Contents
Suricata インストール
SURICATA IDS/IPSはネットワーク上の通信を監視し、不審なトラフィックを検知するオープンソースのIDSです。基本的な仕組みはシグネチャ型であるため、あらかじめ設定した不正な通信を検知できます。また、Suricataは検知だけでなく防御も行えることが特徴です。
1.事前準備
①EPEL リポジトリをシステム上で有効化する
1 |
# dnf -y install epel-release |
②システムのアップデート
1 |
# dnf update -y |
2.Suricata のインストールと設定
①Suricata のインストール
1 2 3 4 5 |
# dnf install suricata バージョンの確認 # suricata -V This is Suricata version 6.0.12 RELEASE |
②Suricataがネットワークパケットを検査するインターフェースとIPアドレスを決定
1 2 3 |
# ip --brief add lo UNKNOWN 127.0.0.1/8 ::1/128 ens160 UP 192.168.11.83/24 fe80::xxx:xxxx:xxxx:xxx/xx |
③設定ファイルを編集
1 2 3 4 5 6 7 8 9 |
# vi /etc/suricata/suricata.yaml # 15行目 : varsセクションで、ネットワークを定義する HOME_NET: "[192.168.11.0/24]" EXTRNAL_NET: "!$HOME_NET" # 589行目 : af-packetセクションのインターフェース名を設定 af-packet: - interface: ens160 |
1 2 3 4 5 |
# vi /etc/sysconfig/suricata # 8行目 :インターフェイスを指定 # Add options to be passed to the daemon OPTIONS="-i ens160 --user suricata " |
④Suricataのルール更新
1 |
# suricata-update |
⑤Suricataの起動
1 2 |
# systemctl enable --now suricata Created symlink /etc/systemd/system/multiuser.target.wants/suricata.service → /usr/lib/systemd/system/suricata.service. |
⑥Suricataの起動確認
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# systemctl status suricata ● suricata.service - Suricata Intrusion Detection Service Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset:> Active: active (running) since Sun 2023-05-28 08:54:30 JST; 7s ago Docs: man:suricata(1) Process: 4854 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, s> Main PID: 4855 (Suricata-Main) Tasks: 1 (limit: 22993) Memory: 229.1M CPU: 7.894s CGroup: /system.slice/suricata.service mq4855 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /va> May 28 08:54:30 Lepard systemd[1]: Starting Suricata Intrusion Detection Servic> May 28 08:54:30 Lepard systemd[1]: Started Suricata Intrusion Detection Servic |
ログを確認
1 2 3 4 5 6 7 8 9 10 11 |
# tail /var/log/suricata/suricata.log 28/5/2023 -- 08:54:30 - <Info> - stats output device (regular) initialized: stats.log 28/5/2023 -- 08:54:30 - <Info> - Running in live mode, activating unix socket 28/5/2023 -- 08:54:41 - <Info> - 1 rule files processed. 33831 rules successfully loaded, 0 rules failed 28/5/2023 -- 08:54:41 - <Info> - Threshold config parsed: 0 rule(s) found 28/5/2023 -- 08:54:42 - <Info> - 33834 signatures processed. 1246 are IP-only rules, 5200 are inspecting packet payload, 27181 inspect application layer, 108 are decoder event only 28/5/2023 -- 08:54:49 - <Info> - Going to use 2 thread(s) 28/5/2023 -- 08:54:49 - <Info> - Running in live mode, activating unix socket 28/5/2023 -- 08:54:49 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket' 28/5/2023 -- 08:54:49 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started. 28/5/2023 -- 08:54:49 - <Info> - All AFP capture threads are running. |
統計情報を確認するには、stats.log ファイルを確認します(デフォルトで8秒ごとに更新)
1 |
# tail -f /var/log/suricata/stats.log |
より高度な出力であるEVE JSONは、以下のコマンドで生成することができる
1 |
# tail -f /var/log/suricata/eve.json |
3.Suricata のテスト
①curl ユーティリティで ping テストを実行
1 2 |
# curl http://testmynids.org/uid/index.html uid=0(root) gid=0(root) groups=0(root) |
②ログに記録されたかどうかを調べるため、アラートログを確認
1 2 3 |
# cat /var/log/suricata/fast.log 05/28/2023-09:02:35.229044 [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.83:55648 -> 18.65.159.104:80 05/28/2023-09:02:35.242726 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.65.159.104:80 -> 192.168.11.83:55648 |
4.Suricata Rulesの設定
