
openSUSE 15.4: Tripwire, chkrootkit and Logwatch Install

1. Tripwire

Tripwire is a host-based intrusion detection system (HIDS) that monitors files and directories against a stored baseline and notifies you when they change.

1.1 Install and configuration

① Install

② Passphrase settings

③ Tripwire configuration

④ Create the Tripwire configuration file (cryptographically signed version)

⑤ Delete the Tripwire configuration file (text version)

Reference: to restore the Tripwire configuration file (text version), execute the following command

⑥ Policy file settings

Contents of twpolmake.txt

⑦ Policy file optimizations

⑧ Create the policy file (cryptographically signed version) from the optimized policy file
Delete the policy file (text version)

⑨ Create the database and check operation
Create test files
Check Tripwire operation
If successful, the following will be displayed
Delete the test files

1.2 Run Tripwire regularly

① Create the auto-execution script
Contents of "tripwire.sh"
② Add it to cron so that Tripwire runs periodically

Reference: Script for reporting results by e-mail

2. chkrootkit Install

Install chkrootkit, a rootkit detection tool, to check whether a rootkit has been installed on the Linux server.

① Download and install chkrootkit

② Move the chkrootkit command to the /root/bin directory

③ Create the chkrootkit periodic execution script and change its permissions

Contents of "chkrootkit.sh"

④ Periodic execution of chkrootkit

⑥ Back up the commands used by chkrootkit
Back up these commands: if the system commands chkrootkit relies on have themselves been tampered with, a rootkit will not be detected. If necessary, run chkrootkit using the backed-up commands instead.

⑦ Run chkrootkit with the copied commands
Since netstat is not installed by default in openSUSE 15.4, run the following first

Execution

⑧ Compress the backed-up commands

⑨ Move the backed-up compressed file to the general user's home directory

⑩ Copy the chkrootkit_cmd.tar.gz file to the Windows side using WinSCP

⑪ Delete the backed-up commands from the server
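
The following is an added example covering steps ⑥ to ⑧ (it is not the post's own chkrootkit.sh): it copies the external commands chkrootkit runs into a backup directory, compares the live binaries against those copies later so a replaced ps, netstat or ls is noticed, and packs the copies into an archive. The backup directory, the archive name and the availability of sha256sum and tar are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own chkrootkit.sh: keep trusted copies of the
# external commands chkrootkit runs, and compare the live binaries with those
# copies so a replaced ps, netstat or ls cannot silently hide a rootkit.
# Assumptions: POSIX sh with sha256sum and tar (sha256sum itself must be
# trusted); the backup directory and archive name are the caller's choice.

# External commands chkrootkit's documentation lists; netstat is not installed
# by default on openSUSE 15.4, so install it before taking the backup.
CHKROOTKIT_CMDS="awk cut egrep find head id ls netstat ps strings sed uname"

# backup_cmds DEST NAME...: copy each installed command into DEST, preserving
# mode and timestamps, and print how many were copied.
backup_cmds() {
  dest=$1; shift
  mkdir -p "$dest" || return 1
  count=0
  for name in "$@"; do
    src=$(command -v "$name" 2>/dev/null) || { echo "skipped, not installed: $name" >&2; continue; }
    cp -p "$src" "$dest/$name" && count=$((count + 1))
  done
  echo "$count"
}

# verify_cmds DEST: hash each backed-up copy and the command currently found
# on PATH; report every difference. Returns the number of mismatches (0 =
# clean). A change right after a package update is expected; anything else
# should be investigated before trusting chkrootkit's own output.
verify_cmds() {
  dest=$1; bad=0
  for copy in "$dest"/*; do
    [ -f "$copy" ] || continue
    name=${copy##*/}
    live=$(command -v "$name" 2>/dev/null) || { echo "MISSING $name"; bad=$((bad + 1)); continue; }
    h_copy=$(sha256sum "$copy"); h_copy=${h_copy%% *}
    h_live=$(sha256sum "$live"); h_live=${h_live%% *}
    [ "$h_copy" = "$h_live" ] || { echo "CHANGED $name ($live)"; bad=$((bad + 1)); }
  done
  return "$bad"
}

# pack_backup DEST ARCHIVE: bundle the copies so they can be moved off the
# host, as the post does with chkrootkit_cmd.tar.gz.
pack_backup() { tar czf "$2" -C "$1" . ; }

# Typical use (chkrootkit's -p option makes it use the trusted copies):
#   backup_cmds /root/chkrootkit_cmd $CHKROOTKIT_CMDS
#   verify_cmds /root/chkrootkit_cmd
#   /root/bin/chkrootkit -p /root/chkrootkit_cmd
```

Run verify_cmds from cron alongside chkrootkit; a non-zero return on a host with no pending updates is the signal to fall back to the off-host copies.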

⑫ Change the script to report by e-mail when a rootkit is detected

Contents of new "chkrootkit.sh"

3. Logwatch

Logwatch is a program that automatically analyzes log files and reports the results, supporting day-to-day operations.

① Logwatch install
② Edit configuration file
③ Output Logwatch reports
④ Test that the report is delivered to the address you set