Install and Run a Host-Based Intrusion Detection System


Intrusion detection systems have become more popular as of late due to the immense value they provide a security team in the detection of malicious and unusual events on a network or system. In this section, we will be discussing a host-based intrusion detection system (HIDS), which runs on the machine it protects. There are many types of HIDS, from those that detect malicious connections or watch programs to detect anomalous events, to the ubiquitous file integrity checkers. At a minimum, you should run a host-based intrusion detection system on your most critical servers. But the better the coverage, the more protection you afford yourself. In this chapter, we will discuss some of the most popular versions.

Install and Use Tripwire

Tripwire works by creating a baseline snapshot of the files identified in the policy file. It uses the baseline for comparison of those files at scheduled intervals and, if changes are detected, alerts are processed based on the configuration. If changes are approved, the baseline is updated with the new information. If the changes are not authorized, you can investigate further based on the changes reported by Tripwire.

There are two versions of Tripwire that we will discuss in this chapter, the commercial version and the open source version. The open source version of Tripwire is available at http://www.tripwire.org/. A 30-day evaluation copy of the commercial version of Tripwire software is available at http://www.tripwire.com/downloads/tmtfs/; you will receive a download link or CD and an evaluation license. For management of multiple servers and for the feature set included with the commercial version of Tripwire, it is well worth the costs associated with the product. We recommend that you evaluate the commercial version and purchase it if it meets your needs, as you gain support and an excellent management interface for managing all aspects of Tripwire on multiple machines. The commercial version's management interface also allows you to manage Linux and non-Linux Tripwire installations from one central location, along with many more enhancements and improvements over the open source version. Besides offering host-based intrusion detection capabilities, Tripwire offers change management capabilities and significantly enhances any security and change management program.

Heads Up  

Ideally, Tripwire should be installed on a machine that has just had the operating system installed and has never been on a network. This is not always possible, so at a minimum install it on a known good machine. The reason is that Tripwire doesn't inspect a file the way an antivirus program might: it records attributes of each file (permissions, ownership, size, timestamps, inode) and cryptographic hashes of its contents, and later tells you whether any of those changed; it does not judge whether the contents are malicious. If a file has already been maliciously modified when you install Tripwire, you are simply baselining the altered file, which does you no good. You also need to copy the initial Tripwire database that contains the file attributes to read-only media so that you have an original, known good copy to compare against. The database for the commercial version is located in TWROOT/db/database.twd (/usr/local/tripwire/tfs/db/database.twd in our example). In the open source version, it is located at /var/lib/tripwire/hostname.twd (/var/lib/tripwire/linux1.twd in our example).

Commercial Version Pre-installation Preparation

To begin the installation, you will need to get the media or download file and traverse to where the install.cfg file is located (on the CD-ROM, it is in linux-x86). Review the install.cfg file to see if there are any special requirements for your system. Some things to watch out for in the install.cfg file are

  • TWROOT=/usr/local/tripwire/tfs This is where you want your Tripwire binaries, configuration files, and so on to be located. Depending on your system setup, you may need to change this.

  • TWSYSLOG=FALSE In most instances, you will want to set this to TRUE . You can then set up your syslog to log these messages to the remote syslog server for later analysis (or you can set up TWSYSLOGHOST directly to log remotely as discussed later in this chapter and in Chapter 12).

  • TWIPADDRESS=127.0.0.1 Leave this parameter as is if you only have one network interface. If you have dual homed computers (multiple network interfaces), set this IP address to the trusted network interface.

  • INSTALL_INIT_SCRIPT=FALSE Set this parameter to TRUE if you want to use Tripwire's default initialization (startup) script, which is used for starting Tripwire when the machine reboots or for easy startup.

  • MAILNOVIOLATIONS=TRUE This will send an e-mail whenever a check is run, whether or not a violation was found. While this is good, it can be overwhelming, especially if you have a very large number of machines running Tripwire and have the checks run frequently, such as every hour. Use with caution; if you get too many e-mails, you may begin to disregard them.

  • #MAILFROMADDRESS= This is commented out initially. You should remove the # sign and set a valid e-mail address, otherwise your e-mails will show up as coming from whatever user the program is run as, which can create problems with e-mail routing.

If you determine you need to alter the install.cfg file, you will need to copy the entire linux-x86 directory to a directory mounted on your system (such as /tmp) as the CD-ROM is a read-only file system.

Open Source Version Pre-installation Preparation

Download the latest version (currently 2.3-47) of the open source Tripwire binary distribution at http://www.tripwire.org. Next, extract the archive using the following command:

 tar -zxvf tripwire-2.3-47.bin.tar.gz 

You will find there are some documentation files and install.sh and install.cfg files. You will need to edit the install.cfg file before installing Tripwire to set it up for your system. In the file, you should edit the parameters as appropriate for your organization, but pay special attention to the following entries:

  • TWSYSLOG=FALSE In most instances, you will want to set this to TRUE . You can then set up your syslog to log these messages to the remote syslog server for later analysis (or you can set up TWSYSLOGHOST directly to log remotely as discussed later in this chapter and in Chapter 12).

  • TWMAILNOVIOLATIONS=TRUE This will send an e-mail whenever a check is run, whether or not a violation was found. While this is good, it can be overwhelming, especially if you have a very large number of machines running Tripwire and have the checks run frequently, such as every hour. Use with caution; if you get too many e-mails, you may begin to disregard them.

  • TWMAILMETHOD=SENDMAIL or TWMAILMETHOD=SMTP Determine whether you are running sendmail (if you aren't running a mail server on the machine, use SMTP). If using sendmail, leave these entries alone. If you use SMTP, comment out the two SENDMAIL lines (TWMAILMETHOD=SENDMAIL and TWMAILPROGRAM) by putting # as the first character of each line, and remove the # from the first character of the three SMTP entries (TWMAILMETHOD=SMTP, TWSMTPHOST, and TWSMTPPORT), making sure to fill in your mail server's host name and port.

Commercial Version Installation

After you have configured the install.cfg file as needed, you can then install the software. Begin the install process by typing

 ./install.sh 

Read the license agreement, and at the end, press q to exit from the license file; if you accept, type accept. If you read the license and determine you don't want to accept at that time, the installation procedure will exit. The installation will begin from there and you will be asked a series of questions that should be self-explanatory. Answer as appropriate for your situation. Figure 14-1 shows a sample of what you should see when installing Tripwire.

Figure 14-1: Tripwire installation

Note that you will need to enter two passphrases, the site and local passphrases. Each protects one of Tripwire's two signing keys: the local key is used to sign database and report files, while the site key is used to sign the configuration and policy files. The passphrases must be at least eight characters and contain at least one digit and one non-digit. Choose two good passphrases and keep them safe: without the site passphrase you cannot change the configuration or policy, and without the local passphrase you cannot update the database, so losing them means rebuilding your Tripwire installation from scratch.

Adjust Tripwire Configuration Files

Now that you have Tripwire installed, you need to set up your configuration files to fit the needs of your site. If you have Tripwire Manager installed, use the graphical interface to configure the schedule, policy, and configuration on all the servers you have already set up. For the purposes of this chapter, we will assume you are using the standalone Tripwire for Servers (TFS) product without the Tripwire Manager (TWM) product.

The first step in configuring Tripwire for Servers is to create a meaningful configuration file. Navigate to TWROOT/bin, which by default is /usr/local/tripwire/tfs/bin. There are two files related to the configuration in the directory: tw.cfg (the signed configuration file) and twcfg.txt (the readable file that you edit). Open twcfg.txt with your text editor and edit the settings as needed; most pertain to your specific environment (see TWROOT/docs for a description of each parameter), such as the TWIP setting for multi-IP machines, TWROOT for the root directory of your Tripwire installation, and so on. If you make any changes to the configuration file, you must sign it with the following command, run from the TWROOT/bin directory (typically /usr/local/tripwire/tfs/bin on a default installation); -S names the site key that signs it. Signing prevents tampering on the system and confirms the authenticity of the file to Tripwire.

 ./twadmin -m F -S ../key/site.key twcfg.txt 

After entering the command, you will be prompted for the site passphrase you chose when installing Tripwire.

Open Source Version Installation

To install the open source version, you need to go to the untarred Tripwire directory, which in our case is tripwire-2.3. You now need to run the installation script with the following command:

 ./install.sh 

You will be prompted to press ENTER to view the license file. After reading the entire file, type q to exit. You will be asked to type accept if you accept the license agreement (if you press just RETURN without typing accept, or if you do not accept the license, the program will be terminated). After accepting the license, the installation will start and you will see information similar to

 license agreement. [do not accept] accept
 Using configuration file install.cfg
 Checking for programs specified in install configuration file....
 /usr/lib/sendmail exists.  Continuing installation.
 /bin/vi exists.  Continuing installation.
 ----------------------------------------------
 Verifying existence of binaries...
 ./bin/i686-pc-linux_r/siggen found
 ./bin/i686-pc-linux_r/tripwire found
 ./bin/i686-pc-linux_r/twprint found
 ./bin/i686-pc-linux_r/twadmin found
 This program will copy Tripwire files to the following directories:
         TWBIN: /usr/sbin
         TWMAN: /usr/man
      TWPOLICY: /etc/tripwire
      TWREPORT: /var/lib/tripwire/report
          TWDB: /var/lib/tripwire
  TWSITEKEYDIR: /etc/tripwire
 TWLOCALKEYDIR: /etc/tripwire
 CLOBBER is false.
 Continue with installation? [y/n] 

If the default locations look fine, type y . Your next set of prompts are related to the site and local passphrases and should be unique passwords that follow the guidelines noted in the prompts as discussed in the Commercial Version Installation. Here is what you will see in reference to the site and local passphrases:

 ----------------------------------------------
 The Tripwire site and local passphrases are used to
 sign a variety of files, such as the configuration,
 policy, and database files.
 Passphrases should be at least 8 characters in length
 and contain both letters and numbers.
 See the Tripwire manual for more information.
 ----------------------------------------------
 Creating key files...
 (When selecting a passphrase, keep in mind that good passphrases typically
 have upper and lower case letters, digits and punctuation marks, and are
 at least 8 characters in length.)
 Enter the site keyfile passphrase:
 Verify the site keyfile passphrase: 

At this point you enter your site passphrase and verify it, at which point your keys will be generated as shown here:

 Generating key (this may take several minutes)...Key generation complete.
 (When selecting a passphrase, keep in mind that good passphrases typically
 have upper and lower case letters, digits and punctuation marks, and are
 at least 8 characters in length.)
 Enter the local keyfile passphrase:
 Verify the local keyfile passphrase: 

At this point you enter your local keyfile passphrase and verify it, at which point your keys will be generated as shown here:

 Generating key (this may take several minutes)...Key generation complete.
 ----------------------------------------------
 Generating Tripwire configuration file...
 ----------------------------------------------
 Creating signed configuration file...
 Please enter your site passphrase: 

You will need to enter your site passphrase as entered previously:

 Wrote configuration file: /etc/tripwire/tw.cfg
 A clear-text version of the Tripwire configuration file
 /etc/tripwire/twcfg.txt
 has been preserved for your inspection.  It is recommended
 that you delete this file manually after you have examined it.
 ----------------------------------------------
 Customizing default policy file...
 ----------------------------------------------
 Creating signed policy file...
 Please enter your site passphrase: 

You will need to enter your site passphrase as entered previously:

 Wrote policy file: /etc/tripwire/tw.pol
 A clear-text version of the Tripwire policy file
 /etc/tripwire/twpol.txt
 has been preserved for your inspection.  This implements
 a minimal policy, intended only to test essential
 Tripwire functionality.  You should edit the policy file
 to describe your system, and then use twadmin to generate
 a new signed copy of the Tripwire policy.
 ----------------------------------------------
 The installation succeeded.
 Please refer to /usr/doc/tripwire/Release_Notes
 for release information and to the printed user documentation
 for further instructions on using Tripwire 2.3 Open Source for LINUX. 

Create the Policy File

The next step is to create the policy file. The policy file identifies what files are to be watched and with what options. You will need to plan ahead and determine what files and directories you want Tripwire to watch. As you refine your settings or as new files or directories need to be added or removed you can adjust the policy files as shown in the next paragraph and reinitialize your database to keep your Tripwire policy up to date. Your selection should be based on what files or objects are not typically changed, or files that are sensitive. This policy file is very important and will take some time to configure properly.

To view the policy file, navigate to TWROOT/policy for the commercial version or /etc/tripwire for the open source version. There you will see two files: tw.pol is your signed file and twpol.txt is the editable file. For more information on writing the policy file and sample policy files, visit http://www.tripwire.com/resources/policy_center/index.cfm?cat=3#unix_policy_files or view the included documentation located in TWROOT/docs/tfs_unix_refcard.pdf for the commercial version or /usr/doc/tripwire in the open source version. Edit the file and add the files you want to watch. Now save the file under a meaningful name; for our file we will use new_twpol_feb04.txt. After you have configured your policy file, you will need to sign it for use by Tripwire with the twadmin command. For the sample policy file named new_twpol_feb04.txt, we would use the following command in the commercial version (from TWROOT/bin):

 ./twadmin -m P /usr/local/tripwire/tfs/policy/new_twpol_feb04.txt 

Or for the open source version we would use

 /usr/sbin/twadmin -m P /etc/tripwire/new_twpol_feb04.txt 

After you have signed your new policy file (by entering your site passphrase), you need to tell Tripwire to build its baseline from it. This is called initializing the database in Tripwire terminology, and it must be done before the policy takes effect. Note that re-initializing after a policy change rebuilds the entire baseline and silently accepts any change that has happened on the system since the last baseline; once a database exists, prefer the policy update mode (tripwire -m p new_twpol_feb04.txt), which installs the new policy and first runs an integrity check against the existing baseline. To initialize the database, run the following command in either version of Tripwire (you will be prompted for the local passphrase, which signs the database):

 ./tripwire -m i 
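
The chapter describes the policy file but does not show one, so here is an added example of a twpol.txt for the open source layout used in this chapter (host linux1, binaries in /usr/sbin, keys and policy in /etc/tripwire, database in /var/lib/tripwire). It is not the book's file and not the stock policy shipped with Tripwire; the e-mail address, the variable names TWETC and TWDB, and the choice of watched paths are assumptions for illustration, so adjust them to your own system before signing it with twadmin -m P.

```text
# Added example policy (not from the book): /etc/tripwire/twpol.txt for host linux1.
# The e-mail address and the watched paths below are assumptions; edit before use.

@@section GLOBAL
TWBIN    = /usr/sbin;
TWETC    = /etc/tripwire;       # assumed variable name, matches the install above
TWDB     = /var/lib/tripwire;
HOSTNAME = linux1;

@@section FS
# Property masks: each letter is an attribute Tripwire records (p perms, i inode,
# n link count, u uid, g gid, t type, s size, m mtime, c ctime, a atime,
# C CRC32, M MD5, S SHA, H Haval, d/r device numbers, b blocks, l growing file).
SEC_CRIT   = $(IgnoreNone)-SHa ;   # everything except SHA, Haval and atime
SEC_BIN    = $(ReadOnly) ;         # must not change at all; includes the MD5 sum
SEC_CONFIG = $(Dynamic) ;          # edited occasionally: owner, perms, inode, not content
SEC_LOG    = $(Growing) ;          # may grow, must not shrink or change owner
SIG_HI     = 100 ;
SIG_MED    = 66 ;

# Tripwire's own files: if any of these change, no other result can be trusted.
(
  rulename = "Tripwire Binaries and Data Files",
  severity = $(SIG_HI),
  emailto  = "security-alerts@example.com"
)
{
  $(TWBIN)/siggen          -> $(SEC_BIN) ;
  $(TWBIN)/tripwire        -> $(SEC_BIN) ;
  $(TWBIN)/twadmin         -> $(SEC_BIN) ;
  $(TWBIN)/twprint         -> $(SEC_BIN) ;
  $(TWETC)/tw.cfg          -> $(SEC_BIN) ;
  $(TWETC)/tw.pol          -> $(SEC_BIN) ;
  $(TWETC)/site.key        -> $(SEC_BIN) ;
  $(TWETC)/local.key       -> $(SEC_BIN) ;
  $(TWDB)/$(HOSTNAME).twd  -> $(SEC_CONFIG) ;   # rewritten by every accepted update
}

# System binaries and libraries: the files a rootkit replaces (ps, ls, netstat ...).
(
  rulename = "System binaries and libraries",
  severity = $(SIG_HI),
  emailto  = "security-alerts@example.com"
)
{
  /bin          -> $(SEC_BIN) ;
  /sbin         -> $(SEC_BIN) ;
  /usr/bin      -> $(SEC_BIN) ;
  /usr/sbin     -> $(SEC_BIN) ;
  /lib          -> $(SEC_BIN) ;
  /usr/lib      -> $(SEC_BIN) ;
  !/usr/lib/locale ;                 # stop point: large and not security relevant
}

# Configuration files: content edits are expected, so most get only owner/perms
# checks, but the files that decide who gets root are checked in full.
(
  rulename = "System configuration files",
  severity = $(SIG_MED)
)
{
  /etc                  -> $(SEC_CONFIG) ;
  /etc/passwd           -> $(SEC_CRIT) ;     # more specific entries override /etc
  /etc/shadow           -> $(SEC_CRIT) ;
  /etc/group            -> $(SEC_CRIT) ;
  /etc/sudoers          -> $(SEC_CRIT) ;
  /etc/crontab          -> $(SEC_CRIT) ;
  /etc/ssh/sshd_config  -> $(SEC_CRIT) ;
  !/etc/mtab ;                               # rewritten on every mount
}

# Logs are expected to grow; they must not shrink or lose their owner.
(
  rulename = "Log files",
  severity = $(SIG_MED)
)
{
  /var/log           -> $(SEC_LOG) ;
  !/var/log/lastlog ;
}
```

Two points worth knowing when you adapt this: an object may appear only once in the policy, and when a file matches both a directory rule and its own entry, the more specific entry wins, which is how /etc/passwd gets the stricter mask above. The emailto addresses only receive reports when the check is run with the -M (--email-report) option, so add it to the cron entry if you rely on them.
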
Heads Up  

You should remove the unsigned, plaintext versions of your policy and configuration files from your servers and store them off the machine. These files are a roadmap to what is protected and how notification is done, which gives an attacker deep insight into your systems or, at a minimum, a list of which locations to avoid to get around integrity checking. If you need the text again later, the signed copies can be printed back out with twadmin -m p (policy) and twadmin -m f (configuration).

Run an Integrity Check

After you have initialized the database, it is time to run the first integrity check. The integrity check compares Tripwire's baseline against the current state of the objects in the file system identified in the policy file. To initiate an integrity check, run the following command (in either version):

 ./tripwire -m c 

Your output will be similar to the Tripwire report shown in Figure 14-2.

Figure 14-2: Sample Tripwire report

If you need your report for later use, you can run the twprint command to write the report to a text file (/tmp/integritycheck.txt in our example) for easier viewing, assuming the report is named linux1-20040228-115521.twr. For the commercial version, run

 ./twprint -m r -r ../report/linux1-20040228-115521.twr \
     -o /tmp/integritycheck.txt 

Or in the open source version, you can use

 /usr/sbin/twprint -m r -r /var/lib/tripwire/report/linux1-20040228-115521.twr \
     > /tmp/integritycheck.txt 

Note that the report above was created by Tripwire when you ran the tripwire -m c command. In the commercial version the reports are located in the report subdirectory under TWROOT, while in the open source version they are in /var/lib/tripwire/report (both locations are configurable). Report names have the format hostname-YYYYMMDD-hhmmss.twr, with YYYY the year, MM the month, DD the day, hh the hour, mm the minute, and ss the second. So our sample report was created on February 28, 2004, at 11:55:21 local time. Whew!

Update Tripwire Baseline

As approved changes are made to your server, you will need to update your Tripwire baseline. For instance, someone adds a new user, so /etc/passwd changes and Tripwire notifies you about it. It was a planned change, so you want to update your baseline to record that this is an accepted change. If all your violations were expected changes, you can update the entire baseline database in one step by running the tripwire command against the report (assuming our report is named linux1-20040228-115521.twr). In the commercial version the syntax would be

 ./tripwire -m u -r ../report/linux1-20040228-115521.twr --accept-all 

while in the open source the syntax is

 /usr/sbin/tripwire -m u -r /var/lib/tripwire/report/linux1-20040228-115521.twr \
     --accept-all 

If you don't want to accept all the changes, because some were not expected, you can run the update interactively. Tripwire opens the report in your editor; removing the x from the box next to an entry prevents that object's new values from being written to the database. To run the update in interactive mode in the commercial version, type

 ./tripwire -m u -r ../report/linux1-20040228-115521.twr 

Or in the open source version run

 /usr/sbin/tripwire -m u -r /var/lib/tripwire/report/linux1-20040228-115521.twr 

An example of the output you will receive is shown here:

 -------------------------------------------------------------------------
 Rule Name: Tripwire Data Files (/usr/local/tripwire/tfs/db)
 Severity Level: 100
 -------------------------------------------------------------------------
 Remove the "x" from the adjacent box to prevent updating the database
 with the new values for this object.
 Added:
 [x] "/usr/local/tripwire/tfs/db/database.twd.bak"
 -------------------------------------------------------------------------
 Rule Name: System configuration files (/etc)
 Severity Level: 100
 -------------------------------------------------------------------------
 Remove the "x" from the adjacent box to prevent updating the database
 with the new values for this object.
 Modified:
 [x] "/etc/passwd" 

Run Scheduled Tripwire Checks

Now that Tripwire is properly installed on the system, you will want to run scheduled checks. You can put the Tripwire integrity check command into a cron job for the open source version, or schedule it in Tripwire Manager for the commercial version. A sample cron entry to run at ten minutes past every hour would be (run crontab -e as root to edit root's crontab; stderr is merged into stdout so cron mails both to root, and you can add -M if you want the report mailed to the emailto addresses in your policy)

 10 * * * * /usr/sbin/tripwire -m c 2>&1 
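
The Heads Up earlier in this chapter tells you to keep a known good copy of the database on read-only media, and a scheduled check is only as good as the policy, keys, and database it runs against. The following is an added example, not code from the book or from Tripwire, of a small wrapper for that cron job: it records hashes of the files Tripwire itself depends on right after initialization (the hash list is what you copy to read-only media), and on every scheduled run refuses to trust the check unless those files still match. It assumes the open source layout from this chapter (keys, configuration, and policy in /etc/tripwire; database /var/lib/tripwire/hostname.twd), GNU coreutils sha256sum, and the TW_ETC, TW_DB and TRIPWIRE overrides, which are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the book): keep an offline hash list of the files
# Tripwire depends on and refuse to trust a scheduled check when they no
# longer match it.  Assumes the open source layout used in this chapter;
# the variables below are this example's conventions, override as needed.
TW_ETC=${TW_ETC:-/etc/tripwire}
TW_DB=${TW_DB:-/var/lib/tripwire}
TRIPWIRE=${TRIPWIRE:-/usr/sbin/tripwire}

# The set of files an attacker must replace or re-sign to blind Tripwire.
# Usage: tw_anchor_files HOSTNAME
tw_anchor_files() {
    host=$1
    printf '%s\n' "$TW_ETC/tw.cfg" "$TW_ETC/tw.pol" \
        "$TW_ETC/site.key" "$TW_ETC/local.key" "$TW_DB/$host.twd"
}

# tw_record_anchors HOSTNAME HASHFILE
# Run once, right after 'tripwire -m i' (and again after each accepted
# update), then copy HASHFILE and the database to read-only media or
# another host.  A list kept only on this machine proves nothing.
tw_record_anchors() {
    tw_anchor_files "$1" | xargs sha256sum > "$2"
}

# tw_verify_anchors HASHFILE: 0 if every anchor still matches, 1 otherwise.
# sha256sum -c fails on a mismatch and on a missing file, which is what we want.
tw_verify_anchors() {
    sha256sum -c "$1" >/dev/null 2>&1
}

# tw_scheduled_check HOSTNAME HASHFILE: the cron entry point.
# Returns 2 when Tripwire's own trust anchors changed, so the caller (or the
# person reading cron's mail) knows the integrity check itself is suspect.
# Otherwise returns whatever 'tripwire -m c' returns.
tw_scheduled_check() {
    if ! tw_verify_anchors "$2"; then
        echo "tripwire anchors on $1 differ from offline copy ($2); check not trusted" >&2
        return 2
    fi
    "$TRIPWIRE" -m c -M      # -M mails the report to the policy's emailto addresses
}
```

Save the file as /usr/local/sbin/tw_check.sh, source it and run tw_record_anchors linux1 /root/tw-anchors.sha256 once after initializing, then point the cron entry at a one-line script that sources it and calls tw_scheduled_check linux1 /root/tw-anchors.sha256. Keep a copy of the hash list off the host; when a check returns 2, compare the on-disk files against that copy before believing anything the report says.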

Use RPM for File Integrity Checking

If there is no money in the budget to purchase a full host-based intrusion detection system, or if you want a very quick security check, you can use the rpm command as a basic system checker; it is included with most distributions of Linux. Even if you do purchase commercial software or use open source products for integrity checking, it is always good form to have multiple layers of defense and run this and other integrity checks periodically. Red Hat Package Manager (RPM) manages software packages for the system and can be used to check the integrity of the files those packages installed. With the verify switches, it compares several attributes of each file against the values recorded in the RPM database at install time and reports any that differ. While not a robust solution, it can assist a system administrator in a pinch. To check the integrity of all files in all installed packages, run the following command:

 rpm -Va 

If you get no output, then all the files checked by rpm are unchanged. You will likely see some output, as files change with new software additions and routine changes to the system. An example of some changes taken from a live system is

 linux1:/tmp# rpm -Va
 .M...... c /media/cdrom
 SM5....T c /etc/crontab
 .......T   /lib/modules/2.4.19-4GB/modules.dep 

A period (.) means the test passed and no changes were found for a certain test. The other possible characters and their meaning are listed in Table 14-1.

Table 14-1: rpm -Va Output Meaning

 Character     Meaning
 . (period)    Test passed, no changes
 5 (five)      MD5 sum mismatch
 S             File size mismatch
 L             Symbolic link change
 T             Mtime (modification time) mismatch
 D             Device file mismatch
 U             User ownership mismatch
 G             Group ownership mismatch
 M             Mode (file type or permission) mismatch
 missing       File is missing
 ?             Couldn't read file (probably a permissions problem)

Using Table 14-1, we can now work out what changed on the system in the sample listing. The c between the test flags and the filename indicates that the file is a configuration file. For /etc/crontab, we see that the file size, the mode, the MD5 sum, and the modification time have all changed. For this particular file, such changes are not out of the ordinary; some files change on any system that is in production. There is, however, a certain group of files that should not change, and this is where the value of this tool comes in. Files such as /bin/ps shouldn't change (unless patched, in which case the patch itself updates the RPM database), and if changes to these types of files are discovered, further investigation is prudent. If you are concerned with only one file, such as /bin/ps, you can verify just the package that owns it with rpm -Vf and the filename. One note on using rpm as a security mechanism: you may want to back up your RPM database (for SUSE and Red Hat it is located in /var/lib/rpm) to tape or other media not attached to the system. This allows you to verify your packages against a known good source in case an attacker modifies the RPM database. Bear in mind, too, that an attacker with root can replace the rpm binary itself, so for a serious investigation run the check with tools from trusted boot media.

For a more hands-off approach, you can run the RPM check from a cron job and save the list of changed files on the system for later viewing. rpm -Va prints only files that failed at least one test, so you already get just the changed files; awk is useful if you also want to drop configuration files or mtime-only changes from that list. Here's a sample crontab line (crontab -e) that runs the check at 2:00 A.M. every Monday and writes the output to /var/log/rpm_output:

 0 2 * * 1 /bin/rpm -Va > /var/log/rpm_output 2>&1 
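
The two paragraphs above interpret the flags by hand and suggest filtering the cron output with awk. The following is an added example, not code from the book or from rpm, that does that filtering: it reads rpm -Va output on standard input, applies the flag meanings from Table 14-1, and prints only findings a person should look at, ignoring mtime-only changes and content edits to configuration files while flagging any binary or library whose size, MD5 sum, mode, owner, or link target changed. The category labels, the triage policy, and the two extra sample lines (a trojaned /bin/ps and a missing /usr/bin/chattr) are constructed for this example; the first three sample lines are the ones the chapter shows from a live system.

```shell
#!/bin/sh
# Added example (not from the book): triage 'rpm -Va' output for a cron job.
# Reads verify output on stdin.  The classification rules are this example's
# own policy, not something rpm provides; tune them to your site.
#
# Each 'rpm -Va' line is:  <flags> [<type>] <path>
#   flags  8 test characters (9 on newer rpm, which adds P for capabilities),
#          one per test as in Table 14-1, or the word "missing"
#   type   c=config d=documentation g=ghost l=license r=readme; absent for
#          ordinary files such as binaries and libraries
rpm_triage() {
    awk '
    {
        flags = $1
        # an optional single-letter type marker sits between flags and path
        if (NF >= 3 && $2 ~ /^[cdglr]$/) { type = $2; path = $3 }
        else                             { type = "";  path = $2 }

        if (flags == "missing")    { print "MISSING      " path; next }
        if (index(flags, "?") > 0) { print "UNREADABLE   " path " [" flags "]"; next }

        content = (flags ~ /[S5LD]/)   # size, MD5, symlink target or device changed
        owner   = (flags ~ /[MUG]/)    # mode, uid or gid changed

        if (type == "c") {
            # administrators edit config files, so a content change alone is
            # expected; a mode or owner change on one is still worth a look
            if (owner) print "CONFIG-PERMS " path " [" flags "]"
            next
        }
        if (type == "d" || type == "l" || type == "r") next   # docs: not relevant
        if (content || owner) { print "CRITICAL     " path " [" flags "]"; next }
        # anything left changed only its mtime (T): touched, not altered
    }'
}

# Constructed sample: the three lines the chapter shows from a live system,
# plus two invented lines (a replaced /bin/ps and a removed /usr/bin/chattr).
RPM_VERIFY_SAMPLE='.M...... c /media/cdrom
SM5....T c /etc/crontab
.......T   /lib/modules/2.4.19-4GB/modules.dep
S.5....T   /bin/ps
missing     /usr/bin/chattr'

# Runs the triage over the constructed sample so it can be tried without rpm.
rpm_triage_sample() {
    printf '%s\n' "$RPM_VERIFY_SAMPLE" | rpm_triage
}
```

On a real system the cron line becomes /bin/rpm -Va | rpm_triage > /var/log/rpm_output (after sourcing the file, or by saving it as a script that pipes its stdin through the function). For the sample above the output is four lines: CONFIG-PERMS for /media/cdrom and /etc/crontab (mode changed), CRITICAL for /bin/ps (size and MD5 changed, exactly the pattern a replaced binary leaves), MISSING for /usr/bin/chattr, and nothing for modules.dep, whose only change was its mtime.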

Other Tools

Some other tools that can assist with host-based intrusion detection are

  • Advanced Intrusion Detection Environment (AIDE) An open source alternative to Tripwire with similar functionality. Available at http://sourceforge.net/projects/aide/.

  • Another File Integrity Checker (AFICK) Another open source alternative to Tripwire. Available at http://sourceforge.net/projects/afick/.

  • Radmind Another file integrity checker, available at http://rsug.itd.umich.edu/software/radmind/




Hardening Linux
ISBN: 0072254971
Year: 2004
Pages: 113