AlmaLinux 8.6 : Snort2 , Tripwire , Chkrootkit Install

Contents

SNORT2 Install
Tripwire Install
Chkrootkit Install

SNORT2 Install

1. advance preparation

①Add the CodeReady Red Hat repository and install the required software

# dnf config-manager --set-enabled powertools

1	# dnf config-manager --set-enabled powertools

# dnf -y install bison flex libtool nghttp2 libnghttp2-devel \
libpcap-devel pcre-devel openssl-devel libdnet-devel \
libtirpc-devel git gcc-c++ libunwind-devel cmake hwloc-devel \
luajit-devel xz-devel libnfnetlink-devel libmnl-devel \
libnetfilter_queue-devel uuid-devel libsafec-devel

# dnf -y install bison flex libtool nghttp2 libnghttp2-devel \

libpcap-devel pcre-devel openssl-devel libdnet-devel \

libtirpc-devel git gcc-c++ libunwind-devel cmake hwloc-devel \

luajit-devel xz-devel libnfnetlink-devel libmnl-devel \

libnetfilter_queue-devel uuid-devel libsafec-devel

②DAQ Install

# mkdir /var/src
# cd /var/src
# wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
# tar zxvf daq-2.0.7.tar.gz
# cd daq-2.0.7
# autoreconf -f -i
# ./configure
# make
# make install

# mkdir /var/src

# cd /var/src

# wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz

# tar zxvf daq-2.0.7.tar.gz

# cd daq-2.0.7

# autoreconf -f -i

# ./configure

# make

# make install

③Lua Install

# cd /var/src
# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
# tar -zxvf LuaJIT-2.0.5.tar.gz
# cd LuaJIT-2.0.5
# make
# make install

# cd /var/src

# wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz

# tar -zxvf LuaJIT-2.0.5.tar.gz

# cd LuaJIT-2.0.5

# make

# make install

④Create fake release files

# /bin/cat << EOT >/etc/fedora-release
Fedora release 28 (Rawhide)
EOT

# /bin/cat << EOT >/etc/fedora-release

Fedora release 28 (Rawhide)

EOT

2. Snort Download, Compile, Install

# cd /var/src
# wget https://snort.org/downloads/archive/snort/snort-2.9.18.1.tar.gz
# tar -zxvf snort-2.9.18.1.tar.gz
# cd snort-2.9.18.1
# ./configure --enable-sourcefire
# make
# make install
# ldconfig
# ln -s /usr/local/bin/snort /usr/sbin/snort

# cd /var/src

# wget https://snort.org/downloads/archive/snort/snort-2.9.18.1.tar.gz

# tar -zxvf snort-2.9.18.1.tar.gz

# cd snort-2.9.18.1

# ./configure --enable-sourcefire

# make

# make install

# ldconfig

# ln -s /usr/local/bin/snort /usr/sbin/snort

Remove fake release files

# rm /etc/fedora-release

1	# rm /etc/fedora-release

3.Create groups and users, necessary directories and files

# groupadd snort
# useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

1 2	# groupadd snort # useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

# mkdir /etc/snort
# mkdir -p /etc/snort/rules
# mkdir /var/log/snort
# mkdir /usr/local/lib/snort_dynamicrules
# mkdir /etc/snort/preproc_rules

# chmod -R 5775 /etc/snort
# chmod -R 5775 /var/log/snort
# chmod -R 5775 /usr/local/lib/snort_dynamicrules
# chown -R snort:snort /etc/snort
# chown -R snort:snort /var/log/snort
# chown -R snort:snort /usr/local/lib/snort_dynamicrules

Create the following files
# touch /etc/snort/rules/white_list.rules
# touch /etc/snort/rules/black_list.rules
# touch /etc/snort/rules/local.rules

# mkdir /etc/snort

# mkdir -p /etc/snort/rules

# mkdir /var/log/snort

# mkdir /usr/local/lib/snort_dynamicrules

# mkdir /etc/snort/preproc_rules

# chmod -R 5775 /etc/snort

# chmod -R 5775 /var/log/snort

# chmod -R 5775 /usr/local/lib/snort_dynamicrules

# chown -R snort:snort /etc/snort

# chown -R snort:snort /var/log/snort

# chown -R snort:snort /usr/local/lib/snort_dynamicrules

Create the following files

# touch /etc/snort/rules/white_list.rules

# touch /etc/snort/rules/black_list.rules

# touch /etc/snort/rules/local.rules

Setup configuration files... Copy all files to the configuration directory.

