Contents
1. Tripwire Install
Tripwire is a host-based intrusion detection system (IDS) that monitors files and directories and notifies the user of any changes.
1.1 Installation and configuration
① Download and install
|
1 2 3 |
# cd /usr/local/src # wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm # rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm |
② Set passphrase
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
# tripwire-setup-keyfiles ---------------------------------------------- The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files. Passphrases should be at least 8 characters in length and contain both letters and numbers. See the Tripwire manual for more information. ---------------------------------------------- Creating key files... (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the site keyfile passphrase: ←Enter any "Site Passphrase". Verify the site keyfile passphrase: ←Enter the "Site Passphrase" again. Generating key (this may take several minutes)...Key generation complete. (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the local keyfile passphrase: ←Enter any "Local Passphrase". Verify the local keyfile passphrase: ←Enter the "Local Passphrase" again. Generating key (this may take several minutes)...Key generation complete. ---------------------------------------------- Signing configuration file... Please enter your site passphrase: ←Enter "Site Passphrase". Wrote configuration file: /etc/tripwire/tw.cfg A clear-text version of the Tripwire configuration file: /etc/tripwire/twcfg.txt has been preserved for your inspection. It is recommended that you move this file to a secure location and/or encrypt it in place (using a tool such as GPG, for example) after you have examined it. ---------------------------------------------- Signing policy file... Please enter your site passphrase: ←Enter "Site Passphrase". Wrote policy file: /etc/tripwire/tw.pol A clear-text version of the Tripwire policy file: /etc/tripwire/twpol.txt ~summary~ default values from the current configuration file are used. |
③ Configuring Tripwire
|
1 2 3 4 5 6 7 8 |
# vi /etc/tripwire/twcfg.txt ■Per line 9 Add "#" to the beginning of the line and "LOOSEDIRECTORYCHECKING =true" to the line below it. LOOSEDIRECTORYCHECKING =true ■Per line 13 Add "#" to the beginning of the line, and add "REPORTLEVEL =4" to the line below it. #REPORTLEVEL =3 REPORTLEVEL =4 |
④ Create a Tripwire configuration file (cryptographically signed version)
|
1 2 3 |
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt Please enter your site passphrase: ←Enter your site passphrase Wrote configuration file: /etc/tripwire/tw.cfg |
⑤Delete Tripwire configuration file (text version)
|
1 |
# rm -f /etc/tripwire/twcfg.txt |
Reference) To restore the Tripwire configuration file (text version), execute the following command
|
1 |
# twadmin -m f -c /etc/tripwire/tw.cfg > /etc/tripwire/twcfg.txt |
⑥ Policy file settings
|
1 2 |
# cd /etc/tripwire/ # vi twpolmake.txt |
Contents of twpolmake.txt ↓
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 |
#!/usr/bin/perl # Tripwire Policy File customize tool # ---------------------------------------------------------------- # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ---------------------------------------------------------------- # Usage: # perl twpolmake.pl {Pol file} # ---------------------------------------------------------------- # $POLFILE=$ARGV[0];open(POL,"$POLFILE") or die "open error: $POLFILE" ; my($myhost,$thost) ; my($sharp,$tpath,$cond) ; my($INRULE) = 0 ;while (<POL>) { chomp; if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) { $myhost = `hostname` ; chomp($myhost) ; if ($thost ne $myhost) { $_="HOSTNAME=\"$myhost\";" ; } } elsif ( /^{/ ) { $INRULE=1 ; } elsif ( /^}/ ) { $INRULE=0 ; } elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) { $ret = ($sharp =~ s/\#//g) ; if ($tpath eq '/sbin/e2fsadm' ) { $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ; } if (! -s $tpath) { $_ = "$sharp#$tpath$cond" if ($ret == 0) ; } else { $_ = "$sharp$tpath$cond" ; } } print "$_\n" ; } close(POL) ; |
|
1 2 |
# mv twpolmake.txt twpolmake.pl # perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new |
⑧ Create a policy file (cryptographically signed version) based on the optimized policy file.
