Tripwire : Host based IDS
2016/06/19
Install and configure the host-based IDS (Intrusion Detection System) "Tripwire".
[1] | Install Tripwire. |
root@dlp:~# apt-get -y install tripwire
# Enter
+------------------------+ Tripwire Configuration +-------------------------+
| |
| Tripwire uses a pair of keys to sign various files, thus ensuring their
| unaltered state. By accepting here, you will be prompted for the
| passphrase for the first of those keys, the site key, during the
| installation. You are also agreeing to create a site key if one doesn't
| exist already. Tripwire uses the site key to sign files that may be
| common to multiple systems, e.g. the configuration & policy files. See
| twfiles(5) for more information.
|
| Unfortunately, due to the Debian installation process, there is a period
| of time where this passphrase exists in a unencrypted format. Were an
| attacker to have access to your machine during this period, he could
| possibly retrieve your passphrase and use it at some later point.
|
| If you would rather not have this exposure, decline here. You will then
|
| <Ok> |
|
+---------------------------------------------------------------------------+

# select Yes and Enter
+------------------------+ Tripwire Configuration +------------------------+
| |
| Do you wish to create/use your site key passphrase during installation? |
| |
| <Yes> <No> |
| |
+--------------------------------------------------------------------------+

# Enter
+------------------------+ Tripwire Configuration +-------------------------+
| |
| Tripwire uses a pair of keys to sign various files, thus ensuring their
| unaltered state. By accepting here, you will be prompted for the
| passphrase for the second of those keys, the local key, during the
| installation. You are also agreeing to create a local key if one
| doesn't exist already. Tripwire uses the local key to sign files that
| are specific to this system, e.g. the tripwire database. See twfiles(5)
| for more information.
|
| Unfortunately, due to the Debian installation process, there is a period
| of time where this passphrase exists in a unencrypted format. Were an
| attacker to have access to your machine during this period, he could
| possibly retrieve your passphrase and use it at some later point.
|
| If you would rather not have this exposure, decline here. You will then
|
| <Ok> |
|
+---------------------------------------------------------------------------+

# select Yes and Enter
+------------------------+ Tripwire Configuration +-------------------------+
| |
| Do you wish to create/use your local key passphrase during installation? |
| |
| <Yes> <No> |
| |
+---------------------------------------------------------------------------+

# select Yes and Enter
+------------------------+ Tripwire Configuration +------------------------+
| |
| Tripwire keeps its configuration in a encrypted database that is |
| generated, by default, from /etc/tripwire/twcfg.txt |
| |
| Any changes to /etc/tripwire/twcfg.txt, either as a result of a change |
| in this package or due to administrator activity, require the |
| regeneration of the encrypted database before they will take effect. |
| |
| Selecting this action will result in your being prompted for the site |
| key passphrase during the post-installation process of this package. |
| |
| Rebuild Tripwire configuration file? |
| |
| <Yes> <No> |
| |
+--------------------------------------------------------------------------+

# select Yes and Enter
+------------------------+ Tripwire Configuration +-------------------------+
| |
| Tripwire keeps its policies on what attributes of which files should be |
| monitored in a encrypted database that is generated, by default, from |
| /etc/tripwire/twpol.txt |
| |
| Any changes to /etc/tripwire/twpol.txt, either as a result of a change |
| in this package or due to administrator activity, require the |
| regeneration of the encrypted database before they will take effect. |
| |
| Selecting this action will result in your being prompted for the site |
| key passphrase during the post-installation process of this package. |
| |
| Rebuild Tripwire policy file? |
| |
| <Yes> <No> |
| |
+---------------------------------------------------------------------------+

# set site keyfile passphrase
+--------------------------+ Get site passphrase +--------------------------+
| Tripwire uses two different keys for authentication and encryption of |
| files. The site key is used to protect files that could be used across |
| several systems. This includes the policy and configuration files. |
| |
| You are being prompted for this passphrase either because no site key |
| exists at this time or because you have requested the rebuilding of the |
| policy or configuration files. |
| |
| Remember this passphrase; it is not stored anywhere! |
| |
| Enter site-key passphrase: |
| |
| ********_________________________________________________________________ |
| |
| <Ok> |
| |
+---------------------------------------------------------------------------+

# confirm above
+----------------------+ Get site passphrase +-----------------------+
| Please repeat the site pass phrase to be sure you didn't mistype. |
| |
| Repeat the site-key passphrase: |
| |
| ********__________________________________________________________ |
| |
| <Ok> |
| |
+--------------------------------------------------------------------+

# set local keyfile passphrase
+-------------------------+ Get local passphrase +--------------------------+
| Tripwire uses two different keys for authentication and encryption of |
| files. The local key is used to protect files specific to the local |
| machine, such as the Tripwire database. The local key may also be used |
| for signing integrity check reports. |
| |
| You are being prompted for this passphrase because no local key file |
| currently exists. |
| |
| Remember this passphrase; it is not stored anywhere! |
| |
| Enter local key passphrase: |
| |
| ********_________________________________________________________________ |
| |
| <Ok> |
| |
+---------------------------------------------------------------------------+

# confirm above
+----------------------+ Get local passphrase +-----------------------+
| Please repeat the local pass phrase to be sure you didn't mistype. |
| |
| Repeat the local key passphrase: |
| |
| ********___________________________________________________________ |
| |
| <Ok> |
| |
+---------------------------------------------------------------------+

# Enter
+-------------------------+ Get local passphrase +-------------------------+
| |
| Tripwire has been installed |
| |
| The Tripwire binaries are located in /usr/sbin and the database is |
| located in /var/lib/tripwire. It is strongly advised that these |
| locations be stored on write-protected media (e.g. mounted RO floppy). |
| See /usr/share/doc/tripwire/README.Debian for details. |
| |
| <Ok> |
| |
+--------------------------------------------------------------------------+
[2] | Create keys and initialize database. |
root@dlp:~# cd /etc/tripwire
root@dlp:/etc/tripwire# vi twcfg.txt
# line 12: report level (4 is max)
REPORTLEVEL = 4

# generate config
root@dlp:/etc/tripwire# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase:
# answer with site keyfile passphrase
Wrote configuration file: /etc/tripwire/tw.cfg

# policy customization script used below (save as twpolmake.pl)

#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#    perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

# three-argument open: the file name is never interpreted as a mode or a pipe
open(POL, '<', $POLFILE) or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    # replace the HOSTNAME value with this machine's host name
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    # track whether we are inside a rule block { ... } (braces escaped for newer Perl)
    elsif ( /^\{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^\}/ ) {
        $INRULE=0 ;
    }
    # rule line: optional '#', an absolute path, then "-> properties"
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $ret is the number of '#' removed, i.e. non-zero if the line was commented out
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        # -s is true only for an existing path with non-zero size
        if (! -s $tpath) {
            # path is missing: comment the rule out unless it already was
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            # path exists: make sure the rule is active
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;

root@dlp:/etc/tripwire# perl twpolmake.pl twpol.txt > twpol.txt.new
root@dlp:/etc/tripwire# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

# create database
root@dlp:/etc/tripwire# tripwire -m i -s -c tw.cfg
Please enter your local passphrase:
[3] | Run a check manually. (A daily check script for cron is included in the package.) |
root@dlp:~# tripwire -m c -s -c /etc/tripwire/tw.cfg
Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by:          root
Report created on:            Mon 20 Jun 2016 01:54:11 AM JST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    dlp.srv.world
Host IP address:              10.0.0.30
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/dlp.srv.world.twd
Command line used:            tripwire -m c -s -c /etc/tripwire/tw.cfg

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Other binaries                  66                0        0        0
  Tripwire Binaries               100               0        0        0
  Other libraries                 66                0        0        0
  Root file-system executables    100               0        0        0
* Tripwire Data Files             100               1        0        0
  System boot changes             100               0        0        0
  Root file-system libraries      100               0        0        0
  (/lib)
  Critical system boot files      100               0        0        0
  Other configuration files       66                0        0        0
  (/etc)
  Boot Scripts                    100               0        0        0
  Security Control                66                0        0        0
  Root config files               100               0        0        0
  Devices & Kernel information    100               0        0        0
  (/dev)
  Invariant Directories           66                0        0        0

Total objects scanned:  27638
Total violations found:  1

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire/dlp.srv.world.twd)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/dlp.srv.world.twd"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
[4] | If the detected differences are not a problem, update the database as follows. |
# results are saved under the directory below
root@dlp:~# ll /var/lib/tripwire/report
total 12
drwxr-xr-x 2 root root 4096 Jun 20 13:54 ./
drwxr-xr-x 3 root root 4096 Jun 20 13:53 ../
-rw-r--r-- 1 root root 1678 Jun 20 13:54 dlp.srv.world-20160620-135411.twr

# update database with a specific report
root@dlp:~# tripwire -m u -a -s -c /etc/tripwire/tw.cfg \
-r /var/lib/tripwire/report/dlp.srv.world-20160620-135411.twr
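
The update in [4] uses -a, which accepts every change recorded in the report without review. The shell functions below are an added example (not from the original page or the Tripwire package): they read a text report, such as the output of twprint -m r, and list every changed object that is not on an allowlist of expected paths. The allowlist file name is hypothetical, and the sample report is built from the report in [3] plus one constructed Modified entry.

```shell
#!/bin/sh
# Added example: not part of the original page or of the Tripwire package.

# list_changes: text report on stdin -> "Kind<TAB>path" per changed object.
# Assumes the Object Summary layout of the report in [3] (quoted paths under
# Added:/Removed:/Modified:); parsing stops at the next report section.
list_changes() {
    awk '
        /^Object Summary:/               { in_obj = 1; next }
        /^(Object Detail|Error Report):/ { in_obj = 0 }
        in_obj && /^[ \t]*(Added|Removed|Modified):/ { kind = $1; sub(/:$/, "", kind) }
        in_obj && match($0, /"[^"]+"/) {
            print kind "\t" substr($0, RSTART + 1, RLENGTH - 2)
        }
    '
}

# unexpected_changes ALLOWLIST: print every change whose path is not listed
# (one exact path per line) in ALLOWLIST. A missing allowlist allows nothing.
unexpected_changes() {
    list_changes | awk -F '\t' -v allow="$1" '
        BEGIN { while ((getline p < allow) > 0) ok[p] = 1 }
        !($2 in ok) { print }
    '
}

# Constructed sample: the Object Summary from [3] plus one made-up Modified entry.
sample_report() {
    cat <<'EOF'
Object Summary:
# Section: Unix File System
Rule Name: Tripwire Data Files (/var/lib/tripwire/dlp.srv.world.twd)
Severity Level: 100
Added:
"/var/lib/tripwire/dlp.srv.world.twd"
Rule Name: Other configuration files (/etc)
Severity Level: 66
Modified:
"/etc/ssh/sshd_config"
Error Report:
No Errors
EOF
}

# Intended use before the update in [4] (allowlist path is hypothetical):
#   twprint -m r -c /etc/tripwire/tw.cfg -r REPORT.twr |
#       unexpected_changes /etc/tripwire/expected-changes.txt
# Empty output means the report holds only expected changes.
```

With an allowlist containing only the database file, the sample report still yields the sshd_config entry, so that report would be reviewed by hand instead of being accepted with -a.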