Tripwire : Install

Tripwire : Install 2015/06/21

	Install and configure Host Based IDS (Intrusion Detection System) "Tripwire".
[1]	Install Tripwire.

# install from EPEL [root@dlp ~]#  yum --enablerepo=epel -y install tripwire

[2]	Create keys and database.

# generate keys [root@dlp ~]#  tripwire-setup-keyfiles ..... ..... Enter the site keyfile passphrase: # set site keyfile passphrase Verify the site keyfile passphrase: # confirm ..... ..... Enter the local keyfile passphrase: # set local keyfile passphrase Verify the local keyfile passphrase: # confirm ..... ..... Please enter your site passphrase:  # answer with site keyfile passphrase ..... ..... Please enter your site passphrase:  # answer with site keyfile passphrase ..... ..... [root@dlp ~]#  cd /etc/tripwire  [root@dlp tripwire]#  vi twcfg.txt # line 12: report level (4 is max) REPORTLEVEL = 4 # generate config [root@dlp tripwire]#  twadmin -m F -c tw.cfg -S site.key twcfg.txt  Please enter your site passphrase: # answer with site keyfile passphrase Wrote configuration file: /etc/tripwire/tw.cfg # optimize policy file with the script below [root@dlp tripwire]#  vi twpolmake.pl #!/usr/bin/perl # Tripwire Policy File customize tool # ---------------------------------------------------------------- # Copyright (C) 2003 Hiroaki Izumi # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # ---------------------------------------------------------------- # Usage: # perl twpolmake.pl {Pol file} # ---------------------------------------------------------------- # $POLFILE=$ARGV[0]; open(POL,"$POLFILE") or die "open error: $POLFILE" ; my($myhost,$thost) ; my($sharp,$tpath,$cond) ; my($INRULE) = 0 ; while (<POL>) { chomp; if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) { $myhost = `hostname` ; chomp($myhost) ; if ($thost ne $myhost) { $_="HOSTNAME=\"$myhost\";" ; } } elsif ( /^{/ ) { $INRULE=1 ; } elsif ( /^}/ ) { $INRULE=0 ; } elsif ($INRULE == 1 and ($sharp,$tpath,$cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) { $ret = ($sharp =~ s/\#//g) ; if ($tpath eq '/sbin/e2fsadm' ) { $cond =~ s/;\s+(tune2fs.*)$/; \#$1/ ; } if (! -s $tpath) { $_ = "$sharp#$tpath$cond" if ($ret == 0) ; } else { $_ = "$sharp$tpath$cond" ; } } print "$_\n" ; } close(POL) ; [root@dlp tripwire]#  perl twpolmake.pl twpol.txt > twpol.txt.new  [root@dlp tripwire]#  twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new  Please enter your site passphrase: Wrote policy file: /etc/tripwire/tw.pol # create database [root@dlp tripwire]#  tripwire -m i -s -c tw.cfg Please enter your local passphrase:

[3]	Execute checking manually. ( Daily check script for Cron is included in package )

[root@dlp ~]#  tripwire -m c -s -c /etc/tripwire/tw.cfg  Open Source Tripwire(R) 2.4.2.2 Integrity Check Report Report generated by: root Report created on: Fri 18 Jun 2015 19:53:39 PM JST Database last updated on: Never =============================================================================== Report Summary: =============================================================================== Host name: dlp.srv.world Host IP address: 10.0.0.30 Host ID: None Policy file used: /etc/tripwire/tw.pol Configuration file used: /etc/tripwire/tw.cfg Database file used: /var/lib/tripwire/dlp.srv.world.twd Command line used: tripwire -m c -s -c /etc/tripwire/tw.cfg =============================================================================== Rule Summary: =============================================================================== ------------------------------------------------------------------------------- Section: Unix File System ------------------------------------------------------------------------------- Rule Name Severity Level Added Removed Modified --------- -------------- ----- ------- -------- User binaries 66 0 0 0 Tripwire Binaries 100 0 0 0 Libraries 66 0 0 0 File System and Disk Administraton Programs 100 0 0 0 Kernel Administration Programs 100 0 0 0 Networking Programs 100 0 0 0 System Administration Programs 100 0 0 0 Hardware and Device Control Programs 100 0 0 0 System Information Programs 100 0 0 0 Application Information Programs 100 0 0 0 (/sbin/rtmon) Operating System Utilities 100 0 0 0 Critical Utility Sym-Links 100 0 0 0 Shell Binaries 100 0 0 0 Critical system boot files 100 0 0 0 * Tripwire Data Files 100 1 0 0 System boot changes 100 0 0 0 OS executables and libraries 100 0 0 0 Critical configuration files 100 0 0 0 Security Control 100 0 0 0 Login Scripts 100 0 0 0 Root config files 100 0 0 0 Invariant Directories 66 0 0 0 Temporary directories 33 0 0 0 Critical devices 100 0 0 0 (/proc/kcore) Total objects scanned: 21739 Total violations found: 1 =============================================================================== Object Summary: =============================================================================== ------------------------------------------------------------------------------- # Section: Unix File System ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Rule Name: Tripwire Data Files (/var/lib/tripwire) Severity Level: 100 ------------------------------------------------------------------------------- Added: "/var/lib/tripwire/dlp.srv.world.twd" =============================================================================== Error Report: =============================================================================== No Errors ------------------------------------------------------------------------------- *** End of report *** Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY; for details use --version. This is free software which may be redistributed or modified only under certain conditions; see COPYING for details. All rights reserved.

