tripwireダウンロードします
[root@centos ~]# wget http://jaist.dl.sourceforge.net/sourceforge/tripwire/tripwire-2.4.1.2-src.tar.bz2

ダウンロードしたtripwireを解凍展開します
[root@centos ~]# tar jxvf tripwire-2.4.1.2-src.tar.bz2

tripwire展開先ディレクトリへ移動します
[root@centos ~]# cd tripwire-2.4.1.2-src

tripwireをコンパイル、インストールします
[root@centos tripwire-2.4.1.2-src]# ./configure –prefix=/usr/local/tripwire sysconfdir=/etc/tripwire
〜　configureのログは省略　〜
[root@centos tripwire-2.4.1.2-src]# make
〜　makeのログは省略　〜
[root@centos tripwire-2.4.1.2-src]# make install
〜　make install の冒頭のログは省略　〜

Installer program for:
Tripwire(R) 2.4 Open Source

Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc. Tripwire (R)
is a registered trademark of the Purdue Research Foundation and is
licensed exclusively to Tripwire (R) Security Systems, Inc.

LICENSE AGREEMENT for Tripwire(R) 2.4 Open Source

〜　中略　〜

Press ENTER to view the License Agreement. [Enter]キーを押下する

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

〜　中略　〜

Please type “accept” to indicate your acceptance of this
license agreement. [do not accept] accept
Using configuration file ./install/install.cfg

Checking for programs specified in install configuration file….

/usr/sbin/sendmail -oi -t exists. Continuing installation.

/bin/vi exists. Continuing installation.

———————————————-
Verifying existence of binaries…

./bin/siggen found
./bin/tripwire found
./bin/twprint found
./bin/twadmin found

This program will copy Tripwire files to the following directories:

TWBIN: /usr/local/tripwire/sbin
TWMAN: /usr/local/tripwire/man
TWPOLICY: /etc/tripwire
TWREPORT: /usr/local/tripwire/lib/tripwire/report
TWDB: /usr/local/tripwire/lib/tripwire
TWSITEKEYDIR: /etc/tripwire
TWLOCALKEYDIR: /etc/tripwire

CLOBBER is false.

Continue with installation? [y/n] y

———————————————-
Creating directories…

/usr/local/tripwire/sbin: already exists
/etc/tripwire: created
/usr/local/tripwire/lib/tripwire/report: created
/usr/local/tripwire/lib/tripwire: already exists
/etc/tripwire: already exists
/etc/tripwire: already exists
/usr/local/tripwire/man: created
/usr/local/tripwire/doc/tripwire: created

———————————————-
Copying files…

/usr/local/tripwire/doc/tripwire/COPYING: copied
/usr/local/tripwire/doc/tripwire/TRADEMARK: copied
/usr/local/tripwire/doc/tripwire/policyguide.txt: copied
/etc/tripwire/twpol-Linux.txt: copied

———————————————-
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases should be at least 8 characters in length
and contain both letters and numbers.

See the Tripwire manual for more information.

———————————————-
Creating key files…

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase: サイトキーパスフレーズを入力
Verify the site keyfile passphrase: サイトキーパスフレーズを再入力
サイトパスフレーズは、Tripewire の設定、ポリシーファイルの暗号化に使用します
Generating key (this may take several minutes)…Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase: ローカルキーパスフレーズを入力
Verify the local keyfile passphrase: ローカルキーパスフレーズを再入力
ローカルパスフレーズは、データベース、レポートファイルの暗号化に使用します
Generating key (this may take several minutes)…Key generation complete.

———————————————-
Generating Tripwire configuration file…

———————————————-
Creating signed configuration file…
Please enter your site passphrase: サイトキーパスフレーズを応答
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended
that you delete this file manually after you have examined it.

———————————————-
Customizing default policy file…

———————————————-
Creating signed policy file…
Please enter your site passphrase: サイトキーパスフレーズを応答
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements
a minimal policy, intended only to test essential
Tripwire functionality. You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.

———————————————-
The installation succeeded.

make install 最後のログは省略

ホームディレクトリ（rootユーザなので/root）へ移動
[root@centos tripwire-2.4.1.2-src]# cd

tripwire展開先ディレクトリを削除
[root@centos ~]# rm -rf tripwire-2.4.1.2-src

ダウンロードしたtripwireを削除
[root@centos ~]# rm -f tripwire-2.4.1.2-src.tar.bz2

tripwire実行ファイル格納ディレクトリへパスを通す
[root@centos ~]# echo PATH=$PATH:/usr/local/tripwire/sbin >> .bashrc ; source .bashrc

tripwireインストール直後の設定ファイル格納ディレクトリの一覧を表示します
[root@centos ~]# ls -la /etc/tripwire
合計 84
drwxr-x— 2 root root 4096 1月 26 23:56 .
drwxr-xr-x 80 root root 4096 1月 26 23:52 ..
-rw-r—– 1 root root 931 1月 26 23:54 centos.centos.com-local.key
-rw-r—– 1 root root 931 1月 26 23:54 site.key
-rw-r—– 1 root root 4586 1月 26 23:55 tw.cfg
-rw-r—– 1 root root 4159 1月 26 23:56 tw.pol
-rw-r—– 1 root root 537 1月 26 23:54 twcfg.txt
-rw-r—– 1 root root 13745 1月 26 23:55 twpol.txt