# cp /var/src/snort-2.9.18.1/etc/*.conf* /etc/snort
# cp /var/src/snort-2.9.18.1/etc/*.map* /etc/snort

1 2	# cp /var/src/snort-2.9.18.1/etc/.conf /etc/snort # cp /var/src/snort-2.9.18.1/etc/.map /etc/snort

4.Use of Community Rules

①Get Community Rules

# wget https://www.snort.org/rules/community -O ~/community.tar.gz

1	# wget https://www.snort.org/rules/community -O ~/community.tar.gz

②Extract rules and copy to configuration folder

# tar -xvf ~/community.tar.gz -C ~/
# cp ~/community-rules/* /etc/snort/rules

1 2	# tar -xvf ~/community.tar.gz -C ~/ # cp ~/community-rules/* /etc/snort/rules

There are various rule files that are not included in the community rules.
Use the "sed" command to comment out unnecessary lines.

# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

1	# sed -i 's/include \$RULE\_PATH/#include \$RULE\_PATH/' /etc/snort/snort.conf

5. Retrieving Registered User Rules

Once registered on the Snort website, you can use your Oink code to download registered user rules; the Oink code is located in your Snort user account details.
Replace oinkcode with your personal code in the following command

# wget https://www.snort.org/rules/snortrules-snapshot-29181.tar.gz?oinkcode=<oink-code> -O ~/registered.tar.gz

1	# wget https://www.snort.org/rules/snortrules-snapshot-29181.tar.gz?oinkcode=<oink-code> -O ~/registered.tar.gz

Once download is complete, extract rules to the configuration directory

# tar -xvf ~/registered.tar.gz -C /etc/snort

1	# tar -xvf ~/registered.tar.gz -C /etc/snort

6. Network and Rule Configuration

# vi /etc/snort/snort.conf
●Line 45
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.11.0/24　←adapt to each environment
●Line 48
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET !$HOME_NET
●Line 104-106 :　Comment out and add below
# Path to your rules files (this can be a relative path)
# var RULE_PATH ../rules
# var SO_RULE_PATH ../so_rules
# var PREPROC_RULE_PATH ../preproc_rules
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
●Per line 116 : Comment out and add below
# Set the absolute path appropriately
#var WHITE_LIST_PATH ../rules
#var BLACK_LIST_PATH ../rules
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules
●Per line 525 :  Add
# unified2
# Recommended for most installs
output unified2: filename snort.log, limit 128
●Per line 550 :  To make custom rules readable, local.rules must be uncommented
include $RULE_PATH/local.rules
●If you are using community rules, also add the following line immediately below the local.rules line
include $RULE_PATH/community.rules

# vi /etc/snort/snort.conf

●Line 45

# Setup the network addresses you are protecting

ipvar HOME_NET 192.168.11.0/24　←adapt to each environment

●Line 48

# Set up the external network addresses. Leave as "any" in most situations

ipvar EXTERNAL_NET !$HOME_NET

●Line 104-106 :　Comment out and add below

# Path to your rules files (this can be a relative path)

# var RULE_PATH ../rules

# var SO_RULE_PATH ../so_rules

# var PREPROC_RULE_PATH ../preproc_rules

var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

●Per line 116 : Comment out and add below

# Set the absolute path appropriately

#var WHITE_LIST_PATH ../rules

#var BLACK_LIST_PATH ../rules

var WHITE_LIST_PATH /etc/snort/rules

var BLACK_LIST_PATH /etc/snort/rules

●Per line 525 : Add

# unified2

# Recommended for most installs

output unified2: filename snort.log, limit 128

●Per line 550 : To make custom rules readable, local.rules must be uncommented

include $RULE_PATH/local.rules

●If you are using community rules, also add the following line immediately below the local.rules line

include $RULE_PATH/community.rules

7. Verification of settings

Use parameter -T to test configuration and enable test mode

# snort -T -c /etc/snort/rules/snort.conf

MaxRss at the end of detection rules:809420

--== Initialization Complete ==--

,,_       -*> Snort! <*-
o" )~    Version 2.9.18.1 GRE (Build 1005)
''''       By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.9.1 (with TPACKET_V3)
Using PCRE version: 8.45 2021-06-15
Using ZLIB version: 1.2.11