[4]	If there is no ploblem even if some differences are detected, then update database like follows.

# results are saved under the directory below [root@dlp ~]#  ll /var/lib/tripwire/report  total 8 -rw-r--r-- 1 root root 6814 Jun 17 19:53 dlp.srv.world-20150617-125339.twr # update database with a specific report [root@dlp ~]#  tripwire -m u -a -s -c /etc/tripwire/tw.cfg \ -r /var/lib/tripwire/report/dlp.srv.world-20150617-125339.twr  Please enter your local passphrase:

Install PHP 7.0

Install PHP 7.0 2016/03/10

	The version of PHP in CentOS 7 repository is 5.4 but Install 7.0 with RPM package if you need.
[1]	Install Remi repository which provides RPM packages.

[root@dlp ~]#  yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

[2]	Install PHP 7 from Remi repository.

[root@dlp ~]#  yum --enablerepo=remi -y install php70 # possible to access with "php70" [root@dlp ~]#  php70 -v  PHP 7.0.4 (cli) (built: Mar 2 2016 17:13:39) ( NTS ) Copyright (c) 1997-2016 The PHP Group Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies # php70 binary is under the /opt/remi/php70 [root@dlp ~]#  ll /bin/php70  lrwxrwxrwx 1 root root 32 Mar 11 11:48 /bin/php70 -> /opt/remi/php70/root/usr/bin/php # if using scl command, then possible to access with "php" [root@dlp ~]#  scl enable php70 bash  [root@dlp ~]#  php -v  PHP 7.0.4 (cli) (built: Mar 2 2016 17:13:39) ( NTS ) Copyright (c) 1997-2016 The PHP Group Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies

Clam AntiVirus

Clam AntiVirus 2014/09/25

	Install Clam AntiVirus to protect servers from virus.
[1]	Install Clamav.

# install from EPEL [root@dlp ~]#  yum --enablerepo=epel -y install clamav clamav-update [root@dlp ~]#  sed -i -e "s/^Example/#Example/" /etc/freshclam.conf # update pattern files [root@dlp ~]#  freshclam ClamAV update process started at Fri Aug 29 22:03:30 2014 main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo) daily.cvd is up to date (version: 19314, sigs: 1094505, f-level: 63, builder: neo) bytecode.cvd is up to date (version: 242, sigs: 46, f-level: 63, builder: dgoddard)

[2]	Try to scan.

[root@dlp ~]#  clamscan --infected --remove --recursive /home ----------- SCAN SUMMARY ----------- Known viruses: 3575245 Engine version: 0.98.4 Scanned directories: 2 Scanned files: 3 Infected files: 0 Data scanned: 0.00 MB Data read: 0.00 MB (ratio 0.00:1) Time: 10.369 sec (0 m 10 s) # download trial virus [root@dlp ~]#  curl -O http://www.eicar.org/download/eicar.com [root@dlp ~]#  clamscan --infected --remove --recursive . ./eicar.com: Eicar-Test-Signature FOUND ./eicar.com: Removed.  # just detected ----------- SCAN SUMMARY ----------- Known viruses: 3575245 Engine version: 0.98.4 Scanned directories: 3 Scanned files: 10 Infected files: 1 Data scanned: 0.00 MB Data read: 256.57 MB (ratio 0.00:1) Time: 10.307 sec (0 m 10 s)

Access Control by ACL

Access Control by ACL 2015/07/02

	This is the example to configure ACL (Access Control Lists).
[1]	ACL package is included in minimum OS installation, however, if not in your system, install like follows.

