From e0d597fbc620941441ec869a2d381510c8904510 Mon Sep 17 00:00:00 2001 From: sspencerwire Date: Tue, 20 Feb 2024 09:42:16 -0600 Subject: [PATCH] Anna edits for `lab3-auditing_the_system.md` * sentence restructuring * other minor changes --- .../labs/security/lab3-auditing_the_system.md | 128 +++++++++--------- 1 file changed, 64 insertions(+), 64 deletions(-) diff --git a/docs/labs/security/lab3-auditing_the_system.md b/docs/labs/security/lab3-auditing_the_system.md index 1c27420731..a74ead9d4c 100644 --- a/docs/labs/security/lab3-auditing_the_system.md +++ b/docs/labs/security/lab3-auditing_the_system.md @@ -4,20 +4,20 @@ author: Wale Soyinka contributors: Steven Spencer, Ganna Zhyrnova --- -# Lab 3: Auditing the System +# Lab 3 - Auditing the System ## Objectives After completing this lab, you will be able to: - create a simple and custom auditing tool from scratch -- use and understand security auditing tools like tripwire +- use and understand security auditing tools like Tripwire Estimated time to complete this lab: 90 minutes ## A simple home grown integrity checker -Before we begin to install and configure tripwire, we create a sample script that performs a similar function. This script will help in gaining a better understanding of how Tripwire and similar tools function. +Before we begin to install and configure Tripwire, we create a sample script that performs a similar function. This script will help in gaining a better understanding of how Tripwire and similar tools function. The script relies heavily on the md5sum program. The md5sum program is used to compute a 128-bit checksum (or "fingerprint") for a specified FILE. 
@@ -29,7 +29,7 @@ The script functions’ as summarized below: It does this when run with the initialization option ( -- initialization| -i) -2. The script will then be used to obtain the md5 checksums of the known good files (untainted files). +2. The script will then obtain the md5 checksums of the known suitable files (untainted files). 3. The list of MD5 sums will be stored in a file called “md5_good”. @@ -43,7 +43,7 @@ The script functions’ as summarized below: The script below can be fine-tuned and scaled to do much more than it does. It is left to you and your imagination to make it do whatever you want. -If you just want a quick and dirty way to get the job done the script will suffice but for everything else there is MasterCard – excuse me, I meant, for everything else there is Tripwire. +If you just want a quick and dirty way to get the job done the script will suffice but for everything else there is Tripwire. ## Exercise 1 @@ -142,8 +142,8 @@ Save the text above in a text file and name the file “check.sh” Untainted baseline file (~/etc.bak/md5_good) has been created !! ``` -5. Use the ls command to view contents root’s home directory. You should have a new directory named `etc.bak` therein. - Use the cat command to view the `/root/etc.bak/md5_good` file – just for fun. +5. Use the `ls` command to view contents of root’s home directory. You should have a new directory named `etc.bak` therein. + Use the `cat` command to view the `/root/etc.bak/md5_good` file. 6. Run the script using the verify option. Type: 
@@ -174,7 +174,7 @@ Save the text above in a text file and name the file “check.sh” Re-run the script with the re-build option (e.g. ./check.sh --rebuild) to approve ``` -9. Per the warning above, you should go and investigate further to see if the altered file meets your approval. You may run the script with a `--rebuild` option if it does. +9. Per the warning above, you should investigate further to see if the altered file meets your approval. If it does, you may run the script with a `--rebuild` option. To view only the differences between the “tainted” file and the “untainted” file you could type: ```bash 
@@ -185,23 +185,23 @@ Save the text above in a text file and name the file “check.sh” One of the first things you should do after building any new system is to get a snapshot of a known good state of the system before the system is “contaminated” or before deploying the system into production. -Several tools exist for doing this. One such tool is tripwire. Tripwire is an advanced tool, so brace yourself for many options, syntax, quirks, and switches. +Several tools exist for doing this. One such tool is Tripwire. Tripwire is an advanced tool, so brace yourself for many options, syntax, quirks, and switches. -Tripwire can be regarded as a form of a host-based intrusion detection system (IDS). It performs intrusion detection functions by taking a snapshot of a "healthy system" and later on comparing this healthy state with any other suspect states. It provides a means of knowing/monitoring whether certain sensitive files have been altered illegally. The system administrator of course decides what files are to be monitored. +Tripwire can be regarded as a form of a host-based intrusion detection system (IDS). It performs intrusion detection functions by taking a snapshot of a "healthy system" and later comparing this healthy state with any other suspect states. It provides a means of knowing/monitoring whether certain sensitive files have been altered illegally. The system administrator of course decides what files are to be monitored. -The authors of tripwire describe it as an Open Source Security, Intrusion Detection, Damage Assessment and Recovery, Forensics software. +The authors of Tripwire describe it as an Open Source Security, Intrusion Detection, Damage Assessment and Recovery, and Forensics software. Tripwire compares a file’s new signature with the one taken when the database was created. -The steps involved in installing and configuring tripwire are as listed below: +The steps involved in installing and configuring Tripwire are as listed below: -1. 
Install the software from source or binary +1. Install the software from the source or binary 2. Run the configuration script: (twinstall.sh). This script is used to: -a) Create the site key and the local key and prompts for pass phrases for both -b) Sign the policy file and configuration file with the site key. +a) Create the site key, local key, and prompts for passphrases for both +b) Sign the policy file and configuration file with the site key -3. Initialize the tripwire database +3. Initialize the Tripwire database 4. Run the first integrity check. @@ -290,7 +290,7 @@ Tripwire accepts the following command line options: policyfile.txt ``` -**Summary Of Options for the tripwire command:** +**Summary Of Options for the `tripwire` command:** ```bash SYNOPSIS @@ -306,7 +306,7 @@ SYNOPSIS ### `twadmin` -The `twadmin` utility performs administrative functions related to tripwire files and configuration options. Specifically, `twadmin` allows encoding, decoding, signing, and verification of tripwire files, and provides a means to generate and change local and site keys. +The `twadmin` utility performs administrative functions related to Tripwire files and configuration options. Specifically, `twadmin` allows encoding, decoding, signing, and verification of Tripwire files, and provides a means to generate and change local and site keys. ```bash Create Configuration File: twadmin [-m F|--create-cfgfile][options] cfgfile.txt @@ -349,7 +349,7 @@ Prints Tripwire database and report files in plain text format. ### `siggen` -`siggen` is a signature gathering routine for Tripwire. It is a utility that displays the hash function values for the specified files. +`siggen` is a signature-gathering routine for Tripwire. It is a utility that displays the hash function values for the specified files. ```bash OPTIONS 
@@ -382,38 +382,38 @@ OPTIONS ### To install Tripwire -1. Check to see if you already have tripwire installed on your system. Type: +1. Check to see if you already have Tripwire installed on your system. Type: ```bash [root@localhost root]# rpm -q tripwire tripwire-* ``` - If you get an output similar to the one above then you already have it installed. Skip the next step. + If you get an output similar to the one above, you already have it installed. Skip the next step. -2. If you dont have it installed, obtain the tripwire binary and install it. Type: +2. If you do not have it installed, obtain the Tripwire binary and install it. Type: ```bash [root@localhost root]# dnf -y install tripwire ``` -### To Configure tripwire +### To configure Tripwire -Configuring tripwire involves customizing the tripwire configuration file if needed, then customizing the policy file if needed and then running the configuration script which will prompt you for a passphrase that will be used to sign/protect the configuration file, the policy file and the database file. +Configuring Tripwire involves (if needed) customizing the Tripwire configuration file, customizing the policy file, and then running the configuration script. The script will prompt you for a passphrase that will be used to sign/protect the configuration file, the policy file and the database file. -1. Change your pwd to the tripwire’s working directory: Type: +1. Change your pwd to Tripwire’s working directory: Type: ```bash [root@localhost root]# cd /etc/tripwire/ ``` -2. List the contents of the directory +2. List the contents of the directory. 3. Use any pager or text editor to view/study the files in the directory. -4. We will accept the settings that come with the default config. file (twcfg.txt) and the provided default policy file (twpol.txt) for now. +4. We will accept the settings that come with the default configuration. file (twcfg.txt) and the provided default policy file (twpol.txt) for now. -5. 
Execute the tripwire configuration utility as root. You will be prompted (twice) for site keyfile passphrase. Select any passphrase that you WILL NOT forget ( The site key is meant for the twcfg.txt file and the twpol.txt file) Type: +5. Execute the Tripwire configuration utility as root. You will be prompted (twice) for site keyfile passphrase. Select any passphrase that you WILL NOT forget ( The site key is meant for the twcfg.txt file and the twpol.txt file) Type: ```bash [root@localhost tripwire]# tripwire-setup-keyfiles @@ -424,7 +424,7 @@ Configuring tripwire involves customizing the tripwire configuration file if nee Generating key (this may take several minutes)...Key generation complete. ``` - Next you will be prompted for a local key. Again select another password YOU WILL not forget. ( The local key signs the tripwire database files and the reports files) + Next you will be prompted for a local key. Again select another password YOU WILL not forget. (The local key signs the Tripwire database files and the reports files) ```bash Enter the local keyfile passphrase: 
@@ -453,7 +453,7 @@ Configuring tripwire involves customizing the tripwire configuration file if nee List the new contents of the /etc/tripwire directory. -6. Per the warning you got while the tripwire-setup-keyfiles utility was running, you will now move the plain text versions of the configuration file and policy files away from the local system. You could store them on an external removal medium or encrypt them in place (using a tool like GPG for example) OR completely delete them if you are feeling particularly daring. Type: +6. Per the warning you got while the `tripwire-setup-keyfiles` utility was running, you will now move the plain text versions of the configuration file and policy files away from the local system. You could store them on an external removal medium or encrypt them in place (using a tool like GPG for example) OR completely delete them if you are feeling particularly daring. Type: ```bash [root@localhost tripwire]# mkdir /root/tripwire_stuff && mv twcfg.txt twpol.txt /root/tripwire_stuff 
@@ -461,11 +461,11 @@ Configuring tripwire involves customizing the tripwire configuration file if nee !!! note - It may be useful to keep the plain text versions in safe place incase you forget your passphrases. You can then always re-run the “tripwire-setup-keyfiles” based on the configurations and policies you have fine-tuned over time. + It may be useful to keep the plain text versions in safe place incase you forget your passphrases. You can then always re-run the `tripwire-setup-keyfiles` based on the configurations and policies you have fine-tuned over time. ### To initialize the database -Initializing the database is the tripwire terminology for, taking an initial “untainted” snapshot of the files you have decided to monitor (based on the policy file). This generates the database and also signs the database with the local key. The database serves as the baseline for all future integrity checks. +Initializing the database is the Tripwire terminology for, taking an initial “untainted” snapshot of the files you have decided to monitor (based on the policy file). This generates the database and also signs the database with the local key. The database serves as the baseline for all future integrity checks. 1. While still logged in as root type: 
@@ -494,11 +494,11 @@ Initializing the database is the tripwire terminology for, taking an initial “ **Integrity checking and viewing reports** -In this exercise you will learn how to run an integrity check of the system and view the reports that tripwire generates for you. +In this exercise you will learn how to run an integrity check of the system and view the reports that Tripwire generates for you. ### To run an integrity check -Running tripwire in this mode (integrity check mode) compares the current file system objects with their properties in the tripwire database. Discrepancies between the database and the current file system objects are printed to the standard output while tripwire runs in this mode. After the check is complete tripwire also generates a report file in the directory specified in the twcfg.txt file (/var/lib/tripwire/report/). +Running Tripwire in this mode (integrity check mode) compares the current file system objects with their properties in the Tripwire database. Discrepancies between the database and the current file system objects are printed to the standard output while Tripwire runs in this mode. After the check is complete Tripwire also generates a report file in the directory specified in the twcfg.txt file (/var/lib/tripwire/report/). 1. Run an integrity check. Type: 
@@ -532,11 +532,11 @@ Running tripwire in this mode (integrity check mode) compares the current file s Tripwire’s report files, are a collection of rule violations discovered during an integrity check. -There are several methods of viewing the tripwire report file. You could have been viewing it whilst the integrity check was running, you could view it in the form of an e-mail automatically sent to you or you could view it using the “twprint” command provided with the tripwire package. +There are several methods of viewing the Tripwire report file. You could have been viewing it whilst the integrity check was running, you could view it in the form of an e-mail automatically sent to you or you could view it using the “twprint” command provided with the Tripwire package. !!! note - You probably noticed from the earlier exercise that tripwire uses a combination of the systems FQDN name, the date, and the time to name the report files by default. + You probably noticed from the earlier exercise that Tripwire uses a combination of the systems FQDN name, the date, and the time to name the report files by default. 1. First change to the default report’s directory and view the default report created for you in step 1 above ( FILE_NAME). Type: @@ -562,7 +562,7 @@ There are several methods of viewing the tripwire report file. You could have be 3. Brace yourself and study the output of the report file carefully. -4. You should have noticed again that tripwire created binary/data forms of the report files. Create a text only version of the report file under roots home directory. Type: +4. You should have noticed again that Tripwire created binary/data forms of the report files. Create a text only version of the report file under roots home directory. Type: ```bash [root@localhost root]# twprint --print-report -r /root/tripwire_report.twr > tripwire_report.txt 
@@ -570,9 +570,9 @@ There are several methods of viewing the tripwire report file. You could have be ### To view the reports via e-mail -Here you will test the e-mail functionality of tripwire. Tripwire’s e-mail notification system uses the setting specified in the tripwire configuration file. (twcfg.txt). +Here you will test the e-mail functionality of Tripwire. Tripwire’s e-mail notification system uses the setting specified in the Tripwire configuration file. (twcfg.txt). -1. First view the configuration file and note the variable(s), that control tripwire’s e-mail notification system. To view the configuration file type: +1. First view the configuration file and note the variable(s), that control Tripwire’s e-mail notification system. To view the configuration file type: ```bash [root@localhost report]# twadmin -m f | less @@ -582,7 +582,7 @@ Here you will test the e-mail functionality of tripwire. Tripwire’s e-mail not Write down the relevant variable(s). -2. Next ensure that your local mail system is up and running by checking the status of say postfix. Type: +2. Next, ensure that your local mail system is up and running by checking the status of say postfix. Type: ```bash [root@localhost report]# systemctl -n 0 status postfix @@ -591,7 +591,7 @@ Here you will test the e-mail functionality of tripwire. Tripwire’s e-mail not ....... ``` - Your output should be similar to the above. If your mailing system is not running, trouble-shoot that first and get it up and running before continuing. + Your output should be similar to the above. If your mailing system is not running, troubleshoot that first and get it up and running before continuing. 3. Send a test message to root. Type: 
@@ -605,7 +605,7 @@ Here you will test the e-mail functionality of tripwire. Tripwire’s e-mail not [root@localhost report]# mail ``` - The superuser should have a message with the subject “"Test email message from Tripwire" + The superuser should have a message with the subject "Test email message from Tripwire" 5. After you have confirmed that the e-mail functionality works you could try manually sending a copy of one of the reports to yourself. 
@@ -613,23 +613,23 @@ Here you will test the e-mail functionality of tripwire. Tripwire’s e-mail not What was the command to do this? -### Fine-tuning tripwire +### Fine-tuning Tripwire -After installing tripwire, taking a snapshot of the system and then running the first integrity check you will more likely than not need to fine-tune tripwire to suit the needs of your particular environment. -This is mostly because the default configuration and policy file that comes bundled with tripwire may not exactly fit your needs or reflect the actual objects on your file system. +After installing Tripwire, taking a snapshot of the system and then running the first integrity check you will more likely than not need to fine-tune Tripwire to suit the needs of your particular environment. +This is mostly because the default configuration and policy file that comes bundled with Tripwire may not exactly fit your needs or reflect the actual objects on your file system. You need to ascertain if the file system violations reported in the report file during the integrity check are actual violations or legitimate/authorized changes to your file system objects. -Again tripwire offers several ways of doing this. +Again Tripwire offers several ways of doing this. ### Updating the policy file -Using this method you will change or fine-tune what tripwire considers violations to your file system objects by changing the rules in the policy file. The database can then be updated without a complete re-initialization. This saves time and preserves security by keeping the policy file synchronized with the database it uses. +Using this method you will change or fine-tune what Tripwire considers violations to your file system objects by changing the rules in the policy file. The database can then be updated without a complete re-initialization. This saves time and preserves security by keeping the policy file synchronized with the database it uses. 
-You will use the report file you created earlier ( /root/tripwire_report.txt ) to fine-tune your policy file by first preventing tripwire from reporting the absence of files that were never on the filesystem in the first place. +You will use the report file you created earlier ( /root/tripwire_report.txt ) to fine-tune your policy file by first preventing Tripwire from reporting the absence of files that were never on the filesystem in the first place. This will help to greatly reduce the length of the report file that you have to manage. -#### To fine-tune tripwire +#### To fine-tune Tripwire 1. Use the grep command to filter out all lines in the report file that refers to missing files (i.e. Lines containing the word “Filename”). Redirect the output to another file - tripwire_diffs.txt. Type: 
@@ -653,9 +653,9 @@ This will help to greatly reduce the length of the report file that you have to .................................. ``` -3. Now you need to edit the tripwire policy file and comment out or delete the entries in the file that should not be in there. As an example, files that are not on your system and files that probably never will be on your system. For example one of the files that the policy file is trying to monitor is the /proc/scsi file. If you do not have any SCSI device on your system then it makes absolutely NO SENSE to monitor this file. +3. Now you need to edit the Tripwire policy file and comment out or delete the entries in the file that should not be in there. For example, some files are not on your system, and some never will be. One of the files, for example, that the policy file is trying to monitor is the /proc/scsi file. If you do not have any SCSI devices on your system, then there is no sense in monitor this file. - Another debatable example of what to monitor or not to monitor are the various lock files under the `/var/lock/subsys/` directory. Choosing to monitor these files should be a personal call. + Another debatable example of what to monitor or not to monitor is the various lock files under the `/var/lock/subsys/` directory. Choosing to monitor these files should be a personal call. Re-create a text version of the policy file - just in case you removed it (as advised ) from the local system. Type: 
@@ -663,7 +663,7 @@ This will help to greatly reduce the length of the report file that you have to [root@localhost root]# twadmin --print-polfile > twpol.txt ``` -4. Edit the text file you created above using any text editor. Comment out references to the objects that you don’t want to monitor; you can use the tripwire_diffs.txt file you created earlier as a guideline. Type: +4. Edit the text file you created above using any text editor. Comment out references to objects that you do not want to monitor. You can use the tripwire_diffs.txt file you created earlier as a guideline. Type: ```bash [root@localhost root]# vi twpol.txt @@ -671,7 +671,7 @@ This will help to greatly reduce the length of the report file that you have to Save your changes to the file and close it. -5. Run tripwire in policy file update mode. Type: +5. Run `tripwire` in policy file update mode. Type: ```bash [root@localhost root]# tripwire --update-policy /root/twpol.txt 
@@ -699,13 +699,13 @@ This will help to greatly reduce the length of the report file that you have to ### Updating the database -Running tripwire in the database update mode after an integrity check provides a quick and dirty way to fine tune tripwire. This is because Database Update mode allows any differences between the database and the current system to be reconciled. This will prevent the violations from showing up in future reports. +Running `tripwire` in the database update mode after an integrity check provides a quick and dirty way to fine tune Tripwire. This is because Database Update mode allows any differences between the database and the current system to be reconciled. This will prevent the violations from showing up in future reports. This update process saves time by enabling you to update the database without having to re-initialize it. #### To update the database -1. Change your pwd to the location where tripwire stores the report files on your system. Type: +1. Change your pwd to the location where Tripwire stores the report files on your system. Type: ```bash [root@localhost root]# cd /var/lib/tripwire/report/ @@ -719,7 +719,7 @@ This update process saves time by enabling you to update the database without ha Replace with the report file name you noted earlier. - The above command will also launch your default text editor (e.g. `vi`) which will present you with so called “update ballot boxes”. You may need to scroll through the file. + The above command will also launch your default text editor (e.g. `vi`), which will present you with so-called “update ballot boxes”. You may need to scroll through the file. The entries marked with an “[x]” implies that the database should be updated with that particular object. 
@@ -735,7 +735,7 @@ This update process saves time by enabling you to update the database without ha ### Tripwire configuration file -You will begin these exercises by first fine-tuning your configuration file. In an earlier exercise you were advised to remove or delete all clear-text versions of tripwire’s file from your system. You will create a slightly more secure installation of tripwire by editing some of the variables in the tripwire configuration file. You will specify that tripwire should always look for the binaries versions of the policy and config file on a removable media such as a floppy disk or a cdrom. +You will begin these exercises by first fine-tuning your configuration file. In an earlier exercise you were advised to remove or delete all clear-text versions of Tripwire’s file from your system. You will create a slightly more secure Tripwire installation by editing some of the variables in the Tripwire configuration file. You will specify that Tripwire should always look for the binary versions of the policy and configuration files on removable media such as a floppy disk or CDROM. 1. Change your pwd to the /etc/tripwire directory. @@ -745,7 +745,7 @@ You will begin these exercises by first fine-tuning your configuration file. In [root@localhost tripwire]# twadmin --print-cfgfile > twcfg.txt ``` -3. Open up the config file you created above in your text editor. Type: +3. Open up the configuration file you created above in your text editor. Type: ```bash [root@localhost tripwire]# vi twcfg.txt 
@@ -811,7 +811,7 @@ You will begin these exercises by first fine-tuning your configuration file. In If you choose to store your files on a different location (e.g. a cdrom media) make the necessary adjustments to the commands. -5. Relocate the site key, local key, and binary files to the location you specified in the new configuration file. Type: +5. Relocate the site key, local key, and binary files to the location specified in the new configuration file. Type: ```bash [root@localhost tripwire]# mv site.key tw.pol localhost.localdomain-local.key /mnt/usbdrive @@ -827,7 +827,7 @@ You will begin these exercises by first fine-tuning your configuration file. In 7. Test your new set up. Un-mount the USB drive and eject it. -8. Try running one the tripwire commands that needs the files stored on the floppy drive. Type: +8. Try running one the `tripwire` commands that needs the files stored on the floppy drive. Type: ```bash [root@localhost tripwire]# twadmin --print-polfile 
@@ -847,19 +847,19 @@ You will begin these exercises by first fine-tuning your configuration file. In You should get an error similar to the one above. -9. Mount the media where your tripwire files are stored, and try the above command again. +9. Mount the media where your Tripwire files are stored, and try the above command again. !!! question Did the command run successfully this time? -10. Search for and delete all the plain text versions of tripwire’s config files you have created thus far from your system. +10. Search for and delete all the plain text versions of Tripwire’s configuration files you have created thus far from your system. -Having to mount and unmount a removable media each time you want to administer an aspect of tripwire may end up being such a drag, but the payoff may be in the extra security. You definitely want to consider storing a pristine version of tripwire’s database on a read-only media such as a DVD. +Having to mount and unmount a removable media each time you want to administer an aspect of Tripwire may end up being such a drag, but the payoff may be in the extra security. You definitely want to consider storing a pristine version of Tripwire’s database on a read-only media such as a DVD. ### ADDITIONAL EXERCISES -1. Configure your tripwire installation run an integrity check every day at 2 A.M and send out a report of the integrity check via e-mail to the super user on the system. +1. Configure your Tripwire installation run an integrity check every day at 2 A.M and send out a report of the integrity check via e-mail to the super user on the system. !!! hint
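Review bot: in the @@ -29,7 hunk, "known good files" should not become "known suitable files"; "known good" is the established term for an untainted baseline in integrity checking, and the parenthetical "(untainted files)" depends on it. Suggest keeping `2. The script will then obtain the md5 checksums of the known good files (untainted files).`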
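Review bot: in the @@ -185,23 hunk, "Install the software from the source or binary" reads worse than the original, since "from source" is the idiom; suggest `1. Install the software from source or binary`. Step a) in the same hunk still has the broken parallelism ("Create the site key, local key, and prompts for passphrases for both"); suggest `a) Create the site key and the local key, prompting for passphrases for both`.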
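Review bot: in the @@ -382,38 hunk, step 4 now reads "default configuration. file (twcfg.txt)"; expanding "config." to "configuration." left a stray full stop. Suggest `4. We will accept the settings that come with the default configuration file (twcfg.txt) and the provided default policy file (twpol.txt) for now.` Step 5 in the same hunk is edited but keeps the odd spacing in "( The site key" and runs "file) Type:" together without a sentence break.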
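Review bot: in the @@ -453,7 hunk, the edited line still says "external removal medium"; since the line is being touched anyway, change it to "external removable medium".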
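Review bot: in the @@ -461,11 hunk, the edited note line keeps "in safe place incase"; suggest "in a safe place in case". The database paragraph in the same hunk keeps the stray comma in "terminology for, taking an initial"; suggest "terminology for taking an initial".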
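Review bot: in the @@ -532,11 hunk, the edited note still reads "the systems FQDN name"; suggest "the system's FQDN". The unchanged context line "Tripwire's report files, are a collection" carries a stray comma that could be dropped in the same pass.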
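Review bot: in the @@ -562,7 hunk, the edited step 4 still says "under roots home directory"; suggest "under root's home directory", and "text only version" should be hyphenated as "text-only version".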
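Review bot: in the @@ -570,9 hunk, "uses the setting specified in the Tripwire configuration file. (twcfg.txt)." still has a full stop before the parenthetical; suggest "in the Tripwire configuration file (twcfg.txt)." The next edited line keeps the stray comma in "the variable(s), that control".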
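Review bot: in the @@ -653,9 hunk, the rewritten step 3 ends with "then there is no sense in monitor this file"; suggest "then there is no sense in monitoring this file".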
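Review bot: in the @@ -735,7 hunk, "all clear-text versions of Tripwire's file from your system" should be plural ("Tripwire's files"), since it refers to both the configuration file and the policy file.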
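Review bot: in the @@ -827,7 hunk, backticking `tripwire` turns the product name into the command name, but the command that follows is `twadmin --print-polfile`, not `tripwire`; keep "Tripwire commands" (capitalized, no backticks) as the rest of the patch does. The same line is still missing "of" ("one of the ... commands that need") and says "the floppy drive" while the surrounding steps move the files to /mnt/usbdrive and eject "the USB drive"; suggest "the USB drive".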
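Review bot: in the @@ -847,19 hunk, the additional exercise still lacks "to": "Configure your Tripwire installation run an integrity check" should read "Configure your Tripwire installation to run an integrity check". In the same hunk, "a removable media" should be "removable media" (or "a removable medium").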