Difference between revisions of "Tripwire"
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| Line 26: | Line 26: | ||
cd /etc/tripwire | cd /etc/tripwire | ||
| − | twadmin --create- | + | twadmin --create-cfgfile --cfgfile ./tw.cfg --site-keyfile ./site.key ./twcfg.txt |
Revision as of 07:23, 25 January 2011
Logika tripwire adalah membuat baseline database dari file yang ada di system. Jika file tersebut berubah maka tripwire akan mencatat atau memberitahukan administrator.
Instalasi tripwire
apt-get install tripwire
Enter site key passphrase Enter local key passphrase
Pastikan konfigurasi tripwire aman dan hanya bisa di akses oleh root saja.
cd /etc/tripwire chmod 0600 tw.cfg tw.pol
Edit Policy
vi /etc/tripwire/twpol.txt
cd /etc/tripwire twadmin --create-polfile --cfgfile ./tw.cfg --site-keyfile ./site.key ./twpol.txt
Edit Configurasi
vi /etc/tripwire/twcfg.txt
cd /etc/tripwire twadmin --create-cfgfile --cfgfile ./tw.cfg --site-keyfile ./site.key ./twcfg.txt
Inisialisasi Database
Inisialisasi baseline database
tripwire --init --cfgfile /etc/tripwire/tw.cfg \ --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key \ --local-keyfile /etc/tripwire/HOSTNAME-local.key
atau jika HOSTNAME anda adalah ubuntu maka
tripwire --init --cfgfile /etc/tripwire/tw.cfg \ --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key \ --local-keyfile /etc/tripwire/ubuntu-local.key
Ini akan membutuhkan waktu beberapa lama karena dia akan mencek seluruh harddisk.
Check System
Untuk mencek apakah terjadi perubahan file kita dapat melakukan
tripwire --check
Untuk server yang beroperasi 24/7 kita dapat menggunakan cron dan e-mail hasilnya ke administrator.
Updating the policy
If you update your policy, for example to exclude directories from the scan, then the tripwire command has a policy update mode which means that a change in policy does not require us to reinitialise the database. The policy update mode simply synchronises the existing database with the new policy file. The new policy file expected is the plain-text version - Tripwire will then ask for the local and site passphrases, synchronise the database and sign both the new policy file and the database.
[root@home /etc/tripwire]# tripwire --update-policy --cfgfile ./tw.cfg --polfile ./tw.pol \ --site-keyfile ./site.key --local-keyfile ./HOSTNAME-local.key ./twpol.txt
Regular Updates
You will also need to do regular updates to keep your database current with your file system. Do the checks and examine the before making updates. Perform updates regularly (determine your schedule) and also after making any major changes to the file architecture.
[root@home /etc/tripwire]# tripwire --update -Z low
This command will compare your database against your current file system and then launch an editor so that you can choose to make changes to your database.
If you try this command but get an error message about a missing report file, the reason is most likely that the last check was not run immediately prior to the update. The report file in the /var/lib/tripwire/report directory is named by hostname, then date (yyyymmdd) then time. If you have recently run a check and want the update to proceed using your most recent report file, then use the -r option and provide the report filename that you want the update to use.
[root@home /etc/tripwire]# tripwire --update -Z low --twrfile host-yyyymmdd-tttttt.twr
Local Manual
/usr/share/doc/tripwire/README.Debian
Referensi
- http://remoteadmin.org.uk/tutorials/42-linux/56-tripwire-ubuntu
- http://www.ubuntu-unleashed.com/2007/08/protecting-your-ubuntu-machine.html
- http://www.ubuntugeek.com/list-of-security-tools-available-in-ubuntu.html