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.2 <Build 1>
Preprocessor Object: SF_DNS Version 1.1 <Build 4>
Preprocessor Object: appid Version 1.1 <Build 5>
Preprocessor Object: SF_S7COMMPLUS Version 1.0 <Build 1>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
Preprocessor Object: SF_POP Version 1.0 <Build 1>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>

Total snort Fixed Memory Cost - MaxRss:809420
Snort successfully validated the configuration!
Snort exiting

# snort -T -c /etc/snort/rules/snort.conf

MaxRss at the end of detection rules:809420

--== Initialization Complete ==--

,,_ -*> Snort! <*-

o" )~ Version 2.9.18.1 GRE (Build 1005)

'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team

Using libpcap version 1.9.1 (with TPACKET_V3)

Using PCRE version: 8.45 2021-06-15

Using ZLIB version: 1.2.11

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.2 <Build 1>

Preprocessor Object: SF_DNS Version 1.1 <Build 4>

Preprocessor Object: appid Version 1.1 <Build 5>

Preprocessor Object: SF_S7COMMPLUS Version 1.0 <Build 1>

Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>

Preprocessor Object: SF_POP Version 1.0 <Build 1>

Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>

Total snort Fixed Memory Cost - MaxRss:809420

Snort successfully validated the configuration!

Snort exiting

Copy the relevant files to /etc/snort/rules in case of errors
In our case, the error occurred in the following file

# cp /var/src/snort-2.9.18.1/etc/classification.config /etc/snort/rules
# cp /var/src/snort-2.9.18.1/etc/reference.config /etc/snort/rules
# cp /var/src/snort-2.9.18.1/etc/threshold.conf /etc/snort/rules
# cp /var/src/snort-2.9.18.1/etc/unicode.map /etc/snort/rules/

# cp /var/src/snort-2.9.18.1/etc/classification.config /etc/snort/rules

# cp /var/src/snort-2.9.18.1/etc/reference.config /etc/snort/rules

# cp /var/src/snort-2.9.18.1/etc/threshold.conf /etc/snort/rules

# cp /var/src/snort-2.9.18.1/etc/unicode.map /etc/snort/rules/

8. Configuration Testing

①To test if Snort is logging alerts, add a custom detection rule alert for incoming ICMP connections to the local.rules file.

# vi /etc/snort/rules/local.rules
●Add the following line to the last line
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

# vi /etc/snort/rules/local.rules

●Add the following line to the last line

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

②Start Snort at the console and output an alert to stdout. The correct network interface (e.g. eth0) must be selected

# snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf

With Snort up and running, ping from another computer; you will see the following notification for each ICMP call in the terminal where Snort is running
Commencing packet processing (pid=39981)
Commencing packet processing (pid=39405)
07/16-11:55:38.469848 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
07/16-11:55:38.469899 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
07/16-11:55:39.483961 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
07/16-11:55:39.484001 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
07/16-11:55:40.494577 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
07/16-11:55:40.494667 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20
07/16-11:55:41.502542 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83
07/16-11:55:41.502629 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20

# snort -A console -i eth0 -u snort -g snort -c /etc/snort/snort.conf

With Snort up and running, ping from another computer; you will see the following notification for each ICMP call in the terminal where Snort is running

Commencing packet processing (pid=39981)

Commencing packet processing (pid=39405)

07/16-11:55:38.469848 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83

07/16-11:55:38.469899 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20

07/16-11:55:39.483961 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83

07/16-11:55:39.484001 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20

07/16-11:55:40.494577 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83

07/16-11:55:40.494667 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20

07/16-11:55:41.502542 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.20 -> 192.168.11.83

07/16-11:55:41.502629 [**] [1:10000001:1] ICMP test [**] [Priority: 0] {ICMP} 192.168.11.83 -> 192.168.11.20

9. Running Snort in the background

①Create a startup script for Snort

# vi /lib/systemd/system/snort.service

[Unit]

Description=Snort NIDS Daemon
After=syslog.target network.target

[Service]

Type=simple
ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

[Install]

WantedBy=multi-user.target

# vi /lib/systemd/system/snort.service

[Unit]

