Learn Linux Series (#8) - Intrusion detection system TripWire

Learn Linux Series (#8) - Intrusion detection system TripWire

What Will I Learn?

• What is TripWire
• How to install TripWire
• How to Configure the Policy File to Match Your System
• How to Set Up Email Notifications
• How to Automate Tripwire with Cron

Requirements

• Linux system installed
• Basic knowledge of terminal operation
• Average knowledge of linux commands
• Motivation when something goes wrong

Difficulty

• Intermediate
  
  
  
  
  
• What is TripWire
  

Tripwire is a free software security and data integrity tool for monitoring and alerting on specific file changes on a range of systems. This software can keep track of many different filesystem data points in order to detect whether unauthorized changes have occurred.
A host-based intrusion detection system (HIDS), works by collecting details about your computer's filesystem and configuration. It then stores this information to reference and validate the current state of the system. If changes are found between the known-good state and the current state, it could be a sign that your security has been compromised. The project's home page can be found at http://www.tripwire.org. This tool is available for free for Linux.

• How to install TripWire
  
  
  
  The installation of the tool is very simple. Fortunately, tripwire can be found in Ubuntu's default repositories. All you need to do is enter the following command to the terminal:

apt-get install tripwire 

It will ask you if you want to select passphrases during installation. Select "yes" to both of these prompts. It will ask if it can rebuild the configuration file. Select "yes". It will ask a similar question about the policy file. Again, answer "yes".


Next, you will be asked to choose and confirm a site key passphrase. Tripwire uses two keys to secure its configuration files.

1. "site key", used to encrypt configuration files
2. "local key", used to encrypt information about the status of monitored files.
   You will first choose and confirm a passphrase for the site key, and then for the local key. Make sure you choose strong passphrases.
   
   
   
   
   
   

• How to Configure the Policy File to Match Your System
  
  
  
  
  
  
  
  The configuration is done in the /etc/tripwire/twpol.txt file.
  Open the plain text policy in your editor with root privileges:

sudo nano /etc/tripwire/twpol.txt

Do a search for each of the files that were returned in the test_results file. Comment out all of the lines that you find that match.


In the "Boot Scripts" section, you should comment out the /etc/rc.boot line

(
  rulename = "Boot Scripts",
  severity = $(SIG_HI)
)
{
        /etc/init.d             -> $(SEC_BIN) ;
        #/etc/rc.boot            -> $(SEC_BIN) ;
        /etc/rcS.d              -> $(SEC_BIN) ;

There were a lot of files in the /root home directory that needed to be commented out on my system. Anything that is not present on your system should be commented out:

(
  rulename = "Root config files",
  severity = 100
)
{
        /root                           -> $(SEC_CRIT) ; # Catch all additions to /root
        #/root/mail                     -> $(SEC_CONFIG) ;
        #/root/Mail                     -> $(SEC_CONFIG) ;
        #/root/.xsession-errors         -> $(SEC_CONFIG) ;
        #/root/.xauth                   -> $(SEC_CONFIG) ;
        #/root/.tcshrc                  -> $(SEC_CONFIG) ;
        #/root/.sawfish                 -> $(SEC_CONFIG) ;
        #/root/.pinerc                  -> $(SEC_CONFIG) ;
        #/root/.mc                      -> $(SEC_CONFIG) ;
        #/root/.gnome_private           -> $(SEC_CONFIG) ;
        #/root/.gnome-desktop           -> $(SEC_CONFIG) ;
        #/root/.gnome                   -> $(SEC_CONFIG) ;
        #/root/.esd_auth                        -> $(SEC_CONFIG) ;
        #/root/.elm                     -> $(SEC_CONFIG) ;
        #/root/.cshrc                   -> $(SEC_CONFIG) ;
        /root/.bashrc                   -> $(SEC_CONFIG) ;
        #/root/.bash_profile            -> $(SEC_CONFIG) ;
        #/root/.bash_logout             -> $(SEC_CONFIG) ;
        /root/.bash_history             -> $(SEC_CONFIG) ;
        #/root/.amandahosts             -> $(SEC_CONFIG) ;
        #/root/.addressbook.lu          -> $(SEC_CONFIG) ;
        #/root/.addressbook             -> $(SEC_CONFIG) ;
        #/root/.Xresources              -> $(SEC_CONFIG) ;
        #/root/.Xauthority              -> $(SEC_CONFIG) -i ; # Changes Inode number on login
        #/root/.ICEauthority                -> $(SEC_CONFIG) ;
}