[root@dlp ~]#  yum -y install acl

[2]	It's not necessary to set pre-settings to use ACL function if you are using xfs which is the default filesystem on CentOS 7. But if you are using ext4 which is the default filesystem on CentOS 6, it's necessary to set pre-settings to use ACL function, refer to the section [2], [3] on here.
[3]	For how to set ACL, for example, set ACL to the file "/home/test.txt".

[root@dlp ~]#  ll /home/test.txt  -rwx------ 1 root root 10 Jul 3 16:17 /home/test.txt # set r(read) for "cent" user to /home/test.txt [root@dlp ~]#  setfacl -m u:cent:r /home/test.txt # after setting ACL, "+" is added on attribute [root@dlp ~]#  ll /home/test.txt  -rwxr-----+ 1 root root 10 Jul 3 16:17 /home/test.txt # confirm settings [root@dlp ~]#  getfacl /home/test.txt  getfacl: Removing leading '/' from absolute path names # file: home/test.txt # owner: root # group: root user::rwx user:cent:r-- group::--- mask::r-- other::--- # try to access with "cent" [cent@dlp ~]$  cat /home/test.txt  ACL test file # read normally # try to access with another user [fedora@dlp ~]$  cat /home/test.txt  cat: /home/test.txt: Permission denied # cannot read normally

[4]	Set ACL to a directory recursively.

# set r(read) for "cent" to "/home/testdir" recursively [root@dlp ~]#  setfacl -R -m u:cent:r /home/testdir [root@dlp ~]#  ll /home/testdir  total 4 -rwxr-----+ 1 root root 5 Jul 3 16:23 testfile [root@dlp ~]#  getfacl -R /home/testdir  getfacl: Removing leading '/' from absolute path names # file: home/testdir # owner: root # group: root user::rwx user:cent:r-- group::--- mask::r-- other::--- # file: home/testdir/testfile # owner: root # group: root user::rwx user:cent:r-- group::--- mask::r-- other::---

[5]	Set ACL by group.

# set rw(read/write) for "security" group to "/home/test.txt" [root@dlp ~]#  setfacl -m g:security:rw /home/test.txt  [root@dlp ~]#  getfacl /home/test.txt  getfacl: Removing leading '/' from absolute path names # file: home/test.txt # owner: root # group: root user::rwx user:cent:r-- group::--- group:security:rw- mask::rw- other::--- # try to access with "cent" user who in "security" group [cent@dlp ~]$  echo "test write" >> /home/test.txt  [cent@dlp ~]$  cat /home/test.txt  ACL test file test write # write normally # try to access with a user who in not in "security" group [fedora@dlp ~]$  echo "test write" >> /home/test.txt  -bash: /home/test.txt: Permission denied # cannot write normally

[6]	Remove ACL.

# remove ACL from "/home/test.txt" [root@dlp ~]#  setfacl -b /home/test.txt # remove ACL only for "fedora" user on "/home/test.txt" [root@dlp ~]#  setfacl -x u:fedora /home/test.txt

[7]	Set default ACL to a directory. If files/directories are created under the directory with setting default ACL, default access attribute is inherited. But be careful, if you change attribute with "chmod", then ACL would be invalid.

[root@dlp ~]#  setfacl -m u:cent:r-x /home/testdir  # set default ACL "r-x(read/execute)" for "cent" to "/home/testdir" directory [root@dlp ~]#  setfacl -d -m u:cent:r-x /home/testdir  [root@dlp ~]#  getfacl /home/testdir  getfacl: Removing leading '/' from absolute path names # file: home/testdir # owner: root # group: root user::rwx user:cent:r-x group::--- mask::r-x other::--- default:user::rwx default:user:cent:r-x default:group::--- default:mask::r-x default:other::--- [root@dlp ~]#  echo "ACL default setting" > /home/testdir/test.txt  [root@dlp ~]#  ll /home/testdir/test.txt  -rw-r-----+ 1 root root 20 Jan 31 22:32 /home/testdir/test.txt # try to access with "cent" [cent@dlp ~]$  cat /home/testdir/test.txt  ACL default setting # it can read normally

[8]	Remove default ACL.

