How to use file integrity checking to detect file modifications on CentOS systems

How to use file integrity checking to detect file modifications on CentOS systems

Introduction:
In modern computer systems, file integrity checking is one of the important means to ensure system security. By periodically checking the integrity of system files, tampered or damaged files can be discovered and repaired in a timely manner, preventing the system from unknown security threats. In this article, we will explain how to use the file integrity check feature on CentOS systems.

1. File integrity checking tool in CentOS system
CentOS system comes with a powerful file integrity checking tool——tripwire. This tool can perform hash calculations on specified files and save the results in the file database. When a file is modified or the hash value is changed, tripwire will sound an alert and alert the administrator to take action.

2. Installation and configurationtripwire

1. Installationtripwire：

   sudo yum install tripwire

2. Initializationtripwire:

   sudo tripwire-setup-keyfiles
   sudo tripwire --init

3. Parameter settings in the configuration file (/etc/tripwire/twcfg.txt):
4. ROOT: The path to the root directory, the default is /, generally does not need to be modified unless there are special requirements.
5. POLFILE: The path to the policy file, which defines the files or directories that need to be checked. The default is /etc/tripwire/twpol.txt.
6. SITEKEYFILE: The path to store the tripwire key, the default is /etc/tripwire/site.key.

3. Create a policy file (/etc/tripwire/twpol.txt)
According to actual needs, you can specify files that need to be integrity checked in the policy file. or directory. Take checking the /etc/passwd file as an example. The content of the policy file is as follows:

(
    rulename = "etc_passwd",         # 规则名称
    severity = $(SIG_HI),            # 严重级别
    emailto = "admin@example.com",   # 发送警报的邮件地址
    files = (
        "/etc/passwd",               # 需要检查的文件路径
    ),
)

4. Generate configuration files and database files

1. Generate configuration File:

   sudo twadmin --create-cfgfile -P tripwire.cfg

2. Generate database file:

   sudo tripwire --update -P tripwire.cfg /etc/tripwire/twpol.txt

5. Regular inspection and automation

1. Manually run the check:

   sudo tripwire --check -P tripwire.cfg

2. Set up regular tasks:
   Use cron or other scheduled task tools to run the tripwire check command regularly to Implement automated inspections and reporting.

6. Operation Example

1. View detailed inspection results of tripwire:

   sudo tripwire --check | more

2. View alarm Logs:
   Alert logs are saved by default in the /var/lib/tripwire/581ce0c2a03eb2244e4d3a83f2c5e59d-1d78a9a384cca7aba89b0d5f2a964e41.twr file.

Conclusion:
By using the tripwire tool, we can automatically check and monitor file integrity on CentOS systems. This helps us protect the security of our systems and detect and address any potential security issues promptly. At the same time, reasonable setting of inspection strategies and regular automation can reduce the operational pressure of administrators and improve work efficiency. Hopefully this article has been helpful for you to use file integrity checking to detect file modifications on CentOS systems.

The above is the detailed content of How to use file integrity checking to detect file modifications on CentOS systems. For more information, please follow other related articles on the PHP Chinese website!