Tripwire Installation for SuSE 15

Monday, July 26, 2021 Add a comment

by Ramses Soto-Navarro ramses@sotosystems.com, 7/26/2021

Overview
Installation
Generate Keys
Initialize
Check Files

Overview

Brief notes on how to install and run tripwire on SuSE Enterprise Linux SLE 15. Tripwire checksums critical files in a database. Afterward you can inspect the checksum for files that have changed or files that have been breached. So for example, files in /bin/ should never change unless an upgrade was performed; Tripwire can scan daily for delicate files changed; a good security intrusion detection software.

Installation

Install the package.

# zypper install tripwire

Edit the policy.

# vi /etc/tripwire/twpol.txt

@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL=/etc/tripwire;
TWDB=/var/lib/tripwire;
TWSKEY=/etc/tripwire;
TWLKEY=/etc/tripwire;
TWREPORT=/var/lib/tripwire/report;
HOSTNAME=myhostname;
Device        = +pugsdr-intlbamcCMSH ;
Dynamic       = +pinugtd-srlbamcCMSH ;
Growing       = +pinugtdl-srbamcCMSH ;
IgnoreAll     = -pinugtsdrlbamcCMSH ;
IgnoreNone    = +pinugtsdrbamcCMSH-l ;
ReadOnly      = +pinugtsdbmCM-rlacSH ;
Temporary     = +pugt ;
@@section FS
(
  rulename = "Tripwire Binaries",
)
{
  $(TWBIN)/siggen                      -> $(ReadOnly) ;
  $(TWBIN)/tripwire                    -> $(ReadOnly) ;
  $(TWBIN)/twadmin                     -> $(ReadOnly) ;
  $(TWBIN)/twprint                     -> $(ReadOnly) ;
}
(
  rulename = "Tripwire Data Files",
)
{
  $(TWDB)                              -> $(Dynamic) -i ;
  $(TWPOL)/tw.pol                      -> $(ReadOnly) -i ;
  $(TWPOL)/tw.cfg                      -> $(ReadOnly) -i ;
  $(TWLKEY)/$(HOSTNAME)-local.key      -> $(ReadOnly) ;
  $(TWSKEY)/site.key                   -> $(ReadOnly) ;
  # don't scan the individual reports
  $(TWREPORT)                          -> $(Dynamic) (recurse=0) ;
}
(
  rulename = "Global Configuration Files",
)
{
  /etc                           -> $(IgnoreNone) -SHa ;
}
(
  rulename = "OS Boot Files and Mount Points",
)
{
  /boot                         -> $(ReadOnly) ;
}
(
  rulename = "OS Devices and Misc Directories",
)
{
  /opt                          -> $(Dynamic) ;
}
(
  rulename = "OS Binaries and Libraries",
)
{
  /bin                          -> $(ReadOnly) ;
  /lib                          -> $(ReadOnly) ;
  /lib64                         -> $(ReadOnly) ;
  /sbin                         -> $(ReadOnly) ;
  /usr/bin                      -> $(ReadOnly) ;
  /usr/lib                      -> $(ReadOnly) ;
  /usr/lib64                      -> $(ReadOnly) ;
  /usr/sbin                     -> $(ReadOnly) ;
}
(
  rulename = "User Binaries and Libraries",
)
{
  /usr/local                    -> $(ReadOnly) ;
  /usr/local/bin                -> $(ReadOnly) ;
  /usr/local/etc                -> $(ReadOnly) ;
  /usr/local/include            -> $(ReadOnly) ;
  /usr/local/lib                -> $(ReadOnly) ;
  /usr/local/sbin               -> $(ReadOnly) ;
  /usr/local/share              -> $(ReadOnly) ;
}
(
  rulename = "Root Directory and Files",
)
{
  /root                         -> $(IgnoreNone) -SHa ;
}
(
  rulename = "Monitor Filesystems",
)
{
  /home                         -> $(ReadOnly) ;  # Modify as needed
  /usr                          -> $(ReadOnly) ;
  /var                          -> $(ReadOnly) ;
}

Generate Keys

# twadmin --generate-keys --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/$HOSTNAME-local.key
# twadmin --create-cfgfile --cfgfile /etc/tripwire/tw.cfg --site-keyfile /etc/tripwire/site.key /etc/tripwire/twcfg.txt
# mkdir /usr/local/etc/
# ln -s /etc/tripwire/tw.cfg /usr/local/etc/tw.cfg
# twadmin --create-polfile --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key /etc/tripwire/twpol.txt

Initialize

# tripwire --init

Check Files

# tripwire --check > /tmp/tw1.txt

The End.

