Oct 11
Tripping
Securing a Linux server follows the same Unix philosophy as the rest of the system: you get an assortment of tools, each of which does one thing and does it well.
One of those tools is Tripwire, a host-based intrusion detection tool that safeguards the integrity of the server's filesystem. Tripwire builds a database of hashes (and other attributes) for a configurable list of files and directories; on each check it reports which of them were added, removed or modified compared to what the database holds.
In this post I'll show how to set it up on an Ubuntu server, starting with installation. Some posts suggest building from source, but I'd rather go with the reasonably recent version in the repos:
$ sudo aptitude install tripwire
During the installation you will be asked for a site passphrase and a local passphrase. Generate strong passphrases for both and keep them somewhere safe (the site key signs the configuration and policy, the local key signs the database and reports), then get ready for configuration.
Tripwire's configuration consists of two main files, twcfg.txt and twpol.txt (both under /etc/tripwire). Once you are done editing them, twadmin signs them with the site key into tw.cfg and tw.pol, and the plain-text copies should be removed from the server or kept somewhere offline, so that an intruder cannot simply read which folders you are watching (twadmin --print-polfile can regenerate the text from the signed file when you need to edit it again). The policy file, twpol.txt, lists which folders and files to watch for changes and the severity level that such changes imply.
Unfortunately the policy that the Ubuntu package generates watches /proc as a whole. That is problematic: /proc holds per-process entries that come and go all the time, so every check would be full of noise. Replace the "Devices & Kernel information" rule in the policy file with the following, which lists specific entries under /proc instead:
#
# Critical devices
#
(
rulename = "Devices & Kernel information",
severity = $(SIG_HI),
)
{
/dev -> $(Device) ;
/dev/mem -> $(Device) ;
/dev/null -> $(Device) ;
/dev/zero -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/tty -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/dma -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/interrupts -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/kcore -> $(Device) ;
/proc/self -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/stat -> $(Device) ;
/proc/loadavg -> $(Device) ;
/proc/uptime -> $(Device) ;
/proc/locks -> $(Device) ;
/proc/version -> $(Device) ;
/proc/meminfo -> $(Device) ;
/proc/cmdline -> $(Device) ;
/proc/misc -> $(Device) ;
}
Another spot I had to adjust was the /root section (the package's rule lists a number of dotfiles under /root; keep only the ones that exist on your box, or every check will warn about the missing files):
# These files change the behavior of the root account
(
rulename = "Root config files",
severity = 100
)
{
/root -> $(SEC_CRIT) ; # Catch all additions to /root
/root/.bash_history -> $(SEC_CONFIG) ;
/root/.bashrc -> $(SEC_CONFIG) ;
/root/.profile -> $(SEC_CONFIG) ;
}
Now we are ready to apply our configuration changes:
$ sudo twadmin --create-polfile --cfgfile /etc/tripwire/tw.cfg --site-keyfile /etc/tripwire/site.key /etc/tripwire/twpol.txt
This asks for the site passphrase and writes the signed policy to /etc/tripwire/tw.pol. Let's create our initial DB:
$ sudo tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/narkisr.com-local.key
Initialising prompts for the local passphrase and writes the baseline database under /var/lib/tripwire. Any "No such file or directory" warning at this point means the policy still references something that is not on disk and needs trimming. Now run our first check:
$ sudo tripwire --check
# ...
Rule Name                       Severity Level    Added    Removed  Modified
---------                       --------------    -----    -------  --------
Invariant Directories           66                0        0        0
Tripwire Data Files             100               0        0        0
Other binaries                  66                0        0        0
Tripwire Binaries               100               0        0        0
Other libraries                 66                0        0        0
Root file-system executables    100               0        0        0
System boot changes             100               0        0        0
Root file-system libraries      100               0        0        0
(/lib)
Critical system boot files      100               0        0        0
Other configuration files       66                0        0        0
(/etc)
Boot Scripts                    100               0        0        0
Security Control                66                0        0        0
Root config files               100               0        0        0
Devices & Kernel information    100               0        0        0
Total objects scanned: 12050
Total violations found: 0
The report lists everything that differs from the state recorded in the database, not just since the last check: a change keeps showing up on every run until the database is updated. Let's play a bit:
$ sudo touch /bin/bla
$ sudo tripwire --check
# ...
-------------------------------------------------------------------------------
Rule Name: Root file-system executables (/bin)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/bin/bla"
Modified:
"/bin"
As you can see, Tripwire warns us about the new file, and about /bin itself, whose directory entry changed. Let's clean it up:
$ sudo rm /bin/bla
$ sudo tripwire --check
# ... /bin is still reported as modified: its mtime changed when the file was created and again when it was removed
-------------------------------------------------------------------------------
Rule Name: Root file-system executables (/bin)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/bin/bla"
Modified:
"/bin"
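Why the directory keeps showing up after the file is gone, as an added example that is not from the original post: the ReadOnly property mask the policy uses for /bin records the directory's own modification time, and creating and then deleting an entry rewrites the directory inode twice, so deleting the file cannot put the recorded value back. The script below replays the touch/rm sequence on a scratch directory and succeeds when the directory still differs from its baseline. It assumes GNU stat as shipped on Ubuntu (BSD stat takes different flags).

```shell
#!/bin/sh
# Added example (not from the original post): reproduce why "Modified: /bin"
# remains after /bin/bla is removed. The directory inode's mtime changes when
# an entry is created and again when it is removed; Tripwire compares the
# recorded mtime, so only a database update clears the finding.
# Everything happens in a scratch directory; nothing under /bin is touched.
set -eu

# Modification time of a path in seconds since the epoch (GNU stat, as on
# Ubuntu; this is an assumption, BSD stat would need "stat -f %m").
mtime_of() {
    stat -c %Y "$1"
}

# Replay the post's touch/rm sequence inside $1 and return 0 if the directory's
# mtime still differs from the baseline afterwards, 1 if it was restored.
dir_still_modified_after_add_remove() {
    dir=$1
    baseline=$(mtime_of "$dir")     # what the Tripwire database would hold
    sleep 1                         # stat -c %Y has one-second resolution
    touch "$dir/bla"                # "Added: bla", "Modified: dir"
    rm "$dir/bla"                   # the entry is gone, but the inode was rewritten again
    after=$(mtime_of "$dir")
    [ "$baseline" != "$after" ]
}

# Demonstration on a temporary directory
scratch=$(mktemp -d)
if dir_still_modified_after_add_remove "$scratch"; then
    echo "directory mtime changed: Tripwire would still report it as modified"
else
    echo "directory mtime restored"
fi
rmdir "$scratch"
```

The same reasoning applies to any directory in the policy: deleting an unwanted file removes the "Added" finding, but the parent stays "Modified" until you accept it with --update.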
Once we are satisfied that the change was legitimate, we update the database from the last report (-Z low selects Tripwire's low security mode, which is more lenient about objects that changed again after the report was written):
$ sudo tripwire --update -Z low --twrfile /var/lib/tripwire/report/narkisr.com-20111007-185529.twr
# ...
Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.
Modified:
[x] "/bin"
Tripwire opens the report in an editor with every change marked "[x]". Leaving a box ticked accepts that change as legitimate and writes the new values into the database, so further checks will not warn about it; removing the "x" keeps the old baseline and the change will keep being reported. The update is signed with the local key, so it prompts for the local passphrase. The last thing left is to automate the check so that we find out on a regular basis when things break:
$ sudo cat /etc/cron.d/tripwire
0 2 * * * root /usr/sbin/tripwire --check 2>&1 | /usr/bin/mail -s "Tripwire Check" narkisr@somewhere.com
Two details matter here: files under /etc/cron.d use the /etc/crontab format, so the user field (root) is required, and the 2>&1 has to sit before the pipe, otherwise Tripwire's warnings go to cron's own mail instead of into the report. Check whether the package already installed a job under /etc/cron.daily before adding this one, so you do not run two checks a night. Bear in mind that root on the box can also edit this entry or the mail setup, so a report that stops arriving is a signal in itself; keep the reports (and ideally a copy of the database) off the host.
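As an added example (not from the original post), the wrapper below is what I would put behind that cron entry instead of mailing the full report every night: it runs the check, reads the "Total violations found:" line and the rule summary table from the text report, and mails only when the count is not zero or the summary cannot be read. The script name tripwire-notify, the address and the use of /usr/bin/mail are assumptions, and the sample report at the bottom is constructed to mirror the summary shown earlier so the parsing can be tried on a box without Tripwire.

```shell
#!/bin/sh
# Added example, not from the original post: a cron wrapper that mails only
# when a check finds violations (or the report cannot be read), instead of
# sending every nightly report. The wrapper's name (tripwire-notify), the mail
# address and /usr/bin/mail are assumptions; the report lines it parses are the
# "Total violations found:" line and the rule summary table shown in the post.
set -u

MAILTO=${MAILTO:-narkisr@somewhere.com}

# Read a report on stdin and print the number after "Total violations found:".
# Prints "unknown" and returns 1 when the line is missing, so a truncated or
# failed run is never mistaken for a clean one.
violations_in_report() {
    n=$(sed -n 's/^[[:space:]]*Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$n" ]; then
        echo unknown
        return 1
    fi
    echo "$n"
}

# Print the rule names from the summary table whose Added/Removed/Modified
# counts are not all zero. Tripwire prefixes such rules with "*" in the
# summary; the prefix is stripped. Continuation lines like "(/lib)" have too
# few fields and are skipped.
violated_rules() {
    awk '
        /^[[:space:]]*Rule Name[[:space:]]+Severity Level/ { in_table = 1; next }
        /^[[:space:]]*Total objects scanned/              { in_table = 0 }
        !in_table                                          { next }
        /^[[:space:]]*-+[[:space:]]+-+/                    { next }   # dashes row
        { sub(/^[[:space:]]*\*[[:space:]]*/, "") }                     # drop "* " marker
        NF >= 5 && $(NF-3) ~ /^[0-9]+$/ && ($NF + $(NF-1) + $(NF-2)) > 0 {
            name = $1
            for (i = 2; i <= NF - 4; i++) name = name " " $i
            print name
        }
    '
}

# Run the check, inspect the text report and mail only when something is off.
# tripwire --check also writes its signed .twr under /var/lib/tripwire/report,
# which is the file a later --update takes.
run_check_and_notify() {
    out=$(mktemp) || return 1
    /usr/sbin/tripwire --check >"$out" 2>&1
    count=$(violations_in_report <"$out") || count=unknown
    if [ "$count" != 0 ]; then
        {
            echo "Tripwire on $(hostname): $count violation(s)"
            echo "Rules affected:"
            violated_rules <"$out"
            echo
            cat "$out"
        } | /usr/bin/mail -s "Tripwire Check on $(hostname): $count violation(s)" "$MAILTO"
    fi
    rm -f "$out"
}

# Constructed sample report (modelled on the summary in the post) so the
# parsers can be exercised on a box without Tripwire installed.
sample_report() {
    cat <<'EOF'
Rule Summary:
Rule Name                       Severity Level    Added    Removed  Modified
---------                       --------------    -----    -------  --------
Invariant Directories           66                0        0        0
Tripwire Data Files             100               0        0        0
* Root file-system executables  100               1        0        1
Root file-system libraries      100               0        0        0
(/lib)
Devices & Kernel information    100               0        0        0
Total objects scanned: 12050
Total violations found: 2
EOF
}

# Invoked from cron as "tripwire-notify --cron"; run without arguments it only
# demonstrates the parsers on the sample report.
if [ "${1:-}" = "--cron" ]; then
    run_check_and_notify
else
    echo "violations: $(sample_report | violations_in_report)"
    echo "rules:"
    sample_report | violated_rules
fi
```

Install it as /usr/local/sbin/tripwire-notify and point the cron entry at it (0 2 * * * root /usr/local/sbin/tripwire-notify --cron); run it by hand without arguments to watch the parsers work on the sample report. Treating a missing summary as "unknown" rather than as zero is deliberate: a check that was killed, or a tripwire binary that was replaced, must not look like a clean night.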