Description=Snort NIDS Daemon

After=syslog.target network.target

[Service]

Type=simple

ExecStart=/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

[Install]

WantedBy=multi-user.target

②After defining the service, reload and run the systemctl daemon

# systemctl daemon-reload
# systemctl start snort

1 2	# systemctl daemon-reload # systemctl start snort

Tripwire Install

1.Download and installation

# cd /usr/local/src
# wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm
# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm

# cd /usr/local/src

# wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm

# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm

2.Passphrase setting

Set site passphrase and local passphrase

# tripwire-setup-keyfiles

1	# tripwire-setup-keyfiles

----------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: ←Enter any "Site Passphrase"
Verify the site keyfile passphrase: ←Enter "Site Passphrase" again
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: ←Enter any "local passphrase"
Verify the local keyfile passphrase: ←Enter "Local Passphrase" again
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Signing configuration file...
Please enter your site passphrase: ←Enter "Site Passphrase"
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
----------------------------------------------
Signing policy file...
Please enter your site passphrase: ←Enter "Site Passphrase"
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
～omission～
default values from the current configuration file are used.

----------------------------------------------

The Tripwire site and local passphrases are used to sign a variety of

files, such as the configuration, policy, and database files.

Passphrases should be at least 8 characters in length and contain both

letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------

Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically

have upper and lower case letters, digits and punctuation marks, and are

at least 8 characters in length.)

Enter the site keyfile passphrase: ←Enter any "Site Passphrase"

Verify the site keyfile passphrase: ←Enter "Site Passphrase" again

Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically

have upper and lower case letters, digits and punctuation marks, and are

at least 8 characters in length.)

Enter the local keyfile passphrase: ←Enter any "local passphrase"

Verify the local keyfile passphrase: ←Enter "Local Passphrase" again

Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------

Signing configuration file...

Please enter your site passphrase: ←Enter "Site Passphrase"

Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file:

/etc/tripwire/twcfg.txt

has been preserved for your inspection. It is recommended that you

move this file to a secure location and/or encrypt it in place (using a

tool such as GPG, for example) after you have examined it.

----------------------------------------------

Signing policy file...

Please enter your site passphrase: ←Enter "Site Passphrase"

Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file:

/etc/tripwire/twpol.txt

～omission～

default values from the current configuration file are used.

3.Tripwire Configuration

①Configuration File Editing

# vi /etc/tripwire/twcfg.txt
●Per line 9
Add "#" at the beginning of the line and "LOOSEDIRECTORYCHECKING =true" on the line below it.
●Per line 12
Add "#" at the beginning of the line and "REPORTLEVEL =4" on the line below it.
Level 4 provides the most detailed report of the five levels from "0" to "4".
#REPORTLEVEL =3
REPORTLEVEL =4

# vi /etc/tripwire/twcfg.txt

●Per line 9

Add "#" at the beginning of the line and "LOOSEDIRECTORYCHECKING =true" on the line below it.

●Per line 12

Add "#" at the beginning of the line and "REPORTLEVEL =4" on the line below it.

Level 4 provides the most detailed report of the five levels from "0" to "4".

#REPORTLEVEL =3

REPORTLEVEL =4

②Create a Tripwire configuration file (cryptographically signed version)

# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: ←Enter site passphrase
Wrote configuration file: /etc/tripwire/tw.cfg

# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

Please enter your site passphrase: ←Enter site passphrase

Wrote configuration file: /etc/tripwire/tw.cfg

③Delete Tripwire configuration file (text version)

# rm -f /etc/tripwire/twcfg.txt

1	# rm -f /etc/tripwire/twcfg.txt

④Policy File Settings

# cd /etc/tripwire/
# vi twpolmake.pl

1 2	# cd /etc/tripwire/ # vi twpolmake.pl

Contents of twpolmake.pl

#!/usr/bin/perl
# Tripwire Policy File customize tool
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
chomp;
if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
$myhost = `hostname` ; chomp($myhost) ;
if ($thost ne $myhost) {
$_="HOSTNAME=\"$myhost\";" ;
}
}
elsif ( /^{/ ) {
$INRULE=1 ;
}
elsif ( /^}/ ) {
$INRULE=0 ;
}
elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
$ret = ($sharp =~ s/\#//g) ;
if ($tpath eq '/sbin/e2fsadm' ) {
$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
}
if (! -s $tpath) {
$_ = "$sharp#$tpath$cond" if ($ret == 0) ;
}
else {
$_ = "$sharp$tpath$cond" ;
}
}
print "$_\n" ;
}
close(POL) ;