Tripwire設定ファイル(テキスト版)を修正します
[root@centos ~]# vi /etc/tripwire/twcfg.txt
ROOT =/usr/local/tripwire/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/usr/local/tripwire/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/usr/local/tripwire/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/centos.centos.com-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
検査対象に何らかの変化があった時にそのファイルを格納しているディレクトリも報告の対象とする場合はtrue
LOOSEDIRECTORYCHECKING =true　false から true に変更
MAILNOVIOLATIONS =true
メールで送信されるレポートの詳細レベルを一番高レベルの4に変更
EMAILREPORTLEVEL =4　3 から 4 に変更
レポートの詳細レベルを一番高レベルの4に変更
EREPORTLEVEL =4　3 から 4 に変更
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
保存してviエディタを終了します

Tripwire設定ファイルに暗号署名を行います
[root@centos ~]# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: サイトパスフレーズ応答
Wrote configuration file: /etc/tripwire/.cfg

Tripwire設定ファイル(テキスト版)削除
[root@centos ~]# rm -f /etc/tripwire/twcfg.txt

※Tripwire設定ファイル(テキスト版)を復元する場合
[root@centos ~]# twadmin -m f -c /etc/tripwire/tw.cfg > /etc/tripwire/twcfg.txt

[root@centos ~]# ls -la /etc/tripwire
合計 88
drwxr-x— 2 root root 4096 1月 27 00:25 .
drwxr-xr-x 80 root root 4096 1月 26 23:52 ..
-rw-r—– 1 root root 931 1月 26 23:54 centos.centos.com-local.key
-rw-r—– 1 root root 931 1月 26 23:54 site.key
-rw-r—– 1 root root 4586 1月 27 00:20 tw.cfg　　　今回作成したTripwire設定ファイル(暗号署名版)
-rw-r—– 1 root root 4586 1月 27 00:20 tw.cfg.bak　元々あったTripwire設定ファイル(暗号署名版)が自動リネームされた
-rw-r—– 1 root root 4159 1月 26 23:56 tw.pol
-rw-r—– 1 root root 13745 1月 26 23:55 twpol.txt

ポリシーファイル最適化スクリプト作成
[root@centos ~]# vi /etc/tripwire/twpolmake.pl
viエディタが起動するので以下のテキストを入力します
#!/usr/bin/perl
# Tripwire Policy File customize tool
# —————————————————————-
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place – Suite 330, Boston, MA 02111-1307, USA.
# —————————————————————-
# Usage:
# perl twpolmake.pl {Pol file}
# —————————————————————-
#
$POLFILE=$ARGV[0];

open(POL,”$POLFILE”) or die “open error: $POLFILE” ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while ( ) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_=”HOSTNAME=\”$myhost\”;” ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq ‘/sbin/e2fsadm’ ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = “$sharp#$tpath$cond” if ($ret == 0) ;
}
else {
$_ = “$sharp$tpath$cond” ;
}
}
print “$_\n” ;
}
close(POL) ;保存してviエディタを終了します

[root@centos ~]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new

[root@centos ~]# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase: サイトパスフレーズ応答
Wrote policy file: /etc/tripwire/tw.pol

ポリシーファイル(テキスト版)削除
[root@centos ~]# rm -f /etc/tripwire/twpol.txt*

※ポリシーファイル(テキスト版)を復元する場合
[root@centos ~]# twadmin -m p -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key > /etc/tripwire/twpol.txt

[root@centos ~]# ls -la /etc/tripwire
合計 88
drwxr-x— 2 root root 4096 1月 27 00:31 .
drwxr-xr-x 80 root root 4096 1月 26 23:52 ..
-rw-r—– 1 root root 931 1月 26 23:54 centos.centos.com-local.key
-rw-r—– 1 root root 931 1月 26 23:54 site.key
-rw-r—– 1 root root 4586 1月 27 00:20 tw.cfg
-rw-r—– 1 root root 4586 1月 27 00:20 tw.cfg.bak
-rw-r—– 1 root root 4159 1月 27 00:30 tw.pol　　　今回作成したポリシーファイル(暗号署名版)
-rw-r—– 1 root root 4159 1月 27 00:30 tw.pol.bak　元々あったポリシーファイル(暗号署名版)が自動リネームされた
-rw-r–r– 1 root root 1908 1月 27 00:30 twpolmake.pl

Tripwireデータベース作成
[root@centos ~]# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: ローカルパスフレーズ応答

