5.       如何要求 tripwire 监控某些文件呢？Red Hat 所附的 twpol.txt 已把重要的配置文件与程序行入监控的范围，你可以找到如附 图内的这一段：(

（

  rulename = "Security Control",

  severity = $(SIG_HI)

)

{

 /etc/group                           -> $(SEC_CRIT) ;

 /etc/security                         -> $(SEC_CRIT) ;

}

这一段把 /etc/group 以及 /etc/security 这两个对象纳入 『Security Control』这一组，警戒程度为由 SIG_HI 这个变量定义， 值为 100(稍后会介绍)。而 tripwire 会监控 /etc/group 及 /etc/security 的哪些项目呢？则由 SEC_CRIT 这个变量来定义。

6.       从 twpol.txt 的前端往后浏览，可以找到如附图的这一段：

@@section FS

SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change

SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set

SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change

SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often

SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership

SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership

SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact

SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact

SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability

你可以发现 SIG_HI 的值就如上一点所提的，为 100。 而 tripwire 会监控 /etc/group 的哪些项目是由 SEC_CRIT 所定义； 在此处你发现 SEC_CRIT 等于『$(IgnoreNone)-SHa』，究竟是哪些项目？

要解开这个谜，必须先找出 IgnoreNone 的变量究竟定义为何。 但找遍 twpol.txt 还是解不开，原来 IgnoreNone 跟下面的 ReadOnly, Dynamic, Growing 等均为 tripwire 预先定义好的变量， 在 twpolicy 的 man page 中『Variables』一节内可以找到如附图的内容：    

ReadOnly       ReadOnly is good for files that are widely                      available but are intended to be read-only.                      Value: +pinugtsdbmCM-rlacSH

Dynamic        Dynamic is good for monitoring user direc-                      tories and files that tend to be dynamic in                     behavior.  value: +pinugtd-srlbamcCMSH

Growing        The Growing variable is intended for files                      that should only get larger.  Value: +pinugtdl-srbamcCMSH

 Device         Device is good for devices or other files                      that Tripwire should not attempt to open.                      Value: +pugsdr-intlbamcCMSH

IgnoreAll      IgnoreAll tracks a file''''s presence or                      absence, but doesn''''t check any other prop-                      erties.  Value: -pinugtsdrlbamcCMSH

IgnoreNone     IgnoreNone turns on all properties and pro-vides a convenient starting point for                      defining your own property masks.                      (For example, mymask = $(IgnoreNone) -ar;)                      Value: +pinugtsdrbamcCMSH-l

从上面得知『IgnoreNone』的值为『+pinugtsdrbamcCMSH-l』， 其中『+』后所列的是要监控的项目，而『-』后所列的则为不监控的项目。那么『$(IgnoreNone)-SHa』呢？就是把 IgnoreNone 内原本列入监控的 SHa 项目改列为不监控。

你可以按照需求来修改这个文件。。

7.       接着在 在 /etc/tripwire 内执行 ./twinstall.sh。 执行过程中会要求你设定两个密码(pass phrase)：

§         site pass phrase ：加密 twpol.txt 及 twcfg.txt 时用。

§        

上一页  [1] [2] [3] [4] [5] [6]  下一页