Debian 12.5: Nagios Server and Tripwire Install

Nagios Server Install

Nagios is an open source monitoring solution running on Linux.
Nagios is designed to periodically check critical network, application, or server parameters.
These parameters include processor load, the number of running processes, log files, and disk and memory usage; services such as SMTP (Simple Mail Transfer Protocol), HTTP (Hypertext Transfer Protocol) and POP3 (Post Office Protocol 3) can also be checked.

Running Nagios requires PHP, a database such as MySQL, and a web server such as Apache or Nginx. We will proceed on the assumption that all of these have already been configured.

1. Install necessary packages

2. Installing Nagios Core

①Download

②Install

It appears as follows

Compile

It appears as follows

Create Nagios Users and Groups

Add Apache User to Nagios Group

Install Nagios Core

Install Nagios init script

Install external command files and permissions

Install Nagios Configuration Files

Install Apache configuration files for Nagios

3. Install Nagios Plugin

①Download the latest code from the Nagios Plugins page

②Install

Create necessary directories

4. Creating a Nagios Web User

Create a user account to access the Nagios Web Dashboard. This user account is used for authentication.
The default name of the user is nagiosadmin, which is defined as the preferred user name in the /usr/local/nagios/etc/cgi.cfg file.

Set ownership and permissions

Restart Apache

Allow HTTP service port in firewall

Start and Enable Nagios Services

Reboot system

Confirmation of service execution

5. Access the Nagios Web Interface

Access http://[IP_Address]/nagios/ with any browser
Username : nagiosadmin
Password : Password specified when the user was created above

After successful login, the following dashboard will appear

Show host availability
Click on [Hosts] in the left menu

Click [Tactical Overview] on the left menu to view the monitoring data

6. Nagios Agent Configuration

To monitor a host through the agent, install the following:
• Nagios plugins for data collection
• NRPE Agent to run plugins

6.1  Installing Nagios plugins

The Nagios plugin is located in the /usr/local/nagios/libexec/ directory.
List this directory to see all available plug-ins in the system.

The following nagios-plugins are available

Restart the Nagios daemon to apply the installed plugins

6.2  Installing Nagios NRPE Agent
The NRPE agent is available in the default Debian repository.

Version Check

Start and enable the service

Check if the service is running

Allow the service through the firewall
NRPE uses TCP port 5666 by default.

Check if port 5666/tcp is listening

7.  Adding a monitored host

Add the following server as a host and configure it as a target for simple ping-based up/down monitoring
OS : OracleLinux8.8
IP Address : 192.168.11.100

7.1 Configuration File Editing

7.2 Create directory

7.3 Create new definition file

7.4 Restart Nagios server

Log in to the Nagios server (http://[server IP address]/nagios) and open Hosts; the new host is listed.

8.  Adding Monitoring Services

Add monitoring services to the hosts added above.
OS : OracleLinux8.8
IP Address : 192.168.11.100
Services to be added
[check_users]
[check_load]
[check_disk]
[check_procs]

8.1 Configuration on the server to be monitored

8.1.1 Agent installed on monitored hosts
Install nrpe and typical service plugins from EPEL

8.1.2 Configuration File Editing

8.1.3 Enable and start the nrpe service

8.1.4 Open NRPE port 5666 on the firewall

8.2 Nagios Server Side Configuration

8.2.1 nrpe plugin installation

8.2.2 Copy to nagios plugin directory

8.2.3 commands.cfg edit

8.2.4 Edit korodes.cfg, created when the host was added earlier, and add the services

8.2.5 Restart Nagios

8.2.6 Access http://[Nagios Server IP Address]/nagios
Newly added monitoring services are added as shown in the figure below.
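As an added example (not the article's own configuration or screenshots), a small shell script that emits the object definitions sections 7 and 8 describe: the host, its ping-based up/down service, one service per NRPE command, and the check_nrpe command for commands.cfg. The host name and alias are assumptions; the linux-server and generic-service templates come from Nagios Core's stock templates.cfg.

```shell
#!/bin/sh
# Added example, not from the original article: emit the Nagios object
# definitions behind sections 7 and 8. Assumes Nagios Core built from source
# (stock templates linux-server / generic-service) and NRPE commands named
# check_users, check_load, check_disk and check_procs on the monitored host.
set -eu

# Definition file for one host, e.g. korodes.cfg in the article: the host,
# a ping-based up/down service (section 7) and one NRPE service per command.
# Args: host_name alias ip_address [nrpe_command ...]
nagios_host_file() {
    host=$1; halias=$2; ip=$3; shift 3
    cat <<EOF
define host {
    use                 linux-server
    host_name           $host
    alias               $halias
    address             $ip
}

define service {
    use                 generic-service
    host_name           $host
    service_description PING
    check_command       check_ping!100.0,20%!500.0,60%
}
EOF
    for cmd in "$@"; do
        cat <<EOF

define service {
    use                 generic-service
    host_name           $host
    service_description $cmd
    check_command       check_nrpe!$cmd
}
EOF
    done
}

# check_nrpe command for commands.cfg (section 8.2.3); $ARG1$ is the NRPE
# command name given after "!" in check_command.
nagios_check_nrpe_def() {
    cat <<'EOF'
define command {
    command_name check_nrpe
    command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}
EOF
}
```

Redirect `nagios_host_file ol88 "Oracle Linux 8.8" 192.168.11.100 check_users check_load check_disk check_procs` into the servers directory referenced by cfg_dir in nagios.cfg, then verify with `nagios -v /usr/local/nagios/etc/nagios.cfg` before restarting.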

Tripwire Install

Set up a system to detect tampering with files on Linux servers by crackers.
This time, Tripwire, a host-based IDS (Intrusion Detection System), is installed as the file tampering detection system.
Tripwire creates a database of file status at the time of installation, and detects file additions/changes/deletions by comparing the database with the current status of the file.

1 Installation and Configuration

①Site key creation
Tripwire requires a site passphrase to protect the tripwire configuration file "tw.cfg" and the tripwire policy file "tw.pol". The specified passphrase is used to encrypt both files. The site passphrase is also required for a single instance of tripwire.

②Local key creation
A local passphrase is required to protect the tripwire database and report files; the local key is used by tripwire to prevent unauthorized modification of the tripwire baseline database.

③tripwire configuration path
The tripwire configuration is stored in the file /etc/tripwire/twcfg.txt. It is used to generate the encrypted configuration file tw.cfg.

④tripwire policy path
tripwire stores policies in the file /etc/tripwire/twpol.txt. This is used to generate the encrypted policy file tw.pol used by tripwire.

⑤Enter site key passphrase

⑥You will be asked to enter the site key passphrase again.

⑦Enter local key passphrase

⑧You will be asked to enter the local key passphrase again.

⑨Installation will proceed and complete.

2 Configuration File Settings

①Tripwire configuration file (twcfg.txt)
The tripwire configuration file (twcfg.txt) is shown below. It contains the paths to the encrypted policy file (tw.pol), the site key (site.key), the local key (<hostname>-local.key) and so on.

3 Initial setup including key creation, database creation, etc.

①Edit twcfg.txt

②Generate the configuration file

③ Optimize policies
Use the following policy optimization script to optimize the policy

Policy Optimization Script Contents
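An added example of the policy optimization step, written here rather than taken from the article's script: it prunes policy entries whose paths do not exist, which is the usual reason database creation aborts on a fresh Debian install. The input and output file names in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own optimization script: drop policy
# entries for paths that do not exist on this host, the usual cause of
# "tripwire --init" stopping on a fresh Debian install. Assumed usage:
#   twpol_prune_missing < /etc/tripwire/twpol.txt > /etc/tripwire/twpol.new
# followed by twadmin --create-polfile on the pruned file.
set -eu

# Filter a twpol.txt-style policy from stdin to stdout. Only lines whose first
# token is an absolute path (optionally prefixed with "!" for exclusions) are
# tested; comments, variables and rule headers pass through. Pruned lines are
# kept as "# pruned" comments so the change stays visible in the file.
# Arg 1 (optional): directory prefix to test paths under (used by tests).
twpol_prune_missing() {
    root=${1:-}
    while IFS= read -r line || [ -n "$line" ]; do
        trimmed=${line#"${line%%[![:space:]]*}"}   # strip leading blanks
        case $trimmed in
            /*|!/*)
                path=${trimmed#!}
                path=${path%%[[:space:]]*}          # token ends at first blank
                if [ -e "$root$path" ] || [ -L "$root$path" ]; then
                    printf '%s\n' "$line"
                else
                    printf '# pruned (missing path): %s\n' "$trimmed"
                fi
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}
```

Entries written as `/path->` with no blank before the arrow are not split by this filter; the stock Debian policy always separates them with whitespace.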

④Create the database

If it stops with an error part way through, re-run it with the "--verbose" option.

Display the progress, check the files and directories on which it stops with errors, set their owner and access rights, and run the following again

In our case, the error occurred on the following file:
Software interrupt forced exit /usr/lib/firmware/intel
Segmentation fault
I solved the problem by changing the ownership of /usr/lib/firmware/intel to root

4 Perform checks

Create test files

Check Tripwire operation

If successful, the following display appears

Delete the test file.

5 Tripwire Autorun

Create an auto-execution script (tripwire.sh) and have it run automatically

Contents of auto-execute script (tripwire.sh)

Give it execute permission and run it periodically from cron.

Reference: Script for reporting results by e-mail

Execute the following and confirm that the results are delivered to the specified e-mail address
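An added tripwire.sh, not the article's script, that serves both section 5 and the e-mail reference above: it runs the integrity check from cron and mails the full report with a subject line that says whether anything was added, removed or changed. The cron schedule, script path and mail(1) command are assumptions.

```shell
#!/bin/sh
# Added example, not the article's tripwire.sh: run the integrity check from
# cron and mail the report, with the subject line telling the admin whether
# anything was added, removed or changed. Assumptions: tripwire and mail(1)
# are installed, and the local passphrase is not stored anywhere in here, so
# accepting changes (tripwire --update) stays a manual, interactive step.
# Suggested cron entry (assumed path):  0 3 * * * root /root/tripwire.sh --run
set -eu

MAILTO=${MAILTO:-root}

# Extract the violation count from a Tripwire text report read on stdin,
# using its "Total violations found:" summary line; prints 0 if absent.
tw_violations() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Subject line for the mail. Args: hostname violation_count
tw_subject() {
    if [ "$2" -gt 0 ]; then
        printf '[Tripwire] %s: %s violation(s) found\n' "$1" "$2"
    else
        printf '[Tripwire] %s: no changes detected\n' "$1"
    fi
}

# Run the check, mail the report, and exit non-zero when violations were
# found. tripwire --check itself exits non-zero on violations, hence "|| true".
tw_check_and_mail() {
    report=$(tripwire --check 2>&1) || true
    count=$(printf '%s\n' "$report" | tw_violations)
    printf '%s\n' "$report" | mail -s "$(tw_subject "$(hostname)" "$count")" "$MAILTO"
    [ "$count" -eq 0 ]
}

if [ "${1:-}" = "--run" ]; then
    tw_check_and_mail
fi
```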