Tripwireチェック実行
[root@centos ~]# tripwire -m c -s -c /etc/tripwire/tw.cfg
Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by: root
Report created on: 2009年01月27日 00時34分55秒
Database last updated on: Never

===============================================================================
Report Summary:
===============================================================================

Host name: centos.centos.com
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /usr/local/tripwire/lib/tripwire/centos.centos.com.twd
Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg

===============================================================================
Rule Summary:
===============================================================================

——————————————————————————-
Section: Unix File System
——————————————————————————-

Rule Name Severity Level Added Removed Modified
——— ————– —– ——- ——–
* Tripwire Data Files 0 1 0 0
Monitor Filesystems 0 0 0 0
User Binaries and Libraries 0 0 0 0
Tripwire Binaries 0 0 0 0
OS Binaries and Libraries 0 0 0 0
Temporary Directories 0 0 0 0
Global Configuration Files 0 0 0 0
System Boot Changes 0 0 0 0
RPM Checksum Files 0 0 0 0
OS Boot Files and Mount Points 0 0 0 0
OS Devices and Misc Directories 0 0 0 0
Root Directory and Files 0 0 0 0

Total objects scanned: 65125
Total violations found: 1

===============================================================================
Object Summary:
===============================================================================

——————————————————————————-
# Section: Unix File System
——————————————————————————-

——————————————————————————-
Rule Name: Tripwire Data Files (/usr/local/tripwire/lib/tripwire)
Severity Level: 0
——————————————————————————-

Added:
“/usr/local/tripwire/lib/tripwire/centos.centos.com.twd”

===============================================================================
Error Report:
===============================================================================

No Errors

——————————————————————————-
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use –version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.

ファイルが追加された時の検証をしてみます
[root@centos ~]# echo test > test.txt
Tripwireチェック再実行
[root@centos ~]# tripwire -m c -s -c /etc/tripwire/tw.cfg
Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by: root
Report created on: 2009年01月27日 00時37分07秒
Database last updated on: Never

===============================================================================
Report Summary:
===============================================================================

Host name: centos.centos.com
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /usr/local/tripwire/lib/tripwire/centos.centos.com
Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg

===============================================================================
Rule Summary:
===============================================================================

——————————————————————————-
Section: Unix File System
——————————————————————————-

Rule Name Severity Level Added Removed Modified
——— ————– —– ——- ——–
* Tripwire Data Files 0 1 0 0
Monitor Filesystems 0 0 0 0
User Binaries and Libraries 0 0 0 0
Tripwire Binaries 0 0 0 0
OS Binaries and Libraries 0 0 0 0
Temporary Directories 0 0 0 0
Global Configuration Files 0 0 0 0
System Boot Changes 0 0 0 0
RPM Checksum Files 0 0 0 0
OS Boot Files and Mount Points 0 0 0 0
OS Devices and Misc Directories 0 0 0 0
* Root Directory and Files 0 1 0 0

Total objects scanned: 65126
Total violations found: 2

===============================================================================
Object Summary:
===============================================================================

——————————————————————————-
# Section: Unix File System
——————————————————————————-

——————————————————————————-
Rule Name: Tripwire Data Files (/usr/local/tripwire/lib/tripwire)
Severity Level: 0
——————————————————————————-

Added:
“/usr/local/tripwire/lib/tripwire/centos.centos.com.twd”

——————————————————————————-
Rule Name: Root Directory and Files (/root)
Severity Level: 0
——————————————————————————-

Added:
“/root/test.txt”　（※追加されたファイルが表示されます）

===============================================================================
Error Report:
===============================================================================

No Errors

——————————————————————————-
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use –version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.

※過去のチェック結果を参照したい場合は以下のコマンドを入力します。
[root@centos ~]# twprint -m r -c /etc/tripwire/tw.cfg -r /usr/local/tripwire/lib/tripwire/report/centos.centossrv.com-20060331-202128.twr

Tripwire定期自動実行スクリプトを作成します
[root@centos ~]# vi tripwire.sh
viエディタが起動するので以下のテキストを入力します
#!/bin/bash

PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# パスフレーズ設定
LOCALPASS=xxxxxxxx # ローカルパスフレーズ
SITEPASS=xxxxxxxx # サイトパスフレーズ

cd /etc/tripwire

# Tripwireチェック実行
tripwire -m c -s -c tw.cfg|mail -s “Tripwire(R) Integrity Check Report in `hostname`” root

# ポリシーファイル最新化
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak

# データベース最新化
rm -f /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS
保存してviエディタを終了します

Tripwire定期自動実行スクリプトへ実行権限を付与します
[root@centos ~]# chmod 700 tripwire.sh

Cron（スケジューラ）に午前3時にTripwire定期自動実行スクリプトが起動するように設定します
[root@centos ~]# crontab -e
viエディタが起動するので以下のテキストを入力します
00 05 * * * /root/systemupdate.sh > /root/systemupdate.log 2>&1
00 01 * * * /root/clamav.sh
00 03 * * * /root/tripwire.sh　追加します
保存してviエディタを終了します