Contents
1. Tripwire
Tripwire is a host-based intrusion detection system (IDS) that monitors files and directories and notifies you when changes are made.
1.1 Install and configuration
①Install
1 2 3 |
# cd /usr/local/src # wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm # rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm |
② Passphrase Settings
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
# tripwire-setup-keyfiles ---------------------------------------------- The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files. Passphrases should be at least 8 characters in length and contain both letters and numbers. See the Tripwire manual for more information. ---------------------------------------------- Creating key files... (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the site keyfile passphrase: ←Enter any "Site Passphrase" Verify the site keyfile passphrase: ←Enter any "Site Passphrase" Generating key (this may take several minutes)...Key generation complete. (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the local keyfile passphrase: ←Enter any "local passphrase" Verify the local keyfile passphrase: ←Enter any "local passphrase" Generating key (this may take several minutes)...Key generation complete. ---------------------------------------------- Signing configuration file... Please enter your site passphrase: ←Enter "Site Passphrase" Wrote configuration file: /etc/tripwire/tw.cfg A clear-text version of the Tripwire configuration file: /etc/tripwire/twcfg.txt has been preserved for your inspection. It is recommended that you move this file to a secure location and/or encrypt it in place (using a tool such as GPG, for example) after you have examined it. ---------------------------------------------- Signing policy file... Please enter your site passphrase: ←Enter "Site Passphrase" Wrote policy file: /etc/tripwire/tw.pol A clear-text version of the Tripwire policy file: /etc/tripwire/twpol.txt ~中略~ default values from the current configuration file are used. |
③ Tripwire Configuration
1 2 3 4 5 6 7 8 |
# vi /etc/tripwire/twcfg.txt ■Per Line 9 Add "#" at the beginning of the line and "LOOSEDIRECTORYCHECKING =true" on the line below it. LOOSEDIRECTORYCHECKING =true ■Per Line 12 Add "#" at the beginning of the line and "REPORTLEVEL =4" on the line below it. #REPORTLEVEL =3 REPORTLEVEL =4 |
④ Create a Tripwire configuration file (cryptographically signed version)
1 2 3 |
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt Please enter your site passphrase: ←Enter site passphrase Wrote configuration file: /etc/tripwire/tw.cfg |
⑤Delete Tripwire configuration file (text version)
1 |
# rm -f /etc/tripwire/twcfg.txt |
Reference) To restore the Tripwire configuration file (text version), execute the following command
1 |
# twadmin -m f -c /etc/tripwire/tw.cfg > /etc/tripwire/twcfg.txt |
⑥ Policy File Settings
1 2 |
# cd /etc/tripwire/ # vi twpolmake.txt |
Contents of twpolmake.txt
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 |
#!/usr/bin/perl # Tripwire Policy File customize tool # ---------------------------------------------------------------- # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ---------------------------------------------------------------- # Usage: # perl twpolmake.pl {Pol file} # ---------------------------------------------------------------- # $POLFILE=$ARGV[0];open(POL,"$POLFILE") or die "open error: $POLFILE" ; my($myhost,$thost) ; my($sharp,$tpath,$cond) ; my($INRULE) = 0 ;while (<POL>) { chomp; if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) { $myhost = `hostname` ; chomp($myhost) ; if ($thost ne $myhost) { $_="HOSTNAME=\"$myhost\";" ; } } elsif ( /^{/ ) { $INRULE=1 ; } elsif ( /^}/ ) { $INRULE=0 ; } elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) { $ret = ($sharp =~ s/\#//g) ; if ($tpath eq '/sbin/e2fsadm' ) { $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ; } if (! -s $tpath) { $_ = "$sharp#$tpath$cond" if ($ret == 0) ; } else { $_ = "$sharp$tpath$cond" ; } } print "$_\n" ; } close(POL) ; |
⑦ Policy File Optimizations
1 2 |
# mv twpolmake.txt twpolmake.pl # perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new |
⑧ Create policy file (cryptographically signed version) based on optimized policy file
1 2 3 4 |
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new Please enter your site passphrase: ←Enter site passphrase Wrote policy file: /etc/tripwire/tw.pol |
Delete policy file (text version)
1 |
# rm -f /etc/tripwire/twpol.txt* |
⑨ Create database and check operation
1 2 |
# tripwire -m i -s -c /etc/tripwire/tw.cfg Please enter your local passphrase: ←Enter local passphrase |
Create test files
1 |
# echo test > /root/test.txt |
Check Tripwire operation
1 |
# tripwire -m c -s -c /etc/tripwire/tw.cfg |
If successful, the following will be displayed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report Report generated by: root Report created on: Wed Jun 14 21:24:53 2023 Database last updated on: Never =============================================================================== Report Summary: =============================================================================== Host name: Lepard Host IP address: 192.168.11.83 Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/Lepard.twd Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg =============================================================================== Rule Summary: =============================================================================== ・・・・・omission・・・・・・ ------------------------------------------------------------------------------- Added: "/root/test.txt" =============================================================================== Error Report: =============================================================================== No Errors ------------------------------------------------------------------------------- *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. |
Delete test files
1 |
# rm -f /root/test.txt |
1.2 Run Tripwire regularly
①Creation of auto-execution scripts
1 2 |
# cd /srv/www/system # vi tripwire.sh |
Contents of "tripwire.sh"
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # Passphrase setting LOCALPASS= xxxxxxxx # Local passphrase SITEPASS= xxxxxxxx # Site passphrase cd /etc/tripwire # Tripwire check run tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root # Policy File Update twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # Database Update rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
1 |
# chmod 700 tripwire.sh |
②Add to cron to have Tripwire run periodically
1 2 |
# crontab -e 0 3 * * * /srv/www/system/tripwire.sh |
Reference: Script for reporting results by e-mail
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # Passphrase setting LOCALPASS=xxxxx # Local passphrase SITEPASS=xxxxx # Site passphrase #Email Address for Notification MAIL="<your mail address> " cd /etc/tripwire # Tripwire check run tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL # Policy File Update twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # Database Update rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
Execute the following command and confirm that the notification is delivered to the specified e-mail address
1 |
# /srv/www/system/tripwire.sh |
2. Logwatch
①Logwatch install
1 |
# zypper -n install logwatch |
② Edit configuration file
1 |
# cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf |
1 2 3 4 5 6 7 8 9 |
# vi /etc/logwatch/conf/logwatch.conf ■ Per Line 53 Insert "#" at the beginning of the "MailTo = root" line and set the email address you want to receive notifications to the line below it. #MailTo = root MailTo = <mail.address> ■ Per Line 86 Set the level of detail for log notifications #Detail = Low Detail = High |
③ Output Logwatch reports
1 |
# logwatch --output stdout |
④ Test to see if the report is delivered to the address you set.
1 |
# logwatch --output mail |