Tripwire Installation for SuSE 15

by Ramses Soto-Navarro ramses@sotosystems.com, 7/26/2021


Overview
Installation
Generate Keys
Initialize
Check Files


Overview

Brief notes on how to install and run Tripwire on SUSE Linux Enterprise (SLE) 15. Tripwire records a checksum and the attributes of every monitored file in a signed database; later checks compare the live filesystem against that baseline and report what was added, removed or modified. Files under /bin, for example, should never change unless an upgrade was performed, so a daily Tripwire run over such sensitive paths is a useful host-based intrusion detection control. Two caveats: the check is only as trustworthy as the baseline (initialize on a system you believe to be clean) and as the binaries and database that perform it (keep a copy of both on read-only or offline media), because an intruder with root can alter all of them.

Installation

Install the package.

# zypper install tripwire

Edit the plaintext policy. The GLOBAL section defines path variables and property masks; each FS rule maps a path to a mask (ReadOnly for objects that must not change at all, Dynamic for objects whose content changes but whose owner, permissions and type should not). Set HOSTNAME to the machine's real hostname; it names the local key file.

# vi /etc/tripwire/twpol.txt

@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL=/etc/tripwire;
TWDB=/var/lib/tripwire;
TWSKEY=/etc/tripwire;
TWLKEY=/etc/tripwire;
TWREPORT=/var/lib/tripwire/report;
HOSTNAME=myhostname;
Device        = +pugsdr-intlbamcCMSH ;
Dynamic       = +pinugtd-srlbamcCMSH ;
Growing       = +pinugtdl-srbamcCMSH ;
IgnoreAll     = -pinugtsdrlbamcCMSH ;
IgnoreNone    = +pinugtsdrbamcCMSH-l ;
ReadOnly      = +pinugtsdbmCM-rlacSH ;
Temporary     = +pugt ;
@@section FS
(
  rulename = "Tripwire Binaries",
)
{
  $(TWBIN)/siggen                      -> $(ReadOnly) ;
  $(TWBIN)/tripwire                    -> $(ReadOnly) ;
  $(TWBIN)/twadmin                     -> $(ReadOnly) ;
  $(TWBIN)/twprint                     -> $(ReadOnly) ;
}
(
  rulename = "Tripwire Data Files",
)
{
  $(TWDB)                              -> $(Dynamic) -i ;
  $(TWPOL)/tw.pol                      -> $(ReadOnly) -i ;
  $(TWPOL)/tw.cfg                      -> $(ReadOnly) -i ;
  $(TWLKEY)/$(HOSTNAME)-local.key      -> $(ReadOnly) ;
  $(TWSKEY)/site.key                   -> $(ReadOnly) ;
  # don't scan the individual reports
  $(TWREPORT)                          -> $(Dynamic) (recurse=0) ;
}
(
  rulename = "Global Configuration Files",
)
{
  /etc                           -> $(IgnoreNone) -SHa ;
}
(
  rulename = "OS Boot Files and Mount Points",
)
{
  /boot                         -> $(ReadOnly) ;
}
(
  rulename = "OS Devices and Misc Directories",
)
{
  /opt                          -> $(Dynamic) ;
}
(
  rulename = "OS Binaries and Libraries",
)
{
  /bin                          -> $(ReadOnly) ;
  /lib                          -> $(ReadOnly) ;
  /lib64                         -> $(ReadOnly) ;
  /sbin                         -> $(ReadOnly) ;
  /usr/bin                      -> $(ReadOnly) ;
  /usr/lib                      -> $(ReadOnly) ;
  /usr/lib64                      -> $(ReadOnly) ;
  /usr/sbin                     -> $(ReadOnly) ;
}
(
  rulename = "User Binaries and Libraries",
)
{
  /usr/local                    -> $(ReadOnly) ;
  /usr/local/bin                -> $(ReadOnly) ;
  /usr/local/etc                -> $(ReadOnly) ;
  /usr/local/include            -> $(ReadOnly) ;
  /usr/local/lib                -> $(ReadOnly) ;
  /usr/local/sbin               -> $(ReadOnly) ;
  /usr/local/share              -> $(ReadOnly) ;
}
(
  rulename = "Root Directory and Files",
)
{
  /root                         -> $(IgnoreNone) -SHa ;
}
(
  rulename = "Monitor Filesystems",
)
{
  /home                         -> $(ReadOnly) ;  # Modify as needed
  /usr                          -> $(ReadOnly) ;  # the more specific /usr/* rules above win for their subtrees
  /var                          -> $(ReadOnly) ;  # noisy: logs, spool and caches change daily; expect to exclude them
}

Generate Keys

Generate the site key (which signs tw.cfg and tw.pol) and the local key (which signs the database and reports), then sign the plaintext config. The $HOSTNAME used in the local key file name must match the HOSTNAME set in twpol.txt.

# twadmin --generate-keys --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/$HOSTNAME-local.key
# twadmin --create-cfgfile --cfgfile /etc/tripwire/tw.cfg --site-keyfile /etc/tripwire/site.key /etc/tripwire/twcfg.txt

If tripwire reports that it cannot find /usr/local/etc/tw.cfg, the binary was built with that as its default config path; link the real file there rather than passing --cfgfile on every run. Then sign the policy.

# mkdir -p /usr/local/etc/
# ln -s /etc/tripwire/tw.cfg /usr/local/etc/tw.cfg
# twadmin --create-polfile --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key /etc/tripwire/twpol.txt

Choose strong passphrases: whoever holds the site key and its passphrase can rewrite the policy, and whoever holds the local key can rewrite the baseline. Once tw.cfg and tw.pol exist, remove the plaintext twcfg.txt and twpol.txt or make them readable only by root; they tell an intruder exactly what is and is not monitored.

Initialize

Build the baseline database. Do this on a system you believe to be clean, ideally straight after installation and before it is exposed to the network: whatever is on disk at this moment becomes the reference state. Warnings about files that do not exist point at policy entries to remove.

# tripwire --init

Check Files

Run a check. Besides the text on stdout, Tripwire writes a signed .twr report into the report directory from tw.cfg (the policy above uses /var/lib/tripwire/report); read one later with twprint --print-report -r <file>.

# tripwire --check > /tmp/tw1.txt

Review every violation. After an expected change such as a package upgrade, accept the new state with tripwire --update -r <report.twr> instead of re-running --init, so only changes you have reviewed enter the database. Put the check in cron so it runs daily.
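A daily wrapper for the check, as an added example for these notes (it is not Tripwire's own code): it runs the check, extracts the violation total and the rules that tripped from the report text, and mails the digest only when something changed. Paths follow the policy above; the recipient ALERT_TO, delivery via mail(1), and the abridged sample report are assumptions made for this example.

```shell
#!/bin/sh
# tw-daily-check.sh: run the Tripwire check from cron, digest the result and
# mail it only when something changed. Added example for these notes, not
# Tripwire's own code. Paths follow the policy above; ALERT_TO and the use of
# mail(1) for delivery are assumptions for your site.

ALERT_TO="root"   # assumption: recipient of violation digests

# Constructed, abridged sample of the text `tripwire --check` prints, so the
# parsing below can be exercised on a machine without a Tripwire database.
SAMPLE_REPORT=$(cat <<'EOF'
Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by:          root
Report created on:            Mon Jul 26 02:00:01 2021
Database last updated on:     Never

===============================================================================
Rule Summary:
===============================================================================

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Tripwire Binaries               0                 0        0        0
* Tripwire Data Files             0                 0        0        1
  Global Configuration Files      0                 0        0        0
* OS Binaries and Libraries       0                 1        0        2

Total objects scanned:  48213
Total violations found:  3
EOF
)

# count_violations: report on stdin; prints the total, or -1 when the summary
# line is absent (tripwire aborted before reporting, e.g. a key or cfg problem).
count_violations() {
    awk '/^Total violations found:/ { print $NF; found = 1 }
         END { if (!found) print "-1" }'
}

# violating_rules: one line per rule whose Added/Removed/Modified counts are
# not all zero. A row is recognised by its last four numeric columns
# (severity, added, removed, modified), so rule names may contain spaces;
# the leading "*" tripwire puts on violated rules is stripped first.
violating_rules() {
    awk '{ sub(/^[ \t]*\*[ \t]*/, "") }
         NF >= 5 && $NF ~ /^[0-9]+$/ && $(NF-1) ~ /^[0-9]+$/ &&
         $(NF-2) ~ /^[0-9]+$/ && $(NF-3) ~ /^[0-9]+$/ &&
         ($NF + $(NF-1) + $(NF-2)) > 0 {
             name = $1
             for (i = 2; i <= NF - 4; i++) name = name " " $i
             printf "%s added=%s removed=%s modified=%s\n", name, $(NF-2), $(NF-1), $NF
         }'
}

# summarize: report on stdin; prints a digest and returns
# 0 = clean, 1 = violations present, 2 = no usable summary.
summarize() {
    report=$(cat)
    n=$(printf '%s\n' "$report" | count_violations)
    if [ "$n" = "-1" ]; then
        echo "ERROR: tripwire produced no report summary; last lines were:"
        printf '%s\n' "$report" | tail -n 5
        return 2
    fi
    echo "Total violations: $n"
    printf '%s\n' "$report" | violating_rules
    [ "$n" -eq 0 ]
}

# run_check: cron entry point. Tripwire writes its own signed .twr report into
# TWREPORT; this only mails the digest. mktemp avoids a predictable /tmp name
# for a job that runs as root.
run_check() {
    tmp=$(mktemp) || return 2
    /usr/sbin/tripwire --check 2>&1 | summarize >"$tmp" 2>&1
    status=$?
    [ "$status" -ne 0 ] && mail -s "Tripwire on $(hostname): status $status" "$ALERT_TO" <"$tmp"
    rm -f "$tmp"
    return "$status"
}

case "${1:-demo}" in
    run) run_check ;;                                   # e.g. from /etc/cron.daily
    *)   printf '%s\n' "$SAMPLE_REPORT" | summarize    # demo on the constructed report
         echo "exit status: $?" ;;
esac
```

Install it as /etc/cron.daily/tw-check with the argument run (or a crontab line calling it with run). A status of 2 is worth an alert in its own right: a check that cannot produce a summary usually means a key, config or database problem, which is also what an intruder disabling Tripwire looks like.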

The End.

Custom Log Checker

by Ramses Soto-Navarro ramses@sotosystems.com, 4/27/2021


Overview
The Script
Crontab


Overview

Brief explanation of a Bash log-check script that alerts when a day's logs contain too many errors. At the end of the day it searches the log for a configured set of words, counts the occurrences of each, and if a maximum is exceeded sends an Email alert listing the count for each set of words. Output can go to Email or to the console.

[Read more…]

Nagios Install on Red Hat 8

by Ramses Soto-Navarro ramses@sotosystems.com, 4/15/2021


Overview
Required Packages
Install Fping
Create Accounts
Install Nagios Core
Install Nagios Plugins
Configure Nagios
Configure Apache
Configure Email
Firewall Rules
Configure Nodes
Add Nodes to Monitor
Logrotate
Configure SNMP Defaults
Test Commands
Node Stress Test
OID List
TODO


Overview

Brief notes on a Nagios install on Red Hat Linux 8.x, providing SNMP monitoring, Email alerts and a web interface. The audience is experienced Linux administrators.

Required Packages

# yum install man wget openssh-clients rsync traceroute nmap nc telnet ftp elinks bind-utils \
    httpd gcc gcc-c++ php glibc glibc-common perl gd gd-devel libjpeg-devel libpng-devel postfix \
    openssl-devel gnutls gnutls-devel perl-CPAN libdbi libdbi-devel libdbi-dbd-mysql samba-client \
    net-snmp-utils perl-DBD-MySQL openldap-clients openldap-devel \
    perl-LDAP php-ldap libgcrypt-devel gettext automake net-snmp perl-Net-SNMP

A few names from the original list are not Red Hat 8 packages and would make yum abort the whole transaction, so they are left out above: ntp (RHEL 8 ships chrony instead), mod_auth_mysql (not in the RHEL 8 repositories), and libopenssl-devel and gettext-runtime (SUSE names; the RHEL equivalents are openssl-devel, already listed, and gettext). Then the Perl modules the SNMP plugins need:

# cpan Crypt::DES Digest::HMAC Digest::SHA1 Net::SNMP Crypt::Rijndael

# yum groupinstall "MYSQL Database Client"

(Optional)
# yum install mysql mysql-server mysql-test mysql-devel mysql-libs mysql-connector-odbc php-mysqlnd

Install Fping

The tarball is fetched over plain HTTP; compare it against the checksum or signature published for the release before make install runs whatever the archive contains as root.

# cd /usr/src
# wget http://fping.org/dist/fping-5.0.tar.gz
# tar zxf fping-5.0.tar.gz 
# cd fping-5.0/
# ./configure --disable-ipv6 --enable-ipv4
# make
# make install
# fping mis26

[Read more…]

Borg Backup Notes

by Ramses Soto-Navarro, ramses@sotosystems.com


Overview
Install
Quick Start
Daily Script
List Archives
Extract Restore
Delete Archive
Prune
Mount Archive
Export Tarball
Install SSHFS
Remote Restore
Prune


Overview

Brief notes about Borg, a single-binary backup tool with many useful features: deduplication, strong compression, authenticated encryption, mountable archives, offsite backups over SSH, and a BSD license. Follow the logic; written for experienced Linux administrators.

Install

Download the latest release from: https://github.com/borgbackup/borg/releases. The release page also carries a detached GPG signature (the .asc file next to each binary); verify it with gpg --verify before the file goes into a root-owned PATH directory, since a single static binary that runs as root is exactly what a tampered download would target.

# cd /usr/local/bin
# wget https://github.com/borgbackup/borg/releases/download/1.1.16/borg-linux64
# chmod 0755 borg-linux64
# ln -s borg-linux64 borg
# borg -h
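Both the fping tarball above (fetched over plain HTTP) and this Borg binary are downloaded and then built or run as root with no integrity check. The following added example, written for these notes and not taken from either project, wraps the download so the file is kept only when its SHA-256 matches the value you copy from the project's release page; the expected hashes are placeholders you must fill in, and the demonstration runs on a constructed local file so it needs no network.

```shell
#!/bin/sh
# fetch_verified: download a release artifact and keep it only if its SHA-256
# matches the value published for that release. Added example for these notes
# (not fping's or Borg's own tooling). The URLs are the ones used above; the
# expected hashes are placeholders you fill in from the projects' release pages.

# sha256_of FILE: hex digest via sha256sum, or shasum where coreutils is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# verify_sha256 FILE EXPECTED: 0 when the digest matches (case-insensitive),
# 1 otherwise. An empty EXPECTED never matches, so a forgotten placeholder
# fails closed instead of silently accepting anything.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$expected" ] || return 1
    [ "$(sha256_of "$1")" = "$expected" ]
}

# fetch_verified URL EXPECTED DEST: download to DEST and verify; on any
# failure the file is removed so nothing unverified is left to be built or run.
fetch_verified() {
    url=$1; expected=$2; dest=$3
    if wget -q -O "$dest" "$url" && verify_sha256 "$dest" "$expected"; then
        return 0
    fi
    rm -f "$dest"
    echo "refusing $url: download or checksum failed" >&2
    return 1
}

# Local demonstration on a constructed file, so it runs without network access.
demo() {
    f=$(mktemp) || return 1
    printf 'hello\n' >"$f"
    good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03   # sha256 of "hello\n"
    verify_sha256 "$f" "$good" && echo "genuine file: accepted"
    verify_sha256 "$f" "${good%3}4" || echo "tampered hash: rejected"
    rm -f "$f"
}

case "${1:-demo}" in
    fetch)
        # Placeholders: export FPING_SHA256 / BORG_SHA256 from the release pages first.
        fetch_verified http://fping.org/dist/fping-5.0.tar.gz "${FPING_SHA256:-}" /usr/src/fping-5.0.tar.gz
        fetch_verified https://github.com/borgbackup/borg/releases/download/1.1.16/borg-linux64 "${BORG_SHA256:-}" /usr/local/bin/borg-linux64
        ;;
    *) demo ;;
esac
```

A checksum copied from the same page as the download only protects against a corrupted or substituted mirror, not a compromised project page; for Borg, where a detached GPG signature is published, run gpg --verify against a key you obtained separately in addition to this check.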

[Read more…]

MyDeny Script

by Ramses Soto-Navarro, ramses@sotosystems.com

Overview
The Script
Cronjob
Remove IP

Overview

mydeny.sh adds IP addresses that have too many failed SSH logins to /etc/hosts.deny; it is a simple alternative to the older Python DenyHosts. A nightly cron job looks for addresses that failed SSH authentication more than 20 times and appends each one to hosts.deny, logging it to /var/log/messages under the tag mydeny.sh. Follow the parsing logic to add more libwrap-aware services to hosts.deny. Note that hosts.deny only affects services linked against libwrap; Red Hat 8 dropped tcp_wrappers entirely, so check ldd $(command -v sshd) | grep libwrap before relying on it, and feed the same address list into the host firewall where libwrap is absent. This document is for experienced Linux administrators.
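The detection half of that logic, as an added example written from the description above (it is not the author's mydeny.sh): it counts failed password attempts per source address in sshd's log lines, applies the threshold and an allow-list, and emits hosts.deny entries with a syslog record for each. The log path, the allow-list and the sample log lines are assumptions made for this example.

```shell
#!/bin/sh
# mydeny-style checker: find source addresses with too many failed SSH logins
# and emit /etc/hosts.deny entries for them. Added example written from the
# description above; it is not the author's mydeny.sh. Assumptions: sshd's
# standard "Failed password for ... from <ip> port ..." lines, a Red Hat style
# auth log at /var/log/secure, and the threshold of 20 from the text.

LOG=${LOG:-/var/log/secure}          # assumption: where sshd failures are logged on this host
THRESHOLD=${THRESHOLD:-20}
HOSTS_DENY=${HOSTS_DENY:-/etc/hosts.deny}
ALLOW_RE='^(127[.]|10[.]|192[.]168[.])'   # assumption: never deny these sources

# Constructed sample log lines using RFC 5737 documentation addresses.
SAMPLE_LOG=$(cat <<'EOF'
Apr 27 01:12:03 host1 sshd[4012]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 27 01:12:05 host1 sshd[4012]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Apr 27 01:12:09 host1 sshd[4015]: Failed password for invalid user test from 203.0.113.5 port 51255 ssh2
Apr 27 01:13:44 host1 sshd[4031]: Failed password for ramses from 198.51.100.7 port 40012 ssh2
Apr 27 01:14:02 host1 sshd[4040]: Accepted publickey for ramses from 198.51.100.7 port 40013 ssh2
Apr 27 01:15:10 host1 sshd[4055]: Failed password for root from 192.168.1.20 port 33221 ssh2
Apr 27 01:15:11 host1 sshd[4055]: Failed password for root from 192.168.1.20 port 33222 ssh2
Apr 27 01:15:12 host1 sshd[4055]: Failed password for root from 192.168.1.20 port 33223 ssh2
EOF
)

# offenders LIMIT: log lines on stdin; prints "IP COUNT" for each source with
# more than LIMIT failed password attempts, skipping ALLOW_RE. The address is
# the token after the last "from", so a user literally named "from" cannot
# shift the parse onto the wrong field.
offenders() {
    awk -v limit="$1" -v allow="$ALLOW_RE" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "" && ip !~ allow) n[ip]++
        }
        END { for (ip in n) if (n[ip] > limit) print ip, n[ip] }' | sort
}

# apply_denies: append each new offender to hosts.deny and record it through
# syslog under the tag mydeny.sh, as the original script does.
apply_denies() {
    offenders "$THRESHOLD" <"$LOG" | while read -r ip count; do
        if ! grep -qsF "sshd: $ip" "$HOSTS_DENY"; then
            printf 'sshd: %s\n' "$ip" >>"$HOSTS_DENY"
            logger -t mydeny.sh "denied $ip after $count failed ssh logins"
        fi
    done
}

case "${1:-demo}" in
    apply) apply_denies ;;                               # nightly, from cron
    *)     printf '%s\n' "$SAMPLE_LOG" | offenders 2 ;;  # demo: limit 2 on the sample
esac
```

On a host that logs only to the journal, replace the file with journalctl -u sshd --since yesterday piped into offenders. Keep the allow-list: a misconfigured monitoring host or a forgotten service account can otherwise lock out your own network, and hosts.deny entries added this way never expire unless something removes them.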

[Read more…]