Difference between revisions of "SEC520/labs/Lab 8"

From CDOT Wiki
(Created page with "<h1> <span class="mw-headline">Intrusion Detection</span></h1> <a name="Introduction" id="Introduction"></a><h2> <span class="mw-headline">Introduction</span></h2> <dl><dd><ul...")
 
m (Protected "SEC520/labs/Lab 8": OER transfer ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)))
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
 
<h1> <span class="mw-headline">Intrusion Detection</span></h1>
 
<h1> <span class="mw-headline">Intrusion Detection</span></h1>
<a name="Introduction" id="Introduction"></a><h2> <span class="mw-headline">Introduction</span></h2>
+
<h2> <span class="mw-headline">Introduction</span></h2>
 
<dl><dd><ul><li>Students will learn how to routinely check a computer system's performance (one of the side-effects of system intrusion). Students will specifically check log files in order to detect intrusion activity.
 
<dl><dd><ul><li>Students will learn how to routinely check a computer system's performance (one of the side-effects of system intrusion). Students will specifically check log files in order to detect intrusion activity.
 
</li></ul>
 
</li></ul>
Line 13: Line 13:
 
</dd></dl>
 
</dd></dl>
 
<br>
 
<br>
<a name="Objectives" id="Objectives"></a><h2> <span class="mw-headline">Objectives</span></h2>
+
<h2> <span class="mw-headline">Objectives</span></h2>
 
<ol><li>Check the <b>computer's performance</b> for indications of computer system intrusion activity.</li>
 
<ol><li>Check the <b>computer's performance</b> for indications of computer system intrusion activity.</li>
 
<li><b>Monitor log files</b> (in Linux) to detect any suspected system intrusions.</li>
 
<li><b>Monitor log files</b> (in Linux) to detect any suspected system intrusions.</li>
Line 21: Line 21:
 
<p><br>
 
<p><br>
 
</p>
 
</p>
<a name="Required_Materials_.28Bring_to_All_Labs.29" id="Required_Materials_.28Bring_to_All_Labs.29"></a><h2> <span class="mw-headline">Required Materials (Bring to All Labs)</span></h2>
+
<h2> <span class="mw-headline">Required Materials (Bring to All Labs)</span></h2>
 
<ul>
 
<ul>
 
<li> <b>SATA Hard Disk</b> (in removable disk tray).
 
<li> <b>SATA Hard Disk</b> (in removable disk tray).
Line 28: Line 28:
 
<p><br>
 
<p><br>
 
</p>
 
</p>
<a name="Prerequisites" id="Prerequisites"></a><h2> <span class="mw-headline">Prerequisites</span></h2>
+
<h2> <span class="mw-headline">Prerequisites</span></h2>
<ul><li> <a href="https://scs.senecac.on.ca/%7Efac/sec520/labs/SEC520_Lab_7.html">SEC520 Lab 7</a>
+
<ul><li> [https://wiki.cdot.senecacollege.ca/wiki/SEC520/labs/Lab_7 SEC520 Lab 7]
 
</li></ul>
 
</li></ul>
 
<p><br>
 
<p><br>
 
</p>
 
</p>
<a name="Linux_Command_Online_Reference" id="Linux_Command_Online_Reference"></a><h2> <span class="mw-headline">Online Tools and References</span></h2>
+
<h2> <span class="mw-headline">Online Tools and References</span></h2>
  
 
<ul>
 
<ul>
  <li><a href="https://www.sans.org/media/score/checklists/ID-Linux.pdf" target="_new">Intrusion Discovery (Linux)</a></li>
+
  <li>[https://www.sans.org/media/score/checklists/ID-Linux.pdf Intrusion Discovery (Linux)]</li>
  <li><a href="http://help.ubuntu.com/community/LinuxLogFiles" target="_new">Using Syslog Files (Linux)</a></li>
+
  <li>[http://help.ubuntu.com/community/LinuxLogFiles Using Syslog Files (Linux)]</li>
  <li><a href="http://en.wikipedia.org/wiki/Open_Source_Tripwire" target="_new">Tripwire Definition</a></li>
+
  <li>[http://en.wikipedia.org/wiki/Open_Source_Tripwire Tripwire Definition]</li>
  <li><a href="http://sourceforge.net/projects/tripwire/" target="_new">Download Tripwire</a></li>
+
  <li>[http://sourceforge.net/projects/tripwire/ Download Tripwire]</li>
  <li><a href="http://www.thegeekstuff.com/2008/12/tripwire-tutorial-linux-host-based-intrusion-detection-system/" target="_new">Using Tripwire</a></li>
+
  <li>[http://www.thegeekstuff.com/2008/12/tripwire-tutorial-linux-host-based-intrusion-detection-system/ Using Tripwire]</li>
<li><a href="" target="_new">Online Linux Manpages</a></li>
 
 
</ul>
 
</ul>
 
<p><br>
 
<p><br>
 
</p>
 
</p>
 
+
<h2> <span class="mw-headline">Course Notes</span></h2>
</p>
 
<a name="Resources_on_the_web" id="Resources_on_the_web"></a><h2> <span class="mw-headline">Course Notes</span></h2>
 
 
<ul>
 
<ul>
  <li><a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w9_l1.odp" target="_new">odp</a> | <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w9_l1.pdf" target="_new">pdf</a> | <a href="http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w9_l1.ppt" target="_new">ppt</a> (Slides: Intrusion Detection)</li>
+
  <li>[http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w9_l1.odp odp] | [http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w9_l1.pdf pdf] | [http://cs.senecac.on.ca/%7Efac/sec520/slides/sec520_w9_l1.ppt ppt] (Slides: Intrusion Detection)</li>
 
</ul>
 
</ul>
  
 
<p><br>
 
<p><br>
 
</p>
 
</p>
<a name="Performing_Lab_2" id="Performing_Lab_2"></a><h1> <span class="mw-headline">Performing Lab 8</span></h1>
+
<h1> <span class="mw-headline">Performing Lab 8</span></h1>
<a name="Task1" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #1: Checking System Performance</span></h2>
+
<h2> <span class="mw-headline">Task #1: Checking System Performance</span></h2>
 
<br />
 
<br />
 
Usually system administrators continually monitor thier computer systems to check for reductions in system performance. These "monitoring checks" can be <b>benchmark programs</b> (or operating system commands) to identify system performance. Reduced system performance may be an indicator of an intrusion by a malicious hacker.<br /><br />In this lab, we will issue several Linux commands to help monitor to monitor a Linux system's performance.<br />
 
Usually system administrators continually monitor thier computer systems to check for reductions in system performance. These "monitoring checks" can be <b>benchmark programs</b> (or operating system commands) to identify system performance. Reduced system performance may be an indicator of an intrusion by a malicious hacker.<br /><br />In this lab, we will issue several Linux commands to help monitor to monitor a Linux system's performance.<br />
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
+
{{Admon/important|Use your Hardened Linux VM for this Lab|You are to use your hardened Linux VM for the duration of this lab.|}}
<div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Important.png" height="35" border="0" width="35"></a></div>
 
<div><b>Use your Hardened Linux VM for this Lab</b><br>You are to use your hardened Linux VM for the duration of this lab.</div>
 
</div>
 
 
<br />
 
<br />
 
INSTRUCTIONS:
 
INSTRUCTIONS:
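Review bot: the "Online Linux Manpages" item in the Online Tools list (the `<li><a href="" target="_new">` line) is left as unchanged context by this revision and still has an empty href, so it renders as a dead link; give it a URL or drop the item while the rest of the list is being converted to `[url text]` wiki syntax. The Task #1 paragraph kept as context also still reads "thier" and "help monitor to monitor a Linux system's performance", worth fixing in the same pass.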
Line 77: Line 71:
 
<br /><br />
 
<br /><br />
  
<a name="Task2" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #2: Checking Unusual Activity </span></h2>
+
<h2> <span class="mw-headline">Task #2: Checking Unusual Activity </span></h2>
 
<br />
 
<br />
 
Checking for unusual activity in a Linux system focuses of several key indicators:
 
Checking for unusual activity in a Linux system focuses of several key indicators:
Line 95: Line 89:
 
  <li>Issue the Linux commands:<br />
 
  <li>Issue the Linux commands:<br />
 
   <pre>
 
   <pre>
   <b>ps aux | more</b>
+
   ps aux | more
  
   <b>lsof | more</b>
+
   lsof | more
  
   <b>lsof -p PID</b>
+
   lsof -p PID  
 
   </pre>
 
   </pre>
 
How does the information from this listing differ from the previous Linux command that you issued?<br />What sort of services/processes might indicate a problem?<br /><br /></li>
 
How does the information from this listing differ from the previous Linux command that you issued?<br />What sort of services/processes might indicate a problem?<br /><br /></li>
 
  <li>Issue the following Linux commands:  
 
  <li>Issue the following Linux commands:  
 
<pre>
 
<pre>
   <b>netstat -nap</b>
+
   netstat -nap
  
   <b>lsof -i</b>  
+
   lsof -i   
  
   <b>arp -a</b>
+
   arp -a
 
</pre>
 
</pre>
 
What sort of network usage would indicate an intrusion problem?<br /><br /></li>
 
What sort of network usage would indicate an intrusion problem?<br /><br /></li>
 
  <li>Issue the following Linux commands: <pre>
 
  <li>Issue the following Linux commands: <pre>
   <b>sort -nk3 -t: /etc/passwd | more</b>
+
   sort -nk3 -t: /etc/passwd | more
  
   <b>egrep ':0+:' /etc/passwd</b>
+
   egrep ':0+:' /etc/passwd
 
</pre>
 
</pre>
 
What is the purpose of these commands, and how would you check the results for intrusion?<br /><br /></li>
 
What is the purpose of these commands, and how would you check the results for intrusion?<br /><br /></li>
 
  <li>Next, look for unusual files by using the following Linux commands:
 
  <li>Next, look for unusual files by using the following Linux commands:
 
<pre>
 
<pre>
   <b>find / -size +10000k -print</b>
+
   find / -size +10000k -print
  
   <b>ls -a .*</b>
+
   ls -a .*
  
   <b>lsof +L1</b>
+
   lsof +L1
  
   <b>rpm -Va | sort</b>
+
   rpm -Va | sort
 
</pre>
 
</pre>
 
Write these commands in your lab log-book and give a brief purpose of how they can be used to interpret system intrusion.<br /><br /></li>
 
Write these commands in your lab log-book and give a brief purpose of how they can be used to interpret system intrusion.<br /><br /></li>
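Review bot: the converted `lsof -p PID` and `lsof -i` lines gain trailing spaces inside the `<pre>` block once the `<b>` tags are removed; trim them so all three blocks render identically. `PID` in that line is a placeholder the student has to replace with a process ID taken from the `ps aux` listing, and nothing in the surrounding text says so; a short clause after the block would avoid the command being typed literally.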
Line 133: Line 127:
 
</p>
 
</p>
 
<br /><br />
 
<br /><br />
<a name="Task3" id="Investigation_1:_How_to_Perform_a_Fedora_DVD_Install_on_Your_Removable_Hard_Drive"></a><h2> <span class="mw-headline">Task #3: Checking System Logs &amp; Using Syslog File</span></h2>
+
<h2> <span class="mw-headline">Task #3: Checking System Logs &amp; Using Syslog File</span></h2>
 
<br>
 
<br>
 
In this section, you will learn how to configure the <b>Syslog File</b> in  
 
In this section, you will learn how to configure the <b>Syslog File</b> in  
Line 141: Line 135:
 
INSTRUCTIONS:
 
INSTRUCTIONS:
 
<ol>
 
<ol>
  <li>Read the article on Linux Log Files: <a href="https://help.ubuntu.com/community/LinuxLogFiles" target="_new">Linux Log Files</a></li>
+
  <li>Read the article on Linux Log Files: [https://help.ubuntu.com/community/LinuxLogFiles Linux Log Files]</li>
 
  <li>In your hardened Linux server, experiment with each of the log files  
 
  <li>In your hardened Linux server, experiment with each of the log files  
 
mentioned in the article above (including configuration files). Note that your system may not have the same services installed, so some of the files may not be there.</li>
 
mentioned in the article above (including configuration files). Note that your system may not have the same services installed, so some of the files may not be there.</li>
Line 150: Line 144:
 
  <li>What would the following line achieve?
 
  <li>What would the following line achieve?
 
<pre>
 
<pre>
   <b>kern.none /var/log/messages</b>
+
   kern.none /var/log/messages
 
</pre><br></li>
 
</pre><br></li>
 
  <li>What does the following line do?
 
  <li>What does the following line do?
 
<pre>
 
<pre>
   <b>*.emerg *</b>
+
   *.emerg *
 
</pre>
 
</pre>
 
<br></li>
 
<br></li>
Line 166: Line 160:
 
</p>
 
</p>
 
<br><br>
 
<br><br>
<a name="Task4" d="Investigation_2:_How_many_file_packages_and_files_are_installed_on_the_system.3F"></a><h2> <span class="mw-headline">Task #4: IDS Example: Tripwire</span></h2>
+
<h2> <span class="mw-headline">Task #4: IDS Example: Tripwire</span></h2>
  
 
<p><br>
 
<p><br>
Line 176: Line 170:
 
INSTRUCTIONS:
 
INSTRUCTIONS:
 
<br><br>
 
<br><br>
</p><div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
+
</p>{{Admon/tip|About Tripwire|Tripwire is an optional package during install. Tripwire for earlier releases is available from the RedHat/Fedora Powertools CD in RPM format. Upon installation, it will proceed to scan your entire filesystem to create a default database of what your system looks like. (files and sizes etc) It might take as long as ten minutes to initially scan...
<div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:35px-Idea.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Idea.png" height="35" border="0" width="35"></a></div>
+
|}}
<div><b>About Tripwire</b><br>Tripwire is an optional package during  
 
install. Tripwire for earlier releases is available from the  
 
RedHat/Fedora Powertools CD in RPM format. Upon installation, it will  
 
proceed to scan your entire filesystem to create a default database of  
 
what your system looks like. (files and sizes etc) It might take as long
 
as ten minutes to initially scan...
 
</div>
 
</div>
 
 
<br>
 
<br>
  
Line 194: Line 180:
 
application is not installed, then issue the following command:
 
application is not installed, then issue the following command:
 
<pre>
 
<pre>
   <b>sudo yum install tripwire</b>
+
   sudo yum install tripwire
 
</pre>
 
</pre>
 
<br />
 
<br />
 
Alternatively, you can download and install tripwire at the following link:
 
Alternatively, you can download and install tripwire at the following link:
 
<br />
 
<br />
<a href="http://sourceforge.net/projects/tripwire/" target="_new">http://sourceforge.net/projects/tripwire/</a><br /><br /></li>
+
[http://sourceforge.net/projects/tripwire/ http://sourceforge.net/projects/tripwire/]<br /><br /></li>
 
  <li>Based on instructions in the <b>README.Fedora</b> file<br />
 
  <li>Based on instructions in the <b>README.Fedora</b> file<br />
 
     (located in <b>/usr/share/docs/tripwire-2.4.2.2</b> directory)<br />
 
     (located in <b>/usr/share/docs/tripwire-2.4.2.2</b> directory)<br />
 
     You are required to issue the following commands to initialize and run the tripwire application (using default settings):
 
     You are required to issue the following commands to initialize and run the tripwire application (using default settings):
 
<pre>
 
<pre>
   <b>/usr/sbin/tripwire-setup-keyfiles</b> # Generate the system-specific
+
   /usr/sbin/tripwire-setup-keyfiles # Generate the system-specific
 
                                     # cryptographic key files
 
                                     # cryptographic key files
 
                                     # Remember your password phrase
 
                                     # Remember your password phrase
  
   <b>/usr/sbin/tripwire --init</b>         # Initialize the Tripwire
+
   /usr/sbin/tripwire --init        # Initialize the Tripwire
 
                                     # database file. Note: this process
 
                                     # database file. Note: this process
 
                                     # may take several minutes to perform
 
                                     # may take several minutes to perform
  
   <b>/usr/sbin/tripwire --check</b>       # Run the first integrity check
+
   /usr/sbin/tripwire --check        # Run the first integrity check
 
                                             # May take several minutes
 
                                             # May take several minutes
 
</pre>
 
</pre>
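Review bot: in the converted `--check` line the continuation comment (`# May take several minutes`) is indented eight columns further than the command's own comment, so the comment column no longer lines up with the `--init` and `tripwire-setup-keyfiles` entries once the `<b>` tags are gone; align it with the lines above. The README.Fedora directory given as context, `/usr/share/docs/tripwire-2.4.2.2`, is the one the next step depends on; confirm that directory exists on the hardened VM's Tripwire package before the lab is run.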
Line 219: Line 205:
 
</ol>
 
</ol>
 
<br>
 
<br>
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
+
{{Admon/important|Tripwire Configuration Files|Configuration file pathnames for Tripwire should be:<br><br><b>/etc/tripwire/twcfg.txt<br>/etc/tripwire/twpol.txt</b><br><br>These files are first edited and then processed by issueing the command:<br /><b>tripwire --update-policy &nbsp; POLICY-TEXT-FILENAME</b><br /><br />In order to have tripwire report any violations:<ol><li>Edit the file /etc/tripwire/twpol.txt and comment out the lines where it says files not found</li><li>Issue the command:<br /><br />
<div style="float: left; margin-left: -40px;"><a href="https://scs.senecac.on.ca/wiki/index.php/File:Important.png" class="image" title="Important.png"><img alt="" src="SEC520_Lab_1_files/35px-Important.png" height="35" border="0" width="35"></a></div>
+
<b>/usr/sbin/tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt</b><br /><br /></li></ol>|}}
<div><b>Tripwire Configuration Files</b><br>Configuration file pathnames for Tripwire should be:<br><br><b>/etc/tripwire/twcfg.txt<br>/etc/tripwire/twpol.txt</b><br><br>These files are first edited and then processed by issueing the command:<br /><b>tripwire --update-policy &nbsp; POLICY-TEXT-FILENAME</b><br /><br />In order to have tripwire report any violations:<ol><li>Edit the file /etc/tripwire/twpol.txt and comment out the lines where it says files not found</li><li>Issue the command:<br /><br />
 
<b>/usr/sbin/tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt</b><br /><br /></li></ol></div>
 
</div>
 
 
<br>
 
<br>
 
<ol>
 
<ol>
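Review bot: "issueing" in the body of the Tripwire Configuration Files admonition is carried over from the old markup into the template argument; fix it to "issuing" while converting. The `&nbsp;` between `--update-policy` and `POLICY-TEXT-FILENAME` also survives inside the template text, where a plain space is enough in wikitext.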
Line 235: Line 218:
 
</p>
 
</p>
  
<a name="Completing_the_Lab" id="Completing_the_Lab"></a><h1> <span class="mw-headline"> Completing the Lab </span></h1>
+
<h1> <span class="mw-headline"> Completing the Lab </span></h1>
 
<p><b>Arrange evidence for each of these items on your screen, then ask  
 
<p><b>Arrange evidence for each of these items on your screen, then ask  
 
your instructor to review them and sign off on the lab's completion:</b>
 
your instructor to review them and sign off on the lab's completion:</b>
Line 249: Line 232:
 
<p><br>
 
<p><br>
 
</p>
 
</p>
<a name="Preparing_for_Quizzes" id="Preparing_for_Quizzes"></a><h1> <span class="mw-headline"> Preparing for Quizzes </span></h1>
+
<h1> <span class="mw-headline"> Preparing for Quizzes </span></h1>
  
 
<ol>
 
<ol>

Latest revision as of 15:00, 21 July 2023

Intrusion Detection

Introduction

  • Students will learn how to routinely check a computer system's performance (one of the side-effects of system intrusion). Students will specifically check log files in order to detect intrusion activity.
  • Students will also configure the syslog file in Linux to inform the system administrator of any suspected intrusions that have occurred in their computer system.
  • Students will also learn how to automate intrusion detection tasks by installing, configuring and running a common Intrusion Detection System (IDS) called Tripwire in order to flag and report suspected computer system intrusions.


Objectives

  1. Check the computer's performance for indications of computer system intrusion activity.
  2. Monitor log files (in Linux) to detect any suspected system intrusions.
  3. Configure the Syslog File (in Linux) to notify the administrator of any suspected system intrusions.
  4. Install, configure and run the Tripwire open-source application to automatically flag and report suspected system intrusions.


Required Materials (Bring to All Labs)

  • SATA Hard Disk (in removable disk tray).
  • Lab Logbook (Lab8 Reference Sheet) (to make notes and observations).


Prerequisites


Online Tools and References


Course Notes

  • odp | pdf | ppt (Slides: Intrusion Detection)


Performing Lab 8

Task #1: Checking System Performance


Usually system administrators continually monitor their computer systems to check for reductions in system performance. These "monitoring checks" can be benchmark programs (or operating system commands) that measure system performance. Reduced system performance may be an indicator of an intrusion by a malicious hacker.

In this lab, we will issue several Linux commands to help monitor a Linux system's performance.

Use your Hardened Linux VM for this Lab
You are to use your hardened Linux VM for the duration of this lab.


INSTRUCTIONS:

  1. Start your Kali Linux (host) system, and start your Hardened Linux VM.
  2. Switch to your Hardened Linux VM, and open a shell terminal.
  3. Issue the Linux command: uptime. Record the value for the load average of your Linux system. Research on the Internet to determine what load average for a Linux system means and what a higher load average may indicate. Record your findings in your lab log-book.
  4. Issue the Linux command: df -h and view the remaining amount of disk space. For detailed information regarding particular file sizes within a directory, you can use the du -h command. Which directories growing unusually large might indicate hacking, a worm or a virus on your Linux system? Record your findings in your lab log-book.
  5. How would you monitor the same measurements of system performance for a Windows system?
  6. Proceed to Task #2

Answer the Task #1 observations / questions in your lab log book.
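The two measurements in Task #1 only mean something in context: a load average is high relative to the number of CPUs, and df/du matter when a filesystem is filling up. The following script is an added example (not part of the lab page) that reads the same data uptime and df use, /proc/loadavg and df -P, and turns the raw numbers into a verdict. The load-average line and df output it falls back on are constructed samples.

```sh
#!/bin/sh
# Added example for Task #1 (not part of the lab page): judge the numbers that
# uptime and df report instead of only recording them. A load average is only
# "high" relative to the number of CPUs, and a filesystem filling up is the
# signal df/du are used for. The sample strings are constructed for offline use.

# Number of online CPUs (falls back to 1 if getconf is unavailable).
cpu_count() {
    n=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
    [ "$n" -ge 1 ] 2>/dev/null || n=1
    echo "$n"
}

# load_status LOADAVG_LINE NCPU
# LOADAVG_LINE is in /proc/loadavg format (1, 5 and 15 minute averages,
# running/total processes, last PID), which is where uptime gets its numbers.
# Prints "high" when the 1-minute average exceeds the CPU count, else "normal".
load_status() {
    echo "$1" | awk -v ncpu="$2" '{ s = ($1 + 0 > ncpu + 0) ? "high" : "normal"; print s }'
}

# full_filesystems DF_OUTPUT THRESHOLD_PERCENT
# DF_OUTPUT is the output of "df -P" (portable format: Capacity is field 5,
# mount point is field 6). Prints the mount points at or above the threshold.
full_filesystems() {
    echo "$1" | awk -v limit="$2" 'NR > 1 { sub("%", "", $5); if ($5 + 0 >= limit + 0) print $6 }'
}

# Constructed sample data in the formats the real file and command produce.
SAMPLE_LOADAVG="4.50 3.20 2.10 1/200 1234"
SAMPLE_DF="Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 20000000 19200000 800000 96% /
/dev/sda2 50000000 10000000 40000000 20% /home
tmpfs 4000000 0 4000000 0% /dev/shm"

# Report on the live system when /proc/loadavg is readable, else on the samples.
report() {
    if [ -r /proc/loadavg ]; then
        loadavg=$(cat /proc/loadavg)
        df_out=$(df -P 2>/dev/null)
    else
        loadavg=$SAMPLE_LOADAVG
        df_out=$SAMPLE_DF
    fi
    echo "load average: $(load_status "$loadavg" "$(cpu_count)") ($loadavg)"
    echo "filesystems at or above 90% full:"
    full_filesystems "$df_out" 90
}

report
```

Run it on the hardened VM before and after starting a CPU-heavy job to see the verdict change; the 1-minute figure compared here is the first number uptime prints after "load average:".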



Task #2: Checking Unusual Activity


Checking for unusual activity in a Linux system focuses on several key indicators:

  • Unusual Running Processes
  • Unusual Network Usage
  • Unusual User Accounts
  • Unusual Large Files
  • Unusual Log Entries


In the next 2 sections, we will learn how to monitor these indicators to help identify Linux system intrusion. In this section, use man pages or perform research on the Internet in order to understand how the following Linux commands can be used to detect system intrusion (or "suspicious activity").

INSTRUCTIONS:

  1. Issue the Linux command: chkconfig --list (or systemctl list-units --all on newer systems). List all the running services in your lab log-book.
  2. Issue the Linux commands:
       ps aux | more
    
       lsof | more
    
       lsof -p PID 
       
    How does the information from this listing differ from the previous Linux command that you issued?
    What sort of services/processes might indicate a problem?

  3. Issue the following Linux commands:
       netstat -nap
    
       lsof -i  
    
       arp -a
    
    What sort of network usage would indicate an intrusion problem?

  4. Issue the following Linux commands:
       sort -nk3 -t: /etc/passwd | more
    
       egrep ':0+:' /etc/passwd
    
    What is the purpose of these commands, and how would you check the results for intrusion?

  5. Next, look for unusual files by using the following Linux commands:
       find / -size +10000k -print
    
       ls -a .*
    
       lsof +L1
    
       rpm -Va | sort
    
    Write these commands in your lab log-book and give a brief purpose of how they can be used to interpret system intrusion.

  6. Proceed to Task #3

Answer the Task #2 observations / questions in your lab log book.



Task #3: Checking System Logs & Using Syslog File


In this section, you will learn how to configure the Syslog File in Linux in order to detect and report suspected intrusion actions on your computer system.

INSTRUCTIONS:

  1. Read the article on Linux Log Files: Linux Log Files
  2. In your hardened Linux server, experiment with each of the log files mentioned in the article above (including configuration files). Note that your system may not have the same services installed, so some of the files may not be there.
  3. Read the man pages for syslogd and syslog.conf. Learn what types of activities generate various types of system messages.
  4. What line would you put in syslog.conf to send all security messages to the console? How would you send them directly to the printer?
  5. What would the following line achieve?
       kern.none /var/log/messages
    

  6. What does the following line do?
       *.emerg *
    

  7. How would you send all access control messages directly to the root user?
  8. Read your syslog.conf file. Make sure you understand what each line means.
  9. Using research and experimentation, configure your syslogd so that any reboots are logged on your lab mate's /var/log/messages log file. Demonstrate that this works by rebooting your system.
  10. Record all of your observations/answers in your lab log-book.
  11. Proceed to Task #4

Answer the Task #3 observations / questions in your lab log book.
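Before putting a new line into syslog.conf it helps to be able to predict what it does. The script below is an added example (not from the lab page) that evaluates syslog.conf selectors under the classic syslog.conf(5) rules: FACILITY.PRIORITY, where a priority means that level or anything more urgent, "none" switches a facility off, "*" stands for every facility or priority, and selectors joined by ";" apply left to right with later ones overriding earlier ones for the facilities they name. The sample rules are constructed, modelled on a typical default configuration.

```sh
#!/bin/sh
# Added example for Task #3 (not from the lab page): a small evaluator for
# syslog.conf selectors, so the effect of a line can be predicted before it is
# put into the real configuration. It follows the classic syslog.conf(5) rules.

# Rank of a priority: 0 is the most urgent, 7 the least; -1 means unknown.
prio_rank() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *)            echo -1 ;;
    esac
}

# facility_listed FACILITY_LIST FACILITY: true if the comma-separated list
# names the facility or contains "*" (case patterns avoid any glob expansion).
facility_listed() {
    case ",$1," in
        *",*,"*|*",$2,"*) return 0 ;;
    esac
    return 1
}

# selector_matches SELECTOR_LIST FACILITY PRIORITY
# Prints "yes" if a message with that facility and priority reaches the action
# of a syslog.conf line carrying SELECTOR_LIST, otherwise "no".
selector_matches() {
    rest="$1;"
    msg_fac=$2
    msg_rank=$(prio_rank "$3")
    result=no
    while [ -n "$rest" ]; do
        sel=${rest%%;*}
        rest=${rest#*;}
        facility_listed "${sel%.*}" "$msg_fac" || continue
        prio=${sel#*.}
        case "$prio" in
            none) result=no ;;
            '*')  result=yes ;;
            *)    sel_rank=$(prio_rank "$prio")
                  if [ "$sel_rank" -ge 0 ] && [ "$msg_rank" -le "$sel_rank" ]; then
                      result=yes
                  else
                      result=no
                  fi ;;
        esac
    done
    echo "$result"
}

# Constructed sample rules in "SELECTORS ACTION" form, modelled on a typical
# default syslog.conf (the "*" action writes to every logged-in user).
SAMPLE_RULES='*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
*.emerg *'

# route FACILITY PRIORITY: print the action of every sample rule the message hits.
route() {
    echo "$SAMPLE_RULES" | while read -r selectors action; do
        [ "$(selector_matches "$selectors" "$1" "$2")" = yes ] && echo "$action"
    done
}

echo "kern.emerg    -> $(route kern emerg | tr '\n' ' ')"
echo "authpriv.info -> $(route authpriv info | tr '\n' ' ')"
echo "kern.debug    -> $(route kern debug | tr '\n' ' ')"
```

Paste the selector part of any line from your own syslog.conf into selector_matches with the facility and priority of a message you expect, and compare the answer with what actually lands in the log after a test message.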



Task #4: IDS Example: Tripwire


In this section, students will learn how to install, configure and run a commonly-used open source application called Tripwire that will automatically detect system intrusion. Tripwire is used to create an initial database of information on all the system files, then runs periodically (via cron) in order to compare the system to the database. This allows the IT security manager to "manage by exception", allowing them to concentrate on providing a balanced and effective method of system security.

INSTRUCTIONS:

About Tripwire
Tripwire is an optional package during install. Tripwire for earlier releases is available from the RedHat/Fedora Powertools CD in RPM format. Upon installation, it will proceed to scan your entire filesystem to create a default database of what your system looks like (files, sizes, etc.). It might take as long as ten minutes to initially scan...


  1. We will be installing tripwire on your hardened Linux server.
  2. While in your hardened Linux server, open a shell terminal, and issue the command which tripwire to check to see if the application has been installed. If the application is not installed, then issue the following command:
       sudo yum install tripwire
    


    Alternatively, you can download and install tripwire at the following link:

    http://sourceforge.net/projects/tripwire/

  3. Based on instructions in the README.Fedora file
    (located in /usr/share/docs/tripwire-2.4.2.2 directory)
    You are required to issue the following commands to initialize and run the tripwire application (using default settings):
       /usr/sbin/tripwire-setup-keyfiles # Generate the system-specific
                                         # cryptographic key files
                                         # Remember your password phrase
    
       /usr/sbin/tripwire --init         # Initialize the Tripwire
                                         # database file. Note: this process
                                         # may take several minutes to perform
    
       /usr/sbin/tripwire --check        # Run the first integrity check
                                                # May take several minutes
    


  4. There were some errors when initializing the tripwire database. Why do you think these errors occurred?


Tripwire Configuration Files
Configuration file pathnames for Tripwire should be:

/etc/tripwire/twcfg.txt
/etc/tripwire/twpol.txt


These files are first edited and then processed by issuing the command:
tripwire --update-policy   POLICY-TEXT-FILENAME

In order to have tripwire report any violations:
  1. Edit the file /etc/tripwire/twpol.txt and comment out the lines where it says files not found
  2. Issue the command:

    /usr/sbin/tripwire --update-policy --secure-mode low /etc/tripwire/twpol.txt


  1. Create a cron job to be run on a daily basis that will run tripwire --check as root

  2. Record your findings in your lab log-book.
  3. Proceed to "Completing the Lab"

Answer Task #4 observations / questions in your lab log book.
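A daily cron job that only runs tripwire --check leaves the result in a report file nobody reads. The script below is an added example (not from the lab page or the Tripwire project) of a wrapper for that root cron job: it runs the check, decodes the exit status, and writes a one-line summary through logger, which ties the job back to the syslog configuration from Task #3. The tripwire(8) manual documents the check's exit status as a bitmask (1 = files added, 2 = removed, 4 = changed, 8 = error); verify this against the manual page of the version on your VM. The tripwire path is the one the lab uses; the report directory /var/lib/tripwire/report is an assumption matching the Fedora package's default.

```sh
#!/bin/sh
# Added example for Task #4 (not from the lab page or the Tripwire project):
# a wrapper for the daily root cron job, plus a decoder for the exit status of
# "tripwire --check", which tripwire(8) documents as a bitmask:
# 1 = files added, 2 = files removed, 4 = files changed, 8 = error.
# TRIPWIRE is the path the lab uses; REPORT_DIR is an assumed default.

TRIPWIRE=/usr/sbin/tripwire
REPORT_DIR=/var/lib/tripwire/report

# decode_tripwire_status STATUS: one word per set bit, "clean" for 0.
decode_tripwire_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo clean
        return 0
    fi
    out=""
    [ $((status & 1)) -ne 0 ] && out="$out added"
    [ $((status & 2)) -ne 0 ] && out="$out removed"
    [ $((status & 4)) -ne 0 ] && out="$out changed"
    [ $((status & 8)) -ne 0 ] && out="$out error"
    echo "${out# }"
}

# syslog_priority STATUS: the facility.priority the summary should carry, so a
# syslog.conf rule on daemon.warning catches every violation.
syslog_priority() {
    case "$(decode_tripwire_status "$1")" in
        clean)   echo daemon.info ;;
        *error*) echo daemon.err ;;
        *)       echo daemon.warning ;;
    esac
}

# Run the check and log a one-line summary naming the newest report file.
# Intended to be called as root from cron, e.g. a script in /etc/cron.daily.
run_daily_check() {
    "$TRIPWIRE" --check >/dev/null 2>&1
    status=$?
    summary=$(decode_tripwire_status "$status")
    latest=$(ls -t "$REPORT_DIR"/*.twr 2>/dev/null | head -n 1)
    logger -t tripwire -p "$(syslog_priority "$status")" \
        "integrity check finished: $summary (exit $status) report=${latest:-none}"
    return "$status"
}

# Only run the real check when invoked as "script run", so the file can also be
# sourced to reuse the decoder.
case "${1:-}" in
    run) run_daily_check ;;
esac
```

Install it as a root-owned script and point the lab's cron job at it with the run argument; grep /var/log/messages for "tripwire" afterwards to confirm the summary arrives, and check the named report with twprint to see which files tripped.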


Completing the Lab

Arrange evidence for each of these items on your screen, then ask your instructor to review them and sign off on the lab's completion:

  1. Results of uptime and df commands.
  2. Display information about the Linux system's processes, network usage and any unusual user accounts.
  3. Run the Linux command to display files over 10000 kilobytes.
  4. Contents of syslog.conf file.
  5. Cron job (root) running tripwire --check command.
  6. Completed Lab 8 notes.


Preparing for Quizzes

  1. Write 2 Linux commands to help measure Linux system performance.
  2. List and explain 5 types of unusual activities (indicators) that could affect system performance from a system intrusion. For each indicator, write a Linux command used to help detect the unusual activity due to system intrusion.
  3. List 4 types of logs to view to detect unusual activity associated with system intrusion.
  4. Briefly list the steps to set up syslog on your Linux server.
  5. Define the term IDS.
  6. Write the Linux command to generate a Tripwire report.