However, this will check every file under it. We don't particularly want that. Instead, we will remove this specification, and add configuration options for all of the directories under /proc that we do want to check:

{
        /dev                    -> $(Device) ;
        #/proc                  -> $(Device) ;
        /proc/devices           -> $(Device) ;
        /proc/net               -> $(Device) ;
        /proc/tty               -> $(Device) ;
        /proc/sys               -> $(Device) ;
        /proc/cpuinfo           -> $(Device) ;
        /proc/modules           -> $(Device) ;
        /proc/mounts            -> $(Device) ;
        /proc/dma               -> $(Device) ;
        /proc/filesystems       -> $(Device) ;
        /proc/interrupts        -> $(Device) ;
        /proc/ioports           -> $(Device) ;
        /proc/scsi              -> $(Device) ;
        /proc/kcore             -> $(Device) ;
        /proc/self              -> $(Device) ;
        /proc/kmsg              -> $(Device) ;
        /proc/stat              -> $(Device) ;
        /proc/loadavg           -> $(Device) ;
        /proc/uptime            -> $(Device) ;
        /proc/locks             -> $(Device) ;
        /proc/meminfo           -> $(Device) ;
        /proc/misc              -> $(Device) ;
}

While we are in this portion of the file, we also want to do something with the /dev/pts filesystem. Tripwire will not check that location by default because it is told to check /dev, and /dev/pts is on a separate filesystem, which it will not enter unless specified. To get tripwire to check this as well, we can explicitly name it here:

{
        /dev                    -> $(Device) ;
        /dev/pts                -> $(Device) ;
        #/proc                  -> $(Device) ;
        /proc/devices           -> $(Device) ;
        /proc/net               -> $(Device) ;
        /proc/tty               -> $(Device) ;
        . . .

The last thing we will comment out are the /var/run and /var/lock lines so that our system does not flag normal filesystem changes by services:

(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
        #/var/lock              -> $(SEC_CONFIG) ;
        #/var/run               -> $(SEC_CONFIG) ; # daemon PIDs
        /var/log                -> $(SEC_CONFIG) ;
}

Save and close the file when you are finished editing.

Now that our file is configured, we need to implement it by recreating the encrypted policy file that tripwire actually reads:

sudo twadmin -m P /etc/tripwire/twpol.txt

After this is created, we must reinitialize the database to implement our policy:

sudo tripwire --init

Please enter your local passphrase:
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /var/lib/tripwire/tripit.twd
The database was successfully generated.

All of the warnings that you received earlier should be gone now. If there are still warnings, you should continue editing your /etc/tripwire/twpol.txt file until they are gone.

• How to Set Up Email Notifications
  
  
  
  First of all we must install mail utilities:

sudo apt-get install mailutils

sudo tripwire --check | mail -s "Tripwire report for `uname -n`" [email protected]

for example:

sudo tripwire --check | mail -s "Tripwire report for `uname -n`" [email protected]

We should now "okay" the software changes we made by doing an interactive check to update the database.

sudo tripwire --check --interactive

The important part is near the top. After some introductory information, you should see some lines with check boxes for each of the added or modified files:

Rule Name: Other binaries (/usr/sbin)
Severity Level: 66
-------------------------------------------------------------------------------

Remove the "x" from the adjacent box to prevent updating the database
with the new values for this object.

Added:
[x] "/usr/sbin/maidag"

Modified:
[x] "/usr/sbin"
. . .

change it according to your preferences

• How to Automate Tripwire with Cron
  
  
  
  Check to see if root already has a crontab by issuing this command:

sudo crontab -l

If a crontab is present, you should pipe it into a file to back it up:

sudo sh -c 'crontab -l > crontab.bad'

Afterwards, we can edit the crontab by typing:

sudo crontab -e

The format we need to use is ``` language
min hour * * * command

To have tripwire run at morning every day, we can place a line like this in our file:
minutes hours * * *
``` language
00 6 * * * /usr/sbin/tripwire --check | mail -s "Tripwire report for `uname -n`" [email protected]

Set it according to your preferences.

Curriculum

• Part 1 - TCP/IP Computer Adaptation
• Part 2 - Proftpd management and configuration
• Part 3 - Introduction to programming
• Part 4 - e-mail server (Postfix)
• Part 5 - e-mail server (Exim)
• Part 6 - Attack Detection System Snort
• Part 7 - Defense against port scans PortSentry

---

Posted on Utopian.io - Rewarding Open Source Contributors

---