業務用エアコン関連の技術情報、エラーコード、環境問題対策に関する別サイト「エアコンの安全な修理・適切なフロン回収」

AlmaLinux9.8 : Tripwire , Chkrootkit インストール

Tripwire

1.インストール

# dnf -y install tripwire
Installed:
  tripwire-2.4.3.7-16.el9.x86_64

Complete!

2.パスフレーズ設定

サイトパスフレーズとローカルパスフレーズを設定する

# tripwire-setup-keyfiles

------------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.

Passphrases should be at least 8 characters in length and contain both
letters and numbers.

See the Tripwire manual for more information.
------------------------------------------------
Creating key files…

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase: [site pass]
Verify the site keyfile passphrase: [site pass]
Generating key (this may take several minutes)…Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase: [local pass]
Verify the local keyfile passphrase: [local pass]
Generating key (this may take several minutes)…Key generation complete.

------------------------------------------------
Signing configuration file…
Please enter your site passphrase: [site pass]
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.

------------------------------------------------
Signing policy file…
Please enter your site passphrase: [site pass]
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements a minimal
policy, intended only to test essential Tripwire functionality. You
should edit the policy file to describe your system, and then use
twadmin to generate a new signed copy of the Tripwire policy.

Once you have a satisfactory Tripwire policy file, you should move the
clear-text version to a secure location and/or encrypt it in place
(using a tool such as GPG, for example).

Now run "tripwire --init" to enter Database Initialization Mode. This
reads the policy file, generates a database based on its contents, and
then cryptographically signs the resulting database. Options can be
entered on the command line to specify which policy, configuration, and
key files are used to create the database. The filename for the
database can be specified as well. If no options are specified, the
default values from the current configuration file are used.

3.Tripwire の設定

①設定ファイル編集

# vi /etc/tripwire/twcfg.txt

9 行目
「LOOSEDIRECTORYCHECKING =true」に変更

12 行目変更
レベル4 にすることで「0 」~「4 」までの5 段階中、最も詳細なレポートが表示されます。
REPORTLEVEL =4

②Tripwire 設定ファイル(暗号署名版)を作成

# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: ←site pass
Wrote configuration file: /etc/tripwire/tw.cfg

③Tripwire 設定ファイル(テキスト版)削除

# rm -f /etc/tripwire/twcfg.txt

④ポリシーファイル設定

# cd /etc/tripwire/
# vi twpolmake.pl

twpolmake.plの内容

#!/usr/bin/perl
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;

⑤ポリシーファイル最適化

# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new

⑥最適化済ポリシーファイルを元に、ポリシーファイル(暗号署名版)作成

# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase: ←site pass
Wrote policy file: /etc/tripwire/tw.pol

⑦データベースを作成、動作確認

# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: ←local pass

テスト用ファイルを作成

# echo test > /root/test.txt

Tripwire の動作確認

# tripwire -m c -s -c /etc/tripwire/tw.cfg

下記のように表示されればOK

Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Report created on:            Fri 03 Jul 2026 02:30:21 PM JST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    Lepard
Host IP address:              192.168.11.83
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/Lepard.twd
Command line used:            tripwire -m c -s -c /etc/tripwire/tw.cfg

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  User binaries                   66                0        0        0
  Tripwire Binaries               100               0        0        0
  Libraries                       66                0        0        0
  Operating System Utilities      100               0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        0
  Kernel Administration Programs  100               0        0        0
  Networking Programs             100               0        0        0
  System Administration Programs  100               0        0        0
  Hardware and Device Control Programs
                                  100               0        0        0
  System Information Programs     100               0        0        0
  (/sbin/runlevel)
  Application Information Programs
                                  100               0        0        0
  (/sbin/rtmon)
  Critical Utility Sym-Links      100               0        0        0
  Shell Binaries                  100               0        0        0
  Critical system boot files      100               0        0        0
* Tripwire Data Files             100               1        0        0
  System boot changes             100               0        0        0
  OS executables and libraries    100               0        0        0
  Security Control                100               0        0        0
  Login Scripts                   100               0        0        0
  Critical configuration files    100               0        0        0
* Root config files               100               1        0        0
  Invariant Directories           66                0        0        0
  Temporary directories           33                0        0        0
  Critical devices                100               0        0        0
  (/proc/kcore)

Total objects scanned:  47684
Total violations found:  2

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/Lepard.twd"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/root/test.txt"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc.  Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.

