Ubuntu 16.04
Sponsored Link

Tripwire : Host based IDS
2016/06/19
 
Install and configure Host based IDS (Intrusion Detection System) "Tripwire".
[1] Install Tripwire.
root@dlp:~#
apt-get -y install tripwire

# Enter
 +------------------------+ Tripwire Configuration +-------------------------+
 |                                                                           |
 | Tripwire uses a pair of keys to sign various files, thus ensuring their
 | unaltered state.  By accepting here, you will be prompted for the
 | passphrase for the first of those keys, the site key, during the
 | installation.  You are also agreeing to create a site key if one doesn't
 | exist already.  Tripwire uses the site key to sign files that may be
 | common to multiple systems, e.g. the configuration & policy files.  See
 | twfiles(5) for more information.
 |
 | Unfortunately, due to the Debian installation process, there is a period
 | of time where this passphrase exists in a unencrypted format. Were an
 | attacker to have access to your machine during this period, he could
 | possibly retrieve your passphrase and use it at some later point.
 |
 | If you would rather not have this exposure, decline here.  You will then
 |
 |                                  <Ok>
 |                                                                           |
 +---------------------------------------------------------------------------+

# select Yes and Enter
  +------------------------+ Tripwire Configuration +------------------------+
  |                                                                          |
  | Do you wish to create/use your site key passphrase during installation?  |
  |                                                                          |
  |                    <Yes>                       <No>                      |
  |                                                                          |
  +--------------------------------------------------------------------------+

# Enter
 +------------------------+ Tripwire Configuration +-------------------------+
 |                                                                           |
 | Tripwire uses a pair of keys to sign various files, thus ensuring their
 | unaltered state.  By accepting here, you will be prompted for the
 | passphrase for the second of those keys, the local key, during the
 | installation.  You are also agreeing to create a local key if one
 | doesn't exist already.  Tripwire uses the local key to sign files that
 | are specific to this system, e.g. the tripwire database. See twfiles(5)
 | for more information.
 |
 | Unfortunately, due to the Debian installation process, there is a period
 | of time where this passphrase exists in a unencrypted format. Were an
 | attacker to have access to your machine during this period, he could
 | possibly retrieve your passphrase and use it at some later point.
 |
 | If you would rather not have this exposure, decline here.  You will then
 |
 |                                  <Ok>
 |                                                                           |
 +---------------------------------------------------------------------------+

# select Yes and Enter
 +------------------------+ Tripwire Configuration +-------------------------+
 |                                                                           |
 | Do you wish to create/use your local key passphrase during installation?  |
 |                                                                           |
 |                    <Yes>                       <No>                       |
 |                                                                           |
 +---------------------------------------------------------------------------+

# select Yes and Enter
  +------------------------+ Tripwire Configuration +------------------------+
  |                                                                          |
  | Tripwire keeps its configuration in a encrypted database that is         |
  | generated, by default, from /etc/tripwire/twcfg.txt                      |
  |                                                                          |
  | Any changes to /etc/tripwire/twcfg.txt, either as a result of a change   |
  | in this package or due to administrator activity, require the            |
  | regeneration of the encrypted database before they will take effect.     |
  |                                                                          |
  | Selecting this action will result in your being prompted for the site    |
  | key passphrase during the post-installation process of this package.     |
  |                                                                          |
  | Rebuild Tripwire configuration file?                                     |
  |                                                                          |
  |                    <Yes>                       <No>                      |
  |                                                                          |
  +--------------------------------------------------------------------------+

# select Yes and Enter
 +------------------------+ Tripwire Configuration +-------------------------+
 |                                                                           |
 | Tripwire keeps its policies on what attributes of which files should be   |
 | monitored in a encrypted database that is generated, by default, from     |
 | /etc/tripwire/twpol.txt                                                   |
 |                                                                           |
 | Any changes to /etc/tripwire/twpol.txt, either as a result of a change    |
 | in this package or due to administrator activity, require the             |
 | regeneration of the encrypted database before they will take effect.      |
 |                                                                           |
 | Selecting this action will result in your being prompted for the site     |
 | key passphrase during the post-installation process of this package.      |
 |                                                                           |
 | Rebuild Tripwire policy file?                                             |
 |                                                                           |
 |                    <Yes>                       <No>                       |
 |                                                                           |
 +---------------------------------------------------------------------------+

# set site keyfile passphrase
 +--------------------------+ Get site passphrase +--------------------------+
 | Tripwire uses two different keys for authentication and encryption of     |
 | files.  The site key is used to protect files that could be used across   |
 | several systems.  This includes the policy and configuration files.       |
 |                                                                           |
 | You are being prompted for this passphrase either because no site key     |
 | exists at this time or because you have requested the rebuilding of the   |
 | policy or configuration files.                                            |
 |                                                                           |
 | Remember this passphrase; it is not stored anywhere!                      |
 |                                                                           |
 | Enter site-key passphrase:                                                |
 |                                                                           |
 | ********_________________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+