[root@dlp ~]#  setfacl -k /home/testdir  [root@dlp ~]#  getfacl /home/testdir  getfacl: Removing leading '/' from absolute path names # file: home/testdir # owner: root # group: root user::rwx user:cent:r-x group::--- mask::r-x other::---

[9]	Set ACL from a configration file.

# create a configuration file for ACL # if there are ACLs you'd like to set on other system, there is a way to export with "getfacl" command [root@dlp ~]#  vi acl.txt # file: /home/testdir # owner: root # group: root user::rwx user:cent:r-x group::--- mask::r-x other::--- # file: /home/test.txt # owner: root # group: root user::rwx user:cent:r-- group::--- mask::r-- other::--- [root@dlp ~]#  setfacl --restore=acl.txt  [root@dlp ~]#  ll /home  total 16 drwx------. 2 cent cent 4096 Jan 31 12:14 cent drwx------ 2 fedora fedora 4096 Jan 31 12:14 fedora drwxr-x---+ 2 root root 4096 Jan 31 22:32 testdir -rwxr-----+ 1 root root 25 Jan 31 21:56 test.txt

Rsync : Sync Files/Directories

Rsync : Sync Files/Directories 2015/01/12

Copy files or directories from one location to an another host by rsync.  Basic usage of rsync is here. If you'd like to set rsync automatically by cron or others, it need to configure like follows because authentication is required without settings. For example, Copy files or directories under the [/root/work] on dlp.srv.world to [/home/backup] on www.srv.world. +----------------------+ | +----------------------+ | dlp.srv.world |10.0.0.30 | 10.0.0.31| www.srv.world | | +----------+----------+ | | /root/work/* | -------------> | /home/backup/* | +----------------------+ copy +----------------------+

[1]	Configure on source host.

[root@dlp ~]#  yum -y install rsync [root@dlp ~]#  vi /etc/rsync_exclude.lst # specify files or directories you'd like to exclude to copy test test.txt

[2]	Configure on destination host.

[root@www ~]#  yum -y install rsync [root@www ~]#  vi /etc/rsyncd.conf # any name you like [backup] # destination directory for copy path = /home/backup # hosts you allow to access hosts allow = 10.0.0.30 hosts deny = * list = true uid = root gid = root read only = false [root@www ~]#  mkdir /home/backup  [root@www ~]#  systemctl start rsyncd  [root@www ~]#  systemctl enable rsyncd

[3]	It's OK. Execute rsync on Source Host like follows.

[root@dlp ~]#  rsync -avz --delete --exclude-from=/etc/rsync_exclude.lst /root/work/ www.srv.world::backup # Add in cron if you'd like to run reguraly [root@dlp ~]#  crontab -e # for example, run at 2:00 AM in a day 00 02 * * * rsync -avz --delete --exclude-from=/etc/rsync_exclude.lst /root/work/ www.srv.world::backup

Lsync + Rsync : Sync Files timely

Lsync + Rsync : Sync Files timely 2015/01/12

	Install Lsyncd that is a flexible cross-platform synchronization tool.
[1]	Configure Rsync first, refer to here.
[2]	In addition to settings of [1], Install and configure Lsyncd to sync files or directories timely.

# install from EPEL [root@dlp ~]#  yum --enablerepo=epel -y install lsyncd [root@dlp ~]#  vi /etc/lsyncd.conf # line 8: comment out --  sync{default.rsyncssh, source="/var/www/html", host="localhost", targetdir="// tmp/htmlcopy/"} # add follows to the end settings{     statusFile = "/tmp/lsyncd.stat",     statusInterval = 1, } sync{     default.rsync,      # source directory     source="/root/work/",      # destination Hostname or IP address:(the name set in rsyncd.conf)     target="10.0.0.31::backup",      # excluding list     excludeFrom="/etc/rsync_exclude.lst", } [root@dlp ~]#  systemctl start lsyncd  [root@dlp ~]#  systemctl enable lsyncd

[3]	Make sure files and directories are copied timely on destination Host.

RKHunter : Detect Rootkit

RKHunter : Detect Rootkit 2015/07/08

	Install RKHunter which is the Rootkit Detection tool.
[1]	Install RKHunter.

