CentOS 5
Sponsored Link

Host based IDS - Tripwire2009/03/31

[1] Install Host based IDS ( Intrusion Detection System ). Tripwire is a kind of it and this example shows to install and configure it.
[root@www ~]#
yum --enablerepo=epel -y install tripwire
 
# install from EPEL


[root@www ~]#
/usr/sbin/tripwire-setup-keyfiles


# input pass phrase during installation like below

Enter the site keyfile passphrase:
# (1) set passphrase

Verify the site keyfile passphrase:
# verify


Enter the local keyfile passphrase:
# (2) set passphrase

Verify the local keyfile passphrase:
# verify


Please enter your site passphrase:
# (1) input passphrase


Please enter your site passphrase:
# (1) input passphrase


[root@www ~]#
cd /etc/tripwire

[root@www tripwire]#
vi twcfg.txt


# line 9: change

LOOSEDIRECTORYCHECKING =
true


# line 12: change

REPORTLEVEL =
4


[root@www tripwire]#
twadmin -m F -c tw.cfg -S site.key twcfg.txt

Please enter your site passphrase:
# (1) input passphrase

Wrote configuration file: /etc/tripwire/tw.cfg

# create the file below

[root@www tripwire]#
vi twpolmake.pl


#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#    perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
     chomp;
     if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
          $myhost = `hostname` ; chomp($myhost) ;
          if ($thost ne $myhost) {
               $_="HOSTNAME=\"$myhost\";" ;
          }
     }
     elsif ( /^{/ ) {
          $INRULE=1 ;
     }
     elsif ( /^}/ ) {
          $INRULE=0 ;
     }
     elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
          $ret = ($sharp =~ s/\#//g) ;
          if ($tpath eq '/sbin/e2fsadm' ) {
               $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
          }
          if (! -s $tpath) {
               $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
          }
          else {
               $_ = "$sharp$tpath$cond" ;
          }
     }
     print "$_\n" ;
}
close(POL) ;


[root@www tripwire]#
perl twpolmake.pl twpol.txt > twpol.txt.new

[root@www tripwire]#
twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new

Please enter your site passphrase:
# passphrase

Wrote policy file: /etc/tripwire/tw.pol
[root@www tripwire]#
tripwire -m i -s -c tw.cfg
# create DB

Please enter your local passphrase:
# passphrase

[root@www tripwire]#
tripwire -m c -s -c tw.cfg
# run checking

Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:
root

Report created on:
Wed 16 May 2007 10:17:40 PM JST

Database last updated on:
Never


======================================================
Report Summary:
======================================================

Host name:
www.server-linux.info

Host IP address:
127.0.0.1

Host ID:
None

Policy file used:
/usr/local/etc/tw.pol

Configuration file used:
/usr/local/etc/tw.cfg

Database file used:
/usr/local/lib/tripwire/www.server-linux.info.twd

Command line used:
tripwire -m c -s -c tw.cfg


======================================================
Rule Summary:
======================================================

------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------
  Rule Name
Severity Level
Added
Removed
Modified

  ---------
--------------
-----   
-------   
--------

  Tripwire Data Files
  0
0
0
0

* Monitor Filesystems
  0
0
0
2

  User Binaries and Libraries
  0
0
0
0

  Tripwire Binaries
  0
0
0
0

  OS Binaries and Libraries
  0
0
0
0

  Temporary Directories
  0
0
0
0

  Global Configuration Files
  0
0
0
0

  System Boot Changes
  0
0
0
0

  RPM Checksum Files
  0
0
0
0

  (/var/lib/rpm)
  OS Devices and Misc Directories
  0
0
0
0

  OS Boot Files and Mount Points
  0
0
0
0

  Root Directory and Files
  0
0
0
0


Total objects scanned: 60551
Total violations found: 2

======================================================
Object Summary:
======================================================

------------------------------------------------------
# Section: Unix File System
------------------------------------------------------

------------------------------------------------------
Rule Name: Monitor Filesystems (/var)
Severity Level: 0
------------------------------------------------------

Modified:
"/var/yp/binding/server-linux.info.1"
"/var/yp/binding/server-linux.info.2"

======================================================
Error Report:
======================================================

No Errors

------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved.
[2] Add a new file and Try to cheking again.
[root@www tripwire]#
[root@www ~]#
touch hacking