#!/usr/bin/perl

# Tripwire Policy File customize tool

$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;

my($myhost,$thost) ;

my($sharp,$tpath,$cond) ;

my($INRULE) = 0 ;

while (<POL>) {

chomp;

if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {

$myhost = `hostname` ; chomp($myhost) ;

if ($thost ne $myhost) {

$_="HOSTNAME=\"$myhost\";" ;

}

elsif ( /^{/ ) {

$INRULE=1 ;

}

elsif ( /^}/ ) {

$INRULE=0 ;

}

elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {

$ret = ($sharp =~ s/\#//g) ;

if ($tpath eq '/sbin/e2fsadm' ) {

$cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;

}

if (! -s $tpath) {

$_ = "$sharp#$tpath$cond" if ($ret == 0) ;

}

else {

$_ = "$sharp$tpath$cond" ;

}

print "$_\n" ;

}

close(POL) ;

⑤policy file optimization

# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new

1	# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new

⑥Create policy file (cryptographically signed version) based on optimized policy file

# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase: ←Enter site passphrase
Wrote policy file: /etc/tripwire/tw.pol

# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new

Please enter your site passphrase: ←Enter site passphrase

Wrote policy file: /etc/tripwire/tw.pol

⑦Create database and check operation

# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: ←Enter local passphrase

Create test files
# echo test > /root/test.txt
Check Tripwire operation
# tripwire -m c -s -c /etc/tripwire/tw.cfg
OK if it appears as follows

# tripwire -m i -s -c /etc/tripwire/tw.cfg

Please enter your local passphrase: ←Enter local passphrase

Create test files

# echo test > /root/test.txt

Check Tripwire operation

# tripwire -m c -s -c /etc/tripwire/tw.cfg

OK if it appears as follows

Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by: root
Report created on: Sat 16 Jul 2022 12:11:35 PM JST
Database last updated on: Never

============================================================
Report Summary:
============================================================Host name: Alma
Host IP address: 192.168.11.83
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/Alma.twd
Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg

============================================================
Rule Summary:
============================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
User binaries 66 0 0 0
Tripwire Binaries 100 0 0 0
Libraries 66 0 0 0
Operating System Utilities 100 0 0 0
File System and Disk Administraton Programs
100 0 0 0
Kernel Administration Programs 100 0 0 0
Networking Programs 100 0 0 0
System Administration Programs 100 0 0 0
Hardware and Device Control Programs
100 0 0 0
System Information Programs 100 0 0 0
Application Information Programs
100 0 0 0
(/sbin/rtmon)
Critical Utility Sym-Links 100 0 0 0
Shell Binaries 100 0 0 0
Critical system boot files 100 0 0 0
* Tripwire Data Files 100 1 0 0
System boot changes 100 0 0 0
OS executables and libraries 100 0 0 0
Security Control 100 0 0 0
Login Scripts 100 0 0 0
Critical configuration files 100 0 0 0
* Root config files 100 1 0 0
Invariant Directories 66 0 0 0
Temporary directories 33 0 0 0
Critical devices 100 0 0 0
(/proc/kcore)

Total objects scanned: 40925
Total violations found: 2

============================================================
Object Summary:
============================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/Alma.twd"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/root/test.txt"

============================================================
Error Report:
============================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.

Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by: root

Report created on: Sat 16 Jul 2022 12:11:35 PM JST

Database last updated on: Never

============================================================

Report Summary:

============================================================Host name: Alma

Host IP address: 192.168.11.83

Host ID: None

Policy file used: /etc/tripwire/tw.pol

Configuration file used: /etc/tripwire/tw.cfg

Database file used: /var/lib/tripwire/Alma.twd

Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg

============================================================

Rule Summary:

============================================================

-------------------------------------------------------------------------------

Section: Unix File System

-------------------------------------------------------------------------------

Rule Name Severity Level Added Removed Modified

--------- -------------- ----- ------- --------

User binaries 66 0 0 0

Tripwire Binaries 100 0 0 0

Libraries 66 0 0 0

Operating System Utilities 100 0 0 0

File System and Disk Administraton Programs

100 0 0 0

Kernel Administration Programs 100 0 0 0

Networking Programs 100 0 0 0

System Administration Programs 100 0 0 0

Hardware and Device Control Programs

100 0 0 0

System Information Programs 100 0 0 0

Application Information Programs

100 0 0 0

(/sbin/rtmon)