# install from EPEL [root@dlp ~]#  yum --enablerepo=epel -y install rkhunter

[2]	Configure and Use RKHunter. For regular checking, checking script is installed under cron.daily directory and it is executed everyday by Cron.

[root@dlp ~]#  vi /etc/sysconfig/rkhunter # recipient address for report MAILTO=root@localhost # if specified "yes", scan more detaily DIAG_SCAN=no # update database [root@dlp ~]#  rkhunter --update # update system file properties [root@dlp ~]#  rkhunter --propupd # execute checking # --sk means sikpping to push Enter key # if specified --rwo , display only warnings [root@dlp ~]#  rkhunter --check --sk [ Rootkit Hunter version 1.4.2 ] Checking system commands... Performing 'strings' command checks Checking 'strings' command [ OK ] Performing 'shared libraries' checks Checking for preloading variables [ None found ] Checking for preloaded libraries [ None found ] Checking LD_LIBRARY_PATH variable [ Not found ] Performing file properties checks Checking for prerequisites [ OK ] /usr/sbin/adduser [ OK ] /usr/sbin/chkconfig [ OK ] /usr/sbin/chroot [ OK ] /usr/sbin/depmod [ OK ] /usr/sbin/fsck [ OK ] ..... ..... System checks summary ===================== File properties checks... Files checked: 121 Suspect files: 0 Rootkit checks... Rootkits checked : 365 Possible rootkits: 0 Applications checks... All checks skipped The system checks took: 1 minute and 35 seconds All results have been written to the log file: /var/log/rkhunter/rkhunter.log No warnings were found while checking the system.

AIDE : Install

AIDE : Install 2015/06/21

	Install and configure Host Based IDS (Intrusion Detection System) "AIDE" (Advanced Intrusion Detection Environment).
[1]	Install AIDE.

[root@dlp ~]#  yum -y install aide

[2]	Configure AIDE and initialize database. It's possible to use AIDE with default config but if you'd like to customize settings, change configuration file like follows. Setting rules are writen near 26-84 lines, refer to them.

[root@dlp ~]#  vi /etc/aide.conf # for example, change setting of monitoring /var/log /var/log    p+u+g+i+n+acl+selinux+xattrs # initialize database [root@dlp ~]#  aide --init  AIDE, version 0.15.1 ### AIDE database at /var/lib/aide/aide.db.new.gz initialized. # copy generated DB to master DB [root@dlp ~]#  cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

[3]	Execute checking.

[root@dlp ~]#  aide --check # if thete is no unmatch, it displayed "Okay" AIDE, version 0.15.1 ### All files match AIDE database. Looks okay! # try to change a file and check again [root@dlp ~]#  chmod 640 /root/anaconda-ks.cfg  [root@dlp ~]#  aide --check # detected differences like follows AIDE 0.15.1 found differences between database and filesystem!! Start timestamp: 2015-06-17 19:55:20 Summary: Total number of files: 39039 Added files: 0 Removed files: 0 Changed files: 1 --------------------------------------------------- Changed files: --------------------------------------------------- changed: /root/anaconda-ks.cfg --------------------------------------------------- Detailed information about changes: --------------------------------------------------- File: /root/anaconda-ks.cfg Perm : -rw------- , -rw-r----- Ctime : 2015-05-24 02:22:04 , 2015-06-19 11:55:15 ACL : old = A: ---- user::rw- group::--- other::--- ---- D: <NONE> new = A: ---- user::rw- group::r-- other::--- ---- D: <NONE>

[4]	If there is no ploblem even if some differences are detected, then update database like follows.

[root@dlp ~]#  aide --update AIDE 0.15.1 found differences between database and filesystem!! Start timestamp: 2015-06-17 19:56:31 Summary: Total number of files: 39039 Added files: 0 Removed files: 0 Changed files: 1 --------------------------------------------------- Changed files: --------------------------------------------------- changed: /root/anaconda-ks.cfg ..... ..... # update database [root@dlp ~]#  cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

[5]	Add in Cron if check regulary. Log file [/var/log/aide/aide.log] is updated every time and if there is no difference, it is updated with zero byte, so if you's like to save log files, it needs to create a shell script or send results via email or others.

# for example, add daily check in Crontab and send results via email [root@dlp ~]#  vi /etc/cron.d/aide 00 01 * * * /usr/sbin/aide --update | mail -s 'Daily Check by AIDE' root