From 9ca33226eee2dc3f1ef1c666d45ee7c366d241cf Mon Sep 17 00:00:00 2001 From: wale soyinka Date: Wed, 27 Sep 2023 15:26:39 -0400 Subject: [PATCH 1/6] Create lab3-auditing_the_system Security Module : lab3 - auditing the system start --- docs/labs/security/lab3-auditing_the_system | 967 ++++++++++++++++++++ 1 file changed, 967 insertions(+) create mode 100644 docs/labs/security/lab3-auditing_the_system diff --git a/docs/labs/security/lab3-auditing_the_system b/docs/labs/security/lab3-auditing_the_system new file mode 100644 index 0000000000..e2a55652bb --- /dev/null +++ b/docs/labs/security/lab3-auditing_the_system 
@@ -0,0 +1,967 @@ +# Lab 3: Auditing the System + +## Objectives + + +After completing this lab, you will be able to + +- create a simple and custom auditing tool from scratch +- use and understand security auditing tools like tripwire + +Estimated time to complete this lab: 90 minutes + + + + + + + +# A simple home grown integrity checker + +Before we begin to install and configure tripwire we will first create a sample script that performs a similar function to tripwire. This script will help in gaining a better understanding of how Tripwire and similar tools function. + +The script relies heavily on the md5sum program. The md5sum program is used to compute a 128-bit checksum (or "fingerprint") for a specified FILE. + +The script functions’ as summarized below: + +i) Right after the base system has been installed, it will back up some of the system configuration files in the /etc directory, into a directory called etc.bak in roots home directory. + +In particular it will back up all the files under /etc with the suffix “*.conf” + +It does this when run with the initialization option ( -- initialization| -i) + +ii) The script will then be used to obtain the md5 checksums of the known good files (untainted files). + +iii) The list of MD5 sums will be stored in a file called “md5_good”. + +iv) When the script is run in a verify mode, the md5sum program will be called with the “ - -check” option to check the current MD5 sums against a given list (the md5_good file). + + +The script will print the output of the verification to the standard output and will also send a copy of the + +result via e-mail to the super-user. + +v) Whenever changes are made (legal or illegal) to the configuration files under /etc the script can be called + +with the “--rebuild| -r” option to approve the changes and rebuild the baseline pseudo database. + +vi) You can periodically manually run the script or create a cron job to automatically run the script. 
+ + +The script below can be fine tuned and scaled to do much more than it does. It is left to you and your imagination to make it do whatever you want it to do. + +If you are lazy (like me) and just want a quick and dirty way to get the job done the script will suffice but for everything else there is MasterCard – excuse me, I meant, for everything else there is Tripwire. + + +### Exercise 1 + +1. Log in as root and launch your text editor of choice. Enter the text below: + +``` +#!/bin/sh +# This script checks for changes in the MD5 sums of files named "/etc/*.conf" + + +case $1 in + + -i|--initialize) + +# This section will run if the script is run in an initialization mode +# Delete old directory, make directory, backup good files and change directory to /root/etc.bak + +rm -rf /root/etc.bak && mkdir /root/etc.bak && cp /etc/*.conf /root/etc.bak && cd /root/etc.bak + + +# Create our baseline file containing a list of good MD5 sums + + for i in /etc/*.conf ; do + + md5sum $i >> md5_good + done + echo -e "nUntainted baseline file ("~/etc.bak/md5_good") has been created !!n" + ;; + + + -v|--verify) + +# This section will run if the script is called in a verify mode + + cd /root/etc.bak + + +# Check if there is any file containing output from a previous run + + if [ -f md5_diffs ] ; then + + rm -f md5_diffs # if it exists we delete it + fi + + +# We re-create the file with a pretty sub-heading and some advice + + echo -e "n **** Possibly tainted File(s) ****" > md5_diffs + +# echo "" >> md5_diffs # append a blank line + +# Run the md5sum program against a known good list i.e. "md5_good" file + + md5sum -c md5_good 2> /dev/null | grep FAILED >> md5_diffs + + + + if [ $? -ge 1 ] ; then + echo "Nothing wrong here." + else + + +# append some "advice" to the md5_diffs file + + echo -e "\n Update the baseline file if you approve of the changes to the file(s) above \n" >> md5_diffs + + echo -e "Re-run the script with the re-build option (e.g. 
./check.sh --rebuild) to approven" >> md5_diffs + + + cat md5_diffs # print the md5_diffs file to the display + + mail -s "Changed Files" root < md5_diffs # also e-mail the md5_diffs file to root + + fi + + ;; + + -r|--rebuild) + + +# This section is for re-building the Baseline file just incase +# the changes to the configuration files are legal and sanctioned + + cd /root/etc.bak/ + mv md5_good md5_good.bak # make a backup copy of current untainted baseline file + + + for j in /etc/*.conf ; do + md5sum $j >> md5_good + + done + echo -e "n Baseline file updated with approved changes !!!n " + ;; + + *) + + echo "This script accepts: only ( -i|--initialize or -v|--verify or -r|--rebuild ) parameters" + + ;; + +esac +``` + +Save the text above in a text file and name the file “check.sh” + +#### To use the check.sh script + +1. Create a directory under root’s home directory called “scripts” + +2. Copy the script you created above into your scripts directory. + +3. Make the script executable. + +4. Run the script with the initialization option. Type: + +``` +[root@localhost scripts]# *./check.sh -i* +``` + + +Untainted baseline file (~/etc.bak/md5_good) has been created !! + +5. Use the ls command to view contents root’s home directory. You should have a new directory named + +“etc.bak” therein. Use the cat command to view the “/root/etc.bak/md5_good” file – just for fun. + +6. Run the script using the verify option. Type: + +``` +[root@localhost scripts]# ./check.sh -v + +Nothing wrong here. +``` + + +You should get the output above if all is well. + +7. You will deliberately alter the /etc/modules.conf files under the /etc directory. Type: + +``` +[root@localhost scripts]# echo "# This is just a test" >> /etc/modules.conf +``` + + +8. Now run the check.sh script again in verification mode. 
Type: + +``` +[root@localhost scripts]# ./check.sh -v + + + **** + +/etc/modules.conf: FAILED +``` + +Update the baseline file if you approve of the changes to the file(s) above + +Re-run the script with the re-build option (e.g. ./check.sh --rebuild) to approve + + +9. Per the warning above, you should go and investigate further to see if the altered file meets your + +approval. If it does you may run the script with a - - rebuild option. + +To view only the differences between the “tainted” file and the “untainted” file you could type: + + + +[root@localhost scripts]# *sdiff -s /etc/modules.conf /root/etc.bak/modules.conf* + + + < + +# Tripwire + +One of the first things you should do after building any new system is to get a snapshot of a known good state of the system before the system is “contaminated” or before deploying the system into production. + +There are several tools available for doing this. One of such tools is tripwire. Tripwire is an advanced tool, so brace yourself for a plethora of options, syntax, idiosyncrasies and switches. + +Tripwire can be regarded as a form of a host based intrusion detection system (IDS). It performs intrusion detection functions by taking a snapshot of a "healthy system" and later on comparing this healthy state with any other suspect states. It provides a means of knowing/monitoring whether certain sensitive files have been altered illegally. The system administrator of course decides what files are to be monitored. + +The authors of tripwire describe it as an Open Source Security, Intrusion Detection, Damage Assessment and Recovery, Forensics software. + +Tripwire simply compares a file’s new signature with that taken when the database was initially created. + +The steps involved in installing and configuring tripwire are as listed below: + +i. Install the software from source or binary + +ii. Run the configuration script: (twinstall.sh). 
This script is used to: + +a) Create the site key and the local key and prompts for pass phrases for both + +b) Sign the policy file and configuration file with the site key. + +iii. Initialize the tripwire database + +iv. Run the first integrity check. + +v. Edit the configuration file (twcfg.txt) + +vi. Edit the policy file (twpol.txt) + +Tripwire accepts the following command line options: + + +#### Database Initialization mode: +``` + + -m i --init + -v --verbose + -s --silent, --quiet + -c cfgfile --cfgfile cfgfile + -p polfile --polfile polfile + -d database --dbfile database + -S sitekey --site-keyfile sitekey + -L localkey --local-keyfile localkey + -P passphrase --local-passphrase passphrase + -e --no-encryption + +``` + +#### Integrity Checking mode: +``` + + -m c --check + -I --interactive + -v --verbose + -s --silent, --quiet + -c cfgfile --cfgfile cfgfile + -p polfile --polfile polfile + -d database --dbfile database + -r report --twrfile report + -S sitekey --site-keyfile sitekey + -L localkey --local-keyfile localkey + -P passphrase --local-passphrase passphrase + -n --no-tty-output + -V editor --visual editor + -E --signed-report + -i list --ignore list + -l { level | name } --severity { level | name } + -R rule --rule-name rule + -x section --section section + -M --email-report + -t { 0|1|2|3|4 } --email-report-level { 0|1|2|3|4 } + -h --hexadecimal + [ object1 [ object2... 
]] + + +``` +#### Database Update mode: + +``` + -m u --update + -v --verbose + -s --silent, --quiet + -c cfgfile --cfgfile cfgfile + -p polfile --polfile polfile + -d database --dbfile database + -r report --twrfile report + -S sitekey --site-keyfile sitekey + -L localkey --local-keyfile localkey + -P passphrase --local-passphrase passphrase + -V editor --visual editor + -a --accept-all + -Z { low | high } --secure-mode { low | high } +``` + + + + +Policy Update mode: + +``` + -m p --update-policy + -v --verbose + -s --silent, --quiet + -c cfgfile --cfgfile cfgfile + -p polfile --polfile polfile + -d database --dbfile database + -S sitekey --site-keyfile sitekey + -L localkey --local-keyfile localkey + -P passphrase --local-passphrase passphrase + -Q passphrase --site-passphrase passphrase + -Z { low | high } --secure-mode { low | high } + policyfile.txt +``` + + +Summary Of Options for the tripwire command: + +``` +SYNOPSIS + Database Initialization: tripwire { -m i | --init } [ options... ] + Integrity Checking: tripwire { -m c | --check } [ options... ] + [ object1 [ object2... ]] + Database Update: tripwire { -m u | --update } [ options... ] + Policy update: tripwire { -m p | --update-policy } [ options... ] + policyfile.txt + Test: tripwire { -m t | --test } [ options... ] + +``` + + + + + +#### twadmin + +The twadmin utility is used to perform administrative functions related to tripwire files and configuration options. Specifically, twadmin allows encoding, decoding, signing, and verification of tripwire files, and provides a means to generate and change local and site keys. + +Create Configuration File: twadmin [-m F|--create-cfgfile][options] cfgfile.txt + +Print Configuration File: twadmin [-m f|--print-cfgfile] [options] + +Create Policy File: twadmin [-m P|--create-polfile] [options] polfile.txt + +Print Policy File: twadmin [-m p|--print-polfile] [options] + +Remove Encryption: twadmin [-m R|--remove-encryption] [options] [file1...] 
+ +Encryption: twadmin [-m E|--encrypt] [options] [file1...] + +Examine Encryption: twadmin [-m e|--examine] [options] [file1...] + +Generate Keys: twadmin [-m G|--generate-keys] [options] + +#### twprint + +Prints Tripwire database and report files in clear text format. + +Print Report mode: + +``` +-m r --print-report + +-v --verbose + +-s --silent, --quiet + +-c cfgfile --cfgfile cfgfile + +-r report --twrfile report + +-L localkey --local-keyfile localkey + +-t { 0|1|2|3|4 } --report-level { 0|1|2|3|4 } +``` + +Print Database mode: + +``` +-m d --print-dbfile + +-v --verbose + +-s --silent, --quiet + +-c cfgfile --cfgfile cfgfile + +-d database --dbfile database + +-L localkey --local-keyfile localkey + +[object1 [object2 ...] +``` + +#### siggen + +siggen is a signature gathering routine for Tripwire. It is a utility that displays the hash function values for the specified files. + +``` +OPTIONS + ‐t, --terse + Terse mode. Prints requested hashes for a given file on one line, delimited by spaces, with no extraneous information. + + ‐h, --hexadecimal + Display results in hexadecimal rather than base64 notation. + + ‐a, --all + Display all hash function values (default). + + ‐C, --CRC32 + Display CRC-32, POSIX 1003.2 compliant 32-bit Cyclic Redundancy Check. + + ‐M, --MD5 + Display MD5, the RSA Data Security, Inc. Message Digest Algorithm. + + ‐S, --SHA + Display SHA, Tripwire's implementation of the NIST Secure Hash Standard, SHS (NIST FIPS 180). + + ‐H, --HAVAL + Display Haval value, a 128-bit hash code. + + file1 [ file2... ] + List of filesystem objects for which to display values. +``` + + + +### Exercise 1 + +#### To install Tripwire + +1. Check to see if you already have tripwire installed on your system. Type: + +[root@localhost root]# rpm -q tripwire + +tripwire-* + +If you get an output similar to the one above then you already have it installed. Skip the next step. + +2. If you dont have it installed, obtain the tripwire binary and install it. 
Type: + +[root@localhost root]# dnf -y install tripwire + + +#### To Configure tripwire + +Configuring tripwire involves customizing the tripwire configuration file if needed, then customizing the policy file if needed and then running the configuration script which will prompt you for a passphrase that will be used to sign/protect the configuration file, the policy file and the database file. + + +1. Change your pwd to the tripwire’s working directory: Type: + +[root@localhost root]# cd /etc/tripwire/ + +2. List the contents of the directory + + +3. Use any pager or text editor to view/study the files in the directory. + +4. We will accept the settings that come with the default config. file (twcfg.txt) and the provided default + +policy file (twpol.txt) for now. + +5. Execute the tripwire configuration utility as root. You will be prompted (twice) for site keyfile passphrase. Select any passphrase that you + +WILL NOT forget ( The site key is meant for the twcfg.txt file and the twpol.txt file) Type: + +``` +[root@localhost tripwire]# tripwire-setup-keyfiles +..... +Enter the site keyfile passphrase: +Verify the site keyfile passphrase: +...... +Generating key (this may take several minutes)...Key generation complete. +``` + + +Next you will be prompted for a local key. Again select another password YOU WILL not forget. ( The local key signs the tripwire database files and the reports files) + + + +``` +Enter the local keyfile passphrase: +Verify the local keyfile passphrase: +.... +Generating key (this may take several minutes)...Key generation complete. + +``` + + + +After choosing your passphrases the “twinstall.sh” script will then proceed with the actual creation/signing of the encrypted versions of the original plain text files ( i.e tw.cfg and tw.pol will be created respectively) You will be prompted again for the passphrases you choose earlier. At this point just follow the prompts until the script exits. 
+ +``` +---------------------------------------------- +Signing configuration file... +Please enter your site passphrase: +`````` + +``` +---------------------------------------------- +Signing policy file... +Please enter your site passphrase: ******** +...... + +Wrote policy file: /etc/tripwire/tw.pol + +``` + +6. List the new contents of the /etc/tripwire directory. + + +7. Per the warning you got while the tripwire-setup-keyfiles utility was running, you will now move the plain text versions of the configuration file and policy files away from the local system. You could store them + +on an external removal medium or encrypt them in place [using a tool like GPG for example] OR completely delete them if you are feeling particularly daring. Type: + +[root@localhost tripwire]# mkdir /root/tripwire_stuff && mv twcfg.txt twpol.txt /root/tripwire_stuff + + +!!!NOTE +It may be useful to keep the plain text versions in safe place, just incase you forget your passphrases. You can then always re-run the “tripwire-setup-keyfiles” based on the configurations and policies you have fine tuned over time. + + + +#### To initialize the database + +Initializing the database is the tripwire terminology for, taking an initial “untainted” snapshot of the files you have decided to monitor (based on the policy file). This generates the database and also signs the database with the local key. The database serves as the baseline for all future integrity checks. + +1. While still logged in as root type: + +``` +[root@localhost tripwire]# tripwire --init + +Please enter your local passphrase: +Parsing policy file: /etc/tripwire/tw.pol +Generating the database... +*** Processing Unix File System *** + +``` + +Enter your local passphrase when prompted. The database creation will run to conclusion and you should get an output similar to the one below: + + +**The database was successfully generated.** + +2. 
Use the `ls` command to verify that the database was indeed created under the stated location. Type: + +``` +[root@localhost tripwire]# ls -lh /var/lib/tripwire/$(hostname).twd +-rw-r--r--. 1 root root 3.3M Sep 27 18:35 /var/lib/tripwire/localhost.twd +``` + + +### Exercise 2 + +Integrity checking and viewing reports + +In this exercise you will learn how to run an integrity check of the system and view the reports that tripwire generates for you. + +#### To run an integrity check + +Running tripwire in this mode (integrity check mode) compares the current file system objects with their properties in the tripwire database. Discrepancies between database and the current file system objects are printed to the standard output while tripwire is running in this mode. After the check is complete tripwire also generates a report file in the directory specified in the twcfg.txt file (/var/lib/tripwire/report/). + +1. Run an integrity check. Type: + +``` +[root@localhost tripwire]# tripwire --check +``` + +You'll see some [expected] warnings stream by during this check. + +Check under the /var/lib/tripwire/report directory to see if a report was also created in there for you. + +Write down the name of the report file that was created? + +FILE_NAME = + + + +2. Run the integrity check again but manually specify a file name for the report file. Type: +``` +[root@localhost tripwire]# tripwire -m c -r /root/tripwire_report.twr +``` + +3. Now make sure that a new file was created for you under root’s home directory. Type: + +``` +[root@localhost tripwire]# ls -l /root/tripwire_report.twr +``` + +#### To examine the report + +Tripwire’s report files, are a collection of rule violations discovered during an integrity check. + +There are several methods of viewing the tripwire report file. 
You could have been viewing it whilst the integrity check was running, you could view it in the form of an e-mail automatically sent to you or you could view it using the “twprint” command provided with the tripwire package. + +!!! NOTE +You probably noticed from the earlier exercise that by default, tripwire uses a combination of the systems FQDN name, the date and the time to name the report files. + +1. First change to the default report’s directory and view the default report created for you in step 1 above ( FILE_NAME). Type: + +``` +[root@localhost report]# cd /var/lib/tripwire/report && twprint --print-report -r +``` + +Replace above with the value you noted earlier. + +To use the short form of the above command Type: +``` +[root@localhost report]# twprint -m r -r | less +``` +We pipe the output to the less command because the report scrolls by quickly. + +2. Now view the other report you created manually, under root’s home directory. Type: +``` +[root@localhost root]# cd && twprint --print-report -r /root/tripwire_report.twr | less +``` + +3. Brace yourself and study the output of the report file carefully. + +4. You should have noticed again that tripwire created binary/data forms of the report files. Create a text only version of the report file under roots home directory. Type: +``` +[root@localhost root]# twprint --print-report -r /root/tripwire_report.twr > tripwire_report.txt +``` + +#### To view the reports via e-mail + +Here you will test the e-mail functionality of tripwire. Tripwire’s e-mail notification system uses the setting specified in the tripwire configuration file. (twcfg.txt). + +1. First view the configuration file and note the variable(s), that control tripwire’s e-mail notification system. To view the configuration file type: + +``` +[root@localhost report]# twadmin -m f | less +``` + +Write down the relevant variable(s) here? + + + +2. Next make sure that your local mail system is up and running by checking the status of say sendmail. 
+ +Type: + +``` +[root@localhost report]# systemctl -n 0 status postfix +....... + Active: active (running) since Thu 2023-08-31 16:21:26 UTC; 3 weeks 6 days ago +....... +``` + +Your output should be similar to the above. If your mailing system is not running, trouble-shoot that first and get it up and running before continuing. + +3. Send a test message to root. Type: + +[root@localhost report]# tripwire --test --email root + +4. Use the mail program to check root’s mail. Type: + +[root@localhost report]# mail + +The super user should have a message with the subject “"Test email message from Tripwire" + + +5. After you have confirmed that the e-mail functionality works you could try manually sending a copy of one of the reports to yourself. + +Write down the command to do this? + + + +### Fine tuning tripwire + +After installing tripwire, taking a snapshot of the system and then running the first integrity check you will more likely than not need to fine tune tripwire to suit the needs of your particular environment. +This is mostly because the default configuration and policy file that comes bundled with tripwire may not exactly fit your needs or reflect the actual objects on your file system. + +You need to ascertain if the file system violations reported in the report file during the integrity check are actual violations or legitimate/authorized changes to your file system objects. +Again tripwire offers several ways of doing this. + + + +### Updating the policy file ( --update-policy ) + +Using this method you will change or fine tune what tripwire considers violations to your file system objects by changing the rules in the policy file. The database can then be updated without a complete + +re-initialization. This saves time and preserves security by keeping the policy file synchronized with the database it uses. 
+ +You will use the report file you created earlier ( /root/tripwire_report.txt ) to fine tune your policy file by first preventing tripwire from reporting the absence of files that were never on the filesystem in the first place. + +This will help to greatly reduce the length of the report file that you have to manage. + + +#### To fine tune tripwire + +1. Use the grep command to filter out all lines in the report file that refers to missing files + +( Lines containing the word “Filename”). Redirect the output to another file - tripwire_diffs.txt + +Type: + +``` +[root@localhost root]# grep Filename /root/tripwire_report.txt > tripwire_diffs.txt +``` + +2. View the contents of the file you created above. Type: + +``` +[root@localhost root]# *less tripwire_diffs.txt* + + +207: Filename: /proc/scsi + +210: Filename: /root/.esd_auth + +213: Filename: /root/.gnome_private + +216: Filename: /sbin/fsck.minix + +219: Filename: /sbin/mkfs.bfs + +.................................. +``` + +3. Now you need to edit the tripwire policy file and comment out or delete the entries in the file that should not be in there. i.e. files that are not on your system and files that probably + +never will be on your system. For example one of the files that the policy file is trying to monitor is the /proc/scsi file. If you dont have any SCSI device on your system then it makes absolutely NO + +SENSE to monitor this file. + +Another debatable example of what to monitor or not to monitor are the various lock files under the “/var/lock/subsys/” directory. Choosing to monitor these files should be a personal call. + +Re-create a text version of the policy file - just in case you removed it (as advised ) from the local system. Type: + +``` +[root@localhost root]# twadmin --print-polfile > twpol.txt +``` + +4. Edit the text file you created above using any text editor. 
Comment out references to the objects that you don’t want to monitor; you can use the tripwire_diffs.txt file you created earlier as a guideline. + +Type: + +``` +[root@localhost root]# vi twpol.txt +``` + +Save your changes to the file and close it. + +5. Run tripwire in policy file update mode. Type: +``` +[root@localhost root]# tripwire --update-policy /root/twpol.txt* +``` + +Enter your local and site passphrases when prompted. + +A new signed and encrypted policy file will be created for you under the “/etc/tripwire/” directory. + +6. Delete or remove the text version of the policy file from your local system. + +7. Running the command in step 5 above will also have created a report file for you under the + +/var/lib/tripwire/report directory. + +Write down the name of your latest report file here? + + + + + +8. Run an integrity check of the system again until you are satisfied that you have a good baseline of the + +system, with which to make future decisions. What is the command to do this? + + + +### Updating the database (--update) + +Running tripwire in the database update mode after an integrity check provides a quick and dirty way to fine tune tripwire. This is because Database Update mode allows any differences between the database and the current system to be reconciled. This will prevent the violations from showing up in future reports. + +This update process saves time by enabling you to update the database without having to re-initialize it. + +#### To update the database + +1. Change your pwd to the location where tripwire stores the report files on your system. Type: + +``` +[root@localhost root]# cd /var/lib/tripwire/report/ +``` + +2. You will first use the database update mode in an interactive manner. Type: + +``` +[root@localhost report]# tripwire --update -Z low -r +``` + +Replace with the report file name you noted earlier. + +The above command will also launch your default text editor (e.g. 
vi) which will present you with so called “update ballot boxes”. You may need to scroll through the file. + +The entries marked with an “[x]” implies that the database should be updated with that particular object. + +Remove the "x" from the ballot box “[ ]” to prevent updating the database with the new values for that object. + +Use your text editor’s usual key-strokes to save and exit the editor. + +3. Next try using the database update mode in a non-interactive manner. i.e. you will accept all + +the entries in the report file will be accepted without prompting. Type: + +``` +[root@localhost report]# tripwire --update -Z low -a -r +``` + +### Tripwire configuration file + +You will begin these exercises by first fine-tuning your configuration file. In an earlier exercise you were advised to remove or delete all clear text versions of tripwire’s file from your system. You will create a slightly more secure installation of tripwire by editing some of the variables in the tripwire config. file. e.g. you will specify that tripwire should always look for the binaries versions of the policy and config file on a removable media such as a floppy disk or a cdrom. + +1. Change your pwd to the /etc/tripwire directory. + +2. Generate a clear text version of the configuration file. Type: + +``` +[root@localhost tripwire]# twadmin --print-cfgfile > twcfg.txt +``` + +3. Open up the config file you created above in your text editor. 
Type: + +``` +[root@localhost tripwire]# vi twcfg.txt +``` + +Edit the file to look like the sample file below: + +( NOTE: The newly added and changed variables have been highlighted for you ) + +``` + +1 ROOT =/usr/sbin + +2 POLFILE =/mnt/floppy/tw.pol + +3 DBFILE =/var/lib/tripwire/$(HOSTNAME).twd + +4 REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr + +5 SITEKEYFILE =/mnt/floppy/site.key + +6 LOCALKEYFILE =/mnt/floppy/$(HOSTNAME)-local.key + +7 EDITOR =/bin/vi + +8 LATEPROMPTING =false + +9 LOOSEDIRECTORYCHECKING =true + +10 GLOBALEMAIL =root@localhost + +11 MAILNOVIOLATIONS =true + +12 EMAILREPORTLEVEL =3 + +13 REPORTLEVEL =3 + +14 MAILMETHOD =SENDMAIL + +15 SYSLOGREPORTING =true + +16 MAILPROGRAM =/usr/sbin/sendmail -oi -t +``` + + +4. Consult the man page for “twconfig” to find out what the following variables are meant for ? + +`````` +LOOSEDIRECTORYCHECKING + +GLOBALEMAIL + +SYSLOGREPORTING +``` + +5. Mount the removal media to the /mnt/usbdrive directory. Type: + +[root@localhost tripwire]# mount /dev/usbdrive /mnt/usbdrive + +!!! NOTE +If you choose to store your files on a different location (e.g. a cdrom media) make the necessary adjustments to the commands. + +6. Relocate the site key, local key and binary files to the location you specified in the new config. file. + +Type: + +``` +[root@localhost tripwire]# mv site.key tw.pol localhost.localdomain-local.key /mnt/usbdrive +``` + +6. Create a binary version of the clear text config file. Type: + +``` +[root@localhost tripwire]# *twadmin --create-cfgfile -S /mnt/floppy/site.key twcfg.txt* +``` + +The “/etc/tripwire/tw.cfg” file will be created for you. + +7. Test your new set up. Un-mount the floppy drive and eject the floppy disk. + +8. Try running one the tripwire commands that needs the files stored on the floppy drive. Type: + +``` +[root@localhost tripwire]# twadmin --print-polfile + +### Error: File could not be opened. 
+ +### Filename: /mnt/usbdrive/tw.pol + +### No such file or directory + +### + +### Unable to print policy file. + +### Exiting... +``` + +You should get an error similar to the one above. + +9. Mount the media that your tripwire files are stored. And try the above command again. + + + Did the command run successfully this time? + + +10. Search for and delete all the plain text versions of tripwire’s config files you have created thus far from your system. + +Having to mount and unmount a removable media each time you want to administer an aspect of tripwire may end up being such a drag, but the payoff may be in the extra security. You definitely want to consider storing a pristine version of tripwire’s database on a read-only media such as a CDROM. + + + +ADDITIONAL EXERCISES + +1. Configure your tripwire installation run an integrity check every day at 2 A.M and send out a report of the integrity check via e-mail to the super user on the system. + +!!! HINT: +You may need to do this using a cron job. From 9bd76074cbff9afcc6f1c6383ffc02f07d2dd69e Mon Sep 17 00:00:00 2001 From: wale soyinka Date: Wed, 27 Sep 2023 15:32:36 -0400 Subject: [PATCH 2/6] Update lab9-cryptography.md add quote --- docs/labs/security/lab9-cryptography.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/labs/security/lab9-cryptography.md b/docs/labs/security/lab9-cryptography.md index 2a328765b6..aadcff7f27 100644 --- a/docs/labs/security/lab9-cryptography.md +++ b/docs/labs/security/lab9-cryptography.md @@ -9,6 +9,15 @@ After completing this lab, you will be able to: Estimated time to complete this lab: 120 minutes + + +"*Three may keep a secret, if two of them are dead...*." + +-- Benjamin Franklin + + + + ## Common Cryptography terms and definitions ### Cryptography From 242ffa21e30736cc80e70fc3d667c30fa853a35a Mon Sep 17 00:00:00 2001 
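Review bot: the `echo -e` strings in the check.sh script in this hunk have lost their backslashes, so `echo -e "nUntainted baseline file ("~/etc.bak/md5_good") has been created !!n"` prints a literal `n` at each end instead of a blank line, and the same has happened to the "Possibly tainted File(s)" header, the `to approven` advice line and the "Baseline file updated" message; restore `\n` in all four (the `Update the baseline file …` line is the only one that kept its escapes). Two steps of the walkthrough then cannot produce the output they show: step 7 appends to `/etc/modules.conf`, which does not exist on a current Rocky Linux install, so `>>` creates a new file that is not listed in `md5_good` and `md5sum -c` will never report `/etc/modules.conf: FAILED` as step 8 claims (pick a file that actually appears in `ls /etc/*.conf` on the target), and the `-r|--rebuild` branch rewrites `md5_good` but never refreshes the copies in `/root/etc.bak`, so the `sdiff -s /etc/modules.conf /root/etc.bak/modules.conf` comparison suggested in step 9 is against a stale copy after the first rebuild; add `cp /etc/*.conf /root/etc.bak` to that branch. Smaller things to fix before merge: the new file has no `.md` extension, unlike `lab9-cryptography.md`, so MkDocs will not pick it up; bold markers were left inside fenced commands (`*./check.sh -i*`, `*sdiff -s ...*`, `*less tripwire_diffs.txt*`, `/root/twpol.txt*`, `*twadmin --create-cfgfile ...*`) and will render literally; the report-file placeholders after `twprint --print-report -r`, `twprint -m r -r` and `tripwire --update -Z low -r` are missing, presumably because an angle-bracket placeholder was swallowed as an HTML tag, so spell it out as `FILE_NAME`; the two ```````` runs are broken fences; `!!!NOTE` and `!!! HINT:` need to be `!!! note` / `!!! hint` with the body indented four spaces to render as admonitions; the text says "say sendmail" but runs `systemctl -n 0 status postfix`; the sample `twcfg.txt` points `POLFILE`, `SITEKEYFILE` and `LOCALKEYFILE` at `/mnt/floppy` while the mount, the `mv` and the expected error use `/mnt/usbdrive`, and `mount /dev/usbdrive /mnt/usbdrive` names a device node that does not exist (use the real partition, e.g. `/dev/sdb1`, or a by-label path); "Exercise 1" and step "6." are each numbered twice; and the prose alternates between `twinstall.sh` and the command actually run, `tripwire-setup-keyfiles`. Finally, because the lab frames the script as an integrity checker, it is worth a sentence that MD5 is deprecated for that role and `sha256sum` / `sha256sum -c` is a drop-in replacement, and that a baseline kept in a writable `/root/etc.bak` on the same host can be rewritten by whoever changed `/etc`, which is the argument for the read-only media the end of the file already recommends.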
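Review bot: the quotation added at the top of lab9-cryptography.md ends with both an ellipsis and a stray period outside the italics (`"*Three may keep a secret, if two of them are dead...*."`); drop the trailing `.` so it reads `"*Three may keep a secret, if two of them are dead...*"`, and trim the run of blank lines around the quote and the `-- Benjamin Franklin` attribution to a single blank line, matching the spacing used before `## Common Cryptography terms and definitions`.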
From: wale soyinka Date: Wed, 27 Sep 2023 15:52:01 -0400 Subject: [PATCH 3/6] Update lab9-cryptography.md - add quote - start format fixing --- docs/labs/security/lab9-cryptography.md | 242 ++++++++++++++++-------- 1 file changed, 160 insertions(+), 82 deletions(-) diff --git a/docs/labs/security/lab9-cryptography.md b/docs/labs/security/lab9-cryptography.md index aadcff7f27..85d0205724 100644 --- a/docs/labs/security/lab9-cryptography.md +++ b/docs/labs/security/lab9-cryptography.md @@ -116,9 +116,11 @@ To create a new key pair 2. Make sure that the GnuPG package is installed on your system. Type: -`[ying@serverXY ying]$ rpm -q gnupg` +``` +[ying@serverXY ying]$ rpm -q gnupg -gnupg-\*.\* +gnupg-*.* +``` If it isn’t, get the super-user to install it. @@ -126,7 +128,9 @@ If it isn’t, get the super-user to install it. 4. List the keys you currently have in your keyring. Type: -`[ying@serverXY ying]$ gpg --list-keys` +``` +[ying@serverXY ying]$ gpg --list-keys +``` !!! NOTE @@ -164,6 +168,7 @@ At the prompt for the type of key you want to create, accept the default, i.e.(D 6. You will create an ELG-E key size of 1024. Accept the default again at the prompt below: +``` DSA key pair will have 1024 bits. About to generate a new ELG-E key pair. @@ -175,6 +180,7 @@ About to generate a new ELG-E key pair. highest suggested key size is 2048 bits What key size do you want? (1024) 1024 +``` 7. Create keys that will expire in a year. Type “1y” at the prompt below: @@ -194,7 +200,9 @@ Key is valid for? (0) 1y 8. Type “y” to accept the expiry date shown at the prompt: +``` Is this correct (y/n)? y +``` 9. Create a User-ID to identify your key with: @@ -220,10 +228,11 @@ Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O 10. Select a passphrase that you WILL NOT forget at the next prompt: +``` Enter passphrase: \*\*\*\*\*\*\*\* Repeat passphrase: \*\*\*\*\*\*\*\* - +``` ## Exercise 2 ### Key Administration 
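Review bot: the passphrase lines fenced in the last hunk (`Enter passphrase: \*\*\*\*\*\*\*\*`) keep their markdown escapes, and inside a fence the backslashes are rendered literally; write plain `********`. The same leftover escapes (`\]` in prompts, `\_` in file names, `\*`, `\\`) survive in most of the blocks this patch converts from inline to fenced, so one pass stripping backslash escapes inside the new fences would fix them all at once.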
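Review bot: the key-generation transcript fenced in the ELG-E hunk ("DSA key pair will have 1024 bits", "About to generate a new ELG-E key pair", key size 1024) is the old GnuPG 1.x dialogue; a current GnuPG 2.x `gpg --gen-key` generates an RSA and RSA pair by default and never shows the ELG-E or DSA prompts, so students on a current system will not see these lines and the 1024-bit sizes are well below what current tooling picks. Either refresh the transcript from a current gpg run or state which GnuPG version it was captured from.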
@@ -234,6 +243,7 @@ Listing your keys 1. While still logged into the system as the user ying. Display the keys in your key-ring. Type: +``` [ying@serverXY ying\]$ gpg --list-keys gpg: WARNING: using insecure memory! @@ -245,24 +255,26 @@ gpg: WARNING: using insecure memory! pub 1024D/1D12E484 2003-10-16 Ying Yang (my test) <ying@serverXY> sub 1024g/1EDB00AC 2003-10-16 \[expires: 2004-10-15\] +``` -2. To suppress the somewhat annoying “warning” about “insecure memory” add the following option - - to your personal gpg configuration file. Type: +2. To suppress the somewhat annoying “warning” about “insecure memory” add the following option to your personal gpg configuration file. Type: +``` [ying@serverXY ying\]$ echo "no-secmem-warning" >> ~/.gnupg/gpg.conf - +``` 3. Run the command to list your keys again. to make sure your change is in effect. 4. List your keys along with their signatures. Type: +``` [ying@serverXY ying\]$ gpg --list-sigs /home/ying/.gnupg/pubring.gpg - +``` 5. List only your secret keys. Type: +``` [ying@serverXY ying\]$ gpg --list-secret-keys /home/ying/.gnupg/secring.gpg @@ -272,10 +284,12 @@ sub 1024g/1EDB00AC 2003-10-16 \[expires: 2004-10-15\] sec 1024D/1D12E484 2003-10-16 Ying Yang (my test) <ying@serverXY> ssb 1024g/1EDB00AC 2003-10-16 +``` 6. Display the key fingerprints. Type: -\[ying@serverXY ying\]$ ***gpg --fingerprint*** +``` +[ying@serverXY ying\]$ ***gpg --fingerprint*** /home/ying/.gnupg/pubring.gpg 
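Review bot: `[ying@serverXY ying\]$ ***gpg --fingerprint***` in the last hunk keeps the `***` bold markers inside the new fence, where they render as literal asterisks instead of bold; the same pattern remains later in the patch on `gpg --output ying-pub.gpg --export`, `ssh serverPR`, `ssh -l ying serverPR ` and `ssh-add`. Strip the `***` from every command that was moved into a fence, as the other hunks in this patch already do.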
@@ -290,14 +304,15 @@ sub 1024g/1EDB00AC 2003-10-16 \[expires: 2004-10-15\] Revocation certificates Revocation certificates are used to revoke keys in case someone gets knowledge of your secret key or in case you forget your passphrase. They are also useful for other various functions. +``` To create a revocation certificate -1. While still logged in as the user ying. Create a revocation certificate. It will be displayed on your +1. While still logged in as the user ying. Create a revocation certificate. It will be displayed on your standard output. Type: - standard output. Type: - -[ying@serverXY ying\]$*** gpg --gen-revoke ying@serverXY*** +``` +[ying@serverXY ying\]$ gpg --gen-revoke ying@serverXY +``` Follow the prompts and enter your passphrase when prompted to do so. @@ -305,7 +320,9 @@ Follow the prompts and enter your passphrase when prompted to do so. “revoke.asc”. Type: -[ying@serverXY ying\]$*** gpg --output revoke.asc --gen-revoke ying@serverXY*** +``` +[ying@serverXY ying\]$ gpg --output revoke.asc --gen-revoke ying@serverXY +``` 3. You should store the revocation certificate in a safe place and even make a hard printed copy. @@ -323,7 +340,9 @@ To export your public keys 1. Export your public key in binary format to a file called “ying-pub.gpg”. Type: +``` [ying@serverXY ying\]$ ***gpg --output ying-pub.gpg --export <your\_key’s\_user\_ID>*** +``` !!! NOTE @@ -339,11 +358,13 @@ To export your public keys ASCII-armored format. Type: +``` [ying@serverXY ying\]$***gpg --output ying-pub.asc --armor --export ying@serverXY *** +``` 3. Use the cat command to view the binary version of ying’s public key (ying-pub.gpg) -4. (To reset your terminal type: “reset”) +4. To reset your terminal type: `reset` 5. Use the cat command to view the ASCII version of ying’s public key (ying-pub.asc) 
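Review bot: the closing fence added in the first hunk here is placed after the paragraph "Revocation certificates are used to revoke keys in case someone gets knowledge of your secret key...", so that paragraph and the "Revocation certificates" heading line are swallowed into the `gpg --fingerprint` output block; move the ``` up so it directly follows the last line of fingerprint output. While touching this section, the text could say why the certificate is generated now rather than when it is needed: it can only be produced while the secret key and its passphrase are still available, which is exactly the situation that no longer holds once a key is compromised or the passphrase forgotten.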
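Review bot: in the export hunks, `[ying@serverXY ying\]$***gpg --output ying-pub.asc --armor --export ying@serverXY ***` has no space after the `$` and a trailing space before the closing `***`, and `<your\_key’s\_user\_ID>` carries a curly apostrophe and escaped underscores inside a fence; write `[ying@serverXY ying]$ gpg --output ying-pub.asc --armor --export ying@serverXY` and `<your_key's_user_ID>`.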
@@ -359,31 +380,38 @@ To digitally sign a file 1. Create a file named “secret-file.txt” with the text “Hello All” in it. Type: -\[ying@serverXY ying\]$ ***echo "Hello All" > secret1.txt*** +``` +[ying@serverXY ying\]$ echo "Hello All" > secret1.txt +``` 2. Use cat to view the contents of the file. Use the file command to see the kind of file it is. 3. Now sign the file with your digital signature. Type: -\[ying@serverXY ying\]$ ***gpg -s secret1.txt*** - +``` +[ying@serverXY ying\]$ gpg -s secret1.txt +``` Input your passphrase when prompted. The above command will create another file “secret1.txt.gpg” which is compressed and has a signature attached to it. Run the “file” command on the file to check this. View the file with cat 4. Check the signature on the signed “secret1.txt.gpg” file. Type: -\[ying@serverXY ying\]$ ***gpg --verify secret1.txt.gpg*** +``` +[ying@serverXY ying\]$ gpg --verify secret1.txt.gpg gpg: Signature made Thu 16 Oct 2003 07:29:37 AM PDT using DSA key ID 1D12E484 gpg: Good signature from "Ying Yang (my test) <ying@serverXY>" +``` 5. Create another file secret2.txt with the text “ Hello All” in it. 6. Sign the secret2.txt file, but let the file be ASCII armored this time. Type: -\[ying@serverXY ying\]$ ***gpg -sa secret2.txt*** +``` +[ying@serverXY ying\]$ gpg -sa secret2.txt +``` An ASCII armored file called “secret2.txt.asc” will be created in your pwd. 
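Review bot: step 1 of the signing hunk says to create "secret-file.txt" while the fenced command writes `secret1.txt`, and every later step (`gpg -s secret1.txt`, `gpg --verify secret1.txt.gpg`) uses secret1.txt; fix the prose to match the command. The prompts in these fences (`[ying@serverXY ying\]$`) still carry the `\]` escape.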
@@ -391,12 +419,14 @@ An ASCII armored file called “secret2.txt.asc” will be created in your pwd. 8. Create another file called “secret3.txt” with the text “hello dude” in it. Type: -\[ying@serverXY ying\]$*** echo "hello dude" > secret3.txt*** +``` +[ying@serverXY ying echo "hello dude" > secret3.txt +``` 9. Append your signature to the body of the file you created above. Type: - -\[ying@serverXY ying\]$ ***gpg --clearsign secret3.txt*** - +``` +[ying@serverXY ying\]$ gpg --clearsign secret3.txt +``` This will create an uncompressed file (secret3.txt.asc) that is wrapped in your ASCII-armored signature. Write down the command to verify the signature of the file that was created for you. @@ -429,7 +459,7 @@ Importing public keys either - me@serverXY or ying@serverPR) -NOTE: +!!! NOTE: There are several ways of doing this e.g. e-mail, copying and pasting, scp, ftp, Saving on a diskette etc. @@ -441,17 +471,20 @@ Select the most efficient method for yourself. Import the key into your key-ring. Type: -\[ying@serverXY ying\]$ ***gpg --import me-pub.asc*** +``` +[ying@serverXY ying\]$ gpg --import me-pub.asc gpg: key 1D0D7654: public key "Me Mao (my test) <me@serverXY>" imported gpg: Total number processed: 1 gpg: imported: 1 +``` 5. Now list the keys in your key-ring. Type: -\[ying@serverXY ying\]$*** gpg --list-keys*** +``` +[ying@serverXY ying\]$ gpg --list-keys /home/ying/.gnupg/pubring.gpg 
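Review bot: `[ying@serverXY ying echo "hello dude" > secret3.txt` in the first hunk lost the closing `]$` of the prompt, so the block reads as though `ying` were the command; restore `[ying@serverXY ying]$ echo "hello dude" > secret3.txt`.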
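Review bot: `!!! NOTE:` in the importing hunk keeps the trailing colon, which makes the admonition type `note:` rather than `note`, and the text that follows is not indented, so the block will not render as an admonition; use `!!! note` and indent the body four spaces. The same applies to the `!!! NOTE:` introduced for sshd_config later in this patch.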
@@ -464,14 +497,20 @@ sub 1024g/1EDB00AC 2003-10-16 \[expires: 2004-10-15\] pub 1024D/1D0D7654 2003-10-16 Me Mao (my test) <me@serverXY> sub 1024g/FD20DBF1 2003-10-16 \[expires: 2004-10-15\] +``` 6. In particular list the key that is associated with the user-ID me@serverXY. Type: -\[ying@serverXY ying\]$*** gpg --list-keys me@serverXY*** +``` +[ying@serverXY ying\]$ gpg --list-keys me@serverXY +``` 7. View the fingerprint of the key for me@serverXY. Type: -\[ying@serverXY ying\]$*** gpg --fingerprint me@serverXY*** +``` +[ying@serverXY ying\]$ gpg --fingerprint me@serverXY +``` + Encrypting and decrypting files @@ -487,7 +526,9 @@ To encrypt a file 1. While logged into the system as the user ying, create a file called encrypt-sec.txt. Type: -\[ying@serverXY ying\]$ ***echo "hello" > encrypt-sec.txt*** +``` +[ying@serverXY ying\]$ echo "hello" > encrypt-sec.txt +``` Make sure you can read the contents of the file using cat. @@ -495,7 +536,9 @@ Make sure you can read the contents of the file using cat. it using me@serverXY’s public key ( which you now have in your key-ring). Type: -\[ying@serverXY ying\]$ ***gpg --encrypt --recipient me@serverXY encrypt-sec.txt*** +``` +[ying@serverXY ying\]$ gpg --encrypt --recipient me@serverXY encrypt-sec.txt +``` The above command will create an encrypted file called “encrypt-sec.txt.gpg” in your pwd. @@ -504,14 +547,15 @@ Make sure you can read the contents of the file using cat. 1. The file you encrypted above was meant for me@serverXY. Try to decrypt the file. Type: - -\[ying@serverXY ying\]$ ***gpg --decrypt encrypt-sec.txt.gpg*** +``` +\[ying@serverXY ying\]$ gpg --decrypt encrypt-sec.txt.gpg gpg: encrypted with 1024-bit ELG-E key, ID FD20DBF1, created 2003-10-16 "Me Mao (my test) <me@serverXY>" gpg: decryption failed: secret key not available +``` 2. Have we learnt any valuable lesson here? 
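Review bot: `\[ying@serverXY ying\]$ gpg --decrypt encrypt-sec.txt.gpg` in the decryption hunk keeps the leading `\[` and `\]` inside the fence. The output kept in the same block ("decryption failed: secret key not available") is the answer to the "Have we learnt any valuable lesson here?" question and is worth stating in the text: the file was encrypted to me@serverXY's public key, ying holds only that public half, and only the holder of the matching secret key can decrypt it.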
@@ -525,7 +569,9 @@ gpg: decryption failed: secret key not available Make a habit of using the command below instead when decrypting files: -\[ying@serverXY ying\]$ ***gpg --output encrypt-sec --decrypt encrypt-sec.txt.gpg*** +``` +[ying@serverXY ying\]$ gpg --output encrypt-sec --decrypt encrypt-sec.txt.gpg +``` This forces sending the output to a file called “encrypt-sec”. @@ -537,24 +583,27 @@ Which can then be viewed (or run) using any program that is suited for the file typing for the user at the command line. e.g. +``` gpg --encrypt --recipient me@serverXY encrypt-sec.txt - +``` The short form of the above command is: - +``` gpg -e -r me@serverXY encrypt-sec.txt - +``` 2. To encrypt the string "hello" and mails it as an ASCII armored message to the user with the mail address ying@serverXY; Use the command below: - +``` echo "hello" | gpg -ea -r ying@serverXY | mail ying@serverXY +``` 3. To encrypt the file "your\_file" with the public key of "me@serverXY" and write it to "your\_file.gpg" after ***signing*** it with your user id (using your digital signature); Use the command below: +``` gpg -se -r me@serverXY your\_file - +``` 4. There is a publicly available key server at wwwkeys.pgp.net. You can use gpg to upload your key there with: gpg --send-keys <your\_real\_email\_address> --keyserver wwwkeys.pgp.net @@ -595,7 +644,8 @@ The client's suite of programs include “ssh”. This is a program used for log ### sshd -Usage: sshd \[options\] +``` +Usage: sshd [options\ Options: 
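Review bot: in the gpg examples hunk the `gpg --send-keys <your\_real\_email\_address> --keyserver wwwkeys.pgp.net` line is the only command in the section left unfenced, and `your\_file` inside the new fence keeps its escapes; fence it like the others and drop the backslashes.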
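Review bot: `Usage: sshd [options\` in the last hunk has a stray backslash where the closing bracket belongs, so the usage line is now broken in a way the original `sshd \[options\]` was not; write `Usage: sshd [options]`.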
@@ -628,18 +678,21 @@ Options: -6 Use IPv6 only -o option Process the option as if it was read from a configuration file. +``` + Most Linux systems out of the box already have the OpenSSH server configured and running with some defaults. The configuration file for sshd usually resides under - /etc/ssh/ - and is called sshd\_config. sshd\_config 1. Open up the ssh server’s config file with any pager and study it. Type: +``` +[root@serverXY root\]\# less /etc/ssh/sshd_config +``` -\[root@serverXY root\]\# less /etc/ssh/sshd\_config - -NOTE: +!!! NOTE: -sshd\_config is a rather odd configuration file. +sshd_config is a rather odd configuration file. You will notice that unlike other Linux config files - comments (\#) in the sshd\_config file denotes the defaults values of the options. i.e. comments represents already compiled-in defaults. @@ -671,8 +724,9 @@ To generate host keys for your server 1. Create a new directory under your pwd. Call it spare-keys. cd to the new directory. Type: -\[root@serverXY ssh\]\# mkdir spare-keys && cd spare-keys - +``` +[root@serverXY ssh\]# mkdir spare-keys && cd spare-keys +``` 2. Use the ssh-keygen program to create a host key with the following characteristics: a. key type should be “rsa” @@ -685,11 +739,15 @@ d. The key should not use any passphrase Type: -\[root@serverXY spare-keys\]\# ssh-keygen -q -t rsa -f ssh\_host\_rsa\_key -C '' -N '' +``` +[root@serverXY spare-keys]# ssh-keygen -q -t rsa -f ssh\_host\_rsa\_key -C '' -N '' +``` 3. View the fingerprint of the key you created above. Type: -\[root@serverXY spare-keys\]\# ssh-keygen -l -f ssh\_host\_rsa\_key +``` +[root@serverXY spare-keys]# ssh-keygen -l -f ssh_host_rsa_key +``` 4. Write down the command to create a ***dsa*** type key called “ssh\_host\_dsa\_key” with no comments, 
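Review bot: in the host-key hunk, `ssh-keygen -q -t rsa -f ssh\_host\_rsa\_key -C '' -N ''` still escapes the underscores while the fingerprint command two lines below uses `ssh_host_rsa_key`; inside a fence the backslashes are literal, so as written the two commands name different files and step 3 would fail to find the key step 2 created. Use `ssh_host_rsa_key` in both.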
@@ -717,19 +775,25 @@ To use ssh 2. Use ssh to connect to serverPR. Type: -\[me@serverXY me\]$ ***ssh serverPR*** +``` +[me@serverXY me\]$ ***ssh serverPR*** +``` Type in me’s password when prompted. If you get any warning messages type “yes” to continue. 3. After logging in, create a directory called - myexport and create an empty file. Type: -\[me@serverPR me\]$ ***mkdir ~/myexport && touch myexport/$$*** +``` +[me@serverPR me\]$ mkdir ~/myexport && touch myexport +``` Make a note of the random file that was created for you, under ~/myexport ? 4. Log off serverPR. Type: -\[me@serverPR me\]$ ***exit*** +``` +[me@serverPR me]$ exit +``` You will be returned to your local shell at serverXY. @@ -737,15 +801,18 @@ You will be returned to your local shell at serverXY. serverPR. Type: -\[me@serverXY me\]$ ***ssh ying@serverPR “ls /home/ying”*** - +``` +[me@serverXY me]$ssh ying@serverPR “ls /home/ying” +``` Type in ying’s password when prompted. If you get any warning messages type “yes” to continue. 6. While still logged in as me on serverXY, log into serverPR as the user ying. Type: -\[me@serverXY me\]$ ***ssh -l ying serverPR *** +``` +[me@serverXY me\]$ ***ssh -l ying serverPR *** +``` - **Type in ying’s password when prompted.** +**Type in ying’s password when prompted.** 7. Type “exit” to log off serverPR and return to serverXY. @@ -756,11 +823,9 @@ scp - secure copy (remote file copy program) scp copies files between hosts on a network. It uses ssh for data transfer, and uses the same authentication and provides the same security as ssh. ``` -Usage:- scp \[-pqrvBC46\] \[-F ssh\_config\] \[-S program\] \[-P port\] \[-c cipher\] - - \[-i identity\_file\] \[-o ssh\_option\] \[\[user@\]host1:\] file1 \[...\] - - \[\[user@\]host2:\] file2 +usage: scp [-346ABCOpqRrTv] [-c cipher] [-D sftp_server_path] [-F ssh_config] + [-i identity_file] [-J destination] [-l limit] + [-o ssh_option] [-P port] [-S program] source ... target ``` To use scp 
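Review bot: `mkdir ~/myexport && touch myexport/$$` was changed to `mkdir ~/myexport && touch myexport`, which only updates the timestamp of the new directory and creates no file, yet the next sentence still asks the reader to "make a note of the random file that was created for you, under ~/myexport". Restore `touch myexport/$$` (`$$` expands to the shell's PID, which is the "random" file name the text refers to) or rewrite that sentence and the later scp step that copies the directory's contents.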
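Review bot: `[me@serverXY me]$ssh ying@serverPR “ls /home/ying”` in the remote-command hunk lost the space after the prompt and uses curly quotes, which a shell would pass to ssh as part of the argument rather than treating as quoting; write `[me@serverXY me]$ ssh ying@serverPR "ls /home/ying"`.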
@@ -771,8 +836,9 @@ To use scp 3. Copy over all the files under the “/home/me/myexport/” directory on serverPR. Type: -\[me@serverXY myimports\]$ ***scp serverPR:/home/me/myexport .*** - +``` +[me@serverXY myimports\]$ scp serverPR:/home/me/myexport . +``` 4. List the contents of your pwd ? Was that totally cool or what ? @@ -781,7 +847,9 @@ To use scp 6. Now copy over all the files under ying’s home directory on serverPR. Type: -\[me@serverXY myimports\]$ ***scp -r ying@serverPR:/home/ying/\* .*** +``` +[me@serverXY myimports\]$ scp -r ying@serverPR:/home/ying/* . +``` ## Exercise 7 @@ -801,7 +869,8 @@ To create ying’s authentication keys 2. Run the “ssh-keygen” program to create a “***dsa***” type key with the default length. Type: -\[ying@serverXY ying\]$ ***ssh-keygen -t dsa*** +``` +[ying@serverXY ying]$ ssh-keygen -t dsa Generating public/private dsa key pair. @@ -813,9 +882,9 @@ Enter a very good passphrase when prompted - i.e. one that is difficult to guess Created directory '/home/ying/.ssh'. -Enter passphrase (empty for no passphrase): \*\*\*\*\*\*\*\*\* +Enter passphrase (empty for no passphrase): ******** -Enter same passphrase again: \*\*\*\*\*\*\*\*\* +Enter same passphrase again: ******* Your identification has been saved in /home/ying/.ssh/id\_dsa. @@ -824,6 +893,8 @@ Your public key has been saved in /home/ying/.ssh/id\_dsa.pub. The key fingerprint is: 61:68:aa:c2:0c:af:9b:49:4a:11:b8:aa:b5:84:18:10 ying@serverXY.example.org +``` + 3. cd to your “**~/.ssh/**” directory. List the files in the directory? 
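Review bot: the authentication-key hunk still fences `ssh-keygen -t dsa`, and Exercise 7 relies on that key for public-key login, but OpenSSH has refused ssh-dss keys for authentication by default since 7.0, so on the same current OpenSSH whose usage text this patch pastes in for scp and ssh-agent the later `ssh serverPR` will fall back to a password prompt instead of the passphrase prompt the lab describes. Switch the exercise to `ssh-keygen -t ed25519` (and `id_ed25519` in the paths that follow) or state that the server must explicitly allow ssh-dss. Minor: the two passphrase lines now show eight and seven asterisks.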
@@ -848,16 +919,14 @@ To configure public-key authentication 2. cd to your “~/.ssh” directory. 3. Type in the horrible looking command below: - -\[ying@serverXY .ssh\]$ ***cat id\_dsa.pub | ssh ying@serverPR \\*** +``` +[ying@serverXY .ssh\]$ cat id\_dsa.pub | ssh ying@serverPR \ '(cd ~/.ssh && cat - >> authorized\_keys && chmod 600 authorized\_keys)' The above command reads: - a. cat the contents of your dsa public-key file, but send the out to the pipe ( | ) instead of the - - usual standard out. + a. cat the contents of your dsa public-key file, but send the out to the pipe ( | ) instead of the usual standard out. b. run the command “***cd ~/.ssh && cat - >> authorized\_keys && chmod 600 authorized\_keys”*** @@ -873,9 +942,11 @@ To configure public-key authentication login to serverPR as ying via ssh. Type: -\[ying@serverXY .ssh\]$ ***ssh serverPR*** +``` +[ying@serverXY .ssh]$ ssh serverPR -Enter passphrase for key '/home/ying/.ssh/id\_dsa': \*\*\*\*\*\*\*\*\*\* +Enter passphrase for key '/home/ying/.ssh/id\_dsa': ******** +``` Note very carefully that, you are being prompted for your passphrase this time instead of the 
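Review bot: the fence opened before `[ying@serverXY .ssh\]$ cat id\_dsa.pub | ssh ying@serverPR \` is never closed in this hunk, so "The above command reads:" and the a./b. explanation render as code (patch 4/6 adds the missing ``` afterwards; squash it into this commit so no intermediate revision leaves the page half-rendered). `id\_dsa.pub` and `authorized\_keys` also keep their escapes inside the fence. The command itself is sound; `ssh-copy-id -i ~/.ssh/id_dsa.pub ying@serverPR` performs the same append with restrictive permissions and is easier for students to type, which would be worth mentioning alongside the "horrible looking" version.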
@@ -890,9 +961,11 @@ password. Enter the passphrase you created earlier when you created your keys. According to the man page - ssh-agent is a program to hold private keys used for public key authentication (RSA, DSA). The idea is that ssh-agent is started in the beginning of an X-session or a login session, and all other windows or programs are started as clients to the ssh-agent program. Through use of environment variables the agent can be located and automatically used for authentication when logging into other machines using ssh. ``` -Usage ssh-agent \[-a bind\_address\] \[-c | -s\] \[-d\] \[command \[args ...\]\] - - ssh-agent \[-c | -s\] -k +usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash] + [-P allowed_providers] [-t life] + ssh-agent [-a bind_address] [-E fingerprint_hash] [-P allowed_providers] + [-t life] command [arg ...] + ssh-agent [-c | -s] -k ``` In this exercise you will learn how to configure the agent such that you wont have to type in your passphrase every time you want to connect to another system using public-key authentication. @@ -901,14 +974,17 @@ In this exercise you will learn how to configure the agent such that you wont ha 2. Type in the command below: -[ying@serverXY .ssh\]$ ***eval \`ssh-agent\`*** +``` +[ying@serverXY .ssh\]$ eval `ssh-agent` Agent pid 5623 +``` Take note of the PID of the agent: -3. Use the “***ssh-add***” program to add your keys to the agent you launched above. Type: +3. Use the `ssh-add` program to add your keys to the agent you launched above. Type: +``` [ying@serverXY .ssh\]$ ***ssh-add*** Enter your passphrase when prompted. 
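Review bot: the fence opened before `[ying@serverXY .ssh\]$ ***ssh-add***` in the last hunk is not closed until after the "Identity added" line in the next hunk, so the prose sentence "Enter your passphrase when prompted." ends up inside the code block; close the fence after the ssh-add command, keep that sentence as text, and open a new fence for the two output lines. The `***` around ssh-add are literal inside a fence and should go.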
@@ -916,11 +992,13 @@ Take note of the PID of the agent: Enter passphrase for /home/ying/.ssh/id\_dsa: Identity added: /home/ying/.ssh/id\_dsa (/home/ying/.ssh/id\_dsa) +``` -4. Now connect to serverPR as the user ying. You WILL NOT be prompted for a password or -passphrase (i.e if everything has been done correctly). Type: +4. Now connect to serverPR as the user ying. You WILL NOT be prompted for a password or passphrase (i.e if everything has been done correctly). Type: -[ying@serverXY .ssh\]$ ***ssh serverPR*** +``` +[ying@serverXY .ssh\]$ ssh serverPR +``` 5. Enjoy. From fb98a5e9f91c797fa21bfe92776d34bd8538c5cb Mon Sep 17 00:00:00 2001 From: wale soyinka Date: Wed, 27 Sep 2023 15:53:33 -0400 Subject: [PATCH 4/6] Update lab9-cryptography.md --- docs/labs/security/lab9-cryptography.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/labs/security/lab9-cryptography.md b/docs/labs/security/lab9-cryptography.md index 85d0205724..cd816a1e76 100644 --- a/docs/labs/security/lab9-cryptography.md +++ b/docs/labs/security/lab9-cryptography.md @@ -923,6 +923,7 @@ To configure public-key authentication [ying@serverXY .ssh\]$ cat id\_dsa.pub | ssh ying@serverPR \ '(cd ~/.ssh && cat - >> authorized\_keys && chmod 600 authorized\_keys)' +``` The above command reads: From dd63f4edfbd34f05de49752d6bc90f4e79eac842 Mon Sep 17 00:00:00 2001 From: wale soyinka Date: Wed, 27 Sep 2023 19:48:19 -0400 Subject: [PATCH 5/6] Create lab3-auditing_the_system.md --- .../labs/security/lab3-auditing_the_system.md | 967 ++++++++++++++++++ 1 file changed, 967 insertions(+) create mode 100644 docs/labs/security/lab3-auditing_the_system.md diff --git a/docs/labs/security/lab3-auditing_the_system.md b/docs/labs/security/lab3-auditing_the_system.md new file mode 100644 index 0000000000..e2a55652bb --- /dev/null +++ b/docs/labs/security/lab3-auditing_the_system.md 
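Review bot: patch 4/6 is a one-line commit whose only content is the closing fence that patch 3/6 left open after the `authorized\_keys` command; squash it into 3/6 so that the series does not contain a revision in which the rest of the section is rendered as code.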
@@ -0,0 +1,967 @@ +# Lab 3: Auditing the System + +## Objectives + + +After completing this lab, you will be able to + +- create a simple and custom auditing tool from scratch +- use and understand security auditing tools like tripwire + +Estimated time to complete this lab: 90 minutes + + + + + + + +# A simple home grown integrity checker + +Before we begin to install and configure tripwire we will first create a sample script that performs a similar function to tripwire. This script will help in gaining a better understanding of how Tripwire and similar tools function. + +The script relies heavily on the md5sum program. The md5sum program is used to compute a 128-bit checksum (or "fingerprint") for a specified FILE. + +The script functions’ as summarized below: + +i) Right after the base system has been installed, it will back up some of the system configuration files in the /etc directory, into a directory called etc.bak in roots home directory. + +In particular it will back up all the files under /etc with the suffix “*.conf” + +It does this when run with the initialization option ( -- initialization| -i) + +ii) The script will then be used to obtain the md5 checksums of the known good files (untainted files). + +iii) The list of MD5 sums will be stored in a file called “md5_good”. + +iv) When the script is run in a verify mode, the md5sum program will be called with the “ - -check” option to check the current MD5 sums against a given list (the md5_good file). + + +The script will print the output of the verification to the standard output and will also send a copy of the + +result via e-mail to the super-user. + +v) Whenever changes are made (legal or illegal) to the configuration files under /etc the script can be called + +with the “--rebuild| -r” option to approve the changes and rebuild the baseline pseudo database. + +vi) You can periodically manually run the script or create a cron job to automatically run the script. 
+ + +The script below can be fine tuned and scaled to do much more than it does. It is left to you and your imagination to make it do whatever you want it to do. + +If you are lazy (like me) and just want a quick and dirty way to get the job done the script will suffice but for everything else there is MasterCard – excuse me, I meant, for everything else there is Tripwire. + + +### Exercise 1 + +1. Log in as root and launch your text editor of choice. Enter the text below: + +``` +#!/bin/sh +# This script checks for changes in the MD5 sums of files named "/etc/*.conf" + + +case $1 in + + -i|--initialize) + +# This section will run if the script is run in an initialization mode +# Delete old directory, make directory, backup good files and change directory to /root/etc.bak + +rm -rf /root/etc.bak && mkdir /root/etc.bak && cp /etc/*.conf /root/etc.bak && cd /root/etc.bak + + +# Create our baseline file containing a list of good MD5 sums + + for i in /etc/*.conf ; do + + md5sum $i >> md5_good + done + echo -e "nUntainted baseline file ("~/etc.bak/md5_good") has been created !!n" + ;; + + + -v|--verify) + +# This section will run if the script is called in a verify mode + + cd /root/etc.bak + + +# Check if there is any file containing output from a previous run + + if [ -f md5_diffs ] ; then + + rm -f md5_diffs # if it exists we delete it + fi + + +# We re-create the file with a pretty sub-heading and some advice + + echo -e "n **** Possibly tainted File(s) ****" > md5_diffs + +# echo "" >> md5_diffs # append a blank line + +# Run the md5sum program against a known good list i.e. "md5_good" file + + md5sum -c md5_good 2> /dev/null | grep FAILED >> md5_diffs + + + + if [ $? -ge 1 ] ; then + echo "Nothing wrong here." + else + + +# append some "advice" to the md5_diffs file + + echo -e "\n Update the baseline file if you approve of the changes to the file(s) above \n" >> md5_diffs + + echo -e "Re-run the script with the re-build option (e.g. 
./check.sh --rebuild) to approven" >> md5_diffs + + + cat md5_diffs # print the md5_diffs file to the display + + mail -s "Changed Files" root < md5_diffs # also e-mail the md5_diffs file to root + + fi + + ;; + + -r|--rebuild) + + +# This section is for re-building the Baseline file just incase +# the changes to the configuration files are legal and sanctioned + + cd /root/etc.bak/ + mv md5_good md5_good.bak # make a backup copy of current untainted baseline file + + + for j in /etc/*.conf ; do + md5sum $j >> md5_good + + done + echo -e "n Baseline file updated with approved changes !!!n " + ;; + + *) + + echo "This script accepts: only ( -i|--initialize or -v|--verify or -r|--rebuild ) parameters" + + ;; + +esac +``` + +Save the text above in a text file and name the file “check.sh” + +#### To use the check.sh script + +1. Create a directory under root’s home directory called “scripts” + +2. Copy the script you created above into your scripts directory. + +3. Make the script executable. + +4. Run the script with the initialization option. Type: + +``` +[root@localhost scripts]# *./check.sh -i* +``` + + +Untainted baseline file (~/etc.bak/md5_good) has been created !! + +5. Use the ls command to view contents root’s home directory. You should have a new directory named + +“etc.bak” therein. Use the cat command to view the “/root/etc.bak/md5_good” file – just for fun. + +6. Run the script using the verify option. Type: + +``` +[root@localhost scripts]# ./check.sh -v + +Nothing wrong here. +``` + + +You should get the output above if all is well. + +7. You will deliberately alter the /etc/modules.conf files under the /etc directory. Type: + +``` +[root@localhost scripts]# echo "# This is just a test" >> /etc/modules.conf +``` + + +8. Now run the check.sh script again in verification mode. 
Type: + +``` +[root@localhost scripts]# ./check.sh -v + + + **** + +/etc/modules.conf: FAILED +``` + +Update the baseline file if you approve of the changes to the file(s) above + +Re-run the script with the re-build option (e.g. ./check.sh --rebuild) to approve + + +9. Per the warning above, you should go and investigate further to see if the altered file meets your + +approval. If it does you may run the script with a - - rebuild option. + +To view only the differences between the “tainted” file and the “untainted” file you could type: + + + +[root@localhost scripts]# *sdiff -s /etc/modules.conf /root/etc.bak/modules.conf* + + + < + +# Tripwire + +One of the first things you should do after building any new system is to get a snapshot of a known good state of the system before the system is “contaminated” or before deploying the system into production. + +There are several tools available for doing this. One of such tools is tripwire. Tripwire is an advanced tool, so brace yourself for a plethora of options, syntax, idiosyncrasies and switches. + +Tripwire can be regarded as a form of a host based intrusion detection system (IDS). It performs intrusion detection functions by taking a snapshot of a "healthy system" and later on comparing this healthy state with any other suspect states. It provides a means of knowing/monitoring whether certain sensitive files have been altered illegally. The system administrator of course decides what files are to be monitored. + +The authors of tripwire describe it as an Open Source Security, Intrusion Detection, Damage Assessment and Recovery, Forensics software. + +Tripwire simply compares a file’s new signature with that taken when the database was initially created. + +The steps involved in installing and configuring tripwire are as listed below: + +i. Install the software from source or binary + +ii. Run the configuration script: (twinstall.sh). 
This script is used to: + +a) Create the site key and the local key and prompts for pass phrases for both + +b) Sign the policy file and configuration file with the site key. + +iii. Initialize the tripwire database + +iv. Run the first integrity check. + +v. Edit the configuration file (twcfg.txt) + +vi. Edit the policy file (twpol.txt) + +Tripwire accepts the following command line options: + + +#### Database Initialization mode: +``` + + -m i --init + -v --verbose + -s --silent, --quiet + -c cfgfile --cfgfile cfgfile + -p polfile --polfile polfile + -d database --dbfile database + -S sitekey --site-keyfile sitekey + -L localkey --local-keyfile localkey + -P passphrase --local-passphrase passphrase + -e --no-encryption + +``` + +#### Integrity Checking mode: +``` + + -m c --check + -I --interactive + -v --verbose + -s --silent, --quiet + -c cfgfile --cfgfile cfgfile + -p polfile --polfile polfile + -d database --dbfile database + -r report --twrfile report + -S sitekey --site-keyfile sitekey + -L localkey --local-keyfile localkey + -P passphrase --local-passphrase passphrase + -n --no-tty-output + -V editor --visual editor + -E --signed-report + -i list --ignore list + -l { level | name } --severity { level | name } + -R rule --rule-name rule + -x section --section section + -M --email-report + -t { 0|1|2|3|4 } --email-report-level { 0|1|2|3|4 } + -h --hexadecimal + [ object1 [ object2... 
]] + + +``` +#### Database Update mode: + +``` + -m u --update + -v --verbose + -s --silent, --quiet + -c cfgfile --cfgfile cfgfile + -p polfile --polfile polfile + -d database --dbfile database + -r report --twrfile report + -S sitekey --site-keyfile sitekey + -L localkey --local-keyfile localkey + -P passphrase --local-passphrase passphrase + -V editor --visual editor + -a --accept-all + -Z { low | high } --secure-mode { low | high } +``` + + + + +Policy Update mode: + +``` + -m p --update-policy + -v --verbose + -s --silent, --quiet + -c cfgfile --cfgfile cfgfile + -p polfile --polfile polfile + -d database --dbfile database + -S sitekey --site-keyfile sitekey + -L localkey --local-keyfile localkey + -P passphrase --local-passphrase passphrase + -Q passphrase --site-passphrase passphrase + -Z { low | high } --secure-mode { low | high } + policyfile.txt +``` + + +Summary Of Options for the tripwire command: + +``` +SYNOPSIS + Database Initialization: tripwire { -m i | --init } [ options... ] + Integrity Checking: tripwire { -m c | --check } [ options... ] + [ object1 [ object2... ]] + Database Update: tripwire { -m u | --update } [ options... ] + Policy update: tripwire { -m p | --update-policy } [ options... ] + policyfile.txt + Test: tripwire { -m t | --test } [ options... ] + +``` + + + + + +#### twadmin + +The twadmin utility is used to perform administrative functions related to tripwire files and configuration options. Specifically, twadmin allows encoding, decoding, signing, and verification of tripwire files, and provides a means to generate and change local and site keys. + +Create Configuration File: twadmin [-m F|--create-cfgfile][options] cfgfile.txt + +Print Configuration File: twadmin [-m f|--print-cfgfile] [options] + +Create Policy File: twadmin [-m P|--create-polfile] [options] polfile.txt + +Print Policy File: twadmin [-m p|--print-polfile] [options] + +Remove Encryption: twadmin [-m R|--remove-encryption] [options] [file1...] 
+ +Encryption: twadmin [-m E|--encrypt] [options] [file1...] + +Examine Encryption: twadmin [-m e|--examine] [options] [file1...] + +Generate Keys: twadmin [-m G|--generate-keys] [options] + +#### twprint + +Prints Tripwire database and report files in clear text format. + +Print Report mode: + +``` +-m r --print-report + +-v --verbose + +-s --silent, --quiet + +-c cfgfile --cfgfile cfgfile + +-r report --twrfile report + +-L localkey --local-keyfile localkey + +-t { 0|1|2|3|4 } --report-level { 0|1|2|3|4 } +``` + +Print Database mode: + +``` +-m d --print-dbfile + +-v --verbose + +-s --silent, --quiet + +-c cfgfile --cfgfile cfgfile + +-d database --dbfile database + +-L localkey --local-keyfile localkey + +[object1 [object2 ...] +``` + +#### siggen + +siggen is a signature gathering routine for Tripwire. It is a utility that displays the hash function values for the specified files. + +``` +OPTIONS + ‐t, --terse + Terse mode. Prints requested hashes for a given file on one line, delimited by spaces, with no extraneous information. + + ‐h, --hexadecimal + Display results in hexadecimal rather than base64 notation. + + ‐a, --all + Display all hash function values (default). + + ‐C, --CRC32 + Display CRC-32, POSIX 1003.2 compliant 32-bit Cyclic Redundancy Check. + + ‐M, --MD5 + Display MD5, the RSA Data Security, Inc. Message Digest Algorithm. + + ‐S, --SHA + Display SHA, Tripwire's implementation of the NIST Secure Hash Standard, SHS (NIST FIPS 180). + + ‐H, --HAVAL + Display Haval value, a 128-bit hash code. + + file1 [ file2... ] + List of filesystem objects for which to display values. +``` + + + +### Exercise 1 + +#### To install Tripwire + +1. Check to see if you already have tripwire installed on your system. Type: + +[root@localhost root]# rpm -q tripwire + +tripwire-* + +If you get an output similar to the one above then you already have it installed. Skip the next step. + +2. If you dont have it installed, obtain the tripwire binary and install it. 
Type: + +[root@localhost root]# dnf -y install tripwire + + +#### To Configure tripwire + +Configuring tripwire involves customizing the tripwire configuration file if needed, then customizing the policy file if needed and then running the configuration script which will prompt you for a passphrase that will be used to sign/protect the configuration file, the policy file and the database file. + + +1. Change your pwd to the tripwire’s working directory: Type: + +[root@localhost root]# cd /etc/tripwire/ + +2. List the contents of the directory + + +3. Use any pager or text editor to view/study the files in the directory. + +4. We will accept the settings that come with the default config. file (twcfg.txt) and the provided default + +policy file (twpol.txt) for now. + +5. Execute the tripwire configuration utility as root. You will be prompted (twice) for site keyfile passphrase. Select any passphrase that you + +WILL NOT forget ( The site key is meant for the twcfg.txt file and the twpol.txt file) Type: + +``` +[root@localhost tripwire]# tripwire-setup-keyfiles +..... +Enter the site keyfile passphrase: +Verify the site keyfile passphrase: +...... +Generating key (this may take several minutes)...Key generation complete. +``` + + +Next you will be prompted for a local key. Again select another password YOU WILL not forget. ( The local key signs the tripwire database files and the reports files) + + + +``` +Enter the local keyfile passphrase: +Verify the local keyfile passphrase: +.... +Generating key (this may take several minutes)...Key generation complete. + +``` + + + +After choosing your passphrases the “twinstall.sh” script will then proceed with the actual creation/signing of the encrypted versions of the original plain text files ( i.e tw.cfg and tw.pol will be created respectively) You will be prompted again for the passphrases you choose earlier. At this point just follow the prompts until the script exits. 
+ +``` +---------------------------------------------- +Signing configuration file... +Please enter your site passphrase: +`````` + +``` +---------------------------------------------- +Signing policy file... +Please enter your site passphrase: ******** +...... + +Wrote policy file: /etc/tripwire/tw.pol + +``` + +6. List the new contents of the /etc/tripwire directory. + + +7. Per the warning you got while the tripwire-setup-keyfiles utility was running, you will now move the plain text versions of the configuration file and policy files away from the local system. You could store them + +on an external removal medium or encrypt them in place [using a tool like GPG for example] OR completely delete them if you are feeling particularly daring. Type: + +[root@localhost tripwire]# mkdir /root/tripwire_stuff && mv twcfg.txt twpol.txt /root/tripwire_stuff + + +!!!NOTE +It may be useful to keep the plain text versions in safe place, just incase you forget your passphrases. You can then always re-run the “tripwire-setup-keyfiles” based on the configurations and policies you have fine tuned over time. + + + +#### To initialize the database + +Initializing the database is the tripwire terminology for, taking an initial “untainted” snapshot of the files you have decided to monitor (based on the policy file). This generates the database and also signs the database with the local key. The database serves as the baseline for all future integrity checks. + +1. While still logged in as root type: + +``` +[root@localhost tripwire]# tripwire --init + +Please enter your local passphrase: +Parsing policy file: /etc/tripwire/tw.pol +Generating the database... +*** Processing Unix File System *** + +``` + +Enter your local passphrase when prompted. The database creation will run to conclusion and you should get an output similar to the one below: + + +**The database was successfully generated.** + +2. 
Use the `ls` command to verify that the database was indeed created under the stated location. Type: + +``` +[root@localhost tripwire]# ls -lh /var/lib/tripwire/$(hostname).twd +-rw-r--r--. 1 root root 3.3M Sep 27 18:35 /var/lib/tripwire/localhost.twd +``` + + +### Exercise 2 + +Integrity checking and viewing reports + +In this exercise you will learn how to run an integrity check of the system and view the reports that tripwire generates for you. + +#### To run an integrity check + +Running tripwire in this mode (integrity check mode) compares the current file system objects with their properties in the tripwire database. Discrepancies between database and the current file system objects are printed to the standard output while tripwire is running in this mode. After the check is complete tripwire also generates a report file in the directory specified in the twcfg.txt file (/var/lib/tripwire/report/). + +1. Run an integrity check. Type: + +``` +[root@localhost tripwire]# tripwire --check +``` + +You'll see some [expected] warnings stream by during this check. + +Check under the /var/lib/tripwire/report directory to see if a report was also created in there for you. + +Write down the name of the report file that was created? + +FILE_NAME = + + + +2. Run the integrity check again but manually specify a file name for the report file. Type: +``` +[root@localhost tripwire]# tripwire -m c -r /root/tripwire_report.twr +``` + +3. Now make sure that a new file was created for you under root’s home directory. Type: + +``` +[root@localhost tripwire]# ls -l /root/tripwire_report.twr +``` + +#### To examine the report + +Tripwire’s report files, are a collection of rule violations discovered during an integrity check. + +There are several methods of viewing the tripwire report file. 
You could have been viewing it whilst the integrity check was running, you could view it in the form of an e-mail automatically sent to you or you could view it using the “twprint” command provided with the tripwire package. + +!!! NOTE +You probably noticed from the earlier exercise that by default, tripwire uses a combination of the systems FQDN name, the date and the time to name the report files. + +1. First change to the default report’s directory and view the default report created for you in step 1 above ( FILE_NAME). Type: + +``` +[root@localhost report]# cd /var/lib/tripwire/report && twprint --print-report -r +``` + +Replace above with the value you noted earlier. + +To use the short form of the above command Type: +``` +[root@localhost report]# twprint -m r -r | less +``` +We pipe the output to the less command because the report scrolls by quickly. + +2. Now view the other report you created manually, under root’s home directory. Type: +``` +[root@localhost root]# cd && twprint --print-report -r /root/tripwire_report.twr | less +``` + +3. Brace yourself and study the output of the report file carefully. + +4. You should have noticed again that tripwire created binary/data forms of the report files. Create a text only version of the report file under roots home directory. Type: +``` +[root@localhost root]# twprint --print-report -r /root/tripwire_report.twr > tripwire_report.txt +``` + +#### To view the reports via e-mail + +Here you will test the e-mail functionality of tripwire. Tripwire’s e-mail notification system uses the setting specified in the tripwire configuration file. (twcfg.txt). + +1. First view the configuration file and note the variable(s), that control tripwire’s e-mail notification system. To view the configuration file type: + +``` +[root@localhost report]# twadmin -m f | less +``` + +Write down the relevant variable(s) here? + + + +2. Next make sure that your local mail system is up and running by checking the status of say sendmail. 
+ +Type: + +``` +[root@localhost report]# systemctl -n 0 status postfix +....... + Active: active (running) since Thu 2023-08-31 16:21:26 UTC; 3 weeks 6 days ago +....... +``` + +Your output should be similar to the above. If your mailing system is not running, trouble-shoot that first and get it up and running before continuing. + +3. Send a test message to root. Type: + +[root@localhost report]# tripwire --test --email root + +4. Use the mail program to check root’s mail. Type: + +[root@localhost report]# mail + +The super user should have a message with the subject “"Test email message from Tripwire" + + +5. After you have confirmed that the e-mail functionality works you could try manually sending a copy of one of the reports to yourself. + +Write down the command to do this? + + + +### Fine tuning tripwire + +After installing tripwire, taking a snapshot of the system and then running the first integrity check you will more likely than not need to fine tune tripwire to suit the needs of your particular environment. +This is mostly because the default configuration and policy file that comes bundled with tripwire may not exactly fit your needs or reflect the actual objects on your file system. + +You need to ascertain if the file system violations reported in the report file during the integrity check are actual violations or legitimate/authorized changes to your file system objects. +Again tripwire offers several ways of doing this. + + + +### Updating the policy file ( --update-policy ) + +Using this method you will change or fine tune what tripwire considers violations to your file system objects by changing the rules in the policy file. The database can then be updated without a complete + +re-initialization. This saves time and preserves security by keeping the policy file synchronized with the database it uses. 
+ +You will use the report file you created earlier ( /root/tripwire_report.txt ) to fine tune your policy file by first preventing tripwire from reporting the absence of files that were never on the filesystem in the first place. + +This will help to greatly reduce the length of the report file that you have to manage. + + +#### To fine tune tripwire + +1. Use the grep command to filter out all lines in the report file that refers to missing files + +( Lines containing the word “Filename”). Redirect the output to another file - tripwire_diffs.txt + +Type: + +``` +[root@localhost root]# grep Filename /root/tripwire_report.txt > tripwire_diffs.txt +``` + +2. View the contents of the file you created above. Type: + +``` +[root@localhost root]# *less tripwire_diffs.txt* + + +207: Filename: /proc/scsi + +210: Filename: /root/.esd_auth + +213: Filename: /root/.gnome_private + +216: Filename: /sbin/fsck.minix + +219: Filename: /sbin/mkfs.bfs + +.................................. +``` + +3. Now you need to edit the tripwire policy file and comment out or delete the entries in the file that should not be in there. i.e. files that are not on your system and files that probably + +never will be on your system. For example one of the files that the policy file is trying to monitor is the /proc/scsi file. If you dont have any SCSI device on your system then it makes absolutely NO + +SENSE to monitor this file. + +Another debatable example of what to monitor or not to monitor are the various lock files under the “/var/lock/subsys/” directory. Choosing to monitor these files should be a personal call. + +Re-create a text version of the policy file - just in case you removed it (as advised ) from the local system. Type: + +``` +[root@localhost root]# twadmin --print-polfile > twpol.txt +``` + +4. Edit the text file you created above using any text editor. 
Comment out references to the objects that you don’t want to monitor; you can use the tripwire_diffs.txt file you created earlier as a guideline. + +Type: + +``` +[root@localhost root]# vi twpol.txt +``` + +Save your changes to the file and close it. + +5. Run tripwire in policy file update mode. Type: +``` +[root@localhost root]# tripwire --update-policy /root/twpol.txt* +``` + +Enter your local and site passphrases when prompted. + +A new signed and encrypted policy file will be created for you under the “/etc/tripwire/” directory. + +6. Delete or remove the text version of the policy file from your local system. + +7. Running the command in step 5 above will also have created a report file for you under the + +/var/lib/tripwire/report directory. + +Write down the name of your latest report file here? + + + + + +8. Run an integrity check of the system again until you are satisfied that you have a good baseline of the + +system, with which to make future decisions. What is the command to do this? + + + +### Updating the database (--update) + +Running tripwire in the database update mode after an integrity check provides a quick and dirty way to fine tune tripwire. This is because Database Update mode allows any differences between the database and the current system to be reconciled. This will prevent the violations from showing up in future reports. + +This update process saves time by enabling you to update the database without having to re-initialize it. + +#### To update the database + +1. Change your pwd to the location where tripwire stores the report files on your system. Type: + +``` +[root@localhost root]# cd /var/lib/tripwire/report/ +``` + +2. You will first use the database update mode in an interactive manner. Type: + +``` +[root@localhost report]# tripwire --update -Z low -r +``` + +Replace with the report file name you noted earlier. + +The above command will also launch your default text editor (e.g. 
vi) which will present you with so called “update ballot boxes”. You may need to scroll through the file. + +The entries marked with an “[x]” implies that the database should be updated with that particular object. + +Remove the "x" from the ballot box “[ ]” to prevent updating the database with the new values for that object. + +Use your text editor’s usual key-strokes to save and exit the editor. + +3. Next try using the database update mode in a non-interactive manner. i.e. you will accept all + +the entries in the report file will be accepted without prompting. Type: + +``` +[root@localhost report]# tripwire --update -Z low -a -r +``` + +### Tripwire configuration file + +You will begin these exercises by first fine-tuning your configuration file. In an earlier exercise you were advised to remove or delete all clear text versions of tripwire’s file from your system. You will create a slightly more secure installation of tripwire by editing some of the variables in the tripwire config. file. e.g. you will specify that tripwire should always look for the binaries versions of the policy and config file on a removable media such as a floppy disk or a cdrom. + +1. Change your pwd to the /etc/tripwire directory. + +2. Generate a clear text version of the configuration file. Type: + +``` +[root@localhost tripwire]# twadmin --print-cfgfile > twcfg.txt +``` + +3. Open up the config file you created above in your text editor. 
Type: + +``` +[root@localhost tripwire]# vi twcfg.txt +``` + +Edit the file to look like the sample file below: + +( NOTE: The newly added and changed variables have been highlighted for you ) + +``` + +1 ROOT =/usr/sbin + +2 POLFILE =/mnt/floppy/tw.pol + +3 DBFILE =/var/lib/tripwire/$(HOSTNAME).twd + +4 REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr + +5 SITEKEYFILE =/mnt/floppy/site.key + +6 LOCALKEYFILE =/mnt/floppy/$(HOSTNAME)-local.key + +7 EDITOR =/bin/vi + +8 LATEPROMPTING =false + +9 LOOSEDIRECTORYCHECKING =true + +10 GLOBALEMAIL =root@localhost + +11 MAILNOVIOLATIONS =true + +12 EMAILREPORTLEVEL =3 + +13 REPORTLEVEL =3 + +14 MAILMETHOD =SENDMAIL + +15 SYSLOGREPORTING =true + +16 MAILPROGRAM =/usr/sbin/sendmail -oi -t +``` + + +4. Consult the man page for “twconfig” to find out what the following variables are meant for ? + +`````` +LOOSEDIRECTORYCHECKING + +GLOBALEMAIL + +SYSLOGREPORTING +``` + +5. Mount the removal media to the /mnt/usbdrive directory. Type: + +[root@localhost tripwire]# mount /dev/usbdrive /mnt/usbdrive + +!!! NOTE +If you choose to store your files on a different location (e.g. a cdrom media) make the necessary adjustments to the commands. + +6. Relocate the site key, local key and binary files to the location you specified in the new config. file. + +Type: + +``` +[root@localhost tripwire]# mv site.key tw.pol localhost.localdomain-local.key /mnt/usbdrive +``` + +6. Create a binary version of the clear text config file. Type: + +``` +[root@localhost tripwire]# *twadmin --create-cfgfile -S /mnt/floppy/site.key twcfg.txt* +``` + +The “/etc/tripwire/tw.cfg” file will be created for you. + +7. Test your new set up. Un-mount the floppy drive and eject the floppy disk. + +8. Try running one the tripwire commands that needs the files stored on the floppy drive. Type: + +``` +[root@localhost tripwire]# twadmin --print-polfile + +### Error: File could not be opened. 
+ +### Filename: /mnt/usbdrive/tw.pol + +### No such file or directory + +### + +### Unable to print policy file. + +### Exiting... +``` + +You should get an error similar to the one above. + +9. Mount the media that your tripwire files are stored. And try the above command again. + + + Did the command run successfully this time? + + +10. Search for and delete all the plain text versions of tripwire’s config files you have created thus far from your system. + +Having to mount and unmount a removable media each time you want to administer an aspect of tripwire may end up being such a drag, but the payoff may be in the extra security. You definitely want to consider storing a pristine version of tripwire’s database on a read-only media such as a CDROM. + + + +ADDITIONAL EXERCISES + +1. Configure your tripwire installation run an integrity check every day at 2 A.M and send out a report of the integrity check via e-mail to the super user on the system. + +!!! HINT: +You may need to do this using a cron job. From d112de8ce2b3e19846e042529ade2dad51b8b4f9 Mon Sep 17 00:00:00 2001 From: wale soyinka Date: Wed, 27 Sep 2023 19:50:08 -0400 Subject: [PATCH 6/6] Delete docs/labs/security/lab3-auditing_the_system --- docs/labs/security/lab3-auditing_the_system | 967 -------------------- 1 file changed, 967 deletions(-) delete mode 100644 docs/labs/security/lab3-auditing_the_system diff --git a/docs/labs/security/lab3-auditing_the_system b/docs/labs/security/lab3-auditing_the_system deleted file mode 100644 index e2a55652bb..0000000000 --- a/docs/labs/security/lab3-auditing_the_system +++ /dev/null 
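Review bot: The integrity-check and update steps in this hunk cannot be followed as written because the report-file argument is missing: `twprint --print-report -r`, `twprint -m r -r | less` and `tripwire --update -Z low -r` (and the non-interactive `tripwire --update -Z low -a -r`) all end in a bare `-r`, while the prose next to them says "Replace above with the value you noted earlier", so a `<FILE_NAME>` style placeholder has evidently been stripped; please restore an explicit placeholder such as `-r <FILE_NAME>` on each of those lines. Two fenced blocks are also broken: the "Signing configuration file..." sample is closed with six backticks instead of three, and the variable list after "Consult the man page for “twconfig”" is opened the same way, which will swallow the text that follows when rendered; and several commands inside fences still carry emphasis markers (`*less tripwire_diffs.txt*`, `/root/twpol.txt*`, `*twadmin --create-cfgfile -S /mnt/floppy/site.key twcfg.txt*`). The removable-media section mixes two mount points: the sample config points POLFILE, SITEKEYFILE and LOCALKEYFILE at `/mnt/floppy`, step 5 mounts `/mnt/usbdrive`, step 6 moves `site.key`, `tw.pol` and the local key to `/mnt/usbdrive`, the create-cfgfile command signs with `/mnt/floppy/site.key`, and the expected error shows `/mnt/usbdrive/tw.pol`; pick one path, since as written the keys end up where neither the config nor the signing command looks for them, and step 6 is numbered twice. Step 7 of the configuration section says to move the plain-text config and policy "away from the local system" but the command only relocates them to `/root/tripwire_stuff` on the same host; either reword it to "out of /etc/tripwire" or show the encrypt-in-place or delete alternative the sentence mentions. Minor: the prose refers to `twinstall.sh` while the command actually run is `tripwire-setup-keyfiles`, the e-mail section says to check sendmail but runs `systemctl -n 0 status postfix`, `!!!NOTE` needs the space (`!!! NOTE`) to match the admonition syntax used elsewhere in the file, and the file is created without a `.md` extension (`docs/labs/security/lab3-auditing_the_system`), so a Markdown site builder may not render it as a page at all.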
@@ -1,967 +0,0 @@ -# Lab 3: Auditing the System - -## Objectives - - -After completing this lab, you will be able to - -- create a simple and custom auditing tool from scratch -- use and understand security auditing tools like tripwire - -Estimated time to complete this lab: 90 minutes - - - - - - - -# A simple home grown integrity checker - -Before we begin to install and configure tripwire we will first create a sample script that performs a similar function to tripwire. This script will help in gaining a better understanding of how Tripwire and similar tools function. - -The script relies heavily on the md5sum program. The md5sum program is used to compute a 128-bit checksum (or "fingerprint") for a specified FILE. - -The script functions’ as summarized below: - -i) Right after the base system has been installed, it will back up some of the system configuration files in the /etc directory, into a directory called etc.bak in roots home directory. - -In particular it will back up all the files under /etc with the suffix “*.conf” - -It does this when run with the initialization option ( -- initialization| -i) - -ii) The script will then be used to obtain the md5 checksums of the known good files (untainted files). - -iii) The list of MD5 sums will be stored in a file called “md5_good”. - -iv) When the script is run in a verify mode, the md5sum program will be called with the “ - -check” option to check the current MD5 sums against a given list (the md5_good file). - - -The script will print the output of the verification to the standard output and will also send a copy of the - -result via e-mail to the super-user. - -v) Whenever changes are made (legal or illegal) to the configuration files under /etc the script can be called - -with the “--rebuild| -r” option to approve the changes and rebuild the baseline pseudo database. - -vi) You can periodically manually run the script or create a cron job to automatically run the script. 
- - -The script below can be fine tuned and scaled to do much more than it does. It is left to you and your imagination to make it do whatever you want it to do. - -If you are lazy (like me) and just want a quick and dirty way to get the job done the script will suffice but for everything else there is MasterCard – excuse me, I meant, for everything else there is Tripwire. - - -### Exercise 1 - -1. Log in as root and launch your text editor of choice. Enter the text below: - -``` -#!/bin/sh -# This script checks for changes in the MD5 sums of files named "/etc/*.conf" - - -case $1 in - - -i|--initialize) - -# This section will run if the script is run in an initialization mode -# Delete old directory, make directory, backup good files and change directory to /root/etc.bak - -rm -rf /root/etc.bak && mkdir /root/etc.bak && cp /etc/*.conf /root/etc.bak && cd /root/etc.bak - - -# Create our baseline file containing a list of good MD5 sums - - for i in /etc/*.conf ; do - - md5sum $i >> md5_good - done - echo -e "nUntainted baseline file ("~/etc.bak/md5_good") has been created !!n" - ;; - - - -v|--verify) - -# This section will run if the script is called in a verify mode - - cd /root/etc.bak - - -# Check if there is any file containing output from a previous run - - if [ -f md5_diffs ] ; then - - rm -f md5_diffs # if it exists we delete it - fi - - -# We re-create the file with a pretty sub-heading and some advice - - echo -e "n **** Possibly tainted File(s) ****" > md5_diffs - -# echo "" >> md5_diffs # append a blank line - -# Run the md5sum program against a known good list i.e. "md5_good" file - - md5sum -c md5_good 2> /dev/null | grep FAILED >> md5_diffs - - - - if [ $? -ge 1 ] ; then - echo "Nothing wrong here." - else - - -# append some "advice" to the md5_diffs file - - echo -e "\n Update the baseline file if you approve of the changes to the file(s) above \n" >> md5_diffs - - echo -e "Re-run the script with the re-build option (e.g. 
./check.sh --rebuild) to approven" >> md5_diffs - - - cat md5_diffs # print the md5_diffs file to the display - - mail -s "Changed Files" root < md5_diffs # also e-mail the md5_diffs file to root - - fi - - ;; - - -r|--rebuild) - - -# This section is for re-building the Baseline file just incase -# the changes to the configuration files are legal and sanctioned - - cd /root/etc.bak/ - mv md5_good md5_good.bak # make a backup copy of current untainted baseline file - - - for j in /etc/*.conf ; do - md5sum $j >> md5_good - - done - echo -e "n Baseline file updated with approved changes !!!n " - ;; - - *) - - echo "This script accepts: only ( -i|--initialize or -v|--verify or -r|--rebuild ) parameters" - - ;; - -esac -``` - -Save the text above in a text file and name the file “check.sh” - -#### To use the check.sh script - -1. Create a directory under root’s home directory called “scripts” - -2. Copy the script you created above into your scripts directory. - -3. Make the script executable. - -4. Run the script with the initialization option. Type: - -``` -[root@localhost scripts]# *./check.sh -i* -``` - - -Untainted baseline file (~/etc.bak/md5_good) has been created !! - -5. Use the ls command to view contents root’s home directory. You should have a new directory named - -“etc.bak” therein. Use the cat command to view the “/root/etc.bak/md5_good” file – just for fun. - -6. Run the script using the verify option. Type: - -``` -[root@localhost scripts]# ./check.sh -v - -Nothing wrong here. -``` - - -You should get the output above if all is well. - -7. You will deliberately alter the /etc/modules.conf files under the /etc directory. Type: - -``` -[root@localhost scripts]# echo "# This is just a test" >> /etc/modules.conf -``` - - -8. Now run the check.sh script again in verification mode. 
Type: - -``` -[root@localhost scripts]# ./check.sh -v - - - **** - -/etc/modules.conf: FAILED -``` - -Update the baseline file if you approve of the changes to the file(s) above - -Re-run the script with the re-build option (e.g. ./check.sh --rebuild) to approve - - -9. Per the warning above, you should go and investigate further to see if the altered file meets your - -approval. If it does you may run the script with a - - rebuild option. - -To view only the differences between the “tainted” file and the “untainted” file you could type: - - - -[root@localhost scripts]# *sdiff -s /etc/modules.conf /root/etc.bak/modules.conf* - - - < - -# Tripwire - -One of the first things you should do after building any new system is to get a snapshot of a known good state of the system before the system is “contaminated” or before deploying the system into production. - -There are several tools available for doing this. One of such tools is tripwire. Tripwire is an advanced tool, so brace yourself for a plethora of options, syntax, idiosyncrasies and switches. - -Tripwire can be regarded as a form of a host based intrusion detection system (IDS). It performs intrusion detection functions by taking a snapshot of a "healthy system" and later on comparing this healthy state with any other suspect states. It provides a means of knowing/monitoring whether certain sensitive files have been altered illegally. The system administrator of course decides what files are to be monitored. - -The authors of tripwire describe it as an Open Source Security, Intrusion Detection, Damage Assessment and Recovery, Forensics software. - -Tripwire simply compares a file’s new signature with that taken when the database was initially created. - -The steps involved in installing and configuring tripwire are as listed below: - -i. Install the software from source or binary - -ii. Run the configuration script: (twinstall.sh). 
This script is used to: - -a) Create the site key and the local key and prompts for pass phrases for both - -b) Sign the policy file and configuration file with the site key. - -iii. Initialize the tripwire database - -iv. Run the first integrity check. - -v. Edit the configuration file (twcfg.txt) - -vi. Edit the policy file (twpol.txt) - -Tripwire accepts the following command line options: - - -#### Database Initialization mode: -``` - - -m i --init - -v --verbose - -s --silent, --quiet - -c cfgfile --cfgfile cfgfile - -p polfile --polfile polfile - -d database --dbfile database - -S sitekey --site-keyfile sitekey - -L localkey --local-keyfile localkey - -P passphrase --local-passphrase passphrase - -e --no-encryption - -``` - -#### Integrity Checking mode: -``` - - -m c --check - -I --interactive - -v --verbose - -s --silent, --quiet - -c cfgfile --cfgfile cfgfile - -p polfile --polfile polfile - -d database --dbfile database - -r report --twrfile report - -S sitekey --site-keyfile sitekey - -L localkey --local-keyfile localkey - -P passphrase --local-passphrase passphrase - -n --no-tty-output - -V editor --visual editor - -E --signed-report - -i list --ignore list - -l { level | name } --severity { level | name } - -R rule --rule-name rule - -x section --section section - -M --email-report - -t { 0|1|2|3|4 } --email-report-level { 0|1|2|3|4 } - -h --hexadecimal - [ object1 [ object2... 
]] - - -``` -#### Database Update mode: - -``` - -m u --update - -v --verbose - -s --silent, --quiet - -c cfgfile --cfgfile cfgfile - -p polfile --polfile polfile - -d database --dbfile database - -r report --twrfile report - -S sitekey --site-keyfile sitekey - -L localkey --local-keyfile localkey - -P passphrase --local-passphrase passphrase - -V editor --visual editor - -a --accept-all - -Z { low | high } --secure-mode { low | high } -``` - - - - -Policy Update mode: - -``` - -m p --update-policy - -v --verbose - -s --silent, --quiet - -c cfgfile --cfgfile cfgfile - -p polfile --polfile polfile - -d database --dbfile database - -S sitekey --site-keyfile sitekey - -L localkey --local-keyfile localkey - -P passphrase --local-passphrase passphrase - -Q passphrase --site-passphrase passphrase - -Z { low | high } --secure-mode { low | high } - policyfile.txt -``` - - -Summary Of Options for the tripwire command: - -``` -SYNOPSIS - Database Initialization: tripwire { -m i | --init } [ options... ] - Integrity Checking: tripwire { -m c | --check } [ options... ] - [ object1 [ object2... ]] - Database Update: tripwire { -m u | --update } [ options... ] - Policy update: tripwire { -m p | --update-policy } [ options... ] - policyfile.txt - Test: tripwire { -m t | --test } [ options... ] - -``` - - - - - -#### twadmin - -The twadmin utility is used to perform administrative functions related to tripwire files and configuration options. Specifically, twadmin allows encoding, decoding, signing, and verification of tripwire files, and provides a means to generate and change local and site keys. - -Create Configuration File: twadmin [-m F|--create-cfgfile][options] cfgfile.txt - -Print Configuration File: twadmin [-m f|--print-cfgfile] [options] - -Create Policy File: twadmin [-m P|--create-polfile] [options] polfile.txt - -Print Policy File: twadmin [-m p|--print-polfile] [options] - -Remove Encryption: twadmin [-m R|--remove-encryption] [options] [file1...] 
- -Encryption: twadmin [-m E|--encrypt] [options] [file1...] - -Examine Encryption: twadmin [-m e|--examine] [options] [file1...] - -Generate Keys: twadmin [-m G|--generate-keys] [options] - -#### twprint - -Prints Tripwire database and report files in clear text format. - -Print Report mode: - -``` --m r --print-report - --v --verbose - --s --silent, --quiet - --c cfgfile --cfgfile cfgfile - --r report --twrfile report - --L localkey --local-keyfile localkey - --t { 0|1|2|3|4 } --report-level { 0|1|2|3|4 } -``` - -Print Database mode: - -``` --m d --print-dbfile - --v --verbose - --s --silent, --quiet - --c cfgfile --cfgfile cfgfile - --d database --dbfile database - --L localkey --local-keyfile localkey - -[object1 [object2 ...] -``` - -#### siggen - -siggen is a signature gathering routine for Tripwire. It is a utility that displays the hash function values for the specified files. - -``` -OPTIONS - ‐t, --terse - Terse mode. Prints requested hashes for a given file on one line, delimited by spaces, with no extraneous information. - - ‐h, --hexadecimal - Display results in hexadecimal rather than base64 notation. - - ‐a, --all - Display all hash function values (default). - - ‐C, --CRC32 - Display CRC-32, POSIX 1003.2 compliant 32-bit Cyclic Redundancy Check. - - ‐M, --MD5 - Display MD5, the RSA Data Security, Inc. Message Digest Algorithm. - - ‐S, --SHA - Display SHA, Tripwire's implementation of the NIST Secure Hash Standard, SHS (NIST FIPS 180). - - ‐H, --HAVAL - Display Haval value, a 128-bit hash code. - - file1 [ file2... ] - List of filesystem objects for which to display values. -``` - - - -### Exercise 1 - -#### To install Tripwire - -1. Check to see if you already have tripwire installed on your system. Type: - -[root@localhost root]# rpm -q tripwire - -tripwire-* - -If you get an output similar to the one above then you already have it installed. Skip the next step. - -2. If you dont have it installed, obtain the tripwire binary and install it. 
Type: - -[root@localhost root]# dnf -y install tripwire - - -#### To Configure tripwire - -Configuring tripwire involves customizing the tripwire configuration file if needed, then customizing the policy file if needed and then running the configuration script which will prompt you for a passphrase that will be used to sign/protect the configuration file, the policy file and the database file. - - -1. Change your pwd to the tripwire’s working directory: Type: - -[root@localhost root]# cd /etc/tripwire/ - -2. List the contents of the directory - - -3. Use any pager or text editor to view/study the files in the directory. - -4. We will accept the settings that come with the default config. file (twcfg.txt) and the provided default - -policy file (twpol.txt) for now. - -5. Execute the tripwire configuration utility as root. You will be prompted (twice) for site keyfile passphrase. Select any passphrase that you - -WILL NOT forget ( The site key is meant for the twcfg.txt file and the twpol.txt file) Type: - -``` -[root@localhost tripwire]# tripwire-setup-keyfiles -..... -Enter the site keyfile passphrase: -Verify the site keyfile passphrase: -...... -Generating key (this may take several minutes)...Key generation complete. -``` - - -Next you will be prompted for a local key. Again select another password YOU WILL not forget. ( The local key signs the tripwire database files and the reports files) - - - -``` -Enter the local keyfile passphrase: -Verify the local keyfile passphrase: -.... -Generating key (this may take several minutes)...Key generation complete. - -``` - - - -After choosing your passphrases the “twinstall.sh” script will then proceed with the actual creation/signing of the encrypted versions of the original plain text files ( i.e tw.cfg and tw.pol will be created respectively) You will be prompted again for the passphrases you choose earlier. At this point just follow the prompts until the script exits. 
- -``` ----------------------------------------------- -Signing configuration file... -Please enter your site passphrase: -`````` - -``` ----------------------------------------------- -Signing policy file... -Please enter your site passphrase: ******** -...... - -Wrote policy file: /etc/tripwire/tw.pol - -``` - -6. List the new contents of the /etc/tripwire directory. - - -7. Per the warning you got while the tripwire-setup-keyfiles utility was running, you will now move the plain text versions of the configuration file and policy files away from the local system. You could store them - -on an external removal medium or encrypt them in place [using a tool like GPG for example] OR completely delete them if you are feeling particularly daring. Type: - -[root@localhost tripwire]# mkdir /root/tripwire_stuff && mv twcfg.txt twpol.txt /root/tripwire_stuff - - -!!!NOTE -It may be useful to keep the plain text versions in safe place, just incase you forget your passphrases. You can then always re-run the “tripwire-setup-keyfiles” based on the configurations and policies you have fine tuned over time. - - - -#### To initialize the database - -Initializing the database is the tripwire terminology for, taking an initial “untainted” snapshot of the files you have decided to monitor (based on the policy file). This generates the database and also signs the database with the local key. The database serves as the baseline for all future integrity checks. - -1. While still logged in as root type: - -``` -[root@localhost tripwire]# tripwire --init - -Please enter your local passphrase: -Parsing policy file: /etc/tripwire/tw.pol -Generating the database... -*** Processing Unix File System *** - -``` - -Enter your local passphrase when prompted. The database creation will run to conclusion and you should get an output similar to the one below: - - -**The database was successfully generated.** - -2. 
Use the `ls` command to verify that the database was indeed created under the stated location. Type: - -``` -[root@localhost tripwire]# ls -lh /var/lib/tripwire/$(hostname).twd --rw-r--r--. 1 root root 3.3M Sep 27 18:35 /var/lib/tripwire/localhost.twd -``` - - -### Exercise 2 - -Integrity checking and viewing reports - -In this exercise you will learn how to run an integrity check of the system and view the reports that tripwire generates for you. - -#### To run an integrity check - -Running tripwire in this mode (integrity check mode) compares the current file system objects with their properties in the tripwire database. Discrepancies between database and the current file system objects are printed to the standard output while tripwire is running in this mode. After the check is complete tripwire also generates a report file in the directory specified in the twcfg.txt file (/var/lib/tripwire/report/). - -1. Run an integrity check. Type: - -``` -[root@localhost tripwire]# tripwire --check -``` - -You'll see some [expected] warnings stream by during this check. - -Check under the /var/lib/tripwire/report directory to see if a report was also created in there for you. - -Write down the name of the report file that was created? - -FILE_NAME = - - - -2. Run the integrity check again but manually specify a file name for the report file. Type: -``` -[root@localhost tripwire]# tripwire -m c -r /root/tripwire_report.twr -``` - -3. Now make sure that a new file was created for you under root’s home directory. Type: - -``` -[root@localhost tripwire]# ls -l /root/tripwire_report.twr -``` - -#### To examine the report - -Tripwire’s report files, are a collection of rule violations discovered during an integrity check. - -There are several methods of viewing the tripwire report file. 
You could have been viewing it whilst the integrity check was running, you could view it in the form of an e-mail automatically sent to you or you could view it using the “twprint” command provided with the tripwire package. - -!!! NOTE -You probably noticed from the earlier exercise that by default, tripwire uses a combination of the systems FQDN name, the date and the time to name the report files. - -1. First change to the default report’s directory and view the default report created for you in step 1 above ( FILE_NAME). Type: - -``` -[root@localhost report]# cd /var/lib/tripwire/report && twprint --print-report -r -``` - -Replace above with the value you noted earlier. - -To use the short form of the above command Type: -``` -[root@localhost report]# twprint -m r -r | less -``` -We pipe the output to the less command because the report scrolls by quickly. - -2. Now view the other report you created manually, under root’s home directory. Type: -``` -[root@localhost root]# cd && twprint --print-report -r /root/tripwire_report.twr | less -``` - -3. Brace yourself and study the output of the report file carefully. - -4. You should have noticed again that tripwire created binary/data forms of the report files. Create a text only version of the report file under roots home directory. Type: -``` -[root@localhost root]# twprint --print-report -r /root/tripwire_report.twr > tripwire_report.txt -``` - -#### To view the reports via e-mail - -Here you will test the e-mail functionality of tripwire. Tripwire’s e-mail notification system uses the setting specified in the tripwire configuration file. (twcfg.txt). - -1. First view the configuration file and note the variable(s), that control tripwire’s e-mail notification system. To view the configuration file type: - -``` -[root@localhost report]# twadmin -m f | less -``` - -Write down the relevant variable(s) here? - - - -2. Next make sure that your local mail system is up and running by checking the status of say sendmail. 
- -Type: - -``` -[root@localhost report]# systemctl -n 0 status postfix -....... - Active: active (running) since Thu 2023-08-31 16:21:26 UTC; 3 weeks 6 days ago -....... -``` - -Your output should be similar to the above. If your mailing system is not running, trouble-shoot that first and get it up and running before continuing. - -3. Send a test message to root. Type: - -[root@localhost report]# tripwire --test --email root - -4. Use the mail program to check root’s mail. Type: - -[root@localhost report]# mail - -The super user should have a message with the subject “"Test email message from Tripwire" - - -5. After you have confirmed that the e-mail functionality works you could try manually sending a copy of one of the reports to yourself. - -Write down the command to do this? - - - -### Fine tuning tripwire - -After installing tripwire, taking a snapshot of the system and then running the first integrity check you will more likely than not need to fine tune tripwire to suit the needs of your particular environment. -This is mostly because the default configuration and policy file that comes bundled with tripwire may not exactly fit your needs or reflect the actual objects on your file system. - -You need to ascertain if the file system violations reported in the report file during the integrity check are actual violations or legitimate/authorized changes to your file system objects. -Again tripwire offers several ways of doing this. - - - -### Updating the policy file ( --update-policy ) - -Using this method you will change or fine tune what tripwire considers violations to your file system objects by changing the rules in the policy file. The database can then be updated without a complete - -re-initialization. This saves time and preserves security by keeping the policy file synchronized with the database it uses. 
- -You will use the report file you created earlier ( /root/tripwire_report.txt ) to fine tune your policy file by first preventing tripwire from reporting the absence of files that were never on the filesystem in the first place. - -This will help to greatly reduce the length of the report file that you have to manage. - - -#### To fine tune tripwire - -1. Use the grep command to filter out all lines in the report file that refers to missing files - -( Lines containing the word “Filename”). Redirect the output to another file - tripwire_diffs.txt - -Type: - -``` -[root@localhost root]# grep Filename /root/tripwire_report.txt > tripwire_diffs.txt -``` - -2. View the contents of the file you created above. Type: - -``` -[root@localhost root]# *less tripwire_diffs.txt* - - -207: Filename: /proc/scsi - -210: Filename: /root/.esd_auth - -213: Filename: /root/.gnome_private - -216: Filename: /sbin/fsck.minix - -219: Filename: /sbin/mkfs.bfs - -.................................. -``` - -3. Now you need to edit the tripwire policy file and comment out or delete the entries in the file that should not be in there. i.e. files that are not on your system and files that probably - -never will be on your system. For example one of the files that the policy file is trying to monitor is the /proc/scsi file. If you dont have any SCSI device on your system then it makes absolutely NO - -SENSE to monitor this file. - -Another debatable example of what to monitor or not to monitor are the various lock files under the “/var/lock/subsys/” directory. Choosing to monitor these files should be a personal call. - -Re-create a text version of the policy file - just in case you removed it (as advised ) from the local system. Type: - -``` -[root@localhost root]# twadmin --print-polfile > twpol.txt -``` - -4. Edit the text file you created above using any text editor. 
Comment out references to the objects that you don’t want to monitor; you can use the tripwire_diffs.txt file you created earlier as a guideline. - -Type: - -``` -[root@localhost root]# vi twpol.txt -``` - -Save your changes to the file and close it. - -5. Run tripwire in policy file update mode. Type: -``` -[root@localhost root]# tripwire --update-policy /root/twpol.txt* -``` - -Enter your local and site passphrases when prompted. - -A new signed and encrypted policy file will be created for you under the “/etc/tripwire/” directory. - -6. Delete or remove the text version of the policy file from your local system. - -7. Running the command in step 5 above will also have created a report file for you under the - -/var/lib/tripwire/report directory. - -Write down the name of your latest report file here? - - - - - -8. Run an integrity check of the system again until you are satisfied that you have a good baseline of the - -system, with which to make future decisions. What is the command to do this? - - - -### Updating the database (--update) - -Running tripwire in the database update mode after an integrity check provides a quick and dirty way to fine tune tripwire. This is because Database Update mode allows any differences between the database and the current system to be reconciled. This will prevent the violations from showing up in future reports. - -This update process saves time by enabling you to update the database without having to re-initialize it. - -#### To update the database - -1. Change your pwd to the location where tripwire stores the report files on your system. Type: - -``` -[root@localhost root]# cd /var/lib/tripwire/report/ -``` - -2. You will first use the database update mode in an interactive manner. Type: - -``` -[root@localhost report]# tripwire --update -Z low -r -``` - -Replace with the report file name you noted earlier. - -The above command will also launch your default text editor (e.g. 
vi) which will present you with so called “update ballot boxes”. You may need to scroll through the file. - -The entries marked with an “[x]” implies that the database should be updated with that particular object. - -Remove the "x" from the ballot box “[ ]” to prevent updating the database with the new values for that object. - -Use your text editor’s usual key-strokes to save and exit the editor. - -3. Next try using the database update mode in a non-interactive manner. i.e. you will accept all - -the entries in the report file will be accepted without prompting. Type: - -``` -[root@localhost report]# tripwire --update -Z low -a -r -``` - -### Tripwire configuration file - -You will begin these exercises by first fine-tuning your configuration file. In an earlier exercise you were advised to remove or delete all clear text versions of tripwire’s file from your system. You will create a slightly more secure installation of tripwire by editing some of the variables in the tripwire config. file. e.g. you will specify that tripwire should always look for the binaries versions of the policy and config file on a removable media such as a floppy disk or a cdrom. - -1. Change your pwd to the /etc/tripwire directory. - -2. Generate a clear text version of the configuration file. Type: - -``` -[root@localhost tripwire]# twadmin --print-cfgfile > twcfg.txt -``` - -3. Open up the config file you created above in your text editor. 
Type: - -``` -[root@localhost tripwire]# vi twcfg.txt -``` - -Edit the file to look like the sample file below: - -( NOTE: The newly added and changed variables have been highlighted for you ) - -``` - -1 ROOT =/usr/sbin - -2 POLFILE =/mnt/floppy/tw.pol - -3 DBFILE =/var/lib/tripwire/$(HOSTNAME).twd - -4 REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr - -5 SITEKEYFILE =/mnt/floppy/site.key - -6 LOCALKEYFILE =/mnt/floppy/$(HOSTNAME)-local.key - -7 EDITOR =/bin/vi - -8 LATEPROMPTING =false - -9 LOOSEDIRECTORYCHECKING =true - -10 GLOBALEMAIL =root@localhost - -11 MAILNOVIOLATIONS =true - -12 EMAILREPORTLEVEL =3 - -13 REPORTLEVEL =3 - -14 MAILMETHOD =SENDMAIL - -15 SYSLOGREPORTING =true - -16 MAILPROGRAM =/usr/sbin/sendmail -oi -t -``` - - -4. Consult the man page for “twconfig” to find out what the following variables are meant for ? - -`````` -LOOSEDIRECTORYCHECKING - -GLOBALEMAIL - -SYSLOGREPORTING -``` - -5. Mount the removal media to the /mnt/usbdrive directory. Type: - -[root@localhost tripwire]# mount /dev/usbdrive /mnt/usbdrive - -!!! NOTE -If you choose to store your files on a different location (e.g. a cdrom media) make the necessary adjustments to the commands. - -6. Relocate the site key, local key and binary files to the location you specified in the new config. file. - -Type: - -``` -[root@localhost tripwire]# mv site.key tw.pol localhost.localdomain-local.key /mnt/usbdrive -``` - -6. Create a binary version of the clear text config file. Type: - -``` -[root@localhost tripwire]# *twadmin --create-cfgfile -S /mnt/floppy/site.key twcfg.txt* -``` - -The “/etc/tripwire/tw.cfg” file will be created for you. - -7. Test your new set up. Un-mount the floppy drive and eject the floppy disk. - -8. Try running one the tripwire commands that needs the files stored on the floppy drive. Type: - -``` -[root@localhost tripwire]# twadmin --print-polfile - -### Error: File could not be opened. 
- -### Filename: /mnt/usbdrive/tw.pol - -### No such file or directory - -### - -### Unable to print policy file. - -### Exiting... -``` - -You should get an error similar to the one above. - -9. Mount the media that your tripwire files are stored. And try the above command again. - - - Did the command run successfully this time? - - -10. Search for and delete all the plain text versions of tripwire’s config files you have created thus far from your system. - -Having to mount and unmount a removable media each time you want to administer an aspect of tripwire may end up being such a drag, but the payoff may be in the extra security. You definitely want to consider storing a pristine version of tripwire’s database on a read-only media such as a CDROM. - - - -ADDITIONAL EXERCISES - -1. Configure your tripwire installation run an integrity check every day at 2 A.M and send out a report of the integrity check via e-mail to the super user on the system. - -!!! HINT: -You may need to do this using a cron job.
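Review bot: the removable-media paths in the "Tripwire configuration file" section contradict each other, so the exercise cannot be followed as written: the sample twcfg.txt sets `POLFILE =/mnt/floppy/tw.pol`, `SITEKEYFILE =/mnt/floppy/site.key` and `LOCALKEYFILE =/mnt/floppy/$(HOSTNAME)-local.key`, but step 5 mounts `/mnt/usbdrive`, step 6 moves the keys and tw.pol to `/mnt/usbdrive`, the create-cfgfile step again points at `/mnt/floppy/site.key`, step 7 says to un-mount the floppy, and the expected error shows `### Filename: /mnt/usbdrive/tw.pol`. Pick one mount point (the error output suggests /mnt/usbdrive) and use it in the config sample, the mount command, the mv command and the -S argument alike; /dev/usbdrive is also not a device node a reader will have, so either name it as a placeholder to substitute or mount by label. Several commands inside code fences carry leaked markdown emphasis that breaks copy-paste: `*less tripwire_diffs.txt*`, `tripwire --update-policy /root/twpol.txt*` and `*twadmin --create-cfgfile -S /mnt/floppy/site.key twcfg.txt*`. The report-file placeholder has been lost in `twprint --print-report -r`, `twprint -m r -r | less`, `tripwire --update -Z low -r` and `tripwire --update -Z low -a -r`, leaving "Replace above with the value you noted earlier" pointing at nothing; an explicit token such as REPORT_FILE would survive rendering where angle brackets do not. Two fences are malformed (the six-backtick run after "Please enter your site passphrase:" and the one opening the LOOSEDIRECTORYCHECKING/GLOBALEMAIL/SYSLOGREPORTING list), and the configuration-file section has two steps numbered 6. Smaller consistency points: the key-generation text refers to "twinstall.sh" while the command shown is tripwire-setup-keyfiles; the mail check says "say sendmail" but runs `systemctl -n 0 status postfix`; and the `-Z low` used in both update examples is never explained, so a sentence on what --secure-mode low relaxes (or a pointer to the tripwire man page) would help the reader judge whether to use it outside the lab.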