# confirm above
     +----------------------+ Get site passphrase +-----------------------+
     | Please repeat the site pass phrase to be sure you didn't mistype.  |
     |                                                                    |
     | Repeat the site-key passphrase:                                    |
     |                                                                    |
     | ********__________________________________________________________ |
     |                                                                    |
     |                               <Ok>                                 |
     |                                                                    |
     +--------------------------------------------------------------------+

# set local keyfile passphrase
 +-------------------------+ Get local passphrase +--------------------------+
 | Tripwire uses two different keys for authentication and encryption of     |
 | files.  The local key is used to protect files specific to the local      |
 | machine, such as the Tripwire database.  The local key may also be used   |
 | for signing integrity check reports.                                      |
 |                                                                           |
 | You are being prompted for this passphrase because no local key file      |
 | currently exists.                                                         |
 |                                                                           |
 | Remember this passphrase; it is not stored anywhere!                      |
 |                                                                           |
 | Enter local key passphrase:                                               |
 |                                                                           |
 | ********_________________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+

# confirm above
    +----------------------+ Get local passphrase +-----------------------+
    | Please repeat the local pass phrase to be sure you didn't mistype.  |
    |                                                                     |
    | Repeat the local key passphrase:                                    |
    |                                                                     |
    | ********___________________________________________________________ |
    |                                                                     |
    |                               <Ok>                                  |
    |                                                                     |
    +---------------------------------------------------------------------+

# Enter
  +-------------------------+ Get local passphrase +-------------------------+
  |                                                                          |
  | Tripwire has been installed                                              |
  |                                                                          |
  | The Tripwire binaries are located in /usr/sbin and the database is       |
  | located in /var/lib/tripwire. It is strongly advised that these          |
  | locations be stored on write-protected media (e.g. mounted RO floppy).   |
  | See /usr/share/doc/tripwire/README.Debian for details.                   |
  |                                                                          |
  |                                  <Ok>                                    |
  |                                                                          |
  +--------------------------------------------------------------------------+
[2] Create keys and initialize database.
root@dlp:~#
cd /etc/tripwire

root@dlp:/etc/tripwire#
vi twcfg.txt
# line 12: report level (4 is max)

REPORTLEVEL =
4
# generate config

root@dlp:/etc/tripwire#
twadmin -m F -c tw.cfg -S site.key twcfg.txt

Please enter your site passphrase:    
# answer with site keyfile passphrase

Wrote configuration file: /etc/tripwire/tw.cfg
# optimize policy file with the script below

root@dlp:/etc/tripwire#
vi twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#     perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;

root@dlp:/etc/tripwire#
perl twpolmake.pl twpol.txt > twpol.txt.new

root@dlp:/etc/tripwire#
twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new

Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
# create database

root@dlp:/etc/tripwire#
tripwire -m i -s -c tw.cfg

Please enter your local passphrase:
[3] Execute checking manually. ( Daily check script for Cron is included in package )
root@dlp:~#
tripwire -m c -s -c /etc/tripwire/tw.cfg

Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by:          root
Report created on:            Mon 20 Jun 2016 01:54:11 AM JST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    dlp.srv.world
Host IP address:              10.0.0.30
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/dlp.srv.world.twd
Command line used:            tripwire -m c -s -c /etc/tripwire/tw.cfg

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
  Tripwire Binaries               100               0        0        0
  Other libraries                 66                0        0        0
  Root file-system executables    100               0        0        0
* Tripwire Data Files             100               1        0        0
  System boot changes             100               0        0        0
  Root file-system libraries      100               0        0        0
  (/lib)
  Critical system boot files      100               0        0        0
  Other configuration files       66                0        0        0
  (/etc)
  Boot Scripts                    100               0        0        0
  Security Control                66                0        0        0
  Root config files               100               0        0        0
  Devices & Kernel information    100               0        0        0
  (/dev)
  Invariant Directories           66                0        0        0

Total objects scanned:  27638
Total violations found:  1

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire/dlp.srv.world.twd)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/dlp.srv.world.twd"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
[4] If there is no ploblem even if some differences are detected, then update database like follows.
# results are saved under the directory below

root@dlp:~#
ll /var/lib/tripwire/report

total 12
drwxr-xr-x 2 root root 4096 Jun 20 13:54 ./
drwxr-xr-x 3 root root 4096 Jun 20 13:53 ../
-rw-r--r-- 1 root root 1678 Jun 20 13:54 dlp.srv.world-20160620-135411.twr

# update database with a specific report

root@dlp:~#
tripwire -m u -a -s -c /etc/tripwire/tw.cfg \
-r /var/lib/tripwire/report/dlp.srv.world-20160620-135411.twr

 
Tweet