
Tripwire - IDS - files modified in an attack


oceano
10/11/2011, 21:13
Very good, it is really worth taking a look and checking how it works. It took me a while to get it running, but it really works well and is worth it. I encourage you to try it.

There is a configuration file to tell it which directories you want it to analyse, apart from the default ones, which are practically everything, but I have misplaced it :confused: as soon as I find it I will update the first post; honestly, I was surprised by how it works.

A.- Start tripwire

tripwire --check --interactive

B.- Tripwire policy file

1.- create new policies --> vi /usr/local/etc/twpol.txt ( save a copy before modifying it )
2.- save the policies that tripwire will analyse next time --> twadmin -m P /etc/tripwire/twpol.txt
3.- we regenerate the database and send to the temporary file "mensajes" every file path we entered wrongly, so that it can be pointed at the right place; that is, everything we find in vi /tmp/mensajes/ we must link correctly --> tripwire -m i 2> /tmp/mensajes

* to view the file = vi /tmp/mensajes/
* quit without saving = esc + :q! + enter
* save changes = esc + :wq + enter
* edit the file once inside = i
* search for a string forward in the file = esc + ? and type the text + enter
* search for a string backward in the file = esc + / and type the text + enter



----------------------------------------
Modified Objects: 1
----------------------------------------

Modified object name: /aquota.user

  Property:            Expected                    Observed
  -------------        -----------                 -----------
  Object Type          Regular File                Regular File
  Device Number        2305                        2305
  Inode Number         17                          17
  Mode                 -rw-------                  -rw-------
  Num Links            1                           1
  UID                  root (0)                    root (0)
  GID                  root (0)                    root (0)
  Size                 10240                       10240
* Modify Time          Thu 10 Nov 2011 09:12:02 PM CET
  Blocks               24                          24
* CRC32                DXo5At                      C1dgWQ
* MD5                  A/YulmH+X6nja/XOPUr812      C8UAtGmrnehkjOjOtXVXAQ
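Step 3 above leaves the clean-up of the policy to hand-editing in vi: every path tripwire complains about in /tmp/mensajes has to be found in twpol.txt and fixed or commented out. The script below, an added example and not part of the original post, does that pass automatically. It assumes the stderr format Open Source Tripwire 2.4 uses for a missing object (a "### Filename: <path>" line among other "###" lines) and that a policy rule starts with the absolute path followed by "->"; the sample policy and log are constructed, and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. It reads the stderr that
# "tripwire -m i 2> /tmp/mensajes" produced and comments out, in the clear-text
# policy, every rule whose object does not exist on this host, so the next
# "twadmin -m P" and "tripwire -m i" run clean.
# Assumptions: Open Source Tripwire 2.4 reports a missing object on stderr as
# a "### Filename: <path>" line (other "###" lines are ignored), and a policy
# rule line is "<absolute path> -> <mask> ;" with optional leading whitespace.
set -eu

# fix_policy <twpol.txt> <stderr-log>
# Print the policy with the rules for missing objects commented out. Every
# other line is passed through unchanged, so a diff against the original
# shows exactly which rules were disabled.
fix_policy() {
    awk '
        # First file: the tripwire stderr log. Remember each missing path.
        FILENAME == ARGV[1] {
            if (sub(/^### Filename:[ \t]*/, "")) gone[$1] = 1
            next
        }
        # Second file: the policy. Comment out a rule whose path is missing;
        # exclusion lines ("!/path ;") and already-commented lines do not match.
        /^[ \t]*\/[^ \t]+[ \t]+->/ && ($1 in gone) { print "#" $0; next }
        { print }
    ' "$2" "$1"
}

# count_missing <stderr-log>: number of distinct objects tripwire could not find.
count_missing() {
    sed -n 's/^### Filename: *//p' "$1" | sort -u | wc -l | tr -d ' '
}

# write_samples <dir>: constructed inputs (not real output from the post's
# server): a tiny policy and the stderr tripwire prints for two missing objects.
write_samples() {
    cat > "$1/twpol.txt" <<'EOF'
# constructed sample policy
HOSTNAME=srv;
(
  rulename = "OS Binaries",
  severity = 100
)
{
  /bin/ls             -> $(SEC_BIN) ;
  /usr/sbin/fixrmtab  -> $(SEC_BIN) ;
  /proc/ksyms         -> $(SEC_CRIT) (recurse = 0) ;
  !/proc/kmsg ;
}
EOF
    cat > "$1/mensajes" <<'EOF'
### Warning: File system error.
### Filename: /usr/sbin/fixrmtab
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /proc/ksyms
### No such file or directory
### Continuing...
EOF
}

# Demo on the constructed files. On a real host:
#   fix_policy /etc/tripwire/twpol.txt /tmp/mensajes > /etc/tripwire/twpol.txt.new
work=$(mktemp -d)
write_samples "$work"
echo "objects tripwire could not find: $(count_missing "$work/mensajes")"
fix_policy "$work/twpol.txt" "$work/mensajes"
rm -rf "$work"
```

Review the diff before signing the result with twadmin -m P: a path that tripwire cannot find because a package is not installed yet is harmless to comment out, but a path that is missing because someone deleted a binary is exactly the finding the IDS exists for.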

oceano
10/11/2011, 12:36
Well, a while ago I asked "Monitorización servidor , herramienta ¿ ?" in this forum, in case anyone knew of a tool with which to verify which files had been modified, if for some reason we had been the target of an attack.

Under WHM, Power pointed me to a log viewing tool http://foros.ovh.es/showthread.php?t=8898 which is good, but I think this tool and new contribution can help as well.


Platform: CentOS

Tripwire 2.4.1 is a file integrity assessment product for Linux networks. Rather than preventing an intruder or virus from attacking system files, Tripwire detects intrusions when they do occur. By comparing system files and directories against a previously stored "baseline" database, Tripwire finds any additions, deletions, or changes to specified properties. This allows the system administrator to determine the extent of the problem and begin necessary damage control.


By Kioto on January 29th, 2011

+ Install gcc gcc-cpp gcc-c++
[root@srv ~]# yum -y install gcc gcc-cpp gcc-c++

+ Download Tripwire V.- 2.4.2.2 ( 26/07/2013)
[root@srv ~]# wget http://sourceforge.net/projects/trip...atest/download

+ Decompression part I
[root@srv ~]# bzip2 -d tripwire-2.4.2.2-src.tar.bz2

* now we have turned it into .tar format, unpack it again.

+ Decompression part II
[root@srv ~]# tar -xvf tripwire-2.4.2.2-src.tar

+ Install Tripwire again
[root@srv ~]# cd tripwire-2.4.2.2-src

[root@srv tripwire-2.4.2-src]# ./configure --prefix=/usr/local/tripwire --sysconfdir=/etc/tripwire && make && make install

checking build system type... i686-pc-linux-gnu
.
.
.
LICENSE AGREEMENT for Tripwire(R) 2.4 Open Source

Please read the following license agreement. You must accept the
agreement to continue installing Tripwire.

Press ENTER to view the License Agreement.

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
.
.
.
Public License instead of this License.

Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept
Using configuration file ./install/install.cfg

Checking for programs specified in install configuration file....

/usr/sbin/sendmail -oi -t exists. Continuing installation.

/bin/vi exists. Continuing installation.

----------------------------------------------
Verifying existence of binaries...

./bin/siggen found
./bin/tripwire found
./bin/twprint found
./bin/twadmin found

This program will copy Tripwire files to the following directories:

TWBIN: /usr/local/tripwire/sbin
TWMAN: /usr/local/tripwire/man
TWPOLICY: /etc/tripwire
TWREPORT: /usr/local/tripwire/lib/tripwire/report
TWDB: /usr/local/tripwire/lib/tripwire
TWSITEKEYDIR: /etc/tripwire
TWLOCALKEYDIR: /etc/tripwire

CLOBBER is false.

--> Continue with installation? [y/n] y

----------------------------------------------
Creating directories...

/usr/local/tripwire/sbin: already exists
/etc/tripwire: created
/usr/local/tripwire/lib/tripwire/report: created
/usr/local/tripwire/lib/tripwire: already exists
/etc/tripwire: already exists
/etc/tripwire: already exists
/usr/local/tripwire/man: created
/usr/local/tripwire/doc/tripwire: created

----------------------------------------------
Copying files...

/usr/local/tripwire/doc/tripwire/COPYING: copied
/usr/local/tripwire/doc/tripwire/TRADEMARK: copied
/usr/local/tripwire/doc/tripwire/policyguide.txt: copied
/etc/tripwire/twpol-Linux.txt: copied

----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases should be at least 8 characters in length
and contain both letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase: Enter site passphrase
Verify the site keyfile passphrase: Enter site passphrase
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase: Enter local passphrase
Verify the local keyfile passphrase: Enter local passphrase
Generating key (this may take several minutes)...Key generation complete.

----------------------------------------------
Generating Tripwire configuration file...

----------------------------------------------
Creating signed configuration file...
Please enter your site passphrase: Enter site passphrase
Wrote configuration file: /etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file
/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended
that you delete this file manually after you have examined it.

----------------------------------------------
Customizing default policy file...

----------------------------------------------
Creating signed policy file...
Please enter your site passphrase: Enter site passphrase
Wrote policy file: /etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file
/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements
a minimal policy, intended only to test essential
Tripwire functionality. You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.

----------------------------------------------
The installation succeeded.

Please refer to
for release information and to the printed user documentation
for further instructions on using Tripwire 2.4 Open Source.

make[3]: Leaving directory `/root/tripwire-2.4.2-src'
make[2]: Leaving directory `/root/tripwire-2.4.2-src'
make[1]: Leaving directory `/root/tripwire-2.4.2-src'
[root@srv tripwire-2.4.2-src]# cd
[root@srv ~]#

+ Remapping Tripwire compiler’s directory
[root@srv ~]# echo 'export PATH=$PATH:/usr/local/tripwire/sbin' >> ~/.bashrc ; source ~/.bashrc

+ Delete installation file and download file

[root@srv ~]# rm -rf tripwire-2.4.2-src
[root@srv ~]# rm -rf tripwire-2.4.2-src.tar.bz2

+ Configure Tripwire
[root@srv ~]# vi /etc/tripwire/twcfg.txt
ROOT =/usr/local/tripwire/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/usr/local/tripwire/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/usr/local/tripwire/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/srv-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS = true
EMAILREPORTLEVEL =3
--> * REPORTLEVEL =3 ( we set it to 4 )
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
[root@srv ~]#

+ Create encrypt for Tripwire config file (Encrypt file)
[root@srv ~]# twadmin -m F -c /etc/tripwire/tw.cfg -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt
Please enter your site passphrase: Enter site passphrase
Wrote configuration file: /etc/tripwire/tw.cfg
[root@srv ~]#

+ Delete Tripwire config file (Text file)
[root@srv ~]# rm -f /etc/tripwire/twcfg.txt

+ Create policy file
[root@srv ~]# vi /etc/tripwire/twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
# perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;
my($ret) ;

# Read the clear-text policy line by line and print the adjusted copy to stdout.
while (<POL>) {
    chomp;
    # Rewrite the HOSTNAME variable to this machine's hostname.
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    # Inside a rule block: "<path> -> <mask> ;" lines, possibly commented out.
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        # Comment out rules for objects that do not exist (or are empty) on
        # this host; re-enable the ones that do.
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;

[root@srv ~]#

+ Defragment policy file
[root@srv ~]# perl /etc/tripwire/twpolmake.pl /etc/tripwire/twpol.txt > /etc/tripwire/twpol.txt.new

+ Encrypt the defragmented policy file (Encrypt file)
[root@srv ~]# twadmin -m P -c /etc/tripwire/tw.cfg -p /etc/tripwire/tw.pol -S /etc/tripwire/site.key /etc/tripwire/twpol.txt.new
Please enter your site passphrase: Enter site passphrase
Wrote policy file: /etc/tripwire/tw.pol
[root@srv ~]#

+ Delete policy file (Text file)
[root@srv ~]# rm -f /etc/tripwire/twpol.txt*

+ Create database for Tripwire
[root@srv ~]# tripwire -m i -s -c /etc/tripwire/tw.cfg
Please enter your local passphrase: Enter local passphrase

[root@srv ~]#

+ Test compile for Tripwire
[root@srv ~]# tripwire -m c -s -c /etc/tripwire/tw.cfg
Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by: root
Report created on: Sun 30 Jan 2011 06:30:47 AM JST
Database last updated on: Never

===============================================================================
Report Summary:
===============================================================================

Host name: srv
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /usr/local/tripwire/lib/tripwire/srv.twd
Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Tripwire Data Files             0                 1        0        0
* Monitor Filesystems             0                 0        0        5
  User Binaries and Libraries     0                 0        0        0
  Tripwire Binaries               0                 0        0        0
  OS Binaries and Libraries       0                 0        0        0
  Temporary Directories           0                 0        0        0
  Global Configuration Files      0                 0        0        0
  System Boot Changes             0                 0        0        0
  RPM Checksum Files              0                 0        0        0
  OS Boot Files and Mount Points  0                 0        0        0
  OS Devices and Misc Directories 0                 0        0        0
* Root Directory and Files        0                 0        0        1

Total objects scanned: 91412
Total violations found: 7

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Monitor Filesystems (/usr)
Severity Level: 0
-------------------------------------------------------------------------------

Modified:
"/usr/java/tomcat/temp/hsperfdata_root/39975"

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/usr/local/tripwire/lib/tripwire)
Severity Level: 0
-------------------------------------------------------------------------------

Added:
"/usr/local/tripwire/lib/tripwire/srv.twd"

-------------------------------------------------------------------------------
Rule Name: Monitor Filesystems (/var)
Severity Level: 0
-------------------------------------------------------------------------------

Modified:
"/var/lib/mysql/wordpress_db/wp_posts.MYD"
"/var/lib/mysql/wordpress_db/wp_posts.MYI"
"/var/spool/postfix/public/pickup"
"/var/spool/postfix/public/qmgr"

-------------------------------------------------------------------------------
Rule Name: Root Directory and Files (/root)
Severity Level: 0
-------------------------------------------------------------------------------

Modified:
"/root"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
[root@srv ~]#
[root@srv ~]# echo test > test.txt
[root@srv ~]#
[root@srv ~]# tripwire -m c -s -c /etc/tripwire/tw.cfg
Open Source Tripwire(R) 2.4.1 Integrity Check Report

Report generated by: root
Report created on: Sun 30 Jan 2011 06:36:50 AM JST
Database last updated on: Never

===============================================================================
Report Summary:
===============================================================================

Host name: srv
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /usr/local/tripwire/lib/tripwire/srv.twd
Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
* Tripwire Data Files             0                 1        0        0
* Monitor Filesystems             0                 0        0        5
  User Binaries and Libraries     0                 0        0        0
  Tripwire Binaries               0                 0        0        0
  OS Binaries and Libraries       0                 0        0        0
  Temporary Directories           0                 0        0        0
  Global Configuration Files      0                 0        0        0
  System Boot Changes             0                 0        0        0
  RPM Checksum Files              0                 0        0        0
  OS Boot Files and Mount Points  0                 0        0        0
  OS Devices and Misc Directories 0                 0        0        0
* Root Directory and Files        0                 1        0        1

Total objects scanned: 91413
Total violations found: 8

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Monitor Filesystems (/usr)
Severity Level: 0
-------------------------------------------------------------------------------

Modified:
"/usr/java/tomcat/temp/hsperfdata_root/39975"

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/usr/local/tripwire/lib/tripwire)
Severity Level: 0
-------------------------------------------------------------------------------

Added:
"/usr/local/tripwire/lib/tripwire/srv.twd"

-------------------------------------------------------------------------------
Rule Name: Monitor Filesystems (/var)
Severity Level: 0
-------------------------------------------------------------------------------

Modified:
"/var/lib/mysql/wordpress_db/wp_posts.MYD"
"/var/lib/mysql/wordpress_db/wp_posts.MYI"
"/var/spool/postfix/public/pickup"
"/var/spool/postfix/public/qmgr"

-------------------------------------------------------------------------------
Rule Name: Root Directory and Files (/root)
Severity Level: 0
-------------------------------------------------------------------------------

Added:
"/root/test.txt"

Modified:
"/root"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***
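The two reports above show the problem with running this from cron as-is: the one real change (the /root/test.txt the post created on purpose) is buried among seven expected ones (Tripwire's own .twd database, tomcat's hsperfdata, MySQL tables, postfix sockets). The script below, an added example and not part of the original post or of Tripwire, flattens the Object Summary of a saved report into one line per object so the known noise can be filtered and anything left over raises an alert. The report text is constructed to mirror the format printed above; the allowlist patterns and file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from Tripwire. It reads the
# plain-text report "tripwire -m c" prints (same layout as the reports above)
# and flattens the Object Summary into "ACTION<tab>RULE<tab>PATH" lines, so a
# cron job can drop known noise and alert only on what is left.
# The report and allowlist below are constructed; file names are placeholders.
set -eu

# report_violations <report>: the "Total violations found" counter.
report_violations() {
    sed -n 's/^Total violations found: *//p' "$1"
}

# report_objects <report>: one "ACTION<tab>RULE<tab>PATH" line per object
# listed under Added:/Removed:/Modified: in the Object Summary.
report_objects() {
    awk '
        /^Rule Name: / { rule = substr($0, 12); next }
        /^(Added|Removed|Modified):$/ { action = substr($0, 1, length($0) - 1); next }
        /^"\// && rule != "" { path = $0; gsub(/"/, "", path)
                               printf "%s\t%s\t%s\n", action, rule, path; next }
        /^\*\*\* End of report/ { exit }
    ' "$1"
}

# report_unexpected <report> <allowlist>: objects matched by no ERE in the
# allowlist file (one pattern per line, no blank lines: an empty pattern
# matches everything). Allowlisting is a paging filter only; the durable fix
# for a noisy path is to drop it from the policy or give it a looser mask.
report_unexpected() {
    report_objects "$1" | grep -E -v -f "$2" || true
}

# check_report <report> <allowlist>: succeed only if nothing unexpected changed.
check_report() {
    [ "$(report_unexpected "$1" "$2" | wc -l | tr -d ' ')" -eq 0 ]
}

# write_samples <dir>: constructed report and allowlist (not real output).
write_samples() {
    cat > "$1/report.txt" <<'EOF'
Open Source Tripwire(R) 2.4.1 Integrity Check Report

Total objects scanned: 91413
Total violations found: 8

Object Summary:

Rule Name: Monitor Filesystems (/usr)
Modified:
"/usr/java/tomcat/temp/hsperfdata_root/39975"

Rule Name: Tripwire Data Files (/usr/local/tripwire/lib/tripwire)
Added:
"/usr/local/tripwire/lib/tripwire/srv.twd"

Rule Name: Monitor Filesystems (/var)
Modified:
"/var/lib/mysql/wordpress_db/wp_posts.MYD"
"/var/lib/mysql/wordpress_db/wp_posts.MYI"
"/var/spool/postfix/public/pickup"
"/var/spool/postfix/public/qmgr"

Rule Name: Root Directory and Files (/root)
Added:
"/root/test.txt"

Modified:
"/root"

*** End of report ***
EOF
    cat > "$1/allow.txt" <<'EOF'
/hsperfdata_[^/]+/[0-9]+$
/usr/local/tripwire/lib/tripwire/[^/]+\.twd$
^Modified.*/var/spool/postfix/public/
EOF
}

# Demo on the constructed files. On a real host feed it the saved report text
# (redirect "tripwire -m c" output, or print a .twr with "twprint -m r -r <file>").
work=$(mktemp -d)
write_samples "$work"
echo "violations reported: $(report_violations "$work/report.txt")"
echo "unexpected objects:"
report_unexpected "$work/report.txt" "$work/allow.txt"
if check_report "$work/report.txt" "$work/allow.txt"; then echo "OK"; else echo "ALERT"; fi
rm -rf "$work"
```

On the constructed report the filter leaves four lines: the two MySQL table files and the two /root entries, which is what an operator should be looking at. Keep the allowlist short and anchored (the patterns above match a file name, not a whole directory) or it becomes the blind spot an attacker writes into.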