I'm looking for a mechanism to monitor the integrity of critical files on my FC4 servers. I understand Tripwire is the application to do it but I am having no success getting it set up. I downloaded the source from SourceForge but cannot follow how to set it up. I could not locate an RPM for the application.
Any help getting something set up would be greatly appreciated.
Thanks!
Bill Hahnel CI National Operations Center
I've successfully used Samhain in the past to accomplish the same thing. Tripwire went to crap after going commercial.
-Tim
----- Original Message -----
From: "Hahnel William J (CI)" William.Hahnel@ci.irs.gov
On Thu, 2005-09-29 at 14:34, Hahnel William J (CI) wrote:
You should find a tripwire rpm in the extras repository for Fedora.
Note: the setup script is now located in /usr/sbin/tripwire-setup-keyfiles. It explains this in one of the readme files that comes with the rpm. That file will set up the key files for your system. You will need to edit the policy file to get things configured the way you want and to eliminate items which are not installed on your system or which you don't want to monitor. Then run through the normal steps for setting up the database and running the report.
One alternative to tripwire is AIDE. The last time I looked at it though it seemed to be immature and not quite ready. It did not sign the policy or database files, which means to set this up in a secure manner you would have to arrange to keep those files offline or on read-only media.
I personally prefer tripwire. I always found this RedHat documentation to be useful when setting up or updating tripwire:
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/ch-tripwir...
The only real change from those docs to now is the initialization script which is /usr/sbin/tripwire-setup-keyfiles now.
I also came across this posting. I have not tried this script but if it does what it claims it could be very useful. As always I would recommend you manually check the policy file to make sure it is monitoring the files you want on your system.
http://moongroup.com/pipermail/shell.scripting/2004-March/000849.html
If you use that script and it works let us know.
I'd never heard of Tripwire before, but it sounds like the ultimate virus defence to me. Can it stop programs from running if they have been changed without Tripwire being told? Or do you just get told when a file has been modified (via the cron job, by which time it's probably too late)? The second thought that occurred to me was that, if a virus was trying to modify system files, wouldn't it also attempt to update the Tripwire database to match, so Tripwire wouldn't flag the change? Could that be prevented? Does Tripwire monitor itself??? Ian
Scot L. Harris wrote:
On Fri, 2005-09-30 at 20:42, Ian wrote:
It is not a virus defense, it is a host based intrusion detection tool. Tripwire's purpose is to periodically examine files specified in the policy file and report any differences. These differences are an indication that something was changed. If you are unable to trace the cause to a system update or modification that you performed then it may be an indication that someone else has modified files on your system. In the past I have used things like Big Brother to examine the tripwire reports and alarm if a violation is indicated.
Tripwire will not stop programs from running; you should look to selinux to provide that kind of protection. Selinux will prevent a program from trying to change files or perform operations that are not authorized by the policy on the system.
That is where having the policy and database files used by tripwire signed by a key comes in. In order to update the database you must enter the pass phrase used for the system. It is also a good idea to have tripwire monitor its own executables and files so you will get notified if those are changed.
Understand that tripwire is an IDS, it lets you know when something appears to have changed. It is not a magic bullet but one part of a system you can use to help protect your system.
Also note that tripwire is not prelink aware. You can scare yourself pretty badly if you set up a new system, configure tripwire, and then come back the next day to find most of the files in the system flagged as being changed. :)
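The point about signing the database, as an added example that is not Tripwire's code or file format: a toy integrity checker whose digest database carries an HMAC keyed from the passphrase (a stand-in for Tripwire's signed database and key files). A changed file is reported, and a database rewritten to hide that change is rejected because nobody without the passphrase can re-sign it. The monitored file, its contents and the passphrase are all constructed inside `demo()`.

```python
import hashlib, hmac, json, os, tempfile

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def derive_key(passphrase, salt):
    """Stretch the passphrase into a MAC key (stand-in for Tripwire's key files)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def sign(entries, key):
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").hexdigest()

def build_database(paths, passphrase, db_path):
    """Record current digests of `paths` (the equivalent of 'tripwire --init')."""
    salt = os.urandom(16)
    entries = {p: file_digest(p) for p in paths}
    tag = sign(entries, derive_key(passphrase, salt))
    with open(db_path, "w") as f:
        json.dump({"salt": salt.hex(), "entries": entries, "mac": tag}, f)

def load_database(db_path, passphrase):
    """Refuse a database whose MAC does not verify under the passphrase."""
    with open(db_path) as f:
        db = json.load(f)
    key = derive_key(passphrase, bytes.fromhex(db["salt"]))
    if not hmac.compare_digest(sign(db["entries"], key), db["mac"]):
        raise ValueError("database MAC mismatch: altered without the passphrase")
    return db["entries"]

def check(db_path, passphrase):
    """Return [(path, 'missing' | 'modified'), ...]; the 'tripwire --check' step."""
    violations = []
    for path, digest in load_database(db_path, passphrase).items():
        if not os.path.exists(path):
            violations.append((path, "missing"))
        elif file_digest(path) != digest:
            violations.append((path, "modified"))
    return violations

def demo():
    """Clean check, then a modified file, then a database forged to hide it."""
    work = tempfile.mkdtemp()
    target = os.path.join(work, "ls")          # constructed stand-in for a monitored binary
    db, passphrase = os.path.join(work, "integrity.db"), "constructed passphrase"
    with open(target, "wb") as f:
        f.write(b"#!/bin/sh\necho original\n")
    build_database([target], passphrase, db)
    clean = check(db, passphrase)                          # []
    with open(target, "wb") as f:
        f.write(b"#!/bin/sh\necho replaced\n")              # the file is altered
    modified = check(db, passphrase)                       # [(target, "modified")]
    with open(db) as f:                                    # database entries rewritten
        raw = json.load(f)                                 # to match the new file...
    raw["entries"][target] = file_digest(target)
    with open(db, "w") as f:
        json.dump(raw, f)                                  # ...but it cannot be re-signed
    try:
        check(db, passphrase)
        forged = "accepted"
    except ValueError:
        forged = "rejected"
    return {"clean": clean, "modified": modified, "forged_db": forged}
```

Real Tripwire signs the policy and database with its site and local keys rather than a symmetric MAC, but the property shown is the same: the check is only as trustworthy as the protection on the database it compares against.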
On Sat, 1 Oct 2005 01:46 pm, Scot L. Harris wrote:
Thanks for that Scot, looks like I'm going to have to study the selinux manual! Ian
On Sat, 2005-10-01 at 18:53, Ian Harris wrote:
If you are looking at security of your system start thinking about it in layers. Start with a good firewall and set it to block things coming in as well as going out. Only allow those things that you need to use.
Use iptables on your servers. This acts as a second firewall layer.
Set up tripwire, which will alert you that something has changed. This will reduce the amount of time that someone may have access to your system.
Enable selinux. With the right policy this should limit potential damage and exposure should someone manage to execute code on your system.
Use good passwords. Disable all services you don't need/use.
Review your log files regularly, read root's email.
If you want to get really paranoid you can setup snort. Snort is a network intrusion detection tool (depending on how it is configured it could be an intrusion prevention system). It can notify when it sees odd things on your network. It can also be configured to reactively modify firewall rules in response to perceived threats. Similar lighter weight apps like this include portsentry which can be used on individual hosts.
Think of security as having multiple layers. That way if someone penetrates one layer they should be blocked by another. To do damage someone would have to penetrate your firewall, iptables, selinux, evade tripwire, break passwords, and elude snort. Most hackers will move on to other systems that are not protected as well. And for the most part that is what you want to achieve. Make your system just a little harder to crack than the next on the Internet.
Scot L. Harris wrote:
Excellent advice. I don't have any servers or a network though, my PC is just a home PC connected directly to the net. At one stage I had a home network set up with Smoothwall on a dedicated PC, which had snort enabled. I used to check the logs occasionally, and I was always gobsmacked at how many attempts to hack the box were recorded. Hundreds a day sometimes. Cheers, Ian
On Mon, 2005-10-03 at 11:41 +1000, Ian wrote:
I beg to differ with you.
Your home PC attached to the net IS on a network and IS a server. The complete list of services you have enabled is optional but by default some are (assuming Linux of course), and thus tools for protection are needed. I get attacks on httpd and on sshd (the only ports I allow remote connection to) regularly in a similar scenario.
Different types and styles of networking have differing requirements but even a single home PC needs some form of protection (unless it is stand-alone and never connects to ANY network - a rarity indeed nowadays).
Jeff Vian wrote:
Couldn't agree more. I used Norton for years on Windoze, and use Zonealarm now. Wouldn't consider connecting to the net without them. When I installed FC4 I ensured no services were set up (http, ftp, etc) because I couldn't think of a reason for letting other people on the net connect to my PC without me connecting to them first. So, in terms of my rather meagre understanding, I'm not serving anything to anybody on the net. I'm still vulnerable to port scans and other hacker activity of course, and this is all I'm trying to protect myself against. Since I don't *really* understand selinux, iptables, firestarter et al (haven't RTFMed yet) I'm just hoping the default settings as set up by the FC4 install are adequate for my purposes. So far no problems <touch wood>. Cheers, Ian
On Mon, 2005-10-03 at 14:19 +1000, Ian wrote:
A very quick check to see exactly what may be of concern would be to run "nmap yourInternetIPaddress" on the machine and see what it returns. Maybe nothing (in which case you have no concerns) and maybe a list of ports that are open (in which case you have a specific list of ports to be careful of).
On Mon, 2005-10-03 at 00:51, Jeff Vian wrote:
You may want to try a scan from an external site such as http://www.grc.com; use the Shields Up utility on that site. It does a fair job of showing open ports on your site.
I would also recommend one of those cheap hardware routers/firewalls like linksys, netgear or others put out. They do a good job of hiding your system and are less susceptible to being disabled accidentally. It is still a good idea to run iptables on your system even with one of these on your Internet connection.
And configure ssh to permit specific users in and consider moving ssh port to a different port. Moving the port just keeps the script kiddies from knocking on the door, don't consider this a real security measure since a real hacker would scan and find the port anyway.