①Suricataにパッケージされているルールセットの表示
1 2 3 4 5 6 |
# ls -al /var/lib/suricata/rules/ total 24520 drwxr-s--- 2 root suricata 57 May 28 08:51 . drwxrws--- 4 suricata suricata 33 May 28 08:51 .. -rw-r--r-- 1 root suricata 3228 May 28 08:51 classification.config -rw-r--r-- 1 root suricata 25102338 May 28 08:51 suricata.rules |
②ルールセットを提供するソースのインデックス一覧
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
# suricata-update list-sources Name: et/open Vendor: Proofpoint Summary: Emerging Threats Open Ruleset License: MIT Name: et/pro Vendor: Proofpoint Summary: Emerging Threats Pro Ruleset License: Commercial Replaces: et/open Parameters: secret-code Subscription: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset Name: oisf/trafficid Vendor: OISF Summary: Suricata Traffic ID ruleset License: MIT Name: scwx/enhanced Vendor: Secureworks Summary: Secureworks suricata-enhanced ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/malware Vendor: Secureworks Summary: Secureworks suricata-malware ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: scwx/security Vendor: Secureworks Summary: Secureworks suricata-security ruleset License: Commercial Parameters: secret-code Subscription: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) Name: sslbl/ssl-fp-blacklist Vendor: Abuse.ch Summary: Abuse.ch SSL Blacklist License: Non-Commercial Name: sslbl/ja3-fingerprints Vendor: Abuse.ch Summary: Abuse.ch Suricata JA3 Fingerprint Ruleset License: Non-Commercial Name: etnetera/aggressive Vendor: Etnetera a.s. Summary: Etnetera aggressive IP blacklist License: MIT Name: tgreen/hunting Vendor: tgreen Summary: Threat hunting rules License: GPLv3 Name: malsilo/win-malware Vendor: malsilo Summary: Commodity malware rules License: MIT Name: stamus/lateral Vendor: Stamus Networks Summary: Lateral movement rules License: GPL-3.0-only |
③ソースを有効にする(et/openを有効にする場合)
1 2 3 4 5 6 7 |
# suricata-update enable-source et/open 28/5/2023 -- 09:04:33 - <Info> -- Using data-directory /var/lib/suricata. 28/5/2023 -- 09:04:33 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml 28/5/2023 -- 09:04:33 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules. 28/5/2023 -- 09:04:33 - <Info> -- Found Suricata version 6.0.12 at /usr/sbin/suricata. 28/5/2023 -- 09:04:33 - <Info> -- Creating directory /var/lib/suricata/update/sources 28/5/2023 -- 09:04:33 - <Info> -- Source et/open enabled |
アップデートを実行
1 |
# suricata-update |
Suricata service再起動
1 |
# systemctl restart suricata |
5.Suricata Custom Rulesの作成
①カスタマールールを含むファイルを作成
1 2 3 |
# vi /etc/suricata/rules/local.rules 下記内容を記載 alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; sid:1; rev:1;) |
②設定ファイルを編集(新しいルールのパスを定義)
1 2 3 4 5 6 7 8 |
# vi /etc/suricata/suricata.yaml # 1932行目あたりに追記 default-rule-path: /var/lib/suricata/rules rule-files: - suricata.rules - /etc/suricata/rules/local.rules |
③設定ファイルのテスト
