-20.el10_2.x86_64
Complete!
2. Passphrase setup
Set the site passphrase and the local passphrase
# tripwire-setup-keyfiles
------------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
------------------------------------------------
Creating key files…
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: [site pass]
Verify the site keyfile passphrase: [site pass]
Generating key (this may take several minutes)…Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: [local pass]
Verify the local keyfile passphrase: [local pass]
Generating key (this may take several minutes)…Key generation complete.
------------------------------------------------
Signing configuration file…
Please enter your site passphrase: [site pass]
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
------------------------------------------------
Signing policy file…
Please enter your site passphrase: [site pass]
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements a minimal
policy, intended only to test essential Tripwire functionality. You
should edit the policy file to describe your system, and then use
twadmin to generate a new signed copy of the Tripwire policy.
Once you have a satisfactory Tripwire policy file, you should move the
clear-text version to a secure location and/or encrypt it in place
(using a tool such as GPG, for example).
Now run "tripwire --init" to enter Database Initialization Mode. This
reads the policy file, generates a database based on its contents, and
then cryptographically signs the resulting database. Options can be
entered on the command line to specify which policy, configuration, and
key files are used to create the database. The filename for the
database can be specified as well. If no options are specified, the
default values from the current configuration file are used.
3. Configuring Tripwire
① Edit the configuration file
# vi /etc/tripwire/twcfg.txt
Line 9
Change to "LOOSEDIRECTORYCHECKING =true"
Line 12: change the report level
Level 4 is the most detailed of the five levels (0 to 4), so the check output shows the fullest report.
REPORTLEVEL =4
② Create the signed (encrypted) Tripwire configuration file
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: ←site pass
Wrote configuration file: /etc/tripwire/tw.cfg
③ Delete the plain-text Tripwire configuration file
# rm -f /etc/tripwire/twcfg.txt
④ Policy file setup
# cd /etc/tripwire/
# vi twpolmake.pl
Contents of twpolmake.pl
#!/usr/bin/perl
# twpolmake.pl: rewrites twpol.txt so that the HOSTNAME directive matches this
# host and rules for paths that do not exist (or are empty) are commented out,
# so that "tripwire --init" does not report them as errors.
use strict;
use warnings;

my $POLFILE = $ARGV[0];
open(POL, "$POLFILE") or die "open error: $POLFILE";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my $INRULE = 0;
while (<POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        # Replace the HOSTNAME value with this machine's host name
        $myhost = `hostname`; chomp($myhost);
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    elsif (/^\{/) {
        $INRULE = 1;   # entering a rule block
    }
    elsif (/^\}/) {
        $INRULE = 0;   # leaving a rule block
    }
    elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $ret is non-zero when the rule line was already commented out
        my $ret = ($sharp =~ s/\#//g) || 0;
        if ($tpath eq '/sbin/e2fsadm') {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }
        if (! -s $tpath) {
            # Path missing or empty: comment the rule out (unless it already was)
            $_ = "$sharp#$tpath$cond" if ($ret == 0);
        }
        else {
            # Path exists: emit the rule uncommented
            $_ = "$sharp$tpath$cond";
        }
    }
    print "$_\n";
}
close(POL);
⑤ Optimize the policy file
# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new
⑥ Create the signed policy file from the optimized policy file
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase: ←site pass
Wrote policy file: /etc/tripwire/tw.pol
⑦ Create the database
# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: ←local pass
⑧ Verify operation
Create a test file
# echo test > /root/test.txt
Run a Tripwire check
# tripwire -m c -s -c /etc/tripwire/tw.cfg
The following is displayed
-------------------------------------------------------------------------------
Added:
"/root/test.txt"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Delete the test file
# rm -f /root/test.txt
⑨ Create a script that e-mails the Tripwire results
# cd /var/www/system
# vi tripwire.sh
#!/bin/bash
PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin
# Passphrases (the script holds them in clear text, hence the chmod 700 below)
LOCALPASS=xxxxx # local pass
SITEPASS=xxxxx # site pass
# Notification e-mail address
MAIL="[your mail address]"
cd /etc/tripwire || exit 1
# Run the Tripwire integrity check and mail the report
tripwire -m c -s -c tw.cfg | mail -s "Tripwire(R) Integrity Check Report in $(hostname)" "$MAIL"
# Regenerate the policy file (re-run twpolmake.pl so newly added/removed paths are reflected)
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q "$SITEPASS" twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak
# Rebuild the database; the dnf package stores it under /var/lib/tripwire (DBFILE in twcfg.txt)
rm -f /var/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P "$LOCALPASS"
# chmod 700 tripwire.sh
Add to cron
# crontab -e
0 3 * * * /var/www/system/tripwire.sh
Run the following command and confirm that the Tripwire results are delivered to the specified e-mail address
# /var/www/system/tripwire.sh
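Because the nightly script mails the full report and then re-initializes the database, every change (legitimate or not) becomes the new baseline the next day, so the report has to actually be read. The parser below is an added example in Python, not code from the original page: it pulls the Added/Removed/Modified objects and the error status out of a check report so a wrapper can decide whether the mail needs attention. The sample report is constructed from the check output above; the Removed section is assumed for illustration.

```python
import re

# Constructed sample modeled on the "tripwire -m c" output shown above.
SAMPLE_REPORT = """\
-------------------------------------------------------------------------------
Added:
"/root/test.txt"

Removed:
"/etc/motd.old"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
"""

SECTION_RE = re.compile(r'^(Added|Removed|Modified):\s*$')
PATH_RE = re.compile(r'^"(.+)"$')


def parse_report(text):
    """Return the objects listed under Added/Removed/Modified plus an error flag.

    'errors' stays True unless the Error Report section says "No Errors",
    so a truncated or failed report is treated as needing attention.
    """
    result = {"Added": [], "Removed": [], "Modified": [], "errors": True}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)       # start of an object list
            continue
        if line == "No Errors":
            result["errors"] = False
            continue
        if section is None:
            continue
        m = PATH_RE.match(line)
        if m:
            result[section].append(m.group(1))
        else:
            section = None             # blank line or separator ends the list
    return result


def needs_attention(parsed):
    """True when the report lists any object change or the check had errors."""
    return parsed["errors"] or any(parsed[k] for k in ("Added", "Removed", "Modified"))
```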
Logwatch
① Installation
# dnf -y install logwatch
② Edit the configuration file
# cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf
# vi /etc/logwatch/conf/logwatch.conf
Line 77: set the e-mail address that should receive the notifications
#MailTo = root
MailTo = [mail address]
Line 116: set the detail level of the log report
#Detail = Low
Detail = High
③ Output a Logwatch report
# logwatch --output stdout
A message like the following is shown
################### Logwatch 7.11 (07/22/24) ####################
Processing Initiated: Fri Jun 5 09:02:50 2026
Date Range Processed: yesterday
( 2026-Jun-04 )
Period is day.
Detail Level of Output: 10
Type of Output/Format: stdout / text
Logfiles for Host: Lepard
##################################################################
--------------------- Kernel Audit Begin ------------------------
Number of audit daemon starts: 1
Number of audit initializations: 1
**Unmatched Entries**
auditd[1136]: audit dispatcher initialized with q_depth=2000 and 1 active plugins: 1 Time(s)
---------------------- Kernel Audit End -------------------------
~~~~~~~~~~~~~~(Omitted)~~~~~~~~~~~~~~~~~~~~
--------------------- lm_sensors output Begin ------------------------
No sensors found!
Make sure you loaded all the kernel drivers you need.
Try sensors-detect to find out which these are.
---------------------- lm_sensors output End -------------------------
###################### Logwatch End #########################
④ Test that the report reaches the configured address: run the command below and confirm that a log report e-mail like the one above arrives
# /etc/cron.daily/0logwatch
DNS update
Every time the global IP address changes, which happens when the network connection drops or the router is disconnected and rebooted, the dynamic DNS service must be contacted and told about the new global IP.
Create a dedicated Python script and run it periodically from cron (this example uses the DNS settings of Value-Domain).
# cd /var/www/system
# vi ddnsset.py
Contents of ddnsset.py
# ddnsset.py
import requests
import ipaddress
from datetime import datetime
from pathlib import Path

# SETTING DATA
MY_DOMAIN = "example.jp"          # your own domain
MY_PASS = "xxxxxxxxxx"            # DDNS password
MY_HOSTNAME = "xxxx"              # host name
OUT_FILE = Path("/tmp/ipadress")  # file recording the last known IP address
                                  # (/tmp is world-writable; a root-owned
                                  # directory is safer for this state file)


def time_msg():
    now = datetime.now()
    return now.strftime("%Y/%m/%d %H:%M:%S")


def is_valid_ip(ip_str):
    try:
        ipaddress.ip_address(ip_str)
        return True
    except ValueError:
        return False


def main():
    # Check Global IP Address
    url_get_ip = "https://dyn.value-domain.com/cgi-bin/dyn.fcg?ip"
    try:
        response = requests.get(url_get_ip, timeout=10)
        response.raise_for_status()
        current_ip = response.text.strip()
    except requests.RequestException as e:
        print(f"{time_msg()} Failed to get IP: {e}")
        return
    # IP check: never send an empty or non-IP string to the DDNS service
    mssg = time_msg()
    if not current_ip:
        print(f"{mssg} invalid IP NULL")
        return
    if not is_valid_ip(current_ip):
        print(f"{mssg} invalid IP={current_ip}")
        return
    # Read previous IP
    previous_ip = ""
    if OUT_FILE.exists():
        with open(OUT_FILE, "r") as f:
            previous_ip = f.read().strip()
    if current_ip == previous_ip:
        print(f"{time_msg()} no change IP={current_ip}")
        return
    else:
        print(f"change IP from {previous_ip} to {current_ip}")
    # Update DDNS (the password travels in the query string, so HTTPS is required)
    mssg = time_msg()
    print(f"{mssg} access to value-domain")
    url_set_ddns = (
        f"https://dyn.value-domain.com/cgi-bin/dyn.fcg?"
        f"d={MY_DOMAIN}&p={MY_PASS}&h={MY_HOSTNAME}"
    )
    try:
        response = requests.get(url_set_ddns, timeout=10)
        response.raise_for_status()
        # Convert newlines to spaces and collapse runs of whitespace
        result = ' '.join(response.text.strip().split())
    except requests.RequestException as e:
        print(f"{time_msg()} Failed to update DDNS: {e}")
        return
    mssg = time_msg()
    print(f"{mssg} {MY_HOSTNAME}.{MY_DOMAIN} {result} IP={current_ip}")
    # Save the IP only when the DDNS update succeeded
    if "status=0" in result:
        with open(OUT_FILE, "w") as f:
            f.write(current_ip)
        print(f"{mssg} Successfully saved new IP: {current_ip}")
    else:
        print(f"{mssg} DDNS update failed, IP not saved")


if __name__ == "__main__":
    main()
Create the IP address record file
# touch /tmp/ipadress
Run periodically
# crontab -e
* 00 * * * /usr/bin/python3 /var/www/system/ddnsset.py >> /var/log/ddns_updater.log 2>&1
Disk usage check script
1. Create the script
# cd /var/www/system
# vi disk_capacity_check.sh
Contents of disk_capacity_check.sh
#!/bin/bash
# Notification e-mail address
MAIL="<your mailaddress>"
# Usage percentage of the root filesystem: the number before '%' on the last line of df
DVAL=$(/bin/df -P / | /usr/bin/tail -1 | /bin/sed 's/^.* \([0-9]*\)%.*$/\1/')
if [ "$DVAL" -gt 80 ]; then
    echo "Disk usage alert: $DVAL %" | mail -s "Disk Space Alert in $(hostname)" "$MAIL"
fi
# chmod 700 disk_capacity_check.sh
2. Verify execution
① Check the current usage
# df -h
The following is displayed
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/rl-root 25G 6.4G 19G 26% /
devtmpfs 1.8G 0 1.8G 0% /dev
tmpfs 1.8G 0 1.8G 0% /dev/shm
tmpfs 725M 9.4M 715M 2% /run
tmpfs 1.0M 0 1.0M 0% /run/credentials/systemd-journald.service
/dev/loop2 128K 128K 0 100% /var/lib/snapd/snap/hello-world/29
/dev/loop4 50M 50M 0 100% /var/lib/snapd/snap/snapd/26865
/dev/loop1 106M 106M 0 100% /var/lib/snapd/snap/core/17292
/dev/loop3 67M 67M 0 100% /var/lib/snapd/snap/core24/1643
/dev/loop0 74M 74M 0 100% /var/lib/snapd/snap/certbot/5603
/dev/nvme0n1p2 2.0G 437M 1.6G 23% /boot
tmpfs 1.0M 0 1.0M 0% /run/credentials/getty@tty1.service
tmpfs 363M 16K 363M 1% /run/user/1000
② Create a dummy file so that usage reaches 80% or more (in this example a file named dummyfile of about 15 GB)
# dd if=/dev/zero of=dummyfile bs=1M count=15000
③ Check again
# df -h
Run the above and confirm that usage is now 80% or more
④ Run the disk capacity check script
# /var/www/system/disk_capacity_check.sh
An e-mail whose body reads like "Disk usage alert: 85 %" arrives at the configured address
⑤ Delete the dummyfile created above
# rm dummyfile
⑥ Set up periodic execution
# crontab -e
30 2 * * * /var/www/system/disk_capacity_check.sh
