Cyber security: Monitor file integrity


(0 comments)

In addition to ClamAV antivirus, Omarine 4.0 provides Tripwire package to monitor the integrity of the files in the system. The monitoring policy is derived from /etc/tripwire/twpol.txt, a plain text file that you can edit.

To use tripwire you first create the site key and local key:

sudo twadmin -m G -L /etc/tripwire/$(uname -n)-local.key \
-S /etc/tripwire/site.key


Then create binary configuration file and binary policy file from the corresponding source text files:

sudo twadmin -m F --site-keyfile /etc/tripwire/site.key /etc/tripwire/twcfg.txt &&
sudo twadmin -m P --site-keyfile /etc/tripwire/site.key /etc/tripwire/twpol.txt


Now initialize the tripwire database:

sudo tripwire --init


To see the effect of file monitoring, try changing the files that are set for monitoring in the policy, for example adding new.conf to /etc:

sudo touch /etc/new.conf


We check with the following command:

sudo tripwire --check


The results are as follows:

Parsing policy file: /etc/tripwire/tw.pol

*** Processing Unix File System ***

Performing integrity check...

Wrote report file: /var/lib/tripwire/report/omarine-20180826-084906.twr

Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by: root

Report created on: Sun 26 Aug 2018 08:49:06 AM +07

Database last updated on: Never

===============================================================================

Report Summary:

===============================================================================

Host name: omarine

Host IP address: 192.168.0.1

Host ID: None

Policy file used: /etc/tripwire/tw.pol

Configuration file used: /etc/tripwire/tw.cfg

Database file used: /var/lib/tripwire/omarine.twd

Command line used: tripwire --check

===============================================================================

Rule Summary:

===============================================================================

-------------------------------------------------------------------------------

Section: Unix File System

-------------------------------------------------------------------------------

Rule Name Severity Level Added Removed Modified
--------- -------------- ----- ------- --------
Tripwire Binaries 0 0 0 0
Tripwire Data Files 0 0 0 0
RPM Checksum Files 0 0 0 0
* Global Configuration Files 0 1 0 1

Total objects scanned: 1693
Total violations found: 2

===============================================================================

Object Summary:

===============================================================================

-------------------------------------------------------------------------------

# Section: Unix File System

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

Rule Name: Global Configuration Files (/etc)

Severity Level: 0

-------------------------------------------------------------------------------

Added:

"/etc/new.conf"

Modified:

"/etc"

===============================================================================

Error Report:

===============================================================================

No Errors

-------------------------------------------------------------------------------

*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered

trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;

for details use --version. This is free software which may be redistributed

or modified only under certain conditions; see COPYING for details.

All rights reserved.

Integrity check complete.

You rely on the report to take the necessary processing and recheck if needed. Once have no further processing, we update the tripwire database with the newly created report file, for example:

sudo tripwire --update --twrfile /var/lib/tripwire/report/omarine-20180826-084906.twr


The database will be updated with modification via the vi editor. If you agree to the default update of all items, just type :q to escape.

File integrity monitoring can be done automatically by scheduling with cron as follows:

echo "0 2 * * * /usr/sbin/tripwire --check --quiet" | sudo tee -a /var/spool/cron/crontabs/root


Report files are located in /var/lib/tripwire/report. To view the latest report, run the following command:

sudo twprint --print-report -r \
/var/lib/tripwire/report/$(ls -1 /var/lib/tripwire/report | tail -n1)
Currently unrated

Comments

There are currently no comments

New Comment

required

required (not published)

optional

required


What is 3 + 3?

required