Posted by Ramses at 15:31:58 in

Custom Log Checker

Tuesday, April 27, 2021 Add a comment

by Ramses Soto-Navarro ramses@sotosystems.com, 4/27/2021

Overview
The Script
Crontab

Overview

Brief explanation of a log check bash script which alerts when there are too many log errors per day. It parses a set of words to search at the end of the day; counts the number of occurrences; then if a max number is surpassed, send an Email alert with a count of each set of words. A choice of sending via Email or displaying on console is provided.

[Read more…]

Posted by Ramses at 20:37:28 in

Nagios Install on Red Hat 8

Thursday, April 15, 2021 Add a comment

by Ramses Soto-Navarro ramses@sotosystems.com, 4/15/2021

Overview
Required Packages
Install Fping
Create Accounts
Install Nagios Core
Install Nagios Plugins
Configure Nagios
Configure Apache
Configure Email
Firewall Rules
Configure Nodes
Add Nodes to Monitor
Logrotate
Configure SNMP Defaults
Test Commands
Node Stress Test
OID List
TODO

Overview

Brief notes on Nagios install on Red Hat Linux 8.x. Provides: SNMP monitoring, Email alerts, web interface. The audience is experienced Linux administrators.

Required Packages

# yum install man wget openssh-clients rsync traceroute nmap nc telnet ftp elinks ntp bind-utils 
httpd gcc gcc-c++ php glibc glibc-common man perl gd gd-devel libjpeg-devel libpng-devel postfix 
openssl-devel gnutls gnutls-devel perl-CPAN  libdbi libdbi-devel libdbi-dbd-mysql samba-client 
net-snmp-utils bind-utils perl-DBD-MySQL  mod_auth_mysql openldap-clients openldap-devel 
perl-LDAP php-ldap libgcrypt-devel libopenssl-devel gettext-runtime automake net-snmp perl-Net-SNMP
cpan Crypt::DES Digest::HMAC Digest::SHA1 Net::SNMP Crypt:Rijndael

# yum groupinstall "MYSQL Database Client"

(Optional)
# yum install mysql mysql-server mysql-test mysql-devel mysql-libs mysql-connector-odbc php-mysql

Install Fping

# cd /usr/src
# wget http://fping.org/dist/fping-5.0.tar.gz
# tar zxf fping-5.0.tar.gz 
# cd fping-5.0/
# ./configure --disable-ipv6 --enable-ipv4
# make
# make install
# fping mis26

[Read more…]

Posted by Ramses at 22:24:01 in

Borg Backup Notes

Wednesday, April 14, 2021 Add a comment

by Ramses Soto-Navarro, ramses@sotosystems.com

Overview
Install
Quick Start
Daily Script
List Archives
Extract Restore
Delete Archive
Prune
Mount Archive
Export Tarball
Install SSHFS
Remote Restore
Prune

Overview

Brief notes about Borg; an executable for backups with many cool features: deduplication, high compression, encryption, mountable archives, authentication security, offsite backups via SSH, BSD license. Follow the logic; for experienced Linux administrators.

Install

Download latest from: https://github.com/borgbackup/borg/releases

# cd /usr/local/bin
# wget https://github.com/borgbackup/borg/releases/download/1.1.16/borg-linux64
# chmod 0755 borg-linux64
# ln -s borg-linux64 borg
# borg -h

[Read more…]

Posted by Ramses at 22:46:19 in

MyDeny Script

Friday, February 19, 2021 Add a comment

by Ramses Soto-Navarro, ramses@sotosystems.com

Overview
The Script
Cronjob
Remove IP

Overview

mydeny.sh script adds IP addresses to /etc/hosts.deny, which have too many bad SSH login attempts. It is a simple alternative to the older python denyhosts. It searches every night for IP addresses that failed to SSH more than 20 times, via cron. If so then it adds it to hosts.deny. Logging of each denied IP will be sent to /var/log/messages as mydeny.sh. Follow the parsing logic to automatically add more libwrap services to hosts.deny. This document is for experienced Linux administrators.

[Read more…]

Posted by Ramses at 01:13:02 in
Next Page »