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# suricata -T -c /etc/suricata/suricata.yaml -v 28/5/2023 -- 09:08:07 - <Info> - Running suricata under test mode 28/5/2023 -- 09:08:07 - <Notice> - This is Suricata version 6.0.12 RELEASE running in SYSTEM mode 28/5/2023 -- 09:08:07 - <Info> - CPUs/cores online: 2 28/5/2023 -- 09:08:07 - <Info> - Setting engine mode to IDS mode by default 28/5/2023 -- 09:08:07 - <Info> - fast output device (regular) initialized: fast.log 28/5/2023 -- 09:08:07 - <Info> - eve-log output device (regular) initialized: eve.json 28/5/2023 -- 09:08:07 - <Info> - stats output device (regular) initialized: stats.log 28/5/2023 -- 09:08:19 - <Info> - 2 rule files processed. 33832 rules successfully loaded, 0 rules failed 28/5/2023 -- 09:08:19 - <Info> - Threshold config parsed: 0 rule(s) found 28/5/2023 -- 09:08:19 - <Info> - 33835 signatures processed. 1247 are IP-only rules, 5200 are inspecting packet payload, 27181 inspect application layer, 108 are decoder event only 28/5/2023 -- 09:08:27 - <Notice> - Configuration provided was successfully loaded. Exiting. 28/5/2023 -- 09:08:27 - <Info> - cleaning up signature grouping structure... complete |
Suricat service再起動
1 |
# systemctl restart suricata |
④Custom Rulesの適用テスト
同一ローカルネットワーク上の別のデバイスでpingを実行し、ログに記録されたかどうかを確認する
1 2 3 4 |
# cat /var/log/suricata/fast.log 05/28/2023-09:02:35.229044 [**] [1:2013028:7] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.11.83:55648 -> 18.65.159.104:80 05/28/2023-09:02:35.242726 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 18.65.159.104:80 -> 192.168.11.83:55648 |
JSON形式のログを取得するには、システムにjqをインストールする
1 |
# dnf install jq |
1 |
# systemctl restart suricata |
下記コマンドを実行し、同一ローカルネットワーク上の別のデバイスでpingを実行する
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 |
# tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")' pingを実行するとコンソールに下記のように表示される { "timestamp": "2023-05-28T09:10:34.895931+0900", "flow_id": 1466544969919419, "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.22", "src_port": 0, "dest_ip": "192.168.11.83", "dest_port": 0, "proto": "ICMP", "icmp_type": 8, "icmp_code": 0, "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "flow": { "pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 74, "bytes_toclient": 0, "start": "2023-05-28T09:10:34.895931+0900" } } { "timestamp": "2023-05-28T09:10:34.896018+0900", "flow_id": 1466544969919419, "in_iface": "ens160", "event_type": "alert", "src_ip": "192.168.11.83", "src_port": 0, "dest_ip": "192.168.11.22", "dest_port": 0, "proto": "ICMP", "icmp_type": 0, "icmp_code": 0, "alert": { "action": "allowed", "gid": 1, "signature_id": 1, "rev": 1, "signature": "ICMP Ping", "category": "", "severity": 3 }, "flow": { "pkts_toserver": 1, "pkts_toclient": 1, "bytes_toserver": 74, "bytes_toclient": 74, "start": "2023-05-28T09:10:34.895931+0900" } } |
Tripwire
1.インストール
1 |
# dnf install -y tripwire |
2.パスフレーズ設定
サイトパスフレーズとローカルパスフレーズを設定する
1 |
# tripwire-setup-keyfiles |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
---------------------------------------------- The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files. Passphrases should be at least 8 characters in length and contain both letters and numbers. See the Tripwire manual for more information. ---------------------------------------------- Creating key files... (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the site keyfile passphrase: ←任意の「サイトパスフレーズ」を入力 Verify the site keyfile passphrase: ←再度「サイトパスフレーズ」を入力 Generating key (this may take several minutes)...Key generation complete. (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the local keyfile passphrase: ←任意の「ローカルパスフレーズ」を入力 Verify the local keyfile passphrase: ←再度「ローカルパスフレーズ」を入力 Generating key (this may take several minutes)...Key