|
1 2 3 4 |
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new Please enter your site passphrase: ←Enter your site passphrase Wrote policy file: /etc/tripwire/tw.pol |
|
1 |
# rm -f /etc/tripwire/twpol.txt* |
|
1 2 |
# tripwire -m i -s -c /etc/tripwire/tw.cfg Please enter your local passphrase: ←Enter your local passphrase |
Create a test file
|
1 |
# echo test > /root/test.txt |
|
1 |
# tripwire -m c -s -c /etc/tripwire/tw.cfg |
If successful, the following will be displayed
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report Report generated by: root Report created on: Sun Jan 16 22:28:26 2022 Database last updated on: Never ============================================================== Report Summary: ============================================================== Host name: Lepard Host IP address: Unknown IP Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/Lepard.twd Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg ・・・・・Abbreviation・・・・・・ ------------------------------------------------------------------------------- Added: "/root/test.txt" ============================================================== Error Report: ============================================================== No Errors ------------------------------------------------------------------------------- *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. |
|
1 |
# rm -f /root/test.txt |
1.2 Make Tripwire run periodically
①Create Tripwire autorun script
|
1 2 |
# cd /srv/www/system # vi tripwire.sh |
Contents of "tripwire.sh"
Enter the local passphrase and site passphrase.
Enter the local passphrase and site passphrase.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # Set passphrase LOCALPASS= xxxxxxxx # local passphrase SITEPASS= xxxxxxxx # Site passphrase cd /etc/tripwire # Run a Tripwire check tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root # Update policy files twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # Modernization of database rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
|
1 |
# chmod 700 tripwire.sh |
|
1 2 |
# crontab -e 0 3 * * * /srv/www/system/tripwire.sh |
Reference: Script for reporting results by email
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
#!/bin/bash PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin # Set passphrase LOCALPASS= xxxxxxxx # local passphrase SITEPASS= xxxxxxxx # Site passphrase #Specify e-mail address for notification MAIL="<your mail address> " cd /etc/tripwire # Run a Tripwire check tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL # Update policy files twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt perl twpolmake.pl twpol.txt > twpol.txt.new twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null rm -f twpol.txt* *.bak # Modernization of database rm -f /usr/local/tripwire/lib/tripwire/*.twd* tripwire -m i -s -c tw.cfg -P $LOCALPASS |
2. Chkrootkit Install
①Download and install chkrootkit
|
1 2 3 |
# zypper addrepo https://download.opensuse.org/repositories/security/openSUSE_Leap_15.3_Update//security.repo # zypper refresh # zypper install chkrootkit |
➁Move the chkrootkit command to the /root/bin directory
|
1 |
# mv /usr/sbin/chkrootkit /root/bin |
③Create and change permissions of the chkrootkit regular execution script
|
1 |
# vi /srv/www/system/chkrootkit.sh |
Contents of "chkrootkit.sh
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
#!/bin/bash PATH=/usr/bin:/bin:/root/bin TMPLOG=`mktemp` # Run chkrootkit chkrootkit > $TMPLOG #Log output cat $TMPLOG | logger -t chkrootkit # Handling of SMTPS bindshell false positives if [ ! -z "$(grep 465 $TMPLOG)" ] && \ [ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then sed -i '/465/d' $TMPLOG fi # Addressed Suckit false positive when updating upstart package. #if [ ! -z "$(grep Suckit $TMPLOG)" ] && \ # [ -z $(rpm -V `rpm -qf /sbin/init`) ]; then # sed -i '/Suckit/d' $TMPLOG #fi #Send mail to root only when rootkit is detected [ ! -z "$(grep INFECTED $TMPLOG)" ] && \ grep INFECTED $TMPLOG | mail -s "chkrootkit report in `hostname`" root rm -f $TMPLOG |
|
1 |
# chmod 700 /srv/www/system/chkrootkit.sh |
④Periodic execution of chkrootkit
|
1 2 |
# crontab -e 0 2 * * * /srv/www/system/chkrootkit.sh |
⑥Backup the commands used by chkrootkit
If the commands used by chkrootkit are tampered with, you will not be able to detect the rootkit, so back up these commands.
