integrit – an alternative to Tripwire

File system integrity checking is an important part of security. On Unix-like systems the best-known file system integrity checker is Tripwire. Although Tripwire went commercial early on, it is not the only option: AIDE is an alternative that is less pleasant to use, and integrit is another replacement for Tripwire. I tried it out and found the following points attractive:

  • Installation, configuration and use are all simple
  • Low resource usage
  • Uses up-to-date cryptographic algorithms

Download the tarball from the integrit site and extract it.

# ./configure && make && make install 

First, create a configuration file:

# cat /opt/oracle/software/integrit.conf
current=/opt/oracle/software/integrit.cdb
known=/opt/oracle/software/integritKnown.cdb
root=/opt/oracle/oradata

The first line sets the current database. The second line sets the known database (both are stored in cdb format). The third line is the directory tree to check. A minimal configuration needs only these three lines.

Tip: integrit -h prints the command-line help.
After editing the configuration file, run the following command to initialize or update the database:

# integrit -C /opt/oracle/software/integrit.conf -u
integrit: ---- integrit, version 3.05 -----------------
integrit:                      output : human-readable
integrit:                   conf file : /opt/oracle/software/integrit.conf
integrit:                    known db : /opt/oracle/software/integritKnown.cdb
integrit:                  current db : /opt/oracle/software/integrit.cdb
integrit:                        root : /opt/oracle/oradata
integrit:                    do check : no
integrit:                   do update : yes
integrit: current-state db md5sum --------------
integrit: 515bb5d2f6159a94aeff4897fb29c1a6  /opt/oracle/software/integrit.cdb

Store the resulting database as the known database (optional). The purpose of this step is to have a baseline against which old and new states can be compared.

# cp /opt/oracle/software/integrit.cdb /opt/oracle/software/integritKnown.cdb

Run a check to compare the current state against the known database:

# integrit -C /opt/oracle/software/integrit.conf -c
integrit: ---- integrit, version 3.05 -----------------
integrit:                      output : human-readable
integrit:                   conf file : /opt/oracle/software/integrit.conf
integrit:                    known db : /opt/oracle/software/integritKnown.cdb
integrit:                  current db : /opt/oracle/software/integrit.cdb
integrit:                        root : /opt/oracle/oradata
integrit:                    do check : yes
integrit:                   do update : no
changed: /opt/oracle/oradata/demo/sysaux01.dbf    s(d767300ae7992b694acd0dbd2d98f6cc9d8fd34a:5388d21fdc1881e34569a608318421e20435f210)
changed: /opt/oracle/oradata/demo/sysaux01.dbf    m(20060727-140328:20060727-141559) c(20060727-140328:20060727-141559)
changed: /opt/oracle/oradata/demo/redo02.log      s(8a9f29801d83ce5d783772e376bb1b495b18283d:c9c6552b6be8c04d14eb9742c50c61e97845730a)
changed: /opt/oracle/oradata/demo/redo02.log      m(20060727-140354:20060727-141601) c(20060727-140354:20060727-141601)
changed: /opt/oracle/oradata/demo/system01.dbf    s(5f68493e460072801856927f805e5643c139339e:37d04ffff72e1f30e460ca1093d819d9a6200928)
changed: /opt/oracle/oradata/demo/system01.dbf    m(20060727-140355:20060727-141553) c(20060727-140355:20060727-141553)
changed: /opt/oracle/oradata/demo/undotbs01.dbf   s(6ee4c7c5d6dda9e656ffb6af309b70cda6289bd9:a1f092d410d8f1918f1e997c24184aabd45fb926)
changed: /opt/oracle/oradata/demo/undotbs01.dbf   m(20060727-140355:20060727-141641) c(20060727-140355:20060727-141641)
changed: /opt/oracle/oradata/demo/control01.ctl   s(ec692bdeec475df7afc2932110433e45919a3947:c0071d216db7fe0dc2cfdb05b45f5797a64576cf)
changed: /opt/oracle/oradata/demo/control01.ctl   m(20060727-140420:20060727-141643) c(20060727-140420:20060727-141643)
changed: /opt/oracle/oradata/demo/control02.ctl   s(becc90726e800c707cb70d6d5d8e2454fe51b545:7680f589473c5a90e70cc6173a889abfdfd7edcd)
changed: /opt/oracle/oradata/demo/control02.ctl   m(20060727-140420:20060727-141643) c(20060727-140420:20060727-141643)
changed: /opt/oracle/oradata/demo/control03.ctl   s(becc90726e800c707cb70d6d5d8e2454fe51b545:7680f589473c5a90e70cc6173a889abfdfd7edcd)
changed: /opt/oracle/oradata/demo/control03.ctl   m(20060727-140420:20060727-141643) c(20060727-140420:20060727-141643)
integrit: not doing update, so no check for missing files

After the check, the changes to the affected files are listed. (To illustrate the point, I picked a specific directory here.)
Of course, integrit is not limited to this simple usage; it also supports more elaborate settings, which are described in the integrit manual.
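As an added example (not from the original post or the integrit project), here is a small POSIX sh helper that condenses a check report like the one above into one line per file, listing the letters of the attributes that differ; the report text is a constructed sample copied from the output shown above, and the function and variable names are my own.

```sh
#!/bin/sh
# Added example: summarise an integrit check report per file.
# Attribute letters seen in the report above: s = checksum, m = mtime,
# c = ctime; the remaining letters are documented in the integrit manual.

# Constructed sample, taken from the report format shown in the post.
SAMPLE_REPORT='changed: /opt/oracle/oradata/demo/sysaux01.dbf    s(d767300ae7992b694acd0dbd2d98f6cc9d8fd34a:5388d21fdc1881e34569a608318421e20435f210)
changed: /opt/oracle/oradata/demo/sysaux01.dbf    m(20060727-140328:20060727-141559) c(20060727-140328:20060727-141559)
changed: /opt/oracle/oradata/demo/redo02.log      s(8a9f29801d83ce5d783772e376bb1b495b18283d:c9c6552b6be8c04d14eb9742c50c61e97845730a)
changed: /opt/oracle/oradata/demo/redo02.log      m(20060727-140354:20060727-141601) c(20060727-140354:20060727-141601)
integrit: not doing update, so no check for missing files'

# Read a report on stdin; print "<status> <path> <attribute letters>" once
# per file, in first-seen order. "integrit:" banner lines are ignored.
summarize_report() {
    awk '
        $1 ~ /^(changed|new|missing):$/ {
            key = $1 " " $2
            if (!(key in seen)) { seen[key] = 1; order[++n] = key }
            # each remaining field looks like "m(old:new)"; keep its letter
            for (i = 3; i <= NF; i++) {
                letter = substr($i, 1, 1)
                if (index(attrs[key], letter) == 0) attrs[key] = attrs[key] letter
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                a = attrs[order[i]]
                if (a != "") a = " " a
                printf "%s%s\n", order[i], a
            }
        }'
}

# True when the report on stdin names any changed, new or missing file;
# handy as the condition for sending mail from a cron job.
report_has_changes() {
    [ -n "$(summarize_report)" ]
}

printf '%s\n' "$SAMPLE_REPORT" | summarize_report
```

Live Oracle data files such as those above change on every write, so a report on them will always show differences; a useful baseline covers directories whose contents should stay static, and the known database belongs somewhere the monitored host cannot rewrite it.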


6 thoughts on "integrit – an alternative to Tripwire"

  1. li_jiaqi

    Did you cheat? This post doesn't say much about integrit, so how does it rank second? And I get this even over a US dedicated line. Frustrating.

