Learn Linux Series (#8) - Intrusion detection system TripWire
Posted by @vitusc in utopian-io
#### What Will I Learn?

- What is TripWire
- How to install TripWire
- How to Configure the Policy File to Match Your System
- How to Set Up Email Notifications
- How to Automate Tripwire with Cron

#### Requirements

- Linux system installed (the commands below are for Ubuntu/Debian)
- Basic knowledge of terminal operation
- Average knowledge of Linux commands
- Motivation when something goes wrong

#### Difficulty

- Intermediate

#### What is TripWire

**Tripwire** is a free, open-source security and data-integrity tool that monitors and alerts on changes to specific files across a range of systems. It records many different filesystem attributes of each monitored object (size, permissions, ownership, inode number, timestamps and cryptographic hashes of the contents) so that it can detect whether unauthorized changes have occurred. As a host-based intrusion detection system (HIDS), it works by collecting details about your computer's filesystem and configuration and storing them in a signed database that represents the known-good state. Later checks compare the current state against that baseline; any difference between the two could be a sign that your security has been compromised.

Two caveats follow from that design. Tripwire only detects what has changed since the baseline was taken, so the baseline must be built on a system you trust (ideally right after installation, before the machine is exposed). And because it runs on the host it protects, an intruder with root access can delete the database or replace the tripwire binary itself; keep copies of the database, the keys and the binary somewhere the host cannot write to, such as read-only or off-host media, so that later reports can be verified.

The project's home page can be found at [http://www.tripwire.org](http://www.tripwire.org). The open-source version is available for free for Linux.

#### How to install TripWire

The installation of the tool is very simple. Tripwire can be found in Ubuntu's default repositories, so all you need to do is enter the following command in the terminal:

```
sudo apt-get install tripwire
```

The package's configuration dialog first asks whether you want to create the site key and local key passphrases during installation. Select "yes" to both of these prompts. It will then ask if it can rebuild the configuration file. Select "yes". It will ask a similar question about the policy file. Again, answer "yes".
Next, you will be asked to choose and confirm a site key passphrase. Tripwire uses two keys to sign (and thereby protect from silent modification) the files it depends on:

1) the "site key", which signs the configuration and policy files (tw.cfg and tw.pol);
2) the "local key", which signs the database that records the state of the monitored files, and the reports.

You will first choose and confirm a passphrase for the site key, and then for the local key. Make sure you choose strong passphrases: whoever knows the local passphrase can update the database so that a modified file looks legitimate, and whoever knows the site passphrase can rewrite the policy so that a file is no longer checked at all.

#### How to Configure the Policy File to Match Your System

The default policy shipped with the package refers to many files that do not exist on a typical Ubuntu system. The initial `tripwire --init` and the first `tripwire --check` therefore print a long list of "File system error" warnings, each naming a missing object on a `Filename:` line. Save that list of file names; it is the ***test_results*** file referred to below, and it tells you exactly which policy lines to disable.

The configuration is done in the plain-text file /etc/tripwire/twpol.txt. Open it in your editor with root privileges:

```
sudo nano /etc/tripwire/twpol.txt
```

Do a search for each of the files that were returned in the ***test_results*** file and comment out every line that matches.

In the "Boot Scripts" section, you should comment out the ***/etc/rc.boot*** line:

```
(
  rulename = "Boot Scripts",
  severity = $(SIG_HI)
)
{
        /etc/init.d             -> $(SEC_BIN) ;
        #/etc/rc.boot           -> $(SEC_BIN) ;
        /etc/rcS.d              -> $(SEC_BIN) ;
```

There were a lot of files in the /root home directory that needed to be commented out on my system.
Anything that is not present on your system should be commented out:

```
(
  rulename = "Root config files",
  severity = 100
)
{
        /root                           -> $(SEC_CRIT) ; # Catch all additions to /root
        #/root/mail                     -> $(SEC_CONFIG) ;
        #/root/Mail                     -> $(SEC_CONFIG) ;
        #/root/.xsession-errors         -> $(SEC_CONFIG) ;
        #/root/.xauth                   -> $(SEC_CONFIG) ;
        #/root/.tcshrc                  -> $(SEC_CONFIG) ;
        #/root/.sawfish                 -> $(SEC_CONFIG) ;
        #/root/.pinerc                  -> $(SEC_CONFIG) ;
        #/root/.mc                      -> $(SEC_CONFIG) ;
        #/root/.gnome_private           -> $(SEC_CONFIG) ;
        #/root/.gnome-desktop           -> $(SEC_CONFIG) ;
        #/root/.gnome                   -> $(SEC_CONFIG) ;
        #/root/.esd_auth                -> $(SEC_CONFIG) ;
        #/root/.elm                     -> $(SEC_CONFIG) ;
        #/root/.cshrc                   -> $(SEC_CONFIG) ;
        /root/.bashrc                   -> $(SEC_CONFIG) ;
        #/root/.bash_profile            -> $(SEC_CONFIG) ;
        #/root/.bash_logout             -> $(SEC_CONFIG) ;
        /root/.bash_history             -> $(SEC_CONFIG) ;
        #/root/.amandahosts             -> $(SEC_CONFIG) ;
        #/root/.addressbook.lu          -> $(SEC_CONFIG) ;
        #/root/.addressbook             -> $(SEC_CONFIG) ;
        #/root/.Xresources              -> $(SEC_CONFIG) ;
        #/root/.Xauthority              -> $(SEC_CONFIG) -i ; # Changes Inode number on login
        #/root/.ICEauthority            -> $(SEC_CONFIG) ;
}
```

Note that the uncommented ***/root*** line stays: it catches any file added to /root, which is exactly the kind of change (a dropped SSH key, a modified shell rc file) you want reported.

The rule that covers devices and kernel information asks for the whole of ***/proc*** to be checked. However, that would check every file under it, and /proc is a virtual filesystem whose contents change constantly, so we don't particularly want that.
Instead, we will comment out the blanket ***/proc*** entry and add configuration options for only those directories and files under ***/proc*** that we do want to check:

```
{
        /dev                    -> $(Device) ;
        #/proc                  -> $(Device) ;
        /proc/devices           -> $(Device) ;
        /proc/net               -> $(Device) ;
        /proc/tty               -> $(Device) ;
        /proc/sys               -> $(Device) ;
        /proc/cpuinfo           -> $(Device) ;
        /proc/modules           -> $(Device) ;
        /proc/mounts            -> $(Device) ;
        /proc/dma               -> $(Device) ;
        /proc/filesystems       -> $(Device) ;
        /proc/interrupts        -> $(Device) ;
        /proc/ioports           -> $(Device) ;
        /proc/scsi              -> $(Device) ;
        /proc/kcore             -> $(Device) ;
        /proc/self              -> $(Device) ;
        /proc/kmsg              -> $(Device) ;
        /proc/stat              -> $(Device) ;
        /proc/loadavg           -> $(Device) ;
        /proc/uptime            -> $(Device) ;
        /proc/locks             -> $(Device) ;
        /proc/meminfo           -> $(Device) ;
        /proc/misc              -> $(Device) ;
}
```

While we are in this portion of the file, we also want to do something about the ***/dev/pts*** filesystem. Tripwire will not check that location by default: it is told to check ***/dev***, but ***/dev/pts*** is a separate filesystem (devpts), and tripwire does not cross a filesystem boundary unless the mount point is named explicitly. To get tripwire to check it as well, we list it here:

```
{
        /dev                    -> $(Device) ;
        /dev/pts                -> $(Device) ;
        #/proc                  -> $(Device) ;
        /proc/devices           -> $(Device) ;
        /proc/net               -> $(Device) ;
        /proc/tty               -> $(Device) ;
        . . .
```

The last thing we will comment out are the ***/var/run*** and ***/var/lock*** lines, so that our system does not flag the PID and lock files that services create and remove as part of normal operation:

```
(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
        #/var/lock              -> $(SEC_CONFIG) ;
        #/var/run               -> $(SEC_CONFIG) ; # daemon PIDs
        /var/log                -> $(SEC_CONFIG) ;
}
```

Save and close the file when you are finished editing.
Now that our file is configured, we need to implement it by recreating the signed policy file that tripwire actually reads:

```
sudo twadmin -m P /etc/tripwire/twpol.txt
```

This asks for the site passphrase and writes /etc/tripwire/tw.pol. The plain-text twpol.txt is still on disk afterwards. Keep it readable by root only, or delete it once tw.pol is signed (twadmin can print the policy back out of the signed file when you next need to edit it), because anyone who can read it learns exactly which files are not being watched.

After the policy is created, we must reinitialize the database so that the baseline reflects the new policy:

```
sudo tripwire --init
```

```
Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/tripit.twd
The database was successfully generated.
```

The database file is named after the host, so on your machine it will be /var/lib/tripwire/<hostname>.twd. All of the warnings that you received earlier should be gone now. If there are still warnings, continue editing ***/etc/tripwire/twpol.txt***, then re-sign the policy and reinitialize, until they are gone. Once the baseline is clean, copy the .twd file and the key files in /etc/tripwire to read-only or off-host storage; a report is only as trustworthy as the database it was compared against.

#### How to Set Up Email Notifications

First of all we must install mail utilities:

```
sudo apt-get install mailutils
```

A check can then be piped straight into mail; the report lists every added, removed and changed file, so send it to a mailbox you actually read:

```
sudo tripwire --check | mail -s "Tripwire report for `uname -n`" your_email@domain.com
```

for example:

```
sudo tripwire --check | mail -s "Tripwire report for `uname -n`" utopian-io@gmail.com
```

Installing mailutils itself changed the system (it added binaries under /usr/sbin), so this first report will list those changes. We should now "okay" the software changes we made by doing an interactive check, which lets us update the database:

```
sudo tripwire --check --interactive
```

The important part is near the top. After some introductory information, you should see some lines with check boxes for each of the added or modified files:

```
Rule Name: Other binaries (/usr/sbin)
Severity Level: 66
-------------------------------------------------------------------------------
Remove the "x" from the adjacent box to prevent updating the database with the
new values for this object.
Added:
[x] "/usr/sbin/maidag"

Modified:
[x] "/usr/sbin"
. . .
```

Leave the "x" in the box for every change you made yourself (here, the files mailutils installed) and remove it for anything you did not expect, so that the entry keeps being reported instead of being accepted into the baseline. Save and close the file; tripwire then asks for the local passphrase and writes the updated database. Run this same interactive check after every legitimate change, such as a package upgrade, otherwise every following report will keep listing it and the real changes get lost in the noise.

#### How to Automate Tripwire with Cron

Check to see if root already has a crontab by issuing this command:

```
sudo crontab -l
```

If a crontab is present, save a copy of it before editing so that you can restore it if something goes wrong:

```
sudo sh -c 'crontab -l > crontab.bad'
```

Afterwards, we can edit the crontab by typing:

```
sudo crontab -e
```

Each line uses the format

```
min hour * * * command
```

The command that we want to use is the same one we used to mail our report before. We don't need sudo, since root's crontab already runs as root, but we do give the full path to the binary because cron's PATH is minimal. To have tripwire run every morning at 06:00, we can place a line like this in the file:

```
00 6 * * * /usr/sbin/tripwire --check | mail -s "Tripwire report for `uname -n`" utopian-io@gmail.com
```

Set the time according to your preferences. Remember that this only reports changes; it never updates the database, so legitimate changes must still be accepted with an interactive check as shown above.

#### Curriculum

- [Part 1 - TCP/IP Computer Adaptation](https://utopian.io/utopian-io/@vitusc/learn-linux-series-1-tcp-ip-computer-adaptation)
- [Part 2 - Proftpd management and configuration](https://utopian.io/utopian-io/@vitusc/learn-linux-series-2-proftpd-management-and-configuration)
- [Part 3 - Introduction to programming](https://utopian.io/utopian-io/@vitusc/learn-linux-series-3-introduction-to-programming)
- [Part 4 - e-mail server (Postfix)](https://utopian.io/utopian-io/@vitusc/learn-linux-series-4-e-mail-server-postfix)
- [Part 5 - e-mail server (Exim)](https://utopian.io/utopian-io/@vitusc/learn-linux-series-5-e-mail-server-exim)
- [Part 6 - Attack Detection System Snort](https://utopian.io/utopian-io/@vitusc/learn-linux-series-6-attack-detection-system-snort)
- [Part 7 - Defense against port scans PortSentry](https://utopian.io/utopian-io/@vitusc/learn-linux-series-7-defense-against-port-scans-portsentry)

<hr/><em>Posted on <a href="https://utopian.io/utopian-io/@vitusc/learn-linux-series-8-intrusion-detection-system-tripwire">Utopian.io - Rewarding Open Source Contributors</a></em><hr/>
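A daily mail that says "0 violations" 364 days a year trains the reader to delete it unread on the day it matters. The wrapper below is an added example written for this article, not code from the original post or from the Tripwire project; it replaces the direct `tripwire --check | mail` pipeline in the crontab line above. It runs the check, mails only when the report summary shows violations or the check itself failed, and puts the violation count in the subject. It assumes the `Total violations found:  N` summary line that tripwire prints in its plain-text report, mailutils' mail(1), the Ubuntu package path /usr/sbin/tripwire, and the `tripwire-check.sh` name and `--cron`/`--demo` flags, which are this example's own. The `demo` function parses a constructed summary so the logic can be exercised on a machine without tripwire.

```sh
#!/bin/sh
# Added example, not from the original post or the Tripwire project: cron
# wrapper that mails the report only when there is something to read.
# Assumed: the "Total violations found:  N" summary line of tripwire's
# plain-text report and mailutils' mail(1). TRIPWIRE and MAILTO can be
# overridden from the environment.

TRIPWIRE=${TRIPWIRE:-/usr/sbin/tripwire}
MAILTO=${MAILTO:-root}

# violations_in REPORT_TEXT -> the "Total violations found" count; 0 when the
# line is absent (for instance when the check aborted before its summary)
violations_in() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${n:-0}"
}

# report_subject REPORT_TEXT EXIT_STATUS -> subject line for the mail
report_subject() {
    n=$(violations_in "$1")
    if [ "$2" -ne 0 ] && [ "$n" -eq 0 ]; then
        printf 'Tripwire on %s: check failed (exit %s)\n' "$(uname -n)" "$2"
    elif [ "$n" -eq 0 ]; then
        printf 'Tripwire on %s: no violations\n' "$(uname -n)"
    else
        printf 'Tripwire on %s: %s violation(s)\n' "$(uname -n)" "$n"
    fi
}

# run_check -> what the crontab line calls; returns tripwire's exit status.
# tripwire still writes its signed .twr report to /var/lib/tripwire/report/
# on its own; the temporary file is only the plain-text copy we mail.
run_check() {
    out=$(mktemp)
    rc=0
    "$TRIPWIRE" --check > "$out" 2>&1 || rc=$?
    if [ "$rc" -ne 0 ] || [ "$(violations_in "$out")" -gt 0 ]; then
        mail -s "$(report_subject "$out" "$rc")" "$MAILTO" < "$out"
    fi
    rm -f "$out"
    return "$rc"
}

# demo -> subject computed from a constructed report summary (not a capture
# from a real host), with a made-up nonzero exit status
demo() {
    f=$(mktemp)
    printf 'Total objects scanned:  15029\nTotal violations found:  3\n' > "$f"
    report_subject "$f" 1
    rm -f "$f"
}

# crontab line:   00 6 * * * /usr/local/sbin/tripwire-check.sh --cron
case "${1:-}" in
    --cron) run_check ;;
    --demo) demo ;;
esac
```

Because a silent day now produces no mail, pair this with something that notices silence: a weekly "still alive" line in the same crontab, or an alert in your monitoring when no report file has appeared in /var/lib/tripwire/report/ for longer than the schedule allows. An intruder who stops the cron job gets the same silence as a clean system, and only an out-of-band check can tell the two apart.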