[root@www ~]#
tripwire -m c -s -c /etc/tripwire/tw.cfg

Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:
root

Report created on:
Wed 16 May 2007 10:17:40 PM JST

Database last updated on:
Never


======================================================
Report Summary:
======================================================

Host name:
www.server-linux.info

Host IP address:
127.0.0.1

Host ID:
None

Policy file used:
/usr/local/etc/tw.pol

Configuration file used:
/usr/local/etc/tw.cfg

Database file used:
/usr/local/lib/tripwire/www.server-linux.info.twd

Command line used:
tripwire -m c -s -c tw.cfg


======================================================
Rule Summary:
======================================================

------------------------------------------------------
  Section: Unix File System
------------------------------------------------------

  Rule Name
Severity Level
Added
Removed
Modified

  ---------
--------------
-----   
-------   
--------

  Tripwire Data Files
  0
0
0
0

* Monitor Filesystems
  0
0
0
2

  User Binaries and Libraries
  0
0
0
0

  Tripwire Binaries
  0
0
0
0

  OS Binaries and Libraries
  0
0
0
0

  Temporary Directories
  0
0
0
0

  Global Configuration Files
  0
0
0
0

  System Boot Changes
  0
0
0
0

  RPM Checksum Files
  0
0
0
0

  (/var/lib/rpm)
  OS Devices and Misc Directories
  0
0
0
0

  OS Boot Files and Mount Points
  0
0
0
0

* Root Directory and Files
  0
1
0
0


Total objects scanned: 60552
Total violations found: 3

======================================================
Object Summary:
======================================================

------------------------------------------------------
# Section: Unix File System
------------------------------------------------------

------------------------------------------------------
Rule Name: Monitor Filesystems (/var)
Severity Level: 0
------------------------------------------------------

Modified:
"/var/yp/binding/server-linux.info.1"
"/var/yp/binding/server-linux.info.2"

------------------------------------------------------
Rule Name: Root Directory and Files (/root)
Severity Level: 0
------------------------------------------------------

Added:
"/root/hacking"
# just detected


======================================================
Error Report:
======================================================

No Errors

------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved.
[3] When you run tripwire and if it's no ploblem, update database like below.
[root@www ~]#
tripwire -m u -r /var/lib/tripwire/report/www.server-linux.info-20070517-014755.twr


Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by:
root

Report created on:
Wed 16 May 2007 10:17:40 PM JST

Database last updated on:
Never


======================================================
Report Summary:
======================================================

Host name:
www.server-linux.info

Host IP address:
127.0.0.1

Host ID:
None

Policy file used:
/usr/local/etc/tw.pol

Configuration file used:
/usr/local/etc/tw.cfg

Database file used:
/usr/local/lib/tripwire/www.server-linux.info.twd

Command line used:
tripwire -m c -s -c tw.cfg


======================================================
Rule Summary:
======================================================

------------------------------------------------------
  Section: Unix File System
------------------------------------------------------

  Rule Name
Severity Level
Added
Removed
Modified

  ---------
--------------
-----   
-------   
--------

  Tripwire Data Files
  0
0
0
0

* Monitor Filesystems
  0
0
0
2

  User Binaries and Libraries
  0
0
0
0

  Tripwire Binaries
  0
0
0
0

  OS Binaries and Libraries
  0
0
0
0

  Temporary Directories
  0
0
0
0

  Global Configuration Files
  0
0
0
0

  System Boot Changes
  0
0
0
0

  RPM Checksum Files
  0
0
0
0

  (/var/lib/rpm)
  OS Devices and Misc Directories
  0
0
0
0

  OS Boot Files and Mount Points
  0
0
0
0

* Root Directory and Files
  0
1
0
0


Total objects scanned: 60552
Total violations found: 3

======================================================
Object Summary:
======================================================

------------------------------------------------------
# Section: Unix File System
------------------------------------------------------

------------------------------------------------------
Rule Name: Monitor Filesystems (/var)
Severity Level: 0
------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Modified:
[x] "/var/yp/binding/server-linux.info.1"
[x] "/var/yp/binding/server-linux.info.2"

------------------------------------------------------
Rule Name: Root Directory and Files (/root)
Severity Level: 0
------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/root/hacking"

======================================================
Error Report:
======================================================

No Errors

------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved.

# save and exit if it's all no ploblem. Then passphrase is required. Input it and then database is updated.

Please enter your local passphrase:
Wrote database file: /usr/local/lib/tripwire/www.server-linux.info.twd
Matched Content