|
1 2 3 |
# cd /root # mkdir /root/chkrootkit_cmd # cp `which --skip-alias awk cut echo egrep find head id ls snmpnetstat ps strings sed ssh uname` chkrootkit_cmd/ |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# ls -l /root/chkrootkit_cmd/ total 2404 -rwxr-xr-x 1 root root 614520 Jan 9 18:48 awk -rwxr-xr-x 1 root root 47952 Jan 9 18:48 cut -rwxr-xr-x 1 root root 31408 Jan 9 18:48 echo -rwxr-xr-x 1 root root 28 Jan 9 18:48 egrep -rwxr-xr-x 1 root root 304024 Jan 9 18:48 find -rwxr-xr-x 1 root root 43792 Jan 9 18:48 head -rwxr-xr-x 1 root root 39760 Jan 9 18:48 id -rwxr-xr-x 1 root root 138904 Jan 9 18:48 ls -rwxr-xr-x 1 root root 130200 Jan 9 18:48 ps -rwxr-xr-x 1 root root 155032 Jan 9 18:48 sed -rwxr-xr-x 1 root root 70088 Jan 9 18:48 snmpnetstat -rwxr-xr-x 1 root root 793432 Jan 9 18:48 ssh -rwxr-xr-x 1 root root 31896 Jan 9 18:48 strings -rwxr-xr-x 1 root root 35568 Jan 9 18:48 uname |
⑦Run chkrootkit on the copied command
openSUSE15.3 does not have netstat installed by default, so run the following first
openSUSE15.3 does not have netstat installed by default, so run the following first
|
1 |
# zypper -n install net-tools-deprecated |
Execute.
|
1 |
# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED |
⑧Compress the backed up commands
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd chkrootkit_cmd/ chkrootkit_cmd/awk chkrootkit_cmd/cut chkrootkit_cmd/echo chkrootkit_cmd/egrep chkrootkit_cmd/find chkrootkit_cmd/head chkrootkit_cmd/id chkrootkit_cmd/ls chkrootkit_cmd/ps chkrootkit_cmd/strings chkrootkit_cmd/sed chkrootkit_cmd/ssh chkrootkit_cmd/uname chkrootkit_cmd/snmpnetstat |
⑨Move the backed up compressed files to the home directory of a regular user.
|
1 |
# mv chkrootkit_cmd.tar.gz /home/suse/ |
⑩Copy the chkrootkit_cmd.tar.gz file to the Windows side using WinSCP.
⑪Delete the command on the backed up server.
|
1 2 |
# rm -rf chkrootkit_cmd # rm -rf /home/suse/chkrootkit_cmd.tar.gz |
⑫Change to a script that reports rootkit detection via email.
|
1 2 3 |
# cd /srv/www/system # mv chkrootkit.sh chkrootkit.sh.bak # vi chkrootkit.sh |
Contents of the new "chkrootkit.sh"
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
#!/bin/bash #Specify e-mail address for notification MAIL="<Email address>" PATH=/usr/bin:/bin:/root/bin TMPLOG=`mktemp` # Run chkrootkit chkrootkit > $TMPLOG # Log output cat $TMPLOG | logger -t chkrootkit # Handling of SMTPS bindshell false positives if [ ! -z "$(grep 465 $TMPLOG)" ] && \ [ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then sed -i '/465/d' $TMPLOG fi # Send mail to root only when rootkit is detected [ ! -z "$(grep INFECTED $TMPLOG)" ] && \ grep INFECTED $TMPLOG | mail -s "chkrootkit report in `hostname`" $MAIL rm -f $TMPLOG |
|
1 |
# chmod 700 /srv/www/system/chkrootkit.sh |
3. Logwatch Install
① Install
|
1 |
# zypper -n install logwatch |
② Edit the configuration file
|
1 |
# cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf |
|
1 2 3 4 5 6 7 8 9 |
# vi /etc/logwatch/conf/logwatch.conf ■Per Line 52 Insert a "#" at the beginning of the line "MailTo = root" and set the email address you want to receive notifications at the bottom of the line. #MailTo = root MailTo = <mail.address> ■Per line 84 Set the level of detail for log notifications #Detail = Low Detail = High |
③ Output Logwatch report
|
1 |
# logwatch --output stdout |
④ Test if the report is delivered to the address you set.
