Yesterday I installed Tripwire (I am new to Tripwire) on my new VPS (created two days ago). I followed this tutorial to set up Tripwire, everything worked fine, and my report showed no violations or errors.
Today I ran the Tripwire check again and got a surprise: the report contained 2624 violations, including boot scripts. The report is very large, so I have included only the main parts here.
===============================================================================
Report Summary:
===============================================================================
Command line used: tripwire --check
===============================================================================
Rule Summary:
===============================================================================
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
* Other binaries 66 0 0 75
Tripwire Binaries 100 0 0 0
* Other libraries 66 0 0 1271
* Root file-system executables 100 0 0 5
Tripwire Data Files 100 0 0 0
* System boot changes 100 4 0 1
(/var/log)
* Root file-system libraries 100 40 0 18
(/lib)
* Critical system boot files 100 1159 0 6
* Other configuration files 66 1 1 22
(/etc)
* Boot Scripts 100 0 0 4
Security Control 66 0 0 0
* Root config files 100 0 0 1
* Devices & Kernel information 100 15 1 0
Invariant Directories 66 0 0 0
Total objects scanned: 17460
Total violations found: 2624
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: Other binaries (/usr/sbin)
Severity Level: 66
-------------------------------------------------------------------------------
Modified:
"/usr/sbin"
"/usr/sbin/dnsmasq"
-------------------------------------------------------------------------------
Rule Name: Other libraries (/usr/lib)
Severity Level: 66
-------------------------------------------------------------------------------
Modified:
"/usr/lib/git-core"
"/usr/lib/git-core/git"
"/usr/lib/git-core/git-add"
"/usr/lib/git-core/git-add--interactive"
"/usr/lib/git-core/git-am"
Many other files of /usr/lib/git-core
"/usr/lib/gnupg"
"/usr/lib/gnupg/gpgkeys_curl"
"/usr/lib/gnupg/gpgkeys_finger"
"/usr/lib/gnupg/gpgkeys_hkp"
"/usr/lib/gnupg/gpgkeys_ldap"
"/usr/lib/gnupg/gpgkeys_mailto"
"/usr/lib/pm-utils/sleep.d"
"/usr/lib/pm-utils/sleep.d/000record-status"
"/usr/lib/policykit-1"
"/usr/lib/policykit-1/polkit-agent-helper-1"
"/usr/lib/policykit-1/polkitd"
"/usr/lib/python3/dist-packages"
"/usr/lib/python3/dist-packages/__pycache__"
"/usr/lib/python3/dist-packages/__pycache__/apport_python_hook.cpython-35.pyc"
"/usr/lib/python3/dist-packages/__pycache__/problem_report.cpython-35.pyc"
"/usr/lib/python3/dist-packages/apport"
Many other files of /usr/lib/python-3/dist-packages
"/usr/lib/ssl"
"/usr/lib/ssl/misc"
"/usr/lib/ssl/misc/CA.pl"
"/usr/lib/ssl/misc/CA.sh"
"/usr/lib/ssl/misc/c_hash"
"/usr/lib/ssl/misc/c_info"
"/usr/lib/ssl/misc/c_issuer"
"/usr/lib/ssl/misc/c_name"
"/usr/lib/ssl/misc/tsget"
"/usr/lib/ssl/openssl.cnf"
"/usr/lib/x86_64-linux-gnu"
"/usr/lib/x86_64-linux-gnu/libelf-0.165.so"
"/usr/lib/x86_64-linux-gnu/libelf.so.1"
"/usr/lib/x86_64-linux-gnu/libmagic.so.1"
"/usr/lib/x86_64-linux-gnu/libmagic.so.1.0.0"
"/usr/lib/x86_64-linux-gnu/libperl.so.5.22"
"/usr/lib/x86_64-linux-gnu/libperl.so.5.22.1"
"/usr/lib/x86_64-linux-gnu/libpng12.so.0"
"/usr/lib/x86_64-linux-gnu/libpolkit-agent-1.so.0"
"/usr/lib/x86_64-linux-gnu/libpolkit-agent-1.so.0.0.0"
"/usr/lib/x86_64-linux-gnu/libpolkit-backend-1.so.0"
"/usr/lib/x86_64-linux-gnu/libpolkit-backend-1.so.0.0.0"
"/usr/lib/x86_64-linux-gnu/libpolkit-gobject-1.so.0"
"/usr/lib/x86_64-linux-gnu/libpolkit-gobject-1.so.0.0.0"
"/usr/lib/x86_64-linux-gnu/libstdc++.so.6"
"/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/lib4758cca.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libaep.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libatalla.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libcapi.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libchil.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libcswift.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgmp.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libnuron.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libpadlock.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libsureware.so"
"/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libubsec.so"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1/B"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1/B/Concise.pm"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1/B/Showlex.pm"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1/B/Terse.pm"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1/B/Xref.pm"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1/B.pm"
"/usr/lib/x86_64-linux-gnu/perl/5.22.1/CORE"
Many other files of /usr/lib/x86_64-linux-gnu/perl
"/usr/lib/x86_64-linux-gnu/perl-base"
"/usr/lib/x86_64-linux-gnu/perl-base/AutoLoader.pm"
"/usr/lib/x86_64-linux-gnu/perl-base/Carp"
"/usr/lib/x86_64-linux-gnu/perl-base/Carp/Heavy.pm"
"/usr/lib/x86_64-linux-gnu/perl-base/Carp.pm"
Many other files of /usr/lib/x86_64-linux-gnu/perl-base
"/usr/lib/x86_64-linux-gnu/polkit-1/extensions"
"/usr/lib/x86_64-linux-gnu/polkit-1/extensions/libnullbackend.so"
-------------------------------------------------------------------------------
Rule Name: Other binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------
Modified:
"/usr/bin"
"/usr/bin/apport-bug"
"/usr/bin/apport-cli"
"/usr/bin/apport-collect"
"/usr/bin/apport-unpack"
"/usr/bin/c2ph"
"/usr/bin/c_rehash"
"/usr/bin/corelist"
"/usr/bin/cpan"
"/usr/bin/cpan5.22-x86_64-linux-gnu"
"/usr/bin/enc2xs"
"/usr/bin/encguess"
"/usr/bin/file"
Many other files of /usr/bin/
-------------------------------------------------------------------------------
Rule Name: Root file-system executables (/sbin)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/sbin"
"/sbin/sysctl"
-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/log)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/var/log/mail.err"
"/var/log/syslog.1"
"/var/log/mail.log"
"/var/log/unattended-upgrades/unattended-upgrades-dpkg.log"
Modified:
"/var/log/syslog"
-------------------------------------------------------------------------------
Rule Name: Root file-system libraries (/lib)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/lib/modprobe.d/blacklist_linux_4.4.0-130-generic.conf"
"/lib/firmware/4.4.0-130-generic"
"/lib/firmware/4.4.0-130-generic/whiteheat_loader.fw"
"/lib/firmware/4.4.0-130-generic/korg"
"/lib/firmware/4.4.0-130-generic/korg/k1212.dsp"
"/lib/firmware/4.4.0-130-generic/qlogic"
"/lib/firmware/4.4.0-130-generic/qlogic/sd7220.fw"
"/lib/firmware/4.4.0-130-generic/qlogic/1280.bin"
"/lib/firmware/4.4.0-130-generic/qlogic/1040.bin"
"/lib/firmware/4.4.0-130-generic/qlogic/12160.bin"
Many other files of /lib/firmware/4.4.0-130-generic
Modified:
"/lib/firmware"
"/lib/modprobe.d"
"/lib/systemd/system"
"/lib/systemd/system/apport-forward.socket"
"/lib/systemd/system/apport-forward@.service"
"/lib/systemd/system/polkitd.service"
"/lib/udev/rules.d"
"/lib/udev/rules.d/50-apport.rules"
"/lib/udev/rules.d/60-gnupg.rules"
"/lib/x86_64-linux-gnu"
"/lib/x86_64-linux-gnu/libcrypto.so.1.0.0"
"/lib/x86_64-linux-gnu/libgcrypt.so.20"
"/lib/x86_64-linux-gnu/libgcrypt.so.20.0.5"
"/lib/x86_64-linux-gnu/libpng12.so.0"
"/lib/x86_64-linux-gnu/libpng12.so.0.54.0"
"/lib/x86_64-linux-gnu/libprocps.so.4"
"/lib/x86_64-linux-gnu/libprocps.so.4.0.0"
"/lib/x86_64-linux-gnu/libssl.so.1.0.0"
-------------------------------------------------------------------------------
Rule Name: Critical system boot files (/lib/modules)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/lib/modules/4.4.0-130-generic"
"/lib/modules/4.4.0-130-generic/modules.alias"
"/lib/modules/4.4.0-130-generic/initrd"
"/lib/modules/4.4.0-130-generic/modules.alias.bin"
"/lib/modules/4.4.0-130-generic/kernel"
"/lib/modules/4.4.0-130-generic/kernel/lib"
"/lib/modules/4.4.0-130-generic/kernel/lib/xz"
"/lib/modules/4.4.0-130-generic/kernel/lib/xz/xz_dec_test.ko"
"/lib/modules/4.4.0-130-generic/kernel/lib/ts_fsm.ko"
"/lib/modules/4.4.0-130-generic/kernel/lib/test_static_keys.ko"
"/lib/modules/4.4.0-130-generic/kernel/lib/test_bpf.ko"
"/lib/modules/4.4.0-130-generic/kernel/lib/reed_solomon"
"/lib/modules/4.4.0-130-generic/kernel/lib/reed_solomon/reed_solomon.ko"
"/lib/modules/4.4.0-130-generic/kernel/lib/842"
"/lib/modules/4.4.0-130-generic/kernel/lib/842/842_compress.ko"
"/lib/modules/4.4.0-130-generic/kernel/lib/842/842_decompress.ko"
"/lib/modules/4.4.0-130-generic/kernel/lib/test_printf.ko"
Many other files of /lib/modules/4.4.0-130-generic/
Modified:
"/lib/modules"
-------------------------------------------------------------------------------
Rule Name: Other configuration files (/etc)
Severity Level: 66
-------------------------------------------------------------------------------
Added:
"/etc/ssh/sshd_config.save"
Removed:
"/etc/tripwire/twpol.txt"
Modified:
"/etc"
"/etc/apport"
"/etc/apport/blacklist.d"
"/etc/apt/apt.conf.d"
"/etc/apt/apt.conf.d/01autoremove-kernels"
"/etc/bash_completion.d"
"/etc/cron.daily"
"/etc/dbus-1/system.d"
"/etc/default"
"/etc/init"
"/etc/ld.so.cache"
"/etc/logrotate.d"
"/etc/pam.d"
"/etc/perl/Net"
"/etc/polkit-1/localauthority.conf.d"
"/etc/polkit-1/nullbackend.conf.d"
"/etc/ssh"
"/etc/ssh/ssh_config"
"/etc/ssh/sshd_config"
"/etc/ssl"
"/etc/sysctl.d"
"/etc/tripwire"
-------------------------------------------------------------------------------
Rule Name: Boot Scripts (/etc/init.d)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/etc/init.d"
"/etc/init.d/.depend.boot"
"/etc/init.d/.depend.start"
"/etc/init.d/.depend.stop"
-------------------------------------------------------------------------------
Rule Name: Critical system boot files (/boot)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/boot/retpoline-4.4.0-130-generic"
"/boot/abi-4.4.0-130-generic"
"/boot/config-4.4.0-130-generic"
"/boot/System.map-4.4.0-130-generic"
"/boot/initrd.img-4.4.0-130-generic"
"/boot/vmlinuz-4.4.0-130-generic"
Modified:
"/boot"
"/boot/grub"
"/boot/grub/grub.cfg"
"/boot/grub/menu.lst"
"/boot/grub/menu.lst~"
-------------------------------------------------------------------------------
Rule Name: Root file-system executables (/bin)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin"
"/bin/kill"
"/bin/ps"
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/root/.nano/search_history"
-------------------------------------------------------------------------------
Rule Name: Devices & Kernel information (/dev/pts)
Severity Level: 100
-------------------------------------------------------------------------------
Removed:
"/dev/pts/1"
-------------------------------------------------------------------------------
Rule Name: Devices & Kernel information (/proc/sys)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/proc/sys/fs/xfs"
"/proc/sys/fs/xfs/error_level"
"/proc/sys/fs/xfs/filestream_centisecs"
"/proc/sys/fs/xfs/inherit_noatime"
"/proc/sys/fs/xfs/inherit_nodefrag"
"/proc/sys/fs/xfs/inherit_nodump"
"/proc/sys/fs/xfs/inherit_nosymlinks"
"/proc/sys/fs/xfs/inherit_sync"
"/proc/sys/fs/xfs/irix_sgid_inherit"
"/proc/sys/fs/xfs/irix_symlink_mode"
"/proc/sys/fs/xfs/panic_mask"
"/proc/sys/fs/xfs/rotorstep"
"/proc/sys/fs/xfs/speculative_prealloc_lifetime"
"/proc/sys/fs/xfs/stats_clear"
"/proc/sys/fs/xfs/xfssyncd_centisecs"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Are these file changes normal? Could they mean that my VPS has been hacked? I did not make any changes to the system between the two checks. I also carried out several security measures, such as enabling SSH keys, disabling password-based authentication, and setting up a firewall (UFW).
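A defender triaging a report like this first separates the violations that a package update accounts for from the ones nothing explains. The Python below is an added example, not code from the question or from Tripwire: it parses a constructed Object Summary excerpt, takes package names from the `Setting up` lines dpkg writes into unattended-upgrades-dpkg.log (constructed sample), and uses a constructed dictionary in place of `dpkg -S` to find each file's owning package. On a real host `dpkg -S` would be queried instead, and because a compromised host's own package database is not trustworthy, files left in the `owned` or `unowned` buckets should be checked against known-good package checksums rather than assumed benign.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of Tripwire's "Object Summary" (not the poster's full report).
REPORT = """\
Modified:
"/bin"
"/bin/ps"
Added:
"/etc/ssh/sshd_config.save"
Modified:
"/etc/ssh/sshd_config"
"""

# Constructed lines in the form dpkg writes to unattended-upgrades-dpkg.log.
DPKG_LOG = """\
Setting up procps (2:3.3.10-4ubuntu2.4) ...
Setting up linux-image-4.4.0-130-generic (4.4.0-130.156) ...
"""

# Constructed stand-in for `dpkg -S <path>`; on a real host query dpkg itself.
OWNER = {"/bin/ps": "procps", "/etc/ssh/sshd_config": "openssh-server"}

def parse_report(text):
    """Return (status, path) pairs from a Tripwire Object Summary block."""
    status, out = None, []
    for line in text.splitlines():
        if line in ("Added:", "Removed:", "Modified:"):
            status = line[:-1]
        elif line.startswith('"') and line.endswith('"'):
            out.append((status, line[1:-1]))
    return out

def upgraded_packages(log):
    """Packages that dpkg reports as set up in the unattended-upgrades log."""
    return set(re.findall(r"^Setting up (\S+) ", log, re.M))

def triage(report, log, owner):
    """Bucket violations: directory, upgraded, owned (package not updated), unowned."""
    ups, viol = upgraded_packages(log), parse_report(report)
    paths = {p for _, p in viol}
    result = defaultdict(list)
    for status, path in viol:
        pkg = owner.get(path)
        if any(q.startswith(path + "/") for q in paths):
            key = "directory"  # a directory's mtime changes whenever a child changes
        else:
            key = "upgraded" if pkg in ups else "owned" if pkg else "unowned"
        result[key].append((status, path, pkg))
    return dict(result)
```

Running `triage(REPORT, DPKG_LOG, OWNER)` on the sample puts `/bin/ps` under `upgraded` (procps was just set up) and leaves `sshd_config` and `sshd_config.save` in the buckets that need a closer look.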