Host based IDS - Tripwire
|
[1] | Install a host-based IDS (Intrusion Detection System). Tripwire is one such tool: it records a signed baseline of file attributes and hashes and, on each check, reports objects that were added, removed or modified since. This example shows how to install and configure it. Initialize the baseline only on a host you trust to be clean at that moment; a database built on an already-compromised system simply records the attacker's changes as normal. |
[root@www ~]# yum --enablerepo=epel -y install tripwire # install from EPEL
[root@www ~]# /usr/sbin/tripwire-setup-keyfiles # input pass phrase during installation like below
Enter the site keyfile passphrase: # (1) set passphrase
Verify the site keyfile passphrase: # verify
Enter the local keyfile passphrase: # (2) set passphrase
Verify the local keyfile passphrase: # verify
# (1) and (2) should be two different, strong passphrases: the site key signs the
# configuration and policy, the local key signs the database and reports below
Please enter your site passphrase: # (1) input passphrase
Please enter your site passphrase: # (1) input passphrase
[root@www ~]# cd /etc/tripwire
[root@www tripwire]# vi twcfg.txt
# line 9: change
LOOSEDIRECTORYCHECKING = true
# true: directory properties that change only because a file was added to or
# removed from the directory are not reported; the added/removed files themselves still are
# line 12: change
REPORTLEVEL = 4
[root@www tripwire]# twadmin -m F -c tw.cfg -S site.key twcfg.txt
Please enter your site passphrase: # (1) input passphrase
Wrote configuration file: /etc/tripwire/tw.cfg
# create the file below
[root@www tripwire]# vi twpolmake.pl
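#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
# Reads the cleartext Tripwire policy named on the command line and
# prints an adjusted copy to stdout:
#   * a "HOSTNAME = ... ;" line is rewritten to this machine's hostname
#     when it differs;
#   * inside a rule block ("{" ... "}"), a "/path -> mask" entry whose
#     path fails -s (missing, or an existing zero-length file) is
#     commented out, and an already commented entry whose path now
#     passes -s is re-enabled;
#   * for /sbin/e2fsadm the trailing "tune2fs ..." clause is commented.
# Run as root (so -s sees every path) before signing with twadmin -m P.
use strict;
use warnings;
use Sys::Hostname;

my $POLFILE = $ARGV[0];
defined $POLFILE or die "Usage: $0 {Pol file}\n";
# Three-argument open with an explicit '<' mode: two-argument
# open(POL, "$POLFILE") would treat a name starting with '>' or '|'
# (or ending in '|') as a redirection or pipe, which matters for a
# script that runs as root.
open(my $POL, '<', $POLFILE) or die "open error: $POLFILE: $!\n";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my $INRULE = 0;
while (<$POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        # Core Sys::Hostname instead of a PATH-dependent `hostname` subprocess.
        $myhost = hostname();
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    elsif (/^\{/) {
        $INRULE = 1;
    }
    elsif (/^\}/) {
        $INRULE = 0;
    }
    elsif ($INRULE == 1
           and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # Strip a leading '#' and remember whether the entry was commented
        # out: s///g returns the substitution count, or "" when nothing
        # matched, hence the "|| 0" to keep the numeric comparison clean.
        my $ret = ($sharp =~ s/\#//g) || 0;
        if ($tpath eq '/sbin/e2fsadm') {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }
        if (! -s $tpath) {
            # Object missing (or an empty file): comment the entry out,
            # unless it was already commented, in which case it is left as is.
            $_ = "$sharp#$tpath$cond" if ($ret == 0);
        }
        else {
            $_ = "$sharp$tpath$cond";
        }
    }
    print "$_\n";
}
close($POL);
[root@www tripwire]# perl twpolmake.pl twpol.txt > twpol.txt.new
[root@www tripwire]# twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new
Please enter your site passphrase: # passphrase
Wrote policy file: /etc/tripwire/tw.pol
[root@www tripwire]# tripwire -m i -s -c tw.cfg # create DB
Please enter your local passphrase: # passphrase
[root@www tripwire]# tripwire -m c -s -c tw.cfg # run checking
Open Source Tripwire(R) 2.4.1 Integrity Check Report
Report generated by: root
Report created on: Wed 16 May 2007 10:17:40 PM JST
Database last updated on: Never
======================================================
Report Summary:
======================================================
Host name: www.server-linux.info
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /usr/local/etc/tw.pol
Configuration file used: /usr/local/etc/tw.cfg
Database file used: /usr/local/lib/tripwire/www.server-linux.info.twd
Command line used: tripwire -m c -s -c tw.cfg
======================================================
Rule Summary:
======================================================
------------------------------------------------------
Section: Unix File System
-------------------------------------------------------
Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Tripwire Data Files 0 0 0 0
* Monitor Filesystems 0 0 0 2
User Binaries and Libraries 0 0 0 0
Tripwire Binaries 0 0 0 0
OS Binaries and Libraries 0 0 0 0
Temporary Directories 0 0 0 0
Global Configuration Files 0 0 0 0
System Boot Changes 0 0 0 0
RPM Checksum Files 0 0 0 0
(/var/lib/rpm)
OS Devices and Misc Directories 0 0 0 0
OS Boot Files and Mount Points 0 0 0 0
Root Directory and Files 0 0 0 0
Total objects scanned: 60551
Total violations found: 2
======================================================
Object Summary: 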
====================================================== ------------------------------------------------------ # Section: Unix File System ------------------------------------------------------ ------------------------------------------------------ Rule Name: Monitor Filesystems (/var) Severity Level: 0 ------------------------------------------------------ Modified: "/var/yp/binding/server-linux.info.1" "/var/yp/binding/server-linux.info.2" ====================================================== Error Report: ====================================================== No Errors ------------------------------------------------------ *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. |
[2] | Add a new file and run the check again. |
[root@www tripwire]# [root@www ~]# touch hacking [root@www ~]# tripwire -m c -s -c /etc/tripwire/tw.cfg Open Source Tripwire(R) 2.4.1 Integrity Check Report Report generated by: root Report created on: Wed 16 May 2007 10:17:40 PM JST Database last updated on: Never ====================================================== Report Summary: ====================================================== Host name: www.server-linux.info Host IP address: 127.0.0.1 Host ID: None Policy file used: /usr/local/etc/tw.pol Configuration file used: /usr/local/etc/tw.cfg Database file used: /usr/local/lib/tripwire/www.server-linux.info.twd Command line used: tripwire -m c -s -c tw.cfg ====================================================== Rule Summary: ====================================================== ------------------------------------------------------ Section: Unix File System ------------------------------------------------------ Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- Tripwire Data Files 0 0 0 0 * Monitor Filesystems 0 0 0 2 User Binaries and Libraries 0 0 0 0 Tripwire Binaries 0 0 0 0 OS Binaries and Libraries 0 0 0 0 Temporary Directories 0 0 0 0 Global Configuration Files 0 0 0 0 System Boot Changes 0 0 0 0 RPM Checksum Files 0 0 0 0 (/var/lib/rpm) OS Devices and Misc Directories 0 0 0 0 OS Boot Files and Mount Points 0 0 0 0 * Root Directory and Files 0 1 0 0 Total objects scanned: 60552 Total violations found: 3 ====================================================== Object Summary: ====================================================== ------------------------------------------------------ # Section: Unix File System ------------------------------------------------------ ------------------------------------------------------ Rule Name: Monitor Filesystems (/var) Severity Level: 0 ------------------------------------------------------ Modified: "/var/yp/binding/server-linux.info.1" "/var/yp/binding/server-linux.info.2" 
------------------------------------------------------ Rule Name: Root Directory and Files (/root) Severity Level: 0 ------------------------------------------------------ Added: "/root/hacking" # just detected ====================================================== Error Report: ====================================================== No Errors ------------------------------------------------------ *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. |
[3] | After a check, once you have confirmed that every reported change is expected, update the database from the report like below. Leave the "[x]" only on entries you have verified; an unexplained addition such as "/root/hacking" should be investigated rather than accepted into the baseline, because anything accepted here stops being reported. |
[root@www ~]# tripwire -m u -r /var/lib/tripwire/report/www.server-linux.info-20070517-014755.twr Open Source Tripwire(R) 2.4.1 Integrity Check Report Report generated by: root Report created on: Wed 16 May 2007 10:17:40 PM JST Database last updated on: Never ====================================================== Report Summary: ====================================================== Host name: www.server-linux.info Host IP address: 127.0.0.1 Host ID: None Policy file used: /usr/local/etc/tw.pol Configuration file used: /usr/local/etc/tw.cfg Database file used: /usr/local/lib/tripwire/www.server-linux.info.twd Command line used: tripwire -m c -s -c tw.cfg ====================================================== Rule Summary: ====================================================== ------------------------------------------------------ Section: Unix File System ------------------------------------------------------ Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- Tripwire Data Files 0 0 0 0 * Monitor Filesystems 0 0 0 2 User Binaries and Libraries 0 0 0 0 Tripwire Binaries 0 0 0 0 OS Binaries and Libraries 0 0 0 0 Temporary Directories 0 0 0 0 Global Configuration Files 0 0 0 0 System Boot Changes 0 0 0 0 RPM Checksum Files 0 0 0 0 (/var/lib/rpm) OS Devices and Misc Directories 0 0 0 0 OS Boot Files and Mount Points 0 0 0 0 * Root Directory and Files 0 1 0 0 Total objects scanned: 60552 Total violations found: 3 ====================================================== Object Summary: ====================================================== ------------------------------------------------------ # Section: Unix File System ------------------------------------------------------ ------------------------------------------------------ Rule Name: Monitor Filesystems (/var) Severity Level: 0 ------------------------------------------------------ Remove the "x" from the adjacent box to prevent updating the database with the new values 
for this object. Modified: [x] "/var/yp/binding/server-linux.info.1" [x] "/var/yp/binding/server-linux.info.2" ------------------------------------------------------ Rule Name: Root Directory and Files (/root) Severity Level: 0 ------------------------------------------------------ Remove the "x" from the adjacent box to prevent updating the database with the new values for this object. Added: [x] "/root/hacking" ====================================================== Error Report: ====================================================== No Errors ------------------------------------------------------ *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved. # save and exit only when every listed change has been verified as expected (remove the "x" from anything you cannot explain). Then the local passphrase is required; input it and the database is updated. Please enter your local passphrase: Wrote database file: /usr/local/lib/tripwire/www.server-linux.info.twd |