４：tripwireの設定

先ずはインストールだがEPELを有効にしておく事（ここの最後を参照）
参考（https://centossrv.com/tripwire.shtml）
# dnf -y install tripwire　　　インストール
# tripwire-setup-keyfiles　　設定ファイルを作成
表示が出た後
Enter the site keyfile passphrase:　　ここで自分で決めたサイトPWを入力
Verify the site keyfile passphrase:　　再度入力
少しして
Enter the local keyfile passphrase:　　ここで自分で決めたローカルPWを入力
Verify the local keyfile passphrase:　　再度入力 する
少しして
Please enter your site passphrase: 　　
となるので、サイトPWを入力 再度聞いてくる、
Please enter your site passphrase: 　　となるので、サイトPWを入力 これで終了
# gedit /etc/tripwire/twcfg.txt   　　設定の修正
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =true　　　　trueに変更
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =4　　　　　　　　　　　　　4に変更
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
で保存しておく、次にTripwire設定ファイル(暗号署名版)作成
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
site passphraseを聞いてくるので入力。その後設定ファイルを削除
# rm -f /etc/tripwire/twcfg.txt
ポリシーファイル最適化スクリプト作成
# gedit /etc/tripwire/twpolmake.pl

#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#    perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;

# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new　←　ポリシーファイル最適化
# echo ! “/var/lib/tripwire/`hostname`.twd ;” >> /etc/tripwire/twpol.txt.new　←　Tripwireデータベース自体をチェック対象外にする
# echo ! “/tmp/tripwire.log ;” >> /etc/tripwire/twpol.txt.new　←　Tripwireログをチェック対象外にする
最適化済ポリシーファイルを元にポリシーファイル(暗号署名版)作成
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
site passphraseを聞いてくるので入力。そしてポリシーファイル(テキスト版)削除
# rm -f /etc/tripwire/twpol.txt*
Tripwireデータベース作成
# tripwire -m i -s -c /etc/tripwire/tw.cfg
local passphraseを聞いてくるので入力 。少し時間がかかる
Tripwireチェック実行
# tripwire -m c -s -c /etc/tripwire/tw.cfg　これも少し時間がかかる

Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Report created on:            2023年01月17日 05時40分21秒
Database last updated on:     Never

=========================================================================
Report Summary:
=========================================================================

Host name:                    kvm5.inpac.jp
Host IP address:              133.149.213.105
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/kvm5.inpac.jp.twd
Command line used:            tripwire -m c -s -c /etc/tripwire/tw.cfg 

=========================================================================
Rule Summary: 
=========================================================================

-------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------

  Rule Name                   Severity Level    Added    Removed Modified 
  ---------                       --------------    -----    -------  ---
  User binaries                   66                0        0        0        
  Tripwire Binaries               100               0        0        0        
  Libraries                       66                0        0        0        
  Operating System Utilities      100               0        0        0        
  File System and Disk Administraton Programs
                                  100               0        0        0        
  Kernel Administration Programs  100               0        0        0        
  Networking Programs             100               0        0        0        
  System Administration Programs  100               0        0        0        
  Hardware and Device Control Programs
                                  100               0        0        0        
  System Information Programs     100               0        0        0        
  (/sbin/runlevel)
  Application Information Programs
                                  100               0        0        0        
  (/sbin/rtmon)
  Critical Utility Sym-Links      100               0        0        0        
  Shell Binaries                  100               0        0        0        
  Critical system boot files      100               0        0        0        
* Tripwire Data Files             100               1        0        0        
  System boot changes             100               0        0        0        
  OS executables and libraries    100               0        0        0        
  Security Control                100               0        0        0        
  Login Scripts                   100               0        0        0        
  Critical configuration files    100               0        0        0        
* Root config files               100               0        0        1        
  Invariant Directories           66                0        0        0        
  Temporary directories           33                0        0        0        
  Critical devices                100               0        0        0        
  (/proc/kcore)

Total objects scanned:  44064
Total violations found:  2

=========================================================================
Object Summary: 
=========================================================================
# Section: Unix File System
-------------------------------------------------------------------------

-------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------

Added:
"/var/lib/tripwire/kvm5.inpac.jp.twd"

-------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------

Modified:
"/root/.local/share/gnome-shell/application_state"

=========================================================================
Error Report: 
=========================================================================

No Errors

-------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc.  Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.

ある一定の時間を過ぎたファイルやディレクトリを削除したい時などに tmpwatch をインストールする
# dnf install tmpwatch
そして、tripwireを定期的に走らせるスクリプトを作成する
# gedit tripwire.sh

#!/bin/bash

# 既存のTripwire定期自動実行設定削除
rm -f /etc/cron.daily/tripwire-check

# パスフレーズ設定
LOCALPASS=xxxxxxx    # ローカルパスフレーズ
SITEPASS=xxxxxxxx      # サイトパスフレーズ

TRIPWIRE=/usr/sbin/tripwire
TWADMIN=/usr/sbin/twadmin
TWPRINT=/usr/sbin/twprint
cd /etc/tripwire

# Tripwireチェック実行
# ※ファイル変更を検知した場合のみroot宛にサマリをメールする
rm -f /var/lib/tripwire/report/`hostname`-`date +%Y%m%d`-*.twr
${TRIPWIRE} -m c -s -c tw.cfg > /tmp/tripwire.log
if [ $(grep "Total violations found" /tmp/tripwire.log | awk '{print $4}') -ne 0 ]; then
${TWPRINT} -m r --report-level 1 -c tw.cfg -r /var/lib/tripwire/report/`hostname`-`date +%Y%m%d`-*.twr | \
mail -s "Tripwire Integrity Check Report from `hostname`" root
fi

# Tripwireチェック実行結果（過去分）削除
# ※過去90日分保管
tmpwatch -m 2160 /var/lib/tripwire/report

# ポリシーファイル最新化
${TWADMIN} -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
${TWADMIN} -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak

# データベース最新化
rm -f /var/lib/tripwire/*.twd*
${TRIPWIRE} -m i -s -c tw.cfg -P $LOCALPASS

これを /rootに保存し、/etc/cron.d に tripwire.sh を定時に走らせる設定を作る。
# echo “15 4 * * * root /root/tripwire.sh” > /etc/cron.d/tripwire
これで毎日4時15分に tripwire.shが動き、ファイルの変更があった時にメールが送られてくる(と言っても毎日何らかの変更があるので(log等)毎日送られて来るが。