MiracleLinux 9.4 ; Tripwire, Chkrootkit, Logwatch, etc.

Tripwire

1. Download & Install

2. Passphrase setting

Set site passphrase and local passphrase

3. Tripwire Configuration

Configuration File Edit

Create a Tripwire configuration file (cryptographically signed version)

Delete Tripwire configuration file (text version)

Policy File Settings

Contents of twpolmake.pl

Policy File Optimizations

Create the policy file (cryptographically signed version) from the optimized policy file
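The twpolmake.pl referred to above is not reproduced on this page. The following is an added shell equivalent of the policy optimization step (it is not the site's script): it comments out every rule in twpol.txt whose path does not exist on this host, so that the first integrity check is not flooded with "file not found" errors, and then shows the signing and database-initialization commands that follow. The paths under /etc/tripwire are assumed to be the package defaults; adjust them if your installation differs.

```shell
#!/bin/sh
# twpol-prune.sh: added example, not the page's twpolmake.pl.
# Comments out rules in a Tripwire policy text file whose target does not
# exist on this host, then (optionally) signs the policy and builds the database.
set -eu

TW_DIR=/etc/tripwire                  # assumed default install location
POL_TXT=$TW_DIR/twpol.txt
POL_OUT=$TW_DIR/twpol_optimized.txt

# prune_policy FILE
# Reads a twpol.txt and writes it to stdout with every rule whose path is
# missing prefixed by "#". Rule lines look like
#     /usr/sbin            -> $(SEC_CRIT) ;
#     !/usr/sbin/fixrmtab ;             (a stop point, note the "!")
# Variables, @@section lines, rulename blocks and comments pass through unchanged.
prune_policy() {
    while IFS= read -r line || [ -n "$line" ]; do
        trimmed=${line#"${line%%[![:space:]]*}"}   # drop leading indentation
        target=${trimmed#!}                          # drop a stop-point marker
        case "$target" in
            /*)
                path=${target%%[[:space:]]*}         # first token is the path
                path=${path%%"->"*}                  # tolerate "/path->" without a space
                path=${path%%;*}
                if [ -e "$path" ]; then
                    printf '%s\n' "$line"
                else
                    printf '#%s\n' "$line"
                fi
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# install_policy: sign the pruned policy with the site key and build the baseline.
# Run once, interactively, as root; twadmin and tripwire prompt for the passphrases.
install_policy() {
    prune_policy "$POL_TXT" > "$POL_OUT"
    twadmin --create-polfile -S "$TW_DIR/site.key" "$POL_OUT"   # writes tw.pol
    tripwire --init                                              # signed database
    # Same reasoning as deleting the text configuration file above: the plain-text
    # policy tells an attacker exactly which files are (and are not) monitored.
    rm -f "$POL_TXT" "$POL_OUT"
}

case "${1:-}" in
    install) install_policy ;;
    prune)   prune_policy "${2:-$POL_TXT}" ;;
esac
```

Run `twpol-prune.sh prune | less` first to review what would be commented out, then `twpol-prune.sh install`. Keep a copy of the pruned text policy off the host; you will need it again whenever you change what Tripwire monitors.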

Create database and check operation

Create test files

Check Tripwire operation

Delete test files

Tripwire Scheduled Scripts

Contents of tripwire.sh

Reference: Script for reporting results by e-mail

Execute the following command to confirm that the mail has been received
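The scheduled script and its mail-reporting variant are listed above only by title. The following is an added example of such a tripwire.sh (not the page's script). It runs the integrity check, reads the violation count from the report summary, and mails the full report only when something changed. It deliberately does not run `tripwire --update --accept-all`: accepting every change automatically would baseline an attacker's modifications after a single report, so updating the database stays a manual, reviewed step. The binary and report paths and the mail command are assumptions.

```shell
#!/bin/sh
# tripwire.sh: added example of a daily Tripwire check (not the page's script).
# Cron usage: /root/bin/tripwire.sh check    (e.g. from /etc/cron.daily)
set -eu

TRIPWIRE=/usr/sbin/tripwire           # assumed path
REPORT_DIR=/var/lib/tripwire/report   # assumed default report directory
MAIL_TO=root

# count_violations: stdin is the text of a Tripwire check report.
# Prints the number after "Total violations found:", or -1 if that summary
# line is missing (a truncated or tampered report must not look "clean").
count_violations() {
    awk 'BEGIN { n = -1 } /^Total violations found:/ { n = $4 } END { print n }'
}

# subject_for HOST COUNT: a subject line that says at a glance what happened.
subject_for() {
    if [ "$2" -lt 0 ]; then
        printf 'Tripwire(%s): REPORT UNREADABLE, investigate\n' "$1"
    elif [ "$2" -eq 0 ]; then
        printf 'Tripwire(%s): no violations\n' "$1"
    else
        printf 'Tripwire(%s): %s violation(s) found\n' "$1" "$2"
    fi
}

run_check() {
    host=$(hostname -s)
    report="$REPORT_DIR/$host-$(date +%Y%m%d-%H%M%S).twr"
    # --check writes the signed .twr file and prints the text report on stdout.
    # It exits non-zero when violations are found, so do not let set -e abort here.
    if text=$("$TRIPWIRE" --check --twrfile "$report" 2>&1); then :; fi
    n=$(printf '%s\n' "$text" | count_violations)
    if [ "$n" -eq 0 ]; then
        printf 'No violations. Report: %s\n' "$report" |
            mail -s "$(subject_for "$host" "$n")" "$MAIL_TO"
    else
        # Ship the whole report. After reviewing it the admin runs
        #   tripwire --update --twrfile "$report"
        # and accepts only the changes they made themselves.
        printf '%s\n' "$text" | mail -s "$(subject_for "$host" "$n")" "$MAIL_TO"
    fi
}

case "${1:-}" in
    check) run_check ;;
esac
```

Because the check needs no passphrase, nothing secret is stored in the script or in cron; the local passphrase is only typed when a human updates the database.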

Chkrootkit

Install chkrootkit, a rootkit detection tool, to check whether a rootkit has been installed on the Linux server.
chkrootkit performs its checks by running the commands listed below, so install it as early as possible after installing Linux: once those commands themselves have been tampered with, chkrootkit can no longer be relied on to detect a rootkit.

[Commands used by chkrootkit]
awk, cut, echo, egrep, find, head, id, ls, netstat, ps, strings, sed, uname

Note that chkrootkit can only detect known rootkits and cannot detect new rootkits.

①Download and install chkrootkit

②Create the /root/bin directory and move the chkrootkit command into it

③Run chkrootkit and check its output.

Checking `chsh'... INFECTED
If the output contains the line above, chkrootkit has flagged the chsh command (which changes a user's login shell). On a freshly installed RHEL-family system this is a widely reported chkrootkit false positive rather than a real infection; confirm it by verifying the binary against the package manager's recorded checksums before dismissing it. If you do not use chsh, renaming /usr/bin/chsh to chsh.bak makes the line disappear, but leaving the file as it is causes no problem.

④Create a chkrootkit periodic execution script and set its permissions
Create the chkrootkit execution script in a directory whose scripts are run automatically every day

Scheduled Script Contents

Add execute permission to the chkrootkit execution script

⑤Back up the commands used by chkrootkit

If the commands chkrootkit relies on have been tampered with, a rootkit will not be detected, so back up clean copies of these commands while the system is still trusted.
When needed, run chkrootkit against the backed-up copies instead of the system binaries.

⑥Run chkrootkit using the copied commands

⑦Compress the backed-up commands

⑧E-mail the compressed archive of the commands used by chkrootkit to root

⑨Download chkrootkit_cmd.tar.gz and save it on a Windows PC

⑩Delete the backed-up commands from the server

Logwatch

①Install

②Edit configuration file

③Output Logwatch reports

It will appear as follows

④Check that the report arrives at the address you configured: you should receive a log report e-mail like the one above.
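Steps ① to ④ say what to do but not which settings were changed. The following added script (not the page's commands) applies the usual report settings to the local override file idempotently, so it can be re-run after upgrades without producing duplicate keys, and wraps the two logwatch invocations used for steps ③ and ④. The override path is assumed to be the package default; the key names and values are Logwatch's own.

```shell
#!/bin/sh
# logwatch-setup.sh: added example (not the page's commands).
set -eu

CONF=/etc/logwatch/conf/logwatch.conf   # assumed: local overrides (defaults stay in default.conf)
MAILTO=root

# set_conf_key FILE KEY VALUE: idempotent "Key = Value" edit.
# Rewrites the first active line for KEY (dropping later duplicates), otherwise
# appends one. Commented-out documentation lines are left untouched.
set_conf_key() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    if [ -f "$file" ] && grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        awk -v k="$key" -v v="$value" '
            $0 ~ ("^[ \t]*" k "[ \t]*=") { if (!done) { print k " = " v; done = 1 }; next }
            { print }' "$file" > "$tmp"
    else
        [ -f "$file" ] && awk 1 "$file" > "$tmp"     # awk 1 guarantees a final newline
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"           # cat, not mv: keeps owner and mode
}

configure() {
    set_conf_key "$CONF" MailTo "$MAILTO"   # recipient of the daily report
    set_conf_key "$CONF" Detail Med         # Low / Med / High
    set_conf_key "$CONF" Range  yesterday   # cron.daily runs after midnight
    set_conf_key "$CONF" Output mail
    set_conf_key "$CONF" Format text
}

# Step ③: print today's report to the terminal (command-line flags override the file).
preview()   { logwatch --output stdout --range today --detail "${1:-Med}"; }
# Step ④: send one report right now and check that it reaches MAILTO.
send_test() { logwatch --output mail --mailto "$MAILTO" --range today; }

case "${1:-}" in
    configure) configure ;;
    preview)   preview "${2:-Med}" ;;
    test)      send_test ;;
esac
```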

Installing a disk usage check script

1. Script Creation

Contents of disk_capacity_check.sh

2. Execution Confirmation

①Check current usage rates

It appears as follows

②Create a dummy file so that usage reaches at least 80% (in the example the file is named dummyfile and is about 6G)

③Check again
Confirm with the following that usage is now above 80%

④Run check scripts

You will receive an email to the email address you have set up, stating something like "Disk usage alert: 89 %".

⑤Delete "dummyfile"

⑥Periodic Execution Setting
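The contents of disk_capacity_check.sh are not reproduced above. The following is an added example of such a script (not the page's). It parses `df -P` output, because the POSIX format guarantees one line and fixed columns per filesystem, reports every local filesystem at or above the threshold (not just the first), and mails a message of the form "Disk usage alert: 89 %" as described in step ④. The mail command, threshold and crontab line are assumptions; the df output embedded for the test is constructed.

```shell
#!/bin/sh
# disk_capacity_check.sh: added example (not the page's script).
# Periodic execution (step 6), assumed crontab entry for root:
#   0 * * * * /root/bin/disk_capacity_check.sh check
set -eu

THRESHOLD=${THRESHOLD:-80}   # percent
MAIL_TO=root

# over_threshold PCT: stdin is `df -P` output. Prints "<used%> <mount>" for
# every filesystem whose Capacity column is >= PCT.
over_threshold() {
    awk -v th="$1" '
        NR > 1 {
            pct = $5; sub(/%/, "", pct)
            if (pct == "-") next                     # pseudo filesystems report "-"
            mnt = $6
            for (i = 7; i <= NF; i++) mnt = mnt " " $i   # mount points may contain spaces
            if (pct + 0 >= th) print pct, mnt
        }'
}

# format_alerts HOST PCT: stdin is over_threshold output; prints one alert line each.
format_alerts() {
    while read -r pct mnt; do
        printf 'Disk usage alert: %s %% on %s:%s (threshold %s %%)\n' "$pct" "$1" "$mnt" "$2"
    done
}

# Constructed `df -P` output for the example (not from a real host).
sample_df() {
    cat <<'EOF'
Filesystem          1024-blocks     Used Available Capacity Mounted on
/dev/mapper/ml-root    51474912 45800000   3000000      94% /
/dev/sda1               1038336   230000    808336      23% /boot
/dev/sdb1              20961280 16800000   4161280      81% /var/www
tmpfs                   4000000        0   4000000       0% /dev/shm
EOF
}

run_check() {
    host=$(hostname -s)
    # -l: local filesystems only; -x: skip in-memory pseudo filesystems (GNU df)
    alerts=$(df -P -l -x tmpfs -x devtmpfs | over_threshold "$THRESHOLD")
    [ -n "$alerts" ] || return 0                     # stay quiet below the threshold
    printf '%s\n' "$alerts" | format_alerts "$host" "$THRESHOLD" |
        mail -s "Disk usage alert on $host" "$MAIL_TO"
}

case "${1:-}" in
    check) run_check ;;
    demo)  sample_df | over_threshold "$THRESHOLD" | format_alerts demo-host "$THRESHOLD" ;;
esac
```

To reproduce step ② without waiting for real growth, `fallocate -l 6G /dummyfile` allocates the space instantly; run `disk_capacity_check.sh check`, confirm the mail, then remove the file as in step ⑤. Running the check hourly rather than daily gives you a chance to act before a log or upload directory fills the root filesystem.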
