Tripwire: updating the database

After a Tripwire check runs, it reports which files were added, changed, or removed.

To demonstrate this, I ran an operating system update (yum -y update), which of course produced many of these violations; see "Rule Summary" below (I trimmed part of the output, since it covered a few thousand files).

[root@Gaspar ~]# tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### Arquivo ou diretório não encontrado
### Continuing...
...
Wrote report file: /var/lib/tripwire/report/Gaspar.localdomain-20170719-065500.twr


Open Source Tripwire(R) 2.4.3.5 Integrity Check Report

Report generated by:          root
Report created on:            Qua 19 Jul 2017 06:55:00 -03
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    Gaspar.localdomain
Host IP address:              192.168.15.10
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/Gaspar.localdomain.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* User binaries                   66                0        0        30
  Tripwire Binaries               100               0        0        0
* Critical configuration files    100               0        0        5
* Libraries                       66                2905     3        320
* Operating System Utilities      100               0        0        1
* Critical system boot files      100               6        0        4
  File System and Disk Administraton Programs
                                  100               0        0        0
* Kernel Administration Programs  100               0        0        1
  Networking Programs             100               0        0        0
  System Administration Programs  100               0        0        0
  Hardware and Device Control Programs
                                  100               0        0        0
  System Information Programs     100               0        0        0
  Application Information Programs
                                  100               0        0        0
  Shell Related Programs          100               0        0        0
  Critical Utility Sym-Links      100               0        0        0
  Shell Binaries                  100               0        0        0
* Tripwire Data Files             100               1        0        0
* System boot changes             100               2902     0        1
  OS executables and libraries    100               0        0        0
  Security Control                100               0        0        0
  Login Scripts                   100               0        0        0
* Root config files               100               0        0        4
  Invariant Directories           66                0        0        0
  Temporary directories           33                0        0        0
  Critical devices                100               0        0        0

Total objects scanned:  50335
Total violations found:  6183

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/sbin)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/usr/sbin"
"/usr/sbin/build-locale-archive"
"/usr/sbin/glibc_post_upgrade.x86_64"
"/usr/sbin/iconvconfig"
"/usr/sbin/iconvconfig.x86_64"
"/usr/sbin/ldconfig"
"/usr/sbin/sln"
"/usr/sbin/zdump"
"/usr/sbin/zic"

-------------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib)
Severity Level: 66
-------------------------------------------------------------------------------

Added:
"/usr/lib/modules/3.10.0-514.26.2.el7.x86_64"
...

Modified:
"/usr/lib/locale"
"/usr/lib/locale/locale-archive"
"/usr/lib/locale/locale-archive.tmpl"
"/usr/lib/modules"
"/usr/lib/systemd/system"
"/usr/lib/systemd/system/cpupower.service"

-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/usr/bin"
"/usr/bin/catchsegv"
"/usr/bin/centrino-decode"
"/usr/bin/cpupower"
"/usr/bin/gencat"
"/usr/bin/getconf"
"/usr/bin/getent"
"/usr/bin/iconv"
"/usr/bin/ldd"
"/usr/bin/locale"
"/usr/bin/localedef"
"/usr/bin/makedb"
"/usr/bin/pldd"
"/usr/bin/powernow-k8-decode"
"/usr/bin/rpcgen"
"/usr/bin/sotruss"
"/usr/bin/sprof"
"/usr/bin/tmon"
"/usr/bin/turbostat"
"/usr/bin/tzselect"
"/usr/bin/x86_energy_perf_policy"

-------------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib64)
Severity Level: 66
-------------------------------------------------------------------------------

Added:
"/usr/lib64/mysql/libmysqlclient.so.20"
"/usr/lib64/mysql/libmysqlclient.so.20.3.6"
"/usr/lib64/mysql/libmysqlclient.so.18.1.0"
"/usr/lib64/mysql/libmysqlclient_r.so.18"
"/usr/lib64/mysql/libmysqlclient_r.so.18.1.0"

Removed:
"/usr/lib64/mysql/plugin/dialog.so"
"/usr/lib64/mysql/plugin/mysql_clear_password.so"
"/usr/lib64/mysql/libmysqlclient.so.18.0.0"

Modified:
"/usr/lib64"
...

-------------------------------------------------------------------------------
Rule Name: Kernel Administration Programs (/sbin/ldconfig)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/ldconfig"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/sbin/sln)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/sln"

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/Gaspar.localdomain.twd"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/log)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/log/sa/sar18"
"/var/log/sa/sa19"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/lib/modules)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/lib/modules/3.10.0-514.26.2.el7.x86_64"
...

Modified:
"/lib/modules"

-------------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc/sysconfig)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/etc/sysconfig"
"/etc/sysconfig/cpupower"

-------------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc/default)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/etc/default"
"/etc/default/nss"

-------------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc/rpc)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/etc/rpc"

-------------------------------------------------------------------------------
Rule Name: Critical system boot files (/boot)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/boot/.vmlinuz-3.10.0-514.26.2.el7.x86_64.hmac"
"/boot/System.map-3.10.0-514.26.2.el7.x86_64"
"/boot/config-3.10.0-514.26.2.el7.x86_64"
"/boot/symvers-3.10.0-514.26.2.el7.x86_64.gz"
"/boot/vmlinuz-3.10.0-514.26.2.el7.x86_64"
"/boot/initramfs-3.10.0-514.26.2.el7.x86_64.img"

Modified:
"/boot"
"/boot/grub2"
"/boot/grub2/grub.cfg"
"/boot/grub2/grubenv"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/root"
"/root/.cache/abrt"
"/root/.cache/abrt/lastnotification"
"/root/RADM-Diario.sh"

===============================================================================
Error Report:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

1.   File system error.
     Filename: /usr/sbin/fixrmtab
     Arquivo ou diretório não encontrado
...

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000-2017 Tripwire, Inc.  Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
[root@Gaspar ~]#

After reviewing the detected changes, we update the database. The command must be given the report file named earlier (in "Wrote report file").

[root@Gaspar ~]# tripwire --update --twrfile /var/lib/tripwire/report/Gaspar.localdomain-20170719-065500.twr
Please enter your local passphrase:
Wrote database file: /var/lib/tripwire/Gaspar.localdomain.twd
[root@Gaspar ~]#

This command opens the report in vi (by default), as in the image below.

Further down, note that the report states that the files marked with [X] will be updated in the database. If there is a suspicious file that should not have been changed, remove the X, and the violation will continue to be reported in the next check.

Since I ran a check right before updating the system, I know all these changes come from that operation.

When you finish the review, save the file. You will be asked for the passphrase set during Tripwire configuration in order to update the database.

Now a new check no longer reports the violations detected earlier; only Tripwire's own database has changed.

[root@Gaspar ~]# tripwire --check
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### Arquivo ou diretório não encontrado
### Continuing...
...
Wrote report file: /var/lib/tripwire/report/Gaspar.localdomain-20170719-070305.twr


Open Source Tripwire(R) 2.4.3.5 Integrity Check Report

Report generated by:          root
Report created on:            Qua 19 Jul 2017 07:03:05 -03
Database last updated on:     Qua 19 Jul 2017 07:00:04 -03

===============================================================================
Report Summary:
===============================================================================

Host name:                    Gaspar.localdomain
Host IP address:              192.168.15.10
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/Gaspar.localdomain.twd
Command line used:            tripwire --check

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  User binaries                   66                0        0        0
  Tripwire Binaries               100               0        0        0
  Critical configuration files    100               0        0        0
  Libraries                       66                0        0        0
  Operating System Utilities      100               0        0        0
  Critical system boot files      100               0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        0
  Kernel Administration Programs  100               0        0        0
  Networking Programs             100               0        0        0
  System Administration Programs  100               0        0        0
  Hardware and Device Control Programs
                                  100               0        0        0
  System Information Programs     100               0        0        0
  Application Information Programs
                                  100               0        0        0
  Shell Related Programs          100               0        0        0
  Critical Utility Sym-Links      100               0        0        0
  Shell Binaries                  100               0        0        0
* Tripwire Data Files             100               1        0        0
  System boot changes             100               0        0        0
  OS executables and libraries    100               0        0        0
  Security Control                100               0        0        0
  Login Scripts                   100               0        0        0
  Root config files               100               0        0        0
  Invariant Directories           66                0        0        0
  Temporary directories           33                0        0        0
  Critical devices                100               0        0        0

Total objects scanned:  50336
Total violations found:  1

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/Gaspar.localdomain.twd.bak"

===============================================================================
Error Report:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

1.   File system error.
     Filename: /usr/sbin/fixrmtab
     Arquivo ou diretório não encontrado
...

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000-2017 Tripwire, Inc.  Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
[root@Gaspar ~]#
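As an added example (not code from the original post or from the Tripwire project), the following bash script automates the triage step between the two commands above: it captures the output of tripwire --check, takes the report path from the "Wrote report file" line, lists the rules the Rule Summary flags with "*" (filtered by severity, so the severity-100 rules such as Critical system boot files are reviewed first), and prints the matching tripwire --update --twrfile command to run after the [X] review. The sample output embedded in the script is constructed from the first run above, with the "Hardware and Device Control Programs" row altered so that a flagged rule whose name wraps onto two lines is exercised; it runs offline on that sample and uses the real check output when tripwire is installed. The function names are my own.

```bash
#!/bin/bash
# Added example, not code from the original post: triage a "tripwire --check"
# run before deciding what to accept with "tripwire --update".
# Assumed layout: the "Wrote report file:" line and the Rule Summary table
# look as in the post's output (flagged rules start with "* "; a long rule
# name may wrap, with its four numbers on the following line).
set -u

# Constructed sample of "tripwire --check" output, abridged from the post's
# first run; the "Hardware and Device Control Programs" row was altered to
# show a flagged rule whose name wraps onto two lines.
SAMPLE_CHECK_OUTPUT='Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/Gaspar.localdomain-20170719-065500.twr

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* User binaries                   66                0        0        30
  Tripwire Binaries               100               0        0        0
* Critical configuration files    100               0        0        5
* Libraries                       66                2905     3        320
* Critical system boot files      100               6        0        4
  File System and Disk Administraton Programs
                                  100               0        0        0
* Hardware and Device Control Programs
                                  100               1        0        0
* Root config files               100               0        0        4
  Temporary directories           33                0        0        0

Total objects scanned:  50335
Total violations found:  6183'

# report_path_from_check OUTPUT: print the .twr path that tripwire wrote.
report_path_from_check() {
    printf '%s\n' "$1" | sed -n 's/^Wrote report file: *//p' | head -n 1
}

# total_violations OUTPUT: print the "Total violations found" count.
total_violations() {
    printf '%s\n' "$1" | sed -n 's/^Total violations found: *//p'
}

# violated_rules OUTPUT MIN_SEVERITY: print "severity<TAB>rule name" for each
# rule flagged with "*" whose severity is at least MIN_SEVERITY.
violated_rules() {
    printf '%s\n' "$1" | awk -v min="$2" '
        function emit(sev, name) {
            if (sev + 0 >= min + 0) printf "%s\t%s\n", sev, name
        }
        /^\* / {
            name = $0
            sub(/^\* +/, "", name)
            if ($NF ~ /^[0-9]+$/) {
                # single-line row: last four fields are Severity Added Removed Modified
                sub(/ +[0-9]+ +[0-9]+ +[0-9]+ +[0-9]+ *$/, "", name)
                emit($(NF - 3), name)
            } else {
                pending = name      # wrapped row: the numbers come on the next line
            }
            next
        }
        pending != "" { emit($1, pending); pending = "" }
    '
}

# run_and_triage: use the real check when tripwire is installed, otherwise the
# sample above; list severity-100 changes first and print the update command
# to run once the [X] marks in the report have been reviewed.
run_and_triage() {
    local out report
    if command -v tripwire >/dev/null 2>&1; then
        out=$(tripwire --check 2>&1 || true)   # non-zero exit just means violations
    else
        out=$SAMPLE_CHECK_OUTPUT
    fi
    report=$(report_path_from_check "$out")
    echo "Report: $report (violations: $(total_violations "$out"))"
    echo "Severity 100 rules with changes, review these first:"
    violated_rules "$out" 100
    echo "Lower-severity rules with changes:"
    violated_rules "$out" 0 | awk -F'\t' '$1 + 0 < 100'
    echo "After reviewing the [X] marks, accept the remaining changes with:"
    echo "  tripwire --update --twrfile $report"
}

run_and_triage
```

The script only reads the check output; it never runs the update itself, so the decision of which [X] marks to keep stays with the person reviewing the report in vi. On the sample it reports four severity-100 rules (including the wrapped one) and two at severity 66.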
