Tuesday, 3 May 2016

Tripwire : Install


2015/06/21
 
Install and configure Host Based IDS (Intrusion Detection System) "Tripwire".
[1]Install Tripwire.
# install from EPEL

[root@dlp ~]# 
yum --enablerepo=epel -y install tripwire
[2]Create keys and database.
# generate keys

[root@dlp ~]# 
tripwire-setup-keyfiles
.....
.....
Enter the site keyfile passphrase:
# set site keyfile passphrase

Verify the site keyfile passphrase:
# confirm

.....
.....
Enter the local keyfile passphrase:
# set local keyfile passphrase

Verify the local keyfile passphrase:
# confirm

.....
.....
Please enter your site passphrase: 
# answer with site keyfile passphrase

.....
.....
Please enter your site passphrase: 
# answer with site keyfile passphrase

.....
.....
[root@dlp ~]# 
cd /etc/tripwire 

[root@dlp tripwire]# 
vi twcfg.txt
# line 12: report level (4 is max)

REPORTLEVEL = 4
# generate config

[root@dlp tripwire]# 
twadmin -m F -c tw.cfg -S site.key twcfg.txt 

Please enter your site passphrase:
# answer with site keyfile passphrase

Wrote configuration file: /etc/tripwire/tw.cfg
# optimize policy file with the script below

[root@dlp tripwire]# 
vi twpolmake.pl
#!/usr/bin/perl
# Tripwire Policy File customize tool
# ----------------------------------------------------------------
# Copyright (C) 2003 Hiroaki Izumi
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------
# Usage:
#     perl twpolmake.pl {Pol file}
# ----------------------------------------------------------------
#
$POLFILE=$ARGV[0];

open(POL,"$POLFILE") or die "open error: $POLFILE" ;
my($myhost,$thost) ;
my($sharp,$tpath,$cond) ;
my($INRULE) = 0 ;

while (<POL>) {
    chomp;
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname` ; chomp($myhost) ;
        if ($thost ne $myhost) {
            $_="HOSTNAME=\"$myhost\";" ;
        }
    }
    elsif ( /^{/ ) {
        $INRULE=1 ;
    }
    elsif ( /^}/ ) {
        $INRULE=0 ;
    }
    elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        $ret = ($sharp =~ s/\#//g) ;
        if ($tpath eq '/sbin/e2fsadm' ) {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ;
        }
        if (! -s $tpath) {
            $_ = "$sharp#$tpath$cond" if ($ret == 0) ;
        }
        else {
            $_ = "$sharp$tpath$cond" ;
        }
    }
    print "$_\n" ;
}
close(POL) ;

[root@dlp tripwire]# 
perl twpolmake.pl twpol.txt > twpol.txt.new 

[root@dlp tripwire]# 
twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new 

Please enter your site passphrase:
Wrote policy file: /etc/tripwire/tw.pol
# create database

[root@dlp tripwire]# 
tripwire -m i -s -c tw.cfg

Please enter your local passphrase:
[3]Run a check manually. (A daily check script for Cron is included in the package.)
[root@dlp ~]# 
tripwire -m c -s -c /etc/tripwire/tw.cfg 

Open Source Tripwire(R) 2.4.2.2 Integrity Check Report

Report generated by:          root
Report created on:            Fri 18 Jun 2015 19:53:39 PM JST
Database last updated on:     Never

===============================================================================
Report Summary:
===============================================================================

Host name:                    dlp.srv.world
Host IP address:              10.0.0.30
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/dlp.srv.world.twd
Command line used:            tripwire -m c -s -c /etc/tripwire/tw.cfg

===============================================================================
Rule Summary:
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  User binaries                   66                0        0        0
  Tripwire Binaries               100               0        0        0
  Libraries                       66                0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        0
  Kernel Administration Programs  100               0        0        0
  Networking Programs             100               0        0        0
  System Administration Programs  100               0        0        0
  Hardware and Device Control Programs
                                  100               0        0        0
  System Information Programs     100               0        0        0
  Application Information Programs
                                  100               0        0        0
  (/sbin/rtmon)
  Operating System Utilities      100               0        0        0
  Critical Utility Sym-Links      100               0        0        0
  Shell Binaries                  100               0        0        0
  Critical system boot files      100               0        0        0
* Tripwire Data Files             100               1        0        0
  System boot changes             100               0        0        0
  OS executables and libraries    100               0        0        0
  Critical configuration files    100               0        0        0
  Security Control                100               0        0        0
  Login Scripts                   100               0        0        0
  Root config files               100               0        0        0
  Invariant Directories           66                0        0        0
  Temporary directories           33                0        0        0
  Critical devices                100               0        0        0
  (/proc/kcore)

Total objects scanned:  21739
Total violations found:  1

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: Tripwire Data Files (/var/lib/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/var/lib/tripwire/dlp.srv.world.twd"

===============================================================================
Error Report:
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
[4]If the detected differences are expected and not a problem, update the database as follows.
# results are saved under the directory below

[root@dlp ~]# 
ll /var/lib/tripwire/report 

total 8
-rw-r--r-- 1 root root 6814 Jun 17 19:53 dlp.srv.world-20150617-125339.twr

# update database with a specific report

[root@dlp ~]# 
tripwire -m u -a -s -c /etc/tripwire/tw.cfg \
-r /var/lib/tripwire/report/dlp.srv.world-20150617-125339.twr 

Please enter your local passphrase:

Install PHP 7.0


2016/03/10
 
The PHP version in the CentOS 7 repository is 5.4, but PHP 7.0 can be installed from RPM packages if you need it.
[1]Install Remi repository which provides RPM packages.
[root@dlp ~]# 
yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
[2]Install PHP 7 from Remi repository.
[root@dlp ~]# 
yum --enablerepo=remi -y install php70
# the binary is available as "php70"

[root@dlp ~]# 
php70 -v 

PHP 7.0.4 (cli) (built: Mar 2 2016 17:13:39) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
# php70 binary is under the /opt/remi/php70

[root@dlp ~]# 
ll /bin/php70 

lrwxrwxrwx 1 root root 32 Mar 11 11:48 /bin/php70 -> /opt/remi/php70/root/usr/bin/php
# with the scl command it can also be used as plain "php"

[root@dlp ~]# 
scl enable php70 bash 

[root@dlp ~]# 
php -v 

PHP 7.0.4 (cli) (built: Mar 2 2016 17:13:39) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies

Clam AntiVirus


2014/09/25
 
Install Clam AntiVirus to protect servers from viruses.
[1]Install Clamav.
# install from EPEL

[root@dlp ~]# 
yum --enablerepo=epel -y install clamav clamav-update
[root@dlp ~]# 
sed -i -e "s/^Example/#Example/" /etc/freshclam.conf
# update pattern files

[root@dlp ~]# 
freshclam

ClamAV update process started at Fri Aug 29 22:03:30 2014
main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cvd is up to date (version: 19314, sigs: 1094505, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 242, sigs: 46, f-level: 63, builder: dgoddard)
[2]Try to scan.
[root@dlp ~]# 
clamscan --infected --remove --recursive /home
----------- SCAN SUMMARY -----------
Known viruses: 3575245
Engine version: 0.98.4
Scanned directories: 2
Scanned files: 3
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 10.369 sec (0 m 10 s)

# download the EICAR test file (a harmless file that antivirus engines detect by design)

[root@dlp ~]# 
curl -O http://www.eicar.org/download/eicar.com
[root@dlp ~]# 
clamscan --infected --remove --recursive .

./eicar.com: Eicar-Test-Signature FOUND
./eicar.com: Removed. 
# the test file was detected (and deleted because of --remove)
----------- SCAN SUMMARY -----------
Known viruses: 3575245
Engine version: 0.98.4
Scanned directories: 3
Scanned files: 10
Infected files: 1
Data scanned: 0.00 MB
Data read: 256.57 MB (ratio 0.00:1)
Time: 10.307 sec (0 m 10 s)

Access Control by ACL


2015/07/02
 
This is an example of configuring ACLs (Access Control Lists).
[1]The ACL package is included in the minimal OS installation; if it is not on your system, install it as follows.
[root@dlp ~]# 
yum -y install acl
[2]No preparation is needed to use ACLs on xfs, the default filesystem on CentOS 7. If you are using ext4, the default filesystem on CentOS 6, the filesystem must be prepared first; refer to sections [2] and [3] of the CentOS 6 page.
[3]To set an ACL, for example on the file "/home/test.txt":
[root@dlp ~]# 
ll /home/test.txt 

-rwx------ 1 root root 10 Jul  3 16:17 /home/test.txt

# set r(read) for "cent" user to /home/test.txt

[root@dlp ~]# 
setfacl -m u:cent:r /home/test.txt
# after setting the ACL, a "+" is appended to the permission string

[root@dlp ~]# 
ll /home/test.txt 

-rwxr-----+ 1 root root 10 Jul  3 16:17 /home/test.txt

# confirm settings

[root@dlp ~]# 
getfacl /home/test.txt 

getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---

# try to access with "cent"

[cent@dlp ~]$ 
cat /home/test.txt 

ACL test file
# read succeeds
# try to access with another user

[fedora@dlp ~]$ 
cat /home/test.txt 

cat: /home/test.txt: Permission denied
# read is denied
[4]Set ACL to a directory recursively.
# set r(read) for "cent" to "/home/testdir" recursively

[root@dlp ~]# 
setfacl -R -m u:cent:r /home/testdir
[root@dlp ~]# 
ll /home/testdir 

total 4
-rwxr-----+ 1 root root 5 Jul  3 16:23 testfile

[root@dlp ~]# 
getfacl -R /home/testdir 

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---

# file: home/testdir/testfile
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---
[5]Set ACL by group.
# set rw(read/write) for "security" group to "/home/test.txt"

[root@dlp ~]# 
setfacl -m g:security:rw /home/test.txt 

[root@dlp ~]# 
getfacl /home/test.txt 

getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
group:security:rw-
mask::rw-
other::---

# try to access with the "cent" user, who is in the "security" group

[cent@dlp ~]$ 
echo "test write" >> /home/test.txt 

[cent@dlp ~]$ 
cat /home/test.txt 

ACL test file
test write
# write succeeds
# try to access with a user who is not in the "security" group

[fedora@dlp ~]$ 
echo "test write" >> /home/test.txt 

-bash: /home/test.txt: Permission denied
# write is denied
[6]Remove ACL.
# remove ACL from "/home/test.txt"

[root@dlp ~]# 
setfacl -b /home/test.txt
# remove ACL only for "fedora" user on "/home/test.txt"

[root@dlp ~]# 
setfacl -x u:fedora /home/test.txt
[7]Set default ACL to a directory.
Files and directories created under a directory that has a default ACL inherit it as their access ACL. Be careful: if you change the permissions with "chmod" afterwards, the ACL may no longer take effect as intended.
[root@dlp ~]# 
setfacl -m u:cent:r-x /home/testdir 

# set default ACL "r-x(read/execute)" for "cent" to "/home/testdir" directory

[root@dlp ~]# 
setfacl -d -m u:cent:r-x /home/testdir 

[root@dlp ~]# 
getfacl /home/testdir 

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:cent:r-x
default:group::---
default:mask::r-x
default:other::---

[root@dlp ~]# 
echo "ACL default setting" > /home/testdir/test.txt 

[root@dlp ~]# 
ll /home/testdir/test.txt 

-rw-r-----+ 1 root root 20 Jan 31 22:32 /home/testdir/test.txt

# try to access with "cent"

[cent@dlp ~]$ 
cat /home/testdir/test.txt 

ACL default setting
# it can read normally
[8]Remove default ACL.
[root@dlp ~]# 
setfacl -k /home/testdir 

[root@dlp ~]# 
getfacl /home/testdir 

getfacl: Removing leading '/' from absolute path names
# file: home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---
[9]Set ACLs from a configuration file.
# create a configuration file for ACLs

# ACLs to be applied from another system can be exported there with the "getfacl" command and restored here

[root@dlp ~]# 
vi acl.txt
# file: /home/testdir
# owner: root
# group: root
user::rwx
user:cent:r-x
group::---
mask::r-x
other::---

# file: /home/test.txt
# owner: root
# group: root
user::rwx
user:cent:r--
group::---
mask::r--
other::---

[root@dlp ~]# 
setfacl --restore=acl.txt 

[root@dlp ~]# 
ll /home 

total 16
drwx------. 2 cent   cent   4096 Jan 31 12:14 cent
drwx------  2 fedora fedora 4096 Jan 31 12:14 fedora
drwxr-x---+ 2 root   root   4096 Jan 31 22:32 testdir
-rwxr-----+ 1 root   root     25 Jan 31 21:56 test.txt
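The chmod caveat in [7] comes down to the mask entry: named users, the owning group and named groups are all capped by "mask::", and chmod rewrites that mask from the group bits. The following script, an added example that is not part of the original tutorial, reads getfacl output and shows the effective rights of every mask-limited entry; SAMPLE_GETFACL is constructed for the tutorial's /home/test.txt after a later "chmod 640", and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: list the *effective*
# rights of each mask-limited ACL entry from "getfacl" output.
# Named users, the owning group and named groups are all capped by the
# "mask::" entry, and chmod rewrites that mask from the group bits, so an
# entry such as "group:security:rw-" can silently become read-only.
# Usage: getfacl [-R] PATH | acl_effective      (exit 1 if any entry is capped)

acl_effective() {
    awk '
    # effective = entry permission AND mask, compared character by character
    function eff(p, m,   i, c, out) {
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1)
            out = out ((c != "-" && substr(m, i, 1) != "-") ? c : "-")
        }
        return out
    }
    # print the buffered entries of one file block, then reset for the next
    function flush(   i, e, note) {
        for (i = 1; i <= n; i++) {
            e = eff(perm[i], mask)
            note = ""
            if (e != perm[i]) { capped++; note = " (restricted by mask)" }
            printf "%s\t%s\t%s%s\n", file, ent[i], e, note
        }
        n = 0; mask = "rwx"        # no mask entry at all means nothing is capped
    }
    BEGIN { n = 0; mask = "rwx"; capped = 0 }
    /^# file: / { flush(); file = substr($0, 9); next }
    /^#/ || /^$/ { next }          # owner/group header lines and block separators
    {
        sub(/[ \t]*#.*$/, "")      # drop the "#effective:" hint getfacl may print
        split($0, f, ":")          # f[1]=tag  f[2]=qualifier  f[3]=permissions
        if (f[1] == "mask") { mask = f[3]; next }
        if ((f[1] == "user" && f[2] != "") || f[1] == "group") {
            n++; ent[n] = $0; perm[n] = f[3]
        }
    }
    END { flush(); if (capped > 0) exit 1 }
    '
}

# Constructed getfacl output for the tutorial's /home/test.txt after a later
# "chmod 640": the group bits (r--) became the mask, capping the security group.
SAMPLE_GETFACL='# file: home/test.txt
# owner: root
# group: root
user::rw-
user:cent:r--
group::---
group:security:rw-      #effective:r--
mask::r--
other::---'

demo_acl() { printf '%s\n' "$SAMPLE_GETFACL" | acl_effective; }

demo_acl || echo "some ACL entries are restricted by the mask"
```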

Rsync : Sync Files/Directories


2015/01/12
 
Copy files or directories from one host to another with rsync.
Basic usage of rsync is here.
To run rsync automatically from cron or similar, configure it as follows, because without this setup authentication is required. For example, copy the files and directories under [/root/work] on dlp.srv.world to [/home/backup] on www.srv.world.
+----------------------+          |          +----------------------+
|     dlp.srv.world    |10.0.0.30 | 10.0.0.31|     www.srv.world    |
|                      +----------+----------+                      |
|     /root/work/*     |   ------------->    |     /home/backup/*   |
+----------------------+        copy         +----------------------+

[1]Configure on source host.
[root@dlp ~]# 
yum -y install rsync
[root@dlp ~]# 
vi /etc/rsync_exclude.lst
# list files or directories to exclude from the copy

test
test.txt
[2]Configure on destination host.
[root@www ~]# 
yum -y install rsync
[root@www ~]# 
vi /etc/rsyncd.conf
# any name you like

[backup]
# destination directory for copy

path = /home/backup
# hosts you allow to access

hosts allow = 10.0.0.30
hosts deny = *
list = true
uid = root
gid = root
read only = false
[root@www ~]# 
mkdir /home/backup 

[root@www ~]# 
systemctl start rsyncd 

[root@www ~]# 
systemctl enable rsyncd 
[3]That completes the setup. Run rsync on the source host as follows.
[root@dlp ~]# 
rsync -avz --delete --exclude-from=/etc/rsync_exclude.lst /root/work/ www.srv.world::backup
# add it to cron to run regularly

[root@dlp ~]# 
crontab -e
# for example, run every day at 2:00 AM

00 02 * * * rsync -avz --delete --exclude-from=/etc/rsync_exclude.lst /root/work/ www.srv.world::backup

Lsync + Rsync : Sync Files timely


2015/01/12
 
Install Lsyncd, a flexible cross-platform synchronization tool.
[1]Configure rsync on the source and destination hosts as in the Rsync section above.
[2]In addition to the settings of [1], install and configure Lsyncd to sync files or directories as they change.
# install from EPEL

[root@dlp ~]# 
yum --enablerepo=epel -y install lsyncd
[root@dlp ~]# 
vi /etc/lsyncd.conf
# line 8: comment out

-- sync{default.rsyncssh, source="/var/www/html", host="localhost", targetdir="/tmp/htmlcopy/"}
# add follows to the end

settings{
    statusFile = "/tmp/lsyncd.stat",
    statusInterval = 1,
}
sync{
    default.rsync,
    
# source directory

    source="/root/work/",
    
# destination Hostname or IP address:(the name set in rsyncd.conf)

    target="10.0.0.31::backup",
    
# excluding list

    excludeFrom="/etc/rsync_exclude.lst",
}
[root@dlp ~]# 
systemctl start lsyncd 

[root@dlp ~]# 
systemctl enable lsyncd 
[3]
Make sure files and directories are copied to the destination host as they change.

RKHunter : Detect Rootkit


2015/07/08
 
Install RKHunter, a rootkit detection tool.
[1]Install RKHunter.
# install from EPEL

[root@dlp ~]# 
yum --enablerepo=epel -y install rkhunter
[2]Configure and use RKHunter.
For regular checking, a check script is installed under the cron.daily directory and is executed every day by Cron.
[root@dlp ~]# 
vi /etc/sysconfig/rkhunter
# recipient address for report

MAILTO=root@localhost
# if set to "yes", scan in more detail

DIAG_SCAN=no
# update database

[root@dlp ~]# 
rkhunter --update
# update system file properties

[root@dlp ~]# 
rkhunter --propupd
# run the check

# --sk skips the "press Enter" prompts between check groups

# --rwo displays only warnings

[root@dlp ~]# 
rkhunter --check --sk
[ Rootkit Hunter version 1.4.2 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks
    Checking for prerequisites                               [ OK ]
    /usr/sbin/adduser                                        [ OK ]
    /usr/sbin/chkconfig                                      [ OK ]
    /usr/sbin/chroot                                         [ OK ]
    /usr/sbin/depmod                                         [ OK ]
    /usr/sbin/fsck                                           [ OK ]

.....
.....

System checks summary
=====================

File properties checks...
    Files checked: 121
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 365
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 1 minute and 35 seconds

All results have been written to the log file: /var/log/rkhunter/rkhunter.log

No warnings were found while checking the system.

AIDE : Install


2015/06/21
 
Install and configure Host Based IDS (Intrusion Detection System) "AIDE" (Advanced Intrusion Detection Environment).
[1]Install AIDE.
[root@dlp ~]# 
yum -y install aide
[2]Configure AIDE and initialize the database. AIDE can be used with the default config, but if you'd like to customize it, edit the configuration file as follows. The rules are defined around lines 26-84; refer to them.
[root@dlp ~]# 
vi /etc/aide.conf
# for example, change setting of monitoring /var/log

/var/log   p+u+g+i+n+acl+selinux+xattrs
# initialize database

[root@dlp ~]# 
aide --init 

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

# copy generated DB to master DB

[root@dlp ~]# 
cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[3]Execute checking.
[root@dlp ~]# 
aide --check
# if nothing differs, it displays "Looks okay!"

AIDE, version 0.15.1

### All files match AIDE database. Looks okay!

# try to change a file and check again

[root@dlp ~]# 
chmod 640 /root/anaconda-ks.cfg 

[root@dlp ~]# 
aide --check
# detected differences like follows

AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2015-06-17 19:55:20

Summary:
  Total number of files:        39039
  Added files:                  0
  Removed files:                0
  Changed files:                1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root/anaconda-ks.cfg

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /root/anaconda-ks.cfg
 Perm     : -rw-------                       , -rw-r-----
 Ctime    : 2015-05-24 02:22:04              , 2015-06-19 11:55:15
 ACL      : old = A:
----
user::rw-
group::---
other::---
----
                  D: <NONE>
            new = A:
----
user::rw-
group::r--
other::---
----
                  D: <NONE>
[4]If the detected differences are expected and not a problem, update the database as follows.
[root@dlp ~]# 
aide --update
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2015-06-17 19:56:31

Summary:
  Total number of files:        39039
  Added files:                  0
  Removed files:                0
  Changed files:                1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root/anaconda-ks.cfg
.....
.....

# update database

[root@dlp ~]# 
cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
[5]Add a Cron job to check regularly. The log file [/var/log/aide/aide.log] is overwritten on every run, and when there is no difference it is written as a zero-byte file, so if you'd like to keep the results you need to create a shell script or send them by email.
# for example, add a daily check in Crontab and send the results by email

[root@dlp ~]# 
vi /etc/cron.d/aide
00 01 * * * /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root
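The shell script that [5] calls for, as an added example that is not part of the original tutorial: it parses the output of "aide --check", archives a dated copy only when the check found changes or could not run, and returns non-zero so cron or the mail step fires only on findings. The directory name AIDE_LOGDIR, the function names and SAMPLE_REPORT (shortened from the tutorial's own check output) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a cron wrapper for AIDE that
# archives a dated copy of the report and mails root only when the check found
# changes or could not run, so clean runs leave no empty log files behind.
# AIDE_LOGDIR is a name chosen for this example, not a setting from the page.

LOGDIR="${AIDE_LOGDIR:-/var/log/aide/archive}"

# Read an AIDE report on stdin and print "added=A removed=R changed=C".
# Exit 0 when the database matched, 1 when any count is non-zero, and 2 when
# the text has neither a Summary nor the "Looks okay" line, because a missing
# database or a failed run must never be mistaken for a clean result.
aide_summary() {
    awk '
    /^### All files match AIDE database/ { seen = 1 }
    # Summary lines end in a number; the later section header
    # "Changed files:" does not, so the digits are required here
    /^ *Added files: *[0-9]+ *$/   { a = $NF; seen = 1 }
    /^ *Removed files: *[0-9]+ *$/ { r = $NF; seen = 1 }
    /^ *Changed files: *[0-9]+ *$/ { c = $NF; seen = 1 }
    END {
        if (!seen) { print "error: no AIDE summary in report"; exit 2 }
        printf "added=%d removed=%d changed=%d\n", a, r, c
        if (a + r + c > 0) exit 1
    }'
}

# Run the check (as root), keep the report only when it is not clean, mail it.
aide_daily() {
    report=$(mktemp) || return 2
    /usr/sbin/aide --check > "$report" 2>&1
    if summary=$(aide_summary < "$report"); then
        rm -f "$report"                 # clean run: nothing worth keeping
        return 0
    fi
    mkdir -p "$LOGDIR"
    dest="$LOGDIR/aide-$(date +%Y%m%d-%H%M%S).log"
    mv "$report" "$dest"
    { echo "$summary"; echo; cat "$dest"; } |
        mail -s "AIDE on $(hostname): $summary" root
    return 1
}

# Constructed sample, shortened from the "aide --check" output in the tutorial.
SAMPLE_REPORT='AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2015-06-17 19:55:20

Summary:
  Total number of files:        39039
  Added files:                  0
  Removed files:                0
  Changed files:                1

Changed files:
---------------------------------------------------
changed: /root/anaconda-ks.cfg'

# "sh aide-daily.sh run" does the real check; with no argument the sample
# report is parsed instead so the script can be tried without AIDE installed.
case "${1:-demo}" in
    run)  aide_daily ;;
    demo) printf '%s\n' "$SAMPLE_REPORT" | aide_summary || echo "exit status $?" ;;
esac
```

In /etc/cron.d the job would then call the script with "run" in place of the bare aide command above; the report itself is only written to the archive directory when there is something to report.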