Critical Utility Sym-Links 100 0 0 0

Shell Binaries 100 0 0 0

Critical system boot files 100 0 0 0

* Tripwire Data Files 100 1 0 0

System boot changes 100 0 0 0

OS executables and libraries 100 0 0 0

Security Control 100 0 0 0

Critical configuration files 100 0 0 0

* Root config files 100 1 0 0

Invariant Directories 66 0 0 0

Temporary directories 33 0 0 0

Critical devices 100 0 0 0

(/proc/kcore)

Total objects scanned: 40925

Total violations found: 2

============================================================

Object Summary:

============================================================

-------------------------------------------------------------------------------

# Section: Unix File System

-------------------------------------------------------------------------------

Rule Name: Tripwire Data Files (/var/lib/tripwire)

Severity Level: 100

-------------------------------------------------------------------------------

Added:

"/var/lib/tripwire/Alma.twd"

-------------------------------------------------------------------------------

Rule Name: Root config files (/root)

Severity Level: 100

-------------------------------------------------------------------------------

Added:

"/root/test.txt"

============================================================

Error Report:

============================================================

No Errors

-------------------------------------------------------------------------------

*** End of report ***

trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;

for details use --version. This is free software which may be redistributed

or modified only under certain conditions; see COPYING for details.

Delete test files

# rm -f /root/test.txt

1	# rm -f /root/test.txt

⑧Tripwire Scheduled Scripts

# cd /var/www/system
# vi tripwire.sh

1 2	# cd /var/www/system # vi tripwire.sh

Contents of tripwire.sh

#!/bin/bash

PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# Passphrase setting
LOCALPASS=xxxxxxx ←local passphrase
SITEPASS=xxxxxx 　←site passphrase

cd /etc/tripwire

# Tripwire check run
tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root

# Policy File Update
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak

# Database modernization
rm -f /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS

#!/bin/bash

PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# Passphrase setting

LOCALPASS=xxxxxxx ←local passphrase

SITEPASS=xxxxxx 　←site passphrase

cd /etc/tripwire

# Tripwire check run

tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" root

# Policy File Update

twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt

perl twpolmake.pl twpol.txt > twpol.txt.new

twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null

rm -f twpol.txt* *.bak

# Database modernization

rm -f /usr/local/tripwire/lib/tripwire/*.twd*

tripwire -m i -s -c tw.cfg -P $LOCALPASS

⑨Tripwire Autorun Script Execution Settings

# chmod 700 tripwire.sh

Add to cron
# crontab -e
0 3 * * *

# chmod 700 tripwire.sh

Add to cron

# crontab -e

0 3 * * *

Reference: Script for reporting results by e-mail

#!/bin/bash

PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# Passphrase setting
LOCALPASS=xxxxxxx ←local passphrase
SITEPASS=xxxxxx 　←site passphrase

#Designation of e-mail address to be notified
MAIL="<your mailaddress>"

cd /etc/tripwire

# Tripwire check run
tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL

# Policy File Update
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak

# Database modernization
rm -f /usr/local/tripwire/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS

#!/bin/bash

PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# Passphrase setting

LOCALPASS=xxxxxxx ←local passphrase

SITEPASS=xxxxxx 　←site passphrase

#Designation of e-mail address to be notified

MAIL="<your mailaddress>"

cd /etc/tripwire

# Tripwire check run

tripwire -m c -s -c tw.cfg|mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL

# Policy File Update

twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt

perl twpolmake.pl twpol.txt > twpol.txt.new

twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null

rm -f twpol.txt* *.bak

# Database modernization

rm -f /usr/local/tripwire/lib/tripwire/*.twd*

tripwire -m i -s -c tw.cfg -P $LOCALPASS

Chkrootkit Install

①chkrootkit Download and Install

# cd /usr/local/src
# wget https://launchpad.net/chkrootkit/main/0.55/+download/chkrootkit-0.55.tar.gz
# tar xvf chkrootkit-0.55.tar.gz

# cd /usr/local/src

# wget https://launchpad.net/chkrootkit/main/0.55/+download/chkrootkit-0.55.tar.gz

# tar xvf chkrootkit-0.55.tar.gz

➁Create /root/bin directory and move chkrootkit command to that directory

# mkdir -p /root/bin
# mv chkrootkit-0.55/chkrootkit /root/bin

1 2	# mkdir -p /root/bin # mv chkrootkit-0.55/chkrootkit /root/bin

➂Check chkrootkit.