generation complete. ---------------------------------------------- Signing configuration file... Please enter your site passphrase: ←「サイトパスフレーズ」を入力 Wrote configuration file: /etc/tripwire/tw.cfg A clear-text version of the Tripwire configuration file: /etc/tripwire/twcfg.txt has been preserved for your inspection. It is recommended that you move this file to a secure location and/or encrypt it in place (using a tool such as GPG, for example) after you have examined it. ---------------------------------------------- Signing policy file... Please enter your site passphrase: ←「サイトパスフレーズ」を入力 Wrote policy file: /etc/tripwire/tw.pol A clear-text version of the Tripwire policy file: /etc/tripwire/twpol.txt ~中略~ default values from the current configuration file are used. |
3.Tripwire の設定
①設定ファイル編集
1 2 3 4 5 6 7 8 |
# vi /etc/tripwire/twcfg.txt ●9 行目あたり 行頭に「#」を追加し、その下の行に「LOOSEDIRECTORYCHECKING =true」を追加します。 ●12 行目あたり 行頭に「#」を追加し、その下の行に「REPORTLEVEL =4」を追加します。 レベル4 にすることで「0 」~「4 」までの5 段階中、最も詳細なレポートが表示されます。 #REPORTLEVEL =3 REPORTLEVEL =4 |
②Tripwire 設定ファイル(暗号署名版)を作成
1 2 3 |
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt Please enter your site passphrase: ←サイトパスフレーズを入力 Wrote configuration file: /etc/tripwire/tw.cfg |
③Tripwire 設定ファイル(テキスト版)削除
1 |
# rm -f /etc/tripwire/twcfg.txt |
④ポリシーファイル設定
1 2 |
# cd /etc/tripwire/ # vi twpolmake.pl |
twpolmake.plの内容
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
#!/usr/bin/perl # Tripwire Policy File customize tool # $POLFILE=$ARGV[0]; open(POL,"$POLFILE") or die "open error: $POLFILE" ; my($myhost,$thost) ; my($sharp,$tpath,$cond) ; my($INRULE) = 0 ; while (<POL>) { chomp; if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) { $myhost = `hostname` ; chomp($myhost) ; if ($thost ne $myhost) { $_="HOSTNAME=\"$myhost\";" ; } } elsif ( /^{/ ) { $INRULE=1 ; } elsif ( /^}/ ) { $INRULE=0 ; } elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) { $ret = ($sharp =~ s/\#//g) ; if ($tpath eq '/sbin/e2fsadm' ) { $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ; } if (! -s $tpath) { $_ = "$sharp#$tpath$cond" if ($ret == 0) ; } else { $_ = "$sharp$tpath$cond" ; } } print "$_\n" ; } close(POL) ; |
⑤ポリシーファイル最適化
1 |
# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new |
⑥最適化済ポリシーファイルを元に、ポリシーファイル(暗号署名版)作成
1 2 3 |
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new Please enter your site passphrase: ←サイトパスフレーズを入力 Wrote policy file: /etc/tripwire/tw.pol |
⑦データベースを作成、動作確認
1 2 |
# tripwire -m i -s -c /etc/tripwire/tw.cfg Please enter your local passphrase: ←ローカルパスフレーズを入力 |
テスト用ファイルを作成
1 |
# echo test > /root/test.txt |
Tripwire の動作確認
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 |
# tripwire -m c -s -c /etc/tripwire/tw.cfg 下記のように表示されればOK Open Source Tripwire(R) 2.4.3.7 Integrity Check Report Report generated by: root Report created on: Sun 28 May 2023 09:28:42 AM JST Database last updated on: Never =============================================================================== Report Summary: =============================================================================== Host name: Lepard Host IP address: 192.168.11.83 Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/Lepard.twd Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg =============================================================================== Rule Summary: =============================================================================== ------------------------------------------------------------------------------- Section: Unix File System ------------------------------------------------------------------------------- Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- User binaries 66 0 0 0 Tripwire Binaries 100 0 0 0 Libraries 66 0 0 0 Operating System Utilities 100 0 0 0 File System and Disk Administraton Programs 100 0 0 0 Kernel Administration Programs 100 0 0 0 Networking Programs 100 0 0 0 System Administration Programs 100 0 0 0 Hardware and Device Control Programs 100 0 0 0 System Information Programs 100 0 0 0 (/sbin/runlevel) Application Information Programs 100 0 0 0 (/sbin/rtmon) Critical Utility Sym-Links 100 0 0 0 Shell Binaries 100 0 0 0 Critical system boot files 100 0 0 0 * Tripwire Data Files 100 1 0 0 System boot changes 100 0 0 0 OS executables and libraries 100 0 0 0 Security Control 100 0 0 0 Login Scripts 100 0 0 0 Critical configuration files 100 0 0 0 * Root config files 100 1 0 0 Invariant Directories 66 0 0 0 Temporary directories 33 0 0 0 Critical devices 100 0 0 0 (/proc/kcore) Total objects scanned: 33118 Total violations found: 2 =============================================================================== Object Summary: =============================================================================== ------------------------------------------------------------------------------- # Section: Unix File System ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Rule Name: Tripwire Data Files (/var/lib/tripwire) Severity Level: 100 ------------------------------------------------------------------------------- Added: "/var/lib/tripwire/Lepard.twd" ------------------------------------------------------------------------------- Rule Name: Root config files (/root) Severity Level: 100 ------------------------------------------------------------------------------- Added: "/root/test.txt" =============================================================================== Error Report: =============================================================================== No Errors ------------------------------------------------------------------------------- *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. |
テスト用ファイルを削除
1 |
# rm -f /root/test.txt |
⑧Tripwire 定期実行スクリプト
1 2 |
# cd /var/www/system # vi tripwire.sh |
tripwire.shの内容
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # パスフレーズ設定 LOCALPASS= ←ローカルパスフレーズ SITEPASS= ←サイトパスフレーズ cd /etc/tripwire # Tripwireチェック実行 tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root # ポリシーファイル最新化 twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # データベース最新化 rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
⑨Tripwire 自動実行スクリプト実行設定
1 2 3 4 5 |
# chmod 700 tripwire.sh cron に追加 # crontab -e 0 3 * * * /var/www/system/tripwire.sh |
参考: メールで結果報告用スクリプト
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # パスフレーズ設定 LOCALPASS=xxxxx # ローカルキーパスフレーズ SITEPASS=xxxxx # サイトキーパスフレーズ #通知先メールアドレス指定 MAIL="<your mailaddress> " cd /etc/tripwire # Tripwireチェック実行 tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL # ポリシーファイル最新化 twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # データベース最新化 rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
下記コマンドを実行し、指定したメールアドレスにtripwire実行結果が通知されることを確認
1 |
# /var/www/system/tripwire.sh |
Chkrootkit インストール
