Click here for "Safe Air Conditioner Repair and Proper Freon Recovery".

OpenSUSE15.3 ; Tripwire Chkrootkit Logwatch DiCE

1. Tripwire Install

Tripwire is a host-based intrusion detection system (IDS) that monitors files and directories and notifies the user of any changes.

1.1 Installation and configuration

① Download and install

② Set passphrase

③ Configuring Tripwire

④ Create a Tripwire configuration file (cryptographically signed version)

⑤Delete Tripwire configuration file (text version)

Reference) To restore the Tripwire configuration file (text version), execute the following command

⑥ Policy file settings

Contents of twpolmake.txt ↓

⑦ Policy file optimization

⑧ Create a policy file (cryptographically signed version) based on the optimized policy file.
Delete policy file (text version)
⑨ Create a database and check its operation.
Create a test file
Check Tripwire operation
If successful, the following will be displayed
Delete the test file

1.2 Make Tripwire run periodically

①Create Tripwire autorun script
Contents of "tripwire.sh"
Enter the local passphrase and site passphrase.
②Add Tripwire to cron to be run periodically

Reference: Script for reporting results by email

2. Chkrootkit Install

①Download and install chkrootkit

➁Move the chkrootkit command to the /root/bin directory

③Create and change permissions of the chkrootkit regular execution script

Contents of "chkrootkit.sh

④Periodic execution of chkrootkit

⑥Backup the commands used by chkrootkit
If the commands used by chkrootkit are tampered with, you will not be able to detect the rootkit, so back up these commands.

⑦Run chkrootkit on the copied command
openSUSE15.3 does not have netstat installed by default, so run the following first

Execute.

⑧Compress the backed up commands

⑨Move the backed up compressed files to the home directory of a regular user.

⑩Copy the chkrootkit_cmd.tar.gz file to the Windows side using WinSCP.

⑪Delete the command on the backed up server.

⑫Change to a script that reports rootkit detection via email.

Contents of the new "chkrootkit.sh"

3. Logwatch Install

① Install

② Edit the configuration file

③ Output Logwatch report

④ Test if the report is delivered to the address you set.

4. DiCE  Install

Every time the global IP is changed, which happens when the Internet is disconnected or the router is disconnected and rebooted, the dynamic DNS must be accessed to notify the change in global IP.
DiCE does that work for you automatically.

4.1 Download and install Dice

①Download

②Setting  DiCE
The output characters of DiCE are garbled because of EUC.
To convert them to UTF-8, install nkf.

③Start DiCE

4.2 Adding an Event

The DNS service should be VALUEDOMAIN.

Confirmation of events

4.3 Automatic execution of Dice

Start the DiCE daemon

Make sure it's running.
タイトルとURLをコピーしました