
openSUSE: Tripwire, Chkrootkit, Logwatch, DiCE

1. Tripwire Install

Tripwire is a host-based intrusion detection system (IDS) that monitors files and directories and notifies the user of any changes.

1.1 Installation and configuration

① Download and install

# cd /usr/local/src
# wget https://rpmfind.net/linux/epel/8/Everything/x86_64/Packages/t/tripwire-2.4.3.7-5.el8.x86_64.rpm
# rpm -Uvh tripwire-2.4.3.7-5.el8.x86_64.rpm

② Set passphrase

# tripwire-setup-keyfiles
----------------------------------------------
The Tripwire site and local passphrases are used to sign a variety of
files, such as the configuration, policy, and database files.
Passphrases should be at least 8 characters in length and contain both
letters and numbers.
See the Tripwire manual for more information.
----------------------------------------------
Creating key files...
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the site keyfile passphrase: ← Enter any site passphrase.
Verify the site keyfile passphrase: ← Enter the same site passphrase again.
Generating key (this may take several minutes)...Key generation complete.
(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)
Enter the local keyfile passphrase: ← Enter any local passphrase.
Verify the local keyfile passphrase: ← Enter the same local passphrase again.
Generating key (this may take several minutes)...Key generation complete.
----------------------------------------------
Signing configuration file...
Please enter your site passphrase: ← Enter the site passphrase.
Wrote configuration file: /etc/tripwire/tw.cfg
A clear-text version of the Tripwire configuration file:
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended that you
move this file to a secure location and/or encrypt it in place (using a
tool such as GPG, for example) after you have examined it.
----------------------------------------------
Signing policy file...
Please enter your site passphrase: ← Enter the site passphrase.
Wrote policy file: /etc/tripwire/tw.pol
A clear-text version of the Tripwire policy file:
/etc/tripwire/twpol.txt
... (output omitted) ...
default values from the current configuration file are used.

③ Configuring Tripwire

# vi /etc/tripwire/twcfg.txt
■Per line 9
Add "#" to the beginning of the line and add "LOOSEDIRECTORYCHECKING =true" on the line below it.
#LOOSEDIRECTORYCHECKING =false
LOOSEDIRECTORYCHECKING =true
■Per line 13
Add "#" to the beginning of the line and add "REPORTLEVEL =4" on the line below it.
#REPORTLEVEL =3
REPORTLEVEL =4

④ Create a Tripwire configuration file (cryptographically signed version)

# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: ←Enter your site passphrase
Wrote configuration file: /etc/tripwire/tw.cfg

⑤ Delete the Tripwire configuration file (text version)

# rm -f /etc/tripwire/twcfg.txt
Reference) To restore the Tripwire configuration file (text version), execute the following command
# twadmin -m f -c /etc/tripwire/tw.cfg > /etc/tripwire/twcfg.txt

⑥ Policy file settings

# cd /etc/tripwire/
# vi twpolmake.txt

Contents of twpolmake.txt ↓

#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#   perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE = $ARGV[0];
open(POL, "$POLFILE") or die "open error: $POLFILE";
my($myhost, $thost);
my($sharp, $tpath, $cond);
my($INRULE) = 0;
while (<POL>) {
    chomp;
    # Rewrite the HOSTNAME variable to this machine's hostname
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname`; chomp($myhost);
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    elsif ( /^{/ ) {
        $INRULE = 1;
    }
    elsif ( /^}/ ) {
        $INRULE = 0;
    }
    # Inside a rule block: comment out entries whose path does not exist on this host,
    # and uncomment entries whose path does exist
    elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g);
        if ($tpath eq '/sbin/e2fsadm') {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0);
        }
        else {
            $_ = "$sharp$tpath$cond";
        }
    }
    print "$_\n";
}
close(POL);

⑦ Policy file optimization

# mv twpolmake.txt twpolmake.pl
# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new
⑧ Create a policy file (cryptographically signed version) based on the optimized policy file.

# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new

Please enter your site passphrase: ←Enter your site passphrase
Wrote policy file: /etc/tripwire/tw.pol

Delete policy file (text version)

# rm -f /etc/tripwire/twpol.txt*
⑨ Create the database and check its operation
# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: ← Enter your local passphrase
Create a test file
# echo test > /root/test.txt
Check Tripwire operation
# tripwire -m c -s -c /etc/tripwire/tw.cfg
If successful, the following is displayed
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report
Report generated by: root
Report created on: Sun Jan 16 22:28:26 2022
Database last updated on: Never
==============================================================
Report Summary:
==============================================================
Host name: Lepard
Host IP address: Unknown IP
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/Lepard.twd
Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg
... (output omitted) ...
-------------------------------------------------------------------------------
Added:
"/root/test.txt"
==============================================================
Error Report:
==============================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Delete the test file
# rm -f /root/test.txt

1.2 Make Tripwire run periodically

① Create the Tripwire autorun script
# cd /srv/www/system
# vi tripwire.sh
Contents of "tripwire.sh"
Replace xxxxxxxx with the local passphrase and the site passphrase.

#!/bin/bash

PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# Set passphrases
LOCALPASS=xxxxxxxx # local passphrase
SITEPASS=xxxxxxxx  # site passphrase

cd /etc/tripwire

# Run a Tripwire check and mail the report to root
tripwire -m c -s -c tw.cfg | mail -s "Tripwire(R) Integrity Check Report in `hostname`" root

# Update the policy file: print the current policy, re-optimize it for this host, re-sign it
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak

# Re-initialize the database (the RPM keeps it under /var/lib/tripwire, as shown in the report above)
rm -f /var/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS

# chmod 700 tripwire.sh
② Add Tripwire to cron so that it runs periodically
# crontab -e
0 3 * * * /srv/www/system/tripwire.sh

Reference: Script for reporting results by email

#!/bin/bash
PATH=/usr/sbin:/usr/bin:/bin:/usr/local/tripwire/sbin

# Set passphrases
LOCALPASS=xxxxxxxx # local passphrase
SITEPASS=xxxxxxxx  # site passphrase

# Specify the e-mail address for notification
MAIL="<your mail address>"

cd /etc/tripwire

# Run a Tripwire check and mail the report
tripwire -m c -s -c tw.cfg | mail -s "Tripwire(R) Integrity Check Report in `hostname`" $MAIL

# Update the policy file: print the current policy, re-optimize it for this host, re-sign it
twadmin -m p -c tw.cfg -p tw.pol -S site.key > twpol.txt
perl twpolmake.pl twpol.txt > twpol.txt.new
twadmin -m P -c tw.cfg -p tw.pol -S site.key -Q $SITEPASS twpol.txt.new > /dev/null
rm -f twpol.txt* *.bak

# Re-initialize the database (the RPM keeps it under /var/lib/tripwire, as shown in the report above)
rm -f /var/lib/tripwire/*.twd*
tripwire -m i -s -c tw.cfg -P $LOCALPASS
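The cron script above mails the full report every night whether or not anything changed. As an added example (not code from the original page), the following parses the Added/Modified/Removed sections of a Tripwire integrity-check report, so the job can mail root only when an object actually changed; the sample report is constructed to match the layout shown in section 1.1 ⑨.

```shell
#!/bin/bash
# Added example, not from the original page: extract the Added/Modified/Removed
# entries from an Open Source Tripwire integrity-check report so the nightly
# cron job can mail root only when something actually changed.
# Print "Added: <path>", "Modified: <path>" or "Removed: <path>" per changed object.
tripwire_changes() {          # tripwire_changes <report_file>
    awk '
        /^(Added|Modified|Removed):$/ { section = $1; sub(/:$/, "", section); next }
        /^(=+|-+)$/ || /^[A-Za-z ]+:$/ { section = ""; next }   # other headers end a list
        section != "" && /^"/ { path = $0; gsub(/"/, "", path); print section ": " path }
    ' "$1"
}

# Succeeds (exit 0) only when the report lists no changed objects.
tripwire_clean() {            # tripwire_clean <report_file>
    [ -z "$(tripwire_changes "$1")" ]
}

# Constructed sample report, abbreviated like the one produced by "tripwire -m c".
write_sample_report() {       # write_sample_report <output_file>
    cat > "$1" <<'EOF'
Open Source Tripwire(R) 2.4.3.7 Integrity Check Report
==============================================================
Report Summary:
==============================================================
Policy file used: /etc/tripwire/tw.pol
-------------------------------------------------------------------------------
Added:
"/root/test.txt"
Modified:
"/usr/sbin/sshd"
"/etc/passwd"
==============================================================
Error Report:
==============================================================
No Errors
EOF
}

REPORT=$(mktemp)
write_sample_report "$REPORT"
if tripwire_clean "$REPORT"; then
    echo "no changes, nothing to mail"
else
    echo "changes detected (this is what the cron job would mail):"
    tripwire_changes "$REPORT"
fi
rm -f "$REPORT"
```

In the cron script, `tripwire -m c -s -c tw.cfg > "$REPORT"` followed by `tripwire_clean "$REPORT" || tripwire_changes "$REPORT" | mail -s ... root` gives a mail only on change.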

2. Chkrootkit Install

①Download and install chkrootkit

# zypper addrepo https://download.opensuse.org/repositories/security/openSUSE_Leap_15.3/security.repo
# zypper refresh
# zypper install chkrootkit

②Move the chkrootkit command to the /root/bin directory

# mv /usr/sbin/chkrootkit /root/bin
③Create the chkrootkit periodic execution script and set its permissions
# vi /srv/www/system/chkrootkit.sh
Contents of "chkrootkit.sh"

#!/bin/bash
PATH=/usr/bin:/bin:/root/bin

TMPLOG=`mktemp`

# Run chkrootkit
chkrootkit > "$TMPLOG"

# Log output to syslog
logger -t chkrootkit < "$TMPLOG"

# Handling of SMTPS bindshell false positives
# (port 465 is reported as a bindshell while only the legitimate SMTPS listener is bound to it)
if [ ! -z "$(grep 465 "$TMPLOG")" ] && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' "$TMPLOG"
fi

# Suckit false positive when the upstart package is updated (kept commented out)
#if [ ! -z "$(grep Suckit "$TMPLOG")" ] && \
#   [ -z "$(rpm -V `rpm -qf /sbin/init`)" ]; then
#    sed -i '/Suckit/d' "$TMPLOG"
#fi

# Send mail to root only when a rootkit is detected
[ ! -z "$(grep INFECTED "$TMPLOG")" ] && \
    grep INFECTED "$TMPLOG" | mail -s "chkrootkit report in `hostname`" root

rm -f "$TMPLOG"

# chmod 700 /srv/www/system/chkrootkit.sh
④Periodic execution of chkrootkit
# crontab -e
0 2 * * * /srv/www/system/chkrootkit.sh

⑥Backup the commands used by chkrootkit
If the commands chkrootkit relies on are tampered with, it can no longer detect a rootkit, so keep a backup of these commands.

# cd /root
# mkdir /root/chkrootkit_cmd
# cp `which --skip-alias awk cut echo egrep find head id ls snmpnetstat ps strings sed ssh uname` chkrootkit_cmd/
# ls -l /root/chkrootkit_cmd/
total 2404
-rwxr-xr-x 1 root root 614520 Jan 9 18:48 awk
-rwxr-xr-x 1 root root 47952 Jan 9 18:48 cut
-rwxr-xr-x 1 root root 31408 Jan 9 18:48 echo
-rwxr-xr-x 1 root root 28 Jan 9 18:48 egrep
-rwxr-xr-x 1 root root 304024 Jan 9 18:48 find
-rwxr-xr-x 1 root root 43792 Jan 9 18:48 head
-rwxr-xr-x 1 root root 39760 Jan 9 18:48 id
-rwxr-xr-x 1 root root 138904 Jan 9 18:48 ls
-rwxr-xr-x 1 root root 130200 Jan 9 18:48 ps
-rwxr-xr-x 1 root root 155032 Jan 9 18:48 sed
-rwxr-xr-x 1 root root 70088 Jan 9 18:48 snmpnetstat
-rwxr-xr-x 1 root root 793432 Jan 9 18:48 ssh
-rwxr-xr-x 1 root root 31896 Jan 9 18:48 strings
-rwxr-xr-x 1 root root 35568 Jan 9 18:48 uname
⑦Run chkrootkit using the copied commands
openSUSE 15.3 does not install netstat by default, so install it first:
# zypper -n install net-tools-deprecated
Then run:
# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED
⑧Compress the backed up commands
# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd
chkrootkit_cmd/
chkrootkit_cmd/awk
chkrootkit_cmd/cut
chkrootkit_cmd/echo
chkrootkit_cmd/egrep
chkrootkit_cmd/find
chkrootkit_cmd/head
chkrootkit_cmd/id
chkrootkit_cmd/ls
chkrootkit_cmd/ps
chkrootkit_cmd/strings
chkrootkit_cmd/sed
chkrootkit_cmd/ssh
chkrootkit_cmd/uname
chkrootkit_cmd/snmpnetstat
⑨Move the backed up compressed files to the home directory of a regular user.
# mv chkrootkit_cmd.tar.gz /home/lan/
⑩Copy the chkrootkit_cmd.tar.gz file to the Windows side using WinSCP.
⑪Delete the backed-up commands from the server.
# rm -rf chkrootkit_cmd
# rm -rf /home/lan/chkrootkit_cmd.tar.gz
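The backup in ⑥ to ⑪ only helps if you can later tell whether the live tools still match it. As an added example (not part of the original page), this records SHA-256 digests of the backed-up commands and compares them with the live binaries; the directory paths are parameters, and the demonstration runs on constructed files rather than real binaries.

```shell
#!/bin/bash
# Added example, not from the original page: store SHA-256 digests of the backed-up
# chkrootkit helper commands and compare them with the live binaries later, so a
# replaced ps/ls/find is noticed before a chkrootkit result is trusted.
# Directories are parameters; the page's layout is /root/chkrootkit_cmd and /usr/bin.

# Write "digest  name" for every file in <backup_dir> to <manifest_file>.
make_manifest() {            # make_manifest <backup_dir> <manifest_file>
    ( cd "$1" && sha256sum -- * ) > "$2"
}

# Compare each manifest entry with the same-named file under <live_dir>.
# Prints MISMATCH/MISSING lines and returns 0 only when every tool matches.
verify_manifest() {          # verify_manifest <manifest_file> <live_dir>
    local status=0 expected name actual
    while read -r expected name; do
        if [ ! -f "$2/$name" ]; then
            echo "MISSING  $2/$name"; status=1; continue
        fi
        actual=$(sha256sum -- "$2/$name" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $2/$name"; status=1
        fi
    done < "$1"
    return $status
}

# Demonstration on constructed files, not real system binaries.
demo() {
    local work
    work=$(mktemp -d)
    mkdir "$work/backup" "$work/live"
    for tool in ls ps find; do
        printf 'binary %s v1\n' "$tool" > "$work/backup/$tool"
        cp "$work/backup/$tool" "$work/live/$tool"
    done
    make_manifest "$work/backup" "$work/manifest"
    verify_manifest "$work/manifest" "$work/live" && echo "all tools match"
    printf 'binary ps v1 modified\n' > "$work/live/ps"   # simulate a replaced ps
    rm -f "$work/live/find"                               # simulate a removed tool
    verify_manifest "$work/manifest" "$work/live" || echo "do not trust chkrootkit output"
    rm -rf "$work"
}
demo
```

Keep the manifest with the offline copy (the tar.gz moved to the Windows side), not on the server, or an attacker who replaces a tool can update the manifest as well.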
⑫Change to a script that reports rootkit detection via email.
# cd /srv/www/system
# mv chkrootkit.sh chkrootkit.sh.bak
# vi chkrootkit.sh
Contents of the new "chkrootkit.sh"

#!/bin/bash
# Specify the e-mail address for notification
MAIL="<Email address>"
PATH=/usr/bin:/bin:/root/bin

TMPLOG=`mktemp`

# Run chkrootkit
chkrootkit > "$TMPLOG"

# Log output to syslog
logger -t chkrootkit < "$TMPLOG"

# Handling of SMTPS bindshell false positives
if [ ! -z "$(grep 465 "$TMPLOG")" ] && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' "$TMPLOG"
fi

# Send mail only when a rootkit is detected
[ ! -z "$(grep INFECTED "$TMPLOG")" ] && \
    grep INFECTED "$TMPLOG" | mail -s "chkrootkit report in `hostname`" $MAIL

rm -f "$TMPLOG"

# chmod 700 /srv/www/system/chkrootkit.sh

3. Logwatch Install

① Install
# zypper -n install logwatch
② Edit the configuration file
# cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf
# vi /etc/logwatch/conf/logwatch.conf
■Per line 52
Comment out "MailTo = root" with a "#" and add the address that should receive the notifications on the line below it.
#MailTo = root
MailTo = <mail.address>
■Per line 84
Set the level of detail of the log report
#Detail = Low
Detail = High
③ Output the Logwatch report

# logwatch --output stdout

④ Test if the report is delivered to the address you set.

# /etc/cron.daily/0logwatch

4. DiCE Install

Whenever the global IP address changes, for example after the Internet connection drops or the router is disconnected and rebooted, the dynamic DNS service must be notified of the new address.
DiCE does this automatically.

4.1 Download and install Dice

①Download
# cd /usr/local/bin/
# wget https://centos.rcg.jp/download/DiCE.tar.gz
# tar -xzvf DiCE.tar.gz
② Configure DiCE
DiCE prints its messages in EUC-JP, so they appear garbled on a UTF-8 terminal.
Install nkf to convert the output to UTF-8.
# zypper install nkf
③Start DiCE
# cd /usr/local/bin/DiCE
# ./diced | nkf -uw

4.2 Adding an Event

The DNS service used here is VALUEDOMAIN.
# ./diced | nkf -uw
:add
Please enter the DynamicDNS service name.
(P)Return
>VALUEDOMAIN
Please enter a domain name.
(P)Return
><Domain name>    ← Domain registered with VALUEDOMAIN
Please enter a host name
(P)Return
><Host name>    ← Host name registered with VALUEDOMAIN
Please enter your login user name
(P)Return
><User name>  ← User name registered with VALUEDOMAIN
Please enter your login password.
(P)Return
><passwd>  ← Password used to log in to VALUEDOMAIN
Enter the IP address to be registered
If left blank, the current IP address will be detected automatically.
(P)Return
>    ← Leave blank
Please give this event a title.
(P)Return
>xxxxxxxxx    ← Any name
Specify the frequency of execution (enter a number)
(0)One time only (1)Once a day (2)Once a week (3)Once a month
(4)Other cycles (5)When IP address changes (6)At startup
(P)Return
>5    ← Any
If your IP address does not change often, your account may be deleted after a certain period without updates.
Please specify the interval to run when the IP address does not change.
(0)Every 7 days (1)Every 14 days (2)Every 21 days (3)Every 28 days
(4)Every 35 days (5)Every 56 days (6)Every 84 days
(P)Return
>0  ← Any
Do you want to enable this event? (Y/N)
>y
Do you want to save the event? (Y/N)
>y
Confirmation of events

:list
(No.)   (Event Name)     (Schedule)                            (Next time to decide)
0 *       xxxxxxxxx   When IP address changes (every 7 days)     01/25 17:43

Manual execution
:ex 0
+ 1/19 13:13 xxxxxxxxx has been executed.
IP address updated.

4.3 Automatic execution of Dice

Start the DiCE daemon

# /usr/local/bin/DiCE/diced -d -l

Make sure it's running.

# ps aux | grep diced
root 29500 0.0 0.0 7816 632 pts/0 S+ 13:18 0:00 grep --color=auto diced

Set to start automatically.

# vi /etc/rc.local
/usr/local/bin/DiCE/diced -d -l  