llm4-lab3-exercise-4

Fine tuning tripwire

After installing tripwire, taking a snapshot of the system and then running the first integrity check, you will more likely than not need to fine tune tripwire to suit the needs of your particular site. This is mostly because the default configuration and policy file that come bundled with tripwire may not exactly fit your needs or reflect the actual objects on your file system. You need to ascertain whether the file system violations reported in the report file during the integrity check are actual violations or legitimate/authorized changes to your file system objects. Again, tripwire offers several ways of doing this.

Updating the policy file (--update-policy)

Using this method you change or fine tune what tripwire considers violations to your file system objects by changing the rules in the policy file. The database can then be updated without a complete re-initialization. This saves time and preserves security by keeping the policy file synchronized with the database it uses.

You will use the report file you created earlier (/root/tripwire_report.txt) to fine tune your policy file, first by preventing tripwire from reporting the absence of files that were never on the file system in the first place. This greatly reduces the length of the report file that you have to manage.

Exercise 4

To fine tune tripwire

1. Use the grep command to filter out all lines in the report file that refer to missing files (lines containing the word "Filename"). Redirect the output to another file, tripwire_diffs.txt.

   Type: root@localhost root# grep Filename /root/tripwire_report.txt > tripwire_diffs.txt

2. View the contents of the file you created above.

   Type: root@localhost root# less tripwire_diffs.txt

   207: Filename: /proc/scsi
   210: Filename: /root/.esd_auth
   213: Filename: /root/.gnome_private
   216: Filename: /sbin/fsck.minix
   219: Filename: /sbin/mkfs.bfs
   ..................................

3. Now you need to edit the tripwire policy file and comment out or delete the entries that should not be in there, i.e. files that are not on your system and files that probably never will be on your system. For example, one of the files that the policy file is trying to monitor is /proc/scsi. If you don't have any SCSI device on your system then it makes absolutely NO SENSE to monitor this file. Another, more debatable, example of what to monitor or not to monitor are the various lock files under the /var/lock/subsys/ directory. Choosing to monitor these files should be a personal call.

   Re-create a text version of the policy file, just in case you removed it (as advised) from the local system.

   Type: root@localhost root# twadmin --print-polfile > twpol.txt

4. Edit the text file you created above using any text editor. Comment out references to the objects that you don't want to monitor; you can use the tripwire_diffs.txt file you created earlier as a guideline.

   Type: root@localhost root# vi twpol.txt

   Save your changes to the file and close it.

5. Run tripwire in policy file update mode.

   Type: root@localhost root# tripwire --update-policy /root/twpol.txt

   Enter your local and site passphrases when prompted. A new signed and encrypted policy file will be created for you under the /etc/tripwire/ directory.

6. Delete or remove the text version of the policy file from your local system.

7. Running the command in step 5 above will also have created a report file for you under the
   Write down the name of your latest report file here: <LATEST_REPORT>

8. Run an integrity check of the system again until you are satisfied that you have a good baseline of the system with which to make future decisions. What is the command to do this?

Updating the database (--update)

Running tripwire in the database update mode after an integrity check provides a quick and dirty way to fine tune tripwire. This is because Database Update mode allows any differences between the database and the current system to be reconciled. This prevents the violations from showing up in future reports. This update process saves time by enabling you to update the database without having to re-initialize it.

To update the database

1. Change your pwd to the location where tripwire stores the report files on your system.

   Type: root@localhost root# cd /var/lib/tripwire/report/

2. You will first use the database update mode in an interactive manner.

   Type: root@localhost report# tripwire --update -Z low -r <LATEST_REPORT>

   Replace <LATEST_REPORT> with the report file name you noted earlier. The above command will also launch your default text editor (e.g. vi), which will present you with so-called "update ballot boxes". You may need to scroll through the file. An entry marked with an "x" means that the database should be updated with that particular object. Remove the "x" from the ballot box to prevent updating the database with the new values for that object. Use your text editor's usual key-strokes to save and exit the editor.

3. Next try using the database update mode in a non-interactive manner, i.e. all the entries in the report file will be accepted without prompting.

   Type: root@localhost report# tripwire --update -Z low -a -r <LATEST_REPORT>

Tripwire configuration file

You will begin these exercises by first fine-tuning your configuration file. In an earlier exercise you were advised to remove or delete all clear text versions of tripwire's files from your system. You will create a slightly more secure installation of tripwire by editing some of the variables in the tripwire config file, e.g. you will specify that tripwire should always look for the binary versions of the policy and config file on removable media such as a floppy disk or a CD-ROM.

1. Change your pwd to the /etc/tripwire directory.

2. Generate a clear text version of the configuration file.

   Type: root@localhost tripwire# twadmin --print-cfgfile > twcfg.txt

3. Open up the config file you created above in your text editor.

   Type: root@localhost tripwire# vi twcfg.txt

   Edit the file to look like the sample file below. (NOTE: The newly added and changed variables have been highlighted for you.)

   ROOT                   =/usr/sbin
   POLFILE                =/mnt/floppy/tw.pol
   DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
   REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
   SITEKEYFILE            =/mnt/floppy/site.key
   LOCALKEYFILE           =/mnt/floppy/$(HOSTNAME)-local.key
   EDITOR                 =/bin/vi
   LATEPROMPTING          =false
   LOOSEDIRECTORYCHECKING =true
   GLOBALEMAIL            =root@localhost
   MAILNOVIOLATIONS       =true
   EMAILREPORTLEVEL       =3
   REPORTLEVEL            =3
   MAILMETHOD             =SENDMAIL
   SYSLOGREPORTING        =true
   MAILPROGRAM            =/usr/sbin/sendmail -oi -t

4. Consult the man page for "twconfig" to find out what the following variables are meant for:

   LOOSEDIRECTORYCHECKING
   GLOBALEMAIL
   SYSLOGREPORTING

5. Mount the floppy drive to the /mnt/floppy directory.

   Type: root@localhost tripwire# mount /dev/fd0 /mnt/floppy

   NOTE: If you choose to store your files in a different location (e.g. on CD-ROM media), make the necessary adjustments to the commands.

6. Relocate the site key, local key and binary policy file to the location you specified in the new config file.

   Type: root@localhost tripwire# mv site.key tw.pol localhost.localdomain-local.key /mnt/floppy

7. Create a binary version of the clear text config file.

   Type: root@localhost tripwire# twadmin --create-cfgfile -S /mnt/floppy/site.key twcfg.txt

   The /etc/tripwire/tw.cfg file will be created for you.

8. Test your new set up. Un-mount the floppy drive and eject the floppy disk.

9. Try running one of the tripwire commands that needs the files stored on the floppy drive.

   Type: root@localhost tripwire# twadmin --print-polfile

   You should get an error similar to the one above.

10. Mount the media on which your tripwire files are stored and try the above command again. Did the command run successfully this time?

11. Search for and delete all the plain text versions of tripwire's config files you have created thus far from your system.

Having to mount and unmount removable media each time you want to administer an aspect of tripwire may end up being a drag, but the payoff is the extra security. You definitely want to consider storing a pristine version of tripwire's database on read-only media such as a CD-ROM.

ADDITIONAL EXERCISES

1. Configure your tripwire installation to run an integrity check every day at 2 A.M. and send out a report of the integrity check via e-mail to the super user on the system. HINT: You may need to do this using a cron job.
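The script below is an added example, not part of the original lab, that automates Exercise 4 steps 1 to 4: it pulls the object paths out of the report's "Filename:" lines and comments out the matching rules in a clear-text twpol.txt, so that only whole-object rules are touched and no rule is dropped by accident while hand-editing. The report and policy excerpts are constructed for illustration; the working directory and the helper names missing_objects and comment_out_rules are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the lab): derive commented-out policy rules from
# the "Filename:" lines of a tripwire report. All input here is constructed.

LAB=$(mktemp -d)   # scratch directory for the constructed files

# Step 1 equivalent: the object path after each "Filename:", trimmed and
# deduplicated, one per line (works on plain or line-numbered grep output).
missing_objects() {
    sed -n 's/^.*Filename:[[:space:]]*//p' "$1" | sed 's/[[:space:]]*$//' | sort -u
}

# Steps 3-4 equivalent: prefix "#" to every policy rule whose object (the
# first field, before "->") is in the missing-object list. Rules that are
# already commented are left alone. FILENAME == ARGV[1] rather than the
# usual NR == FNR, so an empty object list leaves the policy untouched.
comment_out_rules() {   # $1 = missing-object list, $2 = clear-text policy
    awk 'FILENAME == ARGV[1] { miss[$0] = 1; next }
         /^[[:space:]]*#/     { print; next }
         ($1 in miss)          { print "#" $0; next }
                               { print }' "$1" "$2"
}

# Constructed report excerpt in the layout tripwire uses for missing objects.
cat > "$LAB/tripwire_report.txt" <<'EOF'
Rule Name: Critical devices (/proc/scsi)
Severity Level: 100
Filename:      /proc/scsi
Filename:      /sbin/fsck.minix
Filename:      /sbin/mkfs.bfs
EOF

# Constructed policy excerpt in twpol.txt syntax: "object -> property mask ;".
# /sbin/fsck shares a prefix with /sbin/fsck.minix but is present, so it must stay.
cat > "$LAB/twpol.txt" <<'EOF'
/proc/scsi           -> $(Device) ;
/sbin/fsck.minix     -> $(SEC_CRIT) ;
/sbin/mkfs.bfs       -> $(SEC_CRIT) ;
/sbin/fsck           -> $(SEC_CRIT) ;
# /var/lock/subsys   -> $(SEC_CONFIG) ;
EOF

missing_objects "$LAB/tripwire_report.txt" > "$LAB/tripwire_diffs.txt"
comment_out_rules "$LAB/tripwire_diffs.txt" "$LAB/twpol.txt" > "$LAB/twpol.new"
cat "$LAB/twpol.new"
```

Review twpol.new before feeding it to tripwire --update-policy: the script only comments out rules whose object path is reported missing, so rules for directories that cover those objects are left for you to decide on.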