1. Tripwire
Tripwire is a host-based intrusion detection system (HIDS). It records a signed baseline of file and directory attributes and hashes, and reports every object that has been added, removed or modified since that baseline was taken.
1.1 Installation and configuration
① Install
The package used here is the EPEL 8 build of Open Source Tripwire. Check the package signature (rpm --checksig) before installing it.
# cd /usr/local/src
# wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm
# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm
② Passphrase settings
tripwire-setup-keyfiles generates two key pairs. The site key signs the configuration and policy files and may be shared by several hosts; the local key signs the database and the reports and belongs to this host only. The corresponding passphrase is asked for every time one of those signed files is rewritten.
# tripwire-setup-keyfiles
----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases should be at least 8 characters in length
and contain both letters and numbers.

See the Tripwire manual for more information.
----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase: ← Enter a site passphrase of your choice
Verify the site keyfile passphrase: ← Enter the site passphrase again
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase: ← Enter a local passphrase of your choice
Verify the local keyfile passphrase: ← Enter the local passphrase again
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Signing configuration file...
Please enter your site passphrase: ← Enter the site passphrase
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.

----------------------------------------------
Signing policy file...
Please enter your site passphrase: ← Enter the site passphrase
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
(omitted)
default values from the current configuration file are used.
③ Tripwire Configuration
# vi /etc/tripwire/twcfg.txt

Around line 9: comment out the existing line and add "LOOSEDIRECTORYCHECKING =true" below it. With loose directory checking, a directory is not itself reported as modified when files are merely added to or removed from it; the added or removed files are still reported, so this only removes duplicate noise from the report.
#LOOSEDIRECTORYCHECKING =false
LOOSEDIRECTORYCHECKING =true

Around line 12: comment out the existing line and add "REPORTLEVEL =4" below it. Level 4 is the most detailed report level and includes the object detail (which attributes of each object changed).
#REPORTLEVEL =3
REPORTLEVEL =4
④ Create the signed Tripwire configuration file
# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: ← Enter the site passphrase
Wrote configuration file: /etc/tripwire/tw.cfg
⑤ Delete the plain-text configuration file
# rm -f /etc/tripwire/twcfg.txt
Reference) To regenerate the plain-text configuration file from the signed one, run:
# twadmin -m f -c /etc/tripwire/tw.cfg > /etc/tripwire/twcfg.txt
⑥ Policy file settings
# cd /etc/tripwire/
# vi twpolmake.txt
Contents of twpolmake.txt. The script rewrites the default policy for this host: it sets HOSTNAME to the real host name, comments out rules whose target file does not exist (or is empty) so the check does not report them as errors, and re-enables rules whose target does exist.
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#    perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    # HOSTNAME = "..." ; line: replace with the real host name if it differs
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    # "{" / "}" delimit a rule block; only lines inside a block are rewritten
    elsif ( /^\{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^\}/ ) {
        $INRULE=0 ;
    }
    # rule line: [#] /path -> $(MASK) ;   ($sharp holds any leading "#")
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $ret is the number of "#" removed, i.e. whether the line was commented out
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            # target missing or empty: comment the rule out (leave it if it already was)
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            # target exists: make sure the rule is active
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;
Rename the script and generate the adjusted policy text from the default policy:
# mv twpolmake.txt twpolmake.pl
# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new
Sign the new policy with the site key:
# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase: ← Enter the site passphrase
Wrote policy file: /etc/tripwire/tw.pol
Delete the plain-text policy files (twpol.txt and twpol.txt.new):
# rm -f /etc/tripwire/twpol.txt*
⑦ Initialize the database (take the baseline)
# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: ← Enter the local passphrase you set
⑧ Check that changes are detected
Create a test file under /root:
# echo test > /root/test.txt
Run an integrity check:
# tripwire -m c -s -c /etc/tripwire/tw.cfg
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Report created on:            Fri Sep 16 12:45:02 2022
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    Lepard
Host IP address:              192.168.11.83
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/Lepard.twd
Command line used:            tripwire -m c -s -c /etc/tripwire/tw.cfg

===============================================================================
(omitted)
-------------------------------------------------------------------------------
Added:
"/root/test.txt"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
The new file is reported under "Added:". Remove the test file again:
# rm -f /root/test.txt
1.2 Run Tripwire regularly
The script below runs a check every night, mails the report to root, regenerates the policy with twpolmake.pl, and then re-initializes the database so that the next run compares against the current state of the system. Two consequences to keep in mind: every detected change is accepted into the new baseline automatically, so the mailed report is the only record of it and has to be read; and both passphrases are stored in clear text in the script, so anyone who can read the file can re-sign the policy and the database. Keep the file mode 700 (set below) and consider leaving the database update as a manual step.
# cd /srv/www/system
# vi tripwire.sh
#!/bin/bash

PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# Passphrase setting (no space after "=": with a space bash would try to run
# xxxxxxxx as a command and leave the variable empty)
LOCALPASS=xxxxxxxx  # Local passphrase
SITEPASS=xxxxxxxx   # Site passphrase

cd /etc/tripwire

# Run the Tripwire check and mail the report to root
tripwire -m c -s -c tw.cfg | mail -s "Tripwire(R) Integrity Check Report in `hostname`" root

# Policy file update: print the current policy, re-run twpolmake.pl so that
# rules for files added or removed since the last run are enabled or
# commented out, and sign the result with the site key
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak

# Database update: remove the old database and take a new baseline
# (DBFILE in tw.cfg is /var/lib/tripwire/<hostname>.twd for this package,
# as shown by "Database file used" in the report above)
rm -f /var/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS
Make the script readable and executable by root only, since it contains the passphrases:
# chmod 700 tripwire.sh
Run it from cron every day at 03:00:
# crontab -e
0 3 * * * /srv/www/system/tripwire.sh
Reference: the same script, sending the report to an e-mail address instead of root
#!/bin/bash

PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# Passphrase setting (no space after "=")
LOCALPASS=xxxxx  # Local passphrase
SITEPASS=xxxxx   # Site passphrase

# E-mail address for notification
MAIL="<your mail address>"

cd /etc/tripwire

# Run the Tripwire check and mail the report
tripwire -m c -s -c tw.cfg | mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL

# Policy file update
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak

# Database update (DBFILE is /var/lib/tripwire/<hostname>.twd for this package)
rm -f /var/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS
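The following is an added example and not a script from the original page: a check-only variant of the nightly job above. It runs the same tripwire check, parses the report and mails it only when something changed or the check itself reported an error, and it never re-initializes the database, so a detected change is not silently turned into the new baseline and the local passphrase does not have to be kept on disk. Accepting changes stays a manual step (tripwire -m u with the .twr report file). Paths follow tw.cfg as shipped with the package used on this page; the mail recipient (MAIL_TO), the function names and the sample report excerpt are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not code from the original page: a check-only nightly
# Tripwire job. Assumptions: tw.cfg in /etc/tripwire, binary reports written
# by tripwire to REPORTFILE (/var/lib/tripwire/report on this install),
# mail recipient in MAIL_TO. Accepting changes is done by hand afterwards:
#   tripwire -m u -c /etc/tripwire/tw.cfg -r /var/lib/tripwire/report/<host>-<date>.twr
set -u
TW_CFG=${TW_CFG:-/etc/tripwire/tw.cfg}
MAIL_TO=${MAIL_TO:-root}

# tw_count_changes FILE: count the objects listed under "Added:", "Removed:"
# and "Modified:" in the Rule Summary of a text report. Both layouts are
# handled: the path on the same line (Added: "/root/test.txt") and the
# path(s) on the line(s) below the header.
tw_count_changes() {
    awk '
        /^(Added|Removed|Modified):/ {
            inlist = 1
            rest = $0; sub(/^[A-Za-z]+:[ \t]*/, "", rest)
            if (rest ~ /^"/) n++
            next
        }
        inlist && /^[ \t]*"/ { n++; next }
        { inlist = 0 }
        END { print n + 0 }
    ' "$1"
}

# tw_report_clean FILE: true when the Error Report section says "No Errors".
# An unreadable file or a missing rule target shows up there rather than as
# a change and must not be swallowed by the "no changes" path.
tw_report_clean() {
    grep -q '^No Errors' "$1"
}

# Constructed report excerpt (not real tripwire output), in the layout of the
# report shown on this page; used as sample input for the functions above.
tw_sample_report() {
    cat <<'EOF'
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Added: "/root/test.txt"
Modified:
"/root/.bashrc"
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
EOF
}

# tw_nightly: run the check with the same invocation as on this page, log a
# one-line summary to syslog and mail the full report only when something
# changed or the check hit an error.
tw_nightly() {
    local rpt n
    rpt=$(mktemp)
    tripwire -m c -s -c "$TW_CFG" > "$rpt" 2>&1
    n=$(tw_count_changes "$rpt")
    logger -t tripwire "integrity check finished: $n change(s)"
    if [ "$n" -gt 0 ] || ! tw_report_clean "$rpt"; then
        mail -s "Tripwire(R) Integrity Check Report in $(hostname)" "$MAIL_TO" < "$rpt"
    fi
    rm -f "$rpt"
}

# Only run the check when invoked as "tripwire-check.sh run" (e.g. from cron);
# running the file without arguments just defines the functions.
case "${1:-}" in run) tw_nightly ;; esac
```

For cron, replace the tripwire.sh entry with "0 3 * * * /srv/www/system/tripwire-check.sh run". Because the database is never rewritten by the job, the policy refresh with twpolmake.pl is also left out: a policy change requires re-signing and therefore the site passphrase, which is better typed interactively than stored in the script.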
2. Installing chkrootkit
Install a rootkit detection tool called chkrootkit to check whether a rootkit has been installed on the Linux server.
① Download and install chkrootkit
# zypper addrepo https://download.opensuse.org/repositories/security/openSUSE_Leap_15.3_Update//security.repo
# zypper refresh
# zypper install chkrootkit
② Move the chkrootkit command to the /root/bin directory
# mv /usr/sbin/chkrootkit /root/bin
③ Create the chkrootkit periodic execution script and set its permissions
# vi /srv/www/system/chkrootkit.sh
#!/bin/bash

PATH=/usr/bin:/bin:/root/bin

TMPLOG=`mktemp`

# Run chkrootkit
chkrootkit > $TMPLOG

# Send the full output to syslog
cat $TMPLOG | logger -t chkrootkit

# Suppress the "bindshell" false positive on port 465 (SMTPS): chkrootkit
# flags a listener on 465 as a bind shell. Drop those lines unless lsof
# really shows a process called bindshell on that port.
if [ ! -z "$(grep 465 $TMPLOG)" ] && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' $TMPLOG
fi

# Suppress the Suckit false positive that appears after an upstart package
# update (rpm -V verifies the package owning /sbin/init). Left commented out.
#if [ ! -z "$(grep Suckit $TMPLOG)" ] && \
#   [ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then
#    sed -i '/Suckit/d' $TMPLOG
#fi

# Mail root only when something is reported as INFECTED
[ ! -z "$(grep INFECTED $TMPLOG)" ] && \
    grep INFECTED $TMPLOG | mail -s "chkrootkit report in `hostname`" root

rm -f $TMPLOG
# chmod 700 /srv/www/system/chkrootkit.sh
Run it from cron every day at 02:00:
# crontab -e
0 2 * * * /srv/www/system/chkrootkit.sh ← add this line
⑥ Back up the commands used by chkrootkit
chkrootkit is a shell script that relies on system commands such as ps, ls and strings. If a rootkit has replaced those commands, chkrootkit will be looking at the rootkit's own output and will not detect it. Keep clean copies of the commands while the system is known good; when in doubt, run chkrootkit against the backed-up copies (see the -p option below).
# cd /root
# mkdir /root/chkrootkit_cmd
# cp `which --skip-alias awk cut echo egrep find head id ls snmpnetstat ps strings sed ssh uname` chkrootkit_cmd/
# ls -l /root/chkrootkit_cmd/
total 2404
-rwxr-xr-x 1 root root 614520 Jan  9 18:48 awk
-rwxr-xr-x 1 root root  47952 Jan  9 18:48 cut
-rwxr-xr-x 1 root root  31408 Jan  9 18:48 echo
-rwxr-xr-x 1 root root     28 Jan  9 18:48 egrep
-rwxr-xr-x 1 root root 304024 Jan  9 18:48 find
-rwxr-xr-x 1 root root  43792 Jan  9 18:48 head
-rwxr-xr-x 1 root root  39760 Jan  9 18:48 id
-rwxr-xr-x 1 root root 138904 Jan  9 18:48 ls
-rwxr-xr-x 1 root root 130200 Jan  9 18:48 ps
-rwxr-xr-x 1 root root 155032 Jan  9 18:48 sed
-rwxr-xr-x 1 root root  70088 Jan  9 18:48 snmpnetstat
-rwxr-xr-x 1 root root 793432 Jan  9 18:48 ssh
-rwxr-xr-x 1 root root  31896 Jan  9 18:48 strings
-rwxr-xr-x 1 root root  35568 Jan  9 18:48 uname
Note that egrep is only 28 bytes: on openSUSE it is a small wrapper script that runs the system grep, so this copy offers no protection against a replaced grep. Consider copying grep itself as well.
netstat, which chkrootkit also uses, is not installed by default in openSUSE 15.4, so install it first. It is not in the backup above either; copy it into /root/chkrootkit_cmd after installing it.
# zypper -n install net-tools-deprecated
Run chkrootkit using the backed-up commands (-p points it at the directory containing them):
# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED
Archive the backup so it can be stored off the server:
# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd
chkrootkit_cmd/
chkrootkit_cmd/awk
chkrootkit_cmd/cut
chkrootkit_cmd/echo
chkrootkit_cmd/egrep
chkrootkit_cmd/find
chkrootkit_cmd/head
chkrootkit_cmd/id
chkrootkit_cmd/ls
chkrootkit_cmd/ps
chkrootkit_cmd/strings
chkrootkit_cmd/sed
chkrootkit_cmd/ssh
chkrootkit_cmd/uname
chkrootkit_cmd/snmpnetstat
# mv chkrootkit_cmd.tar.gz /home/suse/
⑩ Copy chkrootkit_cmd.tar.gz to the Windows machine with WinSCP
⑪ Delete the backed-up commands from the server
A copy that stays on the server can be tampered with along with the originals, which is why the archive is kept off the host.
# rm -rf chkrootkit_cmd
# rm -rf /home/suse/chkrootkit_cmd.tar.gz
⑫ Change the script to report by e-mail when a rootkit is detected
# cd /srv/www/system
# mv chkrootkit.sh chkrootkit.sh.bak
# vi chkrootkit.sh
#!/bin/bash

# E-mail address for notification
MAIL="<mail address>"

PATH=/usr/bin:/bin:/root/bin

TMPLOG=`mktemp`

# Run chkrootkit
chkrootkit > $TMPLOG

# Send the full output to syslog
cat $TMPLOG | logger -t chkrootkit

# Suppress the "bindshell" false positive on port 465 (SMTPS) unless lsof
# really shows a bindshell process on that port
if [ ! -z "$(grep 465 $TMPLOG)" ] && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' $TMPLOG
fi

# Mail the notification address only when something is reported as INFECTED
[ ! -z "$(grep INFECTED $TMPLOG)" ] && \
    grep INFECTED $TMPLOG | mail -s "chkrootkit report in `hostname`" $MAIL

rm -f $TMPLOG
# chmod 700 /srv/www/system/chkrootkit.sh
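The following is an added example, not code from the original page, for the backup described in ⑥ and the scheduled script in ⑫: it records a SHA-256 manifest next to the backed-up command copies and, before each run, compares the live binaries against that manifest. A mismatch means the live command changed since the backup was taken, which is either a package update or tampering; in both cases chkrootkit is run from the backup copies (-p) and the difference is logged for follow-up. The command list is the one used on this page plus netstat; the backup directory, function names and the fake commands built in the test are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not code from the original page. Assumptions: backup copies
# live in BACKUP_DIR (default /root/chkrootkit_cmd as on this page), and the
# manifest is BACKUP_DIR/SHA256SUMS in "<hash>  <name>" form.
set -u
CMDS="awk cut echo egrep find head id ls netstat ps strings sed ssh uname"
BACKUP_DIR=${BACKUP_DIR:-/root/chkrootkit_cmd}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# backup_cmds: copy each command found in PATH to $BACKUP_DIR and record its
# hash in $BACKUP_DIR/SHA256SUMS. Run this once while the host is known good.
backup_cmds() {
    local c p
    mkdir -p "$BACKUP_DIR"
    : > "$BACKUP_DIR/SHA256SUMS"
    for c in $CMDS; do
        p=$(command -v "$c") || { echo "backup: $c not found, skipped" >&2; continue; }
        cp -p "$p" "$BACKUP_DIR/$c"
        printf '%s  %s\n' "$(sha256_of "$p")" "$c" >> "$BACKUP_DIR/SHA256SUMS"
    done
}

# verify_cmds: print the name of every recorded command whose live binary is
# missing or hashes differently from the backed-up copy; exit 1 if any did.
verify_cmds() {
    local hash name p bad=0
    while read -r hash name; do
        p=$(command -v "$name" 2>/dev/null) || { echo "$name (missing)"; bad=1; continue; }
        if [ "$(sha256_of "$p")" != "$hash" ]; then
            echo "$name"
            bad=1
        fi
    done < "$BACKUP_DIR/SHA256SUMS"
    return $bad
}

# chkrootkit_checked: log whether the live commands still match the backup,
# then run chkrootkit with the backup copies (their whole purpose) and print
# only INFECTED lines, as the page's script does.
chkrootkit_checked() {
    local changed
    if changed=$(verify_cmds); then
        logger -t chkrootkit "live commands match the backup manifest"
    else
        logger -t chkrootkit "live commands differ from backup: $(printf '%s' "$changed" | tr '\n' ' ')"
    fi
    chkrootkit -p "$BACKUP_DIR" | grep INFECTED
}

# Subcommands: "backup" (once, on a clean host), "verify" (compare only),
# "run" (verify, then chkrootkit from the backup copies). No argument just
# defines the functions.
case "${1:-}" in
    backup) backup_cmds ;;
    verify) verify_cmds ;;
    run)    chkrootkit_checked ;;
esac
```

The manifest only proves something when it is stored where a root-level intruder cannot rewrite it, so keep a copy of SHA256SUMS together with the archive taken off the host in ⑩ and compare against that copy if the on-host verification ever fails.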
3. Logwatch
Logwatch summarizes the system logs once a day and mails the result, so that the reports from the two tools above and the rest of the log traffic can be reviewed in one place.
# zypper -n install logwatch
Copy the default settings into the local configuration file. Logwatch reads default.conf first and then /etc/logwatch/conf/logwatch.conf, whose values take precedence, so edits belong in the latter and survive package updates.
# cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf
# vi /etc/logwatch/conf/logwatch.conf

Around line 45: comment out the "MailTo = root" line and put the address that should receive the reports on the line below it.
#MailTo = root
MailTo = <mail.address>

Around line 79: set the level of detail of the reports.
#Detail = Low
Detail = High
Check the report on the terminal:
# logwatch --output stdout
Send the report to the configured address to confirm that mail delivery works:
# logwatch --output mail