|
1 |
# logwatch --output mail |
4. DiCE Install
Every time the global IP is changed, which happens when the Internet is disconnected or the router is disconnected and rebooted, the dynamic DNS must be accessed to notify the change in global IP.
DiCE does that work for you automatically.
DiCE does that work for you automatically.
4.1 Download and install Dice
①Download
|
1 2 3 4 |
# cd /usr/local/bin # wget http://www.hi-ho.ne.jp/yoshihiro_e/dice/diced01914.tar.gz # tar -xzvf diced01914.tar.gz # cd /usr/local/bin/DiCE |
②Setting DiCE
The output characters of DiCE are garbled because of EUC.
To convert them to UTF-8, install nkf.
The output characters of DiCE are garbled because of EUC.
To convert them to UTF-8, install nkf.
|
1 |
# zypper install nkf |
③Start DiCE
|
1 2 |
# cd /usr/local/bin/DiCE # ./diced | nkf -uw |
4.2 Adding an Event
The DNS service should be VALUEDOMAIN.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
# ./diced | nkf -uw : add Please enter the DynamicDNS service name. (P)Return >VALUEDOMAIN Please enter a domain name. (P)Return ><Domain name> ←VALUEDOMAIN Please enter a host name (P)Return ><Host Host name> ←Host name registered with VALUEDOMAIN Please enter your login user name (P)Return ><User name> ←User name registered in VALUEDOMAIN Please enter your login password. (P)Return ><passwd> ←Password to log in to VALVEDOMAIN Enter the IP address to be registered If left blank, the current IP address will be detected automatically. (P)Return >blank space Please give this event a title. (P)Return >xxxxxxxxx(Any name) Specify the frequency of execution (enter a number) (0)One time only(1)Once a day (2)Once a week(3)Once a month (4)Other cycles (5)When IP address changes (6)startup (point in) time (P)Return >5 ←Any If you are in an environment where your IP address does not change often, your account may be deleted after a certain period of time without updating it. If your IP address does not change often, your account may be deleted after a certain period of time without updating. Please specify the interval to run when the IP address does not change. (0)Every 7 days (1)Every 14 days (2)Every 21 days (3)Every 28 days (4)Every 35 days (5)Every 56 days (6)Every 84 days (P)Return >0 ←Any Do you want to enable this event? (Y/N) >y Do you want to save the event? (Y/N) >y |
Confirmation of events
|
1 2 3 4 5 6 7 8 |
:list (No.) (Event Name) (Schedule) (Next time to decide) 0 * xxxxxxxxx When IP address changes (every 7 days) 01/25 17:43 Manual execution :ex 0 + 1/19 13:13 xxxxxxxxx has been executed. IP address updated. |
4.3 Automatic execution of Dice
Start the DiCE daemon
|
1 |
# /usr/local/bin/DiCE/diced -d -l |
|
1 2 3 |
# ps aux | grep diced root 64904 2.2 0.0 3204 120 ? Ss 14:48 0:00 /usr/local/bin/DiCE/diced -d -l root 64908 0.0 0.0 7680 848 pts/0 S+ 14:49 0:00 grep --color=auto diced |