Ubuntu Server24.04 ; Tripwire , disk usage check script , Logwatch


Implement a system to detect file tampering on Linux servers by crackers.
This time, Tripwire, a host-based IDS (IDS=Intrusion Detection System), will be installed as the file tampering detection system.
Tripwire detects file additions/changes/deletions by creating a database of file status at the time of installation and comparing the database with the current status of the file.

1. Installation and configuration.

①Create Site Key
Tripwire requires a site passphrase to secure the "tw.cfg" tripwire configuration file and the "tw.pol" tripwire policy file.
The specified passphrase is used to encrypt both files.
The site passphrase is also required for a single instance of tripwire.

②local key passphrase
A local passphrase is required to protect the tripwire database and report files.
A local key used by tripwire to avoid unauthorized modification of the tripwire baseline database.

③tripwire configuration path
The tripwire configuration is stored in the file /etc/tripwire/twcfg.txt.
It is used to generate the encrypted configuration file tw.cfg.

④tripwire policy path
tripwire stores policies in the file /etc/tripwire/twpol.txt.
This is used to generate the encrypted policy file tw.pol used by tripwire.

⑤Enter site key passphrase

You will be asked to enter the site key passphrase again.

⑥Enter local key passphrase

⑦You will be asked to enter the local key passphrase again.

⑧Installation will proceed and complete.

2.  Configuration File Settings

①Tripwire configuration file (twcfg.txt)
The tripwire configuration file (twcfg.txt) is detailed below.
The paths to the encrypted policy file (tw.pol), site key (site.key), and local key (hostname local.key), etc. are as follows

3. Initial setup such as key creation, database creation, etc.

Edit twcfg.txt

configuration file generation

③ Optimize Policy
Use the following policy optimization scripts to optimize your policy

Policy Optimization Script Contents

④Database Creation

If it stops with an error on the way, re-run with the "--verbose" option.

View the progress and check the files that stop with errors.
In our environment, it stopped at Snort-related files.

Paths and files expected to stop
After granting ownership and permissions to the above file, run the following again

When completed, the following will appear

4. Perform checks

Create test file

Check Tripwire operation

If successful, the following display appears

Delete the test file.

5. Tripwire Autorun

①Create an auto-execution script (tripwire.sh) and have it run automatically

Contents of auto-execute script (tripwire.sh)

Give execute permission and execute periodically by Cron.

Execute the following command to confirm that notifications are delivered to the address set above

Introduce disk usage check script

1. Script Creation

Contents of disk_capacity_check.sh

2. Execution Confirmation

①Check current usage

It appears as follows

Create a dummy file so that it is 80% or more (in this case, create about 5G).

③again Confirmation

Confirmation that it is above 80%.

④Run disk space check script

You will receive an email to the email address you set up with the body of the message as "Disk usage alert: 89 %".

⑤Delete the "dummyfile" you created.

⑥Periodic Execution Setting

Log analysis tool Logwatch installed

1.  Install logwatch

2. Edit logwatch configuration file

①Copy the default configuration file

②Change email address, etc.

3. Creating Directories

There is no directory used by the cache, so create one.

4. operation check

When logwatch is installed, cron is registered by default, so you will receive daily report emails.
If you want to check it immediately, do the following

Copied title and URL