Tripwire
1.インストール
# dnf -y install tripwire
Installed:
tripwire-2.4.3.7-16.el9.x86_64
Complete!
2.パスフレーズ設定
サイトパスフレーズとローカルパスフレーズを設定する
# tripwire-setup-keyfiles
------------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
------------------------------------------------
Creating key files…
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: [site pass]
Verify the site keyfile passphrase: [site pass]
Generating key (this may take several minutes)…Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: [local pass]
Verify the local keyfile passphrase: [local pass]
Generating key (this may take several minutes)…Key generation complete.
------------------------------------------------
Signing configuration file…
Please enter your site passphrase: [site pass]
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
------------------------------------------------
Signing policy file…
Please enter your site passphrase: [site pass]
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements a minimal
policy, intended only to test essential Tripwire functionality. You
should edit the policy file to describe your system, and then use
twadmin to generate a new signed copy of the Tripwire policy.
Once you have a satisfactory Tripwire policy file, you should move the
clear-text version to a secure location and/or encrypt it in place
(using a tool such as GPG, for example).
Now run "tripwire --init" to enter Database Initialization Mode. This
reads the policy file, generates a database based on its contents, and
then cryptographically signs the resulting database. Options can be
entered on the command line to specify which policy, configuration, and
key files are used to create the database. The filename for the
database can be specified as well. If no options are specified, the
default values from the current configuration file are used.
3.Tripwire の設定
①設定ファイル編集
# vi /etc/tripwire/twcfg.txt
9 行目
「LOOSEDIRECTORYCHECKING =true」に変更
12 行目変更
レベル4 にすることで「0 」~「4 」までの5 段階中、最も詳細なレポートが表示されます。
REPORTLEVEL =4
②Tripwire 設定ファイル(暗号署名版)を作成
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: ←site pass
Wrote configuration file: /etc/tripwire/tw.cfg
③Tripwire 設定ファイル(テキスト版)削除
# rm -f /etc/tripwire/twcfg.txt
④ポリシーファイル設定
# cd /etc/tripwire/
# vi twpolmake.pl
twpolmake.plの内容
#!/usr/bin/perl
#
$POLFILE=$ARGV[0];
open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;
⑤ポリシーファイル最適化
# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new
⑥最適化済ポリシーファイルを元に、ポリシーファイル(暗号署名版)作成
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase: ←site pass
Wrote policy file: /etc/tripwire/tw.pol
⑦データベースを作成、動作確認
# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: ←local pass
テスト用ファイルを作成
# echo test > /root/test.txt
Tripwire の動作確認
# tripwire -m c -s -c /etc/tripwire/tw.cfg
下記のように表示されればOK
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report
Report generated by: root
Report created on: Fri 03 Jul 2026 02:30:21 PM JST
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: Lepard
Host IP address: 192.168.11.83
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/Lepard.twd
Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
(/sbin/runlevel)
Application Information Programs
100 0 0 0
(/sbin/rtmon)
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
Critical system boot files 100 0 0 0
* Tripwire Data Files 100 1 0 0
System boot changes 100 0 0 0
OS executables and libraries 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
Critical configuration files 100 0 0 0
* Root config files 100 1 0 0
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
Critical devices 100 0 0 0
(/proc/kcore)
Total objects scanned: 47684
Total violations found: 2
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/var/lib/tripwire/Lepard.twd"
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/root/test.txt"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
テスト用ファイルを削除
# rm -f /root/test.txt
⑧メールで結果報告用スクリプト作成
# cd /var/www/system
# vi tripwire.sh
#!/bin/bash
PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin
#パスフレーズ設定
LOCALPASS=xxxxx # local pass
SITEPASS=xxxxx # site pass
#通知先メールアドレス指定
MAIL="[your mail address] "
cd /etc/tripwire
#Tripwireチェック実行
tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL
#ポリシーファイル最新化
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak
#データベース最新化
rm -f /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS
# chmod 700 tripwire.sh
cron に追加
# crontab -e
0 3 * * * /var/www/system/tripwire.sh
下記コマンドを実行し、指定したメールアドレスにtripwire実行結果が通知されることを確認
# /var/www/system/tripwire.sh
Chkrootkit
chkrootkitというrootkit検知ツールを導入して、rootkitがLinuxサーバーにインストールされてしまっていないかチェックする。
chkrootkitは、以下のコマンドを使用してチェックするため、コマンド自体がrootkitを検知できないように改竄されてからでは意味がないので、Linuxインストール後の初期の段階で導入しておくのが望ましい。
【chkrootkitが使用するコマンド】
awk, cut, echo, egrep, find, head, id, ls, netstat, ps, strings, sed, uname
なお、chkrootkitが検知できるのは既知のrootkitのみであり、新たなrootkitの検知はできない。
①chkrootkit をダウンロード、インストール
# cd /usr/local/src
# wget https://launchpad.net/chkrootkit/main/0.55/+download/chkrootkit-0.55.tar.gz
# tar xvf chkrootkit-0.55.tar.gz
➁/root/bin ディレクトリを作成し、そのディレクトリにchkrootkit コマンドを移動
# mkdir -p /root/bin
# mv chkrootkit-0.55/chkrootkit /root/bin
➂chkrootkit を確認
# chkrootkit | grep INFECTED
何も表示されなければ問題ありません
Checking `chsh'... INFECTED と表示される場合は、RPMデータベースの情報と比較します
chshのRPMパッケージを確認
# rpm -qf $(which chsh)
util-linux-user-2.37.4-25.el9.x86_64
指定したパッケージがインストールされた時と比べて、改変されていないかを検査する
# rpm -V util-linux-user
出力なし(差異がない場合、何も出力されません)---差異が見つからなかったため、誤検知と判断できます
④chkrootkit 定期実行スクリプトの作成と権限変更
chkrootkit実行スクリプトを毎日自動実行されるディレクトリへ作成
# vi /etc/cron.daily/chkrootkit
定期実行スクリプトの内容
#!/bin/bash
PATH=/usr/bin:/bin:/root/bin
LOG=/tmp/$(basename ${0})
# chkrootkit実行
chkrootkit > $LOG 2>&1
# ログ出力
cat $LOG | logger -t $(basename ${0})
# SMTPSのbindshell誤検知対応
if [ ! -z "$(grep 465 $LOG)" ] && \
[ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then
sed -i '/465/d' $LOG
fi
# upstartパッケージ更新時のSuckit誤検知対応
if [ ! -z "$(grep Suckit $LOG)" ] && \
[ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then
sed -i '/Suckit/d' $LOG
fi
# rootkit検知時のみroot宛メール送信
[ ! -z "$(grep INFECTED $LOG)" ] && \
grep INFECTED $LOG | mail -s "chkrootkit report in `hostname`" root
chkrootkit実行スクリプトへ実行権限付加
# chmod 700 /etc/cron.daily/chkrootkit
⑤chkrootkit が使用するコマンドをバックアップ
chkrootkit が使用するコマンドが改ざんされた場合、rootkit を検出できなくなるので、
これらのコマンドをバックアップしておきます。
必要な場合は、バックアップしたコマンドを使用してchkrootkit を実行します
# cd /root
# mkdir /root/chkrootkit_cmd
# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/
# ls -l /root/chkrootkit_cmd/
total 2668
-rwxr-xr-x 1 root root 714928 Jul 3 15:05 awk
-rwxr-xr-x 1 root root 44648 Jul 3 15:05 cut
-rwxr-xr-x 1 root root 27936 Jul 3 15:05 echo
-rwxr-xr-x 1 root root 32 Jul 3 15:05 egrep
-rwxr-xr-x 1 root root 291792 Jul 3 15:05 find
-rwxr-xr-x 1 root root 40552 Jul 3 15:05 head
-rwxr-xr-x 1 root root 40472 Jul 3 15:05 id
-rwxr-xr-x 1 root root 140744 Jul 3 15:05 ls
-rwxr-xr-x 1 root root 160616 Jul 3 15:05 netstat
-rwxr-xr-x 1 root root 144536 Jul 3 15:05 ps
-rwxr-xr-x 1 root root 115544 Jul 3 15:05 sed
-rwxr-xr-x 1 root root 917872 Jul 3 15:05 ssh
-rwxr-xr-x 1 root root 32504 Jul 3 15:05 strings
-rwxr-xr-x 1 root root 32232 Jul 3 15:05 uname
⑥コピーしたコマンドにchkrootkit を実行
# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED
Checking `chsh'... INFECTED
Checking `chsh'… INFECTEDと表示されますが誤検知です
⑦バックアップしたコマンドを圧縮
# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd
chkrootkit_cmd/
chkrootkit_cmd/awk
chkrootkit_cmd/cut
chkrootkit_cmd/echo
chkrootkit_cmd/egrep
chkrootkit_cmd/find
chkrootkit_cmd/head
chkrootkit_cmd/id
chkrootkit_cmd/ls
chkrootkit_cmd/netstat
chkrootkit_cmd/ps
chkrootkit_cmd/strings
chkrootkit_cmd/sed
chkrootkit_cmd/ssh
chkrootkit_cmd/uname
# ls -l
total 7488
-rw-r--r-- 1 root root 2590063 Mar 25 23:57 4-5-12
-rw-------. 1 root root 1305 Jun 30 15:28 anaconda-ks.cfg
drwxr-xr-x 2 root root 24 Jul 3 14:47 bin
drwxr-xr-x 2 root root 172 Jul 3 15:05 chkrootkit_cmd
-rw-r--r-- 1 root root 1244819 Jul 3 15:07 chkrootkit_cmd.tar.gz
drwxrwxr-x 22 root root 4096 Jul 2 14:19 nagios-4.5.12
drwxr-xr-x 15 root root 4096 Jul 2 14:24 nagios-plugins-2.5
-rw-r--r-- 1 root root 2752957 Apr 1 00:47 nagios-plugins-2.5.tar.gz
drwxrwxr-x 10 root root 4096 Jul 2 14:45 nrpe-4.1.3
-rw-r--r-- 1 root root 526925 Dec 11 2024 nrpe-4.1.3.tar.gz
-rw-r--r-- 1 root root 526925 Dec 11 2024 nrpe-4.1.3.tar.gz.1
drwx------ 3 root root 21 Jul 2 08:47 snap
⑧chkrootkit使用コマンド(圧縮版)をroot宛にメール送信
# echo|mail -a chkrootkit_cmd.tar.gz -s chkrootkit_cmd.tar.gz root
⑨Windows にchkrootkit_cmd.tar.gz ファイルをダウンロードして退避
⑩バックアップしたサーバー上のコマンドを削除
# rm -f chkrootkit_cmd.tar.gz