# chkrootkit | grep INFECTED
If nothing is displayed, no problem.

1 2	# chkrootkit \| grep INFECTED If nothing is displayed, no problem.

Searching for Linux.Xor.DDoS ... INFECTED: Possible Malicious Linux.Xor.DDoS installed

If you get the above error
It seems to be a false positive that occurs when there is an executable file under /tmp.
In our case, we have disabled the following files from execution.

# chmod -x /tmp/ks-script-ha_lzbh5 /tmp/ks-script-uu6cvhzn

1	# chmod -x /tmp/ks-script-ha_lzbh5 /tmp/ks-script-uu6cvhzn

④Create chkrootkit periodic execution script and change permissions

Create chkrootkit execution script in a directory where it is automatically executed daily

# vi /etc/cron.daily/chkrootkit.sh

1	# vi /etc/cron.daily/chkrootkit.sh

Scheduled Script Contents

#!/bin/bash

PATH=/usr/bin:/bin:/root/bin

LOG=/tmp/$(basename ${0})

# Run chkrootkit
chkrootkit > $LOG 2>&1

# log output
cat $LOG | logger -t $(basename ${0})

# SMTPS false positive response to windshell false positives
if [ ! -z "$(grep 465 $LOG)" ] && \
[ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then
sed -i '/465/d' $LOG
fi

#Support for Suckit false positives when updating upstart package
if [ ! -z "$(grep Suckit $LOG)" ] && \
[ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then
sed -i '/Suckit/d' $LOG
fi

# Send mail to root only when rootkit is detected
[ ! -z "$(grep INFECTED $LOG)" ] && \
grep INFECTED $LOG | mail -s "chkrootkit report in `hostname`" root

#!/bin/bash

PATH=/usr/bin:/bin:/root/bin

LOG=/tmp/$(basename ${0})

# Run chkrootkit

chkrootkit > $LOG 2>&1

# log output

cat $LOG | logger -t $(basename ${0})

# SMTPS false positive response to windshell false positives

if [ ! -z "$(grep 465 $LOG)" ] && \

[ -z $(/usr/sbin/lsof -i:465|grep bindshell) ]; then

sed -i '/465/d' $LOG

#Support for Suckit false positives when updating upstart package

if [ ! -z "$(grep Suckit $LOG)" ] && \

[ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then

sed -i '/Suckit/d' $LOG

# Send mail to root only when rootkit is detected

[ ! -z "$(grep INFECTED $LOG)" ] && \

grep INFECTED $LOG | mail -s "chkrootkit report in `hostname`" root

Add execution permission to chkrootkit execution script

# chmod 700 /etc/cron.daily/chkrootkit.sh

1	# chmod 700 /etc/cron.daily/chkrootkit.sh

⑥Backup commands used by chkrootkit

If the commands used by chkrootkit are tampered with, rootkit will not be detected.
Back up these commands.
If necessary, run chkrootkit with the backed up command

# cd /root
# mkdir /root/chkrootkit_cmd
# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/
# ls -l /root/chkrootkit_cmd/
total 2516
-rwxr-xr-x 1 root root 685848 Jul 16 12:51 awk
-rwxr-xr-x 1 root root 50928 Jul 16 12:51 cut
-rwxr-xr-x 1 root root 38464 Jul 16 12:51 echo
-rwxr-xr-x 1 root root 28 Jul 16 12:51 egrep
-rwxr-xr-x 1 root root 261992 Jul 16 12:51 find
-rwxr-xr-x 1 root root 46840 Jul 16 12:51 head
-rwxr-xr-x 1 root root 46760 Jul 16 12:51 id
-rwxr-xr-x 1 root root 143480 Jul 16 12:51 ls
-rwxr-xr-x 1 root root 162488 Jul 16 12:51 netstat
-rwxr-xr-x 1 root root 137840 Jul 16 12:51 ps
-rwxr-xr-x 1 root root 118248 Jul 16 12:51 sed
-rwxr-xr-x 1 root root 775816 Jul 16 12:51 ssh
-rwxr-xr-x 1 root root 38432 Jul 16 12:51 strings
-rwxr-xr-x 1 root root 38480 Jul 16 12:51 uname

