I'm looking for a mechanism to monitor the integrity of critical files on

FC4 servers. I understand Tripwire is the application to do it but I am having no success getting it set up. I downloaded the source from SourceForge but can not follow how to set it up. I could not locate an

for the application. Any help getting something set up would be greatly appreciated. Thanks! Bill Hahnel CI National Operations Center

On Thu, 2005-09-29 at 14:34, Hahnel William J (CI) wrote: >I'm looking for a mechanism to monitor the integrity of critical files >on my FC4 servers. I understand Tripwire is the application to do it >but I am having no success getting it set up. I downloaded the source >from SourceForge but can not follow how to set it up. I could not >locate an RPM for the application. > >Any help getting something set up would be greatly appreciated. > >Thanks! > >Bill Hahnel >CI National Operations Center > > You should find a tripwire rpm in the extras repository for Fedora. Note: the setup script is now located in /usr/sbin/tripwire-setup-keyfiles. It explains this in one of the readme files that comes with the rpm. That file will setup the key files for your system. You will need to edit the policy file to get things configured the way you want and to eliminate items which are not installed on your system or which you don't want to monitor. Then run through the normal steps for setting up the database and running the report. One alternative to tripwire is AIDE. The last time I looked at it though it seemed to be immature and not quite ready. It did not sign the policy or database files which means to setup this up in a secure manner you would have to arrange to keep those files off line or on read only media. I personally prefer tripwire. I always found this RedHat documentation to be useful when setting up or updating tripwire: http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/ch-trip... The only real change from those docs to now is the initialization script which is /usr/sbin/tripwire-setup-keyfiles now. I also came across this posting. I have not tried this script but if it does what it claims it could be very useful. As always I would recommend you manually check the policy file to make sure it is monitoring the files you want on your system. http://moongroup.com/pipermail/shell.scripting/2004-March/000849.html If you use that script and it works let us know.

On Fri, 2005-09-30 at 20:42, Ian wrote: > I'd never heard of Tripwire before, but it sounds like the ultimate > virus defence to me. Can it stop programs from running if they have > been changed without Tripwire being told? Or do you just get told when > a file has been modified (via the cron job, by which time it's > probably too late)? > The second thought that occurred to me was that, if a virus was trying > to modify system files, wouldn't it also attempt to update the > Tripwire database to match, so Tripwire wouldn't flag the change? > Could that be prevented? Does Tripwire monitor itself??? > Ian It is not a virus defense, it is a host based intrusion detection tool. Tripwires purpose is to periodically examine files specified in the policy file and report any differences. These differences are an indication that something was changed. If you are unable to trace the cause to a system update or modification that you performed then it may be an indication that someone else has modified files on your system. In the past I have used things like Big Brother to examine the tripwire reports and alarm if a violation is indicated. Tripwire will not stop programs from running, you should look to selinux to provide that kind of protection. Selinux will prevent a program from trying to change files or perform operations that are not authorized by the policy on the system. That is where having the policy and database files used by tripwire signed by a key. In order to update the database you must enter the pass phrase used for the system. It is also a good idea to have tripwire monitor its own executables and files so you will get notified if those are changed. Understand that tripwire is an IDS, it lets you know when something appears to have changed. It is not a magic bullet but one part of a system you can use to help protect your system. Also note that tripwire is not prelink aware. You can scare your self pretty bad if you setup a new system configure tripwire and then come back the next day and most of the files in the system are flagged as being changed. :)

On Sat, 2005-10-01 at 18:53, Ian Harris wrote: >On Sat, 1 Oct 2005 01:46 pm, Scot L. Harris wrote: > > >>It is not a virus defense, it is a host based intrusion detection tool. >>Tripwires purpose is to periodically examine files specified in the >>policy file and report any differences. These differences are an >>indication that something was changed. If you are unable to trace the >>cause to a system update or modification that you performed then it may >>be an indication that someone else has modified files on your system. >>In the past I have used things like Big Brother to examine the tripwire >>reports and alarm if a violation is indicated. >> >>Tripwire will not stop programs from running, you should look to selinux >>to provide that kind of protection. Selinux will prevent a program from >>trying to change files or perform operations that are not authorized by >>the policy on the system. >> >>That is where having the policy and database files used by tripwire >>signed by a key. In order to update the database you must enter the >>pass phrase used for the system. It is also a good idea to have >>tripwire monitor its own executables and files so you will get notified >>if those are changed. >> >>Understand that tripwire is an IDS, it lets you know when something >>appears to have changed. It is not a magic bullet but one part of a >>system you can use to help protect your system. >> >>Also note that tripwire is not prelink aware. You can scare your self >>pretty bad if you setup a new system configure tripwire and then come >>back the next day and most of the files in the system are flagged as >>being changed. :) >> >> >Thanks for that Scot, looks like I'm going to have to study the selinux >manual! >Ian > > If you are looking at security of your system start thinking about it in layers. Start with a good firewall and set it to block things coming in as well as going out. Only allow those things that you need to use. Use iptables on your servers. This acts as a second firewall layer. Setup tripwire which will alert you that something has changed. This will reduce the amount of time that someone may have access to your system. Enable selinux. With the right policy this should limit potential damage and exposure should someone manage to execute code on your system. Use good passwords. Disable all services you don't need/use. Review your log files regularly, read roots email. If you want to get really paranoid you can setup snort. Snort is a network intrusion detection tool (depending on how it is configured it could be an intrusion prevention system). It can notify when it sees odd things on your network. It can also be configured to reactively modify firewall rules in response to perceived threats. Similar lighter weight apps like this include portsentry which can be used on individual hosts. Think of security as having multiple layers. That way if someone penetrates one layer they should be blocked by another. To do damage someone should would have to penetrate your firewall, iptables, selinux, evade tripwire, break passwords, and elude snort. Most hackers will move on to other systems that are not protected as well. And for the most part that is what you want to achieve. Make your system just a little harder to crack than then next on the Internet.

On Mon, 2005-10-03 at 11:41 +1000, Ian wrote: >Scot L. Harris wrote: > > > >>On Sat, 2005-10-01 at 18:53, Ian Harris wrote: >> >> >> >> >>>On Sat, 1 Oct 2005 01:46 pm, Scot L. Harris wrote: >>> >>> >>> >>> snip >Excellent advice. I don't have any servers or a network though, my PC is >just a home PC connected directly to the net. >At one stage I had a home network set up with Smoothwall on a dedicated >PC, which had snort enabled. I used to check the logs occasionally, and >I was always gobsmacked at how many attempts to hack the box were >recorded. Hundreds a day sometimes. >Cheers, Ian > > > I beg to differ with you. Your home PC attached to the net IS on a network and IS a server. The complete list of services you have enabled is optional but by default some are (assuming Linux of course), and thus tools for protection are needed. I get attacks on httpd and on sshd (the only ports I allow remote connection to) regularly in a similar scenario. Different types and styles of networking have differing requirements but even a single home PC needs some form of protection (unless it is stand-alone and never connects to ANY network - a rarity indeed nowdays).

A very quick check to see exactly what may be of concern would be to run "nmap yourInternetIPaddress" on the machine and see what it returns. Maybe nothing (in which case you have no concerns) and maybe a list of ports that are open (in which case you have a specific list of ports to be careful of).