テスト用ファイルを削除

# rm -f /root/test.txt

メールで結果報告用スクリプト作成

# cd /var/www/system
# vi tripwire.sh
tripwire.shの内容

#!/bin/bash

PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

#パスフレーズ設定
LOCALPASS=xxxxx # local pass
SITEPASS=xxxxx # site pass

#通知先メールアドレス指定
MAIL="[your mail address] "

cd /etc/tripwire

#Tripwireチェック実行
tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL

#ポリシーファイル最新化
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak

#データベース最新化
rm -f /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS

# chmod 700 tripwire.sh

cron に追加
# crontab -e
0 3 * * * /var/www/system/tripwire.sh

下記コマンドを実行し、指定したメールアドレスにtripwire実行結果が通知されることを確認

# /var/www/system/tripwire.sh

Chkrootkit

chkrootkitというrootkit検知ツールを導入して、rootkitがLinuxサーバーにインストールされてしまっていないかチェックする。
chkrootkitは、以下のコマンドを使用してチェックするため、コマンド自体がrootkitを検知できないように改竄されてからでは意味がないので、Linuxインストール後の初期の段階で導入しておくのが望ましい。

【chkrootkitが使用するコマンド】
awk, cut, echo, egrep, find, head, id, ls, netstat, ps, strings, sed, uname

なお、chkrootkitが検知できるのは既知のrootkitのみであり、新たなrootkitの検知はできない。

①chkrootkit をダウンロード、インストール

# cd /usr/local/src
# wget https://launchpad.net/chkrootkit/main/0.55/+download/chkrootkit-0.55.tar.gz
# tar xvf chkrootkit-0.55.tar.gz

➁/root/bin ディレクトリを作成し、そのディレクトリにchkrootkit コマンドを移動

# mkdir -p /root/bin
# mv chkrootkit-0.55/chkrootkit /root/bin

➂chkrootkit を確認

# chkrootkit | grep INFECTED
何も表示されなければ問題ありません

Checking `chsh'... INFECTED と表示される場合は、RPMデータベースの情報と比較します

chshのRPMパッケージを確認
# rpm -qf $(which chsh)
util-linux-user-2.37.4-25.el9.x86_64

指定したパッケージがインストールされた時と比べて、改変されていないかを検査する
# rpm -V util-linux-user
出力なし(差異がない場合、何も出力されません)---差異が見つからなかったため、誤検知と判断できます

④chkrootkit 定期実行スクリプトの作成と権限変更
chkrootkit実行スクリプトを毎日自動実行されるディレクトリへ作成

# vi /etc/cron.daily/chkrootkit

定期実行スクリプトの内容

#!/bin/bash

PATH=/usr/bin:/bin:/root/bin

LOG=/tmp/$(basename ${0})

# chkrootkit実行
chkrootkit > $LOG 2>&1

# ログ出力
cat $LOG | logger -t $(basename ${0})

# SMTPSのbindshell誤検知対応
if [ ! -z "$(grep 465 $LOG)" ] && \
[ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then
sed -i '/465/d' $LOG
fi

# upstartパッケージ更新時のSuckit誤検知対応
if [ ! -z "$(grep Suckit $LOG)" ] && \
[ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then
sed -i '/Suckit/d' $LOG
fi