① ダウンロード、インストール
1 2 3 |
# cd /usr/local/src # wget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz # tar xvf chkrootkit.tar.gz |
➁/root/bin ディレクトリを作成し、そのディレクトリにchkrootkit コマンドを移動
1 2 |
# mkdir -p /root/bin # mv chkrootkit-0.57/chkrootkit /root/bin |
➂chkrootkit を確認
1 |
# chkrootkit | grep INFECTED |
何も表示されなければ問題ありません
Checking `chsh'... INFECTED
上記の表示が出る場合はおそらく誤検知だと思います。
④chkrootkit 定期実行スクリプトの作成と権限変更
chkrootkit実行スクリプトを毎日自動実行されるディレクトリへ作成
1 |
# vi /etc/cron.daily/chkrootkit |
定期実行スクリプトの内容
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
#!/bin/bash PATH=/usr/bin:/bin:/root/bin LOG=/tmp/$(basename ${0}) # chkrootkit実行 chkrootkit > $LOG 2>&1 # ログ出力 cat $LOG | logger -t $(basename ${0}) # SMTPSのbindshell誤検知対応 if [ ! -z "$(grep 465 $LOG)" ] && \ [ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then sed -i '/465/d' $LOG fi # upstartパッケージ更新時のSuckit誤検知対応 if [ ! -z "$(grep Suckit $LOG)" ] && \ [ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then sed -i '/Suckit/d' $LOG fi # rootkit検知時のみroot宛メール送信 [ ! -z "$(grep INFECTED $LOG)" ] && \ grep INFECTED $LOG | mail -s "chkrootkit report in `hostname`" root |
chkrootkit実行スクリプトへ実行権限付加
1 |
# chmod 700 /etc/cron.daily/chkrootkit |
⑥chkrootkit が使用するコマンドをバックアップ
chkrootkit が使用するコマンドが改ざんされた場合、rootkit を検出できなくなるので、これらのコマンドをバックアップしておきます。
必要な場合は、バックアップしたコマンドを使用してchkrootkit を実行します
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# cd /root # mkdir /root/chkrootkit_cmd # cp `which --skip-alias awk cut echo egrep grep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/ # ls -l /root/chkrootkit_cmd/ total 2616 -rwxr-xr-x 1 root root 714968 May 28 09:48 awk -rwxr-xr-x 1 root root 48760 May 28 09:48 cut -rwxr-xr-x 1 root root 36144 May 28 09:48 echo -rwxr-xr-x 1 root root 32 May 28 09:48 egrep -rwxr-xr-x 1 root root 292760 May 28 09:48 find -rwxr-xr-x 1 root root 44648 May 28 09:48 head -rwxr-xr-x 1 root root 40472 May 28 09:48 id -rwxr-xr-x 1 root root 140760 May 28 09:48 ls -rwxr-xr-x 1 root root 161624 May 28 09:48 netstat -rwxr-xr-x 1 root root 144432 May 28 09:48 ps -rwxr-xr-x 1 root root 116736 May 28 09:48 sed -rwxr-xr-x 1 root root 851208 May 28 09:48 ssh -rwxr-xr-x 1 root root 32504 May 28 09:48 strings -rwxr-xr-x 1 root root 32232 May 28 09:48 uname |
⑦コピーしたコマンドにchkrootkit を実行
1 |
# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED |
何も表示されなければ問題ありません
⑧バックアップしたコマンドを圧縮
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd chkrootkit_cmd/ chkrootkit_cmd/awk chkrootkit_cmd/cut chkrootkit_cmd/echo chkrootkit_cmd/egrep chkrootkit_cmd/find chkrootkit_cmd/head chkrootkit_cmd/id chkrootkit_cmd/ls chkrootkit_cmd/netstat chkrootkit_cmd/ps chkrootkit_cmd/strings chkrootkit_cmd/sed chkrootkit_cmd/ssh chkrootkit_cmd/uname chkrootkit_cmd/grep |
1 2 3 4 5 6 7 8 9 |
# ls -l total 1280 -rw-------. 1 root root 1201 May 24 22:46 anaconda-ks.cfg drwxr-xr-x 2 root root 24 May 28 09:41 bin drwxr-xr-x 2 root root 184 May 28 09:52 chkrootkit_cmd -rw-r--r-- 1 root root 1296351 May 28 09:53 chkrootkit_cmd.tar.gz -rw------- 1 root root 4683 May 28 09:32 dead.letter drwx------ 5 root root 39 May 28 09:42 Maildir drwx------ 3 root root 21 May 27 16:27 snap |
⑨chkrootkit使用コマンド(圧縮版)をroot宛にメール送信
1 |
# echo|mail -a chkrootkit_cmd.tar.gz -s chkrootkit_cmd.tar.gz root |
⑩Windows にchkrootkit_cmd.tar.gz ファイルをダウンロードして退避
⑪バックアップしたサーバー上のコマンドを削除
1 |
# rm -f chkrootkit_cmd.tar.gz |