Tuesday, 9 June 2015

Host based IDS: Tripwire in RHEL7

Host-based IDSes mainly rely on integrity checking. Integrity checking involves the creation of a protected database of checksums, hashes, and other attributes of a host's critical system files. The integrity checker periodically checks those files against the database. if a file has changed, an alert is logged. Both Tripwire and AIDE are utilities used to monitor the integrity of files. They both create a secure password protected database of file and directory attributes that is used to compare against the current files and directories for changes. If files being monitored are modified in any way, Tripwire and AIDE will notify administrators.

We will install and configure tripwire on the following machine:

Server name         :meru.mycompany.com
Server IP Address:

Perform the following steps:
1) Install tripwire.
1.1) Install EPEL repository.
[root@server1 ~]# yum install epel-release

1.2) Install tripwire from the EPEL repository.
[root@meru ~]# yum --disablerepo=\* --enablerepo=epel install tripwire

2) Create site and local passphrase.
The site passphrase is used to encrypt and sign the Tripwire configuration and policy files. The local passphrase is used to encrypt and sign Tripwire's databases and reports. 

2.1) Create site passphrase 'site.key'.
[root@meru ~]# cd /etc/tripwire/
[root@meru tripwire]# twadmin --generate-keys --site-keyfile site.key
Enter the site keyfile passphrase: 
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...
Key generation complete.

2.2) Create local passphrase 'meru.mycompany.com-local.key'.(In our case $HOSTNAME will expand to 'meru.mycompany.com')
[root@meru tripwire]# twadmin --generate-keys --local-keyfile $HOSTNAME-local.key
Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...
Key generation complete.

2.3) View the generated passphrases.
[root@meru tripwire]# ls
meru.mycompany.com-local.key  site.key  twcfg.txt  twpol.txt

3) View and edit configuration and policy file. 
The configuration file 'twcfg.txt' controls basic characteristics of tripwire's environment and behavior. The Policy file 'twpol.txt' determines what tripwire looks for and how it reacts.

3.1) View configuration settings in clear text configuration file 'twcfg.txt'.

3.2) View the clear text policy file 'twpol.txt'.

A Tripwire policy is a sequence of two kind of rules. Normal ones define which properties of a file or directory tree must be checked, in this format:

object_name -> property_mask (attribute = value);
object_name is the Tripwire term for files and directories.

property_mask is a series of file or directory  properties to examine or ignore for a given object. There are a number of predefined variables that describe common property masks such as ReadOnly, Dynamic, Growing, IgnoreNone, Device.

Attributes provide additional, rule-specific information. There are 4 attributes: rulename, severity, emailto, recurse.

The other kind of rules are stop points, which define an exception to a rule (tell Tripwire not to scan a particular file or directory).

For example,
/home/shabbir/www  ->  $(ReadOnly)  (recurse=1) ;  

tells Tripwire to treat the first level of my WWW directory as read-only. recurse=1 means to check the dir down one level (the dir itself plus everything immediately below, but no further).

!/home/shabbir/www/guestbook.html ;

is a stop point. Tells tripwire to ignore changes to the file guestbook.html.

4) Encrypt configuration and policy files.

4.1) Encrypt cleartext configuration file 'twcfg.txt' using the site key to create encrypted binary config file 'tw.cfg'.
 [root@meru tripwire]# twadmin --create-cfgfile --site-keyfile ./site.key twcfg.txt
Please enter your site passphrase:
Wrote configuration file: /etc/tripwire/tw.cfg

4.2) Encrypt cleartext policy file 'twpol.txt' using the site key to create encrypted binary policy file 'tw.pol'.
[root@meru tripwire]# twadmin --create-polfile  --site-keyfile ./site.key twpol.txt
Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol

NOTE: The reason why the two files must be encrypted is that Tripwire will discover if they are corrupted much more easily than if they were in plain-text format. You should delete the plain text versions after encrypting them. The plain text versions can be retrieved later by the commands:
twadmin --print-cfgfile > twcfg.txt
twadmin --print-polfile > twpol.txt

5) Create (Initialize) the Database.
Tripwire reads the policy file, generates a database based on its contents, and then crypto‐graphically signs the resulting database.  