# rootkit検知時のみroot宛メール送信
[ ! -z "$(grep INFECTED $LOG)" ] && \
grep INFECTED $LOG | mail -s "chkrootkit report in `hostname`" root

chkrootkit実行スクリプトへ実行権限付加

# chmod 700 /etc/cron.daily/chkrootkit

⑤chkrootkit が使用するコマンドをバックアップ

chkrootkit が使用するコマンドが改ざんされた場合、rootkit を検出できなくなるので、
これらのコマンドをバックアップしておきます。
必要な場合は、バックアップしたコマンドを使用してchkrootkit を実行します

# cd /root
# mkdir /root/chkrootkit_cmd
# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/
# ls -l /root/chkrootkit_cmd/
total 2668
-rwxr-xr-x 1 root root 714928 Jul  3 15:05 awk
-rwxr-xr-x 1 root root  44648 Jul  3 15:05 cut
-rwxr-xr-x 1 root root  27936 Jul  3 15:05 echo
-rwxr-xr-x 1 root root     32 Jul  3 15:05 egrep
-rwxr-xr-x 1 root root 291792 Jul  3 15:05 find
-rwxr-xr-x 1 root root  40552 Jul  3 15:05 head
-rwxr-xr-x 1 root root  40472 Jul  3 15:05 id
-rwxr-xr-x 1 root root 140744 Jul  3 15:05 ls
-rwxr-xr-x 1 root root 160616 Jul  3 15:05 netstat
-rwxr-xr-x 1 root root 144536 Jul  3 15:05 ps
-rwxr-xr-x 1 root root 115544 Jul  3 15:05 sed
-rwxr-xr-x 1 root root 917872 Jul  3 15:05 ssh
-rwxr-xr-x 1 root root  32504 Jul  3 15:05 strings
-rwxr-xr-x 1 root root  32232 Jul  3 15:05 uname

⑥コピーしたコマンドにchkrootkit を実行

# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED
Checking `chsh'... INFECTED

Checking `chsh'… INFECTEDと表示されますが誤検知です

⑦バックアップしたコマンドを圧縮

# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd
chkrootkit_cmd/
chkrootkit_cmd/awk
chkrootkit_cmd/cut
chkrootkit_cmd/echo
chkrootkit_cmd/egrep
chkrootkit_cmd/find
chkrootkit_cmd/head
chkrootkit_cmd/id
chkrootkit_cmd/ls
chkrootkit_cmd/netstat
chkrootkit_cmd/ps
chkrootkit_cmd/strings
chkrootkit_cmd/sed
chkrootkit_cmd/ssh
chkrootkit_cmd/uname
# ls -l
total 7488
-rw-r--r--   1 root root 2590063 Mar 25 23:57 4-5-12
-rw-------.  1 root root    1305 Jun 30 15:28 anaconda-ks.cfg
drwxr-xr-x   2 root root      24 Jul  3 14:47 bin
drwxr-xr-x   2 root root     172 Jul  3 15:05 chkrootkit_cmd
-rw-r--r--   1 root root 1244819 Jul  3 15:07 chkrootkit_cmd.tar.gz
drwxrwxr-x  22 root root    4096 Jul  2 14:19 nagios-4.5.12
drwxr-xr-x  15 root root    4096 Jul  2 14:24 nagios-plugins-2.5
-rw-r--r--   1 root root 2752957 Apr  1 00:47 nagios-plugins-2.5.tar.gz
drwxrwxr-x  10 root root    4096 Jul  2 14:45 nrpe-4.1.3
-rw-r--r--   1 root root  526925 Dec 11  2024 nrpe-4.1.3.tar.gz
-rw-r--r--   1 root root  526925 Dec 11  2024 nrpe-4.1.3.tar.gz.1
drwx------   3 root root      21 Jul  2 08:47 snap

⑧chkrootkit使用コマンド(圧縮版)をroot宛にメール送信

# echo|mail -a chkrootkit_cmd.tar.gz -s chkrootkit_cmd.tar.gz root

⑨Windows にchkrootkit_cmd.tar.gz ファイルをダウンロードして退避

⑩バックアップしたサーバー上のコマンドを削除

# rm -f chkrootkit_cmd.tar.gz