Cyber security: Monitor file integrity

In addition to ClamAV antivirus, Omarine 4.0 provides Tripwire package to monitor the integrity of the files in the system. The monitoring policy is derived from /etc/tripwire/twpol.txt, a plain text file that you can edit.

To use tripwire you first create the site key and local key:

sudo twadmin -m G -L /etc/tripwire/$(uname -n)-local.key \
    -S /etc/tripwire/site.key

Then create binary configuration file and binary policy file from the corresponding source text files:

sudo twadmin -m F --site-keyfile /etc/tripwire/site.key /etc/tripwire/twcfg.txt &&
sudo twadmin -m P --site-keyfile /etc/tripwire/site.key /etc/tripwire/twpol.txt

Now initialize the tripwire database:

sudo tripwire --init

To see the effect of file monitoring, try changing the files that are set for monitoring in the policy, for example adding new.conf to /etc:

sudo touch /etc/new.conf

We check with the following command:

sudo tripwire --check

The results are as follows:

Parsing policy file: /etc/tripwire/tw.pol

*** Processing Unix File System ***

Performing integrity check...

Wrote report file: /var/lib/tripwire/report/omarine-20180826-084906.twr

Open Source Tripwire(R) 2.4.3.7 Integrity Check Report

Report generated by: root

Report created on: Sun 26 Aug 2018 08:49:06 AM +07

Database last updated on: Never

===============================================================================

Report Summary:

===============================================================================

Host name: omarine

Host IP address: 192.168.0.1

Host ID: None

Policy file used: /etc/tripwire/tw.pol

Configuration file used: /etc/tripwire/tw.cfg

Database file used: /var/lib/tripwire/omarine.twd

Command line used: tripwire --check 

===============================================================================

Rule Summary: 

===============================================================================

-------------------------------------------------------------------------------

Section: Unix File System

-------------------------------------------------------------------------------

Rule Name                     Severity Level   Added   Removed   Modified 
---------                     --------------   -----   -------   -------- 
Tripwire Binaries             0                0       0         0 
Tripwire Data Files           0                0       0         0 
RPM Checksum Files            0                0       0         0 
* Global Configuration Files  0                1       0         1 

Total objects scanned: 1693
Total violations found: 2

===============================================================================

Object Summary: 

===============================================================================

-------------------------------------------------------------------------------

# Section: Unix File System

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

Rule Name: Global Configuration Files (/etc)

Severity Level: 0

-------------------------------------------------------------------------------

Added:

"/etc/new.conf"

Modified:

"/etc"

===============================================================================

Error Report: 

===============================================================================

No Errors

-------------------------------------------------------------------------------

*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000-2018 Tripwire, Inc. Tripwire is a registered

trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;

for details use --version. This is free software which may be redistributed

or modified only under certain conditions; see COPYING for details.

All rights reserved.

Integrity check complete.

You rely on the report to take the necessary processing and recheck if needed. Once have no further processing, we update the tripwire database with the newly created report file, for example:

sudo tripwire --update --twrfile /var/lib/tripwire/report/omarine-20180826-084906.twr

The database will be updated with modification via the vi editor. If you agree to the default update of all items, just type :q to escape.

File integrity monitoring can be done automatically by scheduling with cron as follows:

echo "0 2 * * * /usr/sbin/tripwire --check --quiet" | sudo tee -a /var/spool/cron/crontabs/root

Report files are located in /var/lib/tripwire/report. To view the latest report, run the following command:

sudo twprint --print-report -r \
    /var/lib/tripwire/report/$(ls -1 /var/lib/tripwire/report | tail -n1)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.