[root@meru tripwire]# tripwire --init
Wrote database file: /var/lib/tripwire/meru.mycompany.com.twd
The database was successfully generated.

6) Run Periodic Checks.
[root@meru tripwire]# tripwire --check

This compares all protected files against the hash database and prints a report both on the screen and to a binary file. The report will reside in '/var/lib/tripwire/report' with a time-date stamp appended to it's filename. The report can be viewed later with the command
[root@meru tripwire]# twprint --print-report --report-level 4 --twrfile /var/lib/tripwire/report/meru.mycompany.com-20150608-154127.twr

The generated report describes each policy file violation in detail, depending on whether the specified file system object was added, deleted, or changed.  Each report item lists the properties of the object as it currently resides on the file system, and, if appropriate, the old value stored in the database.

If there are differences between the database and the current system, the administrator can either fix the problem by replacing the current file with the correct file (e.g., an intruder replaced /bin/login), or update the database to reflect the new file (e.g., a fellow system administrator installed a new version of /usr/local/bin/emacs).

7) Updating Tripwire's database after violations. 
Running tripwire in Database Update mode allows any differences between the database and the current system to be reconciled. This will prevent the violation from showing up in future reports. If the reported change is unexpected and potentially malicious, then the changed file should be replaced with the original version.  If there is a valid reason for the change, the database must be changed to match the current files.

[root@meru tripwire]# tripwire --update --twrfile /var/lib/tripwire/report/meru.mycompany.com-20150608-154127.twr

Remove the "x" from the adjacent box to prevent updating the database with the new values for this object.
[x] "/home/shabbir/www"

NOTE: If the change is legitimate, leave the 'x' there. If it isn't , delete the 'x'. 

The second way to update the database is to run the check in interactive mode, which starts the update session after the check finishes.
[root@meru tripwire]# tripwire --check --interactive

8) Changing Tripwire's Policy.
twadmin command should be used to install only the initial policy, not updated policies. If you need to change your tripwire policy after the database has been initialized (i.e. after you've run tripwire --init), use the below commands to dump, edit and install it again.

8.1) Generate the plain text version
[root@meru tripwire]# twadmin --print-polfile > twpol.txt

8.2) Edit the plain text policy file
[root@meru tripwire]# vi twpol.txt

8.3) Install the updated policy
[root@meru tripwire]# tripwire --update-policy twpol.txt

Tripwire will parse the policy file, generate a new database, and compare all records that the new and old database have in common. If any of the common records don't match, tripwire will not update the database or the policy. You will need to run a tripwire --check followed by --update (or  --check --interactive). Then run the policy update again.

9) Run automatic checking.
A cron job has already been set up. The tripwire RPM installs the script '/etc/cron.daily/tripwire-chec'. Tripwire will perform an integrity check once  every day,  and the generated report will be emailed to root.

1 comment:

  1. Hi All!

    I'm selling fresh & genuine SSN Leads, with good connectivity. All data properly checked & verified.
    Headers in Leads:

    First Name | Last Name | SSN | Dob | Address | State | City | Zip | Phone Number | Account Number | Bank Name | DL Number | Routing Number | IP Address | Reference | Email | Rental/Owner |

    *You can ask for sample before any deal
    *Each lead will be cost $1
    *Premium Lead will be cost $5
    *If anyone wants in bulk I will negotiate
    *Sampling is just for serious buyers

    Hope for the long term deal
    For detailed information please contact me on:

    Whatsapp > +923172721122
    email > leads.sellers1212@gmail.com
    telegram > @leadsupplier
    ICQ > 752822040