渗透提权-Tripwire检查系统完整性（二）

1.1 实验环境

1.2 Tripwire介绍

Tripwire是目前最为著名的unix下文件系统完整性检查的软件工具，这一软件采用的技术核心就是对每个要监控的文件产生一个数字签名保留下来，当文件现在的数字签名与保留的数字签名不一致时，那么现在这个文件必定被改动过了。

Tripwire可以对要求校验的系统文件进行类似md5的运行，而生成一个唯一的标识，即"快照”snapshot，当这些系统文件的大小inode号、权限、时间等任意属性被修改后，再次运行Tripwire其会进行前后属性的对比，并生成相关的详细报告。

1.3 安装Tripwire

[[email protected] ~]# yum install -y tripwire

1.4 配置Tripwire

1.4.1 生成秘钥文件

为Tripwire生成一个站点(site) 密钥和一个本地(local) 密钥，这可以帮助保护Tripwire免受未经授权的访问。本地密钥用于数据库文件，站点密钥用于配置文件和策略文件，需要记住自己给出的密码，因为您更新策略文件或数据库时需要输入这些密码，下面的命令生成密钥：

[[email protected] ~]# tripwire-setup-keyfiles
Enter the site keyfile passphrase: 123456       # 输入站点密钥文件密码
Verify the site keyfile passphrase: 123456
Enter the local keyfile passphrase: 123456      # 输入本地密钥文件密码
Verify the local keyfile passphrase: 123456
Please enter your site passphrase: 123456       # 请输入您的网站密码
Wrote configuration file: /etc/tripwire/tw.cfg
Please enter your site passphrase: 123456       # 请输入您的网站密码
Wrote policy file: /etc/tripwire/tw.pol

1.4.2 查看生成的秘钥文件

[[email protected] ~]# cd /etc/tripwire/
[[email protected] tripwire]# ls
site.key  test-local.key  tw.cfg  twcfg.txt  tw.pol  twpol.txt

• 秘钥文件用途：
• key：加密站点密钥文件
• cfg：加密配置变量文件
• pol：加密策略文件
• txt：定义数据库、策略文件和Tripwire可执行文件的位置
• txt：定义检测的对象及违规时采取的行为
• xuegod63-local.key：加密本地密钥文件

1.4.3 初始化tripwire

[[email protected] ~]# tripwire --init  # 第一次初始化时会报错No such file or directory,不用管继续后面操作
# 将所有不是centos系统上的文件和目录在配置文件中取消掉
[[email protected] ~]# tripwire --check|grep Filename > filename.txt
[[email protected] ~]# cat>>twpol.sh<<'EOF'
#!/bin/bash

for f in $(grep "Filename:" filename.txt | cut -f2 -d:);
do
    sed -i "s|\($f\)|#\\1|g" /etc/tripwire/twpol.txt
done
EOF
[[email protected] ~]# sh twpol.sh
# 使用twadmin命令重新生成并重新签署tripwire配置
[[email protected] ~]# twadmin -m P /etc/tripwire/twpol.txt
Please enter your site passphrase: 123546
Wrote policy file: /etc/tripwire/tw.pol
[[email protected] ~]# tripwire --init  # 初始化数据库:生成基准数据库
Please enter your local passphrase: 123456  # 输入本地秘钥文件密码，这里是我们设置的密码123456
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/test.twd
The database was successfully generated.    # 初始化tripwire数据库成功，没有任何错误

1.5 验证Tripwire配置和检查系统

1.5.1 修改系统文件

[[email protected] ~]# useradd test2
[[email protected] ~]# echo aaaaa >> /etc/passwd

1.5.2 系统检测

[[email protected] ~]# tripwire --check                 # 检查整个系统
===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/test.twd.bak"

-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/log)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/log/history/2022-08-03/[email protected]_20220803_13:59:40"
"/var/log/history/2022-08-03/[email protected]_20220803_14:02:58"
"/var/log/history/2022-08-04"

Modified:
"/var/log/history"

-------------------------------------------------------------------------------
Rule Name: Security Control (/etc/group)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/etc/group"

-------------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc/group-)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/etc/group-"

-------------------------------------------------------------------------------
Rule Name: Critical configuration files (/etc/passwd)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/etc/passwd"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/root/.lesshst"
[[email protected] ~]# tripwire --check /etc/passwd     # 检查单个文件
[[email protected] ~]# tripwire --check /etc            # 检查单个目录

1.6 添加指定的站点规则

1.6.1 添加规则

需要定义规则名称，严重程度，监视目录和文件类型。在这一步中将在/var/www/htmI/sqli-labs目录下为sqli-labs创建一个名为“Sqli-labs Data”的新规则，严重程度为“HIGH/SIG_HI”并且该目录中的所有文件都是关键的以及源代码不能更改。

[[email protected] ~]# vim /etc/tripwire/twpol.txt
# Ruleset for Sqli-labs     # 在文件最后插入该内容
(
  rulename = "Sqli-labs Data",
  severity = $(SIG_HI)
)
{
  /var/www/html/sqli-labs          -> $(SEC_CRIT);
}

1.6.2 重新生成签名配置

[[email protected] ~]# twadmin -m P /etc/tripwire/twpol.txt
Please enter your site passphrase: 123456
Wrote policy file: /etc/tripwire/tw.pol

1.6.3 重新生成tripwire数据库

[[email protected] ~]# tripwire --init
Please enter your local passphrase: 123456
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/test.twd
The database was successfully generated.

1.6.4 修改后进行验证

[[email protected] ~]# touch /var/www/html/sqli-labs/hack-labs.php
[[email protected] ~]# tripwire --check