TRIPWIRE
--------

http://www.tripwire.org

GPL'd Tripwire verifies the integrity of system files by comparing them against "fingerprints" (hashes and inode attributes) stored in a signed database. This cannot prevent an attack from succeeding, but it can help ensure that no backdoors have been left behind, provided the database was built on a clean system and is kept where an intruder cannot quietly regenerate it. As the checksumming process is fairly compute intensive, Tripwire is best scheduled to run only once a day.

Installation
------------

Download and install the RPM. Check that /etc/tripwire/twcfg.txt looks sensible, and that the directories in the policy file /etc/tripwire/twpol.txt match what is actually on the machine. Make any required changes to the policy file (adding all the grid stuff for a start...).

Now run /etc/tripwire/twinstall.sh to create signed versions of the config and policy files - you will have to supply two new passphrases: a "site passphrase" (used to sign the config and policy) and a "local passphrase" (used to sign the database and reports).

You should now be able to create the Tripwire database:

    /usr/sbin/tripwire -m i

(If this doesn't work you may need to create a signed policy again with
/usr/sbin/twadmin -m P /etc/tripwire/twpol.txt)

This took about half an hour on a P166 with a RH62/EDG UI setup, producing a database (/var/lib/tripwire/$(HOSTNAME).twd, the DBFILE setting in twcfg.txt) about 850 Kb in size.

You will probably find that the policy file includes lots of non-existent files (and is still missing some important ones). Edit twpol.txt, then update the policy in the database, capturing the warnings to a file so you can work through them:

    /usr/sbin/tripwire -m p -Z low /etc/tripwire/twpol.txt 2>&1 | tee triplog.txt

(-Z low selects low security mode, so that missing or changed files produce warnings instead of aborting the policy update. It is a convenience while iterating on a fresh install, not something to leave in a routine job.)

Repeat this process until you are happy with the policy file. You now have an up-to-date database representing the system.

Now run Tripwire in integrity checking mode on a couple of occasions over a few days, tweaking the policy file again if needed:

    /usr/sbin/tripwire -m c -p /etc/tripwire/tw.pol

Once the policy file is stable, you will need to decide how to communicate alerts: if you want Tripwire to e-mail reports to you directly, then you will need to add your e-mail address (an emailto = attribute) to every relevant rule in the policy file, and run the check with -M (--email-report), otherwise no mail is sent.
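As an added example (not from the original notes, and not part of the Tripwire distribution), the following POSIX shell script wraps the loop above in one place: prune the policy of entries whose files do not exist, run the scheduled check and mail the report only when something was flagged, and do the check-then-update step that the RH7.3 addenda below call for. It assumes Red Hat paths (/etc/tripwire, /usr/sbin/tripwire, /usr/sbin/twprint), a local mail(1), that reports land wherever REPORTFILE in twcfg.txt points (defaulting here to /var/lib/tripwire/report), and that the --check exit status is the bitmask I believe tripwire(8) documents (1 added, 2 removed, 4 changed, 8 error); if your build differs, treat any non-zero status as "read the report". The #JJN prefix on pruned lines mirrors the convention used in the Configuration section below; the script name tw-maint.sh and the environment variables are mine.

```shell
#!/bin/sh
# tw-maint.sh - helper for the Tripwire routine in these notes.
# Added example; not from the original notes and not part of the Tripwire
# distribution. Assumptions: Red Hat paths, a local mail(1), and that the
# --check exit status is the bitmask 1 = added, 2 = removed, 4 = changed,
# 8 = error (treat any non-zero status as "look at the report" otherwise).

POLICY=${POLICY:-/etc/tripwire/twpol.txt}
REPORT_DIR=${REPORT_DIR:-/var/lib/tripwire/report}   # wherever REPORTFILE in twcfg.txt points
MAILTO=${MAILTO:-root}
MARK='#JJN '   # the notes comment out dead entries with this prefix

# lint_policy FILE: print every "path -> $(VAR) ;" rule whose path does not
# exist on this host, already prefixed with $MARK so the output can be pasted
# back into twpol.txt as a deletions block. Comments, attribute lists and
# stop points ("!/path ;") are left alone.
lint_policy() {
    grep -E '^[[:space:]]*/[^[:space:]]+[[:space:]]*->' "$1" |
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}      # trim leading blanks
        path=${line%%->*}                           # text before "->"
        path=${path%"${path##*[![:space:]]}"}       # trim trailing blanks
        [ -e "$path" ] || printf '%s%s\n' "$MARK" "$line"
    done
}

# status_to_text CODE: decode the (assumed) --check exit bitmask.
status_to_text() {
    code=$1 ; out=""
    [ $((code & 1)) -ne 0 ] && out="${out}added "
    [ $((code & 2)) -ne 0 ] && out="${out}removed "
    [ $((code & 4)) -ne 0 ] && out="${out}changed "
    [ $((code & 8)) -ne 0 ] && out="${out}error "
    [ -n "$out" ] || out="clean"
    printf '%s\n' "${out% }"
}

# latest_report DIR: newest report file (tripwire writes host-date.twr).
latest_report() {
    ls -t "$1"/*.twr 2>/dev/null | head -n 1
}

# run_check: the daily job. Mail only when the check flagged something,
# rendering the signed report with twprint; the exit status is passed
# through so cron (or Swatch watching cron's output) can also see it.
run_check() {
    /usr/sbin/tripwire -m c -p /etc/tripwire/tw.pol >/dev/null 2>&1
    rc=$?
    verdict=$(status_to_text "$rc")
    [ "$verdict" = clean ] && return 0
    report=$(latest_report "$REPORT_DIR")
    [ -n "$report" ] || return "$rc"
    /usr/sbin/twprint -m r -r "$report" |
        mail -s "tripwire: $verdict on $(hostname)" "$MAILTO"
    return "$rc"
}

# accept_latest: the RH7.3 note - run --check, then --update against that
# report before editing the policy, so the database agrees with the host first.
accept_latest() {
    /usr/sbin/tripwire -m c -p /etc/tripwire/tw.pol >/dev/null 2>&1 || true
    /usr/sbin/tripwire -m u -r "$(latest_report "$REPORT_DIR")"
}

case "${1:-}" in
    lint)   lint_policy "${2:-$POLICY}" ;;
    check)  run_check ;;
    update) accept_latest ;;
esac
```

Run "tw-maint.sh lint" after each policy edit and paste its output into the Deletions block before the next -m p; install "tw-maint.sh check" as the daily cron job; run "tw-maint.sh update" before editing the policy on a host that has drifted. The check is done with the signed tw.pol, never the plaintext twpol.txt, so a tampered plaintext file cannot change what gets checked.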
Alternatively, you may want to keep the reports in /var/lib/tripwire/reports/ (wherever REPORTFILE in twcfg.txt points) and process them using Swatch or LogSentry, so that alerting does not depend on every rule having been edited.

Re-sign the policy file, if necessary test the e-mail mechanism (-e takes the address to send the test message to):

    /usr/sbin/tripwire -m t -e <address>

and finally update the database:

    /usr/sbin/tripwire -m p -Z low /etc/tripwire/twpol.txt

You can now schedule Tripwire to do an integrity check on a regular basis (a daily cron job). If desired, you can move the database to a read-only volume - such as a write-protected floppy disk - to prevent it being deleted or invalidated by intruders: the database is signed with the local key, so tampering with it is detectable, but nothing stops an intruder with root from simply deleting it.

Configuration
-------------

Based on RH6.2 + EDG 1.1.4.

Deletions:

#JJN /sbin/dosfsck -> $(SEC_CRIT) ;
#JJN /sbin/dump.static -> $(SEC_CRIT) ;
#JJN /sbin/fsck.msdos -> $(SEC_CRIT) ;
#JJN /sbin/ftl_check -> $(SEC_CRIT) ;
#JJN /sbin/ftl_format -> $(SEC_CRIT) ;
#JJN /sbin/mkdosfs -> $(SEC_CRIT) ;
#JJN /sbin/mkfs.msdos -> $(SEC_CRIT) ;
#JJN /sbin/mtx -> $(SEC_CRIT) ;
#JJN /sbin/parted -> $(SEC_CRIT) ;
#JJN /sbin/pcinitrd -> $(SEC_CRIT) ;
#JJN /sbin/resize2fs -> $(SEC_CRIT) ;
#JJN /sbin/restore.static -> $(SEC_CRIT) ;
#JJN /sbin/scsi_info -> $(SEC_CRIT) ;
#JJN /sbin/tapeinfo -> $(SEC_CRIT) ;
#JJN /sbin/dhcpcd -> $(SEC_CRIT) ;
#JJN /sbin/ifport -> $(SEC_CRIT) ;
#JJN /sbin/ifuser -> $(SEC_CRIT) ;
#JJN /sbin/iptables -> $(SEC_CRIT) ;
#JJN /sbin/ipx_configure -> $(SEC_CRIT) ;
#JJN /sbin/ipx_interface -> $(SEC_CRIT) ;
#JJN /sbin/ipx_internal_net -> $(SEC_CRIT) ;
#JJN /sbin/iwconfig -> $(SEC_CRIT) ;
#JJN /sbin/iwpriv -> $(SEC_CRIT) ;
#JJN /sbin/iwspy -> $(SEC_CRIT) ;
#JJN /sbin/vgetty -> $(SEC_CRIT) ;
#JJN /sbin/linuxconf -> $(SEC_CRIT) ;
#JJN /sbin/linuxconf-auth -> $(SEC_CRIT) ;
#JJN /sbin/remadmin -> $(SEC_CRIT) ;
#JJN /sbin/rescuept -> $(SEC_CRIT) ;
#JJN /sbin/cardctl -> $(SEC_CRIT) ;
#JJN /sbin/cardmgr -> $(SEC_CRIT) ;
#JJN /sbin/probe -> $(SEC_CRIT) ;
#JJN /bin/aumix-minimal -> $(SEC_CRIT) ;
#JJN /bin/sfxload -> $(SEC_CRIT) ;
#JJN /bin/vimtutor -> $(SEC_CRIT) ;
#JJN /bin/zsh -> $(SEC_CRIT) ;
#JJN /bin/zsh-3.0.8 -> $(SEC_CRIT) ;
#JJN /sbin/fsconf -> $(SEC_CRIT) ;
#JJN /sbin/managerpm -> $(SEC_CRIT) ;
#JJN /sbin/modemconf -> $(SEC_CRIT) ;
#JJN /sbin/mount.ncp -> $(SEC_CRIT) ;
#JJN /sbin/mount.ncpfs -> $(SEC_CRIT) ;
#JJN /sbin/mount.smb -> $(SEC_CRIT) ;
#JJN /sbin/mount.smbfs -> $(SEC_CRIT) ;
#JJN /sbin/netconf -> $(SEC_CRIT) ;
#JJN /sbin/rdump.static -> $(SEC_CRIT) ;
#JJN /sbin/rrestore.static -> $(SEC_CRIT) ;
#JJN /sbin/userconf -> $(SEC_CRIT) ;
#JJN /sbin/uucpconf -> $(SEC_CRIT) ;
#JJN /bin/xnmap -> $(SEC_CRIT) ;
#JJN /bin/ksh -> $(SEC_BIN) ;
#JJN /usr/kerberos/bin/rsh -> $(SEC_SUID) ;
#JJN /var/lock/subsys/atd -> $(SEC_CONFIG) ;
#JJN /var/lock/subsys/gpm -> $(SEC_CONFIG) ;
#JJN /var/lock/subsys/httpd -> $(SEC_CONFIG) ;
#JJN /var/lock/subsys/anacron -> $(SEC_CONFIG) ;
#JJN /var/lock/subsys/autofs -> $(SEC_CONFIG) ;
#JJN /var/lock/subsys/canna -> $(SEC_CONFIG) ;
#JJN /var/lock/subsys/firewall -> $(SEC_CONFIG) ;
#JJN /var/lock/subsys/jserver -> $(SEC_CONFIG) ;
#JJN /var/lock/subsys/reconfig -> $(SEC_CONFIG) ;
#JJN /var/lock/subsys/xinetd -> $(SEC_CONFIG) ;
#JJN /root/Mail -> $(SEC_CONFIG) ;
#JJN /root/.sawfish -> $(SEC_CONFIG) ;
#JJN /root/.esd_auth -> $(SEC_CONFIG) ;
#JJN /root/.elm -> $(SEC_CONFIG) ;
#JJN /root/.amandahosts -> $(SEC_CONFIG) ;
#JJN /root/.Xresources -> $(SEC_CONFIG) ;
#JJN /etc/smb.conf -> $(SEC_CONFIG) ;

Additions:

Under rulename = "Critical configuration files":

#JJN add:
  /etc/swatch.conf -> $(SEC_CONFIG) ;
  /etc/modules.conf -> $(SEC_BIN) ;
  /etc/tripwire/twpol.txt -> $(SEC_CONFIG) ;

(Tripwire itself reads the signed tw.pol; twpol.txt is the plaintext source it was signed from. Either watch it, as here, or remove it once signed, since it tells an intruder exactly what is and is not monitored.)

###############################
#                             #
#          Grid Bits          #
#                             #
###############################

# Other changes above marked by #JJN
# Added /etc/swatch.conf at "critical config files"
# Added /etc/modules.conf
# Added /etc/tripwire/twpol.txt

(
  rulename = "Grid Certificates and Revocation Lists",
  severity = $(SIG_HI)
)
{
  # Certificate details:
  /etc/grid-security/certificates/0ed6468a.0 -> $(SEC_CRIT) ;
  /etc/grid-security/certificates/0ed6468a.crl_url -> $(SEC_CRIT) ;
  /etc/grid-security/certificates/0ed6468a.signing_policy -> $(SEC_CRIT) ;
  /etc/grid-security/certificates/c35c1972.0 -> $(SEC_CRIT) ;
  /etc/grid-security/certificates/c35c1972.crl_url -> $(SEC_CRIT) ;
  /etc/grid-security/certificates/c35c1972.signing_policy -> $(SEC_CRIT) ;
  /etc/grid-security/certificates/df312a4e.0 -> $(SEC_CRIT) ;
  /etc/grid-security/certificates/df312a4e.crl_url -> $(SEC_CRIT) ;
  /etc/grid-security/certificates/df312a4e.ldap -> $(SEC_CRIT) ;
  # Revocation lists ("logs": they are refreshed regularly, so they are
  # treated as growing files rather than as critical binaries)
  /etc/grid-security/certificates/0ed6468a.r0 -> $(SEC_LOG) ;
  /etc/grid-security/certificates/c35c1972.r0 -> $(SEC_LOG) ;
  /etc/grid-security/certificates/df312a4e.r0 -> $(SEC_LOG) ;
}

# Commonly accessed grid directories that should remain static with regards
# to owner and group
(
  rulename = "Grid Directories",
  severity = $(SIG_MED)
)
{
  /etc/grid-security -> $(SEC_INVARIANT) (recurse = 0) ;
  /etc/grid-security/certificates -> $(SEC_INVARIANT) (recurse = 0) ;
  /opt/edg -> $(SEC_INVARIANT) (recurse = 0) ;
  /opt/edg/etc -> $(SEC_INVARIANT) (recurse = 0) ;
  /opt/globus -> $(SEC_INVARIANT) (recurse = 0) ;
  /opt/globus/etc -> $(SEC_INVARIANT) (recurse = 0) ;
}

# Grid configuration files
(
  rulename = "Grid Configuration Files",
  severity = $(SIG_HI)
)
{
  /opt/edg/etc/UI_ConfigENV.cfg -> $(SEC_CONFIG) ;
  /opt/edg/etc/UI_Errors.cfg -> $(SEC_CONFIG) ;
  /opt/edg/etc/UI_Help.cfg -> $(SEC_CONFIG) ;
  /opt/edg/etc/job_template.tpl -> $(SEC_CONFIG) ;
  /opt/edg/etc/edg-crl-upgrade.conf -> $(SEC_BIN) ;
  /opt/edg/etc/edg-gridmapfile-upgrade.conf -> $(SEC_BIN) ;
  /opt/edg/etc/edg-user-env.csh -> $(SEC_BIN) ;
  /opt/edg/etc/gdmp.conf -> $(SEC_BIN) ;
  /opt/edg/etc/gdmp.shared.conf -> $(SEC_BIN) ;
  /opt/edg/etc/rc.conf -> $(SEC_BIN) ;
  /opt/edg/etc/gridpp/gdmp.conf -> $(SEC_BIN) ;
  /opt/edg/etc/info -> $(SEC_BIN) ;
  /opt/edg/etc/wl-ui-env.csh -> $(SEC_BIN) ;
  /opt/edg/etc/wl-ui-env.sh -> $(SEC_BIN) ;
  /opt/edg/etc/workload.csh -> $(SEC_BIN) ;
  /opt/edg/etc/workload.sh -> $(SEC_BIN) ;
  /opt/globus/etc/globus-user-env.csh -> $(SEC_BIN) ;
  /opt/globus/etc/globus-user-env.sh -> $(SEC_BIN) ;
  /opt/globus/etc/openldap/ldap.conf -> $(SEC_BIN) ;
  /opt/globus/etc/openldap/ldapfilter.conf -> $(SEC_BIN) ;
  /opt/globus/etc/openldap/ldapsearchprefs.conf -> $(SEC_BIN) ;
  /opt/globus/etc/openldap/ldaptemplates.conf -> $(SEC_BIN) ;
  /opt/globus/etc/openldap/slapd.conf -> $(SEC_BIN) ;
  /opt/globus/etc/openldap/schema -> $(SEC_BIN) ;
}

# Grid executables and libraries
(
  rulename = "Grid Executables and Libraries",
  severity = $(SIG_HI)
)
{
  /opt/edg/bin -> $(SEC_BIN) ;
  /opt/edg/lib -> $(SEC_BIN) ;
  /opt/edg/sbin -> $(SEC_BIN) ;
  /opt/edg/share -> $(SEC_BIN) ;
  /opt/globus/bin -> $(SEC_BIN) ;
  /opt/globus/lib -> $(SEC_BIN) ;
  /opt/globus/libexec -> $(SEC_BIN) ;
  /opt/globus/sbin -> $(SEC_BIN) ;
  /opt/globus/share -> $(SEC_BIN) ;
  /opt/globus/ssl -> $(SEC_BIN) ;
  /opt/classads -> $(SEC_BIN) ;
  /opt/xerces-c -> $(SEC_BIN) ;
  /opt/alice -> $(SEC_BIN) ;
  /opt/atlas -> $(SEC_BIN) ;
  /opt/biome -> $(SEC_BIN) ;
  /opt/cms -> $(SEC_BIN) ;
  /opt/eo -> $(SEC_BIN) ;
  /opt/iteam -> $(SEC_BIN) ;
  /opt/wpsix -> $(SEC_BIN) ;
}

------------------------------------------------------

Addenda for RH7.3:

Do a --check and then a --update (tripwire -m u -r <report>) before trying to modify the policy, so that the database already agrees with the host and the policy update is not swamped with pre-existing violations.

# Netscape Navigator 7.0
(
  rulename = "Netscape",
  severity = $(SIG_HI),
  recurse = true
)
{
  /usr/local/netscape -> $(SEC_BIN) ;
}

# Java JDK
(
  rulename = "Java",
  severity = $(SIG_HI),
  recurse = true
)
{
  /usr/java -> $(SEC_BIN) ;
}

# Production profiles
(
  rulename = "LCFG Production profiles",
  severity = $(SIG_HI)
)
{
  /root/config/production -> $(SEC_CONFIG) ;
}

# LCFG includes
(
  rulename = "LCFG includes",
  severity = $(SIG_HI),
  recurse = true
)
{
  /data/LCFG_conf -> $(SEC_CONFIG) ;
}

# LCFG LCG repository
(
  rulename = "LCG repository",
  severity = $(SIG_HI),
  recurse = true
)
{
  /data/LCFG_repo -> $(SEC_BIN) ;
}

# LCFG LiveOS repository
(
  rulename = "LCG LiveOS repository",
  severity = $(SIG_HI),
  recurse = true
)
{
  /opt/local/linux/nginstallroot -> $(SEC_BIN) ;
}

# Grid Certificates/CRLs etc.
(
  rulename = "Grid Certificates",
  severity = $(SIG_HI),
  recurse = true
)
{
  /etc/grid-security -> $(SEC_BIN) ;
  !/etc/grid-security/gridmapdir ;             # CE, SE
}

# Grid
(
  rulename = "Grid",
  severity = $(SIG_HI),
  recurse = true
)
{
  /opt -> $(SEC_BIN) ;
  !/opt/bdii/var ;                             # CE
  !/opt/globus/tmp ;                           # CE
  !/opt/globus/var/log ;                       # CE
  !/opt/lcg/var/gip/tmp ;                      # CE, SE
  !/opt/glite/var/rgma-gin/gin.status ;        # CE, SE, MON
  !/opt/glite/var/rgma-gin/gin.time ;          # CE, SE, MON
  # !/opt/edg/var/log/edg-rgma-tools.log ;     # MON
  # !/opt/lcg/var/log/lcg-archiver.log ;       # MON?
}

Note that, unlike the RH6.2 policy above, this "Grid Certificates" rule covers the CRLs (the *.r0 files under /etc/grid-security/certificates) as $(SEC_BIN), so every CRL refresh will be reported as a changed file: either accept those in the next --update or give them the $(SEC_LOG) treatment used above.

- JJN 11 November 2005