# cd /root

# mkdir /root/chkrootkit_cmd

# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/

# ls -l /root/chkrootkit_cmd/

total 2516

-rwxr-xr-x 1 root root 685848 Jul 16 12:51 awk

-rwxr-xr-x 1 root root 50928 Jul 16 12:51 cut

-rwxr-xr-x 1 root root 38464 Jul 16 12:51 echo

-rwxr-xr-x 1 root root 28 Jul 16 12:51 egrep

-rwxr-xr-x 1 root root 261992 Jul 16 12:51 find

-rwxr-xr-x 1 root root 46840 Jul 16 12:51 head

-rwxr-xr-x 1 root root 46760 Jul 16 12:51 id

-rwxr-xr-x 1 root root 143480 Jul 16 12:51 ls

-rwxr-xr-x 1 root root 162488 Jul 16 12:51 netstat

-rwxr-xr-x 1 root root 137840 Jul 16 12:51 ps

-rwxr-xr-x 1 root root 118248 Jul 16 12:51 sed

-rwxr-xr-x 1 root root 775816 Jul 16 12:51 ssh

-rwxr-xr-x 1 root root 38432 Jul 16 12:51 strings

-rwxr-xr-x 1 root root 38480 Jul 16 12:51 uname

⑦Run chkrootkit on the copied command

# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED
If nothing is displayed, no problem.

1 2	# chkrootkit -p /root/chkrootkit_cmd \| grep INFECTED If nothing is displayed, no problem.

⑧Compresses backed up commands

# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd
chkrootkit_cmd/
chkrootkit_cmd/awk
chkrootkit_cmd/cut
chkrootkit_cmd/echo
chkrootkit_cmd/egrep
chkrootkit_cmd/find
chkrootkit_cmd/head
chkrootkit_cmd/id
chkrootkit_cmd/ls
chkrootkit_cmd/netstat
chkrootkit_cmd/ps
chkrootkit_cmd/strings
chkrootkit_cmd/sed
chkrootkit_cmd/ssh
chkrootkit_cmd/uname

# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd

chkrootkit_cmd/

chkrootkit_cmd/awk

chkrootkit_cmd/cut

chkrootkit_cmd/echo

chkrootkit_cmd/egrep

chkrootkit_cmd/find

chkrootkit_cmd/head

chkrootkit_cmd/id

chkrootkit_cmd/ls

chkrootkit_cmd/netstat

chkrootkit_cmd/ps

chkrootkit_cmd/strings

chkrootkit_cmd/sed

chkrootkit_cmd/ssh

chkrootkit_cmd/uname

# ls -l
total 96248
-rw-------. 1 root root 1464 Jul 14 19:48 anaconda-ks.cfg
drwxr-xr-x 2 root root 24 Jul 16 12:43 bin
drwxr-xr-x 2 root root 172 Jul 16 12:51 chkrootkit_cmd
-rw-r--r-- 1 root root 1162606 Jul 16 12:53 chkrootkit_cmd.tar.gz

# ls -l

total 96248

-rw-------. 1 root root 1464 Jul 14 19:48 anaconda-ks.cfg

drwxr-xr-x 2 root root 24 Jul 16 12:43 bin

drwxr-xr-x 2 root root 172 Jul 16 12:51 chkrootkit_cmd

-rw-r--r-- 1 root root 1162606 Jul 16 12:53 chkrootkit_cmd.tar.gz

⑨Send chkrootkit use command (compressed version) to root by e-mail

# echo|mail -a chkrootkit_cmd.tar.gz -s chkrootkit_cmd.tar.gz root

1	# echo\|mail -a chkrootkit_cmd.tar.gz -s chkrootkit_cmd.tar.gz root

⑩Download and save chkrootkit_cmd.tar.gz file to Windows

⑪Delete commands on the backed up server

# rm -f chkrootkit_cmd.tar.gz

1	# rm -f chkrootkit_